Linux 2.4.21-ow1, msulogin, Owl updates
This is a cumulative announcement for several updates which have occurred in the last three months. I'll start with the latest.
Linux 2.4.21-ow1 is out and available for download at the usual location:
Linux 2.4.21 (and thus 2.4.21-ow1) adds numerous security fixes, including a fix for the kmod/ptrace race previously fixed in 2.2.25, and fixes for many 2.4.x-specific vulnerabilities (ioperm(2) allowing unauthorized direct access to certain I/O ports, O_DIRECT information leaks, excessive CPU consumption with networking, and more).
Linux 2.4.21-ow1, compared to previous versions of the patch for Linux 2.4.x, corrects the RLIMIT_NPROC enforcement so that it does not apply to privileged processes and so that it also works for 32-bit syscall emulation on sparc64, ppc64, mips64, s390x, and 64-bit parisc, thanks to the report from Brad Spengler. It also fixes a harmless user-triggerable Oops (kernel-mode fault) in the GPF handler on x86/SMP, thanks to the PaX team.
Owl-current now fully supports Linux 2.4.x as well as 2.2.x, although only 2.2.x is included and it's still the preferred choice. This means that not only will Owl run with a 2.4.x kernel (Owl 1.0 release supported that already), but its userland may be fully rebuilt from source ("make buildworld") with Linux 2.4.x kernel headers.
Another recent release is msulogin, a single user mode login program which adds support for having multiple root accounts on a system. It's a part of Owl-current but is also made available separately:
More importantly, Owl-current now defaults to tcb, our alternative and better password shadowing scheme. This was already supported in Owl 1.0, but was not made the default until recently. Updating existing Owl installs to Owl-current or the upcoming release results in automatic conversion from /etc/shadow to tcb. It is still possible to maintain an Owl system with /etc/shadow should you require this level of backwards compatibility: automatic conversion to tcb won't be performed on updates if a system has been explicitly unconverted from tcb. As a reminder, our tcb suite is also available separately from Owl, primarily for re-use by other distributions:
Other recent changes to Owl-current include the addition of CVS and Nmap packages (both with our modifications), replacing console-tools with kbd, updates to Mutt 1.4.1i, mktemp 1.5, OpenSSH 3.6.1p2, OpenSSL 0.9.6j, util-linux 2.11z, xinetd 2.3.11, SysVinit 2.85, GnuPG 1.2.2, lftp 2.6.6, and stmpclean 0.3. We've imported many improvements from ALT Linux, including libpam_userpass, much better command line parsing in su(1), and various fixes and improvements to start-stop-daemon and wall(1). pam_tcb now implements proper fake salt creation for non-existent or password-less accounts to reduce timing leaks, and our login services know to make use of that functionality.
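The fake-salt behaviour mentioned for pam_tcb is worth seeing in miniature. The following is an added illustration, not pam_tcb's or Owl's own code: it contrasts a naive check that returns immediately for unknown accounts (so the response time reveals whether the account exists) with one that always performs the hashing work, using a salt derived deterministically from the username with a per-system secret so that repeated probes of the same non-existent account see a stable, plausible salt. The user database, the PBKDF2 parameters and the FAKE_SALT_SECRET are constructed for this example; the real pam_tcb uses crypt(3)-style salts and its own derivation, so treat the details here as assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the illustration; not pam_tcb's actual scheme.
PBKDF2_ITERATIONS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash standing in for crypt(3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, derive(password, salt)


# Constructed sample account database: username -> (salt, stored hash).
USERS = {"alice": make_record("correct horse battery staple")}

# Hypothetical per-system secret for fake-salt derivation; a real deployment
# would generate it once and keep it readable by root only.
FAKE_SALT_SECRET = secrets.token_bytes(32)


def fake_salt(username: str) -> bytes:
    """Deterministic in the username (stable across probes), unpredictable
    without the secret, and the same length as a real salt."""
    return hmac.new(FAKE_SALT_SECRET, username.encode(), "sha256").digest()[:16]


def check_naive(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False  # early return: no hashing work, so a fast "no" leaks existence
    salt, stored = rec
    return hmac.compare_digest(derive(password, salt), stored)


def check_with_fake_salt(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        salt, stored = fake_salt(username), None
    else:
        salt, stored = rec
    computed = derive(password, salt)  # always performed, existent account or not
    if stored is None:
        return False
    return hmac.compare_digest(computed, stored)


def timing_ratio(check, rounds: int = 20) -> float:
    """Mean time for a non-existent account divided by mean time for a real one.
    Near 0 means the check leaks account existence; near 1 means it does not."""

    def measure(user: str) -> float:
        t0 = time.perf_counter()
        for _ in range(rounds):
            check(user, "wrong password")
        return (time.perf_counter() - t0) / rounds

    return measure("nobody") / measure("alice")


if __name__ == "__main__":
    print("naive ratio:    %.3f" % timing_ratio(check_naive))
    print("fake-salt ratio: %.3f" % timing_ratio(check_with_fake_salt))
```

The deterministic derivation matters as much as the extra hashing: if a fresh random salt were used for each probe of an unknown account, the changing salt would itself distinguish it from a real account whose salt never changes. Password-less accounts get the same treatment, so they do not short-circuit either.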
For a more complete and verbose list of Owl-current changes, please refer to:
-- Alexander Peslyak
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
https://www.openwall.com - bringing security into open computing environments