OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: solaropenwall.com
Date: Sun Jul 01 2001 - 21:41:13 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    We've started maintaining a stable branch of Owl, based on Owl 0.1-
    prerelease. This branch will have all significant reliability and
    security fixes necessary to use Owl in production -- even before its
    feature set is complete for it to be called 1.0.

    Another recent addition is the OpenBSD-like change logs for both Owl
    branches. Whenever there's a security fix applied to an Owl branch,
    there will be a change log entry with "SECURITY FIX" and a Severity
    field on it, in addition to the usual description of what exactly was
    changed and why. As we fix even very minor security problems, we're
    not going to "spam" Bugtraq with advisories each time.

    We will keep the number of change log entries per week low such that
    the really important changes may be easily seen. Those who need more
    detailed information can always read change logs for the individual
    packages.

    The Owl change logs are included with the corresponding branches under
    Owl/doc/CHANGES (Owl-0_1-stable/doc/CHANGES for the stable branch) and
    are also available at:

    http://www.openwall.com/Owl/CHANGES.shtml (current branch)
    http://www.openwall.com/Owl/CHANGES-stable.shtml (stable branch)

    Finally, below is a summary of security fixes that have been applied
    since the prerelease. So far, the worst vulnerability which affects
    the default install of Owl 0.1-prerelease is the GnuPG format string
    bug, and that is passive.

    owl!build:~$ grep -B1 '^SECURITY FIX' native/Owl/doc/CHANGES
    2001/06/29 Package: xinetd
    SECURITY FIX Severity: none to high, remote, active 

    --
2001/06/27	Package: gpm
SECURITY FIX	Severity: none to low, physical, active
--
2001/06/14	Package: openssh
SECURITY FIX	Severity: none to low, remote, active
--
2001/06/12	Package: screen
SECURITY FIX	Severity: low, local, passive
--
2001/06/11	Package: openssh
SECURITY FIX	Severity: low, local, active
--
2001/06/03	Package: glibc
SECURITY FIX	Severity: low to medium, local, passive
--
2001/05/30	Package: gnupg
SECURITY FIX	Severity: high, remote, passive
--
2001/05/29	Packages: SysVinit, xinetd, owl-startup
SECURITY FIX	Severity: none to medium, local, passive to active
--
2001/05/27	Package: gawk
SECURITY FIX	Severity: low, local, passive
--
2001/05/23	Package: sysklogd
SECURITY FIX	Severity: none to medium, local, active

    -- 
/sd