-rw-r--r-- | RELNOTES | 13 |
1 files changed, 7 insertions, 6 deletions
@@ -4,13 +4,13 @@ firejail (0.9.45) baseline; urgency=low | |||
4 | * security: disabled --allow-debuggers when running on kernel | 4 | * security: disabled --allow-debuggers when running on kernel |
5 | versions prior to 4.8; a kernel bug in ptrace system call | 5 | versions prior to 4.8; a kernel bug in ptrace system call |
6 | allows a full bypass of seccomp filter; problem reported by Lizzie Dixon | 6 | allows a full bypass of seccomp filter; problem reported by Lizzie Dixon |
7 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | 7 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) |
8 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 8 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson |
9 | * security: invalid environment exploit found by Martin Carpenter | 9 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) |
10 | * security: split most of networking code in a separate executable | 10 | * security: split most of networking code in a separate executable |
11 | * security: split seccomp filter code configuration in a separate executable | 11 | * security: split seccomp filter code configuration in a separate executable |
12 | * security: split file copying in private option in a separate executable | 12 | * security: split file copying in private option in a separate executable |
13 | * security: root exploit found by Sebastian Krahmer | 13 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) |
14 | * feature: disable gnupg and systemd directories under /run/user | 14 | * feature: disable gnupg and systemd directories under /run/user |
15 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | 15 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) |
16 | * feature: AppImage type 2 support | 16 | * feature: AppImage type 2 support |
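Review bot: since this hunk already touches lines 7 through 13 to append CVE identifiers, line 8 ("* secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson") should get its spelling fixed to "security:" in the same change; it is the only entry in the block whose prefix is misspelled, and a typo in the prefix makes the security entries harder to grep for. The annotations added on lines 7, 9 and 13 (CVE-2016-10118, CVE-2016-10122, CVE-2017-5180) follow a consistent "(CVE-...)" suffix style, which is good; if identifiers exist for the ptrace/seccomp entry on lines 4-6 and the TOCTOU entry on line 8, they should be appended in the same style so readers can tell which issues are tracked and which are not.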
@@ -32,7 +32,7 @@ firejail (0.9.45) baseline; urgency=low | |||
32 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 32 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
33 | 33 | ||
34 | firejail (0.9.44) baseline; urgency=low | 34 | firejail (0.9.44) baseline; urgency=low |
35 | * CVE-2016-7545 submitted by Aleksey Manevich | 35 | * CVE-2016-9016 submitted by Aleksey Manevich |
36 | * modifs: removed man firejail-config | 36 | * modifs: removed man firejail-config |
37 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 37 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
38 | * modifs: Nvidia drivers added to --private-dev | 38 | * modifs: Nvidia drivers added to --private-dev |
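Review bot: line 35 silently replaces the identifier CVE-2016-7545 with CVE-2016-9016 in the already-published 0.9.44 release notes; anyone who read the earlier notes, or has advisories keyed to the old number, has no way to learn from this file that the first identifier was wrong. Suggest keeping the correction but recording it, either as a short parenthetical on the line (for example "CVE-2016-9016 (previously listed as CVE-2016-7545)") or in the commit message, so the RELNOTES remain a usable historical record.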
@@ -149,11 +149,12 @@ firejail (0.9.38) baseline; urgency=low | |||
149 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, | 149 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, |
150 | * and mupen64plus profiles | 150 | * and mupen64plus profiles |
151 | * --chroot in user mode allowed only if seccomp support is available | 151 | * --chroot in user mode allowed only if seccomp support is available |
152 | * in current Linux kernel | 152 | * in current Linux kernel (CVE-2016-10123) |
153 | * deprecated --private-home feature | 153 | * deprecated --private-home feature |
154 | * the first protocol list installed takes precedence | 154 | * the first protocol list installed takes precedence |
155 | * --tmpfs option allowed only running as root | 155 | * --tmpfs option allowed only running as root (CVE-2016-10117) |
156 | * added --private-tmp option | 156 | * added --private-tmp option |
157 | * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) | ||
157 | * bugfixes | 158 | * bugfixes |
158 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 159 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
159 | 160 | ||
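Review bot: the new bullet added as line 157, "* weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121)", is too vague to be useful as a release note: it does not say what had weak permissions or what was changed, while the neighbouring entries in this section each name the affected option or behaviour. Suggest wording it like the other entries, for example stating the file or directory whose permissions were tightened and prefixing it with the "security:" tag used in the 0.9.45 block above. Note also that this bullet is being inserted into the 0.9.38 section, dated Tue, 2 Feb 2016 on line 158/159, so the wording should make clear that the fix was part of that release rather than being a retroactive addition; the CVE suffixes appended on lines 152 and 155 (CVE-2016-10123, CVE-2016-10117) follow the existing "(CVE-...)" style and need no change.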