Diffstat (limited to 'RELNOTES')
-rw-r--r-- | RELNOTES | 104 |
1 files changed, 100 insertions, 4 deletions
@@ -1,12 +1,102 @@ | |||
1 | firejail (0.9.40-rc1) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | ||
3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | ||
4 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | ||
5 | * security: invalid environment exploit found by Martin Carpenter | ||
6 | * security: split most of networking code in a separate executable | ||
7 | * security: split seccomp filter code configuration in a separate executable | ||
8 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
9 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | ||
10 | * new profiles: mumble, zoom, Guayadeque | ||
11 | * bugfixes | ||
12 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | ||
13 | |||
14 | firejail (0.9.44) baseline; urgency=low | ||
15 | * CVE-2016-7545 submitted by Aleksey Manevich | ||
16 | * modifs: removed man firejail-config | ||
17 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | ||
18 | * modifs: Nvidia drivers added to --private-dev | ||
19 | * modifs: /srv supported by --whitelist | ||
20 | * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | ||
21 | * feature: support starting/joining sandbox is a single command | ||
22 | (--join-or-start) | ||
23 | * feature: X11 detection support for --audit | ||
24 | * feature: assign a name to the interface connected to the bridge | ||
25 | (--veth-name) | ||
26 | * feature: all user home directories are visible (--allusers) | ||
27 | * feature: add files to sandbox container (--put) | ||
28 | * feature: blocking x11 (--x11=block) | ||
29 | * feature: X11 security extension (--x11=xorg) | ||
30 | * feature: disable 3D hardware acceleration (--no3d) | ||
31 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | ||
32 | * feature: move files in sandbox (--put) | ||
33 | * feature: accept wildcard patterns in user name field of restricted | ||
34 | shell login feature | ||
35 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | ||
36 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | ||
37 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | ||
38 | * new profiles: Flowblade, Eye of GNOME (eog), Evolution | ||
39 | * bugfixes | ||
40 | -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500 | ||
41 | |||
42 | firejail (0.9.42) baseline; urgency=low | ||
43 | * security: --whitelist deleted files, submitted by Vasya Novikov | ||
44 | * security: disable x32 ABI in seccomp, submitted by Jann Horn | ||
45 | * security: tighten --chroot, submitted by Jann Horn | ||
46 | * security: terminal sandbox escape, submitted by Stephan Sokolow | ||
47 | * security: several TOCTOU fixes submitted by Aleksey Manevich | ||
48 | * modifs: bringing back --private-home option | ||
49 | * modifs: deprecated --user option, please use "sudo -u username firejail" | ||
50 | * modifs: allow symlinks in home directory for --whitelist option | ||
51 | * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" | ||
52 | * modifs: recursive mkdir | ||
53 | * modifs: include /dev/snd in --private-dev | ||
54 | * modifs: seccomp filter update | ||
55 | * modifs: release archives moved to .xz format | ||
56 | * feature: AppImage support (--appimage) | ||
57 | * feature: AppArmor support (--apparmor) | ||
58 | * feature: Ubuntu snap support (/etc/firejail/snap.profile) | ||
59 | * feature: Sandbox auditing support (--audit) | ||
60 | * feature: remove environment variable (--rmenv) | ||
61 | * feature: noexec support (--noexec) | ||
62 | * feature: clean local overlay storage directory (--overlay-clean) | ||
63 | * feature: store and reuse overlay (--overlay-named) | ||
64 | * feature: allow debugging inside the sandbox with gdb and strace | ||
65 | (--allow-debuggers) | ||
66 | * feature: mkfile profile command | ||
67 | * feature: quiet profile command | ||
68 | * feature: x11 profile command | ||
69 | * feature: option to fix desktop files (firecfg --fix) | ||
70 | * compile time: Busybox support (--enable-busybox-workaround) | ||
71 | * compile time: disable overlayfs (--disable-overlayfs) | ||
72 | * compile time: disable whitlisting (--disable-whitelist) | ||
73 | * compile time: disable global config (--disable-globalcfg) | ||
74 | * run time: enable/disable overlayfs (overlayfs yes/no) | ||
75 | * run time: enable/disable quiet as default (quiet-by-default yes/no) | ||
76 | * run time: user-defined network filter (netfilter-default) | ||
77 | * run time: enable/disable whitelisting (whitelist yes/no) | ||
78 | * run time: enable/disable remounting of /proc and /sys | ||
79 | (remount-proc-sys yes/no) | ||
80 | * run time: enable/disable chroot desktop features (chroot-desktop yes/no) | ||
81 | * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | ||
82 | * profiles: pix, audacity, xz, xzdec, gzip, cpio, less | ||
83 | * profiles: Atom Beta, Atom, jitsi, eom, uudeview | ||
84 | * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | ||
85 | * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox | ||
86 | * bugfixes | ||
87 | -- netblue30 <netblue30@yahoo.com> Thu, 8 Sept 2016 08:00:00 -0500 | ||
88 | |||
89 | firejail (0.9.40) baseline; urgency=low | ||
2 | * added --nice option | 90 | * added --nice option |
3 | * added --x11 option | 91 | * added --x11 option |
4 | * added --x11=xpra option | 92 | * added --x11=xpra option |
5 | * added --x11=xephyr option | 93 | * added --x11=xephyr option |
6 | * added --cpu.print option | 94 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 95 | * added filetransfer options --ls and --get |
96 | * added --writable-etc and --writable-var options | ||
97 | * added --read-only option | ||
8 | * added mkdir, ipc-namespace, and nosound profile commands | 98 | * added mkdir, ipc-namespace, and nosound profile commands |
9 | * added net iface, and iprange profile commands | 99 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands |
10 | * --version also prints compile options | 100 | * --version also prints compile options |
11 | * --output option also redirects stderr | 101 | * --output option also redirects stderr |
12 | * added compile-time option to restrict --net= to root only | 102 | * added compile-time option to restrict --net= to root only |
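Review bot: the new 0.9.45 block has a typo in a security-relevant entry, "secuirty: TOCTOU exploit for --get and --put", which should read "security:" so that anyone grepping the changelog for security fixes does not miss it; "imagemagik" (ImageMagick) in the same block and "whitlisting" in the 0.9.42 compile-time list are also misspelled. In the 0.9.44 entry, "--put" is listed twice ("add files to sandbox container (--put)" and "move files in sandbox (--put)"), and "support starting/joining sandbox is a single command" should be "in a single command". Minor formatting: the 0.9.42 signature uses "Thu, 8 Sept 2016", whereas the surrounding entries use three-letter month abbreviations, and "gnome-chess. Gajim IM client" should be comma-separated like the rest of the profile lists.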
@@ -18,10 +108,16 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
18 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 108 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
19 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars | 109 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars |
20 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq | 110 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq |
21 | * new profiles: PaleMoon, Icedove, abrowser, 0ad | 111 | * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 |
112 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player | ||
113 | * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox | ||
114 | * new profiles: generic Ubuntu snap application profile, xplayer | ||
115 | * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation | ||
116 | * new profiles: Brave, Gitter | ||
117 | * generic.profile renamed default.profile | ||
22 | * build rpm packages using "make rpms" | 118 | * build rpm packages using "make rpms" |
23 | * bugfixes | 119 | * bugfixes |
24 | -- netblue30 <netblue30@yahoo.com> Sun, 3 Apr 2016 08:00:00 -0500 | 120 | -- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500 |
25 | 121 | ||
26 | firejail (0.9.38) baseline; urgency=low | 122 | firejail (0.9.38) baseline; urgency=low |
27 | * IPv6 support (--ip6 and --netfilter6) | 123 | * IPv6 support (--ip6 and --netfilter6) |
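Review bot: the release date of the already-published 0.9.40 entry is rewritten here from "Sun, 3 Apr 2016" to "Sun, 29 May 2016" alongside the new profile lines; if this corrects the actual release date it is worth saying so in the commit message, since changing a past entry's timestamp otherwise looks accidental. The rest of the hunk (added profiles, "generic.profile renamed default.profile") reads fine.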