diff options
Diffstat (limited to 'RELNOTES')
-rw-r--r-- | RELNOTES | 39 |
1 files changed, 28 insertions, 11 deletions
@@ -1,31 +1,47 @@ | |||
1 | firejail (0.9.45) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | 2 | * development version, work in progress |
3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | 3 | * Gentoo compile patch |
4 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 4 | * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) |
5 | * security: invalid environment exploit found by Martin Carpenter | 5 | * security: disabled --allow-debuggers when running on kernel |
6 | versions prior to 4.8; a kernel bug in ptrace system call | ||
7 | allows a full bypass of seccomp filter; problem reported by Lizzie Dixon | ||
8 | (CVE-2017-5206) | ||
9 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) | ||
10 | * security: TOCTOU exploit for --get and --put found by Daniel Hodson | ||
11 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) | ||
6 | * security: split most of networking code in a separate executable | 12 | * security: split most of networking code in a separate executable |
7 | * security: split seccomp filter code configuration in a separate executable | 13 | * security: split seccomp filter code configuration in a separate executable |
8 | * security: split file copying in private option in a separate executable | 14 | * security: split file copying in private option in a separate executable |
15 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) | ||
16 | * security: ~/.pki directory whitelisted and later blacklisted. This affects | ||
17 | most browsers, and disables the custom certificates installed by the user. | ||
9 | * feature: disable gnupg and systemd directories under /run/user | 18 | * feature: disable gnupg and systemd directories under /run/user |
10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
11 | * feature: AppImage type 2 support | ||
12 | * feature: test coverage (gcov) support | 19 | * feature: test coverage (gcov) support |
20 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
13 | * feature: private /opt directory (--private-opt, profile support) | 21 | * feature: private /opt directory (--private-opt, profile support) |
14 | * feature: private /srv directory (--private-srv, profile support) | 22 | * feature: private /srv directory (--private-srv, profile support) |
15 | * feature: spoof machine-id | 23 | * feature: spoof machine-id (--machine-id, profile support) |
24 | * feature: allow blacklists under --private (--allow-private-blacklist, profile support) | ||
25 | * feature: user-defined /etc/hosts file (--hosts-file, profile support) | ||
26 | * feature: support for the real /var/log directory (--writable-var-log, profile support) | ||
16 | * feature: config support for firejail prompt in terminals | 27 | * feature: config support for firejail prompt in terminals |
28 | * feature: AppImage type 2 support | ||
17 | * feature: pass command line arguments to appimages | 29 | * feature: pass command line arguments to appimages |
18 | * feature: --allow-private-blacklist option | 30 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come |
31 | * feature: added a number o Python scripts for handling sandboxes | ||
32 | * feature: allow local customization using .local files under /etc/firejail | ||
33 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | ||
19 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 34 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
20 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 35 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
21 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 36 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
22 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | 37 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, |
23 | * new profies: Xonotic, wireshark, keepassx2, QupZilla | 38 | * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, |
39 | * new profiles: Uzbl browser, iridium browser, Thunar | ||
24 | * bugfixes | 40 | * bugfixes |
25 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 41 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
26 | 42 | ||
27 | firejail (0.9.44) baseline; urgency=low | 43 | firejail (0.9.44) baseline; urgency=low |
28 | * CVE-2016-7545 submitted by Aleksey Manevich | 44 | * CVE-2016-9016 submitted by Aleksey Manevich |
29 | * modifs: removed man firejail-config | 45 | * modifs: removed man firejail-config |
30 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 46 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
31 | * modifs: Nvidia drivers added to --private-dev | 47 | * modifs: Nvidia drivers added to --private-dev |
@@ -142,11 +158,12 @@ firejail (0.9.38) baseline; urgency=low | |||
142 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, | 158 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, |
143 | * and mupen64plus profiles | 159 | * and mupen64plus profiles |
144 | * --chroot in user mode allowed only if seccomp support is available | 160 | * --chroot in user mode allowed only if seccomp support is available |
145 | * in current Linux kernel | 161 | * in current Linux kernel (CVE-2016-10123) |
146 | * deprecated --private-home feature | 162 | * deprecated --private-home feature |
147 | * the first protocol list installed takes precedence | 163 | * the first protocol list installed takes precedence |
148 | * --tmpfs option allowed only running as root | 164 | * --tmpfs option allowed only running as root (CVE-2016-10117) |
149 | * added --private-tmp option | 165 | * added --private-tmp option |
166 | * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) | ||
150 | * bugfixes | 167 | * bugfixes |
151 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 168 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
152 | 169 | ||