diff options
Diffstat (limited to 'RELNOTES')
| -rw-r--r-- | RELNOTES | 39 |
1 files changed, 28 insertions, 11 deletions
| @@ -1,31 +1,47 @@ | |||
| 1 | firejail (0.9.45) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
| 2 | * development version, work in progress | 2 | * development version, work in progress |
| 3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | 3 | * Gentoo compile patch |
| 4 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | 4 | * security: --bandwidth root shell found by Martin Carpenter (CVE-2017-5207) |
| 5 | * security: invalid environment exploit found by Martin Carpenter | 5 | * security: disabled --allow-debuggers when running on kernel |
| 6 | versions prior to 4.8; a kernel bug in ptrace system call | ||
| 7 | allows a full bypass of seccomp filter; problem reported by Lizzie Dixon | ||
| 8 | (CVE-2017-5206) | ||
| 9 | * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118) | ||
| 10 | * security: TOCTOU exploit for --get and --put found by Daniel Hodson | ||
| 11 | * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122) | ||
| 6 | * security: split most of networking code in a separate executable | 12 | * security: split most of networking code in a separate executable |
| 7 | * security: split seccomp filter code configuration in a separate executable | 13 | * security: split seccomp filter code configuration in a separate executable |
| 8 | * security: split file copying in private option in a separate executable | 14 | * security: split file copying in private option in a separate executable |
| 15 | * security: root exploit found by Sebastian Krahmer (CVE-2017-5180) | ||
| 16 | * security: ~/.pki directory whitelisted and later blacklisted. This affects | ||
| 17 | most browsers, and disables the custom certificates installed by the user. | ||
| 9 | * feature: disable gnupg and systemd directories under /run/user | 18 | * feature: disable gnupg and systemd directories under /run/user |
| 10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
| 11 | * feature: AppImage type 2 support | ||
| 12 | * feature: test coverage (gcov) support | 19 | * feature: test coverage (gcov) support |
| 20 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
| 13 | * feature: private /opt directory (--private-opt, profile support) | 21 | * feature: private /opt directory (--private-opt, profile support) |
| 14 | * feature: private /srv directory (--private-srv, profile support) | 22 | * feature: private /srv directory (--private-srv, profile support) |
| 15 | * feature: spoof machine-id | 23 | * feature: spoof machine-id (--machine-id, profile support) |
| 24 | * feature: allow blacklists under --private (--allow-private-blacklist, profile support) | ||
| 25 | * feature: user-defined /etc/hosts file (--hosts-file, profile support) | ||
| 26 | * feature: support for the real /var/log directory (--writable-var-log, profile support) | ||
| 16 | * feature: config support for firejail prompt in terminals | 27 | * feature: config support for firejail prompt in terminals |
| 28 | * feature: AppImage type 2 support | ||
| 17 | * feature: pass command line arguments to appimages | 29 | * feature: pass command line arguments to appimages |
| 18 | * feature: --allow-private-blacklist option | 30 | * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come |
| 31 | * feature: added a number o Python scripts for handling sandboxes | ||
| 32 | * feature: allow local customization using .local files under /etc/firejail | ||
| 33 | * feature: follow-symlink-as-user runtime config option in /etc/firejail/firejail.config | ||
| 19 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 34 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
| 20 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 35 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
| 21 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 36 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
| 22 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | 37 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, |
| 23 | * new profies: Xonotic, wireshark, keepassx2, QupZilla | 38 | * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail, |
| 39 | * new profiles: Uzbl browser, iridium browser, Thunar | ||
| 24 | * bugfixes | 40 | * bugfixes |
| 25 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | 41 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 |
| 26 | 42 | ||
| 27 | firejail (0.9.44) baseline; urgency=low | 43 | firejail (0.9.44) baseline; urgency=low |
| 28 | * CVE-2016-7545 submitted by Aleksey Manevich | 44 | * CVE-2016-9016 submitted by Aleksey Manevich |
| 29 | * modifs: removed man firejail-config | 45 | * modifs: removed man firejail-config |
| 30 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 46 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
| 31 | * modifs: Nvidia drivers added to --private-dev | 47 | * modifs: Nvidia drivers added to --private-dev |
| @@ -142,11 +158,12 @@ firejail (0.9.38) baseline; urgency=low | |||
| 142 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, | 158 | * added KMail, Seamonkey, Telegram, Mathematica, uGet, |
| 143 | * and mupen64plus profiles | 159 | * and mupen64plus profiles |
| 144 | * --chroot in user mode allowed only if seccomp support is available | 160 | * --chroot in user mode allowed only if seccomp support is available |
| 145 | * in current Linux kernel | 161 | * in current Linux kernel (CVE-2016-10123) |
| 146 | * deprecated --private-home feature | 162 | * deprecated --private-home feature |
| 147 | * the first protocol list installed takes precedence | 163 | * the first protocol list installed takes precedence |
| 148 | * --tmpfs option allowed only running as root | 164 | * --tmpfs option allowed only running as root (CVE-2016-10117) |
| 149 | * added --private-tmp option | 165 | * added --private-tmp option |
| 166 | * weak permissions (CVE-2016-10119, CVE-2016-10120, CVE-2016-10121) | ||
| 150 | * bugfixes | 167 | * bugfixes |
| 151 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 | 168 | -- netblue30 <netblue30@yahoo.com> Tue, 2 Feb 2016 10:00:00 -0500 |
| 152 | 169 | ||