Diffstat (limited to 'RELNOTES')
-rw-r--r-- | RELNOTES | 115 |
1 files changed, 111 insertions, 4 deletions
@@ -1,12 +1,113 @@ | |||
1 | firejail (0.9.40-rc1) baseline; urgency=low | 1 | firejail (0.9.45) baseline; urgency=low |
2 | * development version, work in progress | ||
3 | * security: overwrite /etc/resolv.conf found by Martin Carpenter | ||
4 | * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson | ||
5 | * security: invalid environment exploit found by Martin Carpenter | ||
6 | * security: split most of networking code in a separate executable | ||
7 | * security: split seccomp filter code configuration in a separate executable | ||
8 | * security: split file copying in private option in a separate executable | ||
9 | * feature: disable gnupg and systemd directories under /run/user | ||
10 | * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) | ||
11 | * feature: AppImage type 2 support | ||
12 | * feature: test coverage (gcov) support | ||
13 | * feature: private /opt directory (--private-opt, profile support) | ||
14 | * feature: private /srv directory (--private-srv, profile support) | ||
15 | * feature: spoof machine-id | ||
16 | * feature: config support for firejail prompt in terminal | ||
17 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | ||
18 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | ||
19 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | ||
20 | * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, | ||
21 | * new profies: Xonotic, wireshark | ||
22 | * bugfixes | ||
23 | -- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500 | ||
24 | |||
25 | firejail (0.9.44) baseline; urgency=low | ||
26 | * CVE-2016-7545 submitted by Aleksey Manevich | ||
27 | * modifs: removed man firejail-config | ||
28 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | ||
29 | * modifs: Nvidia drivers added to --private-dev | ||
30 | * modifs: /srv supported by --whitelist | ||
31 | * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) | ||
32 | * feature: support starting/joining sandbox is a single command | ||
33 | (--join-or-start) | ||
34 | * feature: X11 detection support for --audit | ||
35 | * feature: assign a name to the interface connected to the bridge | ||
36 | (--veth-name) | ||
37 | * feature: all user home directories are visible (--allusers) | ||
38 | * feature: add files to sandbox container (--put) | ||
39 | * feature: blocking x11 (--x11=block) | ||
40 | * feature: X11 security extension (--x11=xorg) | ||
41 | * feature: disable 3D hardware acceleration (--no3d) | ||
42 | * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands | ||
43 | * feature: move files in sandbox (--put) | ||
44 | * feature: accept wildcard patterns in user name field of restricted | ||
45 | shell login feature | ||
46 | * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape | ||
47 | * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, | ||
48 | * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot | ||
49 | * new profiles: Flowblade, Eye of GNOME (eog), Evolution | ||
50 | * bugfixes | ||
51 | -- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500 | ||
52 | |||
53 | firejail (0.9.42) baseline; urgency=low | ||
54 | * security: --whitelist deleted files, submitted by Vasya Novikov | ||
55 | * security: disable x32 ABI in seccomp, submitted by Jann Horn | ||
56 | * security: tighten --chroot, submitted by Jann Horn | ||
57 | * security: terminal sandbox escape, submitted by Stephan Sokolow | ||
58 | * security: several TOCTOU fixes submitted by Aleksey Manevich | ||
59 | * modifs: bringing back --private-home option | ||
60 | * modifs: deprecated --user option, please use "sudo -u username firejail" | ||
61 | * modifs: allow symlinks in home directory for --whitelist option | ||
62 | * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" | ||
63 | * modifs: recursive mkdir | ||
64 | * modifs: include /dev/snd in --private-dev | ||
65 | * modifs: seccomp filter update | ||
66 | * modifs: release archives moved to .xz format | ||
67 | * feature: AppImage support (--appimage) | ||
68 | * feature: AppArmor support (--apparmor) | ||
69 | * feature: Ubuntu snap support (/etc/firejail/snap.profile) | ||
70 | * feature: Sandbox auditing support (--audit) | ||
71 | * feature: remove environment variable (--rmenv) | ||
72 | * feature: noexec support (--noexec) | ||
73 | * feature: clean local overlay storage directory (--overlay-clean) | ||
74 | * feature: store and reuse overlay (--overlay-named) | ||
75 | * feature: allow debugging inside the sandbox with gdb and strace | ||
76 | (--allow-debuggers) | ||
77 | * feature: mkfile profile command | ||
78 | * feature: quiet profile command | ||
79 | * feature: x11 profile command | ||
80 | * feature: option to fix desktop files (firecfg --fix) | ||
81 | * compile time: Busybox support (--enable-busybox-workaround) | ||
82 | * compile time: disable overlayfs (--disable-overlayfs) | ||
83 | * compile time: disable whitlisting (--disable-whitelist) | ||
84 | * compile time: disable global config (--disable-globalcfg) | ||
85 | * run time: enable/disable overlayfs (overlayfs yes/no) | ||
86 | * run time: enable/disable quiet as default (quiet-by-default yes/no) | ||
87 | * run time: user-defined network filter (netfilter-default) | ||
88 | * run time: enable/disable whitelisting (whitelist yes/no) | ||
89 | * run time: enable/disable remounting of /proc and /sys | ||
90 | (remount-proc-sys yes/no) | ||
91 | * run time: enable/disable chroot desktop features (chroot-desktop yes/no) | ||
92 | * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | ||
93 | * profiles: pix, audacity, xz, xzdec, gzip, cpio, less | ||
94 | * profiles: Atom Beta, Atom, jitsi, eom, uudeview | ||
95 | * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, | ||
96 | * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox | ||
97 | * bugfixes | ||
98 | -- netblue30 <netblue30@yahoo.com> Thu, 8 Sept 2016 08:00:00 -0500 | ||
99 | |||
100 | firejail (0.9.40) baseline; urgency=low | ||
2 | * added --nice option | 101 | * added --nice option |
3 | * added --x11 option | 102 | * added --x11 option |
4 | * added --x11=xpra option | 103 | * added --x11=xpra option |
5 | * added --x11=xephyr option | 104 | * added --x11=xephyr option |
6 | * added --cpu.print option | 105 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 106 | * added filetransfer options --ls and --get |
107 | * added --writable-etc and --writable-var options | ||
108 | * added --read-only option | ||
8 | * added mkdir, ipc-namespace, and nosound profile commands | 109 | * added mkdir, ipc-namespace, and nosound profile commands |
9 | * added net iface, and iprange profile commands | 110 | * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands |
10 | * --version also prints compile options | 111 | * --version also prints compile options |
11 | * --output option also redirects stderr | 112 | * --output option also redirects stderr |
12 | * added compile-time option to restrict --net= to root only | 113 | * added compile-time option to restrict --net= to root only |
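Review bot: the 0.9.44 block lists --put twice with different wording ("* feature: add files to sandbox container (--put)" and "* feature: move files in sandbox (--put)"); keep one entry, and say which direction it works in, since the same release notes --get in the other direction. In the 0.9.45 block the header carries a final version and a signed date while the first bullet still reads "* development version, work in progress"; either drop that bullet or mark the header as a release candidate the way the old "0.9.40-rc1" line did. Spelling in the new lines: "secuirty" (line 4), "profies" (line 21), "whitlisting" (line 83), "imagemagik" (line 17, ImageMagick), and "keypass2" (line 18, presumably keepass2, matching the keepass/keepassx profiles listed for 0.9.44); line 32 should read "starting/joining sandbox in a single command". The 0.9.42 footer uses "Sept" where every other footer in the file uses a three-letter month.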
@@ -18,10 +119,16 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
18 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril | 119 | * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril |
19 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars | 120 | * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars |
20 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq | 121 | * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq |
21 | * new profiles: PaleMoon, Icedove, abrowser, 0ad | 122 | * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 |
123 | * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player | ||
124 | * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox | ||
125 | * new profiles: generic Ubuntu snap application profile, xplayer | ||
126 | * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation | ||
127 | * new profiles: Brave, Gitter | ||
128 | * generic.profile renamed default.profile | ||
22 | * build rpm packages using "make rpms" | 129 | * build rpm packages using "make rpms" |
23 | * bugfixes | 130 | * bugfixes |
24 | -- netblue30 <netblue30@yahoo.com> Sun, 3 Apr 2016 08:00:00 -0500 | 131 | -- netblue30 <netblue30@yahoo.com> Sun, 29 May 2016 08:00:00 -0500 |
25 | 132 | ||
26 | firejail (0.9.38) baseline; urgency=low | 133 | firejail (0.9.38) baseline; urgency=low |
27 | * IPv6 support (--ip6 and --netfilter6) | 134 | * IPv6 support (--ip6 and --netfilter6) |
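Review bot: "* generic.profile renamed default.profile" is a user-visible change that can break local profiles or scripts still referring to generic.profile; it should say whether the old name is kept as a compatibility fallback or must be updated, rather than sitting as a one-liner between profile additions and the rpm note. The footer date for 0.9.40 moves from 3 Apr 2016 to 29 May 2016 while the hunk context still carries the "0.9.40-rc1" header, so double-check that the whole block now describes the final release and not the rc. Minor: this block keeps the bare "added ..." style of the old entries while the three newer blocks above use the "feature:"/"modifs:"/"security:" prefixes; picking one style across the file would make it easier to scan.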