firejail/firejail.changes

-------------------------------------------------------------------
Thu Jan 5 10:38:43 CET 2017 - tiwai@suse.de
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for get and put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
-------------------------------------------------------------------
Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to private-dev
* /srv supported by whitelist
New features:
* allow user access to /sys/fs (noblacklist=/sys/fs)
* support starting/joining sandbox in a single command (join-or-start)
* X11 detection support for audit
* assign a name to the interface connected to the bridge (veth-name)
* all user home directories are visible (allusers)
* add files to sandbox container (put)
* blocking x11 (x11=block)
* X11 security extension (x11=xorg)
* disable 3D hardware acceleration (no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
-------------------------------------------------------------------
Fri Sep 30 10:56:58 CEST 2016 - tiwai@suse.de
- Update to version 0.9.42:
Security fixes:
* whitelist deleted files
* disable x32 ABI in seccomp
* tighten chroot
* terminal sandbox escape
* several TOCTOU fixes
Behavior changes:
* bringing back private-home option
* deprecated user option, please use "sudo -u username firejail"
* allow symlinks in home directory for whitelist option
* Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
* recursive mkdir
* include /dev/snd in private-dev
* seccomp filter update
* release archives moved to .xz format
New features:
* AppImage support (appimage)
* AppArmor support (apparmor)
* Ubuntu snap support (/etc/firejail/snap.profile)
* Sandbox auditing support (audit)
* remove environment variable (rmenv)
* noexec support (noexec)
* clean local overlay storage directory (overlay-clean)
* store and reuse overlay (overlay-named)
* allow debugging inside the sandbox with gdb and strace (allow-debuggers)
* mkfile profile command
* quiet profile command
* x11 profile command
* option to fix desktop files (firecfg fix)
Build options:
* Busybox support (enable-busybox-workaround)
* disable overlayfs (disable-overlayfs)
* disable whitelisting (disable-whitelist)
* disable global config (disable-globalcfg)
Runtime options:
* enable/disable overlayfs (overlayfs yes/no)
* enable/disable quiet as default (quiet-by-default yes/no)
* user-defined network filter (netfilter-default)
* enable/disable whitelisting (whitelist yes/no)
* enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
* enable/disable chroot desktop features (chroot-desktop yes/no)
New/updated profiles:
* Gitter, gThumb, mpv, Franz messenger, LibreOffice
* pix, audacity, xz, xzdec, gzip, cpio, less
* Atom Beta, Atom, jitsi, eom, uudeview
* tar (gtar), unzip, unrar, file, skypeforlinux,
* inox, Slack, gnome-chess, Gajim IM client, DOSBox
- Enable apparmor support
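Added example (not code from the firejail project or from this package): a minimal seccomp-bpf filter in C that shows the hazard behind the "disable x32 ABI in seccomp" item in the 0.9.42 entry above. On x86_64, x32 system calls enter through the same path as 64-bit ones but carry bit 30 (0x40000000) in the syscall number, so a filter that matches only on plain syscall numbers can be bypassed by OR-ing that bit in. The filter below first checks the audit architecture and then rejects any number with the x32 bit set, returning EPERM so the effect is observable rather than a kill; the probe function issues getpid() through the x32 number before and after installation. The function names and the choice of EPERM are this example's own.

```c
/* seccomp_no_x32.c: deny x32-ABI syscalls from a seccomp-bpf filter.
 * Added example, not firejail code. Build:
 *   gcc -O2 -Wall seccomp_no_x32.c -o seccomp_no_x32 && ./seccomp_no_x32
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

long syscall(long number, ...);   /* glibc prototype, in case _GNU_SOURCE came too late */

/* x32 syscalls share the x86_64 entry point but carry bit 30 in the number. */
#define X32_SYSCALL_BIT 0x40000000

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define NATIVE_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Fail the call with EPERM instead of killing, so the probe can report it. */
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install a filter that returns EPERM for (a) any syscall whose audit arch
 * is not the one this binary was built for and (b) any syscall number with
 * the x32 bit set. Everything else is allowed, so this composes with a
 * separate allowlist. Returns 0 on success, -errno on failure. */
int install_x32_deny_filter(void)
{
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; deny if it is not the native ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        /* A = seccomp_data.nr; deny if the x32 bit is set */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Unprivileged processes must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Issue getpid() through the x32 syscall number. Returns 0 if the kernel
 * served it (the hole a number-only filter leaves open), otherwise errno:
 * ENOSYS on kernels without x32 support, EPERM once our filter is loaded. */
int probe_x32_getpid(void)
{
    long r = syscall(SYS_getpid | X32_SYSCALL_BIT);
    return r == -1 ? errno : 0;
}

int main(void)
{
    printf("before filter: x32 getpid -> errno %d\n", probe_x32_getpid());
    int rc = install_x32_deny_filter();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("after filter:  x32 getpid -> errno %d (EPERM is %d)\n",
           probe_x32_getpid(), EPERM);
    printf("native getpid still works: %ld\n", (long)getpid());
    return 0;
}
```

On a distribution kernel built with x32 support the first probe prints errno 0, i.e. the x32 getpid was served even though a 64-bit-only allowlist might never have listed it; after the filter it prints EPERM while the native getpid keeps working. A production filter normally kills the process on an architecture mismatch rather than returning an errno; EPERM is used here only so the result can be read back.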
-------------------------------------------------------------------
Wed Jun 8 15:20:43 CEST 2016 - tiwai@suse.de
- Update to version 0.9.40:
* Added firecfg utility
* New options: -nice, -cpu.print, -writable-etc, -writable-var,
-read-only
* X11 support: -x11 option (-x11=xpra, -x11=xephyr)
* Filetransfer options: ls and get
* Added mkdir, ipc-namespace, and nosound profile commands
* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands
* Run time config support, man firejail-config
* AppArmor fixes
* Default seccomp filter update
* Disable STUN/WebRTC in default netfilter configuration
* Lots of new profiles
-------------------------------------------------------------------
Tue May 17 17:13:03 CEST 2016 - tiwai@suse.de
- initial package: 0.9.38