firejail/firejail.changes

-------------------------------------------------------------------
Sat Sep  9 14:40:29 UTC 2017 - aavindraa@gmail.com

- Update to version 0.9.50:
  * New features:
    - per-profile disable-mnt (--disable-mnt)
    - per-profile support to set X11 Xephyr screen size (--xephyr-screen)
    - private /lib directory (--private-lib)
    - disable CDROM/DVD drive (--nodvd)
    - disable DVB devices (--notv)
    - --profile.print
  * modif: --output split in two commands, --output and --output-stderr
  * set xpra-attach yes in /etc/firejail/firejail.config
  * Enhancements:
    - print all seccomp filters under --debug
    - /proc/sys mounting
    - rework IP address assingment for --net options
    - support for newer Xpra versions (2.1+) -
    - all profiles use a standard layout style
    - create /usr/local for firecfg if the directory doesn't exist
    - allow full paths in --private-bin
   * New seccomp features:
    - --memory-deny-write-execute
    - seccomp post-exec
    - block secondary architecture (--seccomp.block_secondary)
    - seccomp syscall groups
    - print all seccomp filters under --debug
    - default seccomp list update
  * new profiles:
    curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite,
    Geary, Liferea, peek, silentarmy, IntelliJ IDEA,
    Android Studio, electron, riot-web, Extreme Tux Racer,
    Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
    telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
    hashcat, obs, picard, remmina, sdat2img, soundconverter
    truecraft, gnome-twitch, tuxguitar, musescore, neverball
    sqlitebrowse, Yandex Browser, minetest

-------------------------------------------------------------------
Tue Aug 15 15:47:49 CEST 2017 - tiwai@suse.de

- Update to version 0.9.48:
  * modifs: whitelisted Transmission, Deluge, qBitTorrent,
    KTorrent;
    please use ~/Downloads directory for saving files
  * modifs: AppArmor made optional; a warning is printed on the
    screen if the sandbox fails to load the AppArmor profile
  * feature: --novideo
  * feature: drop discretionary access control capabilities for
    root sandboxes
  * feature: added /etc/firejail/globals.local for global
    customizations
  * feature: profile support in overlayfs mode
  * new profiles: vym, darktable, Waterfox, digiKam, Catfish,
    HandBrake
  * bugfixes

-------------------------------------------------------------------
Mon Jan 16 16:33:59 CET 2017 - tiwai@suse.de

- Update to version 0.9.44.4:
  * --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
  * disabled --allow-debuggers when running on kernel versions prior
    to 4.8; a kernel bug in ptrace system call allows a full bypass
    of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
  * root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
  * new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
  * major cleanup of file copying code
  * tightening the rules for --chroot and --overlay features
  * ported Gentoo compile patch
  * Nvidia drivers bug in --private-dev
  * fix ASSERT_PERMS_FD macro
  * allow local customization using .local files under /etc/firejail
    backported from our development branch
  * spoof machine-id backported from our development branch
- Remove obsoleted patches:
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

-------------------------------------------------------------------
Thu Jan  5 10:38:43 CET 2017 - tiwai@suse.de

- Update to version 0.9.44.2:
  Security fixes:
  * overwrite /etc/resolv.conf found by Martin Carpenter
  * TOCTOU exploit for –get and –put found by Daniel Hodson
  * invalid environment exploit found by Martin Carpenter
  * several security enhancements
  Bugfixes:
  * crashing VLC by pressing Ctrl-O
  * use user configured icons in KDE
  * mkdir and mkfile are not applied to private directories
  * cannot open files on Deluge running under KDE
  * –private=dir where dir is the user home directory
  * cannot start Vivaldi browser
  * cannot start mupdf
  * ssh profile problems
  * –quiet
  * quiet in git profile
  * memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
  firejail-CVE-2017-5180-fix1.patch
  firejail-CVE-2017-5180-fix2.patch

-------------------------------------------------------------------
Thu Oct 27 17:49:48 CEST 2016 - tiwai@suse.de

- Update to version 0.9.44:
  * CVE-2016-7545 submitted by Aleksey Manevich
  Modifications:
  * removed man firejail-config
  * –private-tmp whitelists /tmp/.X11-unix directory
  * Nvidia drivers added to –private-dev
  * /srv supported by –whitelist
  New features:
  * allow user access to /sys/fs (–noblacklist=/sys/fs)
  * support starting/joining sandbox is a single command (–join-or-start)
  * X11 detection support for –audit
  * assign a name to the interface connected to the bridge (–veth-name)
  * all user home directories are visible (–allusers)
  * add files to sandbox container (–put)
  * blocking x11 (–x11=block)
  * X11 security extension (–x11=xorg)
  * disable 3D hardware acceleration (–no3d)
  * x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
  * move files in sandbox (–put)
  * accept wildcard patterns in user name field of restricted shell login feature
  New profiles:
  * qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
  * feh, ranger, zathura, 7z, keepass, keepassx,
  * claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
  * Flowblade, Eye of GNOME (eog), Evolution

-------------------------------------------------------------------
Fri Sep 30 10:56:58 CEST 2016 - tiwai@suse.de

- Update to version 0.9.42:
  Security fixes:
  * –whitelist deleted files
  * disable x32 ABI in seccomp
  * tighten –chroot
  * terminal sandbox escape
  * several TOCTOU fixes
  Behavior changes:
  * bringing back –private-home option
  * deprecated –user option, please use “sudo -u username firejail”
  * allow symlinks in home directory for –whitelist option
  * Firejail prompt is enabled by env variable FIREJAIL_PROMPT=”yes”
  * recursive mkdir
  * include /dev/snd in –private-dev
  * seccomp filter update
  * release archives moved to .xz format
  New features:
  * AppImage support (–appimage)
  * AppArmor support (–apparmor)
  * Ubuntu snap support (/etc/firejail/snap.profile)
  * Sandbox auditing support (–audit)
  * remove environment variable (–rmenv)
  * noexec support (–noexec)
  * clean local overlay storage directory (–overlay-clean)
  * store and reuse overlay (–overlay-named)
  * allow debugging inside the sandbox with gdb and strace (–allow-debuggers)
  * mkfile profile command
  * quiet profile command
  * x11 profile command
  * option to fix desktop files (firecfg –fix)
  Build options:
  * Busybox support (–enable-busybox-workaround)
  * disable overlayfs (–disable-overlayfs)
  * disable whitlisting (–disable-whitelist)
  * disable global config (–disable-globalcfg)
  Runtime options:
  * enable/disable overlayfs (overlayfs yes/no)
  * enable/disable quiet as default (quiet-by-default yes/no)
  * user-defined network filter (netfilter-default)
  * enable/disable whitelisting (whitelist yes/no)
  * enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)
  * enable/disable chroot desktop features (chroot-desktop yes/no)
  New/updated profiels:
  * Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * pix, audacity, xz, xzdec, gzip, cpio, less
  * Atom Beta, Atom, jitsi, eom, uudeview
  * tar (gtar), unzip, unrar, file, skypeforlinux,
  * inox, Slack, gnome-chess. Gajim IM client, DOSBox
- Enable apparmor support

-------------------------------------------------------------------
Wed Jun  8 15:20:43 CEST 2016 - tiwai@suse.de

- Update to version 0.9.40:
  * Added firecfg utility
  * New options: -nice, -cpu.print, -writable-etc, -writable-var,
    -read-only
  * X11 support: -x11 option (-x11=xpra, -x11=xephr)
  * Filetransfer options: –ls and –get
  * Added mkdir, ipc-namespace, and nosound profile commands
  * added net, ip, defaultgw, ip6, mac, mtu and iprange profile
    commands
  * Run time config support, man firejail-config
  * AppArmor fixes
  * Default seccomp filter update
  * Disable STUN/WebRTC in default netfilter configuration
  * Lots of new profiles

-------------------------------------------------------------------
Tue May 17 17:13:03 CEST 2016 - tiwai@suse.de

- initial package: 0.9.38