- Update to version 0.9.48:
* modifs: whitelisted Transmission, Deluge, qBitTorrent,
KTorrent;
please use ~/Downloads directory for saving files
* modifs: AppArmor made optional; a warning is printed on the
screen if the sandbox fails to load the AppArmor profile
* feature: --novideo
* feature: drop discretionary access control capabilities for
root sandboxes
* feature: added /etc/firejail/globals.local for global
customizations
* feature: profile support in overlayfs mode
* new profiles: vym, darktable, Waterfox, digiKam, Catfish,
HandBrake
* bugfixes
OBS-URL: https://build.opensuse.org/request/show/517016
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=7
* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)
* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)
* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:
* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week
* major cleanup of file copying code
* tightening the rules for --chroot and --overlay features
* ported Gentoo compile patch
* Nvidia drivers bug in --private-dev
* fix ASSERT_PERMS_FD macro
* allow local customization using .local files under /etc/firejail
backported from our development branch
* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=6
- Update to version 0.9.44.2:
Security fixes:
* overwrite /etc/resolv.conf found by Martin Carpenter
* TOCTOU exploit for –get and –put found by Daniel Hodson
* invalid environment exploit found by Martin Carpenter
* several security enhancements
Bugfixes:
* crashing VLC by pressing Ctrl-O
* use user configured icons in KDE
* mkdir and mkfile are not applied to private directories
* cannot open files on Deluge running under KDE
* –private=dir where dir is the user home directory
* cannot start Vivaldi browser
* cannot start mupdf
* ssh profile problems
* –quiet
* quiet in git profile
* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
OBS-URL: https://build.opensuse.org/request/show/448835
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=5
- Update to version 0.9.44:
* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:
* removed man firejail-config
* –private-tmp whitelists /tmp/.X11-unix directory
* Nvidia drivers added to –private-dev
* /srv supported by –whitelist
New features:
* allow user access to /sys/fs (–noblacklist=/sys/fs)
* support starting/joining sandbox is a single command (–join-or-start)
* X11 detection support for –audit
* assign a name to the interface connected to the bridge (–veth-name)
* all user home directories are visible (–allusers)
* add files to sandbox container (–put)
* blocking x11 (–x11=block)
* X11 security extension (–x11=xorg)
* disable 3D hardware acceleration (–no3d)
* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* move files in sandbox (–put)
* accept wildcard patterns in user name field of restricted shell login feature
New profiles:
* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* feh, ranger, zathura, 7z, keepass, keepassx,
* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* Flowblade, Eye of GNOME (eog), Evolution
OBS-URL: https://build.opensuse.org/request/show/437560
OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=4
