Changelog for firejail-0.9.46-3.1.x86_64.rpm :
Sat Jun 10 14:00:00 2017 devAATTabrooke.fr
- Update to version 0.9.44.8:

* bugfix: fix broken PulseAudio support
- Update to version 0.9.44.10:

* security: when using --x11=xorg and --net, incorrect processing of
the return code of /usr/bin/xauth could end up starting the
sandbox without the X11 security extension installed. Problem found/fixed
by Zack Weinberg

* bugfix: ~/.pki directory whitelisted and later blacklisted. This affects
most browsers, and disables the custom certificates installed by the user

* bugfix: firecfg config fix

* bugfix: gajim security profile fix

* bugfix: man page fix

* bugfix: force-nonewprivs fix for /etc/firejail/firejail.config

* bugfix: xephyr-extra-params fix for /etc/firejail/firejail.config

* bugfix: memory corruption in noblacklist processing

* bugfix: --quiet fix for Arch and Fedora systems

* bugfix: updated Keepass(x) profiles

* bugfix: firemon --nowrap problem

* bugfix: document firemon --nowrap in man page and in --help option

* bugfix: bash completion for --noblacklist command

* bugfix: vlc profile fix

* bugfix: fixed handling of .local profile files when the software is
installed in ~/.local directory

* bugfix: temporarily remove private-tmp from all profiles, until a fix for
.Xauthority file handling in KDE becomes available

* maintenance: --output cleanup

* maintenance: updated copyright statement in all files
- Update to version 0.9.46:

* security: split most of networking code in a separate executable

* security: split seccomp filter code configuration in a separate executable

* security: split file copying in private option in a separate executable

* feature: disable gnupg and systemd directories under /run/user

* feature: test coverage (gcov) support

* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)

* feature: private /opt directory (--private-opt, profile support)

* feature: private /srv directory (--private-srv, profile support)

* feature: spoof machine-id (--machine-id, profile support)

* feature: allow blacklists under --private (--allow-private-blacklist,
profile support)

* feature: user-defined /etc/hosts file (--hosts-file, profile support)

* feature: support for the real /var/log directory (--writable-var-log,
profile support)

* feature: config support for firejail prompt in terminals

* feature: AppImage type 2 support

* feature: pass command line arguments to appimages

* feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come

* feature: added a number of Python scripts for handling sandboxes

* feature: allow local customization using .local files under /etc/firejail

* feature: follow-symlink-as-user runtime config option in
/etc/firejail/firejail.config

* feature: follow-symlink-private-bin option in /etc/firejail/firejail.config

* feature: xvfb X11 server support (--x11=xvfb)

* feature: allow /tmp directory in mkdir and mkfile profile commands

* feature: implemented --noblacklist command, profile support

* feature: config support to disable access to /mnt and /media (disable-mnt)

* feature: config support to disable join (join)

* feature: disabled Go, Rust, and OpenSSL in disable-devel.conf

* feature: support overlay, overlay-named and overlay-tmpfs in profile files

* feature: allow PulseAudio sockets in --private-tmp

* feature: --fix-sound support in firecfg

* feature: added support for sandboxing Xpra, Xvfb and Xephyr in
independent sandboxes when started with firejail --x11

* feature: enable automatic X server sandboxing for --x11=xpra
and --x11=xephyr

* feature: support for Xpra extra params in firejail config file

* new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire

* new profiles: mumble, zoom, Guayadeque, qemu, keepass2, xed, pluma

* new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator

* new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos

* new profiles: Xonotic, wireshark, keepassx2, QupZilla, FossaMail

* new profiles: Uzbl browser, iridium browser, Thunar, Geeqie, Engrampa

* new profiles: Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView

* new profiles: baloo_file, Nylas, dino, BibleTime, viewnior, Kodi, viking

* new profiles: youtube-dl, meld, Arduino, Akregator, KCalc, KTorrent

* new profiles: Orage Globaltime, Orage Calendar, xfce4-notes, xfce4-dict

* new profiles: Ristretto, PCManFM, Dia, FontForge, Geany, Hugin

* new profiles: mate-calc, mate-dictionary, mate-color-select, caja

* new profiles: galculator, Nemo, gnome-font-viewer, gucharmap, knotes

* new profiles: clipit, leafpad, lximage-qt, lxmusic, qlipper, Xvfb, Xephyr

* new profiles: Blender, 2048-qt

* bugfixes
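The 0.9.44.10 security fix in the entry above concerns the return code of /usr/bin/xauth being processed incorrectly, so that a failed helper still let the sandbox start without the X11 security extension. The following is an added example in C, not firejail's code, of the fail-closed way to consume a helper's exit status next to one plausible wrong way. That the naive decoder reproduces firejail's actual mistake is an assumption; the `sh -c` commands are constructed stand-ins for an xauth invocation, and the function names are this example's own.

```c
/* Added example (not firejail code): consuming a helper's exit status so
 * that any failure aborts the security setup instead of skipping it. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* fork/exec argv and return the raw wait status, or -1 if fork or
 * waitpid failed. If exec fails the child exits 127, as a shell would. */
static int run_child(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

/* Naive decoding (an assumed common mistake, not necessarily firejail's):
 * only the exit-code byte is inspected. A child killed by a signal has no
 * exit code; its wait status is the signal number (9 for SIGKILL), whose
 * WEXITSTATUS is 0, so a helper that never finished looks successful. */
int naive_ok(char *const argv[])
{
    int status = run_child(argv);
    if (status < 0)
        return 0;
    return WEXITSTATUS(status) == 0;
}

/* Fail-closed decoding: success means "exited normally with code 0".
 * Signal death, non-zero exit, exec failure and wait errors all fail. */
int strict_ok(char *const argv[])
{
    int status = run_child(argv);
    if (status < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Constructed stand-ins for "xauth ...": success, failure, signal death. */
char *const CMD_OK[]     = { "sh", "-c", "exit 0", NULL };
char *const CMD_FAIL[]   = { "sh", "-c", "exit 3", NULL };
char *const CMD_KILLED[] = { "sh", "-c", "kill -9 $$", NULL };

int main(void)
{
    printf("ok:     naive=%d strict=%d\n", naive_ok(CMD_OK), strict_ok(CMD_OK));
    printf("fail:   naive=%d strict=%d\n", naive_ok(CMD_FAIL), strict_ok(CMD_FAIL));
    printf("killed: naive=%d strict=%d\n", naive_ok(CMD_KILLED), strict_ok(CMD_KILLED));
    return 0;
}
```

The strict variant is the one to gate a security feature on: a helper that was killed, could not be executed, or returned non-zero must abort the sandbox start rather than silently downgrade it.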

Mon Jan 16 13:00:00 2017 tiwaiAATTsuse.de
- Update to version 0.9.44.4:

* --bandwidth root shell found by Martin Carpenter (CVE-2017-5207)

* disabled --allow-debuggers when running on kernel versions prior
to 4.8; a kernel bug in ptrace system call allows a full bypass
of seccomp filter; problem reported by Lizzie Dixon (CVE-2017-5206)

* root exploit found by Sebastian Krahmer (CVE-2017-5180)
- Update to version 0.9.44.6:

* new fix for CVE-2017-5180 reported by Sebastian Krahmer last week

* major cleanup of file copying code

* tightening the rules for --chroot and --overlay features

* ported Gentoo compile patch

* Nvidia drivers bug in --private-dev

* fix ASSERT_PERMS_FD macro

* allow local customization using .local files under /etc/firejail
backported from our development branch

* spoof machine-id backported from our development branch
- Remove obsoleted patches:
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
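The 0.9.44.4 entry above disables --allow-debuggers on kernels before 4.8 because a ptrace bug allowed a full seccomp bypass (CVE-2017-5206). Below is an added example in C, not firejail's code, of that kind of version gate: it parses the uname release string numerically (so 4.10 is correctly treated as newer than 4.8, which a string comparison gets wrong) and refuses the option whenever the version cannot be determined. The 4.8 threshold is taken from the entry; the function names are this example's own.

```c
/* Added example (not firejail code): gate a risky option on the running
 * kernel version, failing closed on anything that cannot be parsed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/* Parse "major.minor" from a release string such as "4.4.0-112-generic".
 * Returns 1 on success, 0 if it does not start with two dotted integers. */
int parse_kernel_release(const char *release, int *major, int *minor)
{
    char *end;
    if (release == NULL || *release == '\0')
        return 0;
    long ma = strtol(release, &end, 10);
    if (end == release || *end != '.' || ma < 0)
        return 0;
    const char *p = end + 1;
    long mi = strtol(p, &end, 10);
    if (end == p || mi < 0)
        return 0;
    *major = (int)ma;
    *minor = (int)mi;
    return 1;
}

/* Minimum kernel for --allow-debuggers, per the changelog entry above. */
#define MIN_MAJOR 4
#define MIN_MINOR 8

/* 1 if the release is >= 4.8; 0 otherwise, including unparsable input,
 * because an unknown kernel must be assumed to carry the ptrace bug. */
int kernel_allows_debuggers(const char *release)
{
    int major, minor;
    if (!parse_kernel_release(release, &major, &minor))
        return 0;
    if (major != MIN_MAJOR)
        return major > MIN_MAJOR;
    return minor >= MIN_MINOR;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    printf("kernel %s: --allow-debuggers %s\n", u.release,
           kernel_allows_debuggers(u.release) ? "permitted" : "refused");
    return 0;
}
```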

Thu Jan 5 13:00:00 2017 tiwaiAATTsuse.de
- Update to version 0.9.44.2:
Security fixes:

* overwrite /etc/resolv.conf found by Martin Carpenter

* TOCTOU exploit for --get and --put found by Daniel Hodson

* invalid environment exploit found by Martin Carpenter

* several security enhancements
Bugfixes:

* crashing VLC by pressing Ctrl-O

* use user configured icons in KDE

* mkdir and mkfile are not applied to private directories

* cannot open files on Deluge running under KDE

* --private=dir where dir is the user home directory

* cannot start Vivaldi browser

* cannot start mupdf

* ssh profile problems

* --quiet

* quiet in git profile

* memory corruption
- Fix VUL-0: local root exploit (CVE-2017-5180,bsc#1018259):
firejail-CVE-2017-5180-fix1.patch
firejail-CVE-2017-5180-fix2.patch
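The 0.9.44.2 entry above lists a TOCTOU exploit in --get and --put, the file transfer options that copy files into and out of a sandbox on the user's behalf, and the 0.9.44.6 entry records a cleanup of the file copying code. Below is an added example in C, not firejail's code, of the pattern that removes the race in such a privileged copy helper: open the path without following a final symlink, then validate type and ownership with fstat on the descriptor that will actually be read, instead of stat on a path that can be swapped between the check and the use. The fixture directory, its file names and the requirement that the file be owned by the requesting user are this example's assumptions.

```c
/* Added example (not firejail code): TOCTOU-safe open for a privileged
 * file copy. Validate the opened descriptor, never a separately stat'ed path. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Open `path` read-only and return the fd only if the object reached is a
 * regular file owned by `owner`. A final symlink is refused by O_NOFOLLOW
 * (ELOOP); O_NONBLOCK keeps a FIFO from hanging the helper. Returns -1 with
 * errno set otherwise. Because fstat runs on the fd that will later be
 * read, swapping the path after the check changes nothing. */
int open_regular_owned(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture (this example's own): a temp dir holding a regular
 * file, a symlink to it and a subdirectory. Created once, path cached. */
static char fixture_dir[256];

const char *fixture(void)
{
    if (fixture_dir[0] != '\0')
        return fixture_dir;
    const char *base = getenv("TMPDIR");
    if (base == NULL)
        base = "/tmp";
    char tmpl[256], file[320], link[320], sub[320];
    snprintf(tmpl, sizeof tmpl, "%s/firejail-get-XXXXXX", base);
    if (mkdtemp(tmpl) == NULL)
        return NULL;
    snprintf(file, sizeof file, "%s/file", tmpl);
    snprintf(link, sizeof link, "%s/link", tmpl);
    snprintf(sub, sizeof sub, "%s/subdir", tmpl);
    FILE *f = fopen(file, "w");
    if (f == NULL)
        return NULL;
    fputs("secret\n", f);
    fclose(f);
    if (symlink(file, link) != 0 || mkdir(sub, 0700) != 0)
        return NULL;
    strcpy(fixture_dir, tmpl);
    return fixture_dir;
}

/* 1 if `name` inside the fixture opens as a regular file owned by `owner`,
 * 0 if the helper refuses it, -1 if the fixture could not be built. */
int fixture_check(const char *name, uid_t owner)
{
    const char *dir = fixture();
    if (dir == NULL)
        return -1;
    char path[384];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open_regular_owned(path, owner);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    const char *names[] = { "file", "link", "subdir", "missing" };
    for (int i = 0; i < 4; i++)
        printf("%-8s owner=self:  %d\n", names[i], fixture_check(names[i], getuid()));
    printf("%-8s owner=other: %d\n", "file", fixture_check("file", getuid() + 1));
    return 0;
}
```

Only the final path component is protected here; a directory earlier in the path can still be replaced under the helper, so a complete privileged copier also walks the path component by component with openat and O_NOFOLLOW, or drops to the requesting user's uid before touching their files. Moving the copy into a separate, less privileged executable, as the 0.9.46 entry above records, is the privilege-separation side of the same problem.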

Thu Oct 27 14:00:00 2016 tiwaiAATTsuse.de
- Update to version 0.9.44:

* CVE-2016-7545 submitted by Aleksey Manevich
Modifications:

* removed man firejail-config

* --private-tmp whitelists /tmp/.X11-unix directory

* Nvidia drivers added to --private-dev

* /srv supported by --whitelist
New features:

* allow user access to /sys/fs (--noblacklist=/sys/fs)

* support starting/joining a sandbox in a single command (--join-or-start)

* X11 detection support for --audit

* assign a name to the interface connected to the bridge (--veth-name)

* all user home directories are visible (--allusers)

* add files to sandbox container (--put)

* blocking x11 (--x11=block)

* X11 security extension (--x11=xorg)

* disable 3D hardware acceleration (--no3d)

* x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands

* move files in sandbox (--put)

* accept wildcard patterns in user name field of restricted shell login feature
New profiles:

* qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape

* feh, ranger, zathura, 7z, keepass, keepassx,

* claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot

* Flowblade, Eye of GNOME (eog), Evolution

Fri Sep 30 14:00:00 2016 tiwaiAATTsuse.de
- Update to version 0.9.42:
Security fixes:

* --whitelist deleted files

* disable x32 ABI in seccomp

* tighten --chroot

* terminal sandbox escape

* several TOCTOU fixes
Behavior changes:

* bringing back --private-home option

* deprecated --user option, please use "sudo -u username firejail"

* allow symlinks in home directory for --whitelist option

* Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"

* recursive mkdir

* include /dev/snd in --private-dev

* seccomp filter update

* release archives moved to .xz format
New features:

* AppImage support (--appimage)

* AppArmor support (--apparmor)

* Ubuntu snap support (/etc/firejail/snap.profile)

* Sandbox auditing support (--audit)

* remove environment variable (--rmenv)

* noexec support (--noexec)

* clean local overlay storage directory (--overlay-clean)

* store and reuse overlay (--overlay-named)

* allow debugging inside the sandbox with gdb and strace (--allow-debuggers)

* mkfile profile command

* quiet profile command

* x11 profile command

* option to fix desktop files (firecfg --fix)
Build options:

* Busybox support (--enable-busybox-workaround)

* disable overlayfs (--disable-overlayfs)

* disable whitelisting (--disable-whitelist)

* disable global config (--disable-globalcfg)
Runtime options:

* enable/disable overlayfs (overlayfs yes/no)

* enable/disable quiet as default (quiet-by-default yes/no)

* user-defined network filter (netfilter-default)

* enable/disable whitelisting (whitelist yes/no)

* enable/disable remounting of /proc and /sys (remount-proc-sys yes/no)

* enable/disable chroot desktop features (chroot-desktop yes/no)
New/updated profiles:

* Gitter, gThumb, mpv, Franz messenger, LibreOffice

* pix, audacity, xz, xzdec, gzip, cpio, less

* Atom Beta, Atom, jitsi, eom, uudeview

* tar (gtar), unzip, unrar, file, skypeforlinux

* inox, Slack, gnome-chess, Gajim IM client, DOSBox
- Enable apparmor support

Wed Jun 8 14:00:00 2016 tiwaiAATTsuse.de
- Update to version 0.9.40:

* Added firecfg utility

* New options: --nice, --cpu.print, --writable-etc, --writable-var,
--read-only

* X11 support: --x11 option (--x11=xpra, --x11=xephyr)

* File transfer options: --ls and --get

* Added mkdir, ipc-namespace, and nosound profile commands

* added net, ip, defaultgw, ip6, mac, mtu and iprange profile
commands

* Run time config support, man firejail-config

* AppArmor fixes

* Default seccomp filter update

* Disable STUN/WebRTC in default netfilter configuration

* Lots of new profiles

Tue May 17 14:00:00 2016 tiwaiAATTsuse.de
- initial package: 0.9.38


 