The maintainers of the Openwall security enhanced Linux distribution have released a new stable version, which includes fixes for a number of serious vulnerabilities, such as the Shellshock Bash bug and the flaw in SSLv3 that leads to the POODLE attack.
Openwall is designed to be a small, compact Linux distribution for servers, appliances and virtual appliances and much of the code that’s packaged with the distribution undergoes a source code review. The distribution comprises a number of popular open source packages, including OpenSSL.
“The primary approach used is proactive source code review for several classes of software vulnerabilities. However, because of the large amount of code, there’s a certain level of ‘importance’ for a software component or a part thereof to be audited. Currently, only pieces of code which are typically run with privileges greater than those of a regular user and/or typically process data obtained over a network are audited before the corresponding software component is included. This covers relevant code paths in many of the system libraries, all SUID/ SGID programs, all daemons and network services,” the Openwall site says.
Openwall, also known as Owl, was updated to version 3.1, which fixes, not notably, four vulnerabilities in OpenSSL. One of those bugs is the SSLv3 fallback problem that allows the POODLE attack to succeed. That issue involves the tendency of Web servers trying to negotiate an SSL session to fallback to an older version of the secure protocol if a session fails. In some cases, attackers can force a connection to fail and then, if the server falls back to SSLv3, an outdated version of the protocol, exploit that to recover protected data.
Owl 3.1 also includes an update to the Bash package that fixes the Shellshock vulnerability. That flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is called.
Image from Flickr photos of Jon Bunting.