Owl live CDs with remote SSH access are also good for recovering or installing systems (whether with Owl or not).
Another secondary use is for operating systems and/or computer security courses, which benefit from the simple structure of Owl and from the inclusion of the complete build environment.
Update (via Distrowatch):
Openwall GNU/*/Linux 3.0 is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances. Today's release of version 3.0 marks the 10-year anniversary of the project: "I am pleased to announce that we have made a new major release of Openwall GNU/*/Linux, version 3.0. The ISO images include a live system, installable packages, the installer program, as well as full source code and the build environment. This release marks roughly 10 years of our project - development started in mid-2000, and Owl 0.1-prerelease was made public in 2001. With the 3.0 release, the Owl 2.0-stable branch is formally discontinued. We intend to proceed with further development under Owl-current and to maintain the newly-created Owl 3.0-stable branch until the next release, as usual."
See the full release announcement for more information and upgrade instructions.
Download (SHA1): Owl-3.0-release-i686.iso.gz (442MB), Owl-3.0-release-x86_64.iso.gz (448MB).
• 2010-12-16: Distribution Release: Openwall GNU/*/Linux 3.0
• 2006-02-15: Distribution Release: Openwall GNU/*/Linux 2.0
• 2003-12-24: Distribution Release: Openwall GNU/*/Linux 1.1
• 2002-10-15: Distribution Release: Openwall GNU/Linux 1.0
- Patch for Linux 18.104.22.168, version 1 and its signature
- Patch for Linux 2.2.26, version 1 and its signature
- Patch for Linux 2.0.40, version 1 and its signature
Linux 22.214.171.124-ow1 is out. You may want to check out the lists of changes in 126.96.36.199 and 188.8.131.52. The patch additionally includes a post-184.108.40.206 fix for FAT filesystems.
Linux 220.127.116.11-ow1 is out. The 18.104.22.168 kernel fixes a number of security-related bugs.
Linux 22.214.171.124-ow1 is out. The 126.96.36.199 kernel fixes a number of information leak vulnerabilities. One of these was already fixed in 188.8.131.52-ow1 (see below), and the remaining ones may or may not affect specific systems depending on both kernel and userspace configuration.
Linux 184.108.40.206-ow1 is out. The 220.127.116.11 kernel adds a fix for the Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692), which was not exploitable into privilege escalation as long as the vm.mmap_min_addr restriction was enabled and working. There have been no known issues with vm.mmap_min_addr in recent kernels (the "personality" trick mentioned below does not count because it required a vulnerable SUID-root program). In our patched kernels, vm.mmap_min_addr is enabled by default. More importantly, Linux 18.104.22.168-ow1 adds a fix for the sigaltstack local information leak affecting 64-bit kernel builds (CVE-2009-2847).
Linux 22.214.171.124-ow1 is out. The 126.96.36.199 kernel integrates a replacement for the "personality" hardening measure introduced in 188.8.131.52-ow1.
Linux 184.108.40.206-ow1 is out. The 220.127.116.11 kernel release adds the "-fno-delete-null-pointer-checks" option to gcc invocations, which is important to reduce the impact of a class of kernel bugs (which are yet to be found and fixed individually, but are known to exist in general), adds several security-relevant fixes to the RTL-8169 NIC driver, and makes other assorted changes. The Linux 18.104.22.168-ow1 kernel patch introduces an additional security hardening measure where the kernel will no longer allow the "personality" feature (which is needed to support some program binaries from other operating systems) to be abused to bypass the vm.mmap_min_addr restriction via SUID-root programs with a certain class of design errors in them. Similar changes were introduced into 2.6.x kernels recently.
Linux 22.214.171.124-ow1 is out. The 126.96.36.199 kernel release adds several bug fixes, including security-relevant ones.
Linux 188.8.131.52-ow1 is out. Linux 184.108.40.206, compared to 2.4.35-ow2, adds numerous security-relevant fixes to various kernel subsystems. Additionally, functionality of the restricted zero page mappings feature in 220.127.116.11-ow1 has been revised to apply on top of the vm.mmap_min_addr sysctl introduced in mainstream 2.4 kernels, and the documentation has been revised accordingly.
Linux 2.4.35-ow2 is out. This revision adds a fix for the parent process death signal vulnerability in the Linux kernel discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research (CVE-2007-3848). It also adds two security hardening features, both enabled by default: restricted access to VM86 mode (specific to 32-bit x86) and restricted zero page mappings (generic).
Linux 2.4.35-ow1 is out. The single known security-relevant change added with Linux 2.4.35 is correction of the randomness pool update bug discovered by the PaX Team.
Linux 2.4.34-ow1 is out. Linux 2.4.34 includes a number of security fixes for issues that either have minor impact or are in subsystems that are not commonly used in ways that would expose the security issues.
Linux 2.4.33-ow1 is out.
Linux 2.4.32-ow1 is out.
Linux 2.4.31-ow1 is out. The changes since 2.4.30-ow3 are unimportant for most users.
Further analysis shows that on Linux 2.4.30 and above running on x86, the impact of CAN-2005-1263 is limited to DoS. On 2.4.x kernels older than 2.4.30 and/or on other architectures (including x86-64), privilege escalation via this bug appears to actually be possible.
Linux 2.4.30-ow3 is out. This version adds a fix to the ELF core dump vulnerability (CAN-2005-1263) discovered by Paul Starzetz, as well as a fix to an x86-64 DoS vulnerability (from Linux 2.4.31-pre1). Linux 2.2.x starting with 2.2.21-ow2 and 2.0.x kernels are unaffected.
Linux 2.4.30-ow1 is out.
Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes, including to the x86/SMP page fault handler (CAN-2005-0001) and the uselib(2) (CAN-2004-1235) race conditions, both discovered by Paul Starzetz. The potential of these bugs is a local root compromise. The uselib(2) bug does not affect default builds of Linux kernels with the Openwall patch applied since the vulnerable code is only compiled in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch.
Linux 2.4.28-ow1 is out. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (local root), and smbfs support vulnerabilities discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs server; potential: remote root by a malicious smbfs server).
Linux 2.4.27-ow1 is out.
Linux 2.4.26-ow3 is out. This corrects the access control check in the Linux kernel which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files (CAN-2004-0497) and adds a workaround for the file offset pointer races discovered by Paul Starzetz (CAN-2004-0415).
Linux 2.4.26-ow2 is out. This update fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the patch itself. Please refer to the announcement for detailed information on the changes.
Linux 2.4.26-ow1 and 2.0.40-ow1 are out.
Linux 2.4.26 (and thus 2.4.26-ow1) fixes an integer overflow vulnerability in processing of the MCAST_MSFILTER socket option discovered by Paul Starzetz. When properly exploited, the bug would lead to a local root compromise. Also included in this kernel release is a fix for the ext3/XFS information leak discovered by Solar Designer, and a number of other relatively minor fixes.
Linux 2.0.40 (and thus 2.0.40-ow1), compared to Linux 2.0.39-ow3, eliminates an information leak via ICMP messages.
Linux 2.2.26-ow1 is out and includes more verbose reporting of returns onto stack.
Linux 2.2.25-ow2 is out and includes a workaround for the second mremap(2) system call vulnerability discovered by Paul Starzetz. It also includes the /dev/rtc information leak fix (see the news item from January 5, below) and other minor fixes. Upgrading of existing Linux 2.2.x installs is strongly recommended.
Linux 2.4.25-ow1 is out. Upgrading of existing 2.4.23-ow2 and 2.4.24-ow1 installs is not strictly required for most users as 2.4.23-ow2+ patches already included a kernel bug fix which was later determined to be security-critical and needed to avoid the second mremap(2) system call vulnerability discovered by Paul Starzetz and made public two days ago.
Linux 2.4.24-ow1 is out. Upgrading of existing 2.4.23-ow2 installs is not required.
Linux 2.4.23-ow2 adds fixes for two Linux kernel vulnerabilities. One of the vulnerabilities, discovered by Paul Starzetz, is in incorrect handling of a boundary case in mremap(2) system call. When properly exploited, this vulnerability may allow any local user and any process to execute arbitrary code with kernel privileges and thus gain root access and bypass restrictions such as cap-bound. More trivial exploits of the same vulnerability result in an instant reboot (local DoS). This vulnerability does not affect Linux 2.2.x and older kernels. The other vulnerability has been discovered by Russell King and results in the real time clock drivers leaking small amounts of kernel internal data to user-space applications via the /dev/rtc device. Such data might be security-sensitive. All of Linux 2.0.x, 2.2.x, and 2.4.x are affected, provided the /dev/rtc device is readable to untrusted users (it isn't on Owl).
Linux 2.4.23 (and thus 2.4.23-ow1) includes a fix to a vulnerability in the brk(2) system call discovered by Andrew Morton. When properly exploited, this vulnerability may allow any local user and any process to execute arbitrary code with kernel privileges and thus gain root access and bypass restrictions such as cap-bound. Linux 2.2.x and 2.0.x are not affected.
Additionally, Linux 2.4.23-ow1 makes the reporting of returns onto stack more verbose and makes the kernel retry attempts to open the root filesystem device if the first attempt fails.
Linux 2.4.21-ow2 adds fixes for two Linux kernel vulnerabilities recently discovered by Paul Starzetz. One of the vulnerabilities allows for substitution of SUID/SGID programs on Linux 2.4.x (but not 2.2.x or 2.0.x), thereby leaking their elevated privileges. On older Linux kernels, the impact of this vulnerability is limited to dumping the contents of unreadable SUID/SGID programs. The other vulnerability gives users read access to the environment of SUID/SGID programs they run.
Linux 2.4.21 (and thus 2.4.21-ow1) adds numerous security fixes, including to the kmod/ptrace race previously fixed in 2.2.25 and many 2.4.x-specific vulnerabilities (ioperm(2) allowing unauthorized direct access to certain I/O ports, O_DIRECT information leaks, excessive CPU consumption with networking, and more).
Linux 2.2.24 and 2.2.25 (and thus 2.2.25-ow1) add a number of security fixes: for the kmod/ptrace race, "Etherleak", and a local DoS with mmap(2) of /proc/
Linux 2.2.22-ow2 improves the "lcall" DoS fix for the Linux kernel to cover the NT (Nested Task) flag attack discovered by Christophe Devine.
Linux 2.2.21-ow2 includes many security fixes for issues with the Linux kernel discovered during code reviews by Silvio Cesare, Solar Designer, and others.
Linux 2.2.20-ow2 fixes an x86-specific vulnerability in the Linux kernel discovered by Stephan Springl where local users could abuse a binary compatibility interface (lcall) to kill processes not belonging to them (including system processes).
Linux 2.2.20 adds a workaround for a vulnerability with certain packet filter setups and SYN cookies where the packet filter rules could be bypassed. Additionally, 2.2.20-ow1 moves even more of the support for combined ELF/a.out setups (in particular, uselib(2) and its related a.out library loaders) under the configuration option introduced with 2.2.19-ow4.
Linux 2.2.19-ow4 fixes a symbol export issue introduced with 2.2.19-ow3 and moves the support for ELF executables which use an a.out format interpreter (dynamic linker) into a separate configuration option (disabled by default). No upgrade from 2.2.19-ow3 is necessary.
Linux 2.2.19-ow3+ fixes two Linux kernel vulnerabilities discovered by Rafal Wojtczuk. Please refer to the Owl change log for information on the vulnerabilities and how they affect Owl. Of the two newly discovered vulnerabilities, Linux 2.0.39-ow3 is only affected by the DoS.
Linux 2.2.19 is another important security update. Please upgrade to at least 2.2.19-ow1 or 2.0.39-ow3.