OmniOS 151044 stable (OpenSource Solaris fork/ Unix)


gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
There is a new stable r151044 of the resource-efficient OmniOS ZFS server.
See Release Schedule

Upgrades are supported from the r151038, r151040 and r151042 releases only.
If upgrading from an earlier version, upgrade in stages over earlier LTS

 

gea

Problem: Napp-it TLS Alert/Status and TLS Reports not working after an update to OmniOS 151044
This is fixed in napp-it 23.dev (Jan 23)

 

gea

r151044n (2023-02-07)
Weekly release for w/c 06th of February 2023.

Security Fixes
OpenSSL packages updated to 3.0.8 and 1.1.1t, fixing various vulnerabilities
OpenSSL 1.0.2 has also been patched to resolve vulnerabilities.
OpenJDK packages updated to 17.0.6+10, 11.0.18+10 and 1.8.362-09
 

gea

OmniOS r151044p (2023-02-21)

Weekly release for w/c 20th of February 2023.
This update requires a reboot

Security Fixes
Git has been updated to version 2.37.6.

Other Changes
The bundled AMD CPU microcode has been updated.
The signalfd driver could cause a system panic.
It was possible that the system could panic if the in-zone NFS server was in use.

 

gea

r151044v (2023-04-07)

Weekly release for w/c 3rd of April 2023.
This update requires a reboot

Security Fixes

- The bundled Intel CPU microcode has been updated.
  See Release microcode-20230214 · intel/Intel-Linux-Processor-Microcode-Data-Files for details.
- curl has been updated to version 8.0.1, fixing 6 security vulnerabilities.
- openssl has been updated to mitigate CVE-2023-0464.
- rsyslog has been updated to address a vulnerability in the fastjson component that it uses internally.
  Due to extra bounds checks employed by rsyslog, it is unlikely that this problem could be exploited.

Other Changes

zstd has been updated to version 1.5.5 to fix a rare corruption bug.
The timezone database has been updated to version 2023c.
gcc 7 has been updated to the latest illumos version, gcc 7.5.0-il-2.

 

gea

The illumos security team have today published a security advisory concerning CVE-2023-31284, a kernel stack overflow that can be performed by an unprivileged user, either in the global zone or in any non-global zone. A copy of their advisory is below.


ACTION: If you are using any of the supported OmniOS versions (see below) or the recently retired r42, run pkg update to upgrade to a version that includes the fix. Note that a reboot is required. If you have already upgraded to r46, then you are all set as it already includes the fix.


The following OmniOS versions include the fix:
  • r151046
  • r151044y
  • r151042az
  • r151038cz

If you are running an earlier version, upgrade to a supported version (in stages if necessary) following Upgrading OmniOS.



##########################
--- illumos Security Team advisory ---


We are reaching out today to inform you about CVE-2023-31284. We have pushed a commit to address this, which you can find at 15586 ddi_parse needs len · illumos/illumos-gate@676abcb. While we don't currently know of anyone exploiting this in the wild, this is a kernel stack overflow that can be performed by an unprivileged user, either in the global zone, or any non-global zone.

The following details provide information about this particular issue:

IMPACT: An unprivileged user in any zone can cause a kernel stack buffer overflow. While stack canaries can capture this and lead to a denial of service, it is possible for a skilled attacker to leverage this for local privilege escalation or execution of arbitrary code (e.g. if combined with another bug such as an information leak).


ACTION: Please be on the lookout for patches from your distribution and be ready to update.


MITIGATIONS: Running a kernel built with -fstack-protector (the illumos default) can help mitigate this and turn these issues into a denial of service, but that is not a guarantee. We believe that unprivileged processes which have called chroot(2) with a new root that does not contain the sdev (/dev) filesystem most likely cannot trigger the bug, but an exhaustive analysis is still required.

Please reach out to us if you have any questions, whether on the mailing list, IRC, or otherwise, and we'll try to help as we can.

We'd like to thank Alex Wilson and the students at the University of Queensland for reporting this issue to us, and to Dan McDonald for his work in fixing it.

The illumos Security Team
 
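A way to check a host's release string against the fixed versions listed in the post above for CVE-2023-31284. This is an added example, not part of the thread or of OmniOS itself; the function names are hypothetical, and it assumes weekly suffixes run a..z, then aa..az, ba.., and that the string passed in (for instance the contents of /etc/release) carries a token such as `r151044y`.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OmniOS release string
# against the fixed versions listed in the post for CVE-2023-31284.

# Fixed weekly suffix per branch, copied from the list in the post.
fixed_suffix() {
    case "$1" in
        151044) echo y ;;
        151042) echo az ;;
        151038) echo cz ;;
        *) return 1 ;;
    esac
}

# suffix_ge A B: succeeds when weekly suffix A is the same as or later than B.
# Assumption: suffixes run a..z, then aa..az, ba.., so a longer suffix is
# later and equal-length suffixes compare alphabetically.
suffix_ge() {
    [ "${#1}" -gt "${#2}" ] && return 0
    [ "${#1}" -lt "${#2}" ] && return 1
    sg_first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$sg_first" = "$2" ]
}

# check_release STRING: prints fixed, vulnerable, unsupported or unknown.
check_release() {
    cr_parsed=$(printf '%s\n' "$1" |
        sed -n 's/.*r\([0-9]\{6\}\)\([a-z]*\).*/\1 \2/p' | head -n 1)
    if [ -z "$cr_parsed" ]; then echo unknown; return 0; fi
    cr_branch=${cr_parsed% *}
    cr_suffix=${cr_parsed#* }
    if [ "$cr_branch" -ge 151046 ]; then
        # r151046 ships the fix; later releases are assumed to keep it.
        echo fixed
    elif cr_want=$(fixed_suffix "$cr_branch"); then
        if suffix_ge "$cr_suffix" "$cr_want"; then echo fixed; else echo vulnerable; fi
    else
        # Older branch with no fixed build listed: upgrade in stages.
        echo unsupported
    fi
}
```

A host that reports `fixed` still needs the reboot mentioned in the post before the patched kernel is running.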