Tags: matthew-cline/firejail
Versions 0.9.62.2
* patches from Debian (firejail 0.9.62-3, sid):
profile-fixes.patch, apparmor-include.patch
* patches from Debian (firejail 0.9.64-4, sid)
CVE-2020-17367 reported by Tim Starling
CVE-2020-17368 reported by Tim Starling
* patches from Debian (firejail 0.9.64-4, sid)
element-profile.patch, usrsharedoc.patch,
pathnames.patch, usr-share-firefox.patch
* additional hardening and bug fixes
Version 0.9.62
* added file-copy-limit in /etc/firejail/firejail.config
* profile templates (/usr/share/doc/firejail)
* allow-debuggers support in profiles
* several seccomp enhancements
* compiler flags autodetection
* move chroot entirely from path based to file descriptor based mounts
* whitelisting /usr/share in a large number of profiles
* new scripts in contrib: gdb-firejail.sh and sort.py
* enhancement: whitelist /usr/share in some profiles
* added signal mediation to apparmor profile
* new conditions: HAS_X11, HAS_NET
* new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
* new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
* new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
* new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
* new profiles: conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, out123
* new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
* new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
* new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
* new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
* new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
* new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant, kalgebra
* new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
* new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
* new profiles: electron-mail, gist, gist-paste
Version 0.9.56.2
* fix CVE-2019-12589
* fix CVE-2019-12499
* other bugfixes
Version 0.9.60
* security bug reported by Austin Morton:
Seccomp filters are copied into /run/firejail/mnt, and are writable
within the jail. A malicious process can modify files from inside the
jail. Processes that are later joined to the jail will not have seccomp
filters applied.
* memory-deny-write-execute now also blocks memfd_create
* add private-cwd option to control working directory within jail
* blocking system D-Bus socket with --nodbus
* bringing back Centos 6 support
* drop support for flatpak/snap packages
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
Version 0.9.60-rc1
* new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
* new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
* new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
* new profiles: regextester, hardinfo, gnome-system-log, gnome-nettool
* new profiles: netactview, redshift, devhelp, assogiate, subdownloader
* new profiles: font-manager, exfalso, gconf-editor, dconf-editor
* new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
* new profiles: code-oss, pragha, Maelstrom, ostrichriders, bzflag
* new profiles: freeciv, lincity-ng, megaglest, openttd, crawl, crawl-tiles
* new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus
* new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt
* new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem
* new profiles: vultureseye, vulturesclaw, anki, cheese, utox, mp3splt
* new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
* new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
* new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
* memory-deny-write-execute now also blocks memfd_create
* drop support for flatpak/snap packages