LinuxQuestions.org


mancha 10-17-2013 02:28 PM

[Slackware 14.1rc1]: Some loose ends
 
Hello. A few requests/suggestions I'd like to summarize before 14.1 releases:

1. Security:

a. yp-tools:
Since my name is associated with the crypt() fix, I'd like to request you re-build using my corrected patch.

b. libtiff
It seems Slackware 14.1 will stay on the 3.9.x branch. In that case I suggest upgrading to tiff 3.9.7 (which addresses CVE-2012-2088, CVE-2012-2113) and applying the following backports I've put together from upstream:

tiff-3.9.7_CVS20130502.diff (sig) addresses CVE-2012-4447, CVE-2012-4564, CVE-2013-1960, CVE-2013-1961
tiff-3.9.7_CVE-2013-4231.diff (sig) addresses CVE-2013-4231
tiff-3.9.7_CVE-2013-4232.diff (sig) addresses CVE-2013-4232
tiff-3.9.7_CVE-2013-4244.diff (sig) addresses CVE-2013-4244

2. Suggested Upgrade:

a. OpenSSH
Upgrading to 6.3p1 would be worthwhile. Aside from bug-fixes, there are some nice new features like download resumption in sftp, proxying through stdin/stdout, and time-based rekeying.

3. Optional Bug-Fixes:

a. util-linux
agetty included in util-linux 2.21.2 doesn't properly filter arrow keys. See this thread for the discussion about the wandering cursor at login and util-linux-2.21.2-fixcursor.diff for my fix.

b. bash
bash 4.2 currently has no support for multibyte characters in ansic_* functions. This means no multi-byte char support in printf %q, command not found messages, XTRACE output, etc. This thread describes the issue noted with "command not found" and bash-4.2-widechars.diff has the fix.

--mancha

PS You might have noticed my URLs have changed. I've re-organized things into a new project: http://sf.net/projects/mancha. The old project will remain to not break existing links but will not be updated.

Chuck56 10-17-2013 11:42 PM

Quote:

Originally Posted by mancha (Post 5047635)
... It seems Slackware 14.1 will stay on the 3.9.x branch. ...

You mean kernel 3.10.16? Not sure what you mean when you say 3.9.x branch.

gmgf 10-18-2013 12:49 AM

Hi, Pat, hplip-3.13.10 has a security update also:

http://hplipopensource.com/hplip-web/release_notes.html

(fix for CVE-2013-4325: Insecure Polkit use)

Thom1b 10-18-2013 04:01 AM

Quote:

Originally Posted by Chuck56 (Post 5047868)
You mean kernel 3.10.16? Not sure what you mean when you say 3.9.x branch.

He talked about libtiff, not linux.

corvid 10-18-2013 10:37 AM

I saw that the libtiff security updates were applied to current and stable last night, but there's been no notification on the slackware-security list.

mancha 10-18-2013 03:19 PM

@Pat:

Many thanks for the yp-tools rebuild.

BTW, this is shaping into a very impressive release.

--mancha

BrZ 10-19-2013 02:44 AM

Hi mancha,

If you have some spare time, could you please have a look at CVE-2013-2924? I think the fix is here (at the very end) and here from upstream. Can we apply it to icu4c-51_2?

Thanks.

mancha 10-19-2013 03:52 AM

Hi BrZ.

Your upstream link indeed is the fix for CVE-2013-2924 and applies cleanly to Slackware 14.1rc1's icu4c 51-2.

I've placed the patch here: icu4c-51_2_CVE-2013-2924.diff (sig).

Note: this is fixed in icu4c 52-1 but an upgrade would imply some API changes.

--mancha

BrZ 10-19-2013 04:56 AM

Thanks mancha :hattip:

gmgf 10-19-2013 05:04 AM

Thanks, Pat, for hplip ;)

Paulo2 10-19-2013 01:37 PM

Quote:

Originally Posted by gmgf (Post 5047894)
Hi, Pat, hplip-3.13.10 has a security update also:

http://hplipopensource.com/hplip-web/release_notes.html

(fix for CVE-2013-4325: Insecure Polkit use)

I've been running hplip 3.13.10 since the pop-up warning, with an F4280 (Deskjet all-in-one F4200 family), and it is printing fine :)

The hplip updates always are ok, they release updates every one or two months.

volkerdi 10-19-2013 03:55 PM

Quote:

Originally Posted by Paulo2 (Post 5048705)
The hplip updates always are ok

Except for that last one that broke if systemd wasn't installed.

Paulo2 10-19-2013 04:49 PM

Quote:

Originally Posted by volkerdi (Post 5048743)
Except for that last one that broke if systemd wasn't installed.

Is systemd default on Slackware14 full install? I don't know if I have it :)
I always upgrade hplip to a new version with slackbuild so maybe this is the reason
that my hplip is working.

Stuferus 10-19-2013 05:28 PM

No, Slackware is still (and hopefully stays forever) sysvinit... no systemd here. :D

55020 10-19-2013 05:58 PM

Off topic, sorry, but did we all see this?
I would like to request CVE ids for 4 systemd issues [seclists.org]
I cried real tears :D


All times are GMT -5.