LinuxQuestions.org

Thread: [Slackware current]: Problem in Aug-30-2013 updates (?) (http://www.linuxquestions.org/questions/slackware-14/%5Bslackware-current%5D-problem-in-aug-30-2013-updates-4175475322/)

mancha 08-30-2013 11:27 AM

[Slackware current]: Problem in Aug-30-2013 updates (?)
 
Pat:

Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13).
I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28.

However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?

Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address CVE-2013-4143. How come?

--mancha

willysr 08-30-2013 12:58 PM

It appears to be correct. According to this page, the upstream version that fixed this problem is 3.0.28, not 3.0.26.

About xlockmore, i believe it's because there hasn't been any information about this on CVE's website.
Quote:

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

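The practical lesson of the two posts above is that a bulletin naming a version is not the same as that version containing the fix: the first advisory pointed at GnuTLS 3.0.26, while upstream fixed CVE-2013-1619 only in 3.0.28. The following script is an added example, not code from this thread or from Slackware; it parses Slackware package names (NAME-VERSION-ARCH-BUILD, as listed in /var/log/packages) and compares each installed version against the first fixed version for its upstream branch. The FIXED_IN table is seeded only with the 3.0.28 fact established here, and the sample package names are constructed for illustration; the same logic generalizes to any CVE, package and branch once you have confirmed the fixed version from upstream.

```python
import os
import re
from typing import Dict, List, Tuple

# Seeded only with the one fact this thread establishes: the Lucky-13 fix
# (CVE-2013-1619) landed in GnuTLS 3.0.28, not 3.0.26.  Extend per CVE,
# package name and upstream branch as you confirm other fixed versions.
FIXED_IN: Dict[str, Dict[str, Dict[str, str]]] = {
    "CVE-2013-1619": {"gnutls": {"3.0": "3.0.28"}},
}

PKG_EXTENSIONS = (".txz", ".tgz", ".tbz", ".tlz")


def parse_pkg(filename: str) -> Tuple[str, str, str, str]:
    """Split a Slackware package name into (name, version, arch, build).

    The format is NAME-VERSION-ARCH-BUILD and NAME may itself contain
    hyphens (e.g. xorg-server-xephyr), so the split must come from the right.
    """
    base = os.path.basename(filename)
    for ext in PKG_EXTENSIONS:
        if base.endswith(ext):
            base = base[: -len(ext)]
            break
    parts = base.rsplit("-", 3)
    if len(parts) != 4:
        raise ValueError(f"not a Slackware package name: {filename}")
    name, version, arch, build = parts
    return name, version, arch, build


def version_key(version: str) -> tuple:
    """Key for ordering dotted versions numerically, so 3.0.28 > 3.0.9.

    Numeric pieces compare as integers; anything else (rc1, pre2) compares
    as a string and sorts below any number, which is what you want for
    pre-release tags.
    """
    key = []
    for piece in re.split(r"[.\-_]", version):
        if piece.isdigit():
            key.append((1, int(piece)))
        else:
            key.append((0, piece))
    return tuple(key)


def branch_of(version: str) -> str:
    """Upstream branch as MAJOR.MINOR, e.g. 3.0 for 3.0.26."""
    return ".".join(version.split(".")[:2])


def verdict(pkg_filename: str, cve: str, table=FIXED_IN) -> str:
    """Classify one installed package against the fixed version for `cve`.

    Returns 'fixed', 'vulnerable', 'unknown-branch' (the CVE affects this
    package but no fixed version is recorded for its branch, so do not
    assume it is safe) or 'not-affected' (CVE not tracked for this package).
    """
    name, version, _arch, _build = parse_pkg(pkg_filename)
    per_branch = table.get(cve, {}).get(name)
    if per_branch is None:
        return "not-affected"
    fix = per_branch.get(branch_of(version))
    if fix is None:
        return "unknown-branch"
    return "fixed" if version_key(version) >= version_key(fix) else "vulnerable"


def audit(package_names: List[str], cve: str = "CVE-2013-1619",
          table=FIXED_IN) -> Dict[str, str]:
    """Verdict for every package the CVE is tracked against, keyed by name."""
    results = {}
    for pkg in package_names:
        status = verdict(pkg, cve, table)
        if status != "not-affected":
            results[pkg] = status
    return results


def audit_system(package_dir: str = "/var/log/packages",
                 cve: str = "CVE-2013-1619") -> Dict[str, str]:
    """Run the audit against the live Slackware installed-package database."""
    if not os.path.isdir(package_dir):
        return {}
    return audit(sorted(os.listdir(package_dir)), cve)


# Constructed sample package names (not taken from any real system).
SAMPLE_PACKAGES = [
    "gnutls-3.0.26-x86_64-1_slack14.0",   # what the first bulletin named
    "gnutls-3.0.28-x86_64-1_slack14.0",   # first 3.0.x with the Lucky-13 fix
    "gnutls-3.0.31-x86_64-1",
    "gnutls-2.8.4-i486-1_slack13.0",      # older branch: no fix version recorded
    "xlockmore-5.43-x86_64-1",
    "glibc-2.17-x86_64-7",
]

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_PACKAGES).items():
        print(f"{status:15} {pkg}")
```

Run it on a real box with `audit_system()` instead of the sample list. The 'unknown-branch' verdict is deliberate: an old branch for which you have not recorded a fixed version is reported as unresolved rather than silently treated as safe, which is exactly the situation of the 12.1-13.37 releases discussed later in this thread.
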
volkerdi 08-30-2013 03:03 PM

Quote:

Originally Posted by mancha (Post 5018943)
Pat:

Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13).
I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28.

However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?

Oops... I grabbed the latest from the out of date ftp.gnu.org archive. I'll try that again using ftp.gnupg.org instead.

By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions. On the bright side, not many programs used gnutls until Slackware 14.0. And as far as making a big version jump to fix earlier Slackware releases goes, based on my past experiences with gnutls I'm guessing both runtime and compile issues would be likely to occur.

Quote:

Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address CVE-2013-4143. How come?
If the xlockmore fix had anything to do with glibc-2.17 crypt() then it doesn't merit an advisory since it was never a problem in a stable release.

mancha 08-30-2013 03:53 PM

Quote:

Originally Posted by volkerdi
By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions.

I'll take a look to see how much work would be involved in developing a full set of patches for virgin Slackware 12.1-13.37. No promises though; lot on my plate right now.

Quote:

If the xlockmore fix had anything to do with glibc-2.17 crypt() then it doesn't merit an advisory since it was never a problem in a stable release.
Yes, the CVE is related to the potential for bypassing the screen lock due to crypt() changes. I understand the criterion for noting CVEs in the ChangeLog now. Thanks.

--mancha

volkerdi 08-30-2013 04:05 PM

Quote:

Originally Posted by mancha (Post 5019043)
I'll take a look to see how much work would be involved in developing a full set of patches for virgin Slackware 12.1-13.37. No promises though; lot on my plate right now.

Slackware 12.1 - 13.0 already had an upgrade to gnutls-2.8.4 to fix previous issues, so those would be the versions to patch there. Anyway, I'm not sure I'd characterize the issues that exist as being anywhere near critical, especially in light of how few programs in 12.1 - 13.37 actually use gnutls for anything (although self-compiled things could be using it for more important purposes).

Compared to OpenSSL, gnutls isn't very maintainable. It's too bad all these licenses can't get along.

volkerdi 08-30-2013 04:33 PM

New gnutls updates out for 14.0 and -current.

qunying 08-30-2013 06:07 PM

FYI, for the latest version of wireshark to show the decrypted content of SSL traffic (with supplied key), it needs to compile with gnutls instead of OpenSSL. And it requires a minimum gnutls version of 3.1.10.

Not sure if Slackware could upgrade the gnutls version to the current stable line of 3.1.x.

mancha 10-08-2013 05:16 PM

Quote:

Originally Posted by volkerdi (Post 5019047)
Slackware 12.1 - 13.0 already had an upgrade to gnutls-2.8.4 to fix previous issues, so those would be the versions to patch there.

This turned out to be a lot more work than I bargained for. But, it's for a great distrib and I sorta offered, so...I rolled up my sleeves and here it is.

gnutls-cve-backports.tar.bz2 contains patchsets for GnuTLS 2.8.4, GnuTLS 2.8.6, and GnuTLS 2.10.5 which address:

Code:

                    GnuTLS 2.8.4  GnuTLS 2.8.6  GnuTLS 2.10.5
                    ------------  ------------  -------------
    CVE-2009-3555        X              X
    CVE-2011-4128        X              X              X
    CVE-2012-1569        X              X              X
    CVE-2012-1573        X              X              X
    CVE-2013-1619        X              X              X
    CVE-2013-2116        X              X              X

After their application, all publicly-disclosed GnuTLS vulnerabilities still outstanding in five Slackware versions (12.1-13.37) will be patched.
Slackware 14.0 & current are already OK.

Please take a look at the README first; it contains important info.

The signature (gnutls-cve-backports.tar.bz2.sig) was made with this key:

PGP: 0x25168EB24F0B22AC 56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC

--mancha
