Old 08-30-2013, 10:27 AM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 292

Rep: Reputation: Disabled
[Slackware current]: Problem in Aug-30-2013 updates (?)


Pat:

Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13).
I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28.

However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?

Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address CVE-2013-4143. How come?

--mancha

Last edited by mancha; 08-30-2013 at 11:44 AM.
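An added example, not code from the thread or from Slackware: a POSIX sh check that reads the installed Slackware gnutls package name(s) and compares the version field against 3.0.28, the first 3.0.x release the thread identifies as carrying the CVE-2013-1619 fix. The /var/log/packages layout and name-version-arch-build package naming are standard Slackware; the function names and the sample package names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether an installed Slackware
# gnutls package is at or past 3.0.28, the first 3.0.x release the thread
# identifies as carrying the CVE-2013-1619 (Lucky-13) fix.
FIXED_VERSION=3.0.28

# Extract the version field from a Slackware package name, which is laid out
# as name-version-arch-build (e.g. gnutls-3.0.26-x86_64-1).
pkg_version() {
    stripped=${1%-*-*}                # drop the trailing "-arch-build"
    printf '%s\n' "${stripped##*-}"   # the last field left is the version
}

# Return 0 if version $1 >= version $2, comparing dotted components numerically
# so that 3.0.31 sorts above 3.0.28 (a plain string compare would not).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report the status of one package name; exit status 0 = fixed, 1 = not yet.
lucky13_status() {
    v=$(pkg_version "$1")
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "$1: CVE-2013-1619 fixed (gnutls $v >= $FIXED_VERSION)"
        return 0
    fi
    echo "$1: CVE-2013-1619 NOT fixed (gnutls $v < $FIXED_VERSION)"
    return 1
}

# On a live Slackware system, installed packages are listed in /var/log/packages.
for p in /var/log/packages/gnutls-[0-9]*; do
    [ -e "$p" ] || continue
    lucky13_status "$(basename "$p")" || :    # report only; keep scanning
done
```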
 
Old 08-30-2013, 11:58 AM   #2
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,555

Rep: Reputation: 424
It appears to be correct. According to this page, the upstream version that fixed this problem is 3.0.28, not 3.0.26.

About xlockmore, i believe it's because there hasn't been any information about this on CVE's website.
Quote:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
 
Old 08-30-2013, 02:03 PM   #3
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 867

Rep: Reputation: 1751
Quote:
Originally Posted by mancha View Post
Pat:

Slackware issued a security bulletin announcing an upgrade to GnuTLS 3.0.26 to address CVE-2013-1619 (aka Lucky-13).
I believe this was a small lapsus; the fix wasn't introduced until GnuTLS 3.0.28.

However, as long as GnuTLS is being upgraded on Slackware 14 & current, any reason to avoid the latest 3.0.31 on 3.0.x?
Oops... I grabbed the latest from the out-of-date ftp.gnu.org archive. I'll try that again using ftp.gnupg.org instead.

By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions. On the bright side, not many programs used gnutls until Slackware 14.0. And as far as making a big version jump to fix earlier Slackware releases goes, based on my past experiences with gnutls I'm guessing both runtime and compile issues would be likely to occur.

Quote:
Also, xlockmore was upgraded to version 5.43 but didn't receive a security notice though it was specifically released to address CVE-2013-4143. How come?
If the xlockmore fix had anything to do with glibc-2.17 crypt() then it doesn't merit an advisory since it was never a problem in a stable release.
 
1 members found this post helpful.
Old 08-30-2013, 02:53 PM   #4
mancha
Member
 
Registered: Aug 2012
Posts: 292

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by volkerdi
By the way, I spent most of yesterday looking at gnutls for earlier versions, and found that none of the newer versions will compile on Slackware 13.37 or earlier without adding additional dependencies, and what patches I could find won't apply to the existing versions.
I'll take a look to see how much work would be involved in developing a full set of patches for virgin Slackware 12.1-13.37. No promises though; a lot on my plate right now.

Quote:
If the xlockmore fix had anything to do with glibc-2.17 crypt() then it doesn't merit an advisory since it was never a problem in a stable release.
Yes, the CVE is related to the potential for bypassing the screen lock due to crypt() changes. I understand the criterion for noting CVEs in the ChangeLog now. Thanks.

--mancha
 
Old 08-30-2013, 03:05 PM   #5
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 867

Rep: Reputation: 1751
Quote:
Originally Posted by mancha View Post
I'll take a look to see how much work would be involved in developing a full set of patches for virgin Slackware 12.1-13.37. No promises though; lot on my plate right now.
Slackware 12.1 - 13.0 already had an upgrade to gnutls-2.8.4 to fix previous issues, so those would be the versions to patch there. Anyway, I'm not sure I'd characterize the issues that exist as being anywhere near critical, especially in light of how few programs in 12.1 - 13.37 actually use gnutls for anything (although self-compiled things could be using it for more important purposes).

Compared to OpenSSL, gnutls isn't very maintainable. It's too bad all these licenses can't get along.
 
Old 08-30-2013, 03:33 PM   #6
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 867

Rep: Reputation: 1751
New gnutls updates out for 14.0 and -current.
 
2 members found this post helpful.
Old 08-30-2013, 05:07 PM   #7
qunying
Member
 
Registered: Jun 2002
Distribution: Slackware
Posts: 46

Rep: Reputation: 3
FYI, for the latest version of wireshark to show the decrypted content of SSL traffic (with supplied key), it needs to be compiled with gnutls instead of OpenSSL. And it requires a minimum gnutls version of 3.1.10.

Not sure if Slackware could upgrade the gnutls version to the current stable line of 3.1.x.
 
Old 10-08-2013, 04:16 PM   #8
mancha
Member
 
Registered: Aug 2012
Posts: 292

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by volkerdi View Post
Slackware 12.1 - 13.0 already had an upgrade to gnutls-2.8.4 to fix previous issues, so those would be the versions to patch there.
This turned out to be a lot more work than I bargained for. But, it's for a great distrib and I sorta offered, so... I rolled up my sleeves and here it is.

gnutls-cve-backports.tar.bz2 contains patchsets for GnuTLS 2.8.4, GnuTLS 2.8.6, and GnuTLS 2.10.5 which address:

Code:
                    GnuTLS 2.8.4   GnuTLS 2.8.6   GnuTLS 2.10.5
                    ------------   ------------   -------------
    CVE-2009-3555         X              X
    CVE-2011-4128         X              X              X
    CVE-2012-1569         X              X              X
    CVE-2012-1573         X              X              X
    CVE-2013-1619         X              X              X
    CVE-2013-2116         X              X              X
After their application, all publicly-disclosed GnuTLS vulnerabilities still outstanding in five Slackware versions (12.1-13.37) will be patched.
Slackware 14.0 & current are already OK.

Please take a look at the README first; it contains important info.

The signature (gnutls-cve-backports.tar.bz2.sig) was made with this key:

PGP: 0x25168EB24F0B22AC 56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC

--mancha

Last edited by mancha; 10-08-2013 at 04:18 PM.
 
2 members found this post helpful.