LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   [Slackware security] vulnerabilities outstanding 20140101 (http://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 01-01-2014 12:53 PM

[Slackware security] vulnerabilities outstanding 20140101
 
Hello.

Some vulnerabilities of varying severity...

  1. curl 7.34.0
    CVE-2013-4545 fixed.
    CVE-2013-6422 fixed.

  2. php 5.4.23
    CVE-2013-6420 fixed.

  3. libgcrypt 1.6.0
    CVE-2013-4576 fixed.
    There's a secondary mitigant relevant to gnupg2 in libgcrypt (see: http://seclists.org/oss-sec/2013/q4/523).

  4. samba 4.1.3
    CVE-2013-4408 fixed.
    CVE-2012-6150 fixed.

  5. xorg-server
    CVE-2013-6424 fixed in http://patchwork.freedesktop.org/patch/14769/

  6. pixman
    CVE-2013-6425 fixed in http://cgit.freedesktop.org/pixman/p...d=5e14da97f16e

  7. openssl
    CVE-2013-6449 fixed in http://git.openssl.org/gitweb/?p=ope...h;h=ca989269a2
    CVE-2013-6450 fixed in http://git.openssl.org/gitweb/?p=ope...h;h=34628967f1

--mancha

mancha 01-06-2014 12:49 PM

Update 20140106
  1. openssl 1.0.1f
    CVE-2013-6449 fixed.
    CVE-2013-6450 fixed.
    CVE-2013-4353 fixed.

    Also, gmt_unix_time (seconds since epoch) is no longer added to the random fields of {Client,Server}Hello because that can be used for host fingerprinting by an adversary.
--mancha

mancha 01-07-2014 01:19 PM

Update 20140107
  1. libXfont
    CVE-2013-6462 fixed in http://cgit.freedesktop.org/xorg/lib...d=4d024ac10f96

    Above patch applies cleanly to Slackware 14.1's libXfont 1.4.6. Note: X.Org released libXfont 1.4.7 on 20140107
    to address this vulnerability.
--mancha

mats_b_tegner 01-07-2014 05:24 PM

Quote:

Originally Posted by mancha (Post 5092961)
Update 20140106
  1. openssl 1.0.1f
    CVE-2013-6449 fixed.
    CVE-2013-6450 fixed.
    CVE-2013-4353 fixed.

    Also, gmt_unix_time (seconds since epoch) is no longer added to the random fields of {Client,Server}Hello because that can be used for host fingerprinting by an adversary.
--mancha

Compilation fails when building the docs with Perl 5.18. Use the following patch from LFS on the 0.9.8y-sources:
http://www.linuxfromscratch.org/patc...syntax-1.patch

And then this patch from Gentoo on 1.0.1f:
http://sources.gentoo.org/cgi-bin/vi...ch?view=markup

Mats

mancha 01-07-2014 11:18 PM

Quote:

Originally Posted by mats_b_tegner (Post 5093798)
Compilation fails when building the docs with Perl 5.18. Use the following patch from LFS on the 0.9.8y-sources:
http://www.linuxfromscratch.org/patc...syntax-1.patch

And then this patch from Gentoo on 1.0.1f:
http://sources.gentoo.org/cgi-bin/vi...ch?view=markup

Thanks for that. The LFS patch doesn't apply to 0.9.8y here so I made one from scratch. I also took the Gentoo patch you linked and reformatted it a bit. Both patches are here:

openssl-0.9.8y-perl-5.18.diff
openssl-1.0.1f-perl-5.18.diff


--mancha

mats_b_tegner 01-09-2014 07:10 AM

Quote:

Originally Posted by mancha (Post 5093989)
Thanks for that. The LFS patch doesn't apply to 0.9.8y here so I made one from scratch. I also took the Gentoo patch you linked and reformatted it a bit. Both patches are here:

openssl-0.9.8y-perl-5.18.diff
openssl-1.0.1f-perl-5.18.diff


--mancha

I've rebuilt the openssl-packages with your patches and they apply without errors.

mats_b_tegner 01-09-2014 07:14 AM

I've upgraded curl, php and samba to their latest versions. Just download the sources and compile using the SlackBuild-scripts from /source. Should we notify PatV?

mancha 01-09-2014 04:19 PM

Quote:

Originally Posted by mats_b_tegner (Post 5094840)
I've upgraded curl, php and samba to their latest versions. Just download the sources and compile using the SlackBuild-scripts from /source. Should we notify PatV?

Glad to hear my patches worked out for you.

I emailed Pat about a week and a half before starting this thread but I haven't sent a 2nd email with more recent news (e.g. openssl, libxfont). A new email might be worthwhile in case he's not visiting LQ. Feel free to send one.

--mancha

sardinha 01-10-2014 08:01 AM

samba 4.1.4
 
The last stable released of samba is version 4.1.4: http://www.samba.org/samba/history/samba-4.1.4.html

The previous version (4.1.3) resolved some security holes, but maybe worth have the last release with more bug fixes.

corvid 01-10-2014 11:37 AM

I appreciate that you're keeping on top of the security issues.

Given how single-point-of-failure it is having Pat in control and these things often going unfixed for so long, it's really looking like I'm going to have to move on from slackware at last.

mats_b_tegner 01-12-2014 07:58 AM

PHP 5.5.24 has been released. No security fixes as far as I know, but it's a recommended upgrade:

http://www.php.net/ChangeLog-5.php#5.4.24

Mats

hpfeil 01-12-2014 12:51 PM

Bye, corvid! Remember to write if you find work and hang by your thumbs. [Bob & Ray Radio Program sign-off] I'll move on when Pat does. He's done fine with me for twenty years. I've tried the rest, but still use the best.

Thank you, mancha for staying on top of the SSL security patches. (Openssl-1.0.1e is the version on the mirrors.)

hitest 01-12-2014 01:22 PM

Quote:

Originally Posted by corvid (Post 5095552)
I appreciate that you're keeping on top of the security issues.

Given how single-point-of-failure it is having Pat in control and these things often going unfixed for so long, it's really looking like I'm going to have to move on from slackware at last.

Okay. But, why announce that you're leaving?
I hope that you find a distro that is more to your liking.

metaschima 01-12-2014 02:11 PM

If you look at the patches, few of them are actually security vulnerabilities, and none of them are critical. I'm sure Pat V. would have pushed updates if any of them were critical security vulnerabilities.

In other words, don't let this thread chase you away from Slackware.

gnupg 1.x is up-to-date at 1.4.16 BTW.

dugan 01-12-2014 03:44 PM

Quote:

Originally Posted by corvid (Post 5095552)
these things often going unfixed for so long

What are you talking about?


All times are GMT -5. The time now is 10:10 PM.