LinuxQuestions.org - Slackware
[Slackware security] vulnerabilities outstanding 20140101
https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/

Didier Spaier 06-07-2014 07:12 AM

Quote:

Originally Posted by eloi (Post 5184019)
They are running, not by me, but they are.

None for discussion or bug reporting as far as I know.

jtsn 06-07-2014 07:17 AM

Quote:

Originally Posted by metaschima (Post 5183167)
Anyway, hopefully libressl will come out soon so I can switch.

LibreSSL is already out: for OpenBSD. There is just no port to Linux yet, because Linux is not compatible enough with (Open)BSD to run this unmodified...

Quote:

I tried e-mailing the devs and recommending crowdfunding the project. No response so far.
You could start a crowdfunder for a Linux port of LibreSSL (done by professionals, not half-assed "get it to compile" stuff) on your own. Or you could start a campaign to get the strl*() functions into glibc, which would make every Linux software out there more secure.

Thom1b 06-12-2014 01:22 AM

bind-9.9.5-P1 fixed two security issues and many bugs:

Quote:

Security Fixes

Treat an all zero netmask as invalid when generating the localnets
acl to workaround bug on Windows platform. [CVE-2013-6230] [RT #34687]

Fix crashes when serving some NSEC3 signed zones. memcpy was
incorrectly called with overlapping ranges, resulting in malformed
names being generated on some platforms. This could cause INSIST
failures. [CVE-2014-0591] [RT #35120]
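The first of the two fixes quoted above is a simple input check: an interface that reports an all-zero netmask must not be turned into a localnets entry, because 0.0.0.0/0 matches every address. The following Python is an added illustration of that check and is not BIND's code; the interface table is constructed for the example, and the naive generator is a hypothetical "before" written to show what goes wrong when the mask is trusted.

```python
# Added example: generating a localnets-style ACL from interface netmasks,
# before and after rejecting invalid masks (the CVE-2013-6230 class of bug).
# Not BIND's code; the interface list below is constructed for the example.

# Constructed sample: (address, netmask) pairs as an interface scan might
# report them. The second entry imitates a host reporting an all-zero mask,
# the third a non-contiguous mask that is equally bogus.
SAMPLE_INTERFACES = [
    ("192.168.1.10", "255.255.255.0"),
    ("10.0.0.5", "0.0.0.0"),
    ("172.16.4.9", "255.0.255.0"),
]


def dotted_to_int(s):
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = s.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {s!r}")
    val = 0
    for p in parts:
        n = int(p)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {s!r}")
        val = (val << 8) | n
    return val


def int_to_dotted(v):
    return ".".join(str((v >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(plen):
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def netmask_prefixlen(mask):
    """Return the prefix length of a valid netmask.

    Raises ValueError for the all-zero mask (the case the BIND fix targets)
    and for masks that are not a run of ones followed by a run of zeros.
    """
    m = dotted_to_int(mask)
    if m == 0:
        raise ValueError("all-zero netmask is invalid")
    ones = bin(m).count("1")
    if m != prefix_to_mask(ones):
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


def network_entry(addr, plen):
    """Render 'network/prefixlen' for an address under a prefix length."""
    net = dotted_to_int(addr) & prefix_to_mask(plen)
    return f"{int_to_dotted(net)}/{plen}"


def naive_localnets(interfaces):
    """Hypothetical pre-fix behaviour: trust whatever mask is reported.

    An all-zero mask becomes 0.0.0.0/0, an entry that matches the whole
    Internet, so every remote client is treated as 'local'.
    """
    out = []
    for addr, mask in interfaces:
        plen = bin(dotted_to_int(mask)).count("1")
        out.append(network_entry(addr, plen))
    return out


def fixed_localnets(interfaces):
    """Post-fix behaviour: skip interfaces whose netmask is invalid rather
    than emit a catch-all entry."""
    out = []
    for addr, mask in interfaces:
        try:
            plen = netmask_prefixlen(mask)
        except ValueError:
            continue
        out.append(network_entry(addr, plen))
    return out


def acl_matches(acl, addr):
    """True if addr falls inside any 'network/prefixlen' entry of the ACL."""
    a = dotted_to_int(addr)
    for entry in acl:
        net, plen = entry.split("/")
        if (a & prefix_to_mask(int(plen))) == dotted_to_int(net):
            return True
    return False


if __name__ == "__main__":
    for name, gen in (("naive", naive_localnets), ("fixed", fixed_localnets)):
        acl = gen(SAMPLE_INTERFACES)
        print(name, acl, "8.8.8.8 is local:", acl_matches(acl, "8.8.8.8"))
```

Running it shows the naive generator producing `0.0.0.0/0` and therefore answering "local" for an arbitrary Internet address, while the fixed generator drops the two bad interfaces and keeps only `192.168.1.0/24`. Skipping the interface is the conservative choice: an ACL that is too narrow fails closed, one that is too wide fails open.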

Thom1b 06-20-2014 01:33 AM

There is a security bug in Linux:

Quote:

Name: CVE-2014-3153
URL: http://cve.mitre.org/cgi-bin/cvename...=CVE-2014-3153

The futex_requeue function in kernel/futex.c in the Linux kernel
through 3.14.5 does not ensure that calls have two different futex
addresses, which allows local users to gain privileges via a crafted
FUTEX_REQUEUE command that facilitates unsafe waiter modification.
It's been fixed since 3.14.6, 3.10.42, 3.2.60.

GazL 06-20-2014 03:28 AM

Quote:

Originally Posted by Thom1b (Post 5191003)
There is a security bug in Linux:
It's been fixed since 3.14.6, 3.10.42, 3.2.60.

When isn't there. :(

The above is already mentioned. Duplicate of the one posted by ben in post #166


However, 3.10.44 also fixes: CVE-2014-4014. I also noticed a couple of lesser issues on the changelog, including a DoS/Information disclosure one.
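The two posts above give the fix for CVE-2014-3153 as three separate stable releases (3.14.6, 3.10.42, 3.2.60), so "am I patched?" depends on which stable branch the running kernel belongs to, not on a single version number. The Python below is an added example of that per-branch comparison; it is not from the thread or from any Slackware tooling, the fixed-version table is copied from the post above, and the kernel release strings it is exercised with are constructed for the example.

```python
# Added example: decide whether a running kernel carries a fix that was
# released on several stable branches at once. Fixed versions for
# CVE-2014-3153 are taken from the post above; sample release strings
# below are constructed, not taken from any particular machine.
import platform
import re

FIXED_VERSIONS = {
    "CVE-2014-3153": ["3.14.6", "3.10.42", "3.2.60"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release):
    """'3.10.17-smp' -> (3, 10, 17). A missing patch level counts as 0
    ('3.14' -> (3, 14, 0)); local suffixes such as '-smp' are ignored."""
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fix_status(release, cve, table=FIXED_VERSIONS):
    """Return 'fixed', 'vulnerable' or 'unknown' for the given kernel.

    Branch is the (major, minor) pair. A kernel on a branch that has a
    fixed release is compared against that release; a kernel on any other
    branch (for example an end-of-life 3.13.x, or a branch newer than the
    table) reports 'unknown' rather than guessing either way.
    """
    running = parse_kernel_version(release)
    for fixed in table[cve]:
        f = parse_kernel_version(fixed)
        if f[:2] == running[:2]:
            return "fixed" if running >= f else "vulnerable"
    return "unknown"


def report(releases, cve="CVE-2014-3153"):
    """Map each release string to its status; handy for a fleet inventory."""
    return {r: fix_status(r, cve) for r in releases}


if __name__ == "__main__":
    # Constructed sample of release strings in `uname -r` style.
    sample = ["3.10.17-smp", "3.10.42", "3.2.61", "3.14.5", "3.13.11"]
    for rel, status in report(sample).items():
        print(f"{rel:14} {status}")
    print(f"this host ({platform.release()}): {fix_status(platform.release(), 'CVE-2014-3153')}")
```

Note that the 'unknown' result is deliberate: a 3.13.x kernel is neither above nor below any release in the table, and treating it as fixed because 3.13 > 3.10 would be wrong, since fixes on one stable branch say nothing about another. Extending the table with the later 3.10.44 release GazL mentions for CVE-2014-4014 is a one-line addition.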

Thom1b 06-20-2014 03:44 AM

Quote:

Originally Posted by GazL (Post 5191051)
The above is already mentioned. Duplicate of the one posted by ben in post #166

Sorry, I didn't see this post. Thanks.

GazL 06-20-2014 03:52 AM

Quote:

Originally Posted by Thom1b (Post 5191061)
Sorry, I didn't see this post. Thanks.

It's understandable given the length of this thread now. I've done the same. :)

mancha 06-20-2014 09:20 AM

Update 20140620
  1. glibc

    A flaw was discovered in posix_spawn_file_actions_addopen() which can be exploited via use-after-free situations or other exploitable
    situations with mutated paths (CVE-2014-4043).

    Solution for Slackware 14.1: Re-build glibc 2.17 with my backport of upstream's fix.

    Note: If re-building glibc, I recommend the application of additional security fixes that have not been incorporated into Slackware:
    CVE-2012-4424, CVE-2012-4412, CVE-2013-4237, CVE-2013-4788, and CVE-2013-4458. See this thread for details and links to my
    backported fixes.

    This can be accomplished by getting all the diffs and adding the following lines (in red) to the end of glibc.SlackBuild's
    apply_patches() function:

    Code:

      zcat $CWD/glibc.CVE-2013-2207.diff.gz | patch -p1 --verbose || exit 1
      # Patch integer overflows in pvalloc, valloc, and
      # posix_memalign/memalign/aligned_alloc (CVE-2013-4332).
      zcat $CWD/glibc.CVE-2013-4332.diff.gz | patch -p1 --verbose || exit 1
      # Various security fixes
      patch -p1 --verbose < $CWD/glibc-2.17_strcoll-change.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2012-4424.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2012-4412.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4237.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4788.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2013-4458.diff || exit 1
      patch -p1 --verbose < $CWD/glibc-2.17_CVE-2014-4043.diff || exit 1

    }


mancha 06-20-2014 11:40 AM

Update 20140620-1
  1. OpenSSL

    OpenSSL recently released 0.9.8za, 1.0.0m, and 1.0.1h to correct several security flaws. In the case of CVE-2014-0224, the
    original fix restricts ChangeCipherSpec in a way that is causing problems for implementations that use tls_session_secret_cb
    for session resumption (e.g. wpa-supplicant/EAP-FAST) or use TLS renegotiation.

    Solution: Those experiencing problems related to the issues described above should re-build OpenSSL 1.0.1h after applying my
    regression fix (based on upstream commits).

    Note: If re-building OpenSSL, consider the following:

    • On 64-bit systems, enabling 64-bit optimized code for NIST Suite B elliptic curves provides speed improvements as well
      as protection against timing attacks. See this thread for details.

    • In post #163 I describe my personal set of configuration options and their security implications.
--mancha

mancha 06-21-2014 11:27 AM

Update 20140621
  1. Samba

    A flaw has been discovered in Samba's internal DNS server which can be exploited to cause two affected Samba servers to DoS
    themselves (CVE-2014-0239). Additionally, a flaw in SRV_SNAPSHOT_ARRAY permits attackers to leverage configurations that use
    shadow_copy* for vfs objects to reveal potentially private server information (CVE-2014-0178).

    Solution: Upgrade to Samba 4.1.8 (sig)
--mancha

sardinha 06-23-2014 01:57 PM

samba 4.1.9 and 3.6.24

Quote:

Originally Posted by mancha (Post 5191722)
Update 20140621
  1. Samba

    A flaw has been discovered in Samba's internal DNS server which can be exploited to cause two affected Samba servers to DoS
    themselves (CVE-2014-0239). Additionally, a flaw in SRV_SNAPSHOT_ARRAY permits attackers to leverage configurations that use
    shadow_copy* for vfs objects to reveal potentially private server information (CVE-2014-0178).

    Solution: Upgrade to Samba 4.1.8 (sig)
--mancha

Suggested security upgrades to resolve CVE-2014-0244 (Denial of service - CPU loop) and CVE-2014-3493 (Denial of service - Server crash/memory corruption):

Thom1b 06-24-2014 12:06 AM

gnupg:

Quote:

We are pleased to announce the availability of a new stable GnuPG-1
release: Version 1.4.17. This release includes a *security fix* to stop
a possible DoS using garbled compressed data packets which can be used
to put gpg into an infinite loop.
ftp://ftp.gnupg.org/GnuPG/gnupg/gnupg-1.4.17.tar.bz2
ftp://ftp.gnupg.org/GnuPG/gnupg/gnup...17.tar.bz2.sig

mancha 06-26-2014 10:04 PM

Update 20140626
  1. PHP

    The following security issues have been fixed in PHP 5.4.30:

    Code:

    CVE-2014-0207    CVE-2014-3478    CVE-2014-3479
    CVE-2014-3480    CVE-2014-3487    CVE-2014-3515
    CVE-2014-3981    CVE-2014-4049

    Solution: Upgrade to PHP 5.4.30 (sig)
--mancha

GazL 06-27-2014 10:56 AM

Looks like there's some ancient LZO nastiness that is likely to be triggering security fixes across a number of upstream projects, including the kernel, ffmpeg and others... http://lwn.net/Articles/603668/

One of the comments in the linked lwn article points to a nice blog post about the issues: http://blog.securitymouse.com/2014/0...-bug-that.html

However, as the blog points out, whether it's exploitable in any given use case seems to be somewhat situational. Might take a while for the details of various projects affected by this one to come out of the woodwork.

mats_b_tegner 07-20-2014 05:01 AM

httpd 2.4.10 has been released, it fixes the following:
https://httpd.apache.org/security/vu...lities_24.html

Mats
