LinuxQuestions.org
Old 01-01-2014, 12:53 PM   #1
mancha
[Slackware security] vulnerabilities outstanding 20140101


Hello.

Some vulnerabilities of varying severity...

  1. curl 7.34.0
    CVE-2013-4545 fixed.
    CVE-2013-6422 fixed.

  2. php 5.4.23
    CVE-2013-6420 fixed.

  3. libgcrypt 1.6.0
    CVE-2013-4576 fixed.
    There's a secondary mitigant relevant to gnupg2 in libgcrypt (see: http://seclists.org/oss-sec/2013/q4/523).

  4. samba 4.1.3
    CVE-2013-4408 fixed.
    CVE-2012-6150 fixed.

  5. xorg-server
    CVE-2013-6424 fixed in http://patchwork.freedesktop.org/patch/14769/

  6. pixman
    CVE-2013-6425 fixed in http://cgit.freedesktop.org/pixman/p...d=5e14da97f16e

  7. openssl
    CVE-2013-6449 fixed in http://git.openssl.org/gitweb/?p=ope...h;h=ca989269a2
    CVE-2013-6450 fixed in http://git.openssl.org/gitweb/?p=ope...h;h=34628967f1

--mancha

Last edited by mancha; 01-02-2014 at 04:55 PM. Reason: added CVE-2013-6450, CVE-2013-4545
 
Old 01-06-2014, 12:49 PM   #2
mancha
Update 20140106
  1. openssl 1.0.1f
    CVE-2013-6449 fixed.
    CVE-2013-6450 fixed.
    CVE-2013-4353 fixed.

    Also, gmt_unix_time (seconds since epoch) is no longer added to the random fields of {Client,Server}Hello because that can be used for host fingerprinting by an adversary.
--mancha
 
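The gmt_unix_time point in the update above can be checked on captured handshakes rather than taken on trust. The following Python is an added example (not code from this thread or from OpenSSL): it builds a constructed minimal TLS 1.2 ClientHello or ServerHello record, pulls out the 32-byte Random field, and reports whether the leading four bytes decode to a Unix time close to a reference clock, which is what an implementation that still writes gmt_unix_time will show. The names build_hello, parse_hello_random, random_looks_like_timestamp and hello_leaks_time, and the sample bytes, are my own choices.

```python
import struct
import time
from typing import Optional

# Constructed minimal TLS 1.2 hello record (one cipher suite, no extensions),
# used here only as sample input; not a capture from any real host.
def build_hello(random32: bytes, msg_type: int = 1) -> bytes:
    if len(random32) != 32:
        raise ValueError("random must be 32 bytes")
    if msg_type == 1:    # ClientHello: version, random, session_id, suites, compression
        body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    elif msg_type == 2:  # ServerHello: version, random, session_id, suite, compression
        body = b"\x03\x03" + random32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    else:
        raise ValueError("only ClientHello (1) and ServerHello (2) are built")
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    # TLSPlaintext header: content type 22 (handshake), legacy version, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_hello_random(record: bytes) -> bytes:
    """Return the 32-byte Random from a ClientHello or ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version / server_version (2 bytes), then Random (32 bytes)
    if len(hello) < 34:
        raise ValueError("truncated hello")
    return hello[2:34]


def random_looks_like_timestamp(rand: bytes, now: int, window_secs: int = 86400) -> bool:
    """True if the leading 4 bytes decode to a big-endian Unix time within
    window_secs of 'now'. A uniformly random 32-byte field passes this by
    chance with probability about 2*window/2^32 (roughly 4e-5 for one day)."""
    (ts,) = struct.unpack("!I", rand[:4])
    return abs(ts - now) <= window_secs


def hello_leaks_time(record: bytes, now: Optional[int] = None) -> bool:
    """Convenience wrapper over a raw record; defaults to the current clock."""
    ref = int(time.time()) if now is None else now
    return random_looks_like_timestamp(parse_hello_random(record), ref)


if __name__ == "__main__":
    ts = 1389000000  # constructed reference clock (January 2014)
    leaky = build_hello(struct.pack("!I", ts) + b"\x11" * 28)
    opaque = build_hello(b"\xab" * 32, msg_type=2)
    print("leaky hello leaks time:", hello_leaks_time(leaky, now=ts + 3600))
    print("opaque hello leaks time:", hello_leaks_time(opaque, now=ts))
```

Run against hellos captured from your own hosts, pass the capture time as now; a steady stream of true results from one peer means its TLS stack still writes the clock into Random, and a fixed offset from your own clock is exactly the per-host fingerprint the update warns about.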
Old 01-07-2014, 01:19 PM   #3
mancha
Update 20140107
  1. libXfont
    CVE-2013-6462 fixed in http://cgit.freedesktop.org/xorg/lib...d=4d024ac10f96

    Above patch applies cleanly to Slackware 14.1's libXfont 1.4.6. Note: X.Org released libXfont 1.4.7 on 20140107
    to address this vulnerability.
--mancha
 
Old 01-07-2014, 05:24 PM   #4
mats_b_tegner
Quote:
Originally Posted by mancha
Update 20140106
  1. openssl 1.0.1f
    CVE-2013-6449 fixed.
    CVE-2013-6450 fixed.
    CVE-2013-4353 fixed.

    Also, gmt_unix_time (seconds since epoch) is no longer added to the random fields of {Client,Server}Hello because that can be used for host fingerprinting by an adversary.
--mancha
Compilation fails when building the docs with Perl 5.18. Use the following patch from LFS on the 0.9.8y-sources:
http://www.linuxfromscratch.org/patc...syntax-1.patch

And then this patch from Gentoo on 1.0.1f:
http://sources.gentoo.org/cgi-bin/vi...ch?view=markup

Mats

Last edited by mats_b_tegner; 01-07-2014 at 07:30 PM. Reason: fixed the compilation errors
 
Old 01-07-2014, 11:18 PM   #5
mancha
Quote:
Originally Posted by mats_b_tegner
Compilation fails when building the docs with Perl 5.18. Use the following patch from LFS on the 0.9.8y-sources:
http://www.linuxfromscratch.org/patc...syntax-1.patch

And then this patch from Gentoo on 1.0.1f:
http://sources.gentoo.org/cgi-bin/vi...ch?view=markup
Thanks for that. The LFS patch doesn't apply to 0.9.8y here so I made one from scratch. I also took the Gentoo patch you linked and reformatted it a bit. Both patches are here:

openssl-0.9.8y-perl-5.18.diff
openssl-1.0.1f-perl-5.18.diff


--mancha

Last edited by mancha; 01-07-2014 at 11:19 PM.
 
Old 01-09-2014, 07:10 AM   #6
mats_b_tegner
Quote:
Originally Posted by mancha
Thanks for that. The LFS patch doesn't apply to 0.9.8y here so I made one from scratch. I also took the Gentoo patch you linked and reformatted it a bit. Both patches are here:

openssl-0.9.8y-perl-5.18.diff
openssl-1.0.1f-perl-5.18.diff


--mancha
I've rebuilt the openssl-packages with your patches and they apply without errors.
 
Old 01-09-2014, 07:14 AM   #7
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 145

Rep: Reputation: 47
I've upgraded curl, php and samba to their latest versions. Just download the sources and compile using the SlackBuild-scripts from /source. Should we notify PatV?
 
Old 01-09-2014, 04:19 PM   #8
mancha
Quote:
Originally Posted by mats_b_tegner
I've upgraded curl, php and samba to their latest versions. Just download the sources and compile using the SlackBuild-scripts from /source. Should we notify PatV?
Glad to hear my patches worked out for you.

I emailed Pat about a week and a half before starting this thread but I haven't sent a 2nd email with more recent news (e.g. openssl, libxfont). A new email might be worthwhile in case he's not visiting LQ. Feel free to send one.

--mancha
 
Old 01-10-2014, 08:01 AM   #9
sardinha
samba 4.1.4

The latest stable release of samba is version 4.1.4: http://www.samba.org/samba/history/samba-4.1.4.html

The previous version (4.1.3) resolved some security holes, but it may be worth having the latest release with more bug fixes.
 
Old 01-10-2014, 11:37 AM   #10
corvid
I appreciate that you're keeping on top of the security issues.

Given how single-point-of-failure it is having Pat in control and these things often going unfixed for so long, it's really looking like I'm going to have to move on from slackware at last.
 
Old 01-12-2014, 07:58 AM   #11
mats_b_tegner
PHP 5.5.24 has been released. No security fixes as far as I know, but it's a recommended upgrade:

http://www.php.net/ChangeLog-5.php#5.4.24

Mats
 
Old 01-12-2014, 12:51 PM   #12
hpfeil
Bye, corvid! Remember to write if you find work and hang by your thumbs. [Bob & Ray Radio Program sign-off] I'll move on when Pat does. He's done fine with me for twenty years. I've tried the rest, but still use the best.

Thank you, mancha for staying on top of the SSL security patches. (Openssl-1.0.1e is the version on the mirrors.)
 
Old 01-12-2014, 01:22 PM   #13
hitest
Quote:
Originally Posted by corvid
I appreciate that you're keeping on top of the security issues.

Given how single-point-of-failure it is having Pat in control and these things often going unfixed for so long, it's really looking like I'm going to have to move on from slackware at last.
Okay. But, why announce that you're leaving?
I hope that you find a distro that is more to your liking.
 
Old 01-12-2014, 02:11 PM   #14
metaschima
If you look at the patches, few of them are actually security vulnerabilities, and none of them are critical. I'm sure Pat V. would have pushed updates if any of them were critical security vulnerabilities.

In other words, don't let this thread chase you away from Slackware.

gnupg 1.x is up-to-date at 1.4.16 BTW.
 
Old 01-12-2014, 03:44 PM   #15
dugan
Quote:
Originally Posted by corvid
these things often going unfixed for so long
What are you talking about?
 