1. proftpd
   
   
   Quote:

   Originally Posted by mralk3 CVE-2015-3306 Original release date: 05/18/2015 Slackware64 14.1 is running proftpd version: proftpd-1.3.4e-x86_64-1_slack14.1 I am not sure how to go about auditing for this vulnerability to be sure its actually a problem. Maybe it isn't considered a big issue, but all the same I thought I would notify.

   Slackware doesn't build proftpd with mod_copy so the version it ships isn't vulnerable to CVE-2015-3306. It seems Slackware
   current patched its proftpd anyways though given the build configuration it wasn't necessary.
   
   Recommendation: Nothing needed unless you've built a customized copy of proftpd with mod_copy support.
   
   
2. Firefox+GStreamer
   
   
   Quote:

   Originally Posted by BrZ CVE-2015-0797 GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file. Mozilla Foundation Security Advisory 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer Fix?

   Quote:

   Originally Posted by mats_b_tegner I just compiled GStreamer, gst-plugins-base and gst-plugins-good versions 1.4.5 under -current. I wonder if you need to recompile Firefox and Thunderbird against the new libraries as well? Mats

   This bug is a bit confusing in terms of which versions are affected. The bottom line is the bug is in h264parse from gst-plugins-bad
   (which Slackware doesn't ship). However, it's available from SBo and if you install it, Slackware's FF will automatically detect it and
   use it if necessary.
   
   Recommendation: Mozilla has patched their products (FF 38, FF ESR 31.8, and Thunderbird 31.7) so they now blacklist h264parse.
   Make sure you have at least these versions (for this issue and others). Also, if you've installed gst-plugins-bad apply Debian's patch
   (posted by BrZ in post #378) because other applications that use h264parse are potentially vulnerable as well.
   
   Note1: If you want to use GStreamer 1.x+ with FF you'll have to re-compile FF with --enable-gstreamer=1.0 or so. You might have
   valid reasons to want to transition Firefox to the new GStreamer API but keep in mind upgrading won't affect how FF deals with
   CVE-2015-0797 because at least for the time being, Mozilla's blacklisting of h264parse isn't version dependent.
   
   Note2: I don't believe GStreamer 1.x has fixed this bug yet (contrary to security reports).
   
   
3. Firefox+Logjam
   
   
   Quote:

   Originally Posted by mats_b_tegner Okay, I guess I'll wait until there is a patch against Logjam for Firefox.

   Mozilla will be releasing a new NSS library that rejects FF DH groups smaller than 1024 bits. Currently the minimum is 512 bits (actually
   because of a bug in length calculations the minimum is effectively 505 bits) which means it'll accept Logjammable DHE groups. The
   fix is planned for inclusion in FF 39 (and the next ESRs).
   
   Recommendation: Until FF releases new versions with the new NSS bundled in, you can avoid Logjam by disabling all DHE cipher
   suites. Search for them by putting security.ssl3.dhe in the about:config search bar (see attached pic). Your FF might be newer
   and have less than the nine ciphers shown in the pic; just set whichever ones you do have to false.
   

1. OpenSSL
   
   OpenSSL today released a security advisory with details on 5 new vulnerabilities (4 moderate, 1 low) and a Logjam hardening measure.
   
   R̶e̶c̶o̶m̶m̶e̶n̶d̶a̶t̶i̶o̶n̶:̶ ̶U̶p̶g̶r̶a̶d̶e̶ ̶t̶o̶ ̶O̶p̶e̶n̶S̶S̶L̶ ̶1̶.̶0̶.̶1̶n̶ ̶(s̶i̶g̶) ̶a̶n̶d̶/̶o̶r̶ ̶O̶p̶e̶n̶S̶S̶L̶ ̶0̶.̶9̶.̶8̶z̶g̶ ̶(̶s̶i̶g̶)̶,̶ ̶a̶s̶ ̶a̶p̶p̶l̶i̶c̶a̶b̶l̶e̶.̶
   
   New Recommendation: I've been made aware there might be ABI breakage from OpenSSL 1.0.1m -> OpenSSL 1.0.1n. Postponing
   upgrades until that is sorted out is probably prudent.
   
   
   
2. libwmf
   
   ReadBMPImage in libwmf is vulnerable to an overflow that can be exploited using crafted input to cause a DoS or potentially execute
   arbitrary code. (CVE-2015-0848)
   
   To test:
   
   
   Code:

   $ wmf2svg --wmf-fontdir=/tmp/seggyfault bmpoverflow.wmf

   Recommendation: Apply libwmf-0.2.8.4_CVE-2015-0848.diff and rebuild.
   
   
   
3. Ruby
   
   Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames. (CVE-2015-1855)
   
   Recommendation: 14.1 users apply ruby-1.9.3-p484_CVE-2015-1855.diff; current users apply ruby-1.9.3-p551_CVE-2015-1855.diff.

"Fama refert nostros te, Fidentine, libellos non aliter populo quam recitare tuos."

--Martial, Epigrammata

1. OpenSSL
   
   OpenSSL released new versions (1.0.1o & 1.0.2c) to address the HMAC_CTX ABI breakage I allude to in the previous post.
   
   Recommendation: Upgrade to OpenSSL 1.0.1o (sig) and/or OpenSSL 0.9.8zg (sig), as applicable.

1. Python(*)
   
   Python 2.7.5, as shipped by Slackware 14.1, is vulnerable to potential exploitation of numerous security issues (e.g. see posts #78
   and #249).
   
   In addition, Python 2.7.9 fixes DoS issues in smptlib and poplib and XMLRPC (CVE-2013-1752, CVE-2013-1753) and introduces
   hardening features (i.e. disabling SSLv3 in httplib and enabling HTTPS certificate validation by default). Python 2.7.10 fixes a potential
   buffer overflow in PyUnicode_FromFormatV.
   
   Recommendation: Slackware 14.1 & current users should upgrade to Python 2.7.10.