LinuxQuestions.org
Old 04-13-2017, 05:22 PM   #601
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware
Posts: 479
Blog Entries: 17

Rep: Reputation: 489

Cool, thank you :-) I assume the fix is in linux-3.10.104 as well.
 
Old 04-19-2017, 05:49 AM   #602
rob.rice
Member
 
Registered: Apr 2004
Distribution: slack what ever
Posts: 998

Rep: Reputation: 159
Quote:
Originally Posted by eloi View Post
And sub-quoting myself again.

Taking in care Slackware development modus operandi a bug tracking system (already invented) is of no use. Mailing lists servers are already provided and ready to use for the rest of functionality. Who think a forum is better for that is because ignores how to use mailing lists. Forums were adopted by users for the same reason all *reinventing the wheel new stuff* is adopted (i.e. systemd), ignorance and laziness.

as it stands bugs don't get fixed in systemd just marked as such
turning to a forum like this is the last resort
 
Old 04-19-2017, 06:52 AM   #603
audriusk
Member
 
Registered: Mar 2011
Location: Klaipėda, Lithuania
Distribution: Slackware
Posts: 308

Rep: Reputation: 154
Mercurial 4.1.3 is released with security fix:
Quote:
This is an out of cycle release to address a security issue:
  • hg serve --stdio could be tricked into granting authorized users access to the Python debugger. Thanks to Jonathan Claudius of Mozilla for reporting this issue.

Not sure which older versions are affected and how severe it is (no CVE number provided in the release note).
 
Old 04-19-2017, 07:11 AM   #604
bassmadrigal
Senior Member
 
Registered: Nov 2003
Location: Newport News, VA
Distribution: Slackware
Posts: 3,750

Rep: Reputation: 1846
Quote:
Originally Posted by rob.rice View Post
as it stands bugs don't get fixed in systemd just marked as such
turning to a forum like this is the last resort

Turning to a Slackware forum about systemd issues is pointless. Take your baggage somewhere else... we don't want to see it.

*If* Slackware ever adopts systemd, it will be because Pat felt it was the best option (likely due to other projects relying too heavily on it that gutting random parts (like eudev and elogind) aren't enough anymore). Your random posts (or anyone's random posts) will have no factor in that decision. Pat is the BDFL of Slackware. He is the only person who has a decision in the matter.

However, there is no sign that Pat is considering this, so there's no reason to be spamming the forum with a bunch of systemd nonsense.
 
5 members found this post helpful.
Old 04-19-2017, 08:56 AM   #605
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 382

Rep: Reputation: 171
curl 7.54.0

Curl 7.54.0 fixes CVE-2017-7468.
https://curl.haxx.se/changes.html#7_54_0
https://curl.haxx.se/docs/adv_20170419.html
https://curl.haxx.se/download/curl-7.54.0.tar.bz2
https://curl.haxx.se/download/curl-7.54.0.tar.bz2.asc

Last edited by mats_b_tegner; 04-19-2017 at 08:58 AM.
 
1 members found this post helpful.
Old 04-19-2017, 09:01 AM   #606
Thom1b
Member
 
Registered: Mar 2010
Location: France
Distribution: Slackware
Posts: 155

Rep: Reputation: 97
I saw that too but didn't post anything because this CVE is present since curl-7.52. Slackware-14.2 has curl-7.51.0.
Quote:
INFO
----

This flaw also affects the curl command line tool.

For version 7.52.0, we rearranged a lot of TLS code to bring support for HTTPS
proxies, which unfortunately made us accidentally bring this old flaw back!

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-7468 to this issue.

AFFECTED VERSIONS
-----------------

This flaw is relevant for all versions of curl and libcurl that support TLS
and client certificates.

- Affected versions: curl 7.52.0 to and including 7.53.1
- Not affected versions: curl < 7.52.0 and >= 7.54.0
 
1 members found this post helpful.
Old 04-19-2017, 09:06 AM   #607
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 382

Rep: Reputation: 171
Quote:
Originally Posted by Thom1b View Post
I saw that too but didn't post anything because this CVE is present since curl-7.52. Slackware-14.2 has curl-7.51.0.

Okay, but -current has 7.53.1.
 
2 members found this post helpful.
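
The version question settled in the posts above (14.2 ships 7.51.0, -current ships 7.53.1) can be checked mechanically. This is an added example, not part of the thread or of the curl project: the function names and the sample banners are constructed, and treating `SSL` on the `Features:` line as "supports TLS and client certificates" is an assumption.

```shell
#!/bin/sh
# Added example: classify a curl build against the range quoted in the thread
# for CVE-2017-7468 (affected: 7.52.0 through 7.53.1 inclusive).
# Assumption: "SSL" on the Features line of `curl --version` stands in for
# "supports TLS and client certificates".

# MAJOR.MINOR.PATCH -> one comparable integer (components assumed < 1000).
ver_to_int() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    echo $(( $major * 1000000 + $minor * 1000 + $patch ))
}

# $1 = full text printed by `curl --version`.
# Prints: affected | not-affected | not-affected-no-tls | unknown
curl_7468_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    if ! printf '%s\n' "$1" | grep -Eq '^Features:.*[[:space:]]SSL([[:space:]]|$)'; then
        echo not-affected-no-tls; return 0
    fi
    v=$(ver_to_int "$ver")
    if [ "$v" -ge "$(ver_to_int 7.52.0)" ] && [ "$v" -le "$(ver_to_int 7.53.1)" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banner (not captured from a real system).
mk_banner() {   # $1 = version, $2 = feature list
    printf 'curl %s (x86_64-slackware-linux-gnu) libcurl/%s\n' "$1" "$1"
    printf 'Protocols: ftp http https\nFeatures: %s\n' "$2"
}

# Walk the versions mentioned in the thread through the check.
for v in 7.51.0 7.52.0 7.53.1 7.54.0; do
    echo "$v: $(curl_7468_status "$(mk_banner "$v" 'IPv6 Largefile SSL libz')")"
done
```

To check an installed build, pass the real banner: `curl_7468_status "$(curl --version)"`.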
Old 04-20-2017, 12:28 AM   #608
Thom1b
Member
 
Registered: Mar 2010
Location: France
Distribution: Slackware
Posts: 155

Rep: Reputation: 97
bind is released with security fixes

bind 9.9.10, 9.10.5, 9.11.1 are released.

Quote:
Security Fixes

* rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
* Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
* dns64 with break-dnssec yes; can result in an assertion failure.
This flaw is disclosed in CVE-2017-3136. [RT #44653]
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records
permitted in a zone (max-records #;). This provides a mechanism to
block overly large zone transfers, which is a potential risk with
slave zones from other parties, as described in CVE-2016-6170. [RT
#42143]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
 
2 members found this post helpful.
Old 04-20-2017, 11:50 AM   #609
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,188

Rep: Reputation: 3161
Quote:
Originally Posted by Thom1b View Post
bind 9.9.10, 9.10.5, 9.11.1 are released.

All of these issues are already fixed in the -Px releases, and Slackware patches have already been issued. BIND has a habit of repeating all the CVEs since the last major version when announcing a new stable branch.
 
2 members found this post helpful.
Old 04-20-2017, 11:54 AM   #610
Thom1b
Member
 
Registered: Mar 2010
Location: France
Distribution: Slackware
Posts: 155

Rep: Reputation: 97
OK, I didn't see. Sorry for the unused post.
 
  



Tags
exploit, security, slackware

