A security audit of GnuTLS, carried out by one of its primary developers, has identified serious flaws in its certificate validation
code (CVE-2014-0092). The vulnerabilities can be exploited via specially-crafted certificates to effectively circumvent certificate
Solution: Slackware deployed security fixes for Slackware 13.0 through current the day the issue became public (20140303).
I encourage those who've not yet applied these updates to do so as soon as possible.
Note: Slackware 12.1 and 12.2 systems can address this issue by rebuilding GnuTLS after applying Slackware 13.0's fix.
So what Slackware code is actually using GnuTLS?
I did a search of the current slackware64-current/source and found very little.
It looks like two packages use it as they are built with "gnutls"
l/loudmouth a library for the Jabber instant messenger protocol.
xap/pan a usenet news reader.
Since I don't use Jabber and I don't use pan this appears to be an extremely low impact "security risk".
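A run-time complement to searching build scripts, added here as an example and not taken from any post in this thread: list the installed ELF files whose dynamic section names libgnutls, and look up the owning package. It assumes binutils' `readelf` is installed and that the package database is in `/var/log/packages` with paths listed without a leading slash; `PKGDB`, `needs_gnutls`, `owner_of` and `scan` are names chosen for this example.

```shell
#!/bin/sh
# Added example: find installed ELF files that load libgnutls at run time
# and name the Slackware package that owns each one.
# Assumptions: readelf (binutils) is available; the package database is in
# /var/log/packages (override with PKGDB) and lists paths without a leading "/".

PKGDB=${PKGDB:-/var/log/packages}

# Read `readelf -d` output on stdin; succeed if a NEEDED entry names libgnutls
# (also matches libgnutls-openssl and libgnutlsxx, shipped by the same package).
needs_gnutls() {
    grep -Eq '\(NEEDED\).*\[libgnutls[^]]*\.so'
}

# Print the package(s) whose file list contains the given absolute path.
owner_of() {
    rel=${1#/}
    found=$(grep -lxF -- "$rel" "$PKGDB"/* 2>/dev/null) || true
    if [ -n "$found" ]; then
        for f in $found; do basename "$f"; done
    else
        echo "(no package)"
    fi
}

# Walk the given directories and print "file<TAB>package" for each match.
scan() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            if readelf -d "$f" 2>/dev/null | needs_gnutls; then
                printf '%s\t%s\n' "$f" "$(owner_of "$f" | tr '\n' ' ')"
            fi
        done
    done
}

# Scan only when directories are given on the command line, e.g.:
#   sh gnutls-users.sh /usr/bin /usr/sbin /usr/lib64 /usr/libexec
if [ "$#" -gt 0 ]; then
    scan "$@"
fi
```

Including the library directories in the scan also reports shared libraries linked against GnuTLS; programs that load those libraries depend on it indirectly and will not appear on their own.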
A flaw in the way udisks/udisks2 processes path names (CVE-2014-0004) can be exploited by malicious local users, via
specially-crafted directory structures, to execute arbitrary code as the udisks daemon (i.e. root).
A buffer overflow vulnerability (CVE-2014-0467) was discovered in mutt's parsing of RFC2049 headers. A remote attacker
can exploit this via an email with specially-crafted headers to cause a DoS and potentially execute arbitrary code.
An internal samba audit has identified two security issues:
CVE-2013-4496 (flaw allows bypass of password lock-out and unlimited password attempts via the samr interface).
CVE-2013-6442 (flaw in smbacls potentially clears an object's existing ACLs leaving it unprotected).
My Slackware deployments do not require a tin foil hat the size of a sombrero, but I also am very grateful to mancha for the investigation and fixes to security issues. It shows an ability beyond my ken.
On the file issue, it just goes to show the degree of difficulty that our BDFL faces in balancing usability with security. An upstream change made the basic nano utility segfault without a change to file to use a compiled magic file. http://www.linuxquestions.org/questi...le-4175455374/ Now a security issue has been uncovered.
Yeah, stability and security have to be juggled carefully as they can affect one another. I'm only concerned about critical exploits, like privilege escalation / remotely rooting the system, etc. Lesser exploits are more of a concern on multi-user systems or for sysadmins, not me.
I want to commend 'Mancha' along with other Slackers for contributing helpful information to the Slackware community here at LQ.
Thanks for your post and thanks to other slackers who have encouraged me in this thread and privately. It makes the effort worthwhile
knowing folks are appreciative and finding the information valuable.
To slackers contributing alerts or solutions here, keep up the good work.
In order to compile FreeType 2.5.3 Harfbuzz needs to be updated as well.
Mats, thanks for bringing this up. Actually, HarfBuzz is a new and optional dependency of FreeType as of 2.5.3.
FreeType 2.5.3 will build on stock Slackware 14.1 but automatically disables HarfBuzz support when it doesn't
detect a new enough version.
However, building FreeType 2.5.3 requires a modified illadvisederror patch (see note at end), so I've amended my
recommendation for most slackers:
Solution: Rebuild Slackware 14.1 FreeType 188.8.131.52 after applying my CVE-2014-2240+CVE-2014-2241 backport fix (sig).
Note: For those wishing to upgrade to FreeType 2.5.3: