LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 03-19-2014, 04:37 PM   #106
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled

Update 20140319

Quote:
Originally Posted by Phorize View Post
Firefox ESR 24.4.0 fixes some critical vulnerabilities. I'm trying to debug a failed build as I write.
  1. Mozilla Various

    Thank you for alerting us about this. Earlier today I sent Pat an email but let me copy the information here as well.
    Mozilla has released the following products:

    • Firefox 28 (current)
    • Firefox ESR 24.4
    • Thunderbird 24.4
    • Seamonkey 2.25

    To address the following:

--mancha

PS If you find something interesting re: your failed build, please post it here for our benefit
 
Old 03-19-2014, 04:51 PM   #107
Didier Spaier
Senior Member
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slackware{,64}-{14.1,current} on a Lenovo Thinkpad W520
Posts: 4,673

Rep: Reputation: 1236
Apache HTTP Server 2.4.9 Released

I'll just quote the security part of the announcement:

Code:
CVE-2014-0098 (cve.mitre.org)
  Segfaults with truncated cookie logging.
  mod_log_config: Prevent segfaults when logging truncated
  cookies. Clean up the cookie logging parser to recognize
  only the cookie=value pairs, not valueless cookies.

CVE-2013-6438 (cve.mitre.org)
  mod_dav: Keep track of length of cdata properly when removing
  leading spaces. Eliminates a potential denial of service from
  specifically crafted DAV WRITE requests
Sorry for the noise if that's already in the pipe. Anyhow all users of the 2.4 branch are encouraged to upgrade.

PS Compilation went fine on my Slackware 14.0 using the SlackBuild in patches/source/httpd. I just got a warning about Lua 5.1 library not found and mod_lua was not enabled.

Caveat emptor: my Slackware 14.0 is not a clean new system and I didn't look at new options with ./configure --help

Last edited by Didier Spaier; 03-19-2014 at 05:24 PM.
 
Old 03-19-2014, 06:14 PM   #108
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,504

Rep: Reputation: 912
Quote:
Originally Posted by mancha View Post
  • Firefox 28 (current)
...
PS If you find something interesting re: your failed build, please post it here for our benefit
I'll leave this here hoping it will be useful: in case you want to rebuild firefox >= 28.0b1 or thunderbird >= 28.0b1 you will need to explicitly add "--disable-pulseaudio" to the configure options in the -current SlackBuild or it won't build.
Quote:
Originally Posted by Didier Spaier View Post
I just got a warning about Lua 5.1 library not found and mod_lua was not enabled.
That is optional (the previous version behaves like that too), so it should be OK.

Last edited by ponce; 03-19-2014 at 06:16 PM.
 
Old 03-19-2014, 08:52 PM   #109
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,140

Rep: Reputation: 152
If you don't want to rebuild it you can just grab ruario's script http://www.panix.com/~ruari/latest-firefox
 
Old 03-20-2014, 08:27 AM   #110
Phorize
Member
 
Registered: Sep 2005
Location: UK
Distribution: Slackware
Posts: 218

Rep: Reputation: 26
Quote:
Originally Posted by mancha View Post
Update 20140319


  1. Mozilla Various

    Thank you for alerting us about this. Earlier today I sent Pat an email but let me copy the information here as well.
    Mozilla has released the following products:

    • Firefox 28 (current)
    • Firefox ESR 24.4
    • Thunderbird 24.4
    • Seamonkey 2.25

    To address the following:

--mancha

PS If you find something interesting re: your failed build, please post it here for our benefit
The error was mine; I ran the slackbuild with MOZLOCALIZE=en_GB instead of MOZLOCALIZE=en-GB. Apologies to all.
 
Old 03-21-2014, 07:24 PM   #111
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 145

Rep: Reputation: 47
Quote:
Originally Posted by mancha View Post
Update 20140316

  1. FreeType

    Mats, thanks for bringing this up. Actually, HarfBuzz is a new and optional dependency of FreeType as of 2.5.3.
    FreeType 2.5.3 will build on stock Slackware 14.1 but automatically disables HarfBuzz support when it doesn't
    detect a new enough version.

    However, building FreeType 2.5.3 requires a modified illadvisederror patch (see note at end), so I've amended my
    recommendation for most slackers:

    Solution: Rebuild Slackware 14.1 FreeType 2.5.0.1 after applying my CVE-2014-2240+CVE-2014-2241 backport fix (sig).
--mancha

Note: For those wishing to upgrade to FreeType 2.5.3:
  • Get my FreeType 2.5.3 illadvisederror patch (gzip it or edit the Slackbuild so it applies uncompressed)
  • Build FreeType 2.5.3 (1st pass with no HarfBuzz support)
  • Upgrade to HarfBuzz 0.9.26 [OPTIONAL STEP]
  • Rebuild FreeType 2.5.3 (2nd pass with HarfBuzz support) [OPTIONAL STEP]

    Keep in mind lots of things depend on HarfBuzz and FreeType so upgrading these two libs is done at your own risk.
Hmm, AlienBOB's LibreOffice 4.2.2 package crashes upon launch with HarfBuzz 0.9.26. Reverting to HarfBuzz 0.9.16 restores functionality. Rebuilding FreeType with the backported fixes seems to be the sane thing to do right now...

Mats
 
Old 03-22-2014, 04:21 AM   #112
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled
Update 20140322
  1. Mozilla NSS

    A flaw in the handling of wildcard certificates was discovered in NSS (CVE-2014-1492).

    Solution: Upgrade to NSS 3.16.
 
1 members found this post helpful.
Old 03-27-2014, 07:03 PM   #113
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled
Update 20140327
  1. curl/libcurl

    Curl/libcurl released 7.36.0 which includes several bug fixes and addresses four security issues, two of which affect Slackware:

    CVE-2014-0138 (see: http://curl.haxx.se/docs/adv_20140326A.html)
    CVE-2014-0139 (see: http://curl.haxx.se/docs/adv_20140326B.html)

    Solution: Upgrade to curl 7.36.0 (sig)
--mancha
 
Old 03-29-2014, 02:14 AM   #114
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 145

Rep: Reputation: 47
curl, Firefox, httpd, nss, openssh, Seamonkey and Thunderbird have been updated according to the latest ChangeLog.

Mats
 
Old 03-30-2014, 10:36 PM   #115
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Rep: Reputation: 62
Quote:
Originally Posted by mats_b_tegner View Post
curl, Firefox, httpd, nss, openssh, Seamonkey and Thunderbird have been updated according to the latest ChangeLog.

Mats
Yeah, but not for Slackware 14.0. Has support dropped so soon? Won't it compile? What happened? I thought I'd get by with it a couple more months, perhaps until the next release.
 
Old 03-31-2014, 04:08 AM   #116
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 145

Rep: Reputation: 47
Quote:
Originally Posted by bonixavier View Post
Yeah, but not for Slackware 14.0. Has support dropped so soon? Won't it compile? What happened? I thought I'd get by with it a couple more months, perhaps until the next release.
Are you sure? I can see ChangeLog updates from 13.0 to -current here:
http://slackware.osuosl.org/
curl and openssh are updated for 13.0 to -current; only Firefox and Thunderbird are missing in 13.0 and 14.0.

Mats
 
Old 03-31-2014, 07:04 AM   #117
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Rep: Reputation: 62
Quote:
Originally Posted by mats_b_tegner View Post
Are you sure? I can see ChangeLog updates from 13.0 to -current here:
http://slackware.osuosl.org/
curl and openssh are updated for 13.0 to -current; only Firefox and Thunderbird are missing in 13.0 and 14.0.

Mats
You're right, of course. I was referring to Firefox and Thunderbird, but was too tired to make myself clear. I just didn't get why those two weren't in the batch. Not trying to be a nagger or anything, just want to understand.
 
Old 03-31-2014, 07:59 AM   #118
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware64
Posts: 145

Rep: Reputation: 47
Quote:
Originally Posted by bonixavier View Post
You're right, of course. I was referring to Firefox and Thunderbird, but was too tired to make myself clear. I just didn't get why those two weren't in the batch. Not trying to be a nagger or anything, just want to understand.
I don't know why Firefox 24 ESR and Thunderbird 24 won't compile on 14.0 since I haven't tested myself. Maybe it's a dependency? Can you use Seamonkey 2.25 as a workaround?

Edit:
...Apparently you'll need glibc 2.17 to compile Firefox and Thunderbird 24 or later

Last edited by mats_b_tegner; 03-31-2014 at 08:33 AM.
 
Old 03-31-2014, 12:36 PM   #119
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,532

Rep: Reputation: Disabled
There's also this kernel issue for all kernels through 3.13.6:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-2523
https://github.com/torvalds/linux/co...254fc10cbc2b92
It is listed as critical:
https://www.us-cert.gov/ncas/bulletins/SB14-090
 
Old 04-07-2014, 12:50 PM   #120
mancha
Member
 
Registered: Aug 2012
Posts: 362

Original Poster
Rep: Reputation: Disabled
Update 20140407
  1. OpenSSH

    A vulnerability (CVE-2014-2653) was discovered in the way OpenSSH verifies SSHFP DNS resource records. Under certain
    circumstances, specifically when the server provides a host certificate not recognized by the client, the client skips
    SSHFP verification regardless of VerifyHostKeyDNS.

    Solution: Re-build either OpenSSH 5.9 or OpenSSH 6.6 (the two versions supported by Slackware) after applying my
    backported fixes:

    openssh-5.9p1_CVE-2014-2653.diff
    openssh-6.6p1_CVE-2014-2653.diff

    Note: If the terms SSHFP, host certificate, or resource records are new to you, you can likely ignore this alert.
--mancha

Last edited by mancha; 04-07-2014 at 12:57 PM.
 
1 members found this post helpful.
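Added example, not part of mancha's post or of the linked patches: a Python sketch of what an SSHFP check compares, for readers new to the terms in update 20140407. It hashes the server's public key blob and matches it against (algorithm, fingerprint type, digest) records, and it performs that match on the plain key even when the server offers an Ed25519 host certificate. Unwrapping the certificate first is this sketch's own assumption about a safe design; all function names and the sample key, certificate and record are constructed here.

```python
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
CERT_SUFFIX = "-cert-v01@openssh.com"

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(blob, off):
    """Decode one SSH wire string at off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def plain_key(blob):
    """Return (key type, plain key blob), unwrapping an Ed25519 host certificate."""
    ktype, off = read_string(blob, 0)
    name = ktype.decode("ascii")
    if not name.endswith(CERT_SUFFIX):
        return name, blob
    if name != "ssh-ed25519" + CERT_SUFFIX:
        raise ValueError("sketch only unwraps Ed25519 certificates")
    _nonce, off = read_string(blob, off)   # certificate nonce
    pk, _ = read_string(blob, off)         # embedded public key
    return "ssh-ed25519", ssh_string(b"ssh-ed25519") + ssh_string(pk)

def sshfp_matches(offered_blob, records):
    """True if an SSHFP record (alg, fptype, hex digest) matches the offered key."""
    name, plain = plain_key(offered_blob)
    alg = SSHFP_ALG.get(name)
    for r_alg, r_type, r_hex in records:
        if r_alg == alg and r_type in SSHFP_HASH:
            if SSHFP_HASH[r_type](plain).hexdigest() == r_hex.lower():
                return True
    return False

# Constructed sample data: a dummy key, a certificate wrapping it, one DNS record.
PK = bytes(range(32))
PLAIN = ssh_string(b"ssh-ed25519") + ssh_string(PK)
CERT = (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"n" * 32)
        + ssh_string(PK) + struct.pack(">Q", 1))  # body after the key omitted
RECORDS = [(4, 2, hashlib.sha256(PLAIN).hexdigest())]

if __name__ == "__main__":
    for label, blob in (("plain key", PLAIN), ("certificate", CERT)):
        print(label, "matches SSHFP:", sshfp_matches(blob, RECORDS))
```

Both the plain key and the certificate wrapping it match the record, while a certificate wrapping a different key does not, so offering a certificate cannot sidestep the DNS fingerprint comparison in this model.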
  


Tags
exploit, security, slackware


All times are GMT -5. The time now is 10:56 PM.
