SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A flaw in the Linux kernel DCCP network code allows remote (or local) attackers to cause a system crash (DoS) or potentially
execute arbitrary code via crafted DCCP packets (CVE-2014-2523).
The vulnerable code is in the kernel's DCCP connection tracker helper which Slackware builds as a module (both generic and
huge). In other words, if the DCCP conntrack module is not loaded (or not run via NOTRACK targets for example), the attack
vector is non-existent (see Prophylaxis).
Solution(s):
Re-build kernel 3.10.17 after applying upstream fix (for 14.1 users)
Upgrade to 3.10.36 (for current or 14.1 users on the latest 3.10.x)
Upgrade to 3.2.57 (for 14.0 users; not yet released)
Prophylaxis:
If you don't want to worry about patching or upgrading your kernel, you can remove the attack vector by ensuring the DCCP
conntrack helper module never loads:
A flaw in the TLS heartbeat extension code (introduced in version 1.0.1) can be exploited by attackers to reveal memory
connected to either a client or server using a vulnerable version (CVE-2014-0160 aka "heartbleed").
A design flaw in the way elliptic scalar multiplication is computed on curves defined over GF(2ᵐ) allows the recovery of
ECDSA nonces via flush+reload (CVE-2014-0076).
Notes: For the "heartbleed" bug, affected versions include 1.0.1-beta1 through 1.0.1f (inclusive) and 1.0.2-beta1. The 0.9.8
and 1.0.0 branches are not affected.
--mancha
========
Update #1
My initial report might not have transmitted the severity of the heartbeat vulnerability. At this point, any service linking a vulnerable
OpenSSL (1.0.1+) might have had its primary key material compromised. In other words, if you run such services you might need to
replace existing key material (e.g. web certificates, etc.). If your certificates are signed by an established CA, contact them about
the procedure for revocation and re-issuance of certificates. If you run a certificate authority yourself, take the necessary steps.
Client-side, credentials (or other private information) submitted by clients to vulnerable servers (login/password) are potentially
compromised.
Hi mancha, I am trying to rebuild the new openssl version and it doesn't work
Code:
created directory `/tmp/package-openssl/etc'
created directory `/tmp/package-openssl/etc/ssl'
created directory `/tmp/package-openssl/etc/ssl/man'
created directory `/tmp/package-openssl/etc/ssl/man/man1'
created directory `/tmp/package-openssl/etc/ssl/man/man3'
created directory `/tmp/package-openssl/etc/ssl/man/man5'
created directory `/tmp/package-openssl/etc/ssl/man/man7'
installing man1/CA.pl.1
installing man1/asn1parse.1
installing man1/ca.1
installing man1/ciphers.1
installing man1/cms.1
cms.pod around line 457: Expected text after =item, not a number
cms.pod around line 461: Expected text after =item, not a number
cms.pod around line 465: Expected text after =item, not a number
cms.pod around line 470: Expected text after =item, not a number
cms.pod around line 474: Expected text after =item, not a number
POD document had syntax errors at /usr/bin/pod2man line 71.
make: *** [install_docs] Error 1
Any idea/fix?
EDIT: I commented all the parts related to documentation on the slackbuild file but that is a bit annoying imo
Last edited by moisespedro; 04-08-2014 at 09:03 AM.
Use the source package in patches, not the one in the original source tree. That has worked for me without any issues. You need to remove openssl-1.0.1f.tar.gz and replace it with openssl-1.0.1g.tar.gz.
It was discovered version 1 intermediate certificates were being incorrectly considered CA certificates by default since
version 2.11.5. Systems with CAs in their trusted root certificate store, which issue X.509 version 1 certificates, are
potentially vulnerable. [CVE-2014-1959 / GNUTLS-SA-2014-1]
Solution: Upgrade to GnuTLS 3.1.21 or apply this fix.
--mancha
No way! they still had the GnuTLS in there? What about OpenSSL I haven't yet installed my new slack sys yet haven't had the time so can't check. Niether will I be running a server so it doens't affect me but just curious... Which openssl patch did you guys use. Hopefully .g and not .f
.f got an F as a security patch.
Which openssl patch did you guys use. Hopefully .g and not .f
.f got an F as a security patch.
Just in case you didn't look yet at the Slackware's Security Advisories and ChangeLogs, openssl and openssl-solibs where upgraded to version 1.0.1g on Tue Apr 8, as already stated by Willy.
See also updates in post #122 of this thread from Mancha.
Last edited by Didier Spaier; 04-13-2014 at 04:18 AM.
Reason: Typos corrected
Slackware 14.1's rsync 3.1.0 is vulnerable to a local/remote resource consumption denial of service attack (CVE assignment
pending). I've not personally checked other Slackware versions but a lightning code review suggests to me vulnerable code
exists since rsync 3.0.5 (i.e. Slackware 13.0).
Solution: Re-build rsync with upstream's fix [1] which I've mirrored at the vault.
PoC:
/etc/rsyncd.conf
Code:
[pub]
comment = PoC for DoS
path = /tmp
read only = yes
list = yes
uid = nobody
gid = nobody
auth users = *
secrets file = /etc/rsyncd.secrets
A use-after-free race condition has been discovered in OpenSSL's read buffer (CVE-2010-5298). Under certain
circumstances, this flaw may permit an attacker to inject data from one connection into another.
Note: This might be a NOP when OpenSSL is not built with OPENSSL_NO_BUF_FREELIST. Nevertheless, my strong
recommendation is that everyone apply the fix.
========
Update #1
The OpenSSL 0.9.8 branch is unaffected by this issue (vulnerable code was introduced in OpenSSL 1.0.0). Systems
running Slackware 13.37 and earlier require no action (unless they run a non-stock OpenSSL 1.0.0+).
Last edited by mancha; 04-14-2014 at 05:54 PM.
Reason: Mention 0.9.8 is unaffected
Update 20140407-1If you don't want to worry about patching or upgrading your kernel, you can remove the attack vector by ensuring the DCCPconntrack helper module never loads:
Basically, if you don't know what DCCP is, you should be save to blacklist it.. If that's what you asked.. (I've understood the question after metaschima's answer below)
Last edited by Smokey_justme; 04-16-2014 at 01:45 PM.
Technically there usually in no need to blacklist the conntrack dccp module unless you specifically load it yourself, and in this case simply don't load it. It is NOT loaded automatically, and NOT loaded by Alien Bob's firewall script.
what is difference between this code with just plain blacklist this modules in the file?
Thanks
"Blacklisting" prevents a kernel module from being auto-loaded. However, I also want to prevent the vulnerable code from loading
via two additional methods: 1) accidental manual loading and 2) indirectly via a non-blacklisted kernel module that depends on it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.