LinuxQuestions.org
Old 10-24-2016, 01:04 PM   #16
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Quote:
Originally Posted by Darth Vader
Nothing stops me from compiling a kernel as I like, and I believe that I have quite some experience with that after all those years.

Sadly, not all servers using Slackware are mine. So, more than probably there are thousands of administrators expecting official security patches. Because this is the way things are done, you know...
No! The way things should be done is administrators should administrate their own boxes. If a kernel/software/php update isn't put out with the expediency they desire, they should compile their own. All the SlackBuilds are available, as is the config used for the kernel.

Yes, Pat will likely get a patch out soon, but as an administrator, it is your job to ensure your system is as secure as it should be, and that will ALWAYS require you to deviate from a completely stock system... whether that be changing a config, starting/stopping a service, or recompiling a piece of software or the kernel.

If you have to get an updated piece of software from the distribution to ensure your systems are safe, you're failing as an administrator. Roll your own, and then when the official patch comes, you can switch to that. Until then, any breaches in security are on you, not on the distro. We aren't running Windows, and we don't need to wait for someone who designed the OS to release new updates.

Take some pride and take the initiative to keep your system secure!
 
4 members found this post helpful.
Old 10-24-2016, 01:20 PM   #17
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Original Poster
Quote:
Originally Posted by bassmadrigal
Take some pride and take the initiative to keep your system secure!
And so said to all administrators who use Slackware, the great Slackware Thinker, Mr. Bassmadrigal.

Maybe you have not figured it out yet, man! All servers running Slackware (while not only) are with the pants down right now.

Why? We know why! We even know who is at fault!

The question is what Slackware does when facing the most epic Linux vulnerability ever...


And please, let's not go zealots, as usual!

Last edited by Darth Vader; 10-24-2016 at 01:25 PM.
 
1 members found this post helpful.
Old 10-24-2016, 01:25 PM   #18
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

People...

"a security update should have been issued by now" is a valid criticism.
 
9 members found this post helpful.
Old 10-24-2016, 01:30 PM   #19
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Quote:
Originally Posted by Darth Vader
And so said to all administrators who use Slackware, the great Slackware Thinker, Mr. Bassmadrigal.

Maybe you have not figured it out yet, man! All servers running Slackware (while not only) are with the pants down right now.

Why? We know why! We even know who is at fault!

The question is what Slackware does when facing the most epic Linux vulnerability ever...


And please, let's not go zealots, as usual!
You may have a point, but yelling around won't help anyone.
 
1 members found this post helpful.
Old 10-24-2016, 01:57 PM   #20
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,112
Blog Entries: 21

Just an observation from a Salix/Slackel user.

Valid point on one side.

On the other.

Gift horses get their inoculation shots when ready.
 
1 members found this post helpful.
Old 10-24-2016, 02:19 PM   #21
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

This is one of the downsides of running a one-man centric distro. Pat simply can't offer the same level of response as the bigger distros. One should keep that in mind when choosing to run Slackware and be prepared to step in when he's not around to do the work for you. This situation is nothing new.
 
14 members found this post helpful.
Old 10-24-2016, 03:09 PM   #22
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Quote:
Originally Posted by Darth Vader
And so said to all administrators who use Slackware, the great Slackware Thinker, Mr. Bassmadrigal.

Maybe you have not figured it out yet, man! All servers running Slackware (while not only) are with the pants down right now.

Why? We know why! We even know who is at fault!

The question is what Slackware does when facing the most epic Linux vulnerability ever...


And please, let's not go zealots, as usual!
Let me fix that statement for you...

All servers running Slackware (while not only) whose administrators haven't taken the initiative and compiled a patched kernel are with the pants down right now.

GazL is indeed correct. Slackware is a one man team. Pat may be working on compiling kernels for all supported versions of Slackware, or he may be on vacation out in the wilderness without a signal. We don't know the reason why there haven't been updates, but seriously, do you really think Pat is going to work any harder because you posted your usual crap? It would certainly have been nice to have these security updates available as soon as they were available, but we don't have them yet. You can complain all you want, but unless you're willing to compile your own kernel like a good administrator should, you'll remain vulnerable until packages do become available.

If you (not just you, but any system admin) choose to just wait until Pat puts out updates, and decide to keep your systems vulnerable, then that's on you. Not on Pat.

Quote:
Originally Posted by dugan
People...

"a security update should have been issued by now" is a valid criticism.
I totally agree with this, but until a patch is released by Pat, a good sysadmin would upgrade the kernel themselves. As many of us know, this isn't the first time we've had a large gap in updates when valid security patches should've been released. Once the gap in updates during the 14.2 development cycle passed, Pat released updates for 16 packages for 14.1. Raising the question is fine, but geez, Darth has a way of bringing out the bad in everyone with his horrible posts.
 
6 members found this post helpful.
Old 10-24-2016, 03:50 PM   #23
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,307
Blog Entries: 4

Wordpress? Joomla? Drupal? They all have awful, terrible reputations for insecurity. Any fool knows that the only way to run Wordpress and stay sane is to have somebody else do it for you.

"Most epic Linux vulnerability ever" is a ridiculous exaggeration. This is "only" a local privilege escalation with a funny name, a funny logo and a funny online shop. To put that in perspective, look at all these remote exploits that didn't become memes.

Mr Volkerding's 50th birthday was the same day that Dirty Cow was announced. I hope he's having the holiday of a lifetime, and I hope he's off-grid, and anyone with a shred of humanity should bloody well agree.
 
16 members found this post helpful.
Old 10-24-2016, 04:31 PM   #24
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by e5150
This sort of thing is the reason I don't outright recommend slackware, even though it's the only distribution I'd use myself for my main OS. I couldn't tell my arch-using brother to switch over if I'd have to add the caveat “Oh, and by the way, don't expect security patches in a timely manner, you'll have to check forums and the obfuscated kernel changelog and fix those things yourself”. As much as I want to view slackware as a system that you set-it-up-once-and-forget-about-it, it ain't, not until security updates are consistently provided. Preferably with a delay inversely correlated to the severity of the issue.
The patches DO come in a timely manner.

If you want them even faster you can do them yourself. There is no "obfuscated kernel changelog".

Security updates come much faster than other systems as Slackware is closer to the upstream projects.

If you think the patches are too slow, you can certainly use RH... or Windows (oh wait, Windows still has the unpatched NTLM vulnerability from almost 20 years ago).

Last edited by jpollard; 10-24-2016 at 04:33 PM.
 
4 members found this post helpful.
Old 10-24-2016, 04:53 PM   #25
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

The fear mongering tone of this thread is disgraceful. Please conduct a proper threat assessment.
The vulnerability in question is a local privilege escalation. If you are a home user, using a default Slackware install, then the only way a remote user could exploit this would be via an unhardened SSH setup. The SSH port is likely blocked by default on your ISP supplied modem/router.
Anybody else who feels threatened, should reflect on the fact that they have chosen to open up their Slackware system to the internet and/or potentially hostile local users. By doing so, you also accepted responsibility for maintaining the security of your system.
I am not trying to underplay the seriousness of the vulnerability. The full disclosure has escalated the threat. The fix is simple and easy. Compile and install a new kernel.
 
8 members found this post helpful.
Old 10-24-2016, 05:04 PM   #26
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by Darth Vader
And so said to all administrators who use Slackware, the great Slackware Thinker, Mr. Bassmadrigal.

Maybe you have not figured it out yet, man! All servers running Slackware (while not only) are with the pants down right now.

Why? We know why! We even know who is at fault!

The question is what Slackware does when facing the most epic Linux vulnerability ever...


And please, let's not go zealots, as usual!
Actually you are being a bit stupid about it.

The EASIEST mitigation is to change the access mode of the memory map - as has been done by RH 5.

The next easiest is to just recompile the kernel. Easy to do, takes only a couple of minutes.
 
4 members found this post helpful.
Old 10-24-2016, 05:05 PM   #27
e5150
Member
 
Registered: Oct 2005
Location: Sweden
Distribution: Slackware and Alpine
Posts: 132

Quote:
Originally Posted by jpollard
If you want them even faster you can do them yourself.
That's what I do, and that's the reason I won't recommend slackware.
Quote:
Originally Posted by jpollard
There is no "obfuscated kernel changelog".
How, without digging through the source, or spending time at lwn or other sites, would you know from the changelog that commit 1294d355881cc5c3421d24fee512f16974addb6c fixes a severe security issue?
Quote:
Originally Posted by jpollard
Security updates come much faster than other systems as Slackware is closer to the upstream projects.
Well, Alpine, which is the only non-slackware linux system I use, released their grsecurity enhanced 4.4.26 on the 21st of October…
 
1 members found this post helpful.
Old 10-24-2016, 05:10 PM   #28
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by e5150
That's what I do, and that's the reason I won't recommend slackware.
You will find VERY few distributions that go faster. Most will spend a week or more verifying that nothing else has been affected by the patch.

I suppose you don't recommend any distribution...
Quote:
How, without digging through the source, or spending time at lwn or other sites, would you know from the changelog that commit 1294d355881cc5c3421d24fee512f16974addb6c fixes a severe security issue?
The words "Fix get_user_pages() race for write access" look fairly obvious.
Quote:
Well, Alpine, which is the only non-slackware linux system I use, released their grsecurity enhanced 4.4.26 on the 21st of October…
Oh gee. VERY slow...

The kernel was provided on 20th.

<sarcasm>And if you want the latest, it was released yesterday. So Alpine must be way behind.... </sarcasm>

Last edited by jpollard; 10-24-2016 at 05:15 PM.
 
1 members found this post helpful.
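
Added example, not written by any poster in this thread: a way to confirm, after rebuilding, that a kernel release string is at or above the 4.4.26 release discussed above. The function names are hypothetical, it assumes 4.4.26 is the first 4.4.x release carrying the fix, and a version comparison is only a heuristic because a hand-patched older kernel can also carry it.

```shell
#!/bin/sh
# kernel_has_fix RELEASE MIN_FIXED
#   0: RELEASE is at or above MIN_FIXED in the same major.minor series
#   1: RELEASE is older (fix missing unless backported by hand)
#   2: different series, or a string that cannot be parsed
kernel_has_fix() {
    # Drop local suffixes such as "-smp" or "-huge" from `uname -r` output.
    rel=${1%%-*}
    min=${2%%-*}
    for v in "$rel" "$min"; do
        case "$v" in
            ''|*[!0-9.]*) return 2 ;;   # empty or non-numeric
            [0-9]*.[0-9]*) ;;           # needs at least major.minor
            *) return 2 ;;
        esac
    done
    rel_series=$(echo "$rel" | cut -d. -f1,2)
    min_series=$(echo "$min" | cut -d. -f1,2)
    # Patch levels are only comparable inside one stable series.
    [ "$rel_series" = "$min_series" ] || return 2
    rel_patch=$(echo "$rel" | cut -d. -f3)
    min_patch=$(echo "$min" | cut -d. -f3)
    [ "${rel_patch:-0}" -ge "${min_patch:-0}" ]
}

# report RELEASE MIN_FIXED: print a one-line verdict, always returns 0.
report() {
    if kernel_has_fix "$1" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$1: at or above $2" ;;
        1) echo "$1: older than $2, fix missing unless backported" ;;
        *) echo "$1: not comparable with $2, check that series' changelog" ;;
    esac
}

# Constructed sample release strings, then the running kernel.
report 4.4.14-smp 4.4.26
report 4.4.38 4.4.26
report "$(uname -r)" 4.4.26
```
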
Old 10-24-2016, 06:21 PM   #29
Luridis
Member
 
Registered: Mar 2014
Location: Texas
Distribution: LFS 9.0 Custom, Merged Usr, Linux 4.19.x
Posts: 616

Is someone really here complaining about WORDPRESS?!

PHP is BAD... Run from anything PHP as fast as you can. No surprise when I just saw a picture of its creator at a joomla conference.

But... but... I blog!

And Wordpress will waste a lot of your blogging time. Try Pelican! It's simple and there is therefore little to go wrong. LOL

http://wallofscribbles.com/2015/07/p...y-pelican.html

http://blog.getpelican.com/
 
1 members found this post helpful.
Old 10-24-2016, 06:37 PM   #30
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Quote:
Originally Posted by bassmadrigal
[...] but geez, Darth has a way of bringing out the bad in everyone with his horrible posts.
At least he doesn't mention you-know-what or you-know-whom.
 
  

