Status Update: Slackware LQ Security Thread
Hi.
Many of you are familiar with [Slackware security] vulnerabilities outstanding 20140101 (aka "the security thread"). For those who aren't, it's a thread where slackers (ranging from security-conscious end users to admins seeking to harden their systems) share and discuss security concerns with a focus on solutions. Unfortunately, its high posting volume makes navigating it a bit of a challenge. To help with this, I recently put together a status report covering the period from 20140101 (thread's birth) through 20141014. As was suggested to me, I am re-posting it here to raise visibility. --mancha
LQ Slackware Vulnerability Thread Status Report (20141014) |
Thanks for a comprehensive update.
So Slackware-current is still vulnerable where you listed it as such. I know those with servers online will take one attitude. For the ordinary user, how many of these matter? |
Great question with no simple answer. After all, levels of risk aversion, use case profiles, etc. vary considerably by user (i.e. security is not one-size-fits-all). Gurus and seasoned users can provide guidelines and recommendations to novices but ultimately each user needs to answer that question for themselves. The thread doesn't attempt to decide for you what should matter. Rather, in Slackwarian fashion, issue/solution sets are shared and discussed unfiltered. That way individual slackers can make informed decisions about which security situations are of concern to them. --mancha |
Thanks mancha, I like this thread a lot better than the original. Clear, concise, to the point and a great disclaimer that the user needs to decide for themselves, I couldn't have put it better. Keep it up.
|
wpa_supplicant v2.3 fixes CVE-2014-3686 (http://www.securityfocus.com/bid/70396/info)
This is quite urgent since it could lead to RCE. Changelog of wpa_supplicant v2.3 http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog |
I guess I should finally upgrade my server from 14.0 to 14.1, given that there is now at least one set of security updates (i.e., glibc) that has not been applied to 14.0, which still runs a vulnerable version of glibc according to the literature I have read.
|
Curious because it just came out recently, but how is ConsoleKit-0.4.5 used by Slackware compared to ConsoleKit2-0.9.2 in terms of code vulnerability?
|
Can slackpkg be used to automagically update the system from the list posted at slackware.com?
If so, HOW? |
yes, that's what slackpkg is used for ;)
|
Automagically? Not that I'm aware of without scripting it. But you probably shouldn't do it automatically so you can decide what new configs to keep, merge, or discard.
Just make sure you have a server selected in the mirrors file, then run the commands to check for updates and then to upgrade the packages. |
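The slackpkg procedure just described (one mirror selected, check for updates, upgrade, then decide what to do with new configs), as an added shell example that is not from any poster in this thread. It assumes the stock Slackware paths /etc/slackpkg/mirrors and /etc; the two helper functions work on any file or directory, and only upgrade_with_slackpkg actually invokes slackpkg.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight wrapper around
# "slackpkg update" / "slackpkg upgrade-all". Paths below are assumptions
# (stock Slackware layout); slackpkg itself must be run as root.

# Count active (uncommented, non-empty) lines in a slackpkg mirrors file.
# slackpkg wants exactly one; zero or several makes it refuse to run.
active_mirrors() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# List *.new config files that slackpkg left behind for the admin to
# keep, merge or discard. Defaults to /etc.
pending_new_configs() {
    find "${1:-/etc}" -name '*.new' -type f 2>/dev/null | sort
}

# Refuse to touch the system unless the mirrors file is sane, then run
# the update/upgrade steps interactively and show what still needs review.
upgrade_with_slackpkg() {
    mirrors="${1:-/etc/slackpkg/mirrors}"
    n=$(active_mirrors "$mirrors")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active mirror in $mirrors, found $n" >&2
        return 1
    fi
    slackpkg update || return 1   # refresh package lists and ChangeLog
    slackpkg upgrade-all          # interactive: you confirm the package list
    echo "Config files left for review (keep, merge or discard):"
    pending_new_configs /etc
}
```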
Hello rob.rice, willysr, bassmadrigal.
I request you move this to a more appropriate thread. The purpose of this low-traffic thread is to provide occasional status updates for the security thread. Thanks. |
Hi mancha, thank you for this excellent summary thread and the links.
1) Any chance you might make a follow-up thread, or include in this one, how one should do a basic securing of their Slackware? 2) Any chance you might provide instructions for earlier Slackware releases on how to build the Advisory for their release? 3) For newbies, any chance you might include a link to "updating using "&make&&makeinstall" or "slackpkg upgrade <app>" type instructions? |
php-5.4.40.
Hi,
Quote:
http://fr2.php.net/distributions/php-5.4.40.tar.bz2.asc |
Can we get a more up-to-date list?
|