LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

BenCollver 06-06-2014 07:10 AM

Linux kernel exploit CVE-2014-3153
 
http://seclists.org/oss-sec/2014/q2/467

GazL 06-06-2014 11:00 AM

Cheers Ben.

Looks like Greg K-H will be throwing out some new stable kernels tonight/tomorrow, just checked the stable patches and the two 'futex' related patches are in the list for 3.10.42. Guess I know what I'll be doing tomorrow.

metaschima 06-06-2014 11:04 AM

Quote:

Originally Posted by jprzybylski (Post 5183327)
I personally doubt that OpenBSD will crowdfund LibreSSL - they seem to prefer foundations.

Incidentally, the OpenBSD Foundation officially supports LibreSSL, and there is a fundraising campaign every year. (Campaign 2014 has met its goal, but that doesn't stop anybody from donating!)

That's good, maybe they'll have enough. I was just thinking that libressl would appeal to much more than just OpenBSD users, especially with recent news.

GazL 06-07-2014 02:57 AM

If you're interested in the whole openssl/libressl thing, this LibreSSL presentation by Bob Beck recorded at Calgary UNIX User Group (youtube) might be of interest. It's quite long, but I found it entertaining and informative.

eloi 06-07-2014 04:14 AM

Quote:

Originally Posted by GazL (Post 5182207)
This thread is getting a little long and confusing now,

The problem is that a forum is not the suitable tool/place/audience for this. For decades there has existed a proven better, easier, more convenient way, and as far as I know it's neither broken nor obsolete. It doesn't need a fix. But perhaps it isn't *modern* enough (Luddite) for some people here: plain text on a mailing list.

For example, the slackware-security mailing list is abandoned and has a lot of HTML-formatted messages.

ponce 06-07-2014 04:21 AM

Quote:

Originally Posted by eloi (Post 5183970)
slackware-security mailing list is abandoned

Why are you saying this? I received this just a few hours ago (I cut only the top headers).
Code:

Date: Fri, 6 Jun 2014 21:03:06 -0700 (PDT)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security]  mozilla-firefox (SSA:2014-157-01)
Message-ID: <alpine.LNX.2.02.1406062102480.21729@connie.slackware.com>
User-Agent: Alpine 2.02 (LNX 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-slackware-security@slackware.com
Reply-To: Slackware Security Team <security@slackware.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mozilla-firefox (SSA:2014-157-01)

New mozilla-firefox packages are available for Slackware 14.1 to fix
security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mozilla-firefox-24.6.0esr-x86_64-1_slack14.1.txz


MD5 signatures:
+-------------+

Slackware 14.1 package:
9ba04aa0691c3b6f26580dcfdd6d3763  mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
f223ca0a93a62b843552a41e30d2c1d4  mozilla-firefox-24.6.0esr-x86_64-1_slack14.1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                    |
|                                                                        |
|  unsubscribe slackware-security                                      |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlOSjyEACgkQakRjwEAQIjNxKACdElTd0R2MCu6RDcGAuazIitwy
HpUAoIWe3w2Z7Y6FdJd/84TwyOtPKjVm
=dcdB
-----END PGP SIGNATURE-----


eloi 06-07-2014 04:28 AM

Quote:

Originally Posted by ponce (Post 5183972)
Why are you saying this? I received this just a few hours ago (I just cut the top headers)

OK. I checked it using Pan via gmane and the last message is from 2013. Probably a gmane server sync issue. Thanks for the clarification.


Walter

ponce 06-07-2014 04:31 AM

np: just FYI I received 41 (plain-text) messages from it in 2014, see http://www.slackware.com/lists/archi...ecurity&y=2014

eloi 06-07-2014 04:52 AM

Quote:

Originally Posted by ponce (Post 5183979)
np: just FYI I received 41 (plain-text) messages from it in 2014, see http://www.slackware.com/lists/archi...ecurity&y=2014

My mistake about the particular case of slackware-security was because I usually check the lists I'm not associated with via news.gmane.org. It's not the first time this has happened, surely a gmane issue. Thanks again for your info.

The aim of my post is to point out that, in general terms, Slackware mailing lists are a bit abandoned in favor of using this forum for bug reports.

GazL 06-07-2014 05:36 AM

This thread is not a replacement for the slackware security mailing list, it's an additional source of information for those of us who want to go above and beyond what Pat/Slackware provide. The forum is perfect for listing and discussing new vulnerabilities as and when they occur. What is lacking is an overview summary of the current state of play, i.e. things Pat is either: still to patch, has chosen not to patch, or has just plain missed.

eloi 06-07-2014 06:43 AM

Quote:

Originally Posted by GazL (Post 5183995)
This thread is not a replacement for the slackware security mailing list, it's an additional source of information for those of us who want to go above and beyond what Pat/Slackware provide. The forum is perfect for listing and discussing new vulnerabilities as and when they occur. What is lacking is an overview summary of the current state of play, i.e. things Pat is either: still to patch, has chosen not to patch, or has just plain missed.

Last attempt sub-quoting myself.

slackware-security is not for discussion; it is for reporting security messages to users.

I avoided mentioning a "develop" mailing list, knowing the Slackware "particular" way. But traditionally FOSS projects have had a mailing list for security reports, another for bug reports, another for discussion... Why you think a forum could be a "perfect" replacement for that traditional way I can't even guess. But let's let this die here so as not to extend the OT.

Didier Spaier 06-07-2014 06:48 AM

A more sophisticated bug tracking system would need relevant infrastructure and maintenance. Till someone provides that, let's continue to read the mailing lists, post our questions, requests, thoughts and information in this forum.

eloi 06-07-2014 07:03 AM

Quote:

Originally Posted by Didier Spaier (Post 5184010)
A more sophisticated bug tracking system would need relevant infrastructure and maintenance. Till someone provides that, let's continue to read the mailing lists, post our questions, requests, thoughts and information in this forum.

And sub-quoting myself again.

Taking into account the Slackware development modus operandi, a bug tracking system (already invented) is of no use. Mailing list servers are already provided and ready to use for the rest of the functionality. Whoever thinks a forum is better for that does not know how to use mailing lists. Forums were adopted by users for the same reason all *reinventing the wheel new stuff* is adopted (i.e. systemd): ignorance and laziness.

Didier Spaier 06-07-2014 07:07 AM

Quote:

Originally Posted by eloi (Post 5184017)
Mailing list servers are already provided and ready to use for the rest of the functionality.

You are free to take the initiative and run these mailing lists.

eloi 06-07-2014 07:09 AM

Quote:

Originally Posted by Didier Spaier (Post 5184018)
Then launch one and run it.

They are running, not by me, but they are.

(Well, I see I got your post right before you masked your "shut up" with the "freedom" softening :)).


All times are GMT -5.