Mutt 2.0.5 was released on January 21, 2021. This is a bug-fix release, fixing a few memory leaks, including CVE-2021-3181.
ftp://ftp.mutt.org/pub/mutt/mutt-2.0.5.tar.gz |
CVE-2021-3156 sudo heap buffer overflow
1 Attachment(s)
CVE-2021-3156
Heap buffer overflow affecting sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Patch is here. Additional note: Conditional check of libpam symbolic link in sudo.Slackbuild fails on Slackware64 because LIBDIRSUFFIX is not defined in the arch detection stanza like it usually is. |
Fixed in -current (and 14.0, 14.1, 14.2).
|
Recently several dnsmasq vulnerabilities were reported. Version 2.78 in 14.2 is affected.
|
CVE-2021-21148 affects Google Chrome/Chromium-based browsers
Upgrade to Chromium 88.0.4324.150 or later. https://chromereleases.googleblog.co...desktop_4.html |
GNU Screen up to and including version 4.8.0 is vulnerable to CVE-2021-26937
https://www.linuxquestions.org/quest...ty-4175690257/ https://cve.mitre.org/cgi-bin/cvenam...CVE-2021-26937 A patch is available here: https://salsa.debian.org/debian/scre...21-26937.patch The patch seems to apply cleanly on 4.8.0 running Slackware-current as far as I can tell. |
OpenSSL 1.1.1j
Upgraded in -current according to the latest ChangeLogs: Quote:
|
python 3.x through 3.9.1 are vulnerable to CVE-2021-3117
https://cve.mitre.org/cgi-bin/cvenam...=CVE-2021-3177 Not aware of any patch yet. |
Quote:
https://github.com/python/cpython/co...1353ecc3.patch |
Bind-9.10.12 affected by a serious bug according to this: http://wiki.linuxfromscratch.org/blfs/ticket/14683
it's advised to downgrade to bind-9.10.11 + a sed patch. |
Kinda "nice" thread, but perhaps unstick it and create [Slackware security] vulnerabilities outstanding 20210301 ?
Or whatever month/day we go beyond Slackware 15 beta... |
Thunderbird 78.8.0 fixes the following security vulnerabilities:
https://www.mozilla.org/en-US/securi...s/mfsa2021-09/ Edit: Available in -current according to the latest ChangeLogs. Quote:
|
duplicate post.
|
GRUB: 117 security patches at once.
Daniel Kiper just released no less than 117 patches to fix vulnerabilities in GRUB.
I have pulled from git master and built a new GRUB package for Slint that I will upload today. I suggest to do the same for Slackware. |
Quote:
GRUB 2.04 has quite a few issues (e.g. the BootHole vulnerability) and version 2.06 is still pending. |
Quote:
Quote:
I am testing my new packages and for some reason grub-mkconfig doesn't create the boot entries expected from os-prober. Investigating. Of course I won't ship this package as-is. |
Quote:
PS reported on the grub-devel mailing list. |
Quote:
|
Quote:
|
git 2.30.2 due to this report
|
Security flaws in -stable (14.2) kernel before version 4.4.260:
https://linux.slashdot.org/story/21/...oot-privileges https://www.scmagazine.com/home/secu...-to-attackers/ https://blog.grimm-co.com/2021/03/ne...ux-kernel.html Edit: New kernel packages are available according to the latest ChangeLogs: Quote:
|
XTerm
I ran across nvd.nist.gov - CVE-2021-27135, looks like it is specific to 14.2 and earlier. From what I read, the version on current is fine.
So I took the xterm source and build from Current slackware.osuosl.org xterm-366 and compiled and installed it on 14.2. So far so good. But if you have custom fonts in ~/.Xdefaults you may need to adjust them. |
CVE-2019-17498 libssh2 SSH_MSG_DISCONNECT
This is a bit of an oldie. It's mostly applicable to docker and flatpak: CVE-2019-17498
Quote:
This will mostly likely be fixed when upstream releases 1.9.1 because the patch comes from the main branch on github, but I'm submitting this for Pat's consideration in the meantime. Code:
--- libssh2.SlackBuild.orig 2021-03-21 12:10:41.579936398 +0200 |
Linux kernel LTS versions prior to 5.10.29, 5.4.111, 4.19.186, 4.14.230, 4.9.266, and 4.4.266 are vulnerable to CVE-2021-29154
https://www.openwall.com/lists/oss-s...y/2021/04/08/1 |
Please ignore.
|
Thought this would be as good a place as any to post this, :)
Quote:
|
Does Slackware have any mitigations against Row Hammer attacks? Can enough sram be clustered together to use instead of dram (if one could afford it)?
|
Intel Processor Microcode Update (MCU) -> microcode-20210608 Release
https://github.com/intel/Intel-Linux...ode-Data-Files https://github.com/intel/Intel-Linux...releasenote.md |
Critical vulnerability in the Linux kernel:
https://cve.mitre.org/cgi-bin/cvenam...CVE-2021-33909 |
Slackware64-current is safe (kernel 5.13.4).
|
Quote:
|
Quote:
Quote:
For 64-bit the change log can be found here, http://www.slackware.com/changelog/s...php?cpu=x86_64 I highlighted the CVE number. |
I missed that. Sorry and thanks.
|
Linux glibc security fix created a nastier Linux bug
https://www.zdnet.com/article/linux-...ier-linux-bug/ Quote:
Sat Aug 7 19:04:04 UTC 2021 Quote:
|
Security fixes in Firefox & Thunderbird 91.0.1
https://slackware.osuosl.org/slackwa.../ChangeLog.txt Quote:
|
According to this page openssl.org/news/vulnerabilities-1.0.2.html openssl 1.0.2, while out of support since end of 2019 still have few vulnerabilities not fixed in Slackware 14.2's openssl package. [edited because first post]
|
According to BLFS MIT krb5-1.19.2 is affected by a denial-of-service security vulnerability, follow link:
https://www.linuxfromscratch.org/blf...fs/mitkrb.html , it needs: ------------------------- sed -i '210a if (sprinc == NULL) {\ status = "NULL_SERVER";\ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;\ goto cleanup;\ }' src/kdc/do_tgs_req.c ------------------------- |
critical bug discovered in the kernel (from 5.10 to 5.15): https://threatpost.com/critical-linu...el-bug/176000/
With patch : https://github.com/torvalds/linux/co...799f76c88f7bb0 |
Quote:
Yes, it is a potentially serious bug, but how many people are using Linux clusters? |
Quote:
This is a typical bug severity classification : - critical - high-severity - medium-severity - low-severity |
Quote:
|
Quote:
|
It's this one.
|
OK - Got it. Thanks for noting it has been fixed.
I still question the severity. In my experience, people using distributed systems just want to get on with their work, rather than playing bad actor. |
Xorg has a bunch of new CVE's, Fixes are pending in X.Org Server Git.
https://www.phoronix.com/scan.php?pa...-December-2021 |
According to BLFS wpa_supplicant is affected by some CVE's vulnerabilities (normal in the classification of CVE's), follow link :
https://wiki.linuxfromscratch.org/blfs/ticket/15851 with 2 commits to solve the problems: https://w1.fi/cgit/hostap/commit/?id...72693cd7e96f15 and https://w1.fi/cgit/hostap/commit/wpa...dbc0cbeabb8b55 |
cryptsetup 2.4.3 and 2.3.7 (CVE-2021-4122 fix)
As just announced by Milan Broz on the dm-crypt mailing list in three emails:
Code:
The cryptsetup 2.4.3 stable release is available at Code:
The cryptsetup 2.3.7 stable release is available at Code:
Just note - for 2.2.x version (no longer supported, there will be no release) backport |
wpa_supplicant
https://www.cvedetails.com/cve/CVE-2022-23303/ https://www.cvedetails.com/cve/CVE-2022-23304/ Code:
The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable https://w1.fi/security/2022-1/ v2.10 https://w1.fi/cgit/hostap/snapshot/h...ap_2_10.tar.gz |
buffer overflow in kernel, up to 5.16.1 included
https://seclists.org/oss-sec/2022/q1/55
CVE-2022-0185 -- Heap-based buffer overflow in kernel fs/fs_context Severity is high according to redhat https://bugzilla.redhat.com/show_bug.cgi?id=2040358 It seems to be fixed in kernel 5.16.2 commit 8b1530a3772ae5b49c6d8d171fd3146bb947430f Author: Jamie Hill-Daniel <jamie@hill-daniel.co.uk> Date: Tue Jan 18 08:06:04 2022 +0100 |
All times are GMT -5. The time now is 06:04 PM. |