|
(this is not a follow-up to to Dugan/corvid)
Quote:
https://twitter.com/hackerfantastic/...104448/photo/1 (via sid77) http://lists.x.org/archives/xorg-ann...ry/002389.html |
I request the name of this thread be changed to something less likely to drive away Slackware users. These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.
In fact, I don't see why you don't submit these to Pat V. himself, if you believe they are so important. He might not even see them here. |
Quote:
|
Quote:
|
Quote:
Quote:
Quote:
But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker. --mancha |
Have you submitted these to Pat V. ? If not, send him an e-mail.
I'm wondering where the other Slackware devs are, and what their comments on these issues are. I request at least that, otherwise this thread doesn't look right, and I don't like that. Slackware is a great distro and I don't like the image it is getting here in this thread. Maybe that wasn't the original intent, but that's what it is now. |
bind-9.9.4_P2
bind-9.9.4_P2 has been released and is highly recommended to upgrade.
https://kb.isc.org/article/AA-01078 |
Quote:
|
Quote:
Patrick has now released the updates. |
These packages have been updated:
http://www.slackware.com/security/li...ecurity&y=2014 So take them off the list. I also recommend that you post more information about each vulnerability instead of just " CVE-2013-4545 fixed.". Post what the fix does and how severe it is. I'm sure you want something that will benefit Slackware, so putting accurate, detailed information is much less likely to scare off users. At least post a link to the page that describes the problem and fix, and rate its severity. |
Security of your system is your responsibility, not Master Volkerding's. Seasoned systems administrators are current with the entries in https://isc.sans.edu/diary.html, and probably have read at least a few of the security-related white papers at SANs. In fact, there is enough information on that site to become qualified as a security expert, but if that's your goal, sign up for classes at http://www.sans.edu/ Be proactive.
For more in-depth information on CERT advisories, follow the links at: ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt |
Update 20140129
For those wishing to address CVE-2013-6424 & CVE-2013-6425 by re-building xorg-server and pixman, I've placed patches at the vault: Building xorg-server and pixman can get a little hairy so I've also made Slackware 14.1 32-bit and 64-bit packages available:
Finally, I am providing CVE-2013-6425.ods, a LibreOffice spreadsheet proof-of-concept thanks to Ubuntu, which shows the DoS against X. Make sure you've saved everything you're working on before doing this because it'll crash the X server: Code:
$ scalc CVE-2013-6425.ods |
Well, that's more like it. I can see now that you are actually trying to help Slackware users. Providing patches and packages to fix these issues, and even a proof-of-concept is a great thing.
I apologize for doubting your good intentions earlier. May I recommend that you make your intentions more clear in your initial posts by explaining a bit about what you are trying to achieve. Writing a short statement about your concern on outstanding vulnerabilities, links to explanations of the vulnerabilities, saying that you e-mailed Mr. Pat V with them, and saying that you wish to help users resolve these vulnerabilities would do wonders on how people interpret your thread. Like 2 sentences is all it takes, and there won't be any more confusion. Again, I understand now that your intentions are good, but only after this last post. Lastly, just so people don't get me wrong, I would like to say that Slackware is a great distro, the best I've tried. I would like to help it out as much as I can, and I don't like to see its name tarnished. I reacted the way I did, because the intentions of the thread were unclear to me. Maybe they were clear to others. I guess maybe it is because I'm new here, and I don't know exactly how things are done. |
I say let the 'man from Mancha' continue however he sees fit. He's been doing great work around here for a while now which is much appreciated.
|
Er, the sky is not falling, yet.
"Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value." We are already running 0.32.0. The vulnerable version was 0.30.0. BTW, who has the Intel Xorg driver installed? That isn't what Slackware distributed on November 8, 2013. We already have the fixed pixman.h in pixman and xorg. Here's the patch that was applied last October: http://lists.x.org/archives/xorg-dev...er/037996.html https://cve.mitre.org has re-vamped their website. A lot of legacy incidents appear to be new, but upon further investigation, you'll find they were closed last year. Just to be safe, though, I'm keeping my aluminum foil "Tin Woodman" hat within reach. |
| All times are GMT -5. The time now is 06:45 PM. |