LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

Thom1b 12-08-2014 11:03 PM

The latest bind versions have been released with security fixes:
http://www.isc.org/blogs/important-s...visory-posted/

You can download it (for slackware-14.1) at:
- ftp://ftp.isc.org/isc/bind9/9.9.6-P1....9.6-P1.tar.gz
- ftp://ftp.isc.org/isc/bind9/9.9.6-P1...-P1.tar.gz.asc

BrZ 12-09-2014 12:49 PM

Here we go...

X.Org Security Advisory: Dec. 9, 2014

Mitigation
==========

While the fixes cover all the cases currently known to X.Org, these are
not the first issues in this area and are unlikely to be the last.

Users can reduce their exposure to issues similar to the ones in this
advisory via these methods:

* Configure the X server to prohibit X connections from the network
by passing the "-nolisten tcp" command line option to the X server.
Many OS distributions already set this option by default, and it
will be set by default in the upstream X.Org release starting with
Xorg 1.17.

* Disable GLX indirect contexts. Some implementations have a
configuration option for this. In Xorg 1.16 or newer, this can
be achieved by setting the '-iglx' X server command line option.
This option will be the default in Xorg 1.17 and later releases.

Consult your operating system's documentation for details on setting X
server command line options, as X servers are started by a variety of
different methods on different platforms (startx, gdm, kdm, xdm, etc.).
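
The two mitigations in the advisory quoted above can be checked against a server's actual command line. The following is an added example, not part of the thread or the advisory: the function names `x_hardening` and `at_least` are made up for illustration, and the `-listen tcp` counterpart flag is not mentioned on this page but is included because newer servers accept it.

```shell
#!/bin/sh
# Added example (not from the thread). x_hardening VERSION ARG...
#   VERSION : X server version, e.g. the number printed by "X -version"
#   ARG...  : the server's command-line arguments
# Prints "tcp=<open|closed> iglx=<enabled|disabled>" and returns 0 only
# when both mitigations from the advisory are in effect.
x_hardening() {
    ver=$1; shift
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}

    # Defaults as stated in the advisory: both mitigations become the
    # default in Xorg 1.17; before that, TCP and indirect GLX are on.
    if at_least 17; then tcp=closed; iglx=disabled
    else tcp=open; iglx=enabled; fi

    prev=
    for arg in "$@"; do
        # Two-word options: look at the previous and current argument.
        case "$prev $arg" in
            "-nolisten tcp") tcp=closed ;;
            "-listen tcp")   tcp=open ;;   # re-enables TCP on newer servers
        esac
        # -iglx/+iglx are only understood by Xorg 1.16 or newer,
        # so they are ignored here for older versions.
        if at_least 16; then
            case "$arg" in
                -iglx) iglx=disabled ;;
                +iglx) iglx=enabled ;;
            esac
        fi
        prev=$arg
    done

    echo "tcp=$tcp iglx=$iglx"
    [ "$tcp" = closed ] && [ "$iglx" = disabled ]
}

at_least() {  # true when the parsed version is >= 1.$1
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge "$1" ]; }
}

# Live check on Linux, with $ver and $pid supplied by the operator:
#   x_hardening "$ver" $(tr '\0' ' ' < /proc/"$pid"/cmdline)
```

A driver-level setting such as the nvidia `AllowIndirectGLXProtocol` option is not visible on the command line, so this check only covers the server flags.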

GazL 12-09-2014 04:08 PM

Quote:

Originally Posted by BrZ (Post 5282058)
* Disable GLX indirect contexts. Some implementations have a
configuration option for this. In Xorg 1.16 or newer, this can
be achieved by setting the '-iglx' X server command line option.
This option will be the default in Xorg 1.17 and later releases.

For the nvidia driver it looks like this is the option:
Code:

# /etc/X11/xorg.conf.d/87-nvidia.conf ##################################

Section "Device"
    Identifier "nvidia"
    Driver "nvidia"
    Option "AllowIndirectGLXProtocol" "false"
EndSection

########################################################################

... though somewhat confusingly, the documentation has two contradictory sections on this.

Quote:

For those who wish to disable the use of indirect GLX protocol on a given
X screen, setting the "AllowIndirectGLXProtocol" to a true value will
cause GLX CreateContext requests with the "direct" parameter set to
"False" to fail with a BadValue error.

and

Quote:

The NVIDIA GLX implementation will prohibit creation of indirect GLX
contexts if the AllowIndirectGLXProtocol option is set to False, or the
-iglx switch was passed to the X server (X.Org server 1.16 or higher), or
the X server defaulted to '-iglx'.

Of the two contradictory statements, the first one sounds like it's wrong (based on the option name).

allend 12-09-2014 04:47 PM

Quote:

Configure the X server to prohibit X connections from the network
by passing the "-nolisten tcp" command line option to the X server.
Many OS distributions already set this option by default, and it
will be set by default in the upstream X.Org release starting with
Xorg 1.17.

http://docs.slackware.com/howtos:sec..._-nolisten_tcp

BrZ 12-09-2014 05:11 PM

@GazL,

I saw it while reading II Appendix B. X Config Options and I'm trying to understand their logic (or lack thereof).

Nvidia also issued an advisory and some driver updates.

xorg-server 1.16.2.901 just came out:
Quote:

This is the first RC for xserver 1.16.3. It includes fixes for today's security advisory, plus an fb fix for X.Org bug#54168, a few fixes for the present extension, and a documentation update for the new -iglx/+iglx command-line flags.
Cheers,
Julien

ttk 12-19-2014 08:26 PM

CVE-2014-9296 is an ntpd vulnerability that impacts all versions prior to 4.2.8:

https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

Thom1b 12-19-2014 10:24 PM

Quote:

Originally Posted by http://php.net/
The PHP development team announces the immediate availability of PHP 5.4.36. Two security-related bugs were fixed in this release, including the fix for CVE-2014-8142. All PHP 5.4 users are encouraged to upgrade to this version.

You can download it at:
http://us.php.net/distributions/php-5.4.36.tar.bz2
http://us.php.net/distributions/php-5.4.36.tar.bz2.asc

Didier Spaier 12-20-2014 12:02 PM

Quote:

Originally Posted by BrZ (Post 5282183)
xorg-server 1.16.2.901 just came out:

And today xorg-server 1.16.3 has been released, which mostly addresses security advisory 2014-12-09. That fixes a bunch of vulnerabilities, including CVE-2014-8092, dating back to September 1987 and introduced in X11R1, long before Linux and Slackware's birth ;)

metaschima 12-22-2014 07:08 PM

Quote:

Originally Posted by ttk (Post 5287843)
CVE-2014-9296 is an ntpd vulnerability that impacts all versions prior to 4.2.8:

I've had quite enough of these major ntpd vulnerabilities, I will keep it disabled until further notice. I have a feeling the protocol itself is outdated. I will use 'ntpd -q' to set the time once in a while and that's it.

ttk 12-22-2014 09:31 PM

Good idea. I've been using rsetdate (which uses the daytime protocol) in /etc/cron.daily since 1998'ish, and never touched it since because it jfw. It might not give me microseconds accuracy, but I don't need that.

Thom1b 01-08-2015 11:38 PM

openssl
 
openssl-1.0.1k and openssl-0.9.8zd have been released with security fixes:
http://openssl.org/news/secadv_20150108.txt

cwizardone 01-09-2015 01:34 PM

Quote:

Originally Posted by Thom1b (Post 5298028)
openssl-1.0.1k and openssl-0.9.8zd have been released with security fixes:
http://openssl.org/news/secadv_20150108.txt

It has been posted to both the stable and -current ChangeLogs,

http://www.slackware.com/changelog/

metaschima 01-13-2015 11:50 AM

This one seems to be a different libelf bug than the previously listed one:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-9447

Thom1b 01-15-2015 10:48 PM

samba-4.1.16
 
Quote:

Samba 4.1.16 and 4.0.24 have been issued as security releases in order
to address CVE-2014-8143 (Elevation of privilege to Active Directory Domain
Controller). For the sake of completeness, Samba 4.2.0rc4 including a fix for
this defect will follow soon, but it won't be a dedicated security release
and will therefore address other bug fixes also.

For more details, please see
http://www.samba.org/samba/history/security.html


o CVE-2014-8143:
Samba's AD DC allows the administrator to delegate
creation of user or computer accounts to specific users or groups.

However, all released versions of Samba's AD DC did not implement the
additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the
userAccountControl attributes.

https://download.samba.org/pub/samba...-4.1.16.tar.gz
https://download.samba.org/pub/samba...4.1.16.tar.asc

number22 01-24-2015 12:57 PM

libpng
gnutls
openssl
flashplayer-plugins

more new updates for them.


All times are GMT -5.