LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

willysr 01-25-2015 08:58 AM

Flashplayer is handled by Robby in SBo

cwizardone 01-25-2015 09:16 AM

OpenSSL 1.0.2, a major release, is now available.

https://www.openssl.org/


Change log can be found here,

https://github.com/openssl/openssl/b...stable/CHANGES

metaschima 01-27-2015 12:25 PM

GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems
http://threatpost.com/ghost-glibc-re...systems/110679

ttk 01-27-2015 12:37 PM

CVE-2015-0235 is a glibc vulnerability, fixed in 2.18 (so -current shouldn't be vulnerable) but I'm not sure if the fix was applied to older Slackware releases (13.1, 14.0, 14.1). It wasn't recognized as a vulnerability until recently.

ETA: http://ma.ttias.be/critical-glibc-up...tbyname-calls/

ETA: Skywise in ##slackware tells me Slackware releases up to 14.1 have been tested and are indeed vulnerable.

mancha 01-27-2015 05:42 PM

Update 20150127

glibc (multiple issues)
  1. The wordexp function in glibc before 2.21 can ignore WRDE_NOCMD under certain input conditions resulting in the execution of a shell
    for command substitution when the application did not request it. This can be exploited by context-dependent attackers to execute
    arbitrary code (CVE-2014-7817)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-7817.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-7817.diff

  2. The getnetbyname function in glibc before 2.21 can enter an infinite loop if the DNS back-end is activated in the system Name Service
    Switch configuration, and the DNS resolver receives a positive answer while processing the network name. This can be exploited by
    context-dependent attackers to cause a denial of service. (CVE-2014-9402)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-9402.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-9402.diff

  3. A buffer overflow was discovered in __nss_hostname_digits_dots() in glibc prior to 2.18 that can be exploited locally and remotely via
    the gethostbyname* functions. (CVE-2015-0235 aka GHOST)

    Note: You can test vulnerability with CVE-2015-0235-test.c

    Solution
    Slackware 14.1: Apply glibc-2.17_CVE-2015-0235.diff
    Slackware-current: Not vulnerable

--mancha

Mark Pettit 01-28-2015 04:13 AM

Quote:

Originally Posted by mancha (Post 5307499)
Update 20150127

glibc (multiple issues)
A buffer overflow was discovered in __nss_hostname_digits_dots() in glibc prior to 2.18 that can be exploited locally and remotely via the gethostbyname* functions. (CVE-2015-0235 aka GHOST)
Note: You can test vulnerability with CVE-2015-0235-test.c
Solution
Slackware 14.1: Apply glibc-2.17_CVE-2015-0235.diff
Slackware-current: Not vulnerable
--mancha

I trust we'll see some sort of actual slackware update soon? Fixing a glibc issue from a diff patch above is probably beyond most people (myself included).

GazL 01-28-2015 05:33 AM

Quote:

Originally Posted by Mark Pettit (Post 5307657)
I trust we'll see some sort of actual slackware update soon? Fixing a glibc issue from a diff patch above is probably beyond most people (myself included).

Not necessarily. Brad Spender's comment on lwn is interesting. He seems to be suggesting that this isn't nearly as "highly critical" as is being made out. Of course, that doesn't mean that someone isn't going to find something that is using it in such a way as to be exploitable at some point. Be interesting to see which way Pat jumps on this one.

metaschima 01-28-2015 10:36 AM

Remote code execution is a critical vulnerability, so it should be updated.

Angelo 01-28-2015 01:38 PM

Quote:

Originally Posted by GazL (Post 5307689)
Not necessarily. Brad Spender's comment on lwn is interesting. He seems to be suggesting that this isn't nearly as "highly critical" as is being made out. Of course, that doesn't mean that someone isn't going to find something that is using it in such a way as to be exploitable at some point. Be interesting to see which way Pat jumps on this one.

http://seclists.org/oss-sec/2015/q1/283

I'm not losing any sleep over this.

Didier Spaier 01-28-2015 04:02 PM

Stable Changelog for x86 (32-bit) + Attn. Slint users
 
Code:

Wed Jan 28 19:23:00 UTC 2015
patches/packages/glibc-2.17-i486-10_slack14.1.txz:  Rebuilt.
      This update patches a security issue __nss_hostname_digits_dots() function
      of glibc which may be triggered through the gethostbyname*() set of
      functions.  This flaw could allow local or remote attackers to take control
      of a machine running a vulnerable version of glibc.  Thanks to Qualys for
      discovering this issue (also known as the GHOST vulnerability.)
      For more information, see:
      https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
      (* Security fix *)
patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-zoneinfo-2014j-noarch-1.txz:  Upgraded.
      Upgraded to tzcode2014j and tzdata2014j.
+--------------------------+

Thanks Patrick.

PS Attn. Slint users:

After upgrade of glibc-* you'll lose the internationalization of timeconfig.

To get it back, reinstall a Slint package for your Slackware version after upgrade of glibc-*:
Code:

upgradepkg --reinstall --install-new slint-<version>-noarch-20141218.txz

Caveat emptor: then you will lose the last updates of tzcode and tzdata. I'll provide updated Slint packages including them in the coming days and announce their availability in the Slint thread.

EDIT: the updated Slint packages are now available, see this post for instructions.

kenw232 01-28-2015 05:54 PM

How is ghost handled on x64? Are those packages coming shortly?

Didier Spaier 01-28-2015 05:58 PM

Quote:

Originally Posted by kenw232 (Post 5308000)
How is ghost handled on x64? Are those packages coming shortly?

http://www.slackware.com/changelog/s...php?cpu=x86_64

The mail from the Slackware-security mailing list has been sent and the packages are available on the main server.

kenw232 01-28-2015 06:19 PM

This is the correct URL to the new packages, correct?

http://mirrors.slackware.com/slackwa...ches/packages/

It's just "glibc-2.17-x86_64-10_slack14.1.txt" does not say the "This update patches a security issue __nss_hostname_digits_dots() function"...

j_v 01-28-2015 07:41 PM

Quote:

Originally Posted by kenw232 (Post 5308008)
This is the correct URL to the new packages, correct?

http://mirrors.slackware.com/slackwa...ches/packages/

It's just "glibc-2.17-x86_64-10_slack14.1.txt" does not say the "This update patches a security issue __nss_hostname_digits_dots() function"...

If you use slackpkg for updates, then the correct package(s) will be upgraded. If you are curious about the update info, you could read the ChangeLog.txt at the top of the release directory. That will be more informative about what the update concerns and likely what you are looking for.
http://mirrors.kernel.org/slackware/.../ChangeLog.txt
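
An added example, not part of any post in this thread: a POSIX shell check that classifies glibc package names for CVE-2015-0235 using the facts given above (fixed upstream in 2.18; the Slackware 14.1 fix shipped as glibc-2.17 build 10). The function names and status words are hypothetical, the `-7` and `2.20` sample names are constructed, and treating x86_64 the same as the quoted i486 ChangeLog entry is an assumption.

```shell
#!/bin/sh
# Classify Slackware glibc packages for CVE-2015-0235 (GHOST). Added example.
# Package names are name-version-arch-build[tag], parsed from the right.

ghost_status() {
    pkg=${1##*/}                      # drop any directory part
    pkg=${pkg%.t?z}                   # drop .txz/.tgz if given a package file
    build_tag=${pkg##*-}              # e.g. 10_slack14.1
    rest=${pkg%-*}; rest=${rest%-*}   # drop the build and arch fields
    version=${rest##*-}               # e.g. 2.17
    name=${rest%-*}                   # e.g. glibc or glibc-solibs

    # Assumption: only these two packages install the libc shared objects.
    case $name in glibc|glibc-solibs) ;; *) echo skip; return 0 ;; esac

    build=${build_tag%%[!0-9]*}       # leading digits of the build field
    tag=${build_tag#"$build"}         # e.g. _slack14.1
    major=${version%%.*}
    minor=${version#*.}; minor=${minor%%.*}
    case "$major:$minor:$build" in
        *[!0-9:]*|:*|*::*|*:) echo unknown; return 0 ;;
    esac

    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo not-vulnerable           # upstream fix is in 2.18
    elif [ "$version" != 2.17 ]; then
        echo check-changelog          # patched build number not given in the thread
    elif [ "$tag" = _slack14.1 ] && [ "$build" -ge 10 ]; then
        echo patched                  # the rebuilt package from the ChangeLog
    else
        echo vulnerable               # glibc 2.17 without the rebuild
    fi
}

# Report on every glibc package recorded in the package database.
scan_installed() {
    dir=${1:-/var/log/packages}       # Slackware 14.1 package database
    for f in "$dir"/glibc-*; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(ghost_status "$f")"
    done
}

# Two names from the thread, then two constructed ones.
for p in glibc-2.17-i486-10_slack14.1.txz glibc-2.17-x86_64-10_slack14.1 \
         glibc-2.17-x86_64-7 glibc-2.20-x86_64-2; do
    printf '%-36s %s\n' "$p" "$(ghost_status "$p")"
done
scan_installed
```

A `check-changelog` result means the installed version predates 2.18 and the thread does not state which build carries the fix for that release, so the ChangeLog.txt for that release is the reference.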

kenw232 01-28-2015 07:54 PM

Sounds good, thank you for your timely post.


All times are GMT -5.