LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

Didier Spaier 01-28-2015 09:39 PM

And just subscribe to the slackware-security mailing list; you will receive all the needed information in a timely manner for each security fix: availability of the packages, details of the ChangeLog, where to find the packages for all versions concerned, md5 signatures and installation instructions.

enine 01-29-2015 07:00 AM

What are your thoughts on the Samba patch? I'm using Samba for the couple of Windows boxes used by the family, but not running as a DC. I can't upgrade Samba as it breaks my ownCloud client.

kenw232 01-29-2015 01:04 PM

Is the only thing required to fix GHOST to upgrade glibc? Just this then - glibc-2.17-x86_64-10_slack14.1.txz?

blizzack 01-29-2015 01:57 PM

Quote:

Originally Posted by kenw232 (Post 5308448)
Is the only thing required to fix GHOST to upgrade glibc? Just this then - glibc-2.17-x86_64-10_slack14.1.txz?

Almost!
If x86_64 is your arch, then you'll want the following 5 files:
- glibc-2.17-x86_64-10_slack14.1.txz
- glibc-i18n-2.17-x86_64-10_slack14.1.txz
- glibc-profile-2.17-x86_64-10_slack14.1.txz
- glibc-solibs-2.17-x86_64-10_slack14.1.txz
- glibc-zoneinfo-2014j-noarch-1.txz

blizzack 01-29-2015 02:03 PM

multilib fix to ghost
 
If you're using a multilib setup, you'll still need patches for that as well.

Can anyone else confirm?
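As an added example that is not from the thread: a Python check that compares the package names in /var/log/packages against the five x86_64 builds listed above (non-multilib; the multilib packages mentioned are not covered). The sample list used for testing is constructed, and the version/build comparison is an assumption about how Slackware build tags are numbered.

```python
import os
import re

# Package builds that close GHOST (CVE-2015-0235) on a non-multilib Slackware 14.1 x86_64,
# as listed in the thread: name -> (version, build).
REQUIRED = {
    'glibc':          ('2.17',  '10_slack14.1'),
    'glibc-i18n':     ('2.17',  '10_slack14.1'),
    'glibc-profile':  ('2.17',  '10_slack14.1'),
    'glibc-solibs':   ('2.17',  '10_slack14.1'),
    'glibc-zoneinfo': ('2014j', '1'),
}

def split_pkg(pkg):
    """Split a Slackware package name 'name-version-arch-build[.txz]' into its four parts.
    Only the last three dashes separate fields, because the name itself may contain dashes."""
    pkg = re.sub(r'\.t[gxbl]z$', '', pkg)
    parts = pkg.rsplit('-', 3)
    if len(parts) != 4:
        raise ValueError('not a Slackware package name: ' + pkg)
    return tuple(parts)

def build_number(build):
    """Leading integer of a build tag: '10_slack14.1' -> 10 (assumed numbering scheme)."""
    return int(re.match(r'\d+', build).group())

def ghost_status(installed):
    """installed: package names as listed in /var/log/packages (constructed or real).
    Returns {required name: 'ok' | 'missing' | 'outdated (...)' | 'unexpected version ...'}."""
    have = {}
    for pkg in installed:
        name, version, arch, build = split_pkg(pkg)
        if name in REQUIRED:
            have[name] = (version, build)
    status = {}
    for name, (req_ver, req_build) in REQUIRED.items():
        if name not in have:
            status[name] = 'missing'
        elif have[name][0] != req_ver:
            status[name] = 'unexpected version %s (check the ChangeLog)' % have[name][0]
        elif build_number(have[name][1]) < build_number(req_build):
            status[name] = 'outdated (have build %s, need %s)' % (have[name][1], req_build)
        else:
            status[name] = 'ok'
    return status

if __name__ == '__main__':
    for name, state in sorted(ghost_status(os.listdir('/var/log/packages')).items()):
        print('%-16s %s' % (name, state))
```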

kenw232 01-29-2015 03:08 PM

How about recompiling some of my stuff? Bind, Apache, etc. They're ok? How do I check if named is statically linked or dynamically linked against glibc? Is it possible to statically link against glibc?

j_v 01-29-2015 04:07 PM

On my installation of 14.1, named and apache are both dynamically linked, which is the default for much of the installation. You can use the readelf utility to find out what libraries an elf binary is dynamically linked against:
Code:

readelf -d /usr/sbin/named
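An added example, not from the thread: a small Python reader that reports the same NEEDED entries `readelf -d` shows, using only the ELF program headers, so it answers "static or dynamic?" for any binary even on a host without binutils. It handles little-endian ELF64 (x86_64) and ELF32 (multilib 32-bit) files; an executable with no PT_DYNAMIC segment is statically linked. The default path /usr/sbin/named is taken from the question above.

```python
import struct, sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def parse_needed(data):
    """DT_NEEDED library names of a little-endian ELF image (bytes); [] means no PT_DYNAMIC, i.e. static."""
    if data[:4] != b'\x7fELF' or data[5] != 1:
        raise ValueError('not a little-endian ELF file')
    if data[4] == 2:                                   # ELFCLASS64 (x86_64)
        e_phoff, = struct.unpack_from('<Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
        ph_fmt, dyn_fmt = '<IIQQQQQQ', '<qQ'
        pick = lambda f: (f[0], f[2], f[3], f[5])      # p_type, p_offset, p_vaddr, p_filesz
    elif data[4] == 1:                                 # ELFCLASS32 (i486 / multilib 32-bit)
        e_phoff, = struct.unpack_from('<I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from('<HH', data, 42)
        ph_fmt, dyn_fmt = '<IIIIIIII', '<iI'
        pick = lambda f: (f[0], f[1], f[2], f[4])
    else:
        raise ValueError('unknown ELF class')
    loads, dyn = [], None
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, p_filesz = pick(struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize))
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:                                    # nothing for ld.so to resolve: statically linked
        return []
    entries = []
    for pos in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    # DT_STRTAB is a virtual address; map it to a file offset through the PT_LOAD segment that holds it
    strtab_vaddr = next(v for t, v in entries if t == DT_STRTAB)
    strtab_off = next(strtab_vaddr - va + off for va, off, sz in loads if va <= strtab_vaddr < va + sz)
    return [data[strtab_off + v:data.index(b'\0', strtab_off + v)].decode()
            for t, v in entries if t == DT_NEEDED]

def needed_libs(path):
    with open(path, 'rb') as f:
        return parse_needed(f.read())

if __name__ == '__main__':
    for path in sys.argv[1:] or ['/usr/sbin/named']:
        print(path + ':', ', '.join(needed_libs(path)) or 'statically linked (no PT_DYNAMIC)')
```

Any binary whose list contains libc.so.6 picks up the GHOST fix as soon as the patched glibc-solibs package is installed and the process is restarted; only a statically linked binary would need a rebuild.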

j_v 02-13-2015 10:25 PM

Quote:

Originally Posted by mancha (Post 5307499)
Update 20150127

glibc (multiple issues)
  1. The wordexp function in glibc before 2.21 can ignore WRDE_NOCMD under certain input conditions resulting in the execution of a shell
    for command substitution when the application did not request it. This can be exploited by context-dependent attackers to execute
    arbitrary code (CVE-2014-7817)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-7817.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-7817.diff

  2. The getnetbyname function in glibc before 2.21 can enter an infinite loop if the DNS back-end is activated in the system Name Service
    Switch configuration, and the DNS resolver receives a positive answer while processing the network name. This can be exploited by
    context-dependent attackers to cause a denial of service. (CVE-2014-9402)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-9402.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-9402.diff

  3. A buffer overflow was discovered in __nss_hostname_digits_dots() in glibc prior to 2.18 that can be exploited locally and remotely via
    the gethostbyname* functions. (CVE-2015-0235 aka GHOST)

    Note: You can test vulnerability with CVE-2015-0235-test.c

    Solution
    Slackware 14.1: Apply glibc-2.17_CVE-2015-0235.diff
    Slackware-current: Not vulnerable

--mancha

Any idea about the other two CVEs, 2014-7817 and 2014-9402? Were they deemed low priority? I patched for them as well, so I'm not worried; just curious.

mancha 02-13-2015 10:59 PM

Quote:

Originally Posted by j_v (Post 5316878)
Any idea about the other two CVEs, 2014-7817 and 2014-9402? Were they deemed low priority? I patched for them as well, so I'm not worried; just curious.

I don't know why they've not been patched in Slackware (which is what you're asking). But, CVE-2015-0235 does appear to be more
severe (at least as far as we know) because of the potential for arbitrary code exec and the identification of at least one remote vector.

--mancha

j_v 02-14-2015 08:27 AM

OK. Thanks for your reply. And thank you very much for all your efforts. I very much appreciate your work with Slackware security issues.

Thom1b 02-24-2015 12:41 AM

samba
 
Quote:

Samba 4.1.17, 4.0.25 and 3.6.25 have been issued as security releases in order
to address CVE-2015-0240 (Unexpected code execution in smbd.). For the sake of
completeness, Samba 4.2.0rc5 including a fix for this defect will follow soon,
but it won't be a dedicated security release and will therefore address other
bug fixes also.

o CVE-2015-0240:
All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
unexpected code execution vulnerability in the smbd file server
daemon.

A malicious client could send packets that may set up the stack in
such a way that the freeing of memory in a subsequent anonymous
netlogon packet could allow execution of arbitrary code. This code
would execute with root privileges.
https://download.samba.org/pub/samba...-4.1.17.tar.gz
https://download.samba.org/pub/samba...4.1.17.tar.asc

Thom1b 02-25-2015 09:56 PM

bind
 
Quote:

Release Notes for BIND Version 9.9.7

Security Fixes

* On servers configured to perform DNSSEC validation using managed
trust anchors (i.e., keys configured explicitly via managed-keys,
or implicitly via dnssec-validation auto; or dnssec-lookaside
auto;), revoking a trust anchor and sending a new untrusted
replacement could cause named to crash with an assertion failure.
This could occur in the event of a botched key rollover, or
potentially as a result of a deliberate attack if the attacker was
in position to monitor the victim's DNS traffic.
This flaw was discovered by Jan-Piet Mens, and is disclosed in
CVE-2015-1349. [RT #38344]
* A flaw in delegation handling could be exploited to put named into
an infinite loop, in which each lookup of a name server triggered
additional lookups of more name servers. This has been addressed by
placing limits on the number of levels of recursion named will
allow (default 7), and on the number of queries that it will send
before terminating a recursive query (default 50).
The recursion depth limit is configured via the max-recursion-depth
option, and the query limit via the max-recursion-queries option.
The flaw was discovered by Florian Maury of ANSSI, and is disclosed
in CVE-2014-8500. [RT #37580]
ftp://ftp.isc.org/isc/bind9/9.9.7/bind-9.9.7.tar.gz
ftp://ftp.isc.org/isc/bind9/9.9.7/bind-9.9.7.tar.gz.asc

hendrickxm 02-26-2015 03:19 PM

I am running glibc 2.19 on one of my machines. What backported patches and in which order should I apply them to issue all security issues?
Sorry again, found this:
- glibc 2.19
Code:

  # 2014-05:  We'll try building with the stock asm..
  ## Avoid the Intel optimized asm routines for now because they break
  ## the flash player.  We'll phase this in when it's safer to do so.
  #zcat $CWD/glibc.disable.broken.optimized.memcpy.diff.gz | patch -p1 --verbose || exit 1
  # Security patches:
  patch -p1 --verbose < $CWD/glibc-2.19_CVE-2014-4043.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.19_CVE-2014-0475.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.19_CVE-2014-5119.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.19_CVE-2014-6040.diff || exit 1
  patch -p1 --verbose < $CWD/glibc-2.19_hardening.diff || exit 1

}

Adding CVE 2014-7817, CVE 2014-9402 and CVE 2015-0235 should do the job, I guess.

mancha 03-02-2015 03:41 AM

Update 20150302
  1. GnuPG

    A new side-channel attack, that extracts GnuPG private key material in a few seconds using simple consumer-grade radio equipment
    at a distance of 50cm, was recently disclosed. The attack's creators say the needed attack materials can be easily concealed in a
    pita bread. So, if you've recently been GPG'ing around any suspicious-looking gyros, I recommend re-keying. Read more about it
    here. (CVE-2014-3591)

    In addition to fixing the above, the new releases (below) fix data-dependent timing variations in modular exponentiation (cf. attack
    abstract). (CVE-2015-0837)

    Solutions:
    Upgrade to GnuPG 1.4.19 (sig)
    Upgrade to Libgcrypt 1.6.3 (sig) [for GnuPG 2]

    Note: If your GnuPG 2 is currently built against Libgcrypt 1.5.x, you'll need to re-build GnuPG 2 after upgrading Libgcrypt.
--mancha

mancha 03-18-2015 02:58 PM

20150318
  1. libXfont

    Three BFD font parsing vulnerabilities in libXfont were recently disclosed. The most likely attack vector is local users executing arbitrary
    code with the privileges of the X server (which in Slackware's case is root).

    • OOB write due to under-allocated buffer (CVE-2015-1802)
    • Read from invalid pointers caused by failed BFD parsing (CVE-2015-1803)
    • OOB memory access due to integer overflows (CVE-2015-1804)

    Solution for Slackware 14.1/current: Upgrade to libXfont 1.4.9 (sig)
--mancha

