LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 07-02-2015 10:31 PM

Update 20150702 UTC

  1. Mozilla

    Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
    CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
    and, when applicable, in Thunderbird 38.1.

    Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

    Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
    (CVE-2015-4000).

  2. PHP

    PHP 5.4.42 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
    in escapeshellarg (CVE-2015-4642); segfault in php_pgsql_meta_data (CVE-2015-4644); as well as three security
    issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).

    PHP 5.6.10 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
    in escapeshellarg (CVE-2015-4642); several issues in bundled pcrelib (CVE-2015-2325, CVE-2015-2326); as well as
    three security issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).

    Recommendation: Slackware 14.1 users upgrade to PHP 5.4.42 / Slackware-current users upgrade to PHP 5.6.10.

  3. curl

    A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can wrongly send HTTP credentials
    when re-using connections. (CVE-2015-3236)

    A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can get tricked by a malicious SMB
    server to send off data it did not intend to. (CVE-2015-3237)

    Note: one might be tempted to downplay vulnerabilities in curl but it's important to keep in mind cmake, git, gnupg,
    among others, use libcurl for secure transport.

    Recommendation: Slackware 14.1 ships curl 7.36.0 and is unaffected by these particular issues but is affected by
    numerous others (see earlier posts). Slackware 14.1 and Slackware-current users should upgrade to curl 7.43.0 (sig).

  4. stunnel

    A flaw was discovered in stunnel 5.00 through 5.13, inclusive, that makes those versions vulnerable to having client
    certificate based authentication bypassed when the redirect option is enabled. (CVE-2015-3644)

    Note: Slackware 14.1/current aren't vulnerable to this particular issue because they ship stunnel 4.53. However, that
    version is vulnerable to several other issues (see earlier posts for more info).

    Recommendation: Upgrade to stunnel 5.19 (sig).

--mancha

mats_b_tegner 07-05-2015 12:21 PM

Quote:

Originally Posted by mancha (Post 5386475)
Update 20150702 UTC
  1. Mozilla

    Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
    CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
    and, when applicable, in Thunderbird 38.1.

    Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

    Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
    (CVE-2015-4000).

Do you know where to find the source for Thunderbird 38.1.0? I can't find it on the Mozilla FTP-server.

onebuck 07-05-2015 12:51 PM

Member response
 
Hi,

Quote:

Originally Posted by mats_b_tegner (Post 5387495)
Do you know where to find the source for Thunderbird 38.1.0? I can't find it on the Mozilla FTP-server.

Not really pertinent to the thread but; http://ftp.mozilla.org/pub/mozilla.org/

mats_b_tegner 07-05-2015 01:05 PM

I said that the source code for Thunderbird 38.1.0 is not yet available on the FTP-site. It seems that it's delayed:
http://forums.mozillazine.org/viewto...f=29&t=2944817

Edit:
I'm downloading the 38.1.0 source code now...

slalik 07-08-2015 07:18 PM

https://mta.openssl.org/pipermail/op...ly/000037.html
Quote:

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as "high" severity. This defect does not affect the 1.0.0 or 0.9.8 releases.

aaazen 07-09-2015 11:01 AM

Quote:

Originally Posted by slalik (Post 5389024)

Here is today's announcement:
https://mta.openssl.org/pipermail/op...ly/000040.html

Code:

OpenSSL Security Advisory [9 Jul 2015]
=======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

...


slalik 07-09-2015 03:01 PM

New openssl packages are already available!

number22 07-10-2015 12:09 PM

beware there are discrepancies of source files between many mirrors sites and ftp.slackware.com, source files have not been properly updated in mirrors sites.

mats_b_tegner 07-10-2015 12:26 PM

PHP 5.6.11 and 5.4.43 fixes CVE-2015-3152.

mralk3 07-10-2015 01:22 PM

Thunderbird 38.1.0 is out and fixes a number of security flaws.

ftp://ftp.mozilla.org/pub/thunderbird/releases/38.1.0/

Quote:

Originally Posted by mancha (Post 5386475)
Update 20150702 UTC

[LIST=1][*]Mozilla

Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
and, when applicable, in Thunderbird 38.1.

Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
(CVE-2015-4000).

[..snip..]

--mancha


mancha 07-11-2015 05:26 PM

Update 20150711 UTC
  1. ca-certificates

    Quote:

    Originally Posted by slalik (Post 5389407)
    New openssl packages are already available!

    Indeed, it was great to see a quick Slackware response to the CA-for-all issue in OpenSSL (CVE-2015-1793).

    That's a critically important fix because SSL/TLS security is premised not only on the proper implementation of secure cryptographic
    primitives but also on the integrity of the underlying trust model (root-to-leaf).

    Unfortunately, Slackware 14.1/current's default OpenSSL trusted root store, provided by ca-certificates, hasn't been updated
    since 2013 and countless many important changes have since been made. Those sufficiently bored can read the changelog for
    details.

    Recommendation: Slackware Linux should upgrade its default OpenSSL trusted root store, asap.

    Note: I don't like pointing out problems/issues without also providing solutions. So, I've put together a tarball with needed build
    materials: ca-certificates_20150426-slackbuild.tar.bz2 (sig)
Enjoy.

--mancha

j_v 07-11-2015 07:41 PM

Thank you very much, mancha.

Speek 07-12-2015 02:41 AM

Thanks, mancha!
I got this message while building your package:
Code:

WARNING:  zero length file var/log/setup/setup.11.cacerts
You forgot to add this file in your package.
BTW. hilarious copyright notice :-)

mancha 07-12-2015 03:02 AM

Quote:

Originally Posted by Speek (Post 5390349)
Thanks, mancha!
I got this message while building your package:
Code:

WARNING:  zero length file var/log/setup/setup.11.cacerts
You forgot to add this file in your package.

You're welcome and many thanks for catching & reporting the setup.11.cacerts omission. Just uploaded a new tarball that includes it:

SHA1 (ca-certificates_20150426-slackbuild.tar.bz2) = 398f7f5b209c1994a3c5c9cda9654931d0b4f885

Quote:

Originally Posted by Speek
BTW. hilarious copyright notice :-)

I was wondering who would notice it. Hah.

--mancha

mancha 07-12-2015 12:10 PM

Notice: ca-certificates

For those using my ca-certificates package announced in post #401, make sure to update the look-up links using the new configure file:

Code:

# mv /etc/ca-certificates.conf.new /etc/ca-certificates.conf
# /usr/sbin/update-ca-certificates --fresh 1>/dev/null 2>&1

--mancha


All times are GMT -5. The time now is 04:23 PM.