LinuxQuestions.org

[Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

abga 12-08-2019 05:43 PM

Is this thread no longer sticky?

bassmadrigal 12-08-2019 05:51 PM

I think for some reason they unstickied this one and kept this old and outdated one as the sticky...

abga 12-08-2019 06:14 PM

Well, maybe it's time to start a new one, without any date & "outstanding" in the title, like:
[Slackware security] Live Vulnerabilities Announcements & Reports

Thom1b 12-08-2019 11:08 PM

Hi,

Quote:

Originally Posted by abga (Post 6065938)
Well, maybe it's time to start a new one, without any date & "outstanding" in the title, like:
[Slackware security] Live Vulnerabilities Announcements & Reports

I think the thread Status Update: Slackware LQ Security Thread is the one.

abga 12-08-2019 11:29 PM

@Thom1b

Thanks! Noticed that already. It's all GazL's fault for calling it "active, and useful" :D
Now this one that contains all the fresh stuff & details will get flushed down the toilet ... forum thread list and will soon vanish.
I don't know if it's in the power of the mods, but I'd rather suggest to rename this thread, remove " outstanding 20140101 " from the title and keep it active & sticky.
Or, rename it in: [Slackware security] Live Vulnerabilities Announcements & Reports
- maybe other more suggestive name (I'm not a native English speaker and not very creative at this time (tired too)).

GazL 12-09-2019 05:20 AM

Yep, sorry guys, looks like my desire to tidy up the stickies backfired and they clobbered the wrong one.



Mods, please can you re-sticky this active thread:
https://www.linuxquestions.org/quest...-a-4175489800/

and unsticky this dead one: https://www.linuxquestions.org/quest...ad-4175522182/



As for the title, it might be an idea to wait until Jan and start a new 2020 thread to use going forward, or start a new one when Slackware 15.0 releases. What do people think?

GazL 12-09-2019 05:39 AM

Quote:

Originally Posted by abga (Post 6065985)
Or, rename it in:
- maybe other more suggestive name (I'm not a native English speaker and not very creative at this time (tired too)).

'Live' might make people think it relates to Eric's Slackware-Live.

"[Slackware Security] Unresolved Vulnerability Announcements, Reports and Discussion" seems like an unambiguous title, if a little bit long.

Tonus 12-09-2019 10:03 AM

"[Slackware Security] Vulnerability Announcements, Reports and Discussion"

Since I hope a few become solved, that would be my vote

unSpawn 12-09-2019 03:52 PM

Quote:

Originally Posted by GazL (Post 6066069)
Yep, sorry guys, looks like my desire to tidy up the stickies backfired and they clobbered the wrong one.

Thanks for correcting. Reversed stickification.

GazL 12-09-2019 04:16 PM

Thanks UnSpawn, much appreciated.

bamunds 12-09-2019 05:43 PM

Quote:

Originally Posted by bamunds (Post 6065426)
So I just loaded firewalld running on my Slackware64 14.2. The environment is a single desktop behind a Modem/Router with IPv4 only service on the LAN, NAT enabled, and Firewall on. Some might ask why I'm running any firewall? Well I have been for years and yet I want to get experience and get ready to use a laptop when out and about. So simple setups in safe environment first. My firewalld zone is home and only irc, mdns, and samba-client are checked for services.


How would one convert the above commands to block this new IPv4 security issue in the firewalld entries? Can they be put into FirewallD Direct Configuration?

Cheers, BrianA_MN

Turns out the Documentation for firewalld.conf clearly says that IPv4 rpfilter is controlled by sysctl.conf. So setting up sysctl.conf as stated above is exactly what to do. Thanks.

abga 12-09-2019 07:25 PM

Quote:

Originally Posted by GazL (Post 6066073)
'Live' might make people think it relates to Eric's Slackware-Live.

"[Slackware Security] Unresolved Vulnerability Announcements, Reports and Discussion" seems like an unambiguous title, if a little bit long.

I felt the "outstanding" would suggest that the vulnerabilities are not resolved and that is false; I know for sure Patrick is constantly monitoring & providing inputs in the thread and issues are getting resolved in no time. The same goes for "current" - again unresolved? Additionally, for a visitor it can also suggest that Slackware is not doing a good job, like: "look, they have a thread for the outstanding (unresolved) security issues" :)
With "Live" I wanted to emphasize that the thread is active and "alive", that it should be used and monitored, but now I believe Tonus' formulation could be more suitable (with the plural for Discussion):
"[Slackware Security] Vulnerability Announcements, Reports and Discussions"

Glad it's back on sticky. :)

GazL 12-10-2019 02:49 AM

Quote:

Originally Posted by abga (Post 6066319)
I felt the "outstanding" would suggest that the vulnerabilities are not resolved and that is false,"

Actually, the original intention for the thread was as a place to draw attention to and discuss security related issues that need addressing on a Slackware system: either by local sysadms, or Pat, applying an upstream patch/update, or taking mitigating steps.

As such, "outstanding" and "unresolved" are appropriate. I prefer "unresolved" so as to avoid the multiple meanings "outstanding" has.

bassmadrigal 12-10-2019 08:04 PM

Quote:

Originally Posted by GazL (Post 6066384)
As such, "outstanding" and "unresolved" are appropriate. I prefer "unresolved" so as to avoid the multiple meanings "outstanding" has.

What I see abga trying to explain is that someone might look on page one and see a vulnerability from 2014 that they think hasn't been addressed. Without a proper way to edit the older posts in the thread when things are no longer outstanding or unresolved, it may lead someone to think that Slackware is insecure. Hopefully they won't come to that conclusion, but it is always possible.

If we had the ability to edit the first post and keep track of currently known vulnerabilities that don't have patches (or even recent ones that had patches already pushed out), it would make more sense to leave it as outstanding or unresolved.

But since I believe only moderators would have the ability to edit posts that old (and the topic name), we're stuck with the current name and OP.

I suppose if someone wanted to be gung-ho and maintain a slack-docs article on current vulnerabilities, they could open a new thread for new vulnerabilities announcements/reportings and then in the first post, they could link the slack-docs article that tracks current/recent vulnerabilities and their status on various Slackware versions. I certainly don't have the time and inclination to manage that, but it would certainly be a nice resource if someone is able to tackle it.

mats_b_tegner 01-18-2020 10:02 AM

Kernel 4.4.210 fixes the following CVEs: CVE-2019-14615, CVE-2019-14895
https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.210
https://cdn.kernel.org/pub/linux/ker...4.4.210.tar.xz


All times are GMT -5.