Quote:
So what slackware code is actually using GnuTLS? I did a search of the current slackware64-current/source and found very little. It looks like two packages use it as they are built with "gnutls"
|
Gnome and CUPS, http://en.wikipedia.org/wiki/GnuTLS some of KDE, Apache and Wine may be using it. The GnuTLS project is very "precarious suspicious". It should drop Gnu from its name.
|
Quote:
Gnome is not included in the standard release of Slackware. CUPS specifically ignores GnuTLS, as the build script contains this parameter: "--enable-gnutls=no". I didn't see GnuTLS in the Slackware KDE or Apache packages. Wine, like Gnome, is not included in the standard release. |
Quote:
Code:
for dir in /bin /sbin /usr; do |
guanx, thanks, you beat me to it. Yeah, a simple bash script can easily tell:
another example code Code:
for file in /usr/bin ; do |
Update 20140314
|
Member Response
Hi,
I want to commend 'Mancha' along with other Slackers for contributing helpful information to the Slackware community here at LQ. I'm sure PV & team appreciate the endeavors of all for providing additional security assistance. Read the entire thread and found a lot of useful information. Thanks to all! |
My Slackware deployments do not require a tin foil hat the size of a sombrero, but I also am very grateful to mancha for the investigation and fixes to security issues. It shows an ability beyond my ken.
On the file issue, it just goes to show the degree of difficulty that our BDFL faces in balancing usability with security. An upstream change made the basic nano utility segfault without a change to file to use a compiled magic file. http://www.linuxquestions.org/questi...le-4175455374/ Now a security issue has been uncovered. |
Yeah, stability and security have to be juggled carefully as they can affect one another. I'm only concerned about critical exploits, like privilege escalation / remotely rooting the system, etc. Lesser exploits are more of a concern on multi-user systems or for sysadmins, not me.
|
Quote:
knowing folks are appreciative and finding the information valuable. To slackers contributing alerts or solutions here, keep up the good work. --mancha |
Quote:
http://www.php.net/ChangeLog-5.php#5.4.26 |
This thread is great, I think OP is doing a job for a team by himself
|
FreeType
Two security issues have been identified in FreeType's CFF driver:
CVE-2014-2240 (out-of-bounds stack read/write)
CVE-2014-2241 (denial of service via triggerable assertion)
Solution: Upgrade to FreeType 2.5.3. In order to compile FreeType 2.5.3, Harfbuzz needs to be updated as well.
Mats |
Update 20140316
Quote:
Note: For those wishing to upgrade to FreeType 2.5.3:
|
https://www.mozilla.org/security/kno...irefoxESR.html
Firefox ESR 24.4.0 fixes some critical vulnerabilities. I'm trying to debug a failed build as I write. |