LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 10-01-2014, 01:55 PM   #241
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, OpenBSD, NetBSD
Posts: 233

Rep: Reputation: Disabled

Quote:
Even after patching, the old bash binary can still be "ressurrected" from memory
But can you add to the environment of a running bash and have it reparse its environment variables?
[sorry, reread the article and saw how it runs from /proc. Can I delete this message?]

Last edited by thirdm; 10-01-2014 at 02:04 PM. Reason: would like to delete
 
Old 10-01-2014, 04:02 PM   #242
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20141001
  1. bash (ɥsɐq)

    So, the vulnerabilities Michal Zalewski, of Google, discovered and that I hinted at in post #225 have been made public. Here's a brief
    summary for you:

    • CVE-2014-6277

      By traversing a certain code-path, an uninitialized part of memory can end up getting treated as a valid pointer.

      Code:
      $ bash -c "myfunc(){ x(){ _;};x(){ _;}<<foo;}"
      Segmentation fault
      The good news is Slackware's Bash uses Bash's malloc version and scrambles memory contents on calls to malloc and free. This
      makes things much more difficult to exploit on Slackware because the pointer will always resolve to 0xdfdfdfdf. In other words,
      an adversary must find a way to overlap with this particular memory region. On systems where these Bash features are disabled
      (and I understand such exist), the pointer can easily be within an attacker's control. Score one for Bob.

    • CVE-2014-6278

      There's a way to trick the Bash parser with what appears to be nested empty command substitutions The reason this tricks the
      parser into executing arbitrary code is not clear and seems to only affect versions 4.2 and 4.3 (at least in this form). Pretty much,
      the vulnerability allows injection of code through a crafted "functional definition" of an environment variable (much like
      CVE-2014-6271 which you can read about in Unshocking the shell).

      Code:
      $ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
      evil code here
      The good news is the prefix/suffix hardening affords protection against external attackers because untrusted external input should
      never be able to set arbitrary environment variables. If they can due to buggy CGI scripts, or otherwise, they could exploit it.
      However, if that's true then all bets are off and there's a lot more to worry about than just shellshock and its ugly spawn. Take,
      for example, the ability to set SHELLOPTS and LD_PRELOAD to name just a couple.

    Stay tuned for upstream patches that fix these two issues (already coming down the pike).
--mancha

Last edited by mancha; 10-01-2014 at 05:44 PM. Reason: noop
 
1 members found this post helpful.
Old 10-03-2014, 06:21 AM   #243
colweb
LQ Newbie
 
Registered: Oct 2014
Location: planet Earth
Distribution: Slackware
Posts: 21

Rep: Reputation: Disabled
@mancha,

I did use your script (Bash security upgrades for Slackware 12.0, 12.1, and 12.2 [HOWTO]) to update an old server still running Slack 12.1 and that works perfectly. Many thanks for this script.

After the last update (patch level 22), bash on Slack 12.1 now gives this:

Code:
$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
bash: myfunc: line 0: syntax error near unexpected token `{'
bash: myfunc: line 0: `myfunc () { _;}>_[$($())] { echo "evil code here";}'
bash: error importing function definition for `myfunc'
In order to use this same script to update my server with Slack 14.1 I changes it and it seems to work as it does create a new bash-4.2.052-x86_64-1.txz in /tmp. And upgradepkg does work as well.
However, somehow something is going wrong. Bash --version shows that the latest patch is applied but..

Code:
$ bash --version
GNU bash, version 4.2.52(2)-release (x86_64-slackware-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$
$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
evil code here
It still gives 'evil code here'.

Seems I'm doing something wrong, but I have no idea what?

Last edited by colweb; 10-03-2014 at 06:29 AM.
 
Old 10-03-2014, 06:47 AM   #244
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by colweb View Post
@mancha,

I did use your script (Bash security upgrades for Slackware 12.0, 12.1, and 12.2 [HOWTO]) to update an old server still running Slack 12.1 and that works perfectly. Many thanks for this script.
Hi colweb. Glad the script worked for both your Slackware 12.x and 14.1 systems.

Quote:
Originally Posted by colweb View Post
However, somehow something is going wrong. Bash --version shows that the latest patch is applied but..
Code:
$ env BASH_FUNC_myfunc%%='() { _;}>_[$($())] { echo "evil code here";}' bash -c true
evil code here
It still gives 'evil code here'.

Seems I'm doing something wrong, but I have no idea what?
You're doing nothing wrong. The fixes for that issue (CVE-2014-6278) are not yet available. But, as I explain in my report on post #242,
the offending line only works on Bash 4.2 and 4.3 (not 3.1). It is unclear if Bash 3.1 is not vulnerable or simply not vulnerable to that
particular syntax construction.

--mancha
 
1 members found this post helpful.
Old 10-03-2014, 07:03 AM   #245
kfritz
Member
 
Registered: Aug 2006
Distribution: Slackware, OpenBSD, CentOS, Ubuntu
Posts: 99

Rep: Reputation: 31
ksyslogd

http://seclists.org/oss-sec/2014/q4/79

I saw that post and immediately tried it against the Slackware source, and it seems to patch and build cleanly. Then I realized mancha == mancha. Of course it works!

I expect we'll be seeing a patch from Pat soon?

Last edited by kfritz; 10-03-2014 at 07:21 AM. Reason: Doh! Can't edit title! It's sysklogd!
 
Old 10-03-2014, 09:23 AM   #246
colweb
LQ Newbie
 
Registered: Oct 2014
Location: planet Earth
Distribution: Slackware
Posts: 21

Rep: Reputation: Disabled
Quote:
Originally Posted by mancha View Post
the offending line only works on Bash 4.2 and 4.3 (not 3.1). It is unclear if Bash 3.1 is not vulnerable or simply not vulnerable to that
particular syntax construction.
--mancha
Ah, I see. Should have read your postings better.

Thanks.
 
Old 10-03-2014, 12:10 PM   #247
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20141003

To follow up on a report by sanjioh in post #237, there was an issue identified in rsyslog and sysklogd where some invalid priority values
are allowed to propagate through the code. Rainer Gerhards, rsyslog project lead, has prepared two very detailed and well-written advisories
on this: CVE-2014-3634 and CVE-2014-3683.

  1. sysklogd

    In the case of sysklogd, this flaw results in out-of-bounds access to an element of the logging daemon's 'filed' structure. So far,
    my analysis reveals the amount of over/under read is insufficient to go beyond the limits of the structure so a daemon crash doesn't
    seem likely. The effect appears limited to improper message handling (or loss) of the message carrying the mal-formed priority value.
    However, the rsyslog team has been able to crash rsyslog v3 and its codebase is very similar to sysklogd's. So, I recommend being safe
    rather than sorry. (CVE-2014-3634)

    Recommendation: Upgrade to sysklogd 1.5.1

    Note: This is of more concern for those logging remote messages.

  2. rsyslog

    In the case of rsyslog, the impact appears significantly more severe because it's been confirmed the issue can trigger daemon crashes
    or possibly code execution. This is complicated by the fact that rsyslog's fix for CVE-2014-3634 was incomplete and introduced the
    possibility for large negative out-of-bounds access due to integer overflows. This has since been corrected and assigned CVE-2014-3683.

    I don't normally address applications that aren't part of Slackware proper in this thread. But in this particular case, because it was
    brought up in sanjioh's original comment, is offered by SBo, shares the root cause with sysklogd, and I'm particularly familiar with the
    issue, I'm making an exception. (CVE-2014-3634 and CVE-2014-3683)

    Recommendation: If you use rsyslog, upgrade to rsyslog 8.4.2 or rsyslog 7.6.7

    Note: This is of more concern for those logging remote messages.
Quote:
Originally Posted by kfritz View Post
http://seclists.org/oss-sec/2014/q4/79

I saw that post and immediately tried it against the Slackware source, and it seems to patch and build cleanly. Then I realized mancha == mancha. Of course it works!

I expect we'll be seeing a patch from Pat soon?
kfritz, we've had a few more back & forths in that thread since my 1st post in case you're interested. Also, yesterday I sent Pat an advance
copy of my patch so there might be an update coming - but I don't know.

--mancha

Last edited by mancha; 10-06-2014 at 04:38 AM. Reason: Update sysklogd recommendation
 
Old 10-03-2014, 08:33 PM   #248
RickKnight
LQ Newbie
 
Registered: Mar 2007
Posts: 10

Rep: Reputation: 0
Thanks again guys, I was able to patch my Slackware 12.0 to the latest patch (022) successfully.

Rick
 
Old 10-13-2014, 06:00 PM   #249
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20141013

  1. Python

    • Directory traversal attack of CGIHTTPRequestHandler allows running arbitrary executables in the directory under which the server
      was started. Fixed in Python 2.7.6. (CVE N/A)

    • Unbound readline() resulting in denial of service in ftplib and nntplib. Fixed in Python 2.7.6 (CVE-2013-1752)

    • Unbound readline() resulting in denial of service in imaplib. Fixed in Python 2.7.7 (CVE-2013-1752)

    • Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c allows remote attackers to execute arbitrary code
      via a crafted string. Fixed in Python 2.7.7. (CVE-2014-1912) [see also: 20140212 report]

    • Insufficient bounds checking in the _json module allows an attacker to read arbitrary process memory. Fixed in Python 2.7.8.
      (CVE-2014-4616)

    • The CGIHTTPServer module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose
      a CGI script's source code or execute arbitrary CGI scripts in the server's document root. Fixed in Python 2.7.8. (CVE-2014-4650)

    • Integer overflow in bufferobject.c allows context-dependent attackers to obtain sensitive information from process memory via a
      large size and offset in a "buffer" function. Fixed in Python 2.7.8 (CVE-2014-7185)

    Recommendation: Upgrade to Python 2.7.8 (sig)

  2. LibVNCServer

    • A malicious VNC server could advertise a very large screen size resulting in heap corruption, and possibly remote code execution
      on client-side. (CVE-2014-6501)

    • A malicious VNC server that advertises a large enough screen size could potentially inject code anywhere in client-side process
      memory through FramebufferUpdate messages. (CVE-2014-6052)

    • A malicious client could advertise a very large ClientCutText message size potentially causing a server crash. (CVE-2014-6053)

    • A malicious client could set the scaling factor to 0, which will result in a server crash. (CVE-2014-6054)

    • Multiple server-side stack overflows in File Transfer feature. (CVE-2014-6055)

    Recommendation: Rebuild LibVNCServer 0.9.9 after applying the following patches:
    LibVNCServer-0.9.9_CVE-2014-6051.diff
    LibVNCServer-0.9.9_CVE-2014-6052.diff
    LibVNCServer-0.9.9_CVE-2014-6053.diff
    LibVNCServer-0.9.9_CVE-2014-6054.diff
    LibVNCServer-0.9.9_CVE-2014-6055.diff
    Note: TigerVNC (provided in "extra") might be vulnerable to issues similar to some of the above. I'll provide updates as I learn more.

  3. getmail4

    • Getmail 4.0.0 through 4.43.0 allows IMAP MITM with arbitrary certificates. (CVE-2014-7273)

    • Getmail 4.44.0 allows IMAP MITM with valid/recognized certificates for an arbitrary hostname. (CVE-2014-7274)

    • Getmail 4.0.0 through 4.44.0 allows POP MITM with arbitrary certificates. (CVE-2014-7275)

    Recommendation: Upgrade to Getmail 4.46.0

  4. Exuberant Ctags (vim)

    Exuberant Ctags 5.8, as bundled by Slackware's vim, allows attackers to cause a denial of service (infinite loop and CPU and disk
    consumption) via a crafted JavaScript file. (CVE-2014-7204)

    Make sure you have a way to kill the process (i.e. other terminal ready to killall -9 ctags) before trying out the PoC because it will
    CPU/disk DoS the box. You've been warned, hic sunt dracones:

    Code:
    $ ctags CVE-2014-7204_poc.js
    Recommendation: Rebuild vim after editing vim.SlackBuild so it applies ctags-5.8_CVE-2014-7204.diff to the bundled exuberant-ctags.

--mancha

Last edited by mancha; 10-14-2014 at 01:45 AM. Reason: mention tigervnc
 
2 members found this post helpful.
Old 10-14-2014, 02:20 AM   #250
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Status Report 20141014

Back in June, GaZL pointed out the thread was getting difficult to follow. He suggested a state-of-play would help (i.e. summary of which
security issues had been patched and which remained outstanding).

I agree.

So, to mark the 250th post, I bit the bullet and put together the following thread status report (current through 20141014). Mozilla products
are excluded from the list; They usually get Slackware upgrades soon after Mozilla security announcements.

I hope this helps those having trouble sorting all the information out.

--mancha

Code:
			LQ Slackware Vulnerability Thread Status Report (20141014)				
				
Package		CVE ID(s)	Posted		Reference	Status		Slackware Advisory

glibc		CVE-2012-4424	20131026	LQ Post		Vulnerable	
		CVE-2012-4412	20140620	2nd Post
		CVE-2013-4237
		CVE-2013-4788
		CVE-2013-4458

curl		CVE-2013-4545	20140101	LQ Post		Fixed		Advisory
		CVE-2013-6422

php		CVE-2013-6420	20140101	LQ Post		Fixed		Advisory

libgcrypt(gpg2)	CVE-2013-4576	20140101	LQ Post		Vulnerable
				20140909	Update

samba		CVE-2013-4408	20140101	LQ Post		Fixed		Advisory
		CVE-2012-6150

xorg-server	CVE-2013-6424	20140101	LQ Post		Vulnerable

pixman		CVE-2013-6425	20140101	LQ Post		Vulnerable

openssl		CVE-2013-6449	20140106	LQ Post		Fixed		Advisory
		CVE-2013-6450
		CVE-2013-4353

libxfont	CVE-2013-6462	20140107	LQ Post		Fixed		Advisory

bind		CVE-2014-0591	20140114	LQ Post		Fixed		Advisory

curl		CVE-2014-0015	20140131	LQ Post		Fixed		Advisory
		CVE-2013-6422
		CVE-2013-4545

kernel		CVE-2014-0038	20140131	LQ Post		Fixed		Advisory

stunnel		CVE-2013-1762	20140207	LQ Post		Vulnerable

poppler		CVE-2013-7296	20140209	LQ Post		Vulnerable

icu4c		CVE-2013-2924	20131019	LQ Post		Vulnerable
				20140211	2nd Post

mariadb		CVE-2014-0001	20140211	LQ Post		Fixed		Advisory

python		CVE-2014-1912	20140212	LQ Post		Vulnerable

gnutls		CVE-2014-1959	20140214	LQ Post		Fixed		Advisory

file		CVE-2014-1943	20140218	LQ Post		Vulnerable

imagemagick	CVE-2014-1958	20140222	LQ Post		Vulnerable
		CVE-2014-2030

gnutls		CVE-2014-0092	20140304	LQ Post		Fixed		Advisory

libssh		CVE-2014-0017	20140314	LQ Post		Vulnerable

file		CVE-2014-2270	20140314	LQ Post		Vulnerable

php		CVE-2014-1943	20140314	LQ Post		Fixed		Advisory
		CVE-2014-2270

freetype	CVE-2014-2240	20140314	LQ Post		Vulnerable
		CVE-2014-2241

udisks		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

udisks2		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

mutt		CVE-2014-0467	20140314	LQ Post		Fixed		Advisory

samba		CVE-2013-4496	20140314	LQ Post		Fixed		Advisory
		CVE-2013-6442

httpd		CVE-2014-0098	20140319	LQ Post		Fixed		Advisory
		CVE-2013-6438

curl		CVE-2014-0138	20140327	LQ Post		Fixed		Advisory
		CVE-2014-0139

openssh		CVE-2014-2653	20140407	LQ Post		Vulnerable

kernel		CVE-2014-2523	20140407	LQ Post		Vulnerable

openssl		CVE-2014-0160	20140407	LQ Post		Fixed		Advisory
		CVE-2014-0076

rsync		CVE-2014-2855	20140414	LQ Post		Vulnerable

kernel		CVE-2014-2706	20140421	LQ Post		Vulnerable

php		CVE-2014-0185	20140429	LQ Post		Fixed		Advisory

libxfont	CVE-2014-0209	20140515	LQ Post		Vulnerable
		CVE-2014-0210
		CVE-2014-0211

kernel		CVE-2014-0196	20140515	LQ Post		Vulnerable

mariadb		CVE-2014-0384	20140521	LQ Post		Fixed		Advisory
		CVE-2014-2419
		CVE-2014-2430
		CVE-2014-2431
		CVE-2014-2432
		CVE-2014-2436
		CVE-2014-2438
		CVE-2014-2440

gnutls		CVE-2014-3466	20140530	LQ Post		Fixed		Advisory

libtasn1	CVE-2014-3467	20140530	LQ Post		Fixed		Advisory
		CVE-2014-3468
		CVE-2014-3469

sendmail	CVE-2014-3956	20140602	LQ Post		Fixed		Advisory

php		CVE-2014-0237	20140604	LQ Post		Fixed		Advisory
		CVE-2014-0238

openssl		CVE-2014-0224	20140605	LQ Post		Fixed		Advisory
		CVE-2014-0221
		CVE-2014-0195
		CVE-2014-0198
		CVE-2010-5298
		CVE-2014-3470

kernel		CVE-2014-3153	20140606	LQ Post		Vulnerable

bind		CVE-2014-0591	20140612	LQ Post		Fixed		Advisory

glibc		CVE-2014-4043	20140620	LQ Post		Vulnerable

samba		CVE-2014-0239	20140621	LQ Post		Fixed		Advisory
		CVE-2014-0178

samba		CVE-2014-0244	20140623	LQ Post		Fixed		Advisory
		CVE-2014-3493

gnupg1		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

gnupg2		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

php		CVE-2014-0207	20140626	LQ Post		Fixed		Advisory
		CVE-2014-3478
		CVE-2014-3479
		CVE-2014-3480
		CVE-2014-3487
		CVE-2014-3515
		CVE-2014-3981
		CVE-2014-4049

httpd		CVE-2014-0231	20140720	LQ Post		Fixed		Advisory
		CVE-2014-0117
		CVE-2014-0118
		CVE-2014-0226

samba		CVE-2014-3560	20140801	LQ Post		Fixed		Advisory

openssl		CVE-2014-3508	20140807	LQ Post		Fixed		Advisory
		CVE-2014-5139
		CVE-2014-3509
		CVE-2014-3505
		CVE-2014-3506
		CVE-2014-3507
		CVE-2014-3510
		CVE-2014-3511
		CVE-2014-3512

glibc		CVE-2014-0475	20140906	LQ Post		Vulnerable
		CVE-2014-5119

procmail	CVE-2014-3618	20140906	LQ Post		Vulnerable

gpgme		CVE-2014-3564	20140906	LQ Post		Vulnerable

dbus		CVE-2014-3532	20140906	LQ Post		Vulnerable
		CVE-2014-3533
		CVE-2014-3477

lzo		CVE-2014-4607	20140906	LQ Post		Vulnerable

file		CVE-2014-3587	20140906	LQ Post		Vulnerable

subversion	CVE-2014-3522	20140906	LQ Post		Vulnerable
		CVE-2014-3528

ppp		CVE-2014-3158	20140909	LQ Post		Vulnerable

curl		CVE-2014-3613	20140913	LQ Post		Vulnerable
		CVE-2014-3620

dbus		CVE-2014-3635	20140916	LQ Post		Vulnerable
		CVE-2014-3636
		CVE-2014-3637
		CVE-2014-3638
		CVE-2014-3639

net-snmp	CVE-2014-2284	20140922	LQ Post		Vulnerable
		CVE-2014-3565

bash		CVE-2014-6271	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7169	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7186	20140926	LQ Post		Vulnerable (a)
		CVE-2014-7187

sysklogd	CVE-2014-3634	20140930	LQ Post		Vulnerable
				20141003	2nd Post

bash		CVE-2014-6277	20141001	LQ Post		Vulnerable (a)
		CVE-2014-6278

python		CVE-2013-1752	20141013	LQ Post		Vulnerable
		CVE-2014-4616
		CVE-2014-4650
		CVE-2014-7185

getmail4	CVE-2014-7273	20141013	LQ Post		Vulnerable
		CVE-2014-7274
		CVE-2014-7275

libvncserver	CVE-2014-6501	20141013	LQ Post		Vulnerable
		CVE-2014-6502
		CVE-2014-6503
		CVE-2014-6504
		CVE-2014-6505

vim (ctags)	CVE-2014-7204	20141013	LQ Post		Vulnerable

----
(a) The Bash affix hardening patch Slackware deployed on 20140929 largely mitigates.

Last edited by mancha; 10-14-2014 at 03:53 PM. Reason: tidy footer
 
10 members found this post helpful.
Old 10-14-2014, 02:25 AM   #251
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 92

Rep: Reputation: Disabled
hello mancha, and thanks for your amazing work. the recap is wonderful. if I may suggest a further improvement, maybe it would be nice to have it on the first post, to give it more visibility.
what do you think?
 
2 members found this post helpful.
Old 10-14-2014, 07:31 AM   #252
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,748

Rep: Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622Reputation: 3622
Quote:
Originally Posted by mancha View Post
So, to mark the 250th post, I bit the bullet and put together the following thread status report (current through 20141014).
You sir, are an absolute Star!
Thankyou. I'm sure many people will appreciate this.
 
2 members found this post helpful.
Old 10-14-2014, 10:17 AM   #253
moisespedro
Senior Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223

Rep: Reputation: 195Reputation: 195
Mancha, do you have more information on this?
http://www.theregister.co.uk/2014/10...drop_tomorrow/
 
Old 10-14-2014, 03:53 PM   #254
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,307
Blog Entries: 4

Rep: Reputation: Disabled
http://securityreactions.tumblr.com/...-released-soon
 
1 members found this post helpful.
Old 10-14-2014, 06:54 PM   #255
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by moisespedro View Post
Mancha, do you have more information on this?
http://www.theregister.co.uk/2014/10...drop_tomorrow/
moisespedro:

You can read details here.

I plan to add instructions on disabling SSLv3 to my disabling-SSLv2-on-OpenSSL thread. This might present some compatibility issues but
one would hope POODLE is incentive enough for clients/servers to abandon the 18-year-old protocol.

Meantime, those wanting to disable SSLv3 on Firefox: type about:config in the address bar and change security.tls.version.min from
the default of 0 (SSL 3.0) to 1 (TLS 1.0):

Code:
security.tls.version.min    1
--mancha

Last edited by mancha; 10-15-2014 at 07:32 PM. Reason: SSL3 is of voting age
 
4 members found this post helpful.
  


Reply

Tags
exploit, security, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[Slackware Security]: Some pending vulnerabilities... mancha Slackware 7 08-22-2013 10:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration