LinuxQuestions.org
Old 01-25-2015, 08:58 AM   #316
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,134

Rep: Reputation: 1365

Flashplayer is handled by Robby in SBo
 
Old 01-25-2015, 09:16 AM   #317
cwizardone
LQ Guru
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib."
Posts: 5,569
Blog Entries: 1

Rep: Reputation: 2967
OpenSSL 1.0.2, a major release, is now available.

https://www.openssl.org/


Change log can be found here,

https://github.com/openssl/openssl/b...stable/CHANGES

Last edited by cwizardone; 01-25-2015 at 10:13 AM.
 
Old 01-27-2015, 12:25 PM   #318
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491
GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems
http://threatpost.com/ghost-glibc-re...systems/110679
 
1 members found this post helpful.
Old 01-27-2015, 12:37 PM   #319
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 939
Blog Entries: 27

Rep: Reputation: 1318
CVE-2015-0235 is a glibc vulnerability, fixed in 2.18 (so -current shouldn't be vulnerable) but I'm not sure if the fix was applied to older Slackware releases (13.1, 14.0, 14.1). It wasn't recognized as a vulnerability until recently.

ETA: http://ma.ttias.be/critical-glibc-up...tbyname-calls/

ETA: Skywise in ##slackware tells me Slackware releases up to 14.1 have been tested and are indeed vulnerable.

Last edited by ttk; 01-28-2015 at 08:24 AM. Reason: fixing typo
 
2 members found this post helpful.
Old 01-27-2015, 05:42 PM   #320
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Rep: Reputation: Disabled
Update 20150127

glibc (multiple issues)
  1. The wordexp function in glibc before 2.21 can ignore WRDE_NOCMD under certain input conditions resulting in the execution of a shell
    for command substitution when the application did not request it. This can be exploited by context-dependent attackers to execute
    arbitrary code (CVE-2014-7817)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-7817.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-7817.diff

  2. The getnetbyname function in glibc before 2.21 can enter an infinite loop if the DNS back-end is activated in the system Name Service
    Switch configuration, and the DNS resolver receives a positive answer while processing the network name. This can be exploited by
    context-dependent attackers to cause a denial of service. (CVE-2014-9402)

    Solutions
    Slackware 14.1: Apply glibc-2.17_CVE-2014-9402.diff
    Slackware-current: Apply glibc-2.20_CVE-2014-9402.diff

  3. A buffer overflow was discovered in __nss_hostname_digits_dots() in glibc prior to 2.18 that can be exploited locally and remotely via
    the gethostbyname* functions. (CVE-2015-0235 aka GHOST)

    Note: You can test vulnerability with CVE-2015-0235-test.c

    Solution
    Slackware 14.1: Apply glibc-2.17_CVE-2015-0235.diff
    Slackware-current: Not vulnerable

--mancha
 
8 members found this post helpful.
Old 01-28-2015, 04:13 AM   #321
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 14.2 64 Multi-Lib
Posts: 553

Rep: Reputation: 223
Quote:
Originally Posted by mancha View Post
Update 20150127

glibc (multiple issues)
A buffer overflow was discovered in __nss_hostname_digits_dots() in glibc prior to 2.18 that can be exploited locally and remotely via
the gethostbyname* functions. (CVE-2015-0235 aka GHOST)
Note: You can test vulnerability with CVE-2015-0235-test.c
Solution
Slackware 14.1: Apply glibc-2.17_CVE-2015-0235.diff
Slackware-current: Not vulnerable
--mancha
I trust we'll see some sort of actual Slackware update soon? Fixing a glibc issue from a diff patch above is probably beyond most people (myself included).
 
Old 01-28-2015, 05:33 AM   #322
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,479
Blog Entries: 14

Rep: Reputation: 3307
Quote:
Originally Posted by Mark Pettit View Post
I trust we'll see some sort of actual Slackware update soon? Fixing a glibc issue from a diff patch above is probably beyond most people (myself included).
Not necessarily. Brad Spender's comment on lwn is interesting. He seems to be suggesting that this isn't nearly as "highly critical" as is being made out. Of course, that doesn't mean that someone isn't going to find something that is using it in such a way as to be exploitable at some point. Be interesting to see which way Pat jumps on this one.
 
3 members found this post helpful.
Old 01-28-2015, 10:36 AM   #323
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491
Remote code execution is a critical vulnerability, so it should be updated.
 
1 members found this post helpful.
Old 01-28-2015, 01:38 PM   #324
Angelo
Member
 
Registered: Mar 2003
Location: Connecticut
Distribution: Slackware, OpenBSD
Posts: 61

Rep: Reputation: 15
Quote:
Originally Posted by GazL View Post
Not necessarily. Brad Spender's comment on lwn is interesting. He seems to be suggesting that this isn't nearly as "highly critical" as is being made out. Of course, that doesn't mean that someone isn't going to find something that is using it in such a way as to be exploitable at some point. Be interesting to see which way Pat jumps on this one.
http://seclists.org/oss-sec/2015/q1/283

I'm not losing any sleep over this.
 
Old 01-28-2015, 04:02 PM   #325
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,321

Rep: Reputation: Disabled
Stable Changelog for x86 (32-bit) + Attn. Slint users

Code:
Wed Jan 28 19:23:00 UTC 2015
patches/packages/glibc-2.17-i486-10_slack14.1.txz:  Rebuilt.
       This update patches a security issue __nss_hostname_digits_dots() function
       of glibc which may be triggered through the gethostbyname*() set of
       functions.  This flaw could allow local or remote attackers to take control
       of a machine running a vulnerable version of glibc.  Thanks to Qualys for
       discovering this issue (also known as the GHOST vulnerability.)
       For more information, see:
       https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
       (* Security fix *)
patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz:  Rebuilt.
patches/packages/glibc-zoneinfo-2014j-noarch-1.txz:  Upgraded.
       Upgraded to tzcode2014j and tzdata2014j.
+--------------------------+
Thanks Patrick.

PS Attn. Slint users:

After upgrade of glibc-* you'll lose the internationalization of timeconfig.

To get it back, reinstall a Slint package for your Slackware version after upgrade of glibc-*:
Code:
upgradepkg --reinstall --install-new slint-<version>-noarch-20141218.txz
Caveat emptor: then you will lose the last updates of tzcode and tzdata. I'll provide updated Slint packages including them in the coming days and announce their availability in the Slint thread.

EDIT: the updated Slint packages are now available, see this post for instructions.

Last edited by Didier Spaier; 01-30-2015 at 05:58 PM. Reason: EDIT added.
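
An added example, not part of the post above or of the Slackware tools: a shell check that classifies an installed glibc package name against the thresholds given in this thread (fixed upstream in 2.18; Slackware 14.1 fix shipped as build `10_slack14.1`). The function names `ghost_status` and `scan_packages`, the `/var/log/packages` database path and the sample names at the bottom are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a Slackware glibc package name against the GHOST fix.
# Thresholds from the thread: fixed upstream in glibc 2.18; the Slackware 14.1
# fix shipped as glibc-2.17-<arch>-10_slack14.1.

ghost_status() {
    pkg=$1
    case $pkg in
        glibc-solibs-[0-9]*-*-*) rest=${pkg#glibc-solibs-} ;;
        glibc-[0-9]*-*-*)        rest=${pkg#glibc-} ;;
        *) echo unknown; return ;;          # i18n, profile, zoneinfo, others
    esac
    version=${rest%%-*}                     # e.g. 2.17
    build=${rest##*-}                       # e.g. 10_slack14.1
    buildnum=${build%%[!0-9]*}              # e.g. 10
    tag=${build#"$buildnum"}                # e.g. _slack14.1
    major=${version%%.*}
    minor=${version#*.}; minor=${minor%%.*}
    for n in "$major" "$minor" "$buildnum"; do
        case $n in ''|*[!0-9]*) echo unknown; return ;; esac
    done
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo not-affected
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 17 ]; then
        # Assumption: only untagged (stock) and _slack14.1 builds are judged;
        # third-party rebuilds are reported as unknown.
        case $tag in ''|_slack14.1) ;; *) echo unknown; return ;; esac
        if [ "$buildnum" -ge 10 ]; then echo patched; else echo vulnerable; fi
    else
        echo unknown    # the thread names no fixed build for older releases
    fi
}

scan_packages() {
    # $1 = package database directory (assumed default for Slackware 14.1)
    dir=${1:-/var/log/packages}
    for f in "$dir"/glibc-[0-9]* "$dir"/glibc-solibs-[0-9]*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        printf '%s %s\n' "$name" "$(ghost_status "$name")"
    done
}

# Constructed sample names; only the first appears in the changelog above.
for p in glibc-2.17-i486-10_slack14.1 glibc-2.17-x86_64-7 glibc-2.20-x86_64-2; do
    printf '%-32s %s\n' "$p" "$(ghost_status "$p")"
done
```

The package name only shows what is installed on disk; processes started before the upgrade keep the old library mapped until they are restarted.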
 
Old 01-28-2015, 05:54 PM   #326
kenw232
Member
 
Registered: May 2006
Posts: 115

Rep: Reputation: 12
How is ghost handled on x64? Are those packages coming shortly?
 
Old 01-28-2015, 05:58 PM   #327
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,321

Rep: Reputation: Disabled
Quote:
Originally Posted by kenw232 View Post
How is ghost handled on x64? Are those packages coming shortly?
http://www.slackware.com/changelog/s...php?cpu=x86_64

The mail from the Slackware-security mailing list has been sent and the packages are available on the main server.

Last edited by Didier Spaier; 01-28-2015 at 06:00 PM.
 
Old 01-28-2015, 06:19 PM   #328
kenw232
Member
 
Registered: May 2006
Posts: 115

Rep: Reputation: 12
This is the correct URL to the new packages, correct?

http://mirrors.slackware.com/slackwa...ches/packages/

It's just "glibc-2.17-x86_64-10_slack14.1.txt" does not say the "This update patches a security issue __nss_hostname_digits_dots() function"...
 
1 members found this post helpful.
Old 01-28-2015, 07:41 PM   #329
j_v
Member
 
Registered: Oct 2011
Distribution: Slackware64
Posts: 364

Rep: Reputation: 67
Quote:
Originally Posted by kenw232 View Post
This is the correct URL to the new packages, correct?

http://mirrors.slackware.com/slackwa...ches/packages/

It's just "glibc-2.17-x86_64-10_slack14.1.txt" does not say the "This update patches a security issue __nss_hostname_digits_dots() function"...
If you use slackpkg for updates, then the correct package(s) will be upgraded. If you are curious about the update info, you could read the ChangeLog.txt at the top of the release directory. That will be more informative about what the update concerns and likely what you are looking for.
http://mirrors.kernel.org/slackware/.../ChangeLog.txt
 
Old 01-28-2015, 07:54 PM   #330
kenw232
Member
 
Registered: May 2006
Posts: 115

Rep: Reputation: 12
Sounds good, thank you for your timely post.
 
  

