LinuxQuestions.org
Old 07-02-2015, 10:31 PM   #391
mancha
Original Poster

Update 20150702 UTC

  1. Mozilla

    Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
    CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
    and, when applicable, in Thunderbird 38.1.

    Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

    Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
    (CVE-2015-4000).

  2. PHP

    PHP 5.4.42 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
    in escapeshellarg (CVE-2015-4642); segfault in php_pgsql_meta_data (CVE-2015-4644); as well as three security
    issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).

    PHP 5.6.10 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
    in escapeshellarg (CVE-2015-4642); several issues in bundled pcrelib (CVE-2015-2325, CVE-2015-2326); as well as
    three security issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).

    Recommendation: Slackware 14.1 users upgrade to PHP 5.4.42 / Slackware-current users upgrade to PHP 5.6.10.

  3. curl

    A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can wrongly send HTTP credentials
    when re-using connections. (CVE-2015-3236)

    A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can get tricked by a malicious SMB
    server to send off data it did not intend to. (CVE-2015-3237)

    Note: one might be tempted to downplay vulnerabilities in curl, but it's important to keep in mind that cmake, git, gnupg,
    among others, use libcurl for secure transport.

    Recommendation: Slackware 14.1 ships curl 7.36.0 and is unaffected by these particular issues but is affected by
    numerous others (see earlier posts). Slackware 14.1 and Slackware-current users should upgrade to curl 7.43.0 (sig).

  4. stunnel

    A flaw was discovered in stunnel 5.00 through 5.13, inclusive, that makes those versions vulnerable to having client
    certificate based authentication bypassed when the redirect option is enabled. (CVE-2015-3644)

    Note: Slackware 14.1/current aren't vulnerable to this particular issue because they ship stunnel 4.53. However, that
    version is vulnerable to several other issues (see earlier posts for more info).

    Recommendation: Upgrade to stunnel 5.19 (sig).

--mancha

Last edited by mancha; 07-02-2015 at 10:42 PM.
 
Old 07-05-2015, 12:21 PM   #392
mats_b_tegner
Quote:
Originally Posted by mancha
Update 20150702 UTC
  1. Mozilla

    Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
    CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
    CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
    and, when applicable, in Thunderbird 38.1.

    Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

    Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
    (CVE-2015-4000).
Do you know where to find the source for Thunderbird 38.1.0? I can't find it on the Mozilla FTP-server.
 
Old 07-05-2015, 12:51 PM   #393
onebuck
Moderator
Member response

Hi,

Quote:
Originally Posted by mats_b_tegner
Do you know where to find the source for Thunderbird 38.1.0? I can't find it on the Mozilla FTP-server.
Not really pertinent to the thread, but: http://ftp.mozilla.org/pub/mozilla.org/
 
Old 07-05-2015, 01:05 PM   #394
mats_b_tegner
I said that the source code for Thunderbird 38.1.0 is not yet available on the FTP-site. It seems that it's delayed:
http://forums.mozillazine.org/viewto...f=29&t=2944817

Edit:
I'm downloading the 38.1.0 source code now...

Last edited by mats_b_tegner; 07-10-2015 at 12:34 PM. Reason: Thunderbird 38.1.0 is finally available
 
Old 07-08-2015, 07:18 PM   #395
slalik
https://mta.openssl.org/pipermail/op...ly/000037.html
Quote:
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as "high" severity. This defect does not affect the 1.0.0 or 0.9.8 releases.
 
Old 07-09-2015, 11:01 AM   #396
aaazen
Quote:
Originally Posted by slalik
Here is today's announcement:
https://mta.openssl.org/pipermail/op...ly/000040.html

Code:
OpenSSL Security Advisory [9 Jul 2015]
=======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

...
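The version checks implied by mancha's update in post #391 and by the OpenSSL advisory quoted above, as an added example that is not part of this thread: it parses Slackware package names as found in /var/log/packages (name-version-arch-build) and reports which packages are still below the fixed versions the thread names. The fixed-version table is taken from the posts; the sample package list is constructed, and branches the thread does not mention (such as OpenSSL 1.0.0) are deliberately left unevaluated.

```python
import re

# Minimum fixed versions named in this thread, keyed by Slackware package name.
# A dict maps a release branch to its own fix (PHP 5.4 vs 5.6, OpenSSL 1.0.1 vs
# 1.0.2, Firefox ESR 38 vs 39); branches not listed are not evaluated.
FIXED = {
    "mozilla-firefox": {"38": "38.1.0", "39": "39.0"},
    "mozilla-thunderbird": "38.1.0",
    "php": {"5.4": "5.4.42", "5.6": "5.6.10"},
    "curl": "7.43.0",
    "stunnel": "5.19",
    "openssl": {"1.0.1": "1.0.1p", "1.0.2": "1.0.2d"},
}

def version_key(version):
    # Numeric parts compare as integers; a letter suffix sorts after the bare
    # number, so '1.0.1' < '1.0.1o' < '1.0.1p' and '38.1.0' < '38.1.0esr'.
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def parse_package(entry):
    # Slackware names are name-version-arch-build; splitting on the last three
    # dashes keeps dashed package names such as ca-certificates intact.
    name, version, _arch, _build = entry.rsplit("-", 3)
    return name, version

def required_version(name, installed):
    # Fixed version this package must reach, or None if the thread lists none.
    fix = FIXED.get(name)
    if not isinstance(fix, dict):
        return fix
    for branch, fixed in fix.items():
        prefix = version_key(branch)
        if version_key(installed)[:len(prefix)] == prefix:
            return fixed
    return None

def outdated_packages(entries):
    # Return {name: (installed, required)} for packages still below the fix.
    result = {}
    for entry in entries:
        name, installed = parse_package(entry)
        required = required_version(name, installed)
        if required and version_key(installed) < version_key(required):
            result[name] = (installed, required)
    return result

# Constructed sample of /var/log/packages entries, not a real system listing.
SAMPLE = [
    "openssl-1.0.1o-x86_64-1_slack14.1", "php-5.4.42-x86_64-1_slack14.1",
    "mozilla-firefox-38.1.0esr-x86_64-1", "curl-7.36.0-x86_64-1_slack14.1",
    "ca-certificates-20130906-noarch-1", "stunnel-4.53-x86_64-1",
]
```

On a real box, feed it `[p.name for p in os.scandir("/var/log/packages")]` and print `outdated_packages(...)`.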
 
Old 07-09-2015, 03:01 PM   #397
slalik
New openssl packages are already available!
 
Old 07-10-2015, 12:09 PM   #398
number22
Beware: there are discrepancies in source files between many mirror sites and ftp.slackware.com; source files have not been properly updated on mirror sites.
 
Old 07-10-2015, 12:26 PM   #399
mats_b_tegner
PHP 5.6.11 and 5.4.43 fix CVE-2015-3152.
 
Old 07-10-2015, 01:22 PM   #400
mralk3
Thunderbird 38.1.0 is out and fixes a number of security flaws.

ftp://ftp.mozilla.org/pub/thunderbird/releases/38.1.0/

Quote:
Originally Posted by mancha
Update 20150702 UTC

  1. Mozilla

Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
and, when applicable, in Thunderbird 38.1.

Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.

Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
(CVE-2015-4000).

[..snip..]

--mancha
 
Old 07-11-2015, 05:26 PM   #401
mancha
Original Poster
Update 20150711 UTC
  1. ca-certificates

    Quote:
    Originally Posted by slalik
    New openssl packages are already available!
    Indeed, it was great to see a quick Slackware response to the CA-for-all issue in OpenSSL (CVE-2015-1793).

    That's a critically important fix because SSL/TLS security is premised not only on the proper implementation of secure cryptographic
    primitives but also on the integrity of the underlying trust model (root-to-leaf).

    Unfortunately, Slackware 14.1/current's default OpenSSL trusted root store, provided by ca-certificates, hasn't been updated
    since 2013, and countless important changes have since been made. Those sufficiently bored can read the changelog for
    details.

    Recommendation: Slackware Linux should upgrade its default OpenSSL trusted root store, asap.

    Note: I don't like pointing out problems/issues without also providing solutions. So, I've put together a tarball with needed build
    materials: ca-certificates_20150426-slackbuild.tar.bz2 (sig)
Enjoy.

--mancha
 
Old 07-11-2015, 07:41 PM   #402
j_v
Thank you very much, mancha.
 
Old 07-12-2015, 02:41 AM   #403
Speek
Thanks, mancha!
I got this message while building your package:
Code:
WARNING:  zero length file var/log/setup/setup.11.cacerts
You forgot to add this file in your package.
BTW, hilarious copyright notice :-)
 
Old 07-12-2015, 03:02 AM   #404
mancha
Original Poster
Quote:
Originally Posted by Speek
Thanks, mancha!
I got this message while building your package:
Code:
WARNING:  zero length file var/log/setup/setup.11.cacerts
You forgot to add this file in your package.
You're welcome and many thanks for catching & reporting the setup.11.cacerts omission. Just uploaded a new tarball that includes it:

SHA1 (ca-certificates_20150426-slackbuild.tar.bz2) = 398f7f5b209c1994a3c5c9cda9654931d0b4f885

Quote:
Originally Posted by Speek
BTW. hilarious copyright notice :-)
I was wondering who would notice it. Hah.

--mancha
 
Old 07-12-2015, 12:10 PM   #405
mancha
Original Poster
Notice: ca-certificates

For those using my ca-certificates package announced in post #401, make sure to update the look-up links using the new configure file:

Code:
# mv /etc/ca-certificates.conf.new /etc/ca-certificates.conf
# /usr/sbin/update-ca-certificates --fresh 1>/dev/null 2>&1
--mancha
 
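A check worth running before the two commands in the notice above, as an added example that is not mancha's code: it diffs the trust-store selection in the old /etc/ca-certificates.conf against the .new file, so the roots that `update-ca-certificates --fresh` will start or stop trusting are visible beforehand. It assumes the Debian-style format that update-ca-certificates reads (one path per line, `#` comments, a leading `!` deselects a root), and the two files' contents are constructed.

```python
# Constructed sample of the two files, not the contents of mancha's package;
# the format assumed is the Debian-style one update-ca-certificates reads:
# one path per line relative to /usr/share/ca-certificates, '#' comments,
# and a leading '!' marking a certificate kept on disk but deselected.
OLD_CONF = """\
# old selection (constructed, stands in for the 2013-era store)
mozilla/Example_Root_A.crt
mozilla/Example_Root_B.crt
mozilla/Example_Root_D.crt
!mozilla/Example_Root_E.crt
"""
NEW_CONF = """\
# new selection (constructed, stands in for ca-certificates.conf.new)
mozilla/Example_Root_A.crt
mozilla/Example_Root_C.crt
!mozilla/Example_Root_D.crt
mozilla/Example_Root_E.crt
"""

def parse_conf(text):
    # Map each listed certificate to whether it is selected for the store.
    selection = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selection[line.lstrip("!").strip()] = not line.startswith("!")
    return selection

def trust_store_changes(old_text, new_text):
    # Roots newly trusted, dropped, deselected, or re-selected by the new file.
    old, new = parse_conf(old_text), parse_conf(new_text)
    return {
        "added": sorted(p for p in new if new[p] and p not in old),
        "removed": sorted(p for p in old if old[p] and p not in new),
        "disabled": sorted(p for p in new if not new[p] and old.get(p)),
        "enabled": sorted(p for p in new if new[p] and old.get(p) is False),
    }

if __name__ == "__main__":
    for kind, roots in trust_store_changes(OLD_CONF, NEW_CONF).items():
        print(f"{kind}: {', '.join(roots) or '-'}")
```

On a real system, read the two files with `open("/etc/ca-certificates.conf").read()` and `open("/etc/ca-certificates.conf.new").read()` in place of the constructed strings.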