Thirteen critical vulnerabilities (CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731,
CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740) and numerous high, moderate, and low severity issues have been fixed in Firefox 39, Firefox ESR 38.1,
and, when applicable, in Thunderbird 38.1.
Recommendation: Update to Firefox 39 or ESR 38.1 and Thunderbird 38.1.
Note: These versions of Firefox no longer accept DHE MODPs smaller than 1023 bits so are not vulnerable to Logjam
(CVE-2015-4000).
PHP
PHP 5.4.42 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
in escapeshellarg (CVE-2015-4642); segfault in php_pgsql_meta_data (CVE-2015-4644); as well as three security
issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).
PHP 5.6.10 fixes: an integer overflow in ftp_genlist that leads to a heap overflow (CVE-2015-4643); command injection
in escapeshellarg (CVE-2015-4642); several issues in bundled pcrelib (CVE-2015-2325, CVE-2015-2326); as well as
three security issues in the bundled sqlite3 (CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416).
Recommendation: Slackware 14.1 users upgrade to PHP 5.4.42 / Slackware-current users upgrade to PHP 5.6.10.
curl
A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can wrongly send HTTP credentials
when re-using connections. (CVE-2015-3236)
A flaw was discovered in curl 7.40.0 through 7.42.1, inclusive, such that libcurl can get tricked by a malicious SMB
server to send off data it did not intend to. (CVE-2015-3237)
Note: one might be tempted to downplay vulnerabilities in curl, but it's important to keep in mind that cmake, git, gnupg,
among others, use libcurl for secure transport.
Recommendation: Slackware 14.1 ships curl 7.36.0 and is unaffected by these particular issues but is affected by
numerous others (see earlier posts). Slackware 14.1 and Slackware-current users should upgrade to curl 7.43.0 (sig).
stunnel
A flaw was discovered in stunnel 5.00 through 5.13, inclusive, that makes those versions vulnerable to having client
certificate based authentication bypassed when the redirect option is enabled. (CVE-2015-3644)
Note: Slackware 14.1/current aren't vulnerable to this particular issue because they ship stunnel 4.53. However, that
version is vulnerable to several other issues (see earlier posts for more info).
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as "high" severity. This defect does not affect the 1.0.0 or 0.9.8 releases.
OpenSSL Security Advisory [9 Jul 2015]
=======================================
Alternative chains certificate forgery (CVE-2015-1793)
======================================================
Severity: High
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
...
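The advisory above says the bug let a leaf certificate act as a CA because the CA flag check was skipped on the alternative chain. The following is an added example, not part of the advisory or of any post in this thread: it builds a throwaway PKI in a temporary directory (a trusted root, a leaf with CA:FALSE, and a certificate "issued" by that leaf) and then asks the local openssl CLI to verify the forged certificate. A correctly behaving OpenSSL must reject it. All names (Example Root CA, www.example.test, bank.example.test) are made up for the example, and the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the OpenSSL advisory or any poster): check that the
# installed OpenSSL refuses a chain in which a CA:FALSE leaf signs another cert.
# Every certificate and name here is constructed on the fly; nothing is fetched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_pki() {
    cd "$WORK"
    # Minimal config: a [req] section (required by openssl req) plus the two
    # extension profiles we need. "leaf" is deliberately CA:FALSE.
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Self-signed root: the only certificate we will trust.
    openssl req -new -x509 -config ext.cnf -extensions ca -newkey rsa:2048 -nodes \
        -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 2>/dev/null

    # 2. Legitimate end-entity certificate issued by the root, CA:FALSE.
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out leaf.pem -days 30 -extfile ext.cnf -extensions leaf 2>/dev/null

    # 3. The attack: the leaf's private key "issues" a certificate for another
    #    name. Under CVE-2015-1793 the missing CA-flag check could let this pass.
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -keyout forged.key -out forged.csr -subj "/CN=bank.example.test" 2>/dev/null
    openssl x509 -req -in forged.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
        -out forged.pem -days 30 -extfile ext.cnf -extensions leaf 2>/dev/null
}

# Positive control: the real leaf chains to the root and must verify (exit 0).
verify_legit() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The forged certificate, offered together with the CA:FALSE leaf as an
# untrusted intermediate, must NOT verify (non-zero exit, "invalid CA certificate").
verify_forged() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/leaf.pem" \
        "$WORK/forged.pem" >/dev/null 2>&1
}

build_pki
if verify_legit; then
    echo "legitimate leaf verifies against root: ok"
else
    echo "legitimate leaf does not verify; PKI setup problem"
fi
if verify_forged; then
    echo "FORGED certificate accepted: this OpenSSL skips the CA flag check"
else
    echo "forged certificate rejected: CA flag enforced"
fi
```

Run it on each host after upgrading: the second line must say "rejected". The check is deliberately done with the CLI's `verify`, which uses the same X509_verify_cert() path the advisory describes, so it exercises the library every TLS client on the box links against, not just the tool itself.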
Beware: there are discrepancies in source files between many mirror sites and ftp.slackware.com; source files have not been properly updated on the mirror sites.
Indeed, it was great to see a quick Slackware response to the CA-for-all issue in OpenSSL (CVE-2015-1793).
That's a critically important fix because SSL/TLS security is premised not only on the proper implementation of secure cryptographic
primitives but also on the integrity of the underlying trust model (root-to-leaf).
Unfortunately, Slackware 14.1/current's default OpenSSL trusted root store, provided by ca-certificates, hasn't been updated
since 2013, and countless important changes have since been made. Those sufficiently bored can read the changelog for
details.
Recommendation: Slackware Linux should upgrade its default OpenSSL trusted root store, asap.
Note: I don't like pointing out problems/issues without also providing solutions. So, I've put together a tarball with needed build
materials: ca-certificates_20150426-slackbuild.tar.bz2 (sig)