SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Taking in care Slackware development modus operandi a bug tracking system (already invented) is of no use. Mailing lists servers are already provided and ready to use for the rest of functionality. Who think a forum is better for that is because ignores how to use mailing lists. Forums were adopted by users for the same reason all *reinventing the wheel new stuff* is adopted (i.e. systemd), ignorance and laziness.
as it stands bugs don't get fixed in systemd just marked as such
turning to a forum like this is the last resort
This is an out of cycle release to address a security issue:
hg serve --stdio could be tricked into granting authorized users access to the Python debugger. Thanks to Jonathan Claudius of Mozilla for reporting this issue
Not sure which older versions are affected and how severe it is (no CVE number provided in the release note).
as it stands bugs don't get fixed in systemd just marked as such
turning to a forum like this is the last resort
Turning to a Slackware forum about systemd issues is pointless. Take your baggage somewhere else... we don't want to see it.
*If* Slackware ever adopts systemd, it will be because Pat felt it was the best option (likely due to other projects relying too heavily on it that gutting random parts (like eudev and elogind) aren't enough anymore). Your random posts (or anyone's random posts) will have no factor in that decision. Pat is the BDFL of Slackware. He is the only person who has a decision in the matter.
However, there is no sign that Pat is considering this, so there's no reason to be spamming the forum with a bunch of systemd nonsense.
I saw that too but didn't post anything because this CVE is present since curl-7.52. Slackware-14.2 has curl-7.51.0.
Quote:
INFO
----
This flaw also affects the curl command line tool.
For version 7.52.0, we rearranged a lot of TLS code to bring support for HTTPS
proxies, which unfortunately made us accidentally bring this old flaw back!
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2017-7468 to this issue.
AFFECTED VERSIONS
-----------------
This flaw is relevant for all versions of curl and libcurl that support TLS
and client certificates.
- Affected versions: curl 7.52.0 to and including 7.53.1
- Not affected versions: curl < 7.52.0 and >= 7.54.0
* rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
* Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
* dns64 with break-dnssec yes; can result in an assertion failure.
This flaw is disclosed in CVE-2017-3136. [RT #44653]
* If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for
DNS64 address mapping, a NULL pointer can be read triggering a
server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
* named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
* named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
* named incorrectly tried to cache TKEY records which could trigger
an assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
* It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
* Added the ability to specify the maximum number of records
permitted in a zone (max-records #. This provides a mechanism to
block overly large zone transfers, which is a potential risk with
slave zones from other parties, as described in CVE-2016-6170. [RT
#42143]
* It was possible to trigger an assertion when rendering a message
using a specially crafted request. This flaw is disclosed in
CVE-2016-2776. [RT #43139]
* Calling getrrsetbyname() with a non absolute name could trigger an
infinite recursion bug in lwresd or named with lwres configured if,
when combined with a search list entry from resolv.conf, the
resulting name is too long. This flaw is disclosed in
CVE-2016-2775. [RT #42694]
All of these issues are already fixed in the -Px releases, and Slackware patches have already been issued. BIND has a habit of repeating all the CVEs since the last major version when announcing a new stable branch.
These are a security releases in order to address the following defect:
o CVE-2017-7494 (Remote code execution from a writable share)
=======
Details
=======
o CVE-2017-7494:
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
Changes:
--------
o Volker Lendecke <vl@samba.org>
* BUG 12780: CVE-2017-7494: Avoid remote code execution from a writable
share.
irssi 0.8.21 in Slackware 14.0 to 14.2 seems to be affected, too, but it looks like the 0.8.x release isn't supported any longer. If an upgrade to the 1.0.x series isn't feasible the patch from OpenBSD might help: http://marc.info/?l=openbsd-ports&m=149679056311479&w=2
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.