LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 09-13-2017, 03:30 PM   #646
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Rep: Reputation: Disabled

Hi,

Thanks.

--
Best regards,
Andrzej Telszewski
 
Old 09-13-2017, 04:59 PM   #647
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 948

Rep: Reputation: Disabled
Hi,

Quote:
Originally Posted by volkerdi View Post
Waiting on proper upstream fixes.
Wouldn't it be this one: e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 ?

4.4.88 with this fix has just been releases.

--
Best regards,
Andrzej Telszewski
 
1 members found this post helpful.
Old 09-14-2017, 07:43 PM   #648
chytraeus
Member
 
Registered: Dec 2008
Distribution: slackware64 openbsd
Posts: 105

Rep: Reputation: 11
cairo-1.14.6 CVE-2016-9082

CVE-2016-9082

Cairo 'cairo-png.c' Integer Overflow Vulnerability
http://www.securityfocus.com/bid/93931

A patch is provided here https://bugs.freedesktop.org/attachment.cgi?id=127421.
This patch is also used in Debian's libcairo2-1.14.8
 
3 members found this post helpful.
Old 09-15-2017, 04:07 PM   #649
majekw
LQ Newbie
 
Registered: May 2011
Distribution: Slackware
Posts: 15

Rep: Reputation: 23
Quote:
Originally Posted by atelszewski View Post
Hi,


Wouldn't it be this one: e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 ?

4.4.88 with this fix has just been releases.

Bluez 5.47 is also out with the fixes for http://cve.mitre.org/cgi-bin/cvename...E-2017-1000250
 
1 members found this post helpful.
Old 09-17-2017, 10:33 AM   #650
Z5T1
Cucumber Benevolent Dictator for Life
 
Registered: Aug 2017
Distribution: Cucumber Linux
Posts: 22

Rep: Reputation: 28
A vulnerability in libgcrypt which makes it easier for attackers to discover a secret key:

CVE-2017-0379 (https://nvd.nist.gov/vuln/detail/CVE-2017-0379)

This has been fixed in libgcrypt 1.7.9. More details at http://security.cucumberlinux.com/se...ails.php?id=26
 
Old 09-17-2017, 02:17 PM   #651
Z5T1
Cucumber Benevolent Dictator for Life
 
Registered: Aug 2017
Distribution: Cucumber Linux
Posts: 22

Rep: Reputation: 28
A vulnerability in gdk-pixbuf allowing for a denial of service:

CVE-2017-6311 (https://nvd.nist.gov/vuln/detail/CVE-2017-6311)

This has been fixed in gdk-pixbuf 2.36.10
 
Old 09-20-2017, 03:19 AM   #652
Thom1b
Member
 
Registered: Mar 2010
Location: France
Distribution: Slackware
Posts: 476

Rep: Reputation: 333Reputation: 333Reputation: 333Reputation: 333
samba 4.4.16, 4.5.14, 4.6.8 are released with security fixes.

Quote:
Details
=======

o CVE-2017-12150:
A man in the middle attack may hijack client connections.

o CVE-2017-12151:
A man in the middle attack can read and may alter confidential
documents transferred via a client connection, which are reached
via DFS redirect when the original connection used SMB3.

o CVE-2017-12163:
Client with write access to a share can cause server memory contents to be
written into a file or printer.

For more details and workarounds, please see the security advisories:

o https://www.samba.org/samba/security...017-12150.html
o https://www.samba.org/samba/security...017-12151.html
o https://www.samba.org/samba/security...017-12163.html


Changes:
--------

o Jeremy Allison <jra@samba.org>
* BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
async.
* BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.

o Ralph Boehme <slow@samba.org>
* BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories
directly.

o Stefan Metzmacher <metze@samba.org>
* BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs
redirects.
* BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing
when they should.
 
Old 09-21-2017, 02:40 PM   #653
ttk
Senior Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 1,038
Blog Entries: 27

Rep: Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484Reputation: 1484
A bunch of linux kernel CVEs were announced here:
https://lists.debian.org/debian-secu.../msg00243.html

Checking each against the kernels now in current, 14.2 and 14.1 revealed some outstanding vulnerabilities -- I think. Please double-check. All I did was check the kernel sources for the code which introduced the vulns and/or the existence of patches which fixed them, and didn't run POCs.

CVE-2017-7518: none (CONFIG_KVM=m in Slackware)
CVE-2017-7558: current
CVE-2017-10661: not sure
CVE-2017-11600: current, 14.2, 14.1
CVE-2017-12146: current, 14.2, 14.1
CVE-2017-12134: none (no xen in Slackware; those using xen sbo should use workaround "echo 2 > /sys/block/nvme0n1/queue/nomerges")
CVE-2017-12153: current, 14.2, 14.1
CVE-2017-12154: none (CONFIG_KVM=m in Slackware)
CVE-2017-14106: current, 14.2, 14.1 (not finding Linus' patch in net/ipv4/tcp.c)
CVE-2017-14140: 14.1
CVE-2017-14156: current, 14.2 (atyfb_base.c not present in 14.1)
CVE-2017-14340: 14.1
CVE-2017-14489: current, 14.2, 14.1
CVE-2017-14497: current
CVE-2017-1000111: 14.1
CVE-2017-1000112: not sure
CVE-2017-1000251: none
CVE-2017-1000252: current, 14.2
CVE-2017-1000370: not sure
CVE-2017-1000371: 14.1
CVE-2017-1000380: 14.1
 
3 members found this post helpful.
Old 10-02-2017, 09:32 AM   #654
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

Rep: Reputation: 287Reputation: 287Reputation: 287
dnsmasq 2.78 has been released, which fixes a truckload of remotely-exploitable vulnerabilities.

2.78 release announcement
Google Security blog post on the vulnerabilities they discovered
 
2 members found this post helpful.
Old 10-04-2017, 09:26 AM   #655
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 946

Rep: Reputation: 649Reputation: 649Reputation: 649Reputation: 649Reputation: 649Reputation: 649
curl 7.56.0

curl 7.56.0 fixes CVE-2017-1000254
https://curl.haxx.se/docs/adv_20171004.html
 
2 members found this post helpful.
Old 10-06-2017, 05:48 PM   #656
USUARIONUEVO
Senior Member
 
Registered: Apr 2015
Posts: 2,295

Rep: Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916
lame , in current have CVE-2017-15018 , AND same in slackbuilds , but this is another question.

https://cve.mitre.org/cgi-bin/cvenam...CVE-2017-15018

the patch
https://git.archlinux.org/svntogit/p...=packages/lame

Last edited by USUARIONUEVO; 10-06-2017 at 06:45 PM.
 
2 members found this post helpful.
Old 10-12-2017, 03:37 PM   #657
USUARIONUEVO
Senior Member
 
Registered: Apr 2015
Posts: 2,295

Rep: Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916Reputation: 916
I posted in the current hread but , this probably need patch in 14.2 and other slack versions.

Xorg-server , ..again !


CVE-2017-12176: Unvalidated extra length in ProcEstablishConnection
CVE-2017-12177: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
CVE-2017-12178: Xi: fix wrong extra length check in ProcXIChangeHierarchy
CVE-2017-12179: Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
CVE-2017-12180: hw/xfree86: unvalidated lengths
CVE-2017-12181: hw/xfree86: unvalidated lengths
CVE-2017-12182: hw/xfree86: unvalidated lengths
CVE-2017-12183: xfixes: unvalidated lengths
CVE-2017-12184: Unvalidated lengths
CVE-2017-12185: Unvalidated lengths
CVE-2017-12186: Unvalidated lengths
CVE-2017-12187: Unvalidated lengths
 
3 members found this post helpful.
Old 10-14-2017, 11:02 AM   #658
a4z
Senior Member
 
Registered: Feb 2009
Posts: 1,727

Rep: Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742
will Slackware update gcc to 5.5?

https://gcc.gnu.org/ml/gcc/2017-10/msg00064.html

the fixes since 5.3 are rather huge

https://gcc.gnu.org/bugzilla/buglist..._milestone=5.4
https://gcc.gnu.org/bugzilla/buglist..._milestone=5.5

and some of them are marked critical
 
1 members found this post helpful.
Old 10-14-2017, 01:45 PM   #659
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 2,454

Rep: Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347Reputation: 8347
Quote:
Originally Posted by a4z View Post
will Slackware update gcc to 5.5?
Since -current is already past the 5.x branch (on gcc-7.2.0), no we won't.
 
2 members found this post helpful.
Old 10-16-2017, 04:42 AM   #660
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,044

Rep: Reputation: Disabled
KRACK Attacks

I don't know if and when WPA supplicant will be patched.

https://www.krackattacks.com/

Details should published soon.

Meanwhile, I'd suggest to be careful with your WIFI connections, and prefer wired connections whenever possible, although no exploit seems to have been recorded at time of writing to my knowledge.
 
2 members found this post helpful.
  


Reply

Tags
exploit, security, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[Slackware Security]: Some pending vulnerabilities... mancha Slackware 7 08-22-2013 09:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 10:27 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration