SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A buffer overflow (CVE-2014-1912) has been identified in Python with a fix planned for inclusion in 2.7.7. However, because
I don't know how long before that release, I decided to backport upstream's fix to Python 2.7.5 (Slackware 14.1's version)
and 2.7.6 (most recent 2.7.x release):
I am not sure I understand the point of this thread.
Keeping up with all the security issues is actually much more time consuming then maintaining a distribution like Slackware. It's a full time job for a dedicated team. PV provides a basic security support for Slackware keeping eye for important flaws and patching them. It's enough for home or small business users. Anyone who has ever used Slackware in larger production environment knows that he/she is on his/her own.
So what's the point of flashing here all these CVEs.
I am not sure I understand the point of this thread.
Keeping up with all the security issues is actually much more time consuming then maintaining a distribution like Slackware. It's a full time job for a dedicated team. PV provides a basic security support for Slackware keeping eye for important flaws and patching them. It's enough for home or small business users. Anyone who has ever used Slackware in larger production environment knows that he/she is on his/her own.
So what's the point of flashing here all these CVEs.
I've been looking at it as a way to alert other users of security risks so if they want to take their own action they can. mancha has been pretty good about pointing out the issues and then providing fixes for them. I'm happy mancha is taking the time to help out.
There is no need to sugar coating security flaws, don't need to question OP method of warning, I found this thread is very useful, at least, OP is trying be organized.
IMHO Slackware-security mailing list is much more organized and is the right method of reporting security issues and proposing patches.
Actually downloading unofficial "security" patches from forum posts is the worst practice I can imagine.
No offense to the OP but this sounds like an attempt to point out the obvious fact that PV cant keep up with ALL the security issues of Slackware. As I said above its mission impossible for a single maintainer. Slackware is what it is - one man show. There is no point of complaining about the time it takes to fix some vulnerability. Even a root exploit. As a Slackware user you are on your own. Take it or leave it.
I found emailing the security team takes care of problems Fast. I remembered I sent a email a while back about a issue and it was corrected a couple of hours latter.
I found emailing the security team takes care of problems Fast. I remembered I sent a email a while back about a issue and it was corrected a couple of hours latter.
It would be nice if mancha told us if he actually e-mails these to Pat V. or not.
It was discovered version 1 intermediate certificates were being incorrectly considered CA certificates by default since
version 2.11.5. Systems with CAs in their trusted root certificate store, which issue X.509 version 1 certificates, are
potentially vulnerable. [CVE-2014-1959 / GNUTLS-SA-2014-1]
Solution: Upgrade to GnuTLS 3.1.21 or apply this fix.
--mancha
Last edited by mancha; 02-14-2014 at 11:14 PM.
Reason: Update version where flaw was introduced.
A flaw (CVE-2014-1943) was discovered in the handling of indirect magic rules in the libmagic library where malicious
input can trigger an infinite recursion and cause a DoS (segmentation fault) or, theoretically, arbitrary code execution.
PoC:
Code:
$ echo -n "4552000000" | xxd -r -p | file -
Solution: Upgrade to file 5.17 or apply my backport fix (sig) to file 5.14.
Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions:
Users of Adobe Flash Player 11.2.202.336 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.341.
Two vulnerabilities have been identified in the way ImageMagick handles PSD images: 1) a boundary error during RLE decoding
(CVE-2014-1958), and 2) a buffer overrun when writing PSD images (CVE-2014-2030).
Solution: Rebuild ImageMagick 6.8.6-10 after applying my backport fix.
Note: I combined both fixes into a single patch because they're both in the Photoshop image processing code-base.
A security audit of GnuTLS, carried out by one of its primary developers, has identified serious flaws in its certificate validation
code (CVE-2014-0092). The vulnerabilities can be exploited via specially-crafted certificates to effectively circumvent certificate
validation checks.
Solution: Slackware deployed security fixes for Slackware 13.0 through current the day the issue became public (20140303).
I encourage those who've not yet applied these updates to do so as soon as possible.
Note: Slackware 12.1 and 12.2 systems can address this issue by rebuilding GnuTLS after applying Slackware 13.0's fix.
--mancha
Last edited by mancha; 03-04-2014 at 11:26 PM.
Reason: add audit attribution
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.