LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 03-02-2021, 03:25 PM   #916
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,816

Rep: Reputation: Disabled

Quote:
Originally Posted by teoberi View Post
This is the reason why, although I tested GRUB in the virtual machine, I did not install it on the test server or on the production one.
GRUB 2.04 has quite a few issues (e.g. the BootHole vulnerability) and version 2.06 is still pending.
Funnily, Daniel just answered a few seconds ago to people complaining about the delayed 2.06 release:
Quote:
I am planning to cut 2.06-rc1 in matter of days...
But he didn't say how many...

I am testing my new packages and for some reason grub-mkconfig doesn't create the boot entries expected from os-prober. Investigating. Of course I won't ship this package as-is.
 
Old 03-02-2021, 03:41 PM   #917
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,816

Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
I am testing my new packages and for some reason grub-mkconfig doesn't create the boot entries expected from os-prober. Investigating. Of course I won't ship this package as-is.
Found it. In the patch #116 a test is wrongly reverted. Now to get boot entries from os-prober one have to set GRUB_DISABLE_OS_PROBER=true instead of false. Go figure...

PS reported on the grub-devel mailing list.

Last edited by Didier Spaier; 03-02-2021 at 03:51 PM. Reason: PS added.
 
Old 03-02-2021, 11:33 PM   #918
gmgf
Senior Member
 
Registered: Jun 2012
Location: Bergerac, France
Distribution: Slackware
Posts: 2,000

Rep: Reputation: 837Reputation: 837Reputation: 837Reputation: 837Reputation: 837Reputation: 837Reputation: 837
Quote:
Originally Posted by Didier Spaier View Post
Daniel Kiper just released no less than 117 patches to fix vulnerabilities in GRUB.

I have pulled from git master and built a new GRUB package for Slint that I will upload today. I suggest to do the same for Slackware.
I use also the git version since the latest current package.

Last edited by gmgf; 03-02-2021 at 11:39 PM.
 
Old 03-03-2021, 04:04 PM   #919
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,816

Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
Found it. In the patch #116 a test is wrongly reverted. Now to get boot entries from os-prober one have to set GRUB_DISABLE_OS_PROBER=true instead of false. Go figure...

PS reported on the grub-devel mailing list.
Will be fixed soon.
 
1 members found this post helpful.
Old 03-09-2021, 10:41 PM   #920
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,276

Rep: Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500Reputation: 1500
git 2.30.2 due to this report
 
1 members found this post helpful.
Old 03-13-2021, 12:22 PM   #921
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 909

Rep: Reputation: 602Reputation: 602Reputation: 602Reputation: 602Reputation: 602Reputation: 602
Security flaws in -stable (14.2) kernel before version 4.4.260:
https://linux.slashdot.org/story/21/...oot-privileges
https://www.scmagazine.com/home/secu...-to-attackers/
https://blog.grimm-co.com/2021/03/ne...ux-kernel.html

Edit:
New kernel packages are available according to the latest ChangeLogs:
Quote:
Sun Mar 14 03:24:31 UTC 2021
patches/packages/kernel-firmware-20210305_e425f76-noarch-1.txz: Upgraded.
patches/packages/linux-4.4.261/*: Upgraded.
These updates fix various bugs and security issues, including the recently
announced iSCSI vulnerabilities allowing local privilege escalation.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
https://cve.mitre.org/cgi-bin/cvenam...CVE-2021-27363
https://cve.mitre.org/cgi-bin/cvenam...CVE-2021-27364
https://cve.mitre.org/cgi-bin/cvenam...CVE-2021-27365
(* Security fix *)

Last edited by mats_b_tegner; 03-14-2021 at 01:31 AM.
 
1 members found this post helpful.
Old 03-20-2021, 02:44 PM   #922
jmccue
Member
 
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 393

Rep: Reputation: 197Reputation: 197
XTerm

I ran across nvd.nist.gov - CVE-2021-27135, looks like it is specific to 14.2 and earlier. From what I read, the version on current is fine.

So I took the xterm source and build from Current slackware.osuosl.org xterm-366 and compiled and installed it on 14.2. So far so good. But if you have custom fonts in ~/.Xdefaults you may need to adjust them.
 
1 members found this post helpful.
Old 03-21-2021, 05:34 AM   #923
fskmh
Member
 
Registered: Jun 2002
Location: South Africa
Distribution: Custom slackware64-current
Posts: 290

Rep: Reputation: 85
CVE-2019-17498 libssh2 SSH_MSG_DISCONNECT

This is a bit of an oldie. It's mostly applicable to docker and flatpak: CVE-2019-17498
Quote:
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
A PoC exists although it's an exercise that requires docker and a user that wants to crash their own docker server.

This will mostly likely be fixed when upstream releases 1.9.1 because the patch comes from the main branch on github, but I'm submitting this for Pat's consideration in the meantime.
Code:
--- libssh2.SlackBuild.orig     2021-03-21 12:10:41.579936398 +0200
+++ libssh2.SlackBuild  2021-03-21 12:09:10.603865683 +0200
@@ -24,7 +24,7 @@
 
 PKGNAM=libssh2
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-3}
+BUILD=${BUILD:-4}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -77,6 +77,13 @@
   \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
   -exec chmod 644 {} \+
 
+# CVE-2019-17498
+[[ ! -f ${CWD}/CVE-2019-17498.patch ]] && \
+wget https://github.com/libssh2/libssh2/commit/1c6fa92b77e34d089493fe6d3e2c6c8775858b94.patch \
+-O ${CWD}/CVE-2019-17498.patch
+
+patch -Np1 -i ${CWD}/CVE-2019-17498.patch || exit 1
+
 CFLAGS="$SLKCFLAGS" \
 ./configure \
   --prefix=/usr \

Last edited by fskmh; 03-21-2021 at 05:36 AM.
 
Old 04-10-2021, 11:18 AM   #924
mats_b_tegner
Member
 
Registered: Nov 2009
Location: Gothenburg, Sweden
Distribution: Slackware
Posts: 909

Rep: Reputation: 602Reputation: 602Reputation: 602Reputation: 602Reputation: 602Reputation: 602
Linux kernel LTS versions prior to 5.10.29, 5.4.111, 4.19.186, 4.14.230, 4.9.266, and 4.4.266 are vulnerable to CVE-2021-29154
https://www.openwall.com/lists/oss-s...y/2021/04/08/1

Last edited by mats_b_tegner; Yesterday at 06:39 AM.
 
2 members found this post helpful.
Old Yesterday, 04:32 AM   #925
atelszewski
Member
 
Registered: Aug 2007
Distribution: Slackware
Posts: 907

Rep: Reputation: Disabled
Please ignore.

Last edited by atelszewski; Yesterday at 04:33 AM. Reason: Wrong thread
 
  


Reply

Tags
exploit, security, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[Slackware Security]: Some pending vulnerabilities... mancha Slackware 7 08-22-2013 09:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 02:23 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration