
mancha 10-15-2014 03:03 AM

Status Update: Slackware LQ Security Thread
 
Hi.

Many of you are familiar with [Slackware security] vulnerabilities outstanding 20140101 (aka "the security thread"). For those who aren't,
it's a thread where slackers (ranging from security-conscious end users to admins seeking to harden their systems) share and discuss
security concerns with a focus on solutions.

Unfortunately, its high posting volume makes navigating it a bit of a challenge.

To help with this, I recently put together a status report covering the period from 20140101 (thread's birth) through 20141014.

As was suggested to me, I am re-posting it here to raise visibility.

--mancha

Code:

                    LQ Slackware Vulnerability Thread Status Report (20141014)

Package           CVE ID(s)         Posted      Reference   Status            Slackware Advisory

glibc             CVE-2012-4424     20131026    LQ Post     Vulnerable
                  CVE-2012-4412     20140620    2nd Post
                  CVE-2013-4237
                  CVE-2013-4788
                  CVE-2013-4458

curl              CVE-2013-4545     20140101    LQ Post     Fixed             Advisory
                  CVE-2013-6422

php               CVE-2013-6420     20140101    LQ Post     Fixed             Advisory

libgcrypt(gpg2)   CVE-2013-4576     20140101    LQ Post     Vulnerable
                                    20140909    Update

samba             CVE-2013-4408     20140101    LQ Post     Fixed             Advisory
                  CVE-2012-6150

xorg-server       CVE-2013-6424     20140101    LQ Post     Vulnerable

pixman            CVE-2013-6425     20140101    LQ Post     Vulnerable

openssl           CVE-2013-6449     20140106    LQ Post     Fixed             Advisory
                  CVE-2013-6450
                  CVE-2013-4353

libxfont          CVE-2013-6462     20140107    LQ Post     Fixed             Advisory

bind              CVE-2014-0591     20140114    LQ Post     Fixed             Advisory

curl              CVE-2014-0015     20140131    LQ Post     Fixed             Advisory
                  CVE-2013-6422
                  CVE-2013-4545

kernel            CVE-2014-0038     20140131    LQ Post     Fixed             Advisory

stunnel           CVE-2013-1762     20140207    LQ Post     Vulnerable

poppler           CVE-2013-7296     20140209    LQ Post     Vulnerable

icu4c             CVE-2013-2924     20131019    LQ Post     Vulnerable
                                    20140211    2nd Post

mariadb           CVE-2014-0001     20140211    LQ Post     Fixed             Advisory

python            CVE-2014-1912     20140212    LQ Post     Vulnerable

gnutls            CVE-2014-1959     20140214    LQ Post     Fixed             Advisory

file              CVE-2014-1943     20140218    LQ Post     Vulnerable

imagemagick       CVE-2014-1958     20140222    LQ Post     Vulnerable
                  CVE-2014-2030

gnutls            CVE-2014-0092     20140304    LQ Post     Fixed             Advisory

libssh            CVE-2014-0017     20140314    LQ Post     Vulnerable

file              CVE-2014-2270     20140314    LQ Post     Vulnerable

php               CVE-2014-1943     20140314    LQ Post     Fixed             Advisory
                  CVE-2014-2270

freetype          CVE-2014-2240     20140314    LQ Post     Vulnerable
                  CVE-2014-2241

udisks            CVE-2014-0004     20140314    LQ Post     Fixed             Advisory

udisks2           CVE-2014-0004     20140314    LQ Post     Fixed             Advisory

mutt              CVE-2014-0467     20140314    LQ Post     Fixed             Advisory

samba             CVE-2013-4496     20140314    LQ Post     Fixed             Advisory
                  CVE-2013-6442

httpd             CVE-2014-0098     20140319    LQ Post     Fixed             Advisory
                  CVE-2013-6438

curl              CVE-2014-0138     20140327    LQ Post     Fixed             Advisory
                  CVE-2014-0139

openssh           CVE-2014-2653     20140407    LQ Post     Vulnerable

kernel            CVE-2014-2523     20140407    LQ Post     Vulnerable

openssl           CVE-2014-0160     20140407    LQ Post     Fixed             Advisory
                  CVE-2014-0076

rsync             CVE-2014-2855     20140414    LQ Post     Vulnerable

kernel            CVE-2014-2706     20140421    LQ Post     Vulnerable

php               CVE-2014-0185     20140429    LQ Post     Fixed             Advisory

libxfont          CVE-2014-0209     20140515    LQ Post     Vulnerable
                  CVE-2014-0210
                  CVE-2014-0211

kernel            CVE-2014-0196     20140515    LQ Post     Vulnerable

mariadb           CVE-2014-0384     20140521    LQ Post     Fixed             Advisory
                  CVE-2014-2419
                  CVE-2014-2430
                  CVE-2014-2431
                  CVE-2014-2432
                  CVE-2014-2436
                  CVE-2014-2438
                  CVE-2014-2440

gnutls            CVE-2014-3466     20140530    LQ Post     Fixed             Advisory

libtasn1          CVE-2014-3467     20140530    LQ Post     Fixed             Advisory
                  CVE-2014-3468
                  CVE-2014-3469

sendmail          CVE-2014-3956     20140602    LQ Post     Fixed             Advisory

php               CVE-2014-0237     20140604    LQ Post     Fixed             Advisory
                  CVE-2014-0238

openssl           CVE-2014-0224     20140605    LQ Post     Fixed             Advisory
                  CVE-2014-0221
                  CVE-2014-0195
                  CVE-2014-0198
                  CVE-2010-5298
                  CVE-2014-3470

kernel            CVE-2014-3153     20140606    LQ Post     Vulnerable

bind              CVE-2014-0591     20140612    LQ Post     Fixed             Advisory

glibc             CVE-2014-4043     20140620    LQ Post     Vulnerable

samba             CVE-2014-0239     20140621    LQ Post     Fixed             Advisory
                  CVE-2014-0178

samba             CVE-2014-0244     20140623    LQ Post     Fixed             Advisory
                  CVE-2014-3493

gnupg1            CVE-2014-4617     20140624    LQ Post     Fixed             Advisory

gnupg2            CVE-2014-4617     20140624    LQ Post     Fixed             Advisory

php               CVE-2014-0207     20140626    LQ Post     Fixed             Advisory
                  CVE-2014-3478
                  CVE-2014-3479
                  CVE-2014-3480
                  CVE-2014-3487
                  CVE-2014-3515
                  CVE-2014-3981
                  CVE-2014-4049

httpd             CVE-2014-0231     20140720    LQ Post     Fixed             Advisory
                  CVE-2014-0117
                  CVE-2014-0118
                  CVE-2014-0226

samba             CVE-2014-3560     20140801    LQ Post     Fixed             Advisory

openssl           CVE-2014-3508     20140807    LQ Post     Fixed             Advisory
                  CVE-2014-5139
                  CVE-2014-3509
                  CVE-2014-3505
                  CVE-2014-3506
                  CVE-2014-3507
                  CVE-2014-3510
                  CVE-2014-3511
                  CVE-2014-3512

glibc             CVE-2014-0475     20140906    LQ Post     Vulnerable
                  CVE-2014-5119

procmail          CVE-2014-3618     20140906    LQ Post     Vulnerable

gpgme             CVE-2014-3564     20140906    LQ Post     Vulnerable

dbus              CVE-2014-3532     20140906    LQ Post     Vulnerable
                  CVE-2014-3533
                  CVE-2014-3477

lzo               CVE-2014-4607     20140906    LQ Post     Vulnerable

file              CVE-2014-3587     20140906    LQ Post     Vulnerable

subversion        CVE-2014-3522     20140906    LQ Post     Vulnerable
                  CVE-2014-3528

ppp               CVE-2014-3158     20140909    LQ Post     Vulnerable

curl              CVE-2014-3613     20140913    LQ Post     Vulnerable
                  CVE-2014-3620

dbus              CVE-2014-3635     20140916    LQ Post     Vulnerable
                  CVE-2014-3636
                  CVE-2014-3637
                  CVE-2014-3638
                  CVE-2014-3639

net-snmp          CVE-2014-2284     20140922    LQ Post     Vulnerable
                  CVE-2014-3565

bash              CVE-2014-6271     20140924    LQ Post     Fixed             Advisory

bash              CVE-2014-7169     20140924    LQ Post     Fixed             Advisory

bash              CVE-2014-7186     20140926    LQ Post     Vulnerable (a)
                  CVE-2014-7187

sysklogd          CVE-2014-3634     20140930    LQ Post     Vulnerable
                                    20141003    2nd Post

bash              CVE-2014-6277     20141001    LQ Post     Vulnerable (a)
                  CVE-2014-6278

python            CVE-2013-1752     20141013    LQ Post     Vulnerable
                  CVE-2014-4616
                  CVE-2014-4650
                  CVE-2014-7185

getmail4          CVE-2014-7273     20141013    LQ Post     Vulnerable
                  CVE-2014-7274
                  CVE-2014-7275

libvncserver      CVE-2014-6501     20141013    LQ Post     Vulnerable
                  CVE-2014-6502
                  CVE-2014-6503
                  CVE-2014-6504
                  CVE-2014-6505

vim (ctags)       CVE-2014-7204     20141013    LQ Post     Vulnerable

----
(a) The Bash affix hardening patch Slackware deployed on 20140929 largely mitigates.


business_kid 10-15-2014 04:47 AM

Thanks for a comprehensive update.

So Slackware-current is still vulnerable where you listed it as such. I know those with servers online will take one attitude. For the ordinary user, how many of these matter?

mancha 10-15-2014 01:41 PM

Quote:

Originally Posted by business_kid (Post 5254009)
For the ordinary user, how many of these matter?

Hi.

Great question with no simple answer. After all, levels of risk aversion, use case profiles, etc. vary considerably by user (i.e. security is
not one-size-fits-all). Gurus and seasoned users can provide guidelines and recommendations to novices but ultimately each user needs
to answer that question for themselves.

The thread doesn't attempt to decide for you what should matter. Rather, in Slackwarian fashion, issue/solution sets are shared and
discussed unfiltered. That way individual slackers can make informed decisions about which security situations are of concern to them.

--mancha

metaschima 10-15-2014 08:15 PM

Thanks mancha, I like this thread a lot better than the original. Clear, concise, to the point and a great disclaimer that the user needs to decide for themselves, I couldn't have put it better. Keep it up.

sanjioh 10-16-2014 08:45 AM

wpa_supplicant v2.3 fixes CVE-2014-3686 (http://www.securityfocus.com/bid/70396/info)
This is quite urgent since it could lead to RCE.

Changelog of wpa_supplicant v2.3
http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Poprocks 11-04-2014 02:55 PM

I guess I should finally upgrade my server from 14.0 to 14.1 given that there is now at least one set of security updates (i.e., glibc) that has not been applied to 14.0, which still runs a vulnerable version of glibc according to the literature I have read.

ReaperX7 11-07-2014 12:26 AM

Curious because it just came out recently, but how is ConsoleKit-0.4.5 used by Slackware compared to ConsoleKit2-0.9.2 in terms of code vulnerability?

rob.rice 03-24-2015 02:29 PM

Can slackpkg be used to automagically update the system from the list posted at slackware.com?
If so, HOW?

willysr 03-24-2015 10:57 PM

yes, that's what slackpkg is used for ;)

bassmadrigal 03-25-2015 08:03 AM

Automagically? Not that I'm aware of without scripting it. But you probably shouldn't do it automatically so you can decide what new configs to keep, merge, or discard.

Just make sure you have a server selected in the mirrors file, then run the commands to check for updates and then to upgrade the packages.
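The procedure bassmadrigal describes (one mirror selected, then refresh and upgrade, keeping config decisions manual) as an added example; this is not code from the thread or from the slackpkg project. It assumes slackpkg's default mirrors file is /etc/slackpkg/mirrors and uses the real `slackpkg update`, `slackpkg upgrade-all` and `slackpkg new-config` subcommands; the mirrors content it runs against is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): gate the slackpkg update cycle on a
# sane mirrors file. Assumptions: /etc/slackpkg/mirrors is slackpkg's default
# mirrors file, and "slackpkg update / upgrade-all / new-config" are its
# real subcommands; the sample mirrors content below is constructed.

MIRRORS_FILE="${MIRRORS_FILE:-/etc/slackpkg/mirrors}"

# Print every enabled mirror line (non-blank, not starting with '#').
enabled_mirrors() {
    grep -E '^[[:space:]]*[^#[:space:]]' "$1" 2>/dev/null
}

# Succeed only when exactly one mirror is enabled, which is what slackpkg
# expects; zero means "nothing to fetch from", two or more is a config error.
mirror_ok() {
    count=$(enabled_mirrors "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ]
}

# The manual cycle: refresh package lists, upgrade, then review .new config
# files one by one instead of letting a cron job overwrite them.
run_upgrade() {
    if ! mirror_ok "$MIRRORS_FILE"; then
        echo "expected exactly one uncommented mirror in $MIRRORS_FILE" >&2
        return 1
    fi
    slackpkg update && slackpkg upgrade-all && slackpkg new-config
}

# Stand-alone demo on a constructed mirrors file; run_upgrade itself is only
# meant for a real Slackware box, so it is not called here.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample of /etc/slackpkg/mirrors (commented entries are ignored)
#http://mirror.example.org/slackware/slackware64-14.1/
http://mirror.example.net/slackware/slackware64-14.1/
EOF
if mirror_ok "$demo_file"; then
    echo "mirror configured: $(enabled_mirrors "$demo_file")"
else
    echo "mirrors file needs exactly one enabled entry" >&2
fi
rm -f "$demo_file"
```

The mirror check is what makes an unattended run fail loudly instead of silently fetching nothing; the final `slackpkg new-config` step is where the keep/merge/discard decision for each .new file is taken, which is the reason not to put the whole cycle in cron.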

mancha 03-25-2015 10:07 AM

Hello rob.rice, willysr, bassmadrigal.

I request you move this to a more appropriate thread. The purpose of this low-traffic thread is to provide occasional status updates for the security thread. Thanks.

bamunds 04-07-2015 10:07 AM

Hi mancha, thank you for this excellent summary thread and the links.
1) Any chance you might make a follow-up thread, or include in this one, how one should do a basic security of their Slackware?
2) Any chance you might provide instructions for earlier Slackware releases on how to build the Advisory for their release?
3) For newbies, any chance you might include a link to "updating using "&make&&makeinstall" or "slackpkg upgrade <app>" type instructions?

Thom1b 04-17-2015 01:17 AM

php-5.4.40.
 
Hi,

Quote:

The PHP development team announces the immediate availability of PHP
5.4.40. 14 security-related bugs were fixed in this release, including
CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352.
http://fr2.php.net/distributions/php-5.4.40.tar.bz2
http://fr2.php.net/distributions/php-5.4.40.tar.bz2.asc

pcninja 10-07-2015 12:54 PM

Can we get a more up-to-date list?

hendrickxm 06-08-2016 09:49 AM

Quote:

Originally Posted by pcninja (Post 5431315)
Can we get a more up-to-date list?

That would be great, thanks for the effort you put into this.

