Status Update: Slackware LQ Security Thread

Hi.

Many of you are familiar with [Slackware security] vulnerabilities outstanding 20140101 (aka "the security thread"). For those who aren't,
it's a thread where slackers (ranging from security-conscious end users to admins seeking to harden their systems) share and discuss
security concerns with a focus on solutions.

Unfortunately, its high posting volume makes navigating it a bit of a challenge.

To help with this, I recently put together a status report covering the period from 20140101 (thread's birth) through 20141014.

As was suggested to me, I am re-posting it here to raise visibility.

--mancha

Code:

			LQ Slackware Vulnerability Thread Status Report (20141014)				
				
Package		CVE ID(s)	Posted		Reference	Status		Slackware Advisory

glibc		CVE-2012-4424	20131026	LQ Post		Vulnerable	
		CVE-2012-4412	20140620	2nd Post
		CVE-2013-4237
		CVE-2013-4788
		CVE-2013-4458

curl		CVE-2013-4545	20140101	LQ Post		Fixed		Advisory
		CVE-2013-6422

php		CVE-2013-6420	20140101	LQ Post		Fixed		Advisory

libgcrypt(gpg2)	CVE-2013-4576	20140101	LQ Post		Vulnerable
				20140909	Update

samba		CVE-2013-4408	20140101	LQ Post		Fixed		Advisory
		CVE-2012-6150

xorg-server	CVE-2013-6424	20140101	LQ Post		Vulnerable

pixman		CVE-2013-6425	20140101	LQ Post		Vulnerable

openssl		CVE-2013-6449	20140106	LQ Post		Fixed		Advisory
		CVE-2013-6450
		CVE-2013-4353

libxfont	CVE-2013-6462	20140107	LQ Post		Fixed		Advisory

bind		CVE-2014-0591	20140114	LQ Post		Fixed		Advisory

curl		CVE-2014-0015	20140131	LQ Post		Fixed		Advisory
		CVE-2013-6422
		CVE-2013-4545

kernel		CVE-2014-0038	20140131	LQ Post		Fixed		Advisory

stunnel		CVE-2013-1762	20140207	LQ Post		Vulnerable

poppler		CVE-2013-7296	20140209	LQ Post		Vulnerable

icu4c		CVE-2013-2924	20131019	LQ Post		Vulnerable
				20140211	2nd Post

mariadb		CVE-2014-0001	20140211	LQ Post		Fixed		Advisory

python		CVE-2014-1912	20140212	LQ Post		Vulnerable

gnutls		CVE-2014-1959	20140214	LQ Post		Fixed		Advisory

file		CVE-2014-1943	20140218	LQ Post		Vulnerable

imagemagick	CVE-2014-1958	20140222	LQ Post		Vulnerable
		CVE-2014-2030

gnutls		CVE-2014-0092	20140304	LQ Post		Fixed		Advisory

libssh		CVE-2014-0017	20140314	LQ Post		Vulnerable

file		CVE-2014-2270	20140314	LQ Post		Vulnerable

php		CVE-2014-1943	20140314	LQ Post		Fixed		Advisory
		CVE-2014-2270

freetype	CVE-2014-2240	20140314	LQ Post		Vulnerable
		CVE-2014-2241

udisks		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

udisks2		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

mutt		CVE-2014-0467	20140314	LQ Post		Fixed		Advisory

samba		CVE-2013-4496	20140314	LQ Post		Fixed		Advisory
		CVE-2013-6442

httpd		CVE-2014-0098	20140319	LQ Post		Fixed		Advisory
		CVE-2013-6438

curl		CVE-2014-0138	20140327	LQ Post		Fixed		Advisory
		CVE-2014-0139

openssh		CVE-2014-2653	20140407	LQ Post		Vulnerable

kernel		CVE-2014-2523	20140407	LQ Post		Vulnerable

openssl		CVE-2014-0160	20140407	LQ Post		Fixed		Advisory
		CVE-2014-0076

rsync		CVE-2014-2855	20140414	LQ Post		Vulnerable

kernel		CVE-2014-2706	20140421	LQ Post		Vulnerable

php		CVE-2014-0185	20140429	LQ Post		Fixed		Advisory

libxfont	CVE-2014-0209	20140515	LQ Post		Vulnerable
		CVE-2014-0210
		CVE-2014-0211

kernel		CVE-2014-0196	20140515	LQ Post		Vulnerable

mariadb		CVE-2014-0384	20140521	LQ Post		Fixed		Advisory
		CVE-2014-2419
		CVE-2014-2430
		CVE-2014-2431
		CVE-2014-2432
		CVE-2014-2436
		CVE-2014-2438
		CVE-2014-2440

gnutls		CVE-2014-3466	20140530	LQ Post		Fixed		Advisory

libtasn1	CVE-2014-3467	20140530	LQ Post		Fixed		Advisory
		CVE-2014-3468
		CVE-2014-3469

sendmail	CVE-2014-3956	20140602	LQ Post		Fixed		Advisory

php		CVE-2014-0237	20140604	LQ Post		Fixed		Advisory
		CVE-2014-0238

openssl		CVE-2014-0224	20140605	LQ Post		Fixed		Advisory
		CVE-2014-0221
		CVE-2014-0195
		CVE-2014-0198
		CVE-2010-5298
		CVE-2014-3470

kernel		CVE-2014-3153	20140606	LQ Post		Vulnerable

bind		CVE-2014-0591	20140612	LQ Post		Fixed		Advisory

glibc		CVE-2014-4043	20140620	LQ Post		Vulnerable

samba		CVE-2014-0239	20140621	LQ Post		Fixed		Advisory
		CVE-2014-0178

samba		CVE-2014-0244	20140623	LQ Post		Fixed		Advisory
		CVE-2014-3493

gnupg1		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

gnupg2		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

php		CVE-2014-0207	20140626	LQ Post		Fixed		Advisory
		CVE-2014-3478
		CVE-2014-3479
		CVE-2014-3480
		CVE-2014-3487
		CVE-2014-3515
		CVE-2014-3981
		CVE-2014-4049

httpd		CVE-2014-0231	20140720	LQ Post		Fixed		Advisory
		CVE-2014-0117
		CVE-2014-0118
		CVE-2014-0226

samba		CVE-2014-3560	20140801	LQ Post		Fixed		Advisory

openssl		CVE-2014-3508	20140807	LQ Post		Fixed		Advisory
		CVE-2014-5139
		CVE-2014-3509
		CVE-2014-3505
		CVE-2014-3506
		CVE-2014-3507
		CVE-2014-3510
		CVE-2014-3511
		CVE-2014-3512

glibc		CVE-2014-0475	20140906	LQ Post		Vulnerable
		CVE-2014-5119

procmail	CVE-2014-3618	20140906	LQ Post		Vulnerable

gpgme		CVE-2014-3564	20140906	LQ Post		Vulnerable

dbus		CVE-2014-3532	20140906	LQ Post		Vulnerable
		CVE-2014-3533
		CVE-2014-3477

lzo		CVE-2014-4607	20140906	LQ Post		Vulnerable

file		CVE-2014-3587	20140906	LQ Post		Vulnerable

subversion	CVE-2014-3522	20140906	LQ Post		Vulnerable
		CVE-2014-3528

ppp		CVE-2014-3158	20140909	LQ Post		Vulnerable

curl		CVE-2014-3613	20140913	LQ Post		Vulnerable
		CVE-2014-3620

dbus		CVE-2014-3635	20140916	LQ Post		Vulnerable
		CVE-2014-3636
		CVE-2014-3637
		CVE-2014-3638
		CVE-2014-3639

net-snmp	CVE-2014-2284	20140922	LQ Post		Vulnerable
		CVE-2014-3565

bash		CVE-2014-6271	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7169	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7186	20140926	LQ Post		Vulnerable (a)
		CVE-2014-7187

sysklogd	CVE-2014-3634	20140930	LQ Post		Vulnerable
				20141003	2nd Post

bash		CVE-2014-6277	20141001	LQ Post		Vulnerable (a)
		CVE-2014-6278

python		CVE-2013-1752	20141013	LQ Post		Vulnerable
		CVE-2014-4616
		CVE-2014-4650
		CVE-2014-7185

getmail4	CVE-2014-7273	20141013	LQ Post		Vulnerable
		CVE-2014-7274
		CVE-2014-7275

libvncserver	CVE-2014-6501	20141013	LQ Post		Vulnerable
		CVE-2014-6502
		CVE-2014-6503
		CVE-2014-6504
		CVE-2014-6505

vim (ctags)	CVE-2014-7204	20141013	LQ Post		Vulnerable

----
(a) The Bash affix hardening patch Slackware deployed on 20140929 largely mitigates.

Thanks for a comprehensive update.

So Slackware-current is still vulnerable where you listed it as such. I know those with servers online will take one attitude. For the ordinary user, how many of these matter?

Quote:

Originally Posted by business_kid For the ordinary user, how many of these matter?

Hi.

Great question with no simple answer. After all, levels of risk aversion, use case profiles, etc. vary considerably by user (i.e. security is
not one-size-fits-all). Gurus and seasoned users can provide guidelines and recommendations to novices but ultimately each user needs
to answer that question for themselves.

The thread doesn't attempt to decide for you what should matter. Rather, in Slackwarian fashion, issue/solution sets are shared and
discussed unfiltered. That way individual slackers can make informed decisions about which security situations are of concern to them.

--mancha

Thanks mancha, I like this thread a lot better than the original. Clear, concise, to the point and a great disclaimer that the user needs to decide for themselves, I couldn't have put it better. Keep it up.

wpa_supplicant v2.3 fixes CVE-2014-3686 (http://www.securityfocus.com/bid/70396/info)
This is quite urgent since it could lead to RCE.

Changelog of wpa_supplicant v2.3
http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

I guess I should finally upgrade my server from 14.0 to 14.1 given that there is now at least one set of security updates (ie, glibc) that have not been applied to 14.0 which still runs a vulnerable version of glibc according to the literature I have read.

Curious because it just came out recently, but how is ConsoleKit-0.4.5 used by Slackware compared to ConsoleKit2-0.9.2 in terms of code vulnerability?

can slackpkg be used to automagicly update the system from the list posted at slackware.com
if so HOW?

yes, that's what slackpkg is used for

Automagically? Not that I'm aware of without scripting it. But you probably shouldn't do it automatically so you can decide what new configs to keep, merge, or discard.

Just make sure you have a server selected in the mirrors file, then run the commands to check for updates and then to upgrade the packages.

Hello rob.rice, willysr, bassmadrigal.

I request you move this to a more appropriate thread. The purpose of this low-traffic thread is to provide occasional status updates for the security thread. Thanks.

Hi mancha, thank you for this excellent summary thread and the links.
1) Any chance you might make a follow-up thread, or include in this one, how one should do a basic security of their Slackware?
2) Any chance you might provide instructions for earlier Slackware releases on how to build the Advisory for their release?
3) For newbies, any chance you might include a link to "updating using "&make&&makeinstall" or "slackpkg upgrade <app>" type instructions?

Hi,

Quote:

The PHP development team announces the immediate availability of PHP 5.4.40. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352.

http://fr2.php.net/distributions/php-5.4.40.tar.bz2
http://fr2.php.net/distributions/php-5.4.40.tar.bz2.asc

Can we get a more up-to-date list?

Quote:

Originally Posted by pcninja Can we get a more up-to-date list?

That would be great, thanks for the effort you put into this.