Updating Firefox in Slackware

eajam · 09-27-2014, 12:09 PM

Maybe I'm missing something here, but does the recent NSS package update fixes the problem with firefox when it was not compiled with the --with-system-nss option, according to its Slackbuild script. Firefox does not make use of any shared NSS shared library BTW. There is also the issue of having the vulnerable NSS share library(ies) under /usr/lib(64)/firefox-32.0/. For other apps that make use of NSS, if you don't have NSS installed, wouldn't you be toasted?

moisespedro · 09-27-2014, 02:58 PM

A bit off topic but I tried downloading all schmatzler's SlackBuilds with the following command and I can't spot what is wrong:

Code:

pedro@slack [~/SlackBuilds] $ for i in firefox gst-libav gst-plugins-bad gst-plugins-base gst-plugins good gst-plugins-ugly gstreamer do; lftp -c 'open http://schmatzler.de/my_slackbuilds/firefox-h264-mp3/SlackBuilds/; mirror $i'                                                                                       
bash: syntax error near unexpected token `lftp'

Didier Spaier · 09-27-2014, 03:05 PM

Put the semicolon before the do, not after. You also miss "; done" at the end of the statement.

Alien Bob · 09-27-2014, 03:06 PM

Quote:

Originally Posted by moisespedro

A bit off topic but I tried downloading all schmatzler's SlackBuilds with the following command and I can't spot what is wrong:

Code:

pedro@slack [~/SlackBuilds] $ for i in firefox gst-libav gst-plugins-bad gst-plugins-base gst-plugins good gst-plugins-ugly gstreamer do; lftp -c 'open http://schmatzler.de/my_slackbuilds/firefox-h264-mp3/SlackBuilds/; mirror $i'                                                                                       
bash: syntax error near unexpected token `lftp'

The correct command would be, after several syntax fixes:

Code:

for i in firefox gst-libav gst-plugins-bad gst-plugins-base gst-plugins good gst-plugins-ugly gstreamer ; do lftp -c "open http://schmatzler.de/my_slackbuilds/firefox-h264-mp3/SlackBuilds/; mirror $i" ; done

Eric

moisespedro · 09-27-2014, 03:11 PM

Thank you both.

mancha · 09-27-2014, 03:55 PM

Quote:

Originally Posted by eajam

Maybe I'm missing something here, but does the recent NSS package update fixes the problem with firefox when it was not compiled with the --with-system-nss option...?

Unfortunately you're not missing anything; you're right. Slackware's Firefox, Seamonkey, and Thunderbird remain vulnerable to the RSA forgery
issue (CVE-2014-1568) because they use their bundled NSS libraries (read my recommendations in this post). Note: this also affects Google's
Chrome browser.

By the way, it's now being called BERserk because of the BER encoding format and because these days Western culture expects sexy names
for high-profile vulnerabilities. You can read a bit about it here.

--mancha

schmatzler · 09-27-2014, 05:13 PM

Quote:

Originally Posted by moisespedro

A bit off topic but I tried downloading all schmatzler's SlackBuilds with the following command

You do realize that there's a link at the top that generates a ZIP file for you? ;-)

Nevertheless, I learned something about lftp. Nice.

moisespedro · 09-27-2014, 06:45 PM

Quote:

Originally Posted by schmatzler

You do realize that there's a link at the top that generates a ZIP file for you? ;-)

Nevertheless, I learned something about lftp. Nice.

To be honest I only noticed it later

eajam · 09-27-2014, 08:53 PM

Quote:

Originally Posted by mancha

Unfortunately you're not missing anything; you're right. Slackware's Firefox, Seamonkey, and Thunderbird remain vulnerable to the RSA forgery
issue (CVE-2014-1568)...

--mancha

I don't know then why weren't they upgraded, which is why I was asking if I had missed anything. I ended up rebuilding the Seamonkey packages, which took a while to compile, and I'm now rebuilding the other ones.

eloi · 09-28-2014, 07:03 AM

Some people, pretending to help, will teach you to "depend on" them. The price of their "easy" alternative, like they sell it, is you'll eventually depend on them like Windows users depend on Microsoft.

Personally I only trust in those that teach me how to solve issues on my own (take in care you'll find three, four of this kind in your life).

Alien Bob · 09-28-2014, 07:15 AM

Quote:

Originally Posted by eloi

Some people, pretending to help, will teach you to "depend on" them. The price of their "easy" alternative, like they sell it, is you'll eventually depend on them like Windows users depend on Microsoft.

Personally I only trust in those that teach me how to solve issues on my own (take in care you'll find three, four of this kind in your life).

How does that make sense in this thread?

Eric

eloi · 09-28-2014, 07:29 AM

Quote:

Originally Posted by Alien Bob

How does that make sense in this thread?

Well, I don't find sense in half of what you say and do, so we're even.

ruario · 09-28-2014, 08:31 AM

Quote:

Originally Posted by eloi

Well, I don't find sense in half of what you say and do, so we're even.

Alien bob asked a valid question. Your reply on the other hand seems to be a straight insult.

eajam · 09-28-2014, 09:40 AM

Although AlienBob is right in asking why was Elio feeling philosophical today on this forum, at the end of it all this is all silly. The question is why weren't the Mozilla packages, excluding the one for NSS, updated? I can build my own packages, thank you very much, but that's besides the point. Who knows, maybe I missed something here. But if, say, Firefox is not dynamically linked to the NSS libraries, plus makes it own set of NSS libraries available, how can the NSS package update solved the problem?

samyaza81 · 09-28-2014, 11:47 AM

there is portable linux version ftp://ftp.mozilla.org/pub/firefox/re...-x86_64/en-GB/
or slackwae current packages http://ftp.osuosl.org/pub/slackware/...0-x86_64-1.txz