Vulnerability - Slackware can be compromised - all versions affected
I was just poking a bit of fun. If there really is a serious vulnerability then I'd like to know about it (remote/local/which package/interim mitigations, etc), but there's got to be at least some details. As it stands, the thread contains no useful information.
Yes, the OP probably should've just emailed Pat or got on IRC. I can understand why he'd not disclose what it is publicly. A status update would be nice.
Possibly the OP is concerned that the slackware installer by default starts sshd without a firewall and with password login enabled. It also used to do that without testing the strength of the password and (if of low strength) warning the user that she was likely to be open to crackers, but maybe the installer checks password strength now (the libpwquality package is provided by slackware-current). I thought that poor practice, particularly now that the network scripts start IPv6, which tends not to be NATed, but it seems to be a policy decision by those who make such decisions.
Or it could be something completely different. Dunno.
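For readers who want to check the sshd concern raised in the post above on their own machine, here is an added example (not part of the thread and not Slackware's own tooling) that reads an `sshd_config` and reports whether password login is left on. The function names and the sample configurations are constructed for illustration; the defaults used are those of upstream OpenSSH.

```shell
#!/bin/sh
# Added example: does an sshd_config leave password login enabled?
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and an unset PasswordAuthentication defaults to "yes".
# Include files and Match blocks are not evaluated here; on a live host
# `sshd -T` prints the effective settings.

# Print the global value of keyword $2 in file $1, or the default $3.
sshd_setting() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }               # conditional overrides start here
        key == want && !seen { val = tolower($2); seen = 1 }
        END { print val }
    ' "$1"
}

# Print findings for config file $1; return 1 if either warning fires.
audit_sshd() {
    rc=0
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    if [ "$pw" = "yes" ]; then
        echo "WARN: PasswordAuthentication yes (password strength is the only barrier)"
        rc=1
    fi
    if [ "$root" = "yes" ]; then
        echo "WARN: PermitRootLogin yes (root login allowed with any enabled method)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no password login, root restricted"; fi
    return "$rc"
}

# Constructed samples: one relying on defaults, one hardened.
sample_default() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PermitRootLogin yes'
}
sample_hardened() {
    printf '%s\n' 'PasswordAuthentication no' 'PasswordAuthentication yes' \
        'PermitRootLogin prohibit-password' 'Match User backup' \
        '    PasswordAuthentication yes'
}

# Audit a real file when one is given: sh audit.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd "$1"; fi
```

In the hardened sample the second `PasswordAuthentication yes` is ignored because the first value wins, and the `Match User backup` override is deliberately left out of the global result.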
A few weeks ago I found ways to infiltrate/compromise a Slackware system. I was not actively looking for weaknesses but stumbled upon it, by chance. I know you are all eagerly awaiting 15 to release but this issue should be addressed ASAP.
I am not going to disclose any details, yet, in order to minimize chances of exploitation of the vulnerability. I am, however, willing to work with anyone closely involved in the development of Slackware (except AlienBob) and provide instructions on how to confirm the vulnerability.
I am also willing to cooperate with any maintainer of a derivative of Slackware and check if those systems are affected, too.
I have patches ready for Slackware 14.2. With minor adjustments they should also work for other versions.
I found a biiiiiiiig scawwwwwy baaaaad thing but I won't tell you about it.
Just use my patch to fix a problem that doesn't exist because trust me I know better than you. I totally did not put my own back door in. I will only talk to my man Pat because I'm cool like that.
Hopefully crts is talking to Pat. All else is noise.
Yeah,
Before Pat gets involved there is nothing. Be it in private or out in the open.
And - as per how Pat seems to be doing stuff - he will check/test it and assess if there are any actual, real-life problems going on.
If there is anything it'll be dealt with. If not, well...
But just announcing there is a problem and not telling anyone what it is is - on the best of days - Not Helpful!
(The words used in my head for describing this are much less safe for work than the squeaky-clean description above.)
Tempting as it would be for me to make a political statement, there have been many cases where individuals in other contexts explicitly express which pronouns should be used to refer to said individuals.
Some of those pronouns appear to be (as far as I can tell) recent inventions. The non-recent English language pronoun that does not assume that you are either male or female is "it".
The OP may not care about such things at all. There are some countries in North America (and some political subdivisions in other countries in the Western Hemisphere) where not referring to an individual with said individual's preferred pronouns is grounds for the government to take you to court and find you guilty of a criminal act.
In all honesty, even in Russian (which itself is a genderfied language, just like Spanish, Italian or French), when the gender of the subject(s) cannot be identified, the neutral case is used: Оно, Они - in translation: it, they/them
However, from what I heard, Asian languages like Japanese, Korean, Thai and Chinese use a particular case of neutral, like in "unidentified person", which is different from the (common) neutral applied to non-humans and/or things.
So, probably an Asian may expect a similar grammatical construct even in foreign languages. Just saying...
PS. I know some details about this because I watched some discussions between linguists who want to add this type of person neutral to Russian, as neologisms.
Last edited by LuckyCyborg; 05-04-2021 at 06:23 AM.
I know in Indonesian there's no grammatical gender, but there are words for man, woman, person. I'm not sure what modern usage is for someone who's nonbinary. "Orang?" Like "orang itu," person over there? I know sometimes "es" gets used in German, but it's not a standard thing, I don't think. It's definitely an ongoing discussion, namely because of the "es/it" connotation, although there are some gendered words, cf "das Mädchen," that are already neutral. (And again I'm out of practice with German, although I could probably opine over music easily.) If I were talking to a nonbinary German person, I'd probably try to sidestep pronouns, unless they told me which they prefer. Always best to err on the side of politeness in a language you don't speak natively.
Always wanted to learn Russian or Korean. Someday!
I suggested twice to the OP to email Patrick Volkerding if he wants that what he considers to be an issue be assessed. I don't know if he did, anyway I wouldn't mind that this thread be closed.