Vulnerability - Slackware can be compromised - all versions affected
We now have a potential remote exploit that is mitigated by the typical home user modem/router that refuses all incoming connections by default or by the firewall that any competent sysadmin would put in place.
Contact has been made on this report, yet the only action in the ChangeLog in the subsequent three days is business as usual. If this was serious, I would have expected some report of compromised systems in the almost five years since the 14.2 release that so many find frustrating.
We now have a potential remote exploit that is mitigated by the typical home user modem/router that refuses all incoming connections by default or by the firewall that any competent sysadmin would put in place.
Contact has been made on this report, yet the only action in the ChangeLog in the subsequent three days is business as usual. If this was serious, I would have expected some report of compromised systems in the almost five years since the 14.2 release that so many find frustrating.
Right, so is it an actual vulnerability, or is it a basic misunderstanding of the way the software works?
Probably it is something along the lines of what Darth Vader said countless years ago: it's a very bad idea for everybody to install tons of HTTP, FTP, GODKNOWSP servers by default, because of that Holy Full Install.
If I remember right, he evangelized for moving anything that is a network server into a separate category named "SRV", which would be unselected by default by the installer even on a full install.
But it looks like any respectable Slacker can't live without having at least INETD, Apache2 and two FTP servers on his/her/its HTPC...
Last edited by LuckyCyborg; 05-09-2021 at 11:18 AM.
We now have a potential remote exploit that is mitigated by the typical home user modem/router that refuses all incoming connections by default or by the firewall that any competent sysadmin would put in place.
Contact has been made on this report, yet the only action in the ChangeLog in the subsequent three days is business as usual. If this was serious, I would have expected some report of compromised systems in the almost five years since the 14.2 release that so many find frustrating.
I am not a competent sysadmin, in fact I am just an amateur playing with Slackware in his garage. I use it for nothing serious.
Should I stop using Slackware because I am incompetent at using it?
Last edited by LuckyCyborg; 05-09-2021 at 11:28 AM.
This report would best be categorized as a "supply chain" issue and we are trying to figure out what (if any) actual impact it might have and what (if anything) we can (assuming we should) do about it.
I am not a competent sysadmin, in fact I am just an amateur playing with Slackware in his garage. I use it for nothing serious.
Yet you feel very competent when giving advice. But I see this as unfair: you are using Slackware for "nothing serious" yet still trying to have influence on its development. Maybe it is time to start giving advice - to Windows? RHEL - I don't know what your distro is for your serious tasks. So I guess it is time to make a decision - to be serious or not. Imagine your suggestion will be accepted - like passing to the desktop release of Firefox - but it does not influence you - because no matter, your serious computer is somewhere else. This looks poor - say, accepting suggestions of someone using Slackware for fun - in conclusion it looks like Slackware is for fun only. Say "have fun" (only). Now you are seriously pushing XWayland, pipewire - for fun (only)?
Hmm, this is all a bit too vague for me. I have some ports open on both my router and my local Slackware machine firewall (because I use them), so what exactly is the current recommendation, to close all open Internet-facing ports?
Hmm, this is all a bit too vague for me. I have some ports open on both my router and my local Slackware machine firewall (because I use them), so what exactly is the current recommendation, to close all open Internet-facing ports?
What I read from rworkman's last post here: no need to worry too much.
Had it been something straight-up obvious and easily perpetrated I would presume it had been dealt with already.
Or at least some advice would have been shared.
FWIW, I don't worry about this... Just do the usual due diligence one always should.
This report would best be categorized as a "supply chain" issue and we are trying to figure out what (if any) actual impact it might have and what (if anything) we can (assuming we should) do about it.
Having received the report I felt I had not enough knowledge to properly assess it, so I am glad you do that for all of us, thanks. I told the OP that whatever you and Patrick decide I'd follow suit.
Probably it is something along the lines of what Darth Vader said countless years ago: it's a very bad idea for everybody to install tons of HTTP, FTP, GODKNOWSP servers by default, because of that Holy Full Install.
If I remember right, he evangelized for moving anything that is a network server into a separate category named "SRV", which would be unselected by default by the installer even on a full install.
But it looks like any respectable Slacker can't live without having at least INETD, Apache2 and two FTP servers on his/her/its HTPC...
Those services are disabled by default. If they aren't running, you can't be hit by vulnerabilities with them. Just stick with the default services...
What I don't understand is your love affair with everything Darth Vader. You continually bring up his posts years after he was banned... and the posts you bring up are usually about concepts that are generally anti-Slackware (like suggesting the installer offer partial installs here).
Slackware has always included a lot of software that many people won't use. Trying to change that is trying to change what Slackware is. Darth wasn't successful and you won't be either.
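The point made above, that an installed server only matters if it is actually enabled, can be checked directly. Slackware enables a service by setting the execute bit on its /etc/rc.d/rc.<name> script; rc.M skips scripts without it. The script below is an added example, not code from the thread or from Slackware itself: it lists which rc.* scripts carry the execute bit, tests one by name, and shows current listening sockets so enabled scripts can be matched against open ports. The RCDIR variable and the temporary demo directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit which Slackware-style rc.d
# service scripts are enabled. Slackware treats /etc/rc.d/rc.<name> as
# enabled when it is executable; rc.M skips non-executable scripts at boot.
# Everything below assumes that convention.

RCDIR="${RCDIR:-/etc/rc.d}"   # assumed default location of the rc scripts

# Print the names of rc.* scripts in a directory that carry the execute bit.
list_enabled_services() {
    dir="$1"
    for f in "$dir"/rc.*; do
        [ -f "$f" ] || continue
        [ -x "$f" ] && printf '%s\n' "${f##*/}"
    done
}

# Return 0 if the script for a specific service name is enabled, 1 otherwise.
service_enabled() {
    [ -x "$1/rc.$2" ]
}

# Show what is currently listening (TCP and UDP), so each enabled script can
# be matched to an open port. ss comes from iproute2; netstat is the fallback.
show_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnup 2>/dev/null
    else
        netstat -ltnup 2>/dev/null
    fi
}

# Demonstration on a constructed directory so the example runs without
# touching /etc: four service scripts exist, only rc.sshd is enabled.
demo_dir="$(mktemp -d)"
for s in rc.httpd rc.inetd rc.sshd rc.vsftpd; do : > "$demo_dir/$s"; done
chmod +x "$demo_dir/rc.sshd"
list_enabled_services "$demo_dir"     # prints: rc.sshd
rm -rf "$demo_dir"
```

On a real machine, run `list_enabled_services "$RCDIR"` and compare the result with `show_listeners`; a listening port with no corresponding enabled rc script (or the reverse) is worth explaining before worrying about what is merely installed.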
Yet you feel very competent when giving advice. But I see this as unfair: you are using Slackware for "nothing serious" yet still trying to have influence on its development. Maybe it is time to start giving advice - to Windows? RHEL - I don't know what your distro is for your serious tasks. So I guess it is time to make a decision - to be serious or not. Imagine your suggestion will be accepted - like passing to the desktop release of Firefox - but it does not influence you - because no matter, your serious computer is somewhere else. This looks poor - say, accepting suggestions of someone using Slackware for fun - in conclusion it looks like Slackware is for fun only. Say "have fun" (only). Now you are seriously pushing XWayland, pipewire - for fun (only)?
First of all, neither Wayland, XWayland nor even PipeWire was adopted by Slackware because I advocated for them. If you look for someone who requested them to be added to Slackware, it's probably Mr. Hameleers.
What I advocated is exclusively based on my own experiments, where I observed that a different branch of XWayland works better, and that PipeWire does many jobs on Wayland/Plasma5, hence I tried to find the best way to run its daemons.
On the other hand, I have no financial interest in making Slackware have a better Wayland, XWayland, Wayland/Plasma5 or a better sound system based on PipeWire. So, you can say that everything I did, and will do, is just a hobby.
Some people tune cars as a hobby, and just like them, my hobby is just to make the Wayland support better on Slackware, which is one of the operating systems I use. I currently use several others.
BUT, I earn my money from something entirely different from software: I am a geologist - again, I assure you that I will earn ZERO money if Slackware has a better Wayland.
If you are curious about my "serious computer", it's a laptop given to me by the Company where I work; it runs Windows 10 and tons of Windows software which has no equivalent in open source. It's not mine, and for any issue with it, a "competent sysadmin" of our Company should do his/her job.
Nope, even for my "serious computer" I am not a "competent sysadmin" - there's someone paid to do this job.