Right, so is it an actual vulnerability, or is it a basic misunderstanding of the way the software works?

Can someone from the team chime in here please?

4 members found this post helpful.

I think they already have.

We now have a potential remote exploit that is mitigated by the typical home user modem/router that refuses all incoming connections by default or by the firewall that any competent sysadmin would put in place.

Contact has been made on this report, yet the only action in the ChangeLog in the subsequent three days is business as usual. If this was serious, I would have expected some report of compromised systems in the almost five years since the 14.2 release that so many find frustrating.

disappointing

Probably is something along with what Darth Vader said countless years ago: it's a very bad idea everybody to install tons of HTTP, FTP, GODKNOWSP servers by default, because of that Holly Full Install.

If I remember right, he evangelized for moving anything meaning network server on a separate category named "SRV" and which category to be unselected by default even on full install by installer.

But looks like any respectable Slacker can't live without having on his/hers/its HTPC at least INETD, Apache2 and two FTP servers...

I am not a competent sysadmin, in fact I am just an amateur playing with Slackware on his garage. I use it for nothing serious.

I should stop using Slackware because I am incompetent of using it?

That's exactly my definition of a competent sysadmin

1 members found this post helpful.

This report would best be categorized as a "supply chain" issue and we are trying to figure out what (if any) actual impact it might have and what (if anything) we can (assuming we should) do about it.

9 members found this post helpful.

No, you're the .

1 members found this post helpful.

Thank you, Mrs. Hazel!

Keen logic as usual...

Yet you feel to be very competent when giving advice. But I see this unfair: you are using Slackware for "nothing serious" yet still trying to have influence on its development. Maybe it is time to start to give advice - to Windows? RHEL - don't know what is your distro for your serious tasks. So I guess time to make decision - to be serious or not. Imagine your suggestion will be accepted - like passing to desktop release of firefox - but it does not influence you - cause no matter - your serious computer is somewhere. This looks poor - say accept suggestions of someone using Slackware for fun - in conclusion it looks like Slackware is for fun only. Say "have fun" (only). Now you are seriously pushing XWayland, pipewire - for fun (only)?

2 members found this post helpful.

Hmm, this is all a bit too vague for me. I have some ports open on both my router and my local Slackware machine firewall (because I use them), so what exactly is the current recommendation, to close all open Internet-facing ports?

What I read from rworkman's last post here; Yet no need to worry too much.

Had it been something straight-up obvious and easily perpetrated I would presume it had been dealt with already.
Or at least some advice would have been shared.

FWIW, I don't worry about this... Just do the usual due-dilligence one always should.


Thanks
--
KarlMag

1 members found this post helpful.

Having received the report I felt I had not enough knowledge to properly assess it, so I am glad you do that for all of us, thanks. I told the OP that whatever you and Patrick decide I'd follow suite.

Those services are disabled by default. If they aren't running, you can't be hit by vulnerabilities with them. Just stick with the default services...

What I don't understand is your love affair with everything Darth Vader. You continually bring up his posts years after he was banned... and the posts you bring up are usually about concepts that are generally anti-Slackware (like suggesting the installer offer partial installs here).

Slackware has always included a lot of software that many people won't use. Trying to change that is trying to change what Slackware is. Darth wasn't successful and you won't be either.

4 members found this post helpful.

First of all, neither Wayland, XWayland or even PipeWire was adopted by Slackware because I advocated them. If you look for someone who requested them to be added on Slackware, probably he's Mr. Hameleers.

What I advocated is exclusively based on my own experiments, where I observed that a different branch of XWayland works better, and that PipeWire does many jobs on Wayland/Plasma5, hence I tried to find the best way to run its daemons.

In other hand, I have no financial interests on making Slackware to have a better Wayland, XWayland, Wayland/Plasma5 or a better sound system based on PipeWire. So, you can say that everything I did, and I will do, is just a hobby.

Some people tunes cars as hobby, and just like them, mine hobby is just to make the Wayland support better on Slackware, which is one of the operating systems which I use. I use currently several other.

BUT, I earn my moneys from something entirely different of software: I am geologist - again, I ensure you that I will earn ZERO money if Slackware will have a better Wayland.

If you are curious about my "serious computer", it's a laptop given by the Company where I work, it runs Windows 10 and tons of Windows software which has no equivalent on open-source. It's not mine, and for any issue with it, a "competent sysadmin" of our Company should do his/her job.

Nope, even for my "serious computer" I am not a "competent sysadmin" - there's someone payed to do this job.