LinuxQuestions.org


donrich39 03-23-2015 01:08 PM

Why are we only getting patches for 14.1 and current?
 
It seems that we are only getting patches for Slack 14.1 and current. Even 14.0 hasn't gotten patches recently; Firefox is at version 17.

dugan 03-23-2015 01:16 PM

The last patch for 14.0 was in mid February. Just a month and a week ago.

http://ftp.oregonstate.edu/pub/slack.../ChangeLog.txt

Was Firefox 17 (in 14.0) affected by the security vulnerabilities that affected the later versions that were included with 14.1, and which necessitated them being upgraded in 14.1?

T3slider 03-23-2015 01:19 PM

Older releases of Slackware get patches 'where feasible'. Slackware 14.0 received some patches last month. As for Firefox, as far as I know newer versions of Firefox will not compile on the older releases of Slackware (its dependencies are too old). You would be best off using ruario's latest-firefox script which downloads and repackages the official upstream Mozilla binary build, which is compiled for broad use and should still work on older versions of Slackware.

donrich39 03-23-2015 01:33 PM

OK, point taken.
I will investigate https://gist.github.com/ruario/9672798 as suggested by T3slider.
Thanks much.

donrich39 03-23-2015 02:20 PM

ruario's latest-firefox script is awesome!
Thanks so much.

bassmadrigal 03-23-2015 03:13 PM

He also has one for Chrome, if you're interested in running Chrome versions (it was always such a pain to update Chrome using the official method in extra/).

mancha 03-25-2015 10:18 PM

Quote:

Originally Posted by dugan (Post 5336473)
Was Firefox 17 (in 14.0) affected by the security vulnerabilities that affected the later versions that were included with 14.1, and which necessitated them being upgraded in 14.1?

The short answer is yes.

The longer answer is you can look at Mozilla's FF-ESR known vulnerabilities list. The mapping will not be one-to-one with FF ESR17 because some of the later vulnerabilities might be in code introduced after ESR17 EOL'd. On the other hand, there might be undiscovered vulnerabilities in ESR17 code that has since been ripped out for non-security reasons in later versions. To make a precise assessment you'll have to actually review source code.

However, there's another important dimension aside from security bugs in the FF codebase - the constant wave of implementation improvements of secure protocols. For example, with regard to the recent'ish POODLE attack, FF34 disabled SSLv3 and FF35 went further and introduced TLS_FALLBACK_SCSV.

Similarly, FF32 began phasing-in preloaded key-pinning and FF35 introduced HPKP. Both quite relevant given the recent troubling news of an intermediate Certificate Authority, under CNNIC auspices, issuing fake Google certificates. Anyone using FF earlier than FF33 would have thought those fake Google certs were OK (the browser would have taken them to be 100% valid).

I could go on but I think I've made my point. Yes, older FF versions do have vulnerabilities in their code and that's a problem. But at least equally as important, older FFs lack significant innovations that address real-world security issues.

The moral of the story: keep your FF very up-to-date.

--mancha
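
The pin check behind the HPKP mechanism mentioned in the post above, as an added example that is not part of the thread or of Firefox's code: a client that has stored a site's pins rejects a chain whose keys are not pinned, even when that chain validates against a trusted CA. The function names are hypothetical, and the byte strings are constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp(header: str):
    """Parse a Public-Key-Pins header value into (set of pins, max-age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.lower() == "pin-sha256" and value:
            pins.add(value)
        elif name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age


def chain_allowed(pins, chain_spkis) -> bool:
    """Pin validation: at least one key in the validated chain must be pinned."""
    return any(spki_pin(k) in pins for k in chain_spkis)


def header_acceptable(header: str, chain_spkis) -> bool:
    """Pins are stored only if max-age is present, the current chain matches
    a pin, and a backup pin that is not in the current chain is also listed."""
    pins, max_age = parse_pkp(header)
    in_chain = {spki_pin(k) for k in chain_spkis}
    return max_age is not None and bool(pins & in_chain) and bool(pins - in_chain)


# Constructed placeholders standing in for DER-encoded SPKI blobs (not real keys).
SITE_LEAF, SITE_CA = b"spki:site-leaf", b"spki:usual-intermediate"
BACKUP = b"spki:offline-backup-key"
OTHER_LEAF, OTHER_CA = b"spki:mis-issued-leaf", b"spki:unexpected-intermediate"

HEADER = (f'pin-sha256="{spki_pin(SITE_CA)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          "max-age=5184000; includeSubDomains")

if __name__ == "__main__":
    stored, _ = parse_pkp(HEADER)
    print("header stored on first visit:", header_acceptable(HEADER, [SITE_LEAF, SITE_CA]))
    print("usual chain allowed:", chain_allowed(stored, [SITE_LEAF, SITE_CA]))
    # Chain-valid under an unpinned CA, yet rejected by the pin check.
    print("unexpected-CA chain allowed:", chain_allowed(stored, [OTHER_LEAF, OTHER_CA]))
```

A browser without pinning support performs only ordinary chain validation, so the last check never happens and the unexpected chain is accepted.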

