I request the name of this thread be changed to something less likely to drive away Slackware users. These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.
In fact, I don't see why you don't submit these to Pat V. himself, if you believe they are so important. He might not even see them here.
These are NOT all security vulnerabilities, they are NOT all outstanding, and they are NOT critical.
These vulnerabilities are outstanding as of 20140113 and have security implications of varying degree. Claiming otherwise, as you've done twice now, is confusing to readers who might inadvertently believe you.
Quote:
Originally Posted by metaschima
In other words, don't let this thread chase you away from Slackware.
Quote:
Originally Posted by metaschima
If corvid posts again (that was his last post), then I'll believe it.
It's clear corvid's comment has given you the jitters. I wish he'd not made it here because as a result the thread is now more noise than signal (BTW, he made a similar comment in January 2012).
But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.
Have you submitted these to Pat V.? If not, send him an e-mail.
I'm wondering where the other Slackware devs are, and what their comments on these issues are. I request at least that, otherwise this thread doesn't look right, and I don't like that. Slackware is a great distro and I don't like the image it is getting here in this thread. Maybe that wasn't the original intent, but that's what it is now.
But, you've got it backwards. Raising awareness, sharing information, and most importantly providing solutions for these issues, makes Slackware and its community stronger, not weaker.
I can see both sides here - but ultimately I agree with mancha because as the user/maintainer of a system running Slackware, I'd rather be aware of the current potential security issues (whatever their severity) and decide what to do about them, whilst I am awaiting an update in the Slackware tree. After all, if I have to rebuild a system that was compromised, that's going to take me a *lot* longer than preparing a patch myself or a short term work-around.
I also recommend that you post more information about each vulnerability instead of just "CVE-2013-4545 fixed." Post what the fix does and how severe it is. I'm sure you want something that will benefit Slackware, so putting accurate, detailed information is much less likely to scare off users. At least post a link to the page that describes the problem and fix, and rate its severity.
Last edited by metaschima; 01-14-2014 at 11:50 AM.
Security of your system is your responsibility, not Master Volkerding's. Seasoned systems administrators are current with the entries in https://isc.sans.edu/diary.html, and probably have read at least a few of the security-related white papers at SANS. In fact, there is enough information on that site to become qualified as a security expert, but if that's your goal, sign up for classes at http://www.sans.edu/. Be proactive.
Note: upgrading xorg-server packages will overwrite proprietary video drivers so if you use those you'll need to re-install them after the upgrade.
Finally, I am providing CVE-2013-6425.ods, a LibreOffice spreadsheet proof-of-concept thanks to Ubuntu, which shows the DoS against X. Make sure you've saved everything you're working on before doing this because it'll crash the X server:
Well, that's more like it. I can see now that you are actually trying to help Slackware users. Providing patches and packages to fix these issues, and even a proof-of-concept is a great thing.
I apologize for doubting your good intentions earlier. May I recommend that you make your intentions more clear in your initial posts by explaining a bit about what you are trying to achieve. Writing a short statement about your concern on outstanding vulnerabilities, links to explanations of the vulnerabilities, saying that you e-mailed Mr. Pat V with them, and saying that you wish to help users resolve these vulnerabilities would do wonders on how people interpret your thread. Like 2 sentences is all it takes, and there won't be any more confusion. Again, I understand now that your intentions are good, but only after this last post.
Lastly, just so people don't get me wrong, I would like to say that Slackware is a great distro, the best I've tried. I would like to help it out as much as I can, and I don't like to see its name tarnished. I reacted the way I did, because the intentions of the thread were unclear to me. Maybe they were clear to others. I guess maybe it is because I'm new here, and I don't know exactly how things are done.
"Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value."
We are already running 0.32.0. The vulnerable version was 0.30.0. BTW, who has the Intel Xorg driver installed? That isn't what Slackware distributed on November 8, 2013. We already have the fixed pixman.h in pixman and xorg. Here's the patch that was applied last October: http://lists.x.org/archives/xorg-dev...er/037996.html
https://cve.mitre.org has revamped their website. A lot of legacy incidents appear to be new, but upon further investigation, you'll find they were closed last year.
Just to be safe, though, I'm keeping my aluminum foil "Tin Woodman" hat within reach.
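The integer underflow the CVE text above describes, as an added C example that is not from this thread or from Pixman itself: the difference-based check is modelled on the pre-0.32.0 pixman_trapezoid_valid macro and the direct comparison on the 0.32.0 fix (both are reconstructions, not pixman.h verbatim), with the 32-bit wrap-around made explicit through unsigned arithmetic so the behaviour is well defined.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for pixman's trapezoid: only the fields the validity
 * check consults. pixman_fixed_t is a 32-bit fixed-point integer. */
typedef int32_t pixman_fixed_t;
typedef struct { pixman_fixed_t top, bottom; } trapezoid_t;

/* Modelled on the pre-0.32.0 check, which tested the sign of the
 * difference (bottom - top). With 32-bit wrap-around (done here via
 * unsigned arithmetic, since signed overflow is undefined in C), a
 * sufficiently negative bottom makes the difference wrap to positive,
 * so a trapezoid with bottom far above top is reported as valid. */
int valid_by_difference(const trapezoid_t *t)
{
    uint32_t diff = (uint32_t)t->bottom - (uint32_t)t->top;
    return (int32_t)diff > 0;
}

/* Modelled on the 0.32.0 fix: compare the operands directly, which
 * cannot overflow regardless of how negative bottom is. */
int valid_by_compare(const trapezoid_t *t)
{
    return t->bottom > t->top;
}

/* Returns 1 when the two checks disagree, i.e. for a value the old check
 * would have accepted and the fixed check rejects. */
int checks_disagree(pixman_fixed_t top, pixman_fixed_t bottom)
{
    trapezoid_t t = { top, bottom };
    return valid_by_difference(&t) != valid_by_compare(&t);
}

int main(void)
{
    /* Constructed values: an ordinary trapezoid and one whose negative
     * bottom is far enough below zero to wrap the 32-bit difference. */
    trapezoid_t ok  = { 100, 200 };
    trapezoid_t bad = { 100, INT32_MIN + 50 };
    printf("ordinary:        old=%d fixed=%d\n",
           valid_by_difference(&ok), valid_by_compare(&ok));
    printf("negative bottom: old=%d fixed=%d\n",
           valid_by_difference(&bad), valid_by_compare(&bad));
    return 0;
}
```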