Wednesday, July 30, 2008

Small Updates

Small updates prompted by the OpenSSL and Poppler upgrades were released today. They only went into -Current, and none of the updates are security related. Here's the -Current changelog:
Wed Jul 30 02:49:09 CDT 2008
a/hdparm-8.9-i486-1.tgz: Upgraded to hdparm-8.9.

kde/kdegraphics-3.5.9-i486-4.tgz: Recompiled against poppler-0.8.5.

kde/koffice-1.6.3-i486-4.tgz: Recompiled against poppler-0.8.5.

l/poppler-0.8.5-i486-1.tgz: Upgraded to poppler-0.8.5.

xap/gimp-2.4.6-i486-2.tgz: Recompiled against poppler-0.8.5.

xap/gxine-0.5.903-i486-1.tgz: Upgraded to gxine-0.5.903.

xap/imagemagick-6.4.2_5-i486-1.tgz: Upgraded to ImageMagick 6.4.2-5.

xap/windowmaker-20060427cvs-i486-1.tgz: Switched to a patched CVS snapshot to get this compiling again with gcc 4.x (against ImageMagick 6.4.2-5).

xap/xine-lib-1.1.14-i686-1.tgz: Upgraded to xine-lib-1.1.14.

Tue Jul 29 13:22:03 CDT 2008
n/proftpd-1.3.1-i486-2.tgz: Recompiled against new OpenSSL, since this evidently checks the OpenSSL version and will only run against the libraries it was compiled against. A small patch was also added to account for changes in the system includes.
Thanks to Martin Schmitz for the info and a pointer to the patch.

Tuesday, July 29, 2008

Pile of Security Updates

WOW!!!! A bunch of security updates just came out for both the -Current and -Stable trees. I was surprised to see lots of incoming email messages with slackware-security in the subject. Here they are:
Mon Jul 28 22:45:58 CDT 2008
a/openssl-solibs-0.9.8h-i486-1.tgz:
Upgraded to OpenSSL 0.9.8h shared libraries (see below).
(* Security fix *)

a/sysvinit-scripts-1.2-noarch-21.tgz: For now, quiet error output from update-mime-database, since KDE4 causes some "noise".

ap/vim-7.1.330-i486-1.tgz:
Upgraded to vim-7.1.330. This fixes several security issues related to the automatic processing of untrusted files.
For more information, see:
http://www.rdancer.org/vulnerablevim.html
(* Security fix *)

l/libxml2-2.6.32-i486-1.tgz: Upgraded to libxml2-2.6.32.

l/libxslt-1.1.24-i486-1.tgz: Upgraded to libxslt-1.1.24.
A buffer overflow when processing XSL stylesheets could result in the execution of arbitrary code.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767
(* Security fix *)

l/pcre-7.7-i486-1.tgz: Upgraded to pcre-7.7.
Tavis Ormandy of the Google Security Team found a buffer overflow triggered when handling certain regular expressions. This could lead to a crash or possible execution of code as the user of the PCRE-linked application.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
(* Security fix *)

n/fetchmail-6.3.8-i486-3.tgz: Patched to fix a possible denial of service when "-v -v" options are used.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
(* Security fix *)

n/httpd-2.2.9-i486-1.tgz: Upgraded to httpd-2.2.9.
This release fixes flaws which could allow XSS attacks.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
(* Security fix *)

n/links-2.1-i486-1.tgz: Upgraded to links-2.1.
Unspecified vulnerability in Links before 2.1, when "only proxies" is enabled, has unknown impact and attack vectors related to providing "URLs to external programs."
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3329
(* Security fix *)

n/mtr-0.73-i486-1.tgz: Upgraded to mtr-0.73.
This fixes a minor security bug where a very long hostname in the trace path could lead to an overflow (and most likely just a crash).
(* Security fix *)

n/net-snmp-5.4.1.2-i486-1.tgz: Upgraded to net-snmp-5.4.1.2.
A vulnerability was discovered where an attacker could spoof an authenticated SNMPv3 packet due to incorrect HMAC checking. Also, a buffer overflow was found that could be exploited if an application using the net-snmp perl modules connects to a malicious server.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
(* Security fix *)

n/openldap-client-2.3.43-i486-1.tgz: Upgraded to openldap-2.3.43.
This release fixes a security issue in slapd (our package does not ship it.)

n/openssh-5.1p1-i486-1.tgz: Upgraded to openssh-5.1p1.
When upgrading OpenSSH, it is VERY IMPORTANT to also upgrade OpenSSL, or it is possible to be unable to log back into sshd!

n/openssl-0.9.8h-i486-1.tgz: Upgraded to OpenSSL 0.9.8h.
The Codenomicon TLS test suite uncovered security bugs in OpenSSL.
If OpenSSL was compiled using non-default options (Slackware's package is not), then a malicious packet could cause a crash. Also, a malformed TLS handshake could also lead to a crash.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672
When upgrading OpenSSL, it is VERY IMPORTANT to also upgrade OpenSSH, or it is possible to be unable to log back into sshd!
(* Security fix *)

xap/gimp-2.4.6-i486-1.tgz: Upgraded to gimp-2.4.6.

xap/mozilla-thunderbird-2.0.0.16-i686-1.tgz: Upgraded to thunderbird-2.0.0.16.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
(* Security fix *)

xap/vim-gvim-7.1.330-i486-1.tgz: Upgraded to vim-gvim-7.1.330.
See "vim" above for details.
(* Security fix *)

xap/xscreensaver-5.06-i486-1.tgz: Upgraded to xscreensaver-5.06.
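
Added example (not part of the original post or of the Slackware project): a small Python parser for changelog text in the layout quoted above, which lists the packages marked `(* Security fix *)` along with any CVE ids they reference. The function names are made up for this example, and the sample input is an abridged excerpt of the entries above.

```python
import re

# Abridged excerpt of the Jul 28 2008 -Current changelog quoted in this post.
SAMPLE = """\
Mon Jul 28 22:45:58 CDT 2008
a/openssl-solibs-0.9.8h-i486-1.tgz:
Upgraded to OpenSSL 0.9.8h shared libraries (see below).
(* Security fix *)

a/sysvinit-scripts-1.2-noarch-21.tgz: For now, quiet error output from update-mime-database, since KDE4 causes some "noise".

l/libxslt-1.1.24-i486-1.tgz: Upgraded to libxslt-1.1.24.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767
(* Security fix *)

n/mtr-0.73-i486-1.tgz: Upgraded to mtr-0.73.
(* Security fix *)

n/net-snmp-5.4.1.2-i486-1.tgz: Upgraded to net-snmp-5.4.1.2.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
(* Security fix *)
"""

# A batch starts with a date line such as "Mon Jul 28 22:45:58 CDT 2008".
DATE_RE = re.compile(r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} "
                     r"\d{2}:\d{2}:\d{2} [A-Z]{3,4} \d{4}$")
# An entry starts with "[series/]name-version-arch-build.tgz:".
ENTRY_RE = re.compile(r"^(?:(?P<series>\S+)/)?(?P<file>[^\s/]+)\.tgz:\s*(?P<rest>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SECURITY_MARK = "(* Security fix *)"


def split_package(filename):
    """Split 'name-version-arch-build'; only the name may contain hyphens."""
    parts = filename.rsplit("-", 3)
    return tuple(parts) if len(parts) == 4 else (filename, "", "", "")


def parse_changelog(text):
    """Return one dict per package entry. Pass changelog text only: any
    prose after the last entry would be attributed to that entry."""
    entries, batch, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if DATE_RE.match(line):
            batch, current = line, None
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, version, _arch, _build = split_package(m["file"])
            current = {"batch": batch, "series": m["series"] or "", "name": name,
                       "version": version, "security": False, "cves": []}
            entries.append(current)
            line = m["rest"]
        if current is None:
            continue
        if SECURITY_MARK in line:
            current["security"] = True
        for cve in CVE_RE.findall(line):
            if cve not in current["cves"]:
                current["cves"].append(cve)
    return entries


def security_fixes(entries):
    return [e for e in entries if e["security"]]


def missing_cve(entries):
    """Security fixes with no CVE reference: these need a manual read."""
    return [e["name"] for e in security_fixes(entries) if not e["cves"]]


if __name__ == "__main__":
    for e in security_fixes(parse_changelog(SAMPLE)):
        print(e["series"], e["name"], e["version"], ", ".join(e["cves"]) or "-")
```
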

Order Arrived

About two months ago, I ordered a Serious Slackware T-shirt from the Slackware Store. I had some trouble convincing the officer about my credit card because Indonesia was well known for high credit card fraud in the past (it still is right now). Finally she (Theresa) was convinced after I showed her my CC number taken from my credit card issuer's web site. So she confirmed that my order was shipped on 28 May 2008.

The normal delivery time should be about two weeks, but it arrived just now, meaning it arrived after two months. Actually, I was kind of pessimistic about the order, since it had been more than one month. Perhaps it was lost or it didn't make it to my house. Well, I didn't expect this, but thank God it arrived safely.

Thursday, July 24, 2008

Security Update: dnsmasq

A new security update has been released, this time for the dnsmasq package. Along with that, beta versions of the JDK and JRE have been re-added and placed in /testing because the new version (update 7) does not fix the CUPS printing problem described earlier.
Wed Jul 23 16:39:43 CDT 2008
n/dnsmasq-2.45-i486-1.tgz:
Upgraded to dnsmasq-2.45.
It was discovered that earlier versions of dnsmasq have DNS cache weaknesses that are similar to the ones recently discovered in BIND.
This new release minimizes the risk of cache poisoning.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
(* Security fix *)

testing/packages/jdk-6u10_beta-i586-1.tgz: Added Java(TM) 2 Platform Standard Edition Runtime Environment Version 6.0 update 10 beta. Evidently the version 6.0 update 7 (stable) packages did not fix the CUPS printing issue, but these beta packages should (but remember, they are BETA releases).

testing/packages/jre-6u10_beta-i586-1.tgz: Added Java(TM) 2 Platform Standard Edition Development Kit Version 6.0 update 10 beta.
Both of these Java(TM) packages are suitable for use on Slackware 12.1 and probably on earlier releases as well.

Tuesday, July 22, 2008

Security Update: Firefox

It's quite late, but it's already out anyway, so get the latest Firefox 3 update on -Current (this package is only provided in -Current for now). It also includes a new configuration to allow mailto: links to open in Thunderbird (or other mailers). See the changelog entries below for more detail:
Mon Jul 21 11:15:47 CDT 2008
xap/mozilla-firefox-3.0.1-i686-1.tgz:
Upgraded to Firefox 3.0.1.
This fixes some security issues:
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
Also, thanks to Phillip Warner for providing a configuration fix to allow mailto: links to open in Thunderbird (or other mailers). To use this, you may need to copy /usr/lib/firefox-3.0.1/defaults/profile/mimeTypes.rdf over your own mimeTypes.rdf under $HOME/.mozilla/firefox/{something}.default, or merge in the changes to your own mimeTypes.rdf.
( -current only )
(* Security fix *)

Sunday, July 20, 2008

Java Updates

The final versions of the JRE and JDK have been released by Sun Microsystems, so without further ado, Pat has just included them in -Current because they can fix the printing problem caused by the previous version. The changelog says that both versions are compatible with Slackware 12.1 and earlier releases.

Here's the latest -Current changelog:
Sat Jul 19 17:09:00 CDT 2008
l/jre-6u7-i586-1.tgz: Switched to Java(TM) 2 Platform Standard Edition Runtime Environment Version 6.0 update 7. This non-beta stable release should fix the printing issues with CUPS in the previous stable Java(TM) release.

extra/jdk-6/jdk-6u7-i586-1.tgz: Switched to Java(TM) 2 Platform Standard Edition Development Kit Version 6.0 update 7.
Both of these Java(TM) packages are suitable for use on Slackware 12.1 and probably on earlier releases as well.

Thursday, July 17, 2008

NVIDIA Works Again on 2.6.26

Well, a few days after 2.6.26 was released, NVIDIA finally released a new driver which restores compatibility with the kernel. In fact, I was one of the victims who ran into a problem when I tried to upgrade my kernel and compile my NVIDIA driver. It wouldn't compile, since the changes in the kernel broke the driver.

Well, at least they have fixed it now and it should work on 2.6.26 too. Here are the information pages:

173.xx
71.xx (Legacy)
96.xx (Legacy)

Security Fix: Seamonkey, Firefox

Two new security packages have been released: Firefox 2.0.0.16 and Seamonkey 1.1.11. They have been released to -Stable and also to -Current (Firefox in -Current will be upgraded to 3.0.1 as soon as it has been released by the Mozilla team).

In -Current itself, several packages have been upgraded, like ntfs-3g, util-linux, mesa, and seamonkey itself. So far, the changes don't touch the toolchain, so it's still compatible with a patched-up 12.1 box. Pat will announce when they break compatibility with 12.1. That's when the real -Current tree starts.

Monday, July 14, 2008

2.6.26: Not For Me Yet

I have just upgraded to the latest 2.6.26 kernel. Too bad, my fun only lasted for a few hours, since it's not for me. On my desktop at home, I couldn't compile the NVIDIA drivers, because NVIDIA hasn't released a patch or a new driver compatible with the 2.6.26 series yet. No big problem though, as I can use the old nv driver, but as a consequence I will not be able to launch Compiz for a while until they ship another driver. I'll be out for one or two days, and I hope they will have shipped that new driver when I come back home.

On my office desktop, I don't use Compiz, so it's not a big deal. The problem is that the new kernel caused my hard drive to make a noisy sound when it accessed data. I don't know what the cause is, but it doesn't happen when I use the old kernel (2.6.25.9). Well, rather than killing my hard drive, I will stay with 2.6.25.x for now, as I don't need many of the new features in 2.6.26 for now. I will do some testing when 2.6.26.1 comes out.

Migrate to Alpine?

Pine, a famous text-based email client, has reached the end of its development cycle and is now being replaced by its successor, Alpine. This has been stated on its official website:

Pine is no longer under active development. Consider evaluating its successor, Alpine, which supports all of Pine's functionality and more.

Alpine looks promising to me, as it's backward compatible with the old Pine, meaning that your data will be preserved when you migrate (even though it's still recommended to do a full backup before you start migrating to Alpine). Not only is it compatible, it also supports more features than Pine. Right now, the latest version is 1.10, which fixed quite a lot of problems and also includes some new features.

For those who loved using the Pine patches from Eduardo Chappa, you will be pleased that he now also provides patches for Alpine.

The problem is that Alpine is not yet included in the -Current tree. Probably Pat is busy preparing for the upcoming KDE 4.1 or planning what to include in the next -Current tree, or perhaps he's still on vacation. When I looked at it briefly, the SlackBuild script used to build Pine should work for Alpine too, with some modifications to the application name and version. I just hope it makes it into -Current, as Pine is no longer developed upstream.

Friday, July 11, 2008

One At A Time

One by one, my colleagues are migrating to Linux. Today, I helped another colleague of mine migrate to Slackware. He had wanted to migrate to Linux for a long time, but in the past, whenever there was a temptation to use Windows again, he postponed his plan to use Linux, until lately. He's very eager to try Linux and he wants to do a full migration, but he can't do it in one big step. For now, dual booting is the right choice, but he will try to use Linux as much as possible.

His first choice was Ubuntu. He tried using 7.04 (that was before he asked me to help him). It failed during the partitioning phase. At this point, he asked me to look into it. I had Ubuntu 8.04 on my repository computer, so I tried to use it. The symptoms were the same: it failed while scanning the partitions. I tried several ways, but I couldn't find a solution for that.

The next trial was Mandriva 2008.1. Mandriva did detect the hard drive, but it couldn't find the correct driver for the device. It's a SATA hard drive with an Intel SATA Controller (ICH 7 Family) on it. I tried to find some resources on the Internet, but had no luck (perhaps I'm not too good at searching for hardware).

So finally I tried Slackware 12.1 (my favorite). Guess what? Yep, it works perfectly. It detected the hard drive perfectly and the installation would have been smooth if not for my own mistake, which meant I had to repeat part of the process. I forgot to format some partitions as ext3, so /home and /data were still FAT32. I ran into a problem when I logged in to a normal account, as the partitions were owned by root and not by the local users. I deleted the normal users and I knew that I had to repeat the installation process (not all of it, only the partition setup).

I booted the Slackware DVD from InfoLinux again, re-formatted the partitions as ext3, and then rebooted into the system. It didn't find /home and /data again, since the entries in /etc/fstab were still pointing to vfat, when they should be ext3. No big problem, as I didn't have a normal user yet. I edited the fstab, rebooted, and voila, all the partitions are now in place.

Next was setting up the system. I did some small configuration and also upgraded the packages to the latest versions in the -Stable tree. I also installed OpenOffice.org because this is the primary need. Firefox was installed from -Current plus a flash player. Too bad Pidgin is still unable to get through the proxy, so we still have to use the web-based Yahoo Messenger client. Besides all of this, the rest is perfect for him. He will start his exploration next week.

Well, it's a big step today. We make changes by changing one person at a time. At a certain point, we will be amazed at how many people we have changed in the past.

Bunch of X updates

Today, several packages in the x/ directory got updated, along with two new packages. Here's the latest -Current changelog:
Thu Jul 10 18:40:34 CDT 2008
d/nasm-2.03.01-i486-1.tgz: Upgraded to nasm-2.03.01.

x/compiz-0.7.6-i486-1.tgz: Upgraded to compiz-0.7.6.

xf86-video-ati-6.9.0-i486-1.tgz: Upgraded to xf86-video-ati-6.9.0.

xf86-video-mach64-6.8.0-i486-1.tgz: Added xf86-video-mach64-6.8.0.
This can be used alone with driver type "mach64" in xorg.conf, or with type "ati" using both this package and the ati driver package as a wrapper.

xf86-video-r128-6.8.0-i486-1.tgz: Added xf86-video-r128-6.8.0.
This can be used alone with driver type "r128" in xorg.conf, or with type "ati" using both this package and the ati driver package as a wrapper.

xf86-video-intel-2.3.2-i486-1.tgz: Upgraded to xf86-video-intel-2.3.2.

xf86-video-nv-2.1.10-i486-1.tgz: Upgraded to xf86-video-nv-2.1.10.

Thursday, July 10, 2008

Security Updates: Firefox, Seamonkey, Bind

Three security updates and one updated package have gone into -Stable and -Current. Bind and Seamonkey go to -Current along with an updated Pidgin package that makes it work again with the recently changed ICQ protocol, while Firefox is also added to the -Stable tree, because in -Current, Firefox 3 has been included to replace Firefox 2. Here's the latest -Current changelog:
Wed Jul 9 20:48:22 CDT 2008
n/bind-9.4.2_P1-i486-1.tgz:
Upgraded to bind-9.4.2-P1.
This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache Poisoning Issue. This is the summary of the problem from the BIND site: "A weakness in the DNS protocol may enable the poisoning of caching recursive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack." It is suggested that sites that run BIND upgrade to one of the new packages in order to reduce their exposure to DNS cache poisoning attacks.
For more information, see:
http://www.isc.org/sw/bind/bind-security.php
http://www.kb.cert.org/vuls/id/800113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
(* Security fix *)

xap/pidgin-2.4.3-i486-1.tgz: Upgraded to pidgin-2.4.3.
This updates pidgin to work with the changed ICQ protocol.

xap/seamonkey-1.1.10-i486-1.tgz:
Upgraded to seamonkey-1.1.10.
This release closes several possible security vulnerabilities and bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey
(* Security fix *)

Wednesday, July 2, 2008

Linux Hater's Blog

I was browsing the net and I found this blog. What surprised me is the poll on the right side of the blog. The question at the time of writing this post (it could change anytime) is "Which community distro do you hate the most?" What's the answer? It surprised me: the Ubuntu community is the most hated and Slackware is the most loved community.

There are more than one thousand votes in total, and Slackware only got 74 of them. Ubuntu, the number one distro (according to DistroWatch), was voted for more than 250 times (278 to be precise). Ubuntu is so popular, but still there are people who dislike its community. I don't know why, but it's just a poll. It doesn't reflect the actual fact that the Ubuntu community is probably the biggest one (currently).

I'm just happy to see that the Slackware community is not among the top three or top five. It proves that the Slackware community is probably friendly. Look at LinuxQuestions for proof.

New Poll

Time for a new poll on the blog. This month's question is about KDE 4 in Slackware. We all know that KDE 4.1 will be shipped at the end of this month. Unlike other Linux distros, Slackware didn't include it as the default window manager when 12.1 shipped, simply because it was not considered stable enough, and stability is one of the key points for Slackware.

Robby Workman has tested this new KDE and provides packages (both source and binary) on his web site for you all to test. Some people have started to use KDE 4 and it's getting bigger and bigger. The peak will be at the 4.1 release. The next Slackware release *might* include KDE 4.1. I say might because it's up to Patrick to decide. But from what I see in the changelog, the next Slackware will be targeting KDE 4.1:
Wed Jan 30 19:07:35 CST 2008
Great thanks are also due to the KDE team, not only for their tremendous accomplishments over the years, but for the gracious reception they gave to the members of the Slackware team who traveled to the release event. What a wonderful group of people! We had a great time there, learned a lot, and will be applying that knowledge and our new contacts within KDE to provide the best possible KDE experience for Slackware users. The next Slackware release will contain KDE 3.5.9, but we're targeting KDE 4.1.x for the one after that. The application end of things doesn't quite fully cover KDE3's functionality yet, but by then it will. As I'm sure most of you know, Robby has put up test packages of the initial KDE 4.0 release which I've tested and found to be consistent with what to expect from a developer's preview.

The look of the new desktop is stunning, and the use of SVG and hardware acceleration gives (IMHO) even something like MacOS a run for its money in terms of appearance and user-friendliness. We look forward with great anticipation to merging KDE4 when it is mature enough (and it's getting there fast), and then watching it just get better and better.
Once again, _huge_ thanks to our KDE friends! Stop by here any time. :-)
So, without further ado, here's the new poll for all of you guys (and gals).

Poll Results

It's been a long two months since Slackware 12.1 was published; people have given their votes in the poll and it's time to show the result. The question was "Slackware 12.1 Released. What would you do?" We have a definite winner and here's the result:
Run fresh installation 131 (57%)
Manually upgrade (using upgradepkg) 39 (17%)
Automatic upgrade (using tools, such as slackpkg) 25 (10%)
Wait for public review and testing 3 (1%)
Running test in other test system 3 (1%)
Running in virtualization system 5 (2%)
Stick with the old version for now 11 (4%)
Stick with the Linux distribution i used currently 2 (0%)
Migrating to Slackware 10 (4%)

The majority of the voters chose to run a fresh installation, with more than half of the votes. Probably because they didn't want to go through the trouble of a manual upgrade. The main reason is that you must do it the proper way unless you want to end up with a broken system (for example, segfaults all the time just because you forgot to upgrade the glibc-solibs library at the beginning of the upgrade process).

Some people also love the availability of automatic tools that can help them upgrade to the next version. While I don't like this approach, some people think of it as a shortcut, because they don't have to think about lots of things as they are taken care of by the tools. Some tools are good at doing their jobs, and some aren't, so pick wisely.

I personally picked manual upgrade using upgradepkg, because I use -Current on a daily basis, so the default Slackware package management tools (pkgtools) are adequate for me. As long as you read the instructions, you will not get burned. I have proven this for myself, as my laptop was based on Slackware 10.1 and I never ran a fresh installation whenever the next Slackware was released. I upgraded it manually using upgradepkg and so far, it works perfectly.

Security Update: XOrg Server

Three security updates plus one font update have been released for the -Current version of Slackware. The security updates are related to the XOrg packages. Soon, Slackware might migrate to XOrg 1.5, which has been released, but that would be in the next cycle of the -Current tree (it hasn't officially started yet).

Here's the latest -Current changelog:
Tue Jul 1 13:29:45 CDT 2008
x/wqy-zenhei-font-ttf-0.6.26_0-noarch-1.tgz:
Upgraded to wqy-zenhei-font-ttf-0.6.26-0.
Thanks to the WenQuanYi font authors for producing such a high-quality font.

x/xorg-server-1.4.2-i486-1.tgz:
Upgraded xorg-server to address denial of service and possible arbitrary code execution flaws reported in xorg-server 1.4 prior to 1.4.2.
For more information about the issues patched, please refer to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2362
(* Security fix *)

x/xorg-server-xnest-1.4.2-i486-1.tgz: Security fixes (see CVE entries above).
(* Security fix *)

x/xorg-server-xvfb-1.4.2-i486-1.tgz: Security fixes (see CVE entries above).
(* Security fix *)