Saturday, February 21, 2009

Security Update: git and libpng

Two security updates have been released today along with several other updated packages on -Current and -Stable. Here they are:
Fri Feb 20 17:20:49 CST 2009
a/cpio-2.9-i486-1.tgz: Upgraded to cpio-2.9.

ap/cdrtools-2.01.01a57-i486-2.tgz: Fixed build script to put the charset conversion tables in /usr/lib/siconv. Hopefully this will work correctly with k3b now. Thanks to Krasimir Kazakov for the bug report.

ap/sqlite-3.6.11-i486-1.tgz: Upgraded to sqlite-3.6.11.

d/git- Upgraded to git-
This fixes a vulnerability where running git-diff or git-grep on a hostile git repository would result in the execution of arbitrary code as the git user.
For more information, see:
(* Security fix *)

d/subversion-1.5.5-i486-1.tgz: Upgraded to subversion-1.5.5.

l/libpng-1.2.35-i486-1.tgz: Upgraded to libpng-1.2.35.
This fixes multiple memory-corruption vulnerabilities due to a failure to properly initialize data structures.
For more information, see:
(* Security fix *)

n/dnsmasq-2.47-i486-1.tgz: Upgraded to dnsmasq-2.47.

n/vsftpd-2.1.0-i486-1.tgz: Upgraded to vsftpd-2.1.0.

testing/packages/kde4/extragear/ktorrent-3.2-i486-1.tgz: Upgraded to ktorrent-3.2.

Thursday, February 12, 2009

Kdelibs Gets Reverted

Due to a problem with KTorrent after kdelibs received several patches, one of the patches in kdelibs has now been reverted to make it work with KTorrent again. Here's the single change today:
Wed Feb 11 19:23:47 CST 2009
testing/packages/kde4/kde/kdelibs-4.2.0-i486-3.tgz: Reverted patch r918403 which broke ktorrent.

Tuesday, February 10, 2009

Security Update: wicd

The wicd package has been upgraded to fix security problems found in its D-Bus configuration which can lead to local information disclosure. Along with this update, other updates come along in the -Current changelog, most of them in /testing for KDE 4 packages.

Here is the latest -Current changelog:
Mon Feb 9 16:03:32 CST 2009
ap/cdrtools-2.01.01a57-i486-1.tgz: Upgraded to cdrtools-2.01.01a57.
Also, fixed a build script error so that the utilities look for locale files in the correct directory. Thanks to Krasimir Kazakov for the bug report.
Anyone who had problems with k3b previously should upgrade this package.

extra/wicd/wicd-1.5.9-noarch-1.tgz: Upgraded to wicd-1.5.9.
This fixes a security problem with the D-Bus configuration file that allows local users to intercept D-Bus messages, possibly including wireless network credentials.
For more information, see:
(* Security fix *)

testing/packages/kde4/deps/eigen2-r922425-i486-1.tgz: Upgraded to eigen2-r922425.

testing/packages/kde4/kde/kdelibs-4.2.0-i486-2.tgz: Added bugfix patches from SVN: r917170, r918403, r918654, r918838.

testing/packages/kde4/kde/kdevelop-3.9.91-i486-1.tgz: Upgraded to kdevelop-3.9.91.

testing/packages/kde4/kde/kdevplatform-0.9.91-i486-1.tgz: Upgraded to kdevplatform-0.9.91.

testing/packages/kde4/kde/koffice- Upgraded to koffice-

testing/packages/kde4/kde-l10n/koffice-l10n-*- Upgraded to koffice- l10n packages.

Friday, February 6, 2009

Converting OOo 3.0.1 Using rpm2tgz

Shortly after I found out that OOo 3.0.1 had come out a few weeks ago, I downloaded the binary package (tar.gz) and used the SlackBuild script from the SlackBuilds project to convert it into a single RPM package. Unfortunately, the script needed to be updated because there are several changes in OOo 3.0.1. Since at that time the script hadn't been updated by Robby (the current maintainer), I chose to use rpm2tgz to convert the RPM packages into tgz.

Based on my past problem, I found all the files which should end with .xml but got converted into .xm and fixed them as soon as possible. Well, actually in OOo 3.0.1, the problem affects not only .xml files, but also .xcs and .xcu. This is why I got an invisible Impress menu described in my other blog. I reported it to the OOo issue tracker and the problem was fixed in just two days.

For those who have the same problem as I do, use this command to find which files got renamed:
find /opt/* -name "*.xc"
I got this as the result in my system


The solution is very simple. Rename all .xc files in the schema directory to .xcs and the rest to .xcu. After doing this, restart your OOo and voila, everything is back to normal again.

Since the SlackBuild script for OOo 3.0.1 has been released, it's suggested that you use the SlackBuild script instead of playing with rpm2tgz, unless you want to do the above update manually.

Security Update: Mozilla Firefox

One security update has been released today, which is Mozilla Firefox. Another update in -Current is ghostscript, which is upgraded to a higher version after being tested by ABE Shin-ichi. Here's the latest -Current changelog:
Thu Feb 5 15:19:56 CST 2009
ap/ghostscript-8.64-i486-1.tgz: Upgraded to ghostscript-8.64.
Thanks to ABE Shin-ichi for updating the build script and testing CJK output.

Upgraded to firefox-3.0.6.
This fixes some security issues:
For more information, see:
(* Security fix *)

Finding Slackware Packages Easily

Most of Debian and/or its derivatives use apt-get to find the packages they want to install on their systems. This works because Debian has very large repositories which contain lots of packages. The same goes for some other big distributions like Mandriva and OpenSUSE. What about Slackware?

Slackware does not have official repositories outside (and for now) which is maintained by Patrick himself. There are however other repositories which contain SlackBuild scripts and/or Slackware packages, like LinuxPackages, Slacky.EU and the SlackBuilds project.

Tony from Russia has developed a nice system called SlackFind, a Slackware Packages Search System, which is like Slackware's Package Browser, but instead of searching for official packages, SlackFind can search through several repositories and look for SlackBuilds or Slackware packages. So far, they have listed about 7 repositories on their system, but I think it's just a matter of time before more and more repositories are added to their system.

Please note that their system only contains the metadata about the repositories and links to them on each action. The site does not save any packages/SlackBuild scripts on its own site.

Tuesday, February 3, 2009

Security Update: xdg-utils

There is one security update that was released today by Slackware Security Team, which is xdg-utils. It's applicable to Slackware 12.2 and -Current. Here's the long description about the bug in -Current changelog:
Mon Feb 2 17:47:18 CST 2009
This update fixes two security issues. First, use of xdg-open in /etc/mailcap was found to be unsafe -- xdg-open passes along downloaded files without indicating what mime type they initially presented themselves as, leaving programs further down the processing chain to discover the file type again. This makes it rather trivial to present a script (such as a .desktop file) as a document type (like a PDF) so that it looks safe to click on in a browser, but will result in the execution of an arbitrary script. It might be safe to send files to trusted applications in /etc/mailcap, but it does not seem to be safe to send files to xdg-open in /etc/mailcap.
This package will comment out calls to xdg-open in /etc/mailcap if they are determined to have been added by a previous version of this package.
If you've made any local customizations to /etc/mailcap, be sure to check that there are no uncommented calls to xdg-open after installing this update.
Thanks to Manuel Reimer for discovering this issue.
For more information, see:
Another bug in xdg-open fails to sanitize input properly allowing the execution of arbitrary commands. This was fixed in the xdg-utils repository quite some time ago (prior to the inclusion of xdg-utils in Slackware), but was never fixed in the official release of xdg-utils. The sources for xdg-utils in Slackware have now been updated from the repo to fix the problem.
For more information, see:
(* Security fix *)
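
The check the changelog asks for (no uncommented calls to xdg-open left in /etc/mailcap), written out as an added example that is not part of the original post or of the Slackware package. The function names `find_xdg_open_entries` and `write_sample_mailcap` and the sample file contents are constructed for illustration; the scan also follows backslash-continued entries, which a line-by-line grep would misjudge.

```shell
#!/bin/sh
# Added example: report active mailcap entries that hand files to xdg-open.

find_xdg_open_entries() {   # $1 = mailcap path; prints "LINE MIMETYPE"
    awk '
    function check(entry,    n, f, i, type) {
        n = split(entry, f, ";")
        type = f[1]
        gsub(/^[ \t]+|[ \t]+$/, "", type)
        for (i = 2; i <= n; i++)       # view command and every later field
            if (f[i] ~ /(^|[^A-Za-z0-9_.-])xdg-open([^A-Za-z0-9_.-]|$)/) {
                print start, type
                return
            }
    }
    # Assumption: "#" only marks a comment at the start of an entry, so a
    # commented first line never hides the lines that follow it.
    !cont && (/^#/ || /^[ \t]*$/) { next }
    {
        if (!cont) { start = NR; buf = "" }
        line = $0
        if (line ~ /\\$/) {            # trailing backslash: entry continues
            sub(/\\$/, "", line)
            buf = buf line
            cont = 1
            next
        }
        cont = 0
        check(buf line)
    }
    END { if (cont) check(buf) }       # file ended inside a continuation
    ' "$1"
}

write_sample_mailcap() {    # constructed sample, not a real system file
    cat > "$1" <<'EOF'
# entry commented out by the package update
#application/pdf; /usr/bin/xdg-open %s
text/html; /usr/bin/xdg-open %s; test=test -n "$DISPLAY"
image/png; /usr/bin/display %s
application/postscript; \
    xdg-open %s
text/plain; less %s
EOF
}

sample=$(mktemp)
write_sample_mailcap "$sample"
find_xdg_open_entries "$sample"
rm -f "$sample"
```

On a real system, call `find_xdg_open_entries /etc/mailcap`; empty output means no active entry still routes files to xdg-open.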

Sunday, February 1, 2009

More and More

Since I have been able to upgrade my KDE to KDE 4.2.0, display some screenshots on Facebook and write a small HOWTO on doing that, many people that I know have been using KDE 4.2.0 on their computers/laptops as well. There is one person I know who rushed into his friend's house just to download KDE 4.2.0 packages after he read the announcement. Others spent their day just upgrading to KDE 4.2.0.

I think KDE 4.2.0 is quite phenomenal and this is the answer they have been expecting after (IMHO) a bad debut with KDE 4.0.0 back last year. Even though it's not yet perfect and still not as configurable as KDE 3.5.10, it's worth mentioning that KDE 4.2.0 is the best of all KDE releases so far. Many requests have been fulfilled and take place in KDE 4.2.0.

We shall see more updates when KDE 4.2.1 ships this month. I agree with the monthly incremental model used by the KDE team to release each KDE version. It gives a packager some time to prepare the resources and take note of what has been changed in the build requirements.

While working on monthly updates, the KDE team is also progressing on KDE 4.3.0. Vavai has been using KDE 4.3.0 on his OpenSUSE system.

New Poll

Ok, time to start a new poll. This time, it's related to KDE 4.2.0. We all know that KDE 4.2.0 has been included in the /testing tree under the Slackware-Current development branch. I would like to know what people's opinions are about KDE 4.2.0. Please give your votes and we will see the results by the end of this month.

I myself have used KDE 4.2.0 on my laptop and my desktop at the office, and found it very interesting. I hope it gives you the same experience.

Poll Result

Ok, one month has passed since the last poll time period, so it's time to display the result. Last month's question was "Have You Used Slackware 12.2 Yet?" There were 127 voters and the results are below:

Definitely Yes 93 (73%)
Hell No 6 (4%)
I'm planning to use it 28 (22%)

The majority of the voters have used Slackware 12.2, almost 3/4 of the voters. They may find Slackware 12.2 stable enough to migrate. Others may pick Slackware 12.2 because it's considered mature and easy to manage from a sysadmin perspective, even though that also applies to common home users as well.

Stay tuned for another poll shortly.