Sunday, March 30, 2014

Security Update: OpenSSH, httpd, mozilla-nss, curl, firefox, thunderbird, and seamonkey

Seven security updates were released a few days ago while I was in Malaysia, so I couldn't write a blog post about them. Those updates were:
  • httpd is upgraded to 2.4.9 and applied back to Slackware 14.0. Unfortunately this update has a minor bug: it drops the MPM Event module if apr and apr-utils are not updated to the latest version, so a fix should be released in the next batch.
  • OpenSSH is upgraded to the latest version and this update is applied back to Slackware 13.0. This update also has a minor bug: it doesn't create the new key. This should be fixed in the next update as well.
  • mozilla-firefox is upgraded to 24.4 ESR for Slackware 14.1 and current
  • mozilla-thunderbird is upgraded to 24.4.0 for Slackware 14.1 and current
  • seamonkey is upgraded to 2.25 for Slackware 14.1 and current
  • nss is upgraded to 3.16 and applied to Slackware 14.0a and newer
  • curl is upgraded to 7.36 and applied back to Slackware 13.0 and newer 
On -current, there was a single update that was not part of the security updates: tin, which is upgraded to 2.2.0.

Thursday, March 27, 2014

Security Update: PHP

I totally forgot about this, even though I had it ready the same day it was released. I must have been distracted by my travel preparations and by my work in the office. Thanks to Ryan, who noticed it and let me know.

PHP in Slackware has been updated to the latest PHP 5.4.x stable release to fix vulnerabilities that can drive CPU usage up to 100% when using the fileinfo function.

Tuesday, March 18, 2014

New Bitcoin Address

I have been playing with Bitcoin since early this month and I even put a new donation link on both my personal blog and this SlackBlogs, replacing my PayPal donation link since my PayPal account got limited permanently. I used the bitcoin client from SBo, but it requires lots of time to synchronize with past transactions and so far it has reached 18 GB of data and keeps growing as more transactions occur every day. Plus, it caused some instability with my network card, so I decided to remove it from my computers.

This evening, I was having a conversation with alienBOB (Eric Hameleers) and he mentioned other bitcoin client alternatives, armory and Electrum. I decided to have a look at Electrum and it turns out that it doesn't require me to do the synchronization all the time. This is perfect, as this app is so light and has a small number of hard dependencies. It's also a good candidate for inclusion in SBo, so I wrote a SlackBuild script for this application (including the dependency) and submitted it to SBo.

I decided to use bitcoin as a way to accept donations on both of my blogs: the bitcoin donation address is on the right side of this blog. Use that address if you want to send a donation to me. Any value is appreciated :)

Sunday, March 16, 2014

LibreOffice 4.2.2 for Slackware Users

Eric Hameleers has just published his LibreOffice packages along with other goodies he maintains in his repository. The new LibreOffice package is built on top of Slackware 14.1, but it is usable on Slackware-Current as well, since -Current hasn't deviated much from -Stable.

You can get the updated version of LibreOffice from these mirrors:

Friday, March 14, 2014

Security Update: Samba

Another security update has been released for Slackware 14.0 and newer: samba. This single update fixed two security vulnerabilities at once:

  • CVE-2013-4496: Samba versions 3.4.0 and above allow the administrator to implement locking out Samba accounts after a number of bad password attempts. However, all released versions of Samba did not implement this check for password changes, such as are available over multiple SAMR and RAP interfaces, allowing password guessing attacks. 

  • CVE-2013-6442: Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
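
The CVE-2013-4496 flaw described above, as an added example (a toy Python model, not Samba code and not part of the original post): the lockout counter guards the logon path but not the password-change path. The `Account` class, its method names and the threshold of 3 are assumptions made for illustration.

```python
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3  # constructed policy value, not a Samba default

def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy hash, not a storage scheme

class Account:  # hypothetical model, not Samba's data structure
    def __init__(self, password: str):
        self._hash = _digest(password)
        self.bad_attempts = 0

    def locked(self) -> bool:
        return self.bad_attempts >= LOCKOUT_THRESHOLD

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(self._hash, _digest(password))

    def authenticate(self, password: str) -> bool:
        """Logon path: counts failures and refuses once locked."""
        if self.locked():
            return False
        if self._verify(password):
            self.bad_attempts = 0
            return True
        self.bad_attempts += 1
        return False

    def change_password_unchecked(self, old: str, new: str) -> bool:
        """Flawed path: verifies `old` but never consults the lockout."""
        if not self._verify(old):
            return False  # failure is not counted, so guessing is unlimited
        self._hash = _digest(new)
        return True

    def change_password_checked(self, old: str, new: str) -> bool:
        """Fixed path: reuses the logon check, so failures count and lock."""
        if not self.authenticate(old):
            return False
        self._hash = _digest(new)
        return True

def locks_after_guessing(change_path, guesses: int = 10) -> bool:
    """Feed wrong old passwords to one change path; did the account lock?"""
    acct = Account("correct horse")  # constructed sample credential
    for i in range(guesses):
        change_path(acct, f"guess-{i}", "new-secret")
    return acct.locked()
```

Passing `Account.change_password_unchecked` leaves the account unlocked after ten wrong guesses, while `Account.change_password_checked` locks it at the third.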

Thursday, March 13, 2014

Security Update: mutt

Mutt has been upgraded to 1.5.23 to fix a security vulnerability (a buffer overflow) in which malformed RFC2047 header lines could result in denial of service or potentially the execution of arbitrary code as the user running mutt.

This update is applied back to Slackware 13.37.

Tuesday, March 11, 2014

Security Updates: udisks, udisks2

Two security updates were released today and both came from the same project: udisks and udisks2. Both have the same CVE entries, meaning both are vulnerable to the same bugs. Both are applied to Slackware 14.0 and newer.

Here is the description found on the ChangeLog:
This update fixes a stack-based buffer overflow when handling long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root).

Thursday, March 6, 2014

Security Update: sudo

There's another security update for Slackware. This time, though, not all Slackware releases are affected. Only Slackware 13.0 up to 13.37 are affected, but they didn't get a major upgrade to 1.8.x. Since this vulnerability only affects Sudo 1.6.9 through 1.8.4p5, Slackware 14.0 and 14.1 are not affected by this bug, as they use 1.8.6p7 and 1.8.6p8.

Nevertheless, Patrick updated the sudo package in -current to the latest 1.8.x branch, which is 1.8.9p5.

KDE 4.12.3 Released

This post should have been posted yesterday, but I was too busy preparing for the MATE 1.8 release and then I forgot about it. Sorry about that.

So, this March, KDE 4.12.3 has been released and, as with the previous update, this update only applies to KDE Applications, since the workspace has been frozen since 4.11.x, although there is a new kde-workspace 4.11.7 for this release. Full changes about this release can be seen here.

Besides updating all KDE core packages, Eric Hameleers also gave a surprise by updating several other packages, as mentioned in his blog post:
Apart from all-new versions for the core applications, I also updated the oxygen-gtk2 and plasma-nm (and libnm-qt, libmm-qt) packages. I was unable to compile the latest oxygen-gtk3 release because Slackware’s GTK+-3 package is too old.
There is one interesting addition! There is a new package called kdeconnect-kde. Together with the kdeconnect-android app for your smartphone or tablet (no iPhone, surely you don’t own one??) it “fuses” your KDE desktop with your mobile device.
I have tested this new kdeconnect application, but the only thing I can do with my Z1 is ping and multimedia control (using VLC). The other features are not yet listed on my phone (some require a laptop, such as battery status).

Give it a try and download it from these mirrors:

Wednesday, March 5, 2014

MATE 1.8 Released

After being developed for some months, finally this morning I got a notification from the lead developer Stefano that he has released MATE 1.8 to the public along with the blog post on MATE's official blog.

I will start building packages for Slackware 14.1, for both 32-bit and 64-bit architectures, and upload them to the official repository and also to its mirror sites. For those who can't wait, you can build it from the master branch as of today, as it has been updated for 1.8 since a few days ago.

We will make a new branch for this release soon. Bug fixes and updates for MATE 1.8 will go to this branch, and master will be used to track MATE 1.9 progress.

Here are the changes in MATE 1.8:

Caja (file manager)
  • Added option to use IEC units instead of SI units
  • Added “Open parent location” option in context menu in search view
Marco (window manager)
  • Added side-by-side tiling (windows snapping)
Panel
  • Added support to run dialog and main menu opening with metacity keybindings
  • Show a progress bar in logout dialog
Control center
  • Added support for Metacity as window manager
MATE Desktop library
  • Added MATE User Guide
  • Added mpaste tool for paste.mate-desktop.org
Eye Of MATE (image viewer)
  • Added shuffle mode in slideshow
Engrampa (file archiver)
  • Show always the “extract to” action in caja extension
Screensaver
  • Show date and time in lock dialog
Applets
  • Added undo functionality to sticky note applet
  • New “command” applet to show the output of a command
  • Rewritten “timer” applet in c
  • Mouse middle click on volume applet toggles mute state
Dropped packages
  • Replaced mate-doc-utils with yelp-tools
  • Replaced libmatekeyring/mate-keyring with libsecret/gnome-keyring
  • Replaced libmatewnck with libwnck
  • Replaced mucharmap with gucharmap
  • Replaced mate-bluetooth with blueman
  • Merged all caja extensions in a single package
Other improvements
  • Fixed a lot of code deprecations
  • Fixed a lot of bugs
  • Added and improved a lot of translations 
Enjoy MATE 1.8 and, as always, feel free to give feedback to the MSB project through our email: mateslackbuilds@gmail.com and also in our IRC channel: #msb on Freenode.

Tuesday, March 4, 2014

Security Update: gnutls

Another security update has been released for Slackware 13.0 through Slackware-Current, and this time it's gnutls. The backported patch comes from Mancha, who reported this on LQ.

Some packages have been reported but not yet fixed, such as file, imagemagick, and python.

Saturday, March 1, 2014

MATE 1.8 Coming Soon

This morning, I got an automatic email from the MATE GitHub account that three of the core packages of MATE (mate-common, mate-desktop, and libmatekbd) have been tagged 1.8.0 by Stefano Karapetsas.

While there aren't any released tarballs yet in their public download repository, it seems that the MATE developers are ready to release MATE 1.8 this March and I believe it should be released pretty soon. Based on the MATE 1.7.90 testing that has been conducted, it's very stable, fast, and consistent.

For those using MATE 1.6, upgrading to 1.8 is pretty straightforward and will be a smooth one. You might want to see the new/renamed/removed packages from 1.6 -> 1.8 in MATE-1.8-CHANGES if you are planning to upgrade. Also, don't forget to check the KNOWN ISSUES and the UPGRADE instructions for more detailed step-by-step guidance on how to upgrade to MATE 1.8.

Those who wonder what changes have been applied to MATE 1.8 can see their roadmap, which has been updated to move some targets postponed to MATE 1.10.

Visit the MSB project or our GitHub repository for more information about MATE SlackBuilds Project.

Security Update and Next Development Cycle

There was one security update released yesterday: subversion. No other changes were made in either the stable or the current release.

It's been almost 4 months since Slackware 14.1 was released last November and there's no sign of -current development starting again. Usually (based on history), it starts 3-4 months after the last -stable release, to give Pat some time to take a break from the endless testing and debugging that goes into preparing the stable release.

One of the most problematic issues for the next cycle is probably upstream's decision to integrate systemd in some projects. While this does not apply to all upstream projects, I do hope that where it does, it is not mandatory to have systemd installed and there's a configure parameter that can disable it or build without systemd.

Speaking about systemd, Bart van der Hall has attempted to build systemd on top of Slackware and he has published his work on this home page. There's also a lengthy discussion about it on LQ, which is interesting to follow if you are curious about how to implement systemd on Slackware.

Personally I don't like the idea of systemd, which tries to handle everything on your system with massive changes, but I have my respect for Bart, who keeps doing his good work and finally produced something which is proven to be a working system without breaking compatibility with Slackware. He has given users two options, to build the system with or without PAM support. Some members of LQ have given it an early test and they reported it was working on their machines. Kudos to Bart.

For me personally, next current development cycle will be very interesting to follow. Well, it's always interesting to see every -current cycle :)

Warning:
Slackware-Current is the development snapshot for the next Slackware release. It's considered beta testing even though in 99% of all cases it is very stable (it rarely breaks and if it does, it gets fixed very quickly) and I even used it on my desktop and workstation at home and in the office.
Nevertheless, you should stick to Slackware 14.1 if you prefer to enjoy a stable release.