Tuesday, September 30, 2014

Another BASH Update

Here comes another bash update to fix more security vulnerabilities. This time, a patch from Florian Weimer changes the encoding bash uses for exported functions, to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to decide whether or not to interpret it as a shell function. This change is backward-incompatible, but most of your scripts should be safe and continue to work as they are, unless you use the affected features. As always, please upgrade ASAP.
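To see what the new encoding means in practice, here is an added check script (not from the original post and not part of bash itself); it assumes a bash binary on PATH and uses a constructed function name demo and a constructed variable name X.

```shell
#!/bin/sh
# Added example: inspects how the local bash exports and imports shell functions
# after the Weimer encoding change. Assumes "bash" is on PATH; "demo" and "X"
# are constructed names used only for this check.

# Print the environment variable name under which a child bash exports the
# function $1. A patched bash uses the BASH_FUNC_<name>%% form (some vendor
# patches used BASH_FUNC_<name>()); an unpatched bash used the bare name.
exported_function_env_name() {
    env -i PATH="$PATH" bash -c "$1() { echo from-function; }; export -f $1; env" \
        | sed -n 's/^\([^=]*\)=() {.*/\1/p'
}

# Classify the encoding: "prefixed" means only variables carrying the BASH_FUNC_
# prefix are candidates for function import, which is what the patch introduces.
function_export_encoding() {
    name=$(exported_function_env_name demo)
    case "$name" in
        BASH_FUNC_demo*) echo prefixed ;;
        demo)            echo plain ;;
        *)               echo none ;;
    esac
}

# "function" if a plain environment variable named $1 whose value merely looks
# like a function body is turned into a shell function by a child bash, else
# "variable". With the new encoding the content alone no longer triggers import.
plain_var_import_kind() {
    env "$1=() { echo imported; }" bash -c \
        "if declare -F $1 >/dev/null 2>&1; then echo function; else echo variable; fi"
}

# Legitimately exported functions still cross the exec boundary under the new
# encoding; this prints what the grandchild shell sees.
exported_function_runs_in_child() {
    bash -c 'demo() { echo from-function; }; export -f demo; bash -c demo'
}

printf 'export encoding: %s\n' "$(function_export_encoding)"
printf 'plain variable X imported as: %s\n' "$(plain_var_import_kind X)"
printf 'exported function in child says: %s\n' "$(exported_function_runs_in_child)"
```

On a patched bash the three lines read prefixed, variable and from-function; a "plain" encoding or a "function" import means the bash in use predates the fix.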

Monday, September 29, 2014

Security Advisory: Firefox, Thunderbird, Seamonkey

Three security advisories were released this morning for Slackware 14.0, 14.1, and -current machines. Seamonkey was released for Slackware 14.0 and newer, while the rest were released for 14.1 and newer. The stable releases get the ESR release of Firefox, while -current always follows the latest Firefox build available from Mozilla's FTP site.

Saturday, September 27, 2014

Bash Update for CVE-2014-7169 Fix

Another bash update for all Slackware releases has been pushed by Patrick, as the official fix is now available on BASH's FTP site. The new update should fix the CVE-2014-7169 advisory, as now I get the correct result after running the same exploit code that I mentioned in the previous blog post. I suggest that you apply the update to your machines as soon as possible, as there have been reports of many attackers exploiting this vulnerability in the wild. The discussion hasn't ended yet, so stay tuned for further updates :)

Friday, September 26, 2014

Second Patch on Bash Bug

The initial patch to fix the bash vulnerability did not fully fix the problem, as Tavis Ormandy found another exploit for bash, which led to another CVE entry being created: CVE-2014-7169. This new bug can be fixed with a single line of code, and the fix has been applied to all Slackware releases as of today, thanks to Pat's quick response on this issue. Hopefully this finally fixes the bash bug.

Anyway, I can confirm that the patch worked for Slackware{64}-14.1 (I didn't test other versions), but on my desktop -current machine, the same exploit code is still working. Can anyone confirm this?

Here's the safe exploit code used:

env X='() { (a)=>\' sh -c "echo date"; cat echo

Here's what I got in Slackware-14.1:

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

Meanwhile, this is what I got on my -current machine:

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 07:30:35 WIB 2014

In -current, lxc is also upgraded to the latest version as well.

Thursday, September 25, 2014

Two Security Advisories

There are two security advisories released today and you are advised to upgrade as soon as possible (don't worry, it won't cause problems like yesterday's iOS 8.0.1 update did).

The first update is for bash, which is known to be vulnerable due to how it handles environment variables. This bug affects many applications that use bash scripts in their operations, namely httpd, ssh, dhclient, etc. This update is backported to all supported Slackware releases (13.0 to -current).

The second update is mozilla-nss, which fixes the RSA signature forgery vulnerability. This update is applied only to Slackware 14.0 and newer.

Thursday, September 18, 2014

Three Set of KDE Packages Released

Although KDE has released the KDE 4.14.1, KDE Frameworks 5, and Plasma 5 source code to the public for a few days now, that doesn't mean Eric Hameleers didn't notice. In fact, he had prepared the packages and released all of them on the day the final set (Plasma) was released yesterday, announcing it on his blog. Releasing them one by one is possible, but you would have to perform the update process three times, which may be inconvenient. Waiting also gives us time to test the packages and make sure nothing is broken.

In general, KDE 4.14.1 is a minor update, polishing KDE applications to further improve the translations and provide bug fixes. Most of the effort is now focused on porting the applications to Qt5, QML, Frameworks 5 and Plasma 5. As always, these packages are intended to be installed on top of Slackware-Current machines, and please read the README (KDE 4.14.1 and KDE 5).

The new directory for KDE 5 has changed to 5 (not 5.0.x anymore), so you might want to change your download script if you have one. Otherwise, just use rsync and you are good to go.

Get the packages from these mirror sites:
Kudos to Eric Hameleers, and have fun enjoying KDE 4.14.1 and Frameworks 5 + Plasma 5.

Wednesday, September 10, 2014

Security Update: seamonkey

After Firefox and Thunderbird got updated, seamonkey follows with another security advisory released for Slackware 14.0, 14.1, and -current. All releases get an update to seamonkey 2.29.

In -current, the default stock kernel has been raised to 3.14.18, the latest stable kernel maintained by Greg K-H. The ChangeLog is available on kernel.org's site. There have also been minor updates to some packages, namely:
  • btrfs-progs: upgraded to 20140909
  • net-snmp: upgraded to 5.7.2.1
  • rdesktop: upgraded to 1.8.2 (request from LQ)

Friday, September 5, 2014

Security Update: Firefox, Thunderbird, and PHP

Three security advisories were released this morning: Firefox, Thunderbird, and PHP. The PHP update is backported to Slackware 13.0, while the Firefox and Thunderbird updates apply only to Slackware 14.1 and -current.

Slackware 14.1 will use the ESR version, while -current continues to move forward with the latest versions from Mozilla, which are 32 (Firefox) and 31.1.0 (Thunderbird).