LinuxQuestions.org

Slackware: [Security] Mitigation & Patch (https://www.linuxquestions.org/questions/slackware-14/%5Bsecurity%5D-mitigation-and-patch-4175708118/)

marav 03-10-2022 10:15 PM

Quote:

Originally Posted by Tonus (Post 6336989)
Not so sure. Average users depend on Pat's reactivity and for more advanced or concerned users, there're mailing lists and so on...

This is not necessarily only for users, advanced or not
The main goal, here, is to post what people found elsewhere (nist.gov, gentoo, arch, ...) and give visibility for everyone, Mr. Volkerding included

This may or may not be useful, but it has the merit to exist.

If you look at the changelog, there are many patches that have been applied thanks to user reports.

Tonus 03-11-2022 07:30 AM

Yes indeed. I just believe our BDFL does not rely on sticky posts and subscribes to the most relevant threads.
I like the less for the number of sticky posts and subscribe to (too) much more threads.

marav 03-11-2022 08:21 AM

Quote:

Originally Posted by Tonus (Post 6337175)
Yes indeed. I just believe our BDFL does not rely on sticky posts and subscribes to the most relevant threads.
I like the less for the number of sticky posts and subscribe to (too) much more threads.

5 sticky threads is not that much (if we remove, in my POV, the useless one ...)

marav 03-25-2022 05:31 AM

zlib 1.2.11

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2018-25032

Patch:
https://github.com/madler/zlib/commi...7c615f8020c531

marav 03-25-2022 05:39 PM

For Slackware 15.0

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-0995

https://git.kernel.org/pub/scm/linux...9921b3cba63fbb

Fixed for kernel >= 5.15.29

https://git.kernel.org/pub/scm/linux...h=linux-5.15.y

marav 03-28-2022 07:50 PM

libarchive 3.6.0

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-26280

Patch:
https://github.com/libarchive/libarc...8f94fce37d6aff

FTIO 03-30-2022 08:27 AM

Quote:

Originally Posted by Tonus (Post 6336989)
Not so sure. Average users depend on Pat's reactivity and for more advanced or concerned users, there're mailing lists and so on...

This. It seems easier to simply keep getting the 'upgrade' notices via e-mails that also already have the download link for the file.

marav 03-30-2022 09:24 AM

Vim 8.2.x

Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646

CVE-2022-1154:
https://nvd.nist.gov/vuln/detail/CVE-2022-1154

EDIT:
+
heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.
CVE-2022-1160:
https://nvd.nist.gov/vuln/detail/CVE-2022-1160


Update:
Latest version 8.2.46494650

ceed 03-30-2022 09:47 AM

Well it certainly seems that someone is finding this thread useful:

Code:

patches/packages/zlib-1.2.12-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes memory corruption when deflating (i.e., when compressing)
  if the input has many distant matches. Thanks to marav.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
  (* Security fix *)

As previously stated by the OP, the thread is not expressly for the benefit of end-users; but rather, a place slackers can report vulnerabilities spotted in the wild.

I think it's a valuable thread and agree that it ought to be pinned. Thanks to you marav.

Tonus 03-30-2022 03:39 PM

It's indeed a very valuable thread! Do not misread me: I do not think it's useful to have it sticky. I believe our BDFL will/have subscribe/d.

marav 04-03-2022 05:55 AM

libtiff 4.3.0

Code:

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the
TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched
remotely but requires user interaction.
The exploit has been disclosed to the public and may be used.

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-1210

No patch yet

marav 04-07-2022 07:02 PM

xz 5.2.5

xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).

Code:

Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This patch works for all of them.

This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.

Patch:
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch

marav 04-12-2022 07:25 PM

libimobiledevice-glue

Fix a memory leak
https://github.com/libimobiledevice/...e-glue/pull/21

Commit:
https://github.com/libimobiledevice/...6298a5d689c4fa

Daedra 04-12-2022 08:10 PM

Git 2.35.2

https://www.phoronix.com/scan.php?pa...CVE-2022-24765

Technically this doesn't really affect non-Windows systems, but worth mentioning.

semiprime 04-13-2022 05:12 AM

Quote:

Originally Posted by Daedra (Post 6345712)

Git 2.35.2

https://www.phoronix.com/scan.php?pa...CVE-2022-24765

Technically this doesn't really affect non-Windows systems, but worth mentioning.

According to https://lwn.net/Articles/891112/ and https://github.blog/2022-04-12-git-s...ity-announced/ the vulnerability affects multi-user systems, including Linux.
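
Added example, not part of the thread and not a Slackware tool: a shell check that splits Slackware package names (the `name-version-arch-build` form seen in the changelog entry quoted above) and flags installed versions older than the fixed versions reported in the posts. The `kernel-generic` package name, the `/var/log/packages` location and the sample package list are assumptions made for this example; `sort -V` is assumed to be GNU sort.

```shell
#!/bin/sh
# Fixed versions as reported in the thread:
#   zlib 1.2.12 (CVE-2018-25032), vim 8.2.4646 (CVE-2022-1154),
#   gzip 1.12 (zgrep filename escaping), kernel 5.15.29 (CVE-2022-0995).
# "kernel-generic" as the kernel package name is an assumption.
FIXED="zlib:1.2.12 vim:8.2.4646 gzip:1.12 kernel-generic:5.15.29"

# Constructed sample of installed package names (not from a real system).
SAMPLE='zlib-1.2.11-x86_64-2
vim-8.2.4256-x86_64-1
gzip-1.12-x86_64-1_slack15.0
kernel-generic-5.15.19-x86_64-2'

# version_lt A B: true when A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# split_pkg NAME-VERSION-ARCH-BUILD[.txz]: prints "name version".
# The name may contain hyphens; version, arch and build never do.
split_pkg() {
    p=${1%.t?z}     # drop .txz / .tgz suffix if present
    p=${p%-*}       # drop build tag (e.g. 1_slack15.0)
    p=${p%-*}       # drop architecture
    printf '%s %s\n' "${p%-*}" "${p##*-}"
}

# audit: read package names on stdin, print "name installed < fixed".
audit() {
    while read -r pkg; do
        set -- $(split_pkg "$pkg")
        for pair in $FIXED; do
            if [ "$1" = "${pair%%:*}" ] && version_lt "$2" "${pair#*:}"; then
                printf '%s %s < %s\n' "$1" "$2" "${pair#*:}"
            fi
        done
    done
}

# On a Slackware host, audit the package database; otherwise the sample.
if [ -d /var/log/packages ]; then
    ls /var/log/packages | audit
else
    printf '%s\n' "$SAMPLE" | audit
fi
```

A version comparison only shows that a package predates the upstream fix; a distribution build with the patch backported under an older version number would still be listed.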


All times are GMT -5.