LinuxQuestions.org - [Security] Mitigation & Patch

- Slackware (https://www.linuxquestions.org/questions/slackware-14/)

- - [Security] Mitigation & Patch (https://www.linuxquestions.org/questions/slackware-14/%5Bsecurity%5D-mitigation-and-patch-4175708118/)

Quote:

Originally Posted by Petri Kaukasoina (Post 6492747)

Slackware doesn't seem to be affected.

Slackware 15 anyway :) But maybe it is an issue with current ? see:

Quote:

Sat Mar 9 21:56:02 UTC 2024
a/xz-5.6.1-x86_64-1.txz: Upgraded.

Quote:

Originally Posted by jmccue (Post 6492750)

Slackware 15 anyway : But maybe it is an issue with current ? see:

That is why i posted it, I wasnt sure so I posted here so that we can find out if we are affected on current.

The malicious code is inserted only when building a deb or rpm package of xz. Probably because some systemd based distros patch openssh to use liblzma (part of xz) and the idea is to have a backdoor in sshd.

Quote:

Originally Posted by Petri Kaukasoina (Post 6492752)

I am thankful we dont have a backdoor in sshd then.....

Yeah, I'd heard about the potential for libarchive issues. With Tavis Ormandy on the case, I think if there's an issue it'll be handled quickly.

XWayland 23.2.5 and X.Org Server 21.1.12

CVE-2024-31080
CVE-2024-31081
CVE-2024-31082
CVE-2024-31083

Code:

Multiple issues have been found in the X server and Xwayland implementations

published by X.Org for which we are releasing security fixes for in

xorg-server-21.1.12 and xwayland-23.2.5.

https://lists.x.org/archives/xorg/20...il/061615.html

Apache HTTP Server 2.4.59 (released 2024-04-04)

*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)

*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.

*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE

nghttp2 v1.61.0 (released 2024-04-04)

Fixes CVE-2024-28182

polkit 124

Because of this new "systemd_dep"

Code:

../meson.build:222:37: ERROR: Unknown variable "systemd_dep".

that leads to a FTB if -Dsystemdsystemunitdir= isn't empty, we need these 2 patches:

https://gitweb.gentoo.org/repo/gento...-systemd.patch

https://gitweb.gentoo.org/repo/gento...md-fixup.patch

less

Code:

less(1) does not correctly escape newlines in pathnames when 

constructing command line of the input preprocessor. If a user ran 

less(1) on files with untrusted names, this could result in execution of 

arbitrary code.

https://www.openwall.com/lists/oss-s...y/2024/04/12/5

Fix:
https://github.com/gwsw/less/commit/007521ac3c95bc76

I've never liked that feature of less. I use the -L option here.

glibc

CVE-2024-2961

Code:

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output 

buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, 

which may be used to crash an application or overwrite a neighbouring variable.

affected from 2.1.93 before 2.40

https://www.cve.org/CVERecord?id=CVE-2024-2961

https://sourceware.org/git/?p=glibc....C-SA-2024-0004