Quote:
It really doesn't concern me because I write my own grub.cfg manually so for me it's more of a joke than a security vulnerability. Never used mkconfig, os-prober or any other grub scripts & Slackware doesn't require any of that mess because it ships with lilo. |
It's only affecting joke systems which update grub on each kernel update.
And to keep the thread on-topic, rather than argue about whether or not Slackware is affected by this joke vulnerability.. Here is something affecting each and every one of us web browser users: https://www.bleepingcomputer.com/new...rs-spellcheck/ |
Quote:
https://ftp.osuosl.org/pub/rpm/relea...4.18.0.tar.bz2 |
We will soon have a new Firefox release (105.0.1)
https://bugzilla.mozilla.org/show_bug.cgi?id=1786638 Code:
bugs: 1786638 |
KWayland
Code:
client/plasmashell: add fallback for applet popups
https://invent.kde.org/frameworks/kw...ommit/d02188ad
FYI: because of regression, Archlinux reverted this patch |
Vim
CVE-2022-3256 Code:
Use After Free in GitHub repository vim/vim prior to 9.0.0530. |
Vim
This one is dedicated to LuckyCyborg ;-)
Cheers, my friend
CVE-2022-3296 Code:
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577. |
Plasma Workspace
https://bugs.kde.org/show_bug.cgi?id=459309 Code:
1. Open Users settings Code:
set setInteractiveAuthorizationAllowed on SetPassword call https://invent.kde.org/plasma/plasma...ab599f01df97e8 |
kscreenlocker
Code:
[PATCH] Set QSurfaceFormat::ResetNotification |
Vim
CVE-2022-3352 Code:
Use After Free in GitHub repository vim/vim prior to 9.0.0614.
CVE-2022-3324 Code:
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598. |
Plasma-integration
Fix QtQuickRenderSettings from loading Code:
Currently the firstCall guard is broken and the code is never run. https://invent.kde.org/plasma/plasma...72d2c82286bd2f |
The last qt5 version in slackware-15.0 looks like 5.15.3_20220318 from 2022-03-03
However, it seems 2 patches were made upstream, after 2022-03-03
CVE-2022-27404-27405-27406-qtbase-5.15.diff (2022-07-26 13:27)
CVE-2022-37434-qtbase-5.15.patch (2022-09-12 11:47) |
Bash 5.2
Code:
Starting bash with an invalid locale specification for LC_ALL/LANG/LC_CTYPE https://ftp.gnu.org/gnu/bash/bash-5....hes/bash52-002 |
Postfix 3.7.2
Code:
make -f Makefile.in MAKELEVEL= Makefiles https://gitweb.gentoo.org/repo/gento.../linux-6.patch |
For Slackware 15.0
In the Linux kernel 5.2 through 5.19.14
CVE-2022-41674
CVE-2022-42719
CVE-2022-42720
CVE-2022-42721
CVE-2022-42722
https://git.kernel.org/pub/scm/linux.../?h=queue/5.15 |
zlib 1.2.13
Fix the following CVE: CVE-2022-37434 https://github.com/madler/zlib/commi...1ae950166bece1 |
Quote:
https://www.phoronix.com/news/Linux-AMD-Old-Chipset-WA |
Quote:
Thanks for the consideration. |
Xorg
https://nvd.nist.gov/vuln/detail/CVE-2022-3550
https://nvd.nist.gov/vuln/detail/CVE-2022-3551
https://nvd.nist.gov/vuln/detail/CVE-2022-3553
https://nvd.nist.gov/vuln/detail/CVE-2022-3554
https://nvd.nist.gov/vuln/detail/CVE-2022-3555
Note: All of them have been patched upstream for the next release |
Slackware64 15.0 + MultiLib / KDE and new xorg Packages
All --
Slackware64 15.0 + Multilib / KDE here ...
Exited KDE to RunLevel 3 ; installed latest xorg Packages for Slackware64 15.0.
From the latest ChangeLog: Code:
Mon Oct 17 19:31:45 UTC 2022
Everything is running fine here.
-- kjh
p.s. a big THANK YOU to Pat and the Dev Team |
Git v2.38.1 has been released to fix security concerns.
kguiaddons
Code:
[PATCH] systemclipboard: Don't signals data source cancellation https://invent.kde.org/frameworks/kg...a30c1fd2.patch |
libTIFF 4.4.0
CVE-2022-3626
https://nvd.nist.gov/vuln/detail/CVE-2022-3626
Patch: https://gitlab.com/libtiff/libtiff/-...2c841047.patch
CVE-2022-3627
https://nvd.nist.gov/vuln/detail/CVE-2022-3627
Patch: https://gitlab.com/libtiff/libtiff/-...2c841047.patch
CVE-2022-3570
https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Patch: https://gitlab.com/libtiff/libtiff/-...d10b094c.patch
CVE-2022-3597
https://nvd.nist.gov/vuln/detail/CVE-2022-3597
Patch: https://gitlab.com/libtiff/libtiff/-...2c841047.patch
CVE-2022-3598
https://nvd.nist.gov/vuln/detail/CVE-2022-3598
Patch: https://gitlab.com/libtiff/libtiff/-...4522fdff.patch
CVE-2022-3599
https://nvd.nist.gov/vuln/detail/CVE-2022-3599
Patch: https://gitlab.com/libtiff/libtiff/-...094ff246.patch |
libexpat 2.5.0
Code:
Security fixes: |
I put it back in the right place
xorg-server-xwayland
xwayland/input: Do not ignore leave events Code:
Commit 8a5f3ddb2 ("set tag on our surface") introduced the use of tags https://gitlab.freedesktop.org/xorg/...ests/987.patch |
Long time no see :D
Vim CVE-2022-3705 Code:
A vulnerability was found in vim and classified as problematic. Affected by this issue is the function |
These excerpts are from an article about Fedora, but as it relates to OpenSSL, the security implications should apply to all Linux distributions.
Quote:
There's also a Syndicated Linux News Article where it says everyone will need to patch ... OpenSSL 3.x. Is it something we should be worried about, I mean is there some software in Slackware using 3.x version at the moment? |
Quote:
Code:
The OpenSSL Project team has announced that, on November 1, 2022, they will |
1 Attachment(s)
kwin
x11: Don't force QT_NO_GLIB=1 Code:
This breaks certain apps, e.g. KDE System Settings when launched from
https://invent.kde.org/plasma/kwin/-...624dfc981d281c
e.g. see attch. |
kwin
x11: Don't force QT_QPA_PLATFORM=xcb Code:
We're setting this env variable because earlier we used it to force kwin to use https://invent.kde.org/plasma/kwin/-...2e19ef6d4ee3fd |
Quote:
Still not very happy about qtconfig being dropped by upstream, but it's good to see KDE devs still care about compatibility. |
@Pat
In order not to have all your links down in the changelog in the future Code:
29 septembre 2021 Code:
cve.mitre.org. PR_CONNECT_RESET_ERROR |
Thanks marav,
The only Kernel on Kernel.org with an open CVE is 5.19.17
CVE References: ChangeLog-5.19.17 references CVE-2022-1184.
The new link format is this: Code:
Where: |
Quote:
The CVE I printed came from the Kernel ChangeLog which means it was addressed in the source for that Kernel.
The Slackware Kernels are another matter -- All CVEs since the Last Kernel Update ( 5.15.63 ) are unmitigated.
-- kjh
This is the list of unmitigated CVEs for the Slackware 5.15.y Kernel: Code:
# grep CVE- linux-5.15.6[49]-ChangeLog linux-5.15.7[0-6]-ChangeLog |
Quote:
I missed the links in your post.
Nice site !
Man, That's a lot of unresolved CVEs !
Thank you.
-- kjh
P.S. your cited site Linux Kernel CVEs > CVEs in Stream 5.15 shows a LOT more fixes than I found in the ChangeLogs. They seem to be grepping for the CVE Text.
OTOH, all I did was grep the String 'CVE-' on the list of ChangeLogs since 5.15.63 on my local system like this: Code:
grep -- CVE- linux-5.15.6[49]-ChangeLog linux-5.15.7[0-6]-ChangeLog |
Quote:
Code:
The OpenSSL vulnerabilities made public today are an X.509 email address 4-byte buffer overflow (CVE-2022-3602) |
Quote:
No problem for Slackware 15.0
Thanks marav.
-- kjh
Code:
# ls -lad /var/log/packages/openssl* |
sysklogd before 2.4.0: loses file mode on rotated files
sysklogd before 2.4.1: can overread memory (no bounds checking) when parsing incoming messages
Slackware-stable has 2.3.0
Slackware-current has 2.4.4
Sorry for the repost -- I was ignorant of this thread and it looks like this belongs here. |
Aspell 0.60.8
CVE-2019-25051 Code:
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top
[PATCH] objstack: assert that the alloc size will fit within a chunk to prevent a buffer overflow
https://github.com/gnuaspell/aspell/...c6fd324a.patch |
mozilla-nss 3.84
CVE-2022-3479 Code:
A vulnerability found in nss. By this security vulnerability, nss client auth crash without
The CVE lists <=nss-3.81 as vulnerable
But doesn't seem to have been applied upstream
https://gitweb.gentoo.org/repo/gento...76304a208eb817
fix-client-cert-crash.patch:
https://gitweb.gentoo.org/repo/gento...rt-crash.patch |
Slackware 32bits: 15.0 & current
sysstat overflow on 32-bit systems
https://www.cve.org/CVERecord?id=CVE-2022-39377
Code:
On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered
Affected version : >= 9.1.6
Patched version : 12.7.1
https://github.com/sysstat/sysstat/s...q8r6-g56f-9w7x |
sddm
Code:
in Qt6 (and the KDE patch collection for Qt 5) genericunixservices will https://build.opensuse.org/package/v...patch?expand=1 |
xfce4-settings
Code:
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument Fix: Code:
4.16.4 |
python3
Code:
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. |
qt: wayland
The issue (for which I am also concerned) Code:
plasmashell crashes when hovering or clicking items on the Panel
https://bugs.kde.org/show_bug.cgi?id=447717
[PATCH] Client: Ensure that wl_surface lives as long as qtquick render thread needs it Code:
wl_surface can be destroyed while qtquick render thread still uses it. |
polkit-qt
fix: memory leak Code:
agent listener does not reclaim private memory after destructing. https://invent.kde.org/libraries/pol...eda0777d6535e8 |
libtiff
CVE-2022-3970 Code:
A vulnerability was found in LibTIFF. It has been classified as critical. Patch: https://gitlab.com/libtiff/libtiff/-...0050e62617e3be |