Slackware64 15.0 + MultiLib / KDE and new xorg Packages
All --
Slackware64 15.0 + Multilib / KDE here ...
Exited KDE to runlevel 3; installed the latest xorg packages for Slackware64 15.0.
From the latest ChangeLog:
Code:
Mon Oct 17 19:31:45 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
xquartz: Fix a possible crash when editing the Application menu due
to mutating immutable arrays.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
(* Security fix *)
Git v2.38.1 has been released to fix security concerns.
Quote:
From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Linux Kernel <linux-kernel@vger.kernel.org>, git-packagers@googlegroups.com
Subject: [ANNOUNCE] Git v2.38.1 and others
Date: Tue, 18 Oct 2022 10:01:54 -0700
Message-ID: <xmqq4jw1uku5.fsf@gitster.g>
A maintenance release v2.38.1, together with releases for older
maintenance tracks v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5,
v2.35.5, v2.36.3, and v2.37.4, are now available at the usual
places.
These maintenance releases are to address the security issues
identified as CVE-2022-39253 and CVE-2022-39260.........
[PATCH] systemclipboard: Don't signal data source cancellation
Right now we emit "selectionChanged" when either:
- we get an external new selection
- our own selection gets cancelled
Semantically that's correct: if our own selection gets cancelled there's
no data in the clipboard, so globally it has changed.
Pragmatically, we don't need to know about the latter event. It's not
useful information for userspace code, and at worst it means we process
events twice if the clipboard is transferred from klipper to a client.
This fixes a major issue with klipper when a user disables middle click
paste. The compositor sends a cancel event on new clipboards, klipper
detects the clipboard is empty and populates it.
Security fixes:
CVE-2022-43680 -- Fix heap use-after-free after overeager
destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially
arbitrary code execution.
Commit 8a5f3ddb2 ("set tag on our surface") introduced the use of tags
to differentiate our own surfaces, and commit a1d14aa8c ("Clear the
"xwl-window" tag on unrealize") removed the tags before the surfaces are
actually destroyed.
Xwayland would then rely on these tags on the surface to decide whether
to ignore or to process the Wayland event in various places.
However, in doing so, it also checked for the tag on keyboard leave
events.
As a result, if the keyboard leave event is received after the X11
window is unrealized, keyboard_handle_leave() would not queue the
LeaveNotify events for the DIX to process, and the key repeat would
kick in and repeat the key event indefinitely.
A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
These excerpts are from an article about Fedora, but as it relates to OpenSSL, the security implications should apply to all Linux distributions.
Quote:
......a "critical" openSSL vulnerability yet to be made public.....
.......Details of this "critical" security vulnerability in OpenSSL aren't yet public but should see its embargo lifted next Tuesday. We'll see how nasty this latest OpenSSL vulnerability is on Tuesday but it's ranked critical.......
Quote:
These excerpts are from an article about Fedora, but as it relates to OpenSSL, the security implications should apply to all Linux distributions.
There were a few comments around saying the 1.1.1 version is apparently unaffected by this vulnerability.
There's also a Syndicated Linux News Article where it says everyone will need to patch ... OpenSSL 3.x.
Is it something we should be worried about, I mean is there some software in Slackware using 3.x version at the moment?
Quote:
There were a few comments around saying the 1.1.1 version is apparently unaffected by this vulnerability.
Indeed
Code:
The OpenSSL Project team has announced that, on November 1, 2022, they will
release OpenSSL version 3.0.7, which will fix a critical vulnerability in the
popular open-source cryptographic library (but does not affect OpenSSL versions before 3.0).
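To answer the question of whether anything on a given box would actually load the affected library, here is an added example (not from this thread, not from Slackware and not from the OpenSSL project). It turns the announcement's range into a check: versions 3.0.0 through 3.0.6 are affected, 3.0.7 carries the fix, and anything before 3.0 is not affected. It then looks at which libssl major a binary's ELF NEEDED entries name, so you can find the programs that would load libssl.so.3 at run time. It assumes readelf from binutils is installed; the version strings and NEEDED lists embedded below are constructed sample data, not output captured from a real system.

```shell
#!/bin/sh
# Added example; not code from the thread, Slackware or the OpenSSL project.
# Classifies an `openssl version` string against the range in the announcement
# (3.0.0 .. 3.0.6 affected, 3.0.7 fixed, anything before 3.0 not affected) and
# finds installed binaries whose dynamic dependencies name libssl.so.3.

# openssl_affected "OpenSSL 3.0.6 11 Oct 2022"
#   Prints affected, fixed, not-affected or unknown (the last for anything that
#   is not OpenSSL, e.g. a LibreSSL 3.x string, whose numbering is unrelated).
#   Letter suffixes (1.1.1q) and two-digit patch levels (3.0.10) are handled.
openssl_affected() {
    set -- $1                                   # word-split into $1=name $2=version
    [ "$1" = OpenSSL ] || { echo unknown; return 0; }
    case "$2" in
        3.0.[0-6]|3.0.[0-6][a-z]*) echo affected ;;     # 3.0.0 .. 3.0.6
        3.0.*)                     echo fixed ;;        # 3.0.7 and later 3.0.x
        *)                         echo not-affected ;; # 1.1.1, 1.0.2, ...: not affected per the announcement
    esac
}

# ssl_major_from_deps "<output of readelf -d BINARY or ldd BINARY>"
#   Prints 3, 1.1 or none depending on which libssl the dependency list names.
ssl_major_from_deps() {
    printf '%s\n' "$1" | awk '
        /libssl\.so\.3/    { v = "3" }
        /libssl\.so\.1\.1/ { if (v == "") v = "1.1" }
        END { print (v == "" ? "none" : v) }'
}

# scan_for_libssl3 DIR
#   Lists executables in DIR whose NEEDED entries include libssl.so.3.
#   readelf -d only parses the ELF headers and never executes the file, unlike
#   ldd, which may run a binary it is asked to inspect. Programs that link
#   OpenSSL statically or ship their own copy are not visible this way.
scan_for_libssl3() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        deps=$(readelf -d "$f" 2>/dev/null | grep NEEDED) || continue
        if [ "$(ssl_major_from_deps "$deps")" = 3 ]; then
            echo "$f"
        fi
    done
}

# Constructed sample inputs: NEEDED lists for a program built against
# OpenSSL 3, one built against OpenSSL 1.1.1, and one with no TLS library.
SAMPLE_DEPS_V3=' 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_DEPS_V11=' 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_DEPS_NONE=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Stand-alone demonstration on constructed version strings and sample lists.
for v in 'OpenSSL 3.0.6 11 Oct 2022' 'OpenSSL 3.0.7 1 Nov 2022' 'OpenSSL 1.1.1q  5 Jul 2022' 'LibreSSL 3.0.2'; do
    printf '%-30s %s\n' "$v" "$(openssl_affected "$v")"
done
printf 'sample v3 deps:   %s\n' "$(ssl_major_from_deps "$SAMPLE_DEPS_V3")"
printf 'sample v1.1 deps: %s\n' "$(ssl_major_from_deps "$SAMPLE_DEPS_V11")"
printf 'sample no-ssl:    %s\n' "$(ssl_major_from_deps "$SAMPLE_DEPS_NONE")"
```

On a live system, feed `openssl_affected "$(openssl version)"` the real string and run `scan_for_libssl3 /usr/bin` (and the other bin directories) to list the programs that would load libssl.so.3. Remember that the check only sees dynamic linkage against the system library; software bundling its own OpenSSL has to be checked separately.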
We're setting this env variable because earlier we used it to force kwin to use
its special QPA so we need to change that back to something sensible.
However setting it to Wayland breaks apps that ship their own Qt with missing or
broken Wayland support.
Set it to be empty instead. Well-behaved Qt apps will use Wayland regardless
because of XDG_SESSION_TYPE.
Interesting, this might fix some qt5ct compatibility issues since it really does depend on QT_QPA_PLATFORMTHEME=qt5ct being set.
Still not very happy about qtconfig being dropped by upstream, but it's good to see KDE devs still care about compatibility.
In order not to have all the links in the changelog go down in the future:
Code:
29 September 2021
This is the first step in transitioning from the old CVE.MITRE.ORG website.
The phased quarterly transition process began today and will last for up to one year.
During the quarterly transition, new releases of this website will occur every quarter,
and the new CVE.ORG website will operate concurrently with the CVE.MITRE.ORG website.
Upon completion of the phased transition, the CVE.MITRE.ORG website will be archived and retired.