My thoughts on Slackware, life and everything

Tag: vulnerability

I switched the blog’s theme

A blog is something personal, and theming it just right is a challenge. You’ll surely have noticed that the theme of Alien Pastures has been changed overnight.

This blog started out with a theme by Andreas Viklund (wp-andreas01) but that did not scale well on mobile devices; it also did weird stuff with user comments. I liked its visual quality a lot but the usability challenges were not fixable even by rummaging around in its code.
Eventually I replaced that with a new theme by Rajeeb Banstola (techism) but during my recent WordPress blog-code update I realized that this techism theme had not been updated for years, the author’s website has disappeared and the Freemius SDK from which that theme is created has an XSS vulnerability. Real shame because I thought it was beautiful, light, responsive and it fixed the user comment issues I mentioned previously.

So I have used my December holiday to look for another theme, experimenting with several, but I wanted to end with one that at a minimum allows me to have two columns: one for the articles and one as a sidebar with widgets showing all kinds of permanent info. Three columns was what I had with wp-andreas01 and techism, but I could live without one of the two sidebars.

I finally found a theme collection created by Anders Norén. On his page teman he showcases several that I find appealing, but after some experimenting I chose his Lovecraft and Hemingway themes over Baskerville. I kept the visual style of the new theme as close as possible to the old one (header image, top menu, sidebar widgets etc).
A note about the header image – that one has changed a few times over the years. I always use a picture I have taken myself and I rotate them on occasion.

At the bottom I was able to add three widgets that otherwise would have gone into a left sidebar. I think it’s cleaner now. Plus, one of these bottom widgets shows posts that have been most popular during recent weeks. That’s always interesting information to you (visitors); previously I would be the only one with that overview – it shows in the blog’s admin dashboard.

I am still undecided whether Hemingway or Lovecraft will make it as my final choice. The Hemingway theme shows the number of comments to each article and it’s visually somewhat more condensed. Lovecraft on the other hand is aesthetically more pleasing to my eye.

I hope you like and appreciate the change and the new interface does not pose any difficulty writing and posting your comments. Feel free to comment below of course!

Cheers, Eric

Chromium 100 out-of-band security update addresses (again) a single vulnerability

I have uploaded new chromium 100 packages for Slackware. The chromium-ungoogled 100 packages are currently being built and will follow shortly.
What’s with all these updates that follow rapidly on each other’s heels? Just like the recent Chromium 99 security update which addressed a single critical vulnerability, last Monday Google announced on their official blog the immediate availability of Chromium 100.0.4896.75. This hotfix release plugs a single hole which Google deemed serious enough to warrant the update. See CVE-2022-1232. The difference with last week is that no known exploit of this vulnerability is reported yet.
Still, it’s highly recommended that you upgrade ASAP.

My Chromium 100.0.4896.75 packages can be downloaded from my own repository (or any mirror that has synced up), for instance:

Once I have finished compiling the un-googled version of chromium and uploaded the packages, I will mention it in the comments section below and you can download them from: https://slackware.nl/people/alien/slackbuilds/chromium-ungoogled/ or https://us.slackware.nl/people/alien/slackbuilds/chromium-ungoogled/ .

Until I get tired of compiling for Slackware 14.2 (aka once I have migrated my last server to 15.0) these packages will work on Slackware 14.2 and newer. I provide 32bit as well as 64bit variants.

Eric

Update to Flash Player plugs vulnerabilities

Adobe issued a security bulletin for their Adobe Flash Player. In APSB13-04 two CVEs are mentioned – CVE-2013-0633 and CVE-2013-0634. Of those two, CVE-2013-0634 is the vulnerability which affects Linux users, because it is being exploited “in the wild” in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox.

There is an update available for Chrome browser (update to the latest release please) and for the Flash Player plugin for Firefox. I have a package for that flashplayer-plugin and therefore I pushed an update so that you can “safely” use Flash content again in Firefox.

Mind you – if you are using the beta Steam Client for Linux (i.e. the client for Valve Software’s gaming platform) you will have a package for that flash player because it is used to display the video content in the Steam client. If you use Steam on multilib Slackware64 then you will have a “compat32” package of that flashplayer-plugin – do not forget to update that one as well!

Packages for flashplayer-plugin 11.2.202.270 can be obtained (and used on Slackware 13.37 and higher, and perhaps even older releases) in the following places:

After the package upgrade, restart Firefox and visit this website to verify that your Flash Player Plugin is indeed the correct version: http://www.adobe.com/software/flash/about/

Eric

New version of VLC fixes security holes

The VideoLAN team have released version 1.0.6 of their VLC player. This version fixes several vulnerabilities which were found during development of the upcoming version 1.1.0.

I have built Slackware packages for vlc-1.0.6 (Slackware 13.0 32-bit and 64-bit) which you can find at the usual place, http://slackware.com/~alien/slackbuilds/vlc/. This is the release announcement in my repository’s ChangeLog.txt:

Fri Apr 23 10:35:49 UTC 2010
vlc: updated to 1.0.6. Several security holes were fixed in this release.
These packages do not contain MP3/AAC audio encoders (playback of mp3/aac audio works fine); you can get packages with MP3/AAC encoding capability at http://slackware.org.uk/people/alien/restricted_slackbuilds/vlc/ as usual.
For playback of encrypted DVDs you’ll additionally need to install libdvdcss.

One remark: I found that the midi plugin (based on fluidsynth) does not work in this package because of a library linking error. I will try to get this resolved for Slackware 13.0 in a new build if I find the time (but KDE 4.4.3 is getting near). When I built a VLC package on Slackware-current, I did not have this issue however.

Note for those who run VLC on an older Slackware:

Older versions of the VideoLAN player will not get patched, most notably version 0.8.x, which is still widely used. This version has already been vulnerable for some time, and the new vulnerabilities just get added to a growing list. Upgrading to the newest version will not be an option for everybody. Older releases of Slackware but also of other distros simply lack the libraries required by the current version of VLC. Too bad… or finally time to upgrade your Slackware?

Eric
