My thoughts on Slackware, life and everything

Month: July 2015 (Page 1 of 2)

Chromium 44 available (Netflix still works)

I have made new packages for the chromium browser and its widevine plugin. Chromium version 44 was released a bit earlier this week, and it took me a while to compile, because the new OpenJDK 7u85 and LibreOffice 5.0.0.rc3 packages were ahead of it in the build queue. Guess what… now that I am writing this blog article after uploading the packages for chromium-44.0.2403.89, I notice that there was a second release of Chromium 44 Stable… today. Which makes me wonder if there was a regression in the earlier source release.

That updated version 44.0.2403.107 may have to wait, because I will be unable to do a lot of Slackware related stuff until August; real life is catching up with me. If there are real usability issues with 44.0.2403.89, let me know and I will see if I can shift priorities or make the older 43.x packages available again. My initial (not exhaustive) testing showed no weirdness at least.

Regardless, it took a few iterations before I got the Widevine CDM adapter to compile properly. I had to look at my chromium-dev package’s history to remember what had changed in version 44. Once I applied that knowledge to the stable sources, it all began to come together. Netflix still works 🙂 … well, after you’ve installed/upgraded my chromium-widevine-plugin package of course, which contains the proprietary Content Decryption Module.

The new chromium source I compiled into a package comes with several security fixes; here are the CVEs:

  • [$3000][446032] High CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
  • [$3000][459215] High CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
  • [$TBD][461858] High CVE-2015-1274: Settings allowed executable files to run immediately after download. Credit to andrewm.bpi.
  • [$7500][462843] High CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte) of Baidu X-Team.
  • [$TBD][472614] High CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
  • [$5500][483981] High CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
  • [$5000][486947] High CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
  • [$1000][487155] High CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
  • [$TBD][487928] High CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
  • [$TBD][492052] High CVE-2015-1283: Heap-buffer-overflow in expat. Credit to sidhpurwala.huzaifa.
  • [$2000][493243] High CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen of OUSPG.
  • [$7500][504011] High CVE-2015-1286: UXSS in blink. Credit to anonymous.
  • [$1337][419383] Medium CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
  • [$1000][444573] Medium CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen of OUSPG.
  • [$500][451456] Medium CVE-2015-1272: Use-after-free related to unexpected GPU process termination. Credit to Chamal de Silva.
  • [479743] Medium CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
  • [$500][482380] Medium CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
  • [$1337][498982] Medium CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
  • [$500][479162] Low CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to mike@michaelruddy.com
  • [512110] CVE-2015-1289: Various fixes from internal audits, fuzzing and other initiatives.

Get my chromium packages in one of the usual locations:

Change the URL a bit to get the chromium-widevine-plugin package.

Have fun! Eric

July ’15 OpenJDK security update: 7u85_b01

A new release of IcedTea is available. Version 2.6.1 came right after last week’s 2.6.0 which paved the way for OpenJDK 7 “Update 85 Build 01” (resulting in a Slackware package openjdk-7u85_b01). This latest version of icedtea encompasses the July 2015 security updates for Java7. The release announcement can be found on the blog of release maintainer Andrew Hughes.

The upcoming release of icedtea 3.0.0 will move us to OpenJDK 8, but for now it is Java 7 you’ll still be using if you install my packages. A bit of patience is required.

A list of CVEs is associated with the new release. Here are all security fixes mentioned in the post:


Note about usage:

Remember that I release packages for the JRE (runtime) and the JDK (development kit) simultaneously, but you only need to install one of the two. The JRE is sufficient if you only want to run Java programs (including Java web plugins). Only if you want to develop Java programs and need a Java compiler do you need the JDK package. Get them here.

The Java package (openjre as well as openjdk) has one dependency: rhino provides JavaScript support for OpenJDK.

Optionally: If you want to use Java in a web browser (which supports NPAPI plugins – this excludes Chrome & Chromium but you’ll be OK with all Mozilla [-compatible] browsers) then you’ll have to install my icedtea-web package too. While Oracle’s JDK contains a browser plugin, that one is closed-source and therefore Icedtea offers an open source variant which does a decent job.

If you want to test your browser plugin, check out the Java Tester page, or Oracle’s own verification page which of course urges you to upgrade to its own Java 8 instead:

OpenJDK-7u85_b01

If you want to compile this OpenJDK package yourself, you need to install apache-ant additionally. Note that the previous requirements of xalan & xerces packages have been dropped; ant will provide all required build functionality on its own now.

Have fun! Eric

And finally, Adobe’s afterthought

Adobe must think Linux users are a bunch of retards. It took them several days to release an update for their legacy Flash Player plugin for Linux – took them so long actually that Mozilla decided to block Flash in their Firefox browser. Now that’s a statement.

Finally, here are the Slackware packages for flashplayer-plugin version 11.2.202.491. This version is a fix for several new zero-day exploits actively used on-line after the code leaked from the “Hacking Team” break-in, so it is urgently advised to upgrade if you are still using Flash. And even then, it appears that another zero-day exploit has been uncovered, which Adobe acknowledges in their security bulletin but for which the latest Flash release does not offer protection.

If you wonder why I don’t mention that I also created packages for the Chromium PepperFlash plugin, that’s because I released that two days ago already!

Download locations for the Flash plugins:

Eric

KDE 5_15.07 – July release for Slackware-current

Today my son had his last day at school – holiday time! We had little hope he would pass his semi-final year at the “middelbare school” but he managed to pull off a small miracle and passed anyway. Yay! His dad will sleep better now… and I used the relaxed mood to sit behind this computer and write a blog post about the July release of KDE 5 for Slackware-current. While my son went out to party, we slackers just install the latest and greatest software and pound it hard to see if any bugs seep out of the cracks.

The past month saw various KDE component releases which I let slip, because I intend to offer upgrades only when newer versions of all of Frameworks, Plasma and Applications are available. Well, there was Frameworks 5.11.0 several weeks ago but I skipped that one entirely, and today Frameworks 5.12.0 was released. The KDE Applications 15.04.3 release was already more than a week ago, and Plasma 5.3.2 one day before that, on 30 June. Time for some package building, and because the Frameworks sourcecode was made available to packagers a number of days ago, I had them ready on Wednesday… but needed to wait for the public release of the new Frameworks.

Now then, my July release of the next-gen KDE for slackware-current: KDE 5_15.07. Its main components, as said earlier, are Frameworks 5.12.0, Plasma 5.3.2 and Applications 15.04.3. The updates to Applications also contain the usual KDE 4 Long Term Support (LTS) updates for kdelibs, kdepimlibs, kdepim, kdepim-runtime and kde-workspace. Hopefully Pat will fold those LTS releases back into the official KDE 4 for Slackware-current.

What’s new in KDE 5_15.07?

Well… probably all sorts of improvements under the hood of the various packages, but nothing exciting jumps out that I feel compelled to tell you about. Overall, more stability and less bugs, let’s hope. Read the Release Notes and you’ll know it all. Hey, weekend ahead! Time is on your side.

Installing or upgrading Frameworks 5, Plasma 5 and Applications

As always, the accompanying README file contains full installation & upgrade instructions. Note that the packages are available in several subdirectories below “kde”, instead of directly in “kde”. This makes it easier for me to do partial updates of packages. The subdirectories are “kde4”, “kde4-extragear”, “frameworks”, “plasma”, “plasma-extra” and “applications”.

Upgrading to this KDE 5 is not difficult this time, especially if you already are running KDE 5_15.04 or later. You will have to remove old KDE 4 packages manually. If you do not have KDE 4 installed at all, you will have to install some of Slackware’s own KDE 4 packages manually.

Note:

If you are using slackpkg+, have already moved to KDE 5_15.01 or newer and are adventurous, you can try upgrading using the following set of commands. This should work but feel free to send me improved instructions if needed (assuming in this example that you tagged my KDE 5 repository with the name “ktown_testing” in the configuration file “/etc/slackpkg/slackpkgplus.conf“):
# slackpkg update
# slackpkg install ktown_testing (to get the newly added packages from my repo)
# slackpkg install-new (to get the new official Slackware packages that were part of my deps previously)
# slackpkg upgrade ktown_testing (upgrade all existing packages to their latest versions)
# slackpkg upgrade-all (upgrade the remaining dependencies that were part of my repo previously)
# removepkg sddm-theme-breeze (gone after KDE 5_15.01)
# removepkg libmm-qt5 (gone after KDE 5_15.03)
# removepkg qt-gstreamer0 (gone after KDE 5_15.04)
# slackpkg reinstall qt-gstreamer (ensure that none of the overlapping files of qt-gstreamer0 are left)
# slackpkg reinstall kactivities-framework (ensure that you are using the frameworks version of kactivitymanagerd)

And double-check that you have not inadvertently blacklisted my packages in “/etc/slackpkg/blacklist“! Check for the existence of a line in that blacklist file that looks like “[0-9]+alien” and remove it if you find it!
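As an added example (not a script from this blog or from slackpkg itself), here is a small POSIX shell helper that performs the blacklist check described above: it reports any active, uncommented line in a slackpkg blacklist file that contains the “[0-9]+alien” pattern and can strip such lines while leaving comments alone. The sample blacklist contents and the temporary file path are constructed for the demonstration; on a real system you would point it at /etc/slackpkg/blacklist.

```shell
#!/bin/sh
# Added example: detect and remove a "[0-9]+alien" line from a slackpkg
# blacklist file. Sample contents below are constructed for the demo.

# Write a constructed sample blacklist to the path given as $1.
make_sample_blacklist() {
    cat > "$1" <<'EOF'
# This is a blacklist file. Any packages listed here won't be
# upgraded, removed, or installed by slackpkg.
kernel-generic
kernel-huge
# The line below hides all packages with the "alien" build tag:
[0-9]+alien
# Commented-out copy, which is harmless:
#[0-9]+alien
EOF
}

# Print (with line numbers) every active line of blacklist $1 that contains
# the literal "[0-9]+alien" pattern, ignoring lines commented out with '#'.
# Exit status is 0 when at least one such line exists, 1 otherwise.
find_alien_blacklist() {
    grep -n -E '^[^#]*\[0-9\]\+alien' "$1"
}

# Rewrite blacklist $1 without the active "[0-9]+alien" lines.
# Comment lines are kept so the file stays readable for the administrator.
remove_alien_blacklist() {
    tmp="$1.tmp.$$"
    grep -v -E '^[^#]*\[0-9\]\+alien' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Demo run on a temporary file (assumption: mktemp is available).
demo_file=$(mktemp) || exit 1
make_sample_blacklist "$demo_file"
if find_alien_blacklist "$demo_file"; then
    echo "blacklist would hide the alien packages; removing the line(s)"
    remove_alien_blacklist "$demo_file"
fi
if find_alien_blacklist "$demo_file" >/dev/null; then
    echo "alien packages are still blacklisted"
else
    echo "alien packages are not blacklisted"
fi
rm -f "$demo_file"
```

The pattern is matched as literal text (the brackets and plus sign are escaped in the extended regular expression), so a line such as “#[0-9]+alien” that is already commented out is correctly ignored rather than reported as a problem.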

Recommended reading material

There have been several posts now about KDE 5 for Slackware-current. All of them contain useful information, tips and gotchas that I do not want to repeat here, but if you want to read them, here they are: http://alien.slackbook.org/blog/tag/kde5/

A note on Frameworks

The KDE Frameworks are extensions on top of Qt 5.x and their usability is not limited to the KDE Software Collection. There are other projects which rely (in part) on the KDE Frameworks, and if you are looking for a proper Frameworks repository which is compatible with Slackware package managers such as slackpkg+, then you can use these URLs to assure yourself of the latest Frameworks packages for Slackware-current (indeed, this is a sub-tree of my KDE 5 “testing” repository):

Where to get the new packages for Plasma 5

Download locations are listed below (you will find the sources in ./source/5/ and packages in /current/5/ subdirectories). If you are interested in the development of KDE 5 for Slackware, you can peek at my git repository too.

Using a mirror is preferred because you get more bandwidth from a mirror and it’s friendlier to the owners of the master server!

Have fun! Eric

July ’15 Security fixes for Adobe’s Flash web plugins (extra critical)

The recent hack of the “Hacking Team”, a company that makes money from creating spyware for repressive governments, has uncovered evidence that they have been exploiting a yet unknown security hole which is present in all Adobe Flash players since version 7. Obviously based on the information obtained from the public dump of Hacking Team’s 400 GB Intranet data, there’s a Zero-Day exploit out there in the wild that is actively targeting computers (thanks mancha for the link). Adobe have released patched Flash player plugins today that fix this security hole and you are all urgently advised to update your flash player packages.

For your information: The updated Slackware package for chromium-pepperflash-plugin has version 18.0.0.204. The updated flashplayer-plugin has version 11.2.202.481. The Chromium plugin was taken from the Google Chrome 43.0.2357.132 RPM which was released yesterday. New packages for my own chromium package based on the sources of that same version are underway, expect those tomorrow.

Download locations for the Flash plugins:

If you are using the slackpkg+ extension for slackpkg, then you just run “slackpkg update && slackpkg update flash”. Alternatively, you can subscribe to my repository RSS feed to stay informed of any updates.

Eric


© 2024 Alien Pastures
