Last week was a black page in Open Source security with the publication of the Heartbleed vulnerability. For those of you who think the hype is overrated and no one will be able to get at your private keys and passwords, better check out the results of the Cloudflare Challenge (the SSL certificate for that site has been revoked in order to stop it from being abused so that page won’t load). Cloudflare’s security engineers were unable to exploit the vulnerability and retrieve their server’s private key so they confidently made it a public challenge… and at least three people independently obtained the server’s private key through the exploit! Proof was given by posting messages signed with that same private key. Read all about it on the Cloudflare blog. Don’t take this vulnerability too lightly! Slackware 14.0, 14.1 and -current users should apply the openssl patch packages as soon as possible. And if your machine was exposed to the Internet, running a secure web server (https://) then it is wise to revoke your SSL certificate and create a new one. It may also be a good idea to change the passwords of the accounts on that server.
Not just OpenSSL-protected web sites are affected; regular “client” software can be abused by attacks when these applications contain the vulnerable code because they statically link to the openssl library. I’ll post some more later, but here is the first fix:
The Document Foundation added a fix for Heartbleed to their latest LibreOffice 4.2.3 (codenamed ‘Fresh’) release. It took an additional day for me to get rid of the bugs in my revised SlackBuild script, because I had decided to split the “big” libreoffice package in three sub-packages. The SDK documentation (several hundreds of MB) has now moved into a separate package “libreoffice-sdkdoc” which you will not need unless you are a developer. And the KDE integration libraries have been moved into their own package as well: “libreoffice-kde-integration”. It’s these libraries which give the LibreOffice user interface the “KDE look” when you are running KDE, and make it use the KDE file dialogs. Some people experienced issues in KDE which were solved by removing these KDE libraries, and the new sub-package was born to help you get a better experience out of LibreOffice on Slackware. Note that if you are on KDE and simply “upgradepkg” the libreoffice package, your application will suddenly look very out of style, having switched to a GTK look & feel. All you need to do is “installpkg” the new libreoffice-kde-integration package.
If you are in need of stability, note that the official statement from the Document Foundation is that LibreOffice 4.2.3 is “the most feature rich version of the software, and is suited for early adopters willing to leverage a larger number of innovations. For enterprise deployments and for more conservative users, The Document Foundation suggests the more mature LibreOffice 4.1.5“. You can find Slackware packages for LibreOffice 4.1.5 in my repository onder the “14.0”directory. They were built on Slackware 14.0 and work well on Slackware 14.1 and -current.
Packages for Slackware 14.1 and -current are ready for download from the usual mirror locations:
- http://www.slackware.com/~alien/slackbuilds/libreoffice/ (master site)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/libreoffice/ (my own US mirror)
- http://repo.ukdw.ac.id/alien-libreoffice/ (Indonesia)
- http://alien.slackbook.org/slackbuilds/libreoffice/ (US)
- http://slackware.org.uk/people/alien/slackbuilds/libreoffice/ (UK)