About this blog

I am Eric Hameleers, and this is where I think out loud.
Security week

This week and the last, I have pushed quite a few packages into my repository that are meant to enhance the safety of your Slackware computer. If you have not been hiding under a stone for the past couple of weeks, you will have read about the Spectre/Meltdown vulnerabilities that plague many CPUs. Mostly Intel CPUs, but the less harmful variants are also affecting AMD and ARM CPUs. The broader Linux community is working hard to mitigate the effects of these vulnerabilities, and new kernels have landed in Slackware that have been recompiled with patched compilers so that the vulnerabilities will be harder (or impossible) to exploit.

These patched GCC compilers in Slackware 14.2 and -current needed a multilib variant of course, so you will find those in my multilib repository. For Slackware 14.2 that’s a set of all-new gcc-5.5.0 packages, i.e. the latest gcc 5 release available. In Slackware-current it’s of course the latest gcc 7: version 7.3.0. These compilers support “-mindirect-branch=thunk-extern”, allowing full mitigation of Spectre v2 in the kernel (when CONFIG_RETPOLINE is used).
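To check whether a machine actually benefits from the retpoline-capable compiler, the following added example (not part of the original post) reads the kernel's own Spectre v2 status and tests whether the installed gcc accepts the flag. The sysfs path and the status strings are the Linux kernel's, not taken from this post; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: verify the Spectre v2 mitigation state described in the post.

# Map the kernel's spectre_v2 status line to a short verdict.
# "Vulnerable: Minimal ..." is what a CONFIG_RETPOLINE kernel reports when it
# was built with a compiler that lacks -mindirect-branch=thunk-extern.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)        echo "not-affected" ;;
        "Mitigation:"*)         echo "mitigated" ;;
        "Vulnerable: Minimal"*) echo "minimal-retpoline" ;;
        "Vulnerable"*)          echo "vulnerable" ;;
        *)                      echo "unknown" ;;
    esac
}

# Succeeds when the given compiler (default: gcc) accepts the retpoline flag.
# Compile-only (-c), so no external thunk symbol has to be linked.
compiler_supports_thunk_extern() {
    cc=${1:-gcc}
    command -v "$cc" >/dev/null 2>&1 || return 1
    echo 'int main(void){return 0;}' |
        "$cc" -mindirect-branch=thunk-extern -x c -c - -o /dev/null 2>/dev/null
}

# Print a two-line report for the running system.
report() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        status=$(cat "$f")
    else
        status=""   # kernel predates the sysfs vulnerabilities interface
    fi
    echo "kernel:   $(classify_spectre_v2 "$status") (${status:-no sysfs entry})"
    if compiler_supports_thunk_extern gcc; then
        echo "compiler: gcc accepts -mindirect-branch=thunk-extern"
    else
        echo "compiler: gcc missing or lacks -mindirect-branch=thunk-extern"
    fi
}

report
```

A "minimal-retpoline" verdict means the kernel should be rebuilt with (or replaced by one built with) the patched compiler; out-of-tree kernel modules need the same compiler to keep the mitigation complete.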

Then there were the monthly Flash security vulnerabilities, patched by Adobe in version 28.0.0.161 of the flashplayer-plugin (NPAPI plugin for Mozilla based browsers) and the chromium-pepperflash-plugin (PPAPI plugin for Chromium based browsers).  This one was particularly nasty because a 0-day exploit was used actively to gain full control of vulnerable computers (including Linux computers).

The update of Chromium to version 64.0.3282.140 fixed one security-related bug, but the previous stable release (the first 64 version I packaged two weeks ago) actually plugged a series of serious vulnerabilities with CVEs assigned to them. So, time to upgrade!
And this latest Chromium package of mine has one additional feature: I enabled HEVC/H.265 video playback in the embedded ffmpeg engine. Try it out here: http://www.h265files.com/embed-h265-video.php and notice that most other browsers (except Microsoft Edge and Apple Safari) do not support this video codec. Unfortunately, the online HTML5 tester does not detect this HEVC playback capability.

Another browser’s security update: Pale Moon plugs two vulnerabilities with their 27.7.2 release. Updated package available in my repository of course.

 

And to end this series, I will soon upload a patched plasma-workspace-5.11.3 package for Slackware64 14.2, for those of you who are running my ‘ktown’ Plasma5 desktop.
A vulnerability was discovered, allowing arbitrary command execution in the removable device notifier.
This bug is already fixed in Plasma 5.12, so those who run the Plasma5 Desktop on Slackware-current only need to wait until tomorrow to get an all-new monthly set of packages among which Plasma 5.12. Watch this blog for the news!

Comments

Comment from CWizard
Posted: February 9, 2018 at 21:05

Above and Beyond the Call….
Many thanks for all your hard work!
It is truly appreciated.

Comment from BrianA_MN
Posted: February 9, 2018 at 22:22

I just want to thank you for all the updates you continue to supply.

Comment from Robby
Posted: February 10, 2018 at 09:13

Thanks for all the hard work Eric. Know that it is greatly appreciated!

Comment from kjhambrick
Posted: February 11, 2018 at 19:34

Wow Eric !

Thanks a million for all your work

— kjh

Comment from Drakeo
Posted: February 12, 2018 at 22:45

I see on current your kde5 latest 2/12/2018 libtinfo has become an issue building chromium. I noticed ldconfig is not adding new libs on fresh install. Hope this helps. I know all about the libtinfo.so.5 linking it. glibc has changed? I have been building cef3 a long time.

Comment from alienbob
Posted: February 12, 2018 at 23:14

My collection of Plasma5 (KDE5 if you wish) packages do not contain libtinfo, that package is part of Slackware-current.

I don’t install a libtinfo 5.x package anymore before compiling Chromium – it is not needed anymore. May be interesting to know that I compile the chromium package in my -current repository on Slackware 14.2 ….
Slackware-current ships a libtinfo.so.6.0 but it never harmed the build.
I ran a test build of chromium-64.0.3282.119 on slackware64-current as recent as Feb 6th and did not experience any failures… you may have a local issue.

Comment from Ricardo J. Barberis
Posted: February 13, 2018 at 19:51

Eric, thank you for the updates, especially plasma-workspace for Slackware 14.2, very much appreciated!! 🙂

Comment from Eduardo
Posted: February 16, 2018 at 12:57

Thank you Eric!
