Security week

This week and the last, I have pushed quite a few packages into my repository that are meant to enhance the safety of your Slackware computer. If you have not been hiding under a stone for the past couple of weeks, you will have read about the Spectre/Meltdown vulnerabilities that plague many CPUs. Mostly Intel CPUs, but the less harmful variants also affect AMD and ARM CPUs. The broader Linux community is working hard to mitigate the effects of these vulnerabilities, and new kernels have landed in Slackware that have been recompiled with patched compilers so that the vulnerabilities will be harder (or impossible) to exploit.

These patched GCC compilers in Slackware 14.2 and -current needed a multilib variant of course, so you will find those in my multilib repository. For Slackware 14.2 that’s a set of all-new gcc-5.5.0 packages, i.e. the latest gcc 5 release available. In Slackware-current it’s of course the latest gcc 7: version 7.3.0. These compilers support “-mindirect-branch=thunk-extern”, allowing full mitigation of Spectre v2 in the kernel (when CONFIG_RETPOLINE is used).
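As an added check, not part of this post or of the Slackware packages, here is a small POSIX shell script that confirms the installed compiler accepts -mindirect-branch=thunk-extern and reads the Spectre v2 status the kernel reports under /sys/devices/system/cpu/vulnerabilities (present on kernels that carry the Spectre patches). The classification function, its categories and the sample strings in it are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper script (added example, not from Slackware or the author).
# 1) Does the C compiler accept the retpoline option the kernel build needs?
# 2) What mitigation does the running kernel report for Spectre v2?

CC="${CC:-gcc}"

# Returns 0 if the compiler accepts -mindirect-branch=thunk-extern (the option
# a CONFIG_RETPOLINE kernel build requires), non-zero otherwise.
gcc_supports_retpoline() {
    printf 'int main(void) { return 0; }\n' |
        "$1" -mindirect-branch=thunk-extern -c -x c - -o /dev/null 2>/dev/null
}

# Classify the text found in /sys/devices/system/cpu/vulnerabilities/spectre_v2.
# Prints one of: not-affected, mitigated-retpoline, mitigated-other,
# vulnerable, unknown (constructed categories for this example).
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)           echo not-affected ;;
        Mitigation:*[Rr]etpoline*) echo mitigated-retpoline ;;
        Mitigation:*)              echo mitigated-other ;;
        Vulnerable*)               echo vulnerable ;;
        *)                         echo unknown ;;
    esac
}

# Read the sysfs entry if it exists; kernels without the Spectre patches do
# not have it, so report that instead of failing.
current_spectre_v2() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then cat "$f"; else echo "(no sysfs entry)"; fi
}

report() {
    if gcc_supports_retpoline "$CC"; then
        echo "$CC: accepts -mindirect-branch=thunk-extern (retpoline-capable)"
    else
        echo "$CC: rejects -mindirect-branch=thunk-extern; cannot build kernel retpolines"
    fi
    status=$(current_spectre_v2)
    echo "kernel spectre_v2: $status -> $(classify_spectre_v2 "$status")"
}

report
```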

Then there were the monthly Flash security vulnerabilities, patched by Adobe in version 28.0.0.161 of the flashplayer-plugin (NPAPI plugin for Mozilla based browsers) and the chromium-pepperflash-plugin (PPAPI plugin for Chromium based browsers). This one was particularly nasty because a 0-day exploit was used actively to gain full control of vulnerable computers (including Linux computers).

The update of Chromium to version 64.0.3282.140 fixed one security related bug, but the previous stable release (the first 64 version I packaged two weeks ago) actually plugged a series of serious vulnerabilities with CVEs assigned to them. So, time to upgrade!
And this latest Chromium package of mine has one additional feature: I enabled HEVC/H.265 video playback in the embedded ffmpeg engine. Try it out here: http://www.h265files.com/embed-h265-video.php and notice that most other browsers (except Microsoft Edge and Apple Safari) do not support this video codec. Unfortunately, the online HTML5 tester does not detect this HEVC playback capability.

Another browser’s security update: Pale Moon plugs two vulnerabilities with their 27.7.2 release. Updated package available in my repository of course.


And to end this series, I will soon upload a patched plasma-workspace-5.11.3 package for Slackware64 14.2, for those of you who are running my ‘ktown’ Plasma5 desktop.
A vulnerability was discovered, allowing arbitrary command execution in the removable device notifier.
This bug is already fixed in Plasma 5.12, so those who run the Plasma5 Desktop on Slackware-current only need to wait until tomorrow to get an all-new monthly set of packages among which Plasma 5.12. Watch this blog for the news!

9 thoughts on “Security week”




  1. Pingback: Links 10/2/2018: GNU/Linux in Slot Machines, VLC 3.0, Mesa 18.0 RC4 | Techrights


  2. I see on current your kde5 latest 2/12/2018 libtinfo has become an issue building chromium. I noticed ldconfig is not adding new libs on fresh install. Hope this helps. I know all about the libtinfo.so.5 linking it. glibc has changed? I’ve been building cef3 a long time.


  3. My collection of Plasma5 (KDE5 if you wish) packages do not contain libtinfo, that package is part of Slackware-current.

    I don’t install a libtinfo 5.x package anymore before compiling Chromium – it is not needed anymore. It may be interesting to know that I compile the chromium package in my -current repository on Slackware 14.2 ….
    Slackware-current ships a libtinfo.so.6.0 but it never harmed the build.
    I ran a test build of chromium-64.0.3282.119 on slackware64-current as recently as Feb 6th and did not experience any failures… you may have a local issue.



