My thoughts on Slackware, life and everything

Tag: cve (Page 6 of 21)

Chromium security updates (and fix for 32-bit crash)

I have updated the ‘chromium’, ‘chromium-ungoogled’ and ‘chromium-widevine-plugin’ packages in my repository.

For Chromium (-ungoogled) these are security updates. The new 89.0.4389.90 release addresses several critical vulnerabilities (it’s actually the third release in the 89 series in rapid succession, each fixing critical bugs), but in particular it plugs a zero-day that is being exploited in the wild: CVE-2021-21193. You are urged to update your installation of Chromium (-ungoogled) ASAP.

I made chromium-ungoogled also available for Slackware 14.2, I hope that makes some people happy.

Since I had to build packages anyway, I took the opportunity to apply a patch that fixes the crashes on 32-bit systems with glibc-2.33 installed (i.e. on Slackware-current).
In that same chromium-distro-packagers group that is the home of the discussion about Google’s decision to cripple 3rd-party Chromium browsers, I had asked the Chromium team to address the crash Slackware users are experiencing. Google no longer offers 32-bit binaries, which means issues like these are unlikely to be caught in their own tests, but luckily they are listening to the packagers who do build 32-bit binaries. The fix took a while to actually get implemented, but in the end it all worked out. I assume that the patch will end up in the Chromium source code after it passes the internal review process.

The Widevine plugin package for which I provided an update, is meant for chromium-ungoogled only. The ‘real’ Chromium does not need or use it, since Chromium downloads this CDM library automatically for you. The change to the package is small: it adds a compatibility symlink. That is not needed for chromium-ungoogled itself, but I was alerted to the fact that Spotify specifically looks for ‘libwidevinecdm.so’ in the toplevel Chromium library directory. The update takes care of that.

Also, this was the last package which I compiled for Chromium that contains my Google API key as well as the OAuth client/secret credentials. I noticed that Chromium still works as before, even now after the 15 March deadline has passed, but future builds of my package will only contain my API key. That will leave Safe Browsing functional, but it removes Chrome Sync and other features. If you still want Chrome Sync to work with Chromium, I will point you to “/etc/chromium/01-apikeys.conf” in my future packages; take inspiration from its content.

Have fun!
Eric

Chromium 86 update resolves critical security issue

Google developers have released Chromium 86 to the public. Head over to the “Stable Channel” blog to read more details about this new major version.

And then get the fresh packages for chromium-86.0.4240.75! This is an urgent upgrade request, because the new release plugs a critical security hole in the online payments code which gives an attacker full access to your local machine (CVE-2020-15967: Use after free in payments).

Chromium 86 addresses 34 other security issues, none of which are critical.

The 86 release comes with some nice new features, like:

  • Background Tab Throttling: the tabs that you have open in the background get ‘throttled’ after 5 minutes of inactivity, so that they consume at most 1% of the CPU time.
  • HTTP forms on an HTTPS page: Chromium will warn you if you are about to enter form data over an insecure connection embedded in a secure web page.
  • Quick password check enhancements: in the Settings page for passwords (chrome://settings/passwords) you’ll find a “password check” button which validates your stored passwords against the database of leaked passwords. And now in Chromium 86, it will attempt to automatically open the “password change” page for affected web sites that conform to the “well-known URL for changing passwords” W3C draft specification, which many web sites already adopted after Apple initially introduced the feature.

But also this is useful to know:

  • FTP protocol deprecation: In Chromium 86, support for FTP URLs will be disabled for 1% of users, but you can still re-enable FTP URL support via the “--enable-ftp” command-line parameter to chromium. In Chromium 87, the support for FTP will be disabled for 50% of the active users, and Chromium 88 will no longer support FTP links.
    The expectation is that Chromium 88 hits the “stable channel” on January 19th, 2021. Be warned!

Slackware packages for Chromium 86.0.4240.75 are in my package repository as 64bit and 32bit versions for both Slackware 14.2 and -current. See: https://slackware.nl/people/alien/slackbuilds/chromium/ (rsync://slackware.nl/mirrors/people/alien/slackbuilds/chromium/)

Enjoy! Eric

Chromium 84 packages available for Slackware

It took a bit longer than usual to come up with packages for the recently released Chromium 84. Google’s “Stable Channel” blog for Chrome announced the version 84.0.4147.89 just over a week ago, but as I was traveling at the time (without computer) new packages needed to wait.

And just when I uploaded these packages to the mirror server I discovered that Google already released an update yesterday: 84.0.4147.94. That will have to wait since again I am busy at the moment. Enjoy the first 84 release though!

Chromium 84 sees a lot of bugs fixed, of which 38 are security fixes. There’s also the usual UI and engine improvements but there’s really not much visible on the User Interface side. With one exception: the ‘spam’ notification popups which some web sites bothered you with are now hidden by default under a button in the URL bar. By clicking that button you can decide to show the blocked popups (or not). This feature was implemented earlier by Mozilla in their Firefox browser where it was highly valued by its users.
Under the hood, the most notable change is that Google has removed support for the insecure TLS 1.0 and TLS 1.1 protocol versions. Web servers which still use only these for their HTTPS content will be blocked by default and you’ll see an error.
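To find out before your visitors do whether a server you run still depends on TLS 1.0/1.1, here is an added example (not from this post or from the Chromium project) that probes a host with the openssl command-line tool once per TLS version; it assumes an `openssl` binary is installed, and the hostname and port are supplied by you.

```shell
#!/bin/sh
# Added example: report which TLS protocol versions an HTTPS server accepts.
# A server that only answers "accepted" for 1.0/1.1 will show an error in
# Chromium 84 and later. Requires the openssl CLI (assumption).

# Classify one openssl s_client transcript. Pure text function so it can be
# tested offline: openssl prints "New, TLSv1.2, Cipher is ECDHE-..." after a
# successful handshake and "New, (NONE), Cipher is (NONE)" after a failed one.
classify_tls_output() {
    case "$1" in
        # The local OpenSSL build refuses to even offer this version
        # (e.g. MinProtocol in openssl.cnf); not a verdict about the server.
        *"no protocols available"*) echo unsupported-by-client ;;
        *"Cipher is (NONE)"*)       echo rejected ;;
        *"Cipher is "*)             echo accepted ;;
        *)                          echo rejected ;;
    esac
}

# Map a TLS version label to the openssl s_client flag that forces it.
tls_flag() {
    case "$1" in
        1.0) printf '%s\n' -tls1 ;;
        1.1) printf '%s\n' -tls1_1 ;;
        1.2) printf '%s\n' -tls1_2 ;;
        1.3) printf '%s\n' -tls1_3 ;;
        *)   return 1 ;;
    esac
}

# Probe one host:port for one TLS version and print the verdict.
probe_tls() {
    host=$1; port=${2:-443}; ver=$3
    flag=$(tls_flag "$ver") || { echo "unknown TLS version: $ver" >&2; return 2; }
    # </dev/null closes the session as soon as the handshake result is known.
    out=$(openssl s_client "$flag" -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    echo "TLS $ver: $(classify_tls_output "$out")"
}

# Usage: sh tlscheck.sh www.example.com [port]   (hostname is yours to supply)
if [ -n "$1" ]; then
    for v in 1.0 1.1 1.2 1.3; do
        probe_tls "$1" "${2:-443}" "$v"
    done
fi
```

A healthy result for a Chromium 84 audience is "rejected" (or "unsupported-by-client") for 1.0 and 1.1 and "accepted" for at least 1.2.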

Slackware packages for Chromium 84.0.4147.89 are in my package repository already. They are available as 64bit versions for both Slackware 14.2 and -current and a 32bit version only for Slackware-current.
There is no new 32bit package for Slackware 14.2 unfortunately, because I have been unsuccessful in my attempts to compile the package. Let’s hope future releases allow me to compile the 32bit package for 14.2 again…

Note that because of the changed status of the Widevine library (which is now automatically downloaded and kept updated by the browser), a separate “chromium-widevine-plugin” package containing the Widevine DRM library is no longer required. Widevine is a Content Decryption Module (CDM) used by companies like Netflix and Disney+ to stream video to your computer in a Chromium browser window.

Also note (to the purists among you): even though support for the Widevine CDM plugin has been built into my chromium package, that package is still built from Open Source software only. If you do not want the Widevine DRM library to be downloaded at all, you will have to recompile the chromium package after setting “USE_CDM=0” in the chromium.SlackBuild script. This can not be disabled at run-time.

Chromium packages: https://slackware.nl/people/alien/slackbuilds/chromium/ (rsync://slackware.nl/mirrors/people/alien/slackbuilds/chromium/)

Enjoy! Eric

Chromium and LibreOffice updates

Due to the Corona (COVID-19) crisis, Google decided to postpone the introduction of Chromium 81 to the stable channel. That is understandable given the challenges created by sending most developers home for their own safety and protection, which makes for less efficient work schedules.
Instead, there is an increased focus on addressing security related issues in Chromium 80 and releasing those in rapid succession. After all, any crisis attracts the worst of humankind to mess with the more gullible part of the population, and browser-based phishing and hack attempts are on the rise.

And so, yesterday there was another version upgrade, and I built the new chromium packages for Slackware 14.2 and -current already. The chromium-80.0.3987.149 release can be downloaded from any mirror – or upgraded using slackpkg/slackpkg+ if you use that.

In addition, new LibreOffice packages are available for Slackware -current.

You’ll get the latest and greatest ‘fresh’ release of 6.4.2 and unfortunately, no new packages for Slackware 14.2. I am unable to compile the 6.3 or 6.4 releases on the stable version of Slackware due to outdated/obsoleted libraries.

Note: among the packages for LibreOffice that are targeting Slackware-current, you will find a “libreoffice-kde-integration” package which adds Qt5 and KDE5 (aka Plasma5) support to the LibreOffice suite.
If you run Slackware-current but do not have KDE5 packages installed at all, don’t worry. LibreOffice will work great – the KDE integration package just will not add anything useful for you. On the other hand, if you have Plasma5 installed you will benefit from native file selection dialog windows and other integration features. And even if you do not have Plasma5 but you do have Qt5 installed, then you will be able to run LibreOffice with Qt5 User Interface elements instead of defaulting to GTK3.

If you want to compile LibreOffice 6.4.2 packages yourself using my SlackBuild script, then be aware that by default the KDE5 support is disabled. You will have to set the value of the script parameter “ADD_KDE5” to “YES”. Additionally you will have to install the packages that this functionality depends on, otherwise the compilation will fail.
Read the ‘README.kde5’ file in the source directory for the list of packages you’ll need. All of the required packages can be found in my ‘ktown’ repository: https://slackware.nl/alien-kde/current/latest/

Enjoy! Eric

Updated packages in the past weeks: Plasma5, gcc_multilib, openjdk7 and more

I do regular updates of packages in my repository. I focus on the software that is popular, or relevant to Slackware. For the software with a high visibility I usually write a blog post to alert people to the new stuff.
During the last couple of weeks I have not been writing so much about updates due to personal circumstances, some of it has to do with the Corona outbreak.

I was also affected by the death of Erik Jan Tromp (Slackware’s alphageek) early March, just after I visited him for a final time in his apartment in Leeuwarden.

Anyway, here is a summary of what was refreshed during these weeks.

The new KDE-5_20.03 batch is now available for download from my ‘ktown’ repository. As always, please remove KDE4 first (check the README for instructions if you still need those). These packages will not work on Slackware 14.2.
This March release contains the KDE Frameworks 5.68.0, Plasma 5.18.3 and Applications 19.12.3. All this on top of Qt 5.13.2.

Deps:
The most interesting event this month is of course the addition of qt5 and its dependencies to Slackware-current itself. I could remove several packages from my own ktown ‘deps’ section: OpenAL (renamed to openal-soft in Slackware), SDL_sound (integrated into Slackware’s sdl package), brotli, hyphen, libxkbcommon, socat, qt5, qt5-webkit, wayland, wayland-protocols and woff2.
I also updated the sip package so its version matches again with that in Slackware (the ktown version has Qt5 support which the Slackware version still needs to pick up). The qca-qt5 package was updated to the latest version.

Frameworks:
Frameworks 5.68.0 is an incremental stability release, see: https://www.kde.org/announcements/kde-frameworks-5.68.0.php.

Plasma:
Plasma 5.18.3 is the fourth incremental release of 5.18 LTS (Long Term Support). See https://www.kde.org/announcements/plasma-5.18.0.php for the full announcement, including several videos portraying the strong points of KDE’s desktop environment, and https://www.kde.org/announcements/plasma-5.18.3.php for information on these latest updates.

Plasma-extra:
In plasma-extra I updated latte-dock.

Applications:
Applications 19.12.3 is a stability and bugfix update for the 19.12 cycle. Remember that I still call this ‘Applications’ but KDE folk prefer the new name ‘Releases’. See https://kde.org/announcements/releases/2020-03-apps-update/

Applications-extra:
In applications-extra I updated kstars and added a new package: labplot.

Telepathy:
KDE Telepathy is no longer part of my ‘ktown’ distribution of KDE Plasma5.

PAM support

My ‘ktown’ has two sub-repositories. The ‘latest’ sub-repository is always meant to be used with the official Slackware-current packages, and the ‘testing’ sub-repository is where I test stuff that is not yet ready to be adopted by the larger population.

Since last month, Slackware’s own ‘/testing’ area contains a set of packages that add PAM support to Slackware. My regular ktown aka ‘latest’ repository content is meant for an up-to-date Slackware-current without PAM. The ‘testing’ repository on the other hand is compiled against a pam-ified Slackware and can be used if you have added the new ‘testing’ PAM packages of Slackware-current to your system.
The packages that picked up PAM support are: kscreenlocker and plasma-workspace (in the ‘plasma’ directory), and sddm-qt5 (in ‘plasma-extra’). A new package has been introduced as well: kwallet-pam (in the ‘plasma’ directory).

Where to get KDE Plasma5 for Slackware

Download the KDE-5_20.03 from the usual location at https://slackware.nl/alien-kde/current/ or one of its mirrors like http://slackware.uk/people/alien-kde/current/ .
Check out the README file in the root of the repository for detailed installation or upgrade instructions.

Development of Plasma5 is tracked in git: https://git.slackware.nl/ktown/ .

A new Plasma5 Live ISO is available at https://slackware.nl/slackware-live/latest/ (rsync://slackware.nl/mirrors/slackware-live/latest/) with user/pass being “live/live” as always.

While I was working on new Plasma5 packages, Pat Volkerding released packages for gcc 9.3.0 for Slackware-current. When I told him I did not have the time to compile multilib versions for the new gcc because I was busy, Pat responded by updating the gcc-multilib.SlackBuild script and compiling a set of multilib gcc packages for me. So what you download from my multilib repository was actually built by Pat this time.

For those who still use the older Java7, I updated my openjdk7/openjre7 packages to 7u251_b02 with the help of IcedTea 2.6.21 release. This is a security bugfix release, as these Java releases always are I guess.
I get questions from time to time why I do not release packages for Java 11, and my answer always is: I do not see the need. I build my packages using IcedTea framework and when they add support for newer Java versions than 8, I will release packages for that too.

There were several Chromium 80 updates in rapid succession during the last month, and the most recent version you can get from my repository now is 80.0.3987.132. I realize that there’s even a slightly newer release available but there’s only so much time to work on Slackware.

The advantage of having Qt5 in Slackware nowadays, is that it becomes a lot easier to compile a Calibre package for slackware-current. Nevertheless, the calibre package for Slackware 14.2 is still big because my Calibre packages contain all the dependencies inside and the version for Slackware 14.2 includes qt5 libraries.

I am regularly updating packages that are part of my ‘Digital Audio Workstation’ collection.
During the past weeks I updated the MuseScore package (MuseScore can create, play back and print music scores) and along with that I updated the Qt5 based QjackCtl graphical interface to the Jack2 audio server.
For my own laptop and desktop, I am now starting qjackctl in Plasma5 on login, and all my ALSA and Pulseaudio sound now pipes through Jack into my speakers without the need to change anything in Slackware’s default ALSA and Pulseaudio configurations.

Have fun! Eric

© 2024 Alien Pastures