Tag: exploit (Page 1 of 2)

Chromium 100 out-of-band security update addresses (again) a single vulnerability

April 6, 2022 / alienbob / 18 Comments

I have uploaded new chromium 100 packages for Slackware. The chromium-ungoogled 100 packages are currently being built and will follow shortly.
What’s with all these updates that follow rapidly on each others’ heels? Just like the recent Chromium 99 security update which addressed a single critical vulnerability, last monday Google announced on their official blog the immediate availability of Chromium 100.0.4896.75. This hotfix release plugs a single hole which Google deemed serious enough to warrant the update. See CVE-2022-1232. The difference with last week is that no known exploit of this vulnerability is reported yet.
Still, it’s highly recommended that you upgrade ASAP.

My Chromium 100.0.4896.75 packages can be downloaded from my own repository (or any mirror that has synced up), for instance:

Once I have finished compiling the un-googled version of chromium and uploaded the packages, I will mention it in the comments section below and you can download them from: https://slackware.nl/people/alien/slackbuilds/chromium-ungoogled/ or https://us.slackware.nl/people/alien/slackbuilds/chromium-ungoogled/ .

Until I get tired of compiling for Slackware 14.2 (aka once I have migrated my last server to 15.0) these packages will work on Slackware 14.2 and newer. I provide 32bit as well as 64bit variants.

Eric

Another Chromium 96 update to patch a 0-day exploit

December 15, 2021 / alienbob / 10 Comments

I have uploaded a set of new packages for Chromium 96.0.4664.110. The package updates for chromium-ungoogled will follow shortly, they are still compiling.

This update follows on the heels of the previous one, and addresses a couple of severe/critical bugs.
One of them (being labeled as CVE-2021-4102, ‘use-after-free issue in the V8 JavaScript engine‘) is a zero-day vulnerability which is already actively exploited in the wild, according to Google’s report.

This is an urgent request to upgrade your package.
You can get the chromium and chromium-ungoogled packages from slackware.nl or its mirrors.

Eric

Update (Thu Dec 16 08:13:10 UTC 2021): packages for chromium-ungoogled are updated now as well. The slackware.com server is down but you can download from slackware.nl or any mirror.

Update your Chromium to 93.0.4577.82

September 15, 2021 / alienbob / 12 Comments

Today, I uploaded a set of Chromium 93.0.4577.82 packages for Slackware 14.2 and -current (32-bit as well as 64-bit).

According to yesterday’s official announcement on the Google blog, this release patches a number of vulnerabilites and two of them are zero-day vulnerabilities that are actively being exploited online.

The advice is to upgrade Chromium on your Slackware 14.2 and -current computers as soon as possible.

The ungoogled-chromium sources are lagging behind as usual, but I have hopes that a new source tarball will appear soon, now that we have a Chromium update which addresses multiple zero-days. Eloston, the project maintainer, seems AWOL but several contributors have a working patch set ready.

Stay safe! Eric

Chromium 78.0.3904.87 addresses an exploit in the wild

November 2, 2019 / alienbob / 2 Comments

The Chromium update of this week addresses a vulnerability for which an 0-day exploit is actively being used. It’s the CVE-2019-13720 (Use-after-free in audio) which was caught by Kaspersky’s exploit prevention program.

Fresh packages for Slackware 14.2 or -current are already available in my repository, so please upgrade at the earliest.

Cheers!

Eric

Update for OpenJDK 7 with IcedTea 2.3.4 plugs 0-day exploit.

January 16, 2013 / alienbob / 8 Comments

The past week was buzzing with the 0-day exploit for Oracle’s Java browser plugin, but according to CERT, the OpenJDK was affected as well by the underlying bug. Oracle “hastily” patched this critical vulnerability (CVE-2012-3174) although now it seems that only this particular “attack vector” was patched but the underlying vulnerability remains, leaving the way open to other exploits.

Come what may, an update of IcedTea followed soon after, which will build OpenJDK packages which incorporate fixes for the vulnerability. The version of IcedTea which I use (upped to 2.3.4) builds a OpenJDK 7 Update 9 package – the same version as we already have (no idea why they did not lift the update version to 10 or 11 unless this was a hasty fix for this particular 0-day exploit), so what I did for my openjdk & openjre packages was increase the package BUILD number from “1alien” to “2alien” so that you can use upgradepkg to upgrade to the new package.

It appears that one of the main developers: GNU.Andrew (Andrew John Hughes from Redhat) has not yet updated his blog with news of the new icedtea releases. The aforementioned mailinglist post was his, so I expect that he will update his blog with all the details soon.

Here is the list with security fixes in the IcedTea 2.3.4 build of OpenJDK 7u9:

Security fixes:
- S8004933, CVE-2012-3174: Improve MethodHandle interaction with libraries
- S8006017, CVE-2013-0422: Improve lookup resolutions
- S8006125: Update MethodHandles library interactions
Backports:
- S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts
Bug fixes:
- G422525: Fix building with PaX enabled kernels.

Get my packages (Slackware 13,37 and newer) for OpenJDK 7u9_b30 build 2alien here and upgrade as soon as you can:

http://slackware.com/~alien/slackbuilds/openjdk/ , the primary location (but slow)
http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/openjdk/ , my own fast mirror

Further packages that are recommended/required:

Optional: If you want a Java browser-plugin you must install icedtea-web (OpenJDK itself does not contain such a plugin).
Required: The rhino package is a dependency of the openjdk/openjre package. It contains the JavaScript engine for OpenJDK.

I will repeat these notes:

You need to install either the JRE or the JDK package. Not both of them! If you are not a Java developer and never compile Java code, then you do not need the openjdk package and it will be sufficient to install the (smaller) openjre package instead.
If you are migrating to OpenJDK after having used Oracle’s Java binaries, make sure that you have removed both “jre” and “jdk” packages. Run a command like “removepkg /var/log/packages/jdk-* ; removepkg /var/log/packages/jre-*” to get rid of both. Then install the openjdk or openjre package. Logout and log back in after this package removal/installation, so that you will get the proper Java environment.
Test your java browser plugin online: http://javatester.org/version.html or http://www.java.com/en/download/testjava.jsp .

After upgrading you should see this when running java or javac:

$ java -version
java version “1.7.0_09”
OpenJDK Runtime Environment (IcedTea7 2.3.4) (Slackware)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)
$ javac -version
javac 1.7.0_09

I tested the new packages with a short game of MineCraft and running JMol… and had no issues.

Good luck! Eric

April 2024
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Fri, 19 Apr 2024 19:34:45 GMT April 19, 2024
15.0/aaa_glibc-solibs-2.33_multilib-x86_64-6alien.txz: Rebuilt. 15.0/glibc-2.33_multilib-x86_64-6alien.txz: Rebuilt. Addresses CVE-2024-2961 (* Security fix *) 15.0/glibc-i18n-2.33_multilib-x86_64-6alien.txz: Rebuilt. 15.0/glibc-profile-2.33_multilib-x86_64-6alien.txz: Rebuilt. 15.0/slackware64-compat32: Refreshed the *compat32 packages. current/aaa_glibc-solibs-2.39_multilib-x86_64-2alien.txz: Rebuilt. current/glibc-2.39_multilib-x86_64-2alien.txz: Rebuilt. Addresses CVE-2024-2961 (* Security fix *) current/glibc-i18n-2.39_multilib-x86_64-2alien.txz: Rebuilt. current/glibc-profile-2.39_multilib-x86_64-2alien.txz: Rebuilt. current/slackware64-compat32: Refreshed the *compat32 packages.
Mon, 1 Apr 2024 15:52:53 GMT April 1, 2024
current/compat32-tools: added l/duktape and n/nss-mdns to massconvert32.sh. current/slackware64-compat32: Refreshed the *compat32 packages.

Thu, 25 Apr 2024 17:58:17 GMT April 25, 2024
l/PyQt-builder-1.16.2-x86_64-1.txz: Upgraded. l/fribidi-1.0.14-x86_64-1.txz: Upgraded. l/libarchive-3.7.3-x86_64-2.txz: Rebuilt. Patched an out-of-bound error in the rar e8 filter that could allow for the execution of arbitrary code. Thanks to gmgf for the heads-up. For more information, see: https://github.com/advisories/GHSA-2jc9-36w4-pmqw https://www.cve.org/CVERecord?id=CVE-2024-26256 (* Security fix *) n/bluez-5.75-x86_64-3.txz: Rebuilt. [PATCH] shared/uhid: Fix crash if bt_uhid_destroy free replay structure. Thanks to sombragris. n/libgpg-error-1.49-x86_64-1.txz: […]

SlackBuilds.org changes for Sat, 20 Apr 2024 14:15:42 GMT
academic/cadabra2: Updated for version 2.4.5.6. academic/kissat: Added (SAT solver). academic/lammps: Remove doinst.sh. academic/lammps: Updated for version 2023.08.02_update3. academic/rpy2: Upgrade to version 3.5.16 academic/x48: Fixed MD5SUM. audio/amSynth: Updated for version 1.13.3. audio/bitwig-studio: Updated to 5.1.7 audio/kanola: Removed (Upstream is gone). audio/mpdscribble: Switch to meson. desktop/Tela-icon-theme: Updated for version 2024_04_19. desktop/ansiweather: Added (Weather in terminal). desktop/jwm: Updated […]

Tag: exploit (Page 1 of 2)

Chromium 100 out-of-band security update addresses (again) a single vulnerability

Another Chromium 96 update to patch a 0-day exploit

Update your Chromium to 93.0.4577.82

The advice is to upgrade Chromium on your Slackware 14.2 and -current computers as soon as possible.

Chromium 78.0.3904.87 addresses an exploit in the wild

Update for OpenJDK 7 with IcedTea 2.3.4 plugs 0-day exploit.

About this blog

Sponsoring

Categories

Subscribe to Blog via Email

My Favourites

Online me

Slackware

Calendar

slackbuilds

multilib

Slackware64-current

SBo

Meta

Top Posts & Pages

Recent posts

Recent comments