VectorLinux
Author Topic: Danger! New exploit - VL standard vulnerable!  (Read 25299 times)
toothandnail
Tester
Vectorian
****
Posts: 2527


« Reply #15 on: September 18, 2008, 12:33:27 am »

I just tried the "fix" on my 5.9 standard system.  After it finished running, I got the message:

Quote
Executing install script for novmsplice-1.0_2.6.22.14-i586-1vl59...
Done

Would someone let me know if this "fix" was not necessary?  I plan on administering it to several other machines.

John


I would certainly apply it to any unpatched 5.9 Standard system.

paul.
Logged
never_stop_learning
Vectorite
***
Posts: 263


WWW
« Reply #16 on: September 18, 2008, 10:15:23 pm »

I just tried the "fix" on my 5.9 standard system.  After it finished running, I got the message:

Quote
Executing install script for novmsplice-1.0_2.6.22.14-i586-1vl59...
Done

Would someone let me know if this "fix" was not necessary?  I plan on administering it to several other machines.

John


I would certainly apply it to any unpatched 5.9 Standard system.

paul.

Is this patch required for 5.9 Light and/or 5.9 SOHO?
Logged

Laptop: IBM X60s (Centrino/Duo, 2gb ram, 80gb hd) VL 6.0 Std
Netbook: HP Mini (Intel Atom 1ghz, 2gb ram, 16gb SSD + 8gb flash ) VL 6.0 Std
Desktop: Dell Dimension 5150 (P4 3ghz, 2gb ram, 80gb hd) VL 6.0 Std
Wife's Desktop: Gateway (P4 2ghz, 1gb ram, 80gb hd) VL 6.0 Std
caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #17 on: September 18, 2008, 10:33:56 pm »

No, VL Light and VL SOHO were released months after Standard.  The kernel included in the iso is already patched.

There are quite a number of other security vulnerabilities in both Light and SOHO.  For example, the version of xine-lib included is vulnerable to both DOS and buffer overflow attacks.  A newer package is in our patches repository.  Similarly, Firefox and Seamonkey should be upgraded in SOHO.  The Seamonkey package is in patches.  If you don't need language packs go ahead and grab the Firefox 3.0.1 package out of testing.  It's only received positive comments so far. 

Basic rule:  if it's in patches it is either a bugfix or a security fix.  Some of those packages are already in SOHO and/or Light, some aren't.  The ones that aren't should be upgraded.
Logged

eMachines EL-1300G desktop, 1.6GHz AMD Athlon 2650e CPU, 4GB RAM, nVidia GeForce 6150 SE video
VLocity Linux 7.0-rc1

HP Mini 110 netbook, 1.6GHz Intel Atom CPU, 2GB RAM, Intel 950 video
VL 7.0 Light
sledgehammer
Vectorian
****
Posts: 1397



« Reply #18 on: September 19, 2008, 03:51:46 am »

After reading the recent comments of toothandnail, never_stop_learning, and caitlyn, I went to gslapt, disabled all but the "patches" repositories, then installed all patches which related to programs I know I use PLUS, when I was unsure, I installed those packages too.  Several times this involved a downgrade or a conflict with something else, and in those instances I did not install the patch.  Then I put the old repositories back into gslapt.

Was this, roughly, a wise thing to do? 

Is there an easy way to get 5.9 standard with the patches already installed?  We are putting it (5.9 standard) on about 20 machines this Saturday and it would be nice to load a version of 5.9 which includes the latest packages.

John
Logged

VL7.0 xfce4 Samsung RF511
caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #19 on: September 19, 2008, 07:53:58 am »

Hi, John,

You should always have patches, packages, and extra enabled on a working system.  Updates to packages that came from extra go into extra, not patches.  You shouldn't have testing enabled when doing upgrades as that can cause breakage.  I've never experienced what you described.  Since we're trying to address any issues with the repository, can you be specific about the errors you received?  Nothing should have been a downgrade or earlier version unless you've installed packages from third party sources (non-VL), and there should have been no conflicts.  It is possible that a new package will pull a new dependency from extra or packages, which may have been part of the problem.

There are some libraries in patches that you wouldn't need except as dependencies for other packages.  I would only upgrade packages you already have installed unless there is a new dependency and gslapt should handle that automatically.

No, there is no updated iso for VL 5.9 Standard.  I'm actually not aware of any distro that offers intermediate isos between releases.

The easiest way to upgrade a system to the current level after a fresh install is to, in a terminal window, as root, use these commands:

Code:
slapt-get --update
slapt-get --upgrade

This is fairly quick and will pull all the required patches and upgrades.  You don't need to worry about software in the extra repository as that repository  should contain only the latest versions we have available and have tested.
Logged

Witek Mozga
Vectorite
***
Posts: 113



WWW
« Reply #20 on: September 19, 2008, 12:50:16 pm »

Quote
I'm actually not aware of any distro that offers intermediate isos between releases.

Some do, however in an unofficial way. A Slackware current ISO is made every Tuesday and can be downloaded from ftp://ftp.slackware.no/pub/linux/slackware/slackware-current-iso
Besides the current ISO, there is also a Slackware DVD 12.1 ISO with crucial fixes only.

Logged

caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #21 on: September 19, 2008, 01:24:44 pm »

That's nice.  We still don't have intermediate isos.
Logged

sledgehammer
Vectorian
****
Posts: 1397



« Reply #22 on: September 19, 2008, 06:06:12 pm »

Caitlyn asked: 
Quote
can you be specific about the errors you received?

I do download programs from the web on occasion.   Flpsed and dosemu always and lately Symphony, to name some that quickly come to mind.  I also generally keep the testing repository active (won't default to that anymore).

Here are the errors:

Firefox 2.0.0.14 gives dependency error:  firefox: Depends: orbit2 >= 2.14.8-i586-1vl59

icon-naming-utils: Depends: perl-XML-Simple >= 2.18-i586-1vl59 | perl-XML-Writer >= 2.18-i586-1vl59

libgnomeprint 2.2.0 requires downgrade

libmad 0.15.1b requires downgrade

scribus 1.3.3.11: Depends:   cups >= 1.3.6-i586-2vl59

vasmCC 1.0.12 says downgrade

vpackager 1.0.11 vpackager: Depends: cmake >= 2.4.6

I think that's all.


« Last Edit: September 19, 2008, 06:12:48 pm by sledgehammer » Logged

caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #23 on: September 19, 2008, 06:56:52 pm »

I've never seen a message requiring downgrade.  I'd enable packages and extra and try it at the command line with slapt-get.  It won't do anything without your confirmation.  I suspect some of the dependencies you need for newer versions are in packages or extra.
Logged

sledgehammer
Vectorian
****
Posts: 1397



« Reply #24 on: September 19, 2008, 08:46:55 pm »

You're right.  It doesn't say "requires" downgrade.  It just gives no option other than to downgrade.  Example:  When I click on downgrade I get the error: libgnomeprint: Depends:   cups >= 1.3.6-i586-2vl59.

In any event, the system works great and I am not complaining. 

John
Logged

caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #25 on: September 20, 2008, 06:06:02 am »

The problem is definitely that you don't have the necessary repositories enabled.  The version of cups currently in the repository is 1.3.7.  I'd enable patches, packages, and extra and try again.
Logged

eMachines EL-1300G desktop, 1.6GHz AMD Athlon 2650e CPU, 4GB RAM, nVidia GeForce 6150 SE video
VLocity Linux 7.0-rc1

HP Mini 110 netbook, 1.6GHz Intel Atom CPU, 2GB RAM, Intel 950 video
VL 7.0 Light
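
The repository check described in replies #19 and #25, as an added shell example that is not part of any post in this thread: it audits a slapt-getrc for enabled patches, packages and extra sources and flags an enabled testing source. It assumes `SOURCE=` and `#DISABLED=` line prefixes and repository names appearing as URL path components; the mirror URLs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit slapt-getrc before upgrading.
# Assumptions: enabled sources are "SOURCE=<url>" lines, disabled ones are
# kept as "#DISABLED=<url>", and the repository name is a URL path component.

# has_repo PREFIX REPO FILE: true if FILE has a PREFIX line for REPO.
has_repo() {
    grep -Eq "^$1.*/$2(/|:|\$)" "$3"
}

# audit_sources FILE: print one finding per repository; return 1 if the
# configuration would skip fixes or pull in untested packages.
audit_sources() {
    rc=$1
    bad=0
    for repo in patches packages extra; do
        if has_repo 'SOURCE=' "$repo" "$rc"; then
            echo "ok: $repo enabled"
        elif has_repo '#DISABLED=' "$repo" "$rc"; then
            echo "MISSING: $repo disabled"
            bad=1
        else
            echo "MISSING: $repo not configured"
            bad=1
        fi
    done
    if has_repo 'SOURCE=' testing "$rc"; then
        echo "RISK: testing enabled"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: packages and extra disabled, testing enabled.
write_sample_rc() {
    cat > "$1" <<'EOF'
WORKINGDIR=/var/slapt-get
EXCLUDE=^aaa_elflibs,^devs
#DISABLED=http://mirror.example.invalid/veclinux-5.9/packages/
#DISABLED=http://mirror.example.invalid/veclinux-5.9/extra/
SOURCE=http://mirror.example.invalid/veclinux-5.9/patches/
SOURCE=http://mirror.example.invalid/veclinux-5.9/testing/
EOF
}

sample=$(mktemp)
write_sample_rc "$sample"
audit_sources "$sample" || echo "fix sources, then: slapt-get --update && slapt-get --upgrade"
rm -f "$sample"
```

On a real system, pass the path of the machine's slapt-getrc (commonly /etc/slapt-get/slapt-getrc) to `audit_sources` instead of the sample file.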
never_stop_learning
Vectorite
***
Posts: 263


WWW
« Reply #26 on: September 20, 2008, 07:39:38 am »

John - caitlyn is correct. Bring your laptop to our computer refurbishing session this AM and I'll walk you through this process.....
Logged

sledgehammer
Vectorian
****
Posts: 1397



« Reply #27 on: September 20, 2008, 10:52:46 pm »

Caitlyn, here is my report.  Though no action is requested, someone might find it helpful.

I ignored your caution that this was to be done following a new install and, on my system, ran:

slapt-get --update
slapt-get --upgrade

That seemed to work, though as the screen flashed by I thought I saw a couple of errors in cups.  No doubt I will learn if this is a problem on Monday, when I try to print something.  I doubt I will have problems.

I then went into gslapt and disabled all except the patches repository and had a look.  Everything seemed fine (much better) but the following programs were not installed:

libgnomeprint 2.2.0
libmad 0.15.1b
vasmCC 1.0.12

I clicked on each and each gave me only a download option. I clicked through the download and got no dependency error (I had received such an error before running the upgrade as I reported yesterday).  I unmarked each file.  I added back the packages and extra repositories and got out of gslapt without executing anything.

I then tried vasmCC (ver 1.06 is on my system) for the heck of it (I use vasm, which works fine) and got the following error:

Quote
[2] Cannot load class 'FAltMain': Version too old. Please recompile the project.
?

I have no present intention of doing anything, much less recompiling some project, as everything I use is working fine.

Also, wifi-radar no longer appears in the menu and has to be started from the terminal.  This happened yesterday, when I was fooling around with patches in gslapt. 

Thanks for your help.

John
Logged

caitlyn
Packager
Vectorian
****
Posts: 2839



WWW
« Reply #28 on: September 21, 2008, 08:44:26 am »

Hi, John,

All I can say is your results are completely different than mine and completely different than those who did the same in another thread.  wifi-radar is in my menu, the latest vasmCC works, cups and libgnomeprint work, and so on.  I don't know what's different about your system but something sure is.

For most people the type of upgrade I suggested just works.
Logged

sledgehammer
Vectorian
****
Posts: 1397



« Reply #29 on: September 21, 2008, 09:14:18 am »

If it can be screwed up, I can do it.  Ask laganon.  The name sledgehammer has some history to it. When I, for example, get something off slacky.eu (?), never_stop_learning cringes. These problems are mine, not Vector's, though those following my travails might find them helpful on occasion to make Vector even more bullet-proof.  My theory is that eventually one reaches a state where the mind starts to understand a little bit how software works...starts to see the big picture.  Perhaps someday, my mind will get there. It's certainly not there yet.

Anyway, 99% of the errors went away when I did the update.

Thanks again. 

John
« Last Edit: September 21, 2008, 09:16:00 am by sledgehammer » Logged
