ken at linuxfromscratch.org
Tue Jul 8 17:10:58 PDT 2008
On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
> I've gathered this information about vulnerable packages (could be more).
> PACKAGE   | LINK | BOOK VERSION | RESOLUTION |
> Ruby      |      | AFFECTED     | Upgrade    |
> Freetype  |      | AFFECTED     | Upgrade    |
> Libvorbis |      | AFFECTED     |            |
> Openssl   |      | AFFECTED     | Upgrade    |
> Imlib     |      | AFFECTED     |            |
> Libxslt   |      | AFFECTED     | Upgrade    |
> Mplayer   |      | AFFECTED     | Upgrade    |
> Libpng    |      | AFFECTED     | Upgrade    |
So, last night I couldn't sleep - again [ for people in the UK
whose doctors are under pressure to prescribe: Symvastatin - just
say no! ] and I thought I'd do some photo editing on my 6.3 box,
until I remembered that firefox needed to be updated there. And by
a somewhat circuitous route I got back to here.
Tonight, I was so pleased that I'd got the hang of 'svn merge' that
I overlooked I wasn't applying the patch (thanks, Randy), so clearly
that is my first task. Of the vulnerabilities you've highlighted, I
can probably do the following -
and from those that came up later in the thread, I can probably do
poppler, and perhaps fetchmail (I use it, but only on x86_64-64).
Oh, and perl-5.8.8 : I've no idea where the LFS book is headed
after the discussions about package management, and I was half
expecting it to move to 5.10 (which has its own vulnerability), but
in the meantime I should be able to pull the patch(es) from
I'm not sure about xorg-server - I'll defer to Dan on what we
should be doing there.
As to openssl, I'm very much "don't know" - I do my best to build
_without_ static libraries for my own use, and in the past I've had
problems trying to upgrade this on my x86_64-64 server, so I guess
I'm not the right man for this.
Which leaves Ruby (I wouldn't touch that with a barge-pole, but I
note lwn.net highlighted problems with the upgrade - it broke rails),
imlib (I may use icewm, but I don't need this obsolete library), and
Mplayer. -ENO_INTEREST for those.
I'll also be doing firefox, again. Possibly, there are similar
sets of problems with seamonkey or even thunderbird, but I don't
care about those.
So, give me two or three days and I hope to fix most of these. But
I do wonder whether we ought to have some additional comments in the
book on security? A regular distro updates its packages as
vulnerabilities become known. We sometimes do this, more often we
just upgrade to a newer version. The long gestation of 6.3 has been
a bit unusual - a lot more backported fixes than usual. Perhaps we
should be spelling out to our users that they need to monitor
vulnerabilities for themselves?
Alternatively, perhaps we should just put a big warning "some of
these packages have known vulnerabilities - too bad!"? (like the
'nobody cared' messages from the kernel).
the first time as tragedy, the second time as farce