Vulnerabilities.

Ken Moffat ken at linuxfromscratch.org
Tue Jul 8 17:10:58 PDT 2008


On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
> 
> I've gathered this information about vulnerable packages (could be more).
> 
> 
> PACKAGE   | LINK | BOOK VERSION | RESOLUTION |
> ______________________________________________
> Ruby      | [1]  | AFFECTED     | Upgrade    |
> Freetype  | [2]  | AFFECTED     | Upgrade    |
> Libvorbis | [3]  | AFFECTED     | [9]        |
> Openssl   | [4]  | AFFECTED     | Upgrade    |
> Imlib     | [5]  | AFFECTED     | [10]       |
> Libxslt   | [6]  | AFFECTED     | Upgrade    |
> Mplayer   | [7]  | AFFECTED     | Upgrade    |
> Libpng    | [8]  | AFFECTED     | Upgrade    |
> ==============================================
> 
 So, last night I couldn't sleep - again [ for people in the UK
whose doctors are under pressure to prescribe: Simvastatin - just
say no! ] and I thought I'd do some photo editing on my 6.3 box,
until I remembered that firefox needed to be updated there.  And by
a somewhat circuitous route I got back to here.

 Tonight, I was so pleased that I'd got the hang of 'svn merge' that
I overlooked that I wasn't applying the patch (thanks, Randy), so
clearly that is my first task.  Of the vulnerabilities you've
highlighted, I can probably do the following -

freetype
libvorbis
libxslt
libpng

and from those that came up later in the thread, I can probably do
poppler, and perhaps fetchmail (I use it, but only on x86_64-64).

 Oh, and perl-5.8.8 : I've no idea where the LFS book is headed
after the discussions about package management, and I was half
expecting it to move to 5.10 (which has its own vulnerability), but
in the meantime I should be able to pull the patch(es) from
redhat-enterprise.

 I'm not sure about xorg-server - I'll defer to Dan on what we
should be doing there.

 As to openssl, I'm very much "don't know" - I do my best to build
_without_ static libraries for my own use, and in the past I've had
problems trying to upgrade this on my x86_64-64 server, so I guess
I'm not the right man for this.

 Which leaves Ruby (I wouldn't touch that with a barge-pole, but I
note lwn.net highlighted problems with the upgrade - it broke rails),
imlib (I may use icewm, but I don't need this obsolete library), and
Mplayer.  -ENO_INTEREST for those.

 I'll also be doing firefox, again.  Possibly, there are similar
sets of problems with seamonkey or even thunderbird, but I don't
care about those.

 So, give me two or three days and I hope to fix most of these.  But
I do wonder whether we ought to have some additional comments in the
book on security?  A regular distro updates its packages as
vulnerabilities become known.  We sometimes do this, more often we
just upgrade to a newer version.  The long gestation of 6.3 has been
a bit unusual - a lot more backported fixes than usual.  Perhaps we
should be spelling out to our users that they need to monitor
vulnerabilities for themselves?

 Alternatively, perhaps we should just put a big warning "some of
these packages have known vulnerabilities - too bad!"? (like the
'nobody cared' messages from the kernel).

ĸen
-- 
the one time as tragedy, the other time as farce
