Vulnerabilities.

Ag. D. Hatzimanikas a.hatzim at gmail.com
Wed Jul 9 15:21:09 PDT 2008


On Wed, Jul 09, at 01:10 Ken Moffat wrote:
> On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
> > 
> > I've gathered this information about vulnerable packages (could be more).
> > 
> > 
> > PACKAGE   | LINK| BOOK VERSION | RESOLUTION|
> > ____________________________________________
> > Ruby      | [1] | AFFECTED     | Upgrade   |
> > Freetype  | [2] | AFFECTED     | Upgrade   |
> > Libvorbis | [3] | AFFECTED     | [9]       | 
> > Openssl   | [4] | AFFECTED     | Upgrade   |
> > Imlib     | [5] | AFFECTED     | [10]      |
> > Libxslt   | [6] | AFFECTED     | Upgrade   |
> > Mplayer   | [7] | AFFECTED     | Upgrade   |
> > Libpng    | [8] | AFFECTED     | Upgrade   |
> > ============================================
> > 
>  Which leaves Ruby (I wouldn't touch that with a barge-pole, but I
> note lwn.net highlighted problems with the upgrade - it broke rails),

I don't think we need to update to the 1.8.7 branch, but to the most recent
release from the 1.8.6 branch (which I don't think breaks rails), that is
today patch level 230,
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p230.tar.bz2
released 20/6.

> imlib (I may use icewm, but I don't need this obsolete library), and
> Mplayer.  -ENO_INTEREST for those.
> 

Just to be sure: we are talking about imlib2, which I think is being used
by many applications. For this vulnerability the author released an
update very shortly after the discovery, so we have the choice to fix it
by using the patch (I've posted the link) or by updating to 1.4.1.
I am trusting the author enough to recommend the update. It wouldn't
break anything, I am positive.

>  I'll also be doing firefox, again. 

Firefox? You are not talking about firefox-3, are you?
Because if you update to the new 3 branch, then a set of new packages
needs to be introduced in the book, (off the top of my head) like
sqlite and hunspell and a patched libpng and also an obligatory (or
not) dependency on dbus - let me see (false) is optional.
However, it is a good release, which fixes many memory leaks (apart of
course from the well known problems with flash content) and just for
this reason I would recommend the update. I have been using it since X'mas
(beta releases) with good results.

-- 
http://wiki.linuxfromscratch.org/blfs/wiki/Hacking