Tuesday's security updates

CentOS has updated C6: qemu-kvm (code execution).

Debian has updated rails (fixes a regression introduced in the previous update) and openssl (denial of service).

Fedora has updated emacs (F16; F15: privilege escalation), F16: kernel (privilege escalation/restriction bypass), F15: openssl (denial of service), and F15: xkeyboard-config (screensaver lock bypass).

Gentoo has updated freetype (multiple vulnerabilities), jasper (two code execution flaws), fwbuilder (symlink attack/privilege escalation), tor (code execution/information disclosure), mit-krb5 (multiple vulnerabilities), and mit-krb5-appl (privilege escalation/code execution).

Oracle has updated OL6: qemu-kvm (code execution/restriction bypass) and OL5: kvm (denial of service/code execution).

Red Hat has updated qemu-kvm (code execution), kvm (denial of service/code execution), and kernel (privilege escalation).

Scientific Linux has updated SL5: kvm (denial of service/code execution).

SUSE has updated libxml2 (code execution).

Ubuntu has updated linux-lts-backport-natty (denial of service/information leak), linux-lts-backport-oneiric (multiple vulnerabilities), 10.10 (denial of service/information leak), rsyslog (denial of service), qemu-kvm (code execution), and thunderbird (multiple vulnerabilities).


Tuesday's security updates

Posted Jan 25, 2012 2:42 UTC (Wed) by pr1268 (subscriber, #24648)

The lack of mentioning any security update from Slackware for the past few months here at LWN had me concerned that LWN is no longer tracking Slackware Security Advisories. But, after I looked at Slackware's own security advisory page and noticed no SSAs since October 14, I'm now concerned from a different angle...

Either Slackware's choice of packages and kernel don't suffer from the same issues as the "big distros", or someone's asleep at the switch. FWIW Slackware's newest "stable" version is 13.37 whose kernel version is 2.6.37.6.

—Curious Slackware User

Tuesday's security updates

Posted Jan 25, 2012 10:14 UTC (Wed) by DG (subscriber, #16978)

Slackware tends to follow the upstream release quite closely and doesn't normally enable as many options at compile time - as other distros - which may make some of their packages safe from exploits which may affect others. Slackware also has far fewer packages...

But, I felt the same a few years ago and this was one of the reasons I switched to Debian/Ubuntu - as they do release regular security updates, which made me feel somewhat 'safer'.

Tuesday's security updates

Posted Jan 25, 2012 18:04 UTC (Wed) by rahulsundaram (subscriber, #21946)

"Slackware tends to follow the upstream release quite closely and doesn't normally enable as many options at compile time - as other distros - which may make some of their packages safe from exploits which may affect others. Slackware also has far fewer packages..."

These explanations aren't sufficient to explain the lack of security updates since October. There have definitely been several important security flaws fixed since that time period in core components.

Tuesday's security updates

Posted Jan 25, 2012 19:23 UTC (Wed) by ris (editor, #5)

The Slackware changelog:
http://www.slackware.com/changelog/current.php?cpu=i386
notes some security updates; e.g. the entry for Nov 27 has security fixes for mozilla. Updates have happened, but no advisories have been sent to the security list. I'd say 'follow the changelog' but that too has been silent for over a month.
