An Indian security researcher has discovered a highly critical flaw in the X.Org Server package that affects OpenBSD and most Linux distributions, including Debian, Ubuntu, CentOS, Red Hat, and Fedora.
Xorg X server is a popular open-source implementation of the X11 display server that provides a graphical environment on a wide range of hardware and OS platforms. It serves as an intermediary between client and user applications to manage graphical displays.
According to a blog post published by software security engineer Narendra Shinde, the Xorg X server does not correctly handle and validate the arguments of at least two command-line parameters, allowing a low-privileged user to execute malicious code and overwrite any file, including files owned by privileged users such as root.
The flaw, tracked as CVE-2018-14665, was introduced in the X.Org Server 1.19.0 package and remained undetected for almost two years. It could have been exploited by a local attacker, at the terminal or via SSH, to elevate their privileges on a target system.
The two vulnerable parameters in question are:
-modulepath: to set a directory path to search for Xorg server modules,
-logfile: to set a new log file for the Xorg server, instead of using the default log file that is located at /var/log/Xorg.n.log on
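As an added check (not code from the article or from the X.Org project), the POSIX shell script below parses `Xorg -version` output and reports whether a build falls in the affected range. It assumes 1.20.3 as the fixed release (the version the Slackware changelog entry on this page upgrades to) and that Xorg is installed setuid root, the usual configuration the escalation depends on; the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from X.Org. It flags an Xorg build
# in the range the article describes for CVE-2018-14665: introduced in 1.19.0,
# with the fixed release assumed here to be 1.20.3 (the version the Slackware
# changelog entry on this page upgrades to). Distributions backport fixes, so a
# match is a prompt to read the package changelog, not proof of exposure.
# Extract the version from `Xorg -version` output ("X.Org X Server 1.19.6 ...").
xorg_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map "1.19.6" to 1019006 so dotted versions compare as integers
# (a missing minor or patch component counts as 0).
vernum() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the version lies in [1.19.0, 1.20.3).
xorg_affected() {
    n=$(vernum "$1")
    if [ "$n" -ge "$(vernum 1.19.0)" ] && [ "$n" -lt "$(vernum 1.20.3)" ]; then
        return 0
    fi
    return 1
}

# The escalation the article describes needs Xorg to run as root, which on most
# installs means a setuid-root binary; report only when both conditions hold.
xorg_report() {
    bin=$1
    ver=$(xorg_version_from_output "$("$bin" -version 2>&1)")
    if xorg_affected "$ver" && [ -u "$bin" ]; then
        echo "$bin: version $ver is in the affected range and setuid; update it"
        return 0
    fi
    echo "$bin: version ${ver:-unknown}, no action indicated by this check"
    return 1
}

# Constructed sample of `Xorg -version` output, used when no path is given.
SAMPLE_OUTPUT="X.Org X Server 1.19.6
Release Date: 2018-04-21"

if [ $# -eq 1 ]; then
    xorg_report "$1"        # e.g. /usr/lib/xorg/Xorg; the path varies by distribution
else
    v=$(xorg_version_from_output "$SAMPLE_OUTPUT")
    xorg_affected "$v" && echo "sample version $v is in the affected range"
fi
```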
Changelog Thu Oct 25 19:21:09 UTC 2018:
x/libinput-1.12.2-x86_64-1.txz: Upgraded.
x/xorg-server-1.20.3-x86_64-1.txz: Upgraded.
x/xorg-server-xephyr-1.20.3-x86_64-1.txz: Upgraded.
x/xorg-server-xnest-1.20.3-x86_64-1.txz: Upgraded.
x/xorg-server-xvfb-1.20.3-x86_64-1.txz: Upgraded.
Firefox 60 is carrying with it the removal of trust for Symantec certificates issued prior to June 1st, 2016, with the exception of certificates issued by a few subordinate CAs that are controlled by Apple and Google. This change affects all Symantec brands including GeoTrust, RapidSSL, Thawte, and VeriSign.
I'm pleased to announce a new Current ISO for March 2018.
This rolling release introduces native Qt support and wxWidgets support, and focuses on the migration to Python 3. The Lollypop music collection manager replaces Gmusicbrowser, with Kid3 as the mass tag editor. VLC replaces mpv as the default media player. The office suite is LibreOffice 6.0.2 and the web browser is Firefox 58.0.2. For packagers, the new SlackBuild tool is included. Many other changes can be found in the changelog.
Recently, if you have looked at the Zenwalk changelog, you may have noticed the addition of a new tool called SlackBuild.
This script is intended to build most "simple" packages automatically. It can be customized with optional hook sub-scripts (build.sh, configure.sh, postbuild.sh, prebuild.sh) to handle complex package builds.
Anyway, for most simple packages (for example, a library package called "foobar") all you have to do is:
put the source tarball alone in a directory (e.g. foobar-1.1.tar.gz)
put the slack-desc file for foobar in the same directory (if you omit the slack-desc, a generic description for foobar will be generated)
run "SlackBuild foobar" inside the directory
As a result you will get a binary Slackware package for the software foobar 1.1.