New kernel packages are available for Slackware 14.1, 14.2, and -current to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/linux-4.4.88/*:  Upgraded.
  This update fixes the security vulnerability known as "BlueBorne".
  The native Bluetooth stack in the Linux Kernel (BlueZ), starting at
  Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in
  the processing of L2CAP configuration responses resulting in remote
  code execution in kernel space.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the
  correct kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy
  the kernel and initrd to the EFI System Partition.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251
    https://www.armis.com/blueborne
  (* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Upgrade the packages as root:
# upgradepkg kernel-*.txz
If you are using an initrd, you'll need to rebuild it.
For a 32-bit SMP machine, use this command (substitute the appropriate kernel version if you are not running Slackware 14.2):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.88-smp | bash
For a 64-bit machine, or a 32-bit uniprocessor machine, use this command (substitute the appropriate kernel version if you are not running Slackware 14.2):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.88 | bash
Please note that "uniprocessor" has to do with the kernel you are running, not with the CPU. Most systems should run the SMP kernel (if they can) regardless of the number of cores the CPU has. If you aren't sure which kernel you are running, run "uname -a". If you see SMP there, you are running the SMP kernel and should use the 4.4.88-smp version when running mkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit systems should always use 4.4.88 as the version.
If you are using lilo to boot the machine, you'll need to ensure that the machine is properly prepared before rebooting. Be sure that the image= line references the correct kernel file and then run "lilo" as root to reinstall the boot loader.
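The two checks described above (which version string to pass to mkinitrd_command_generator.sh, and whether lilo.conf points at files that exist) can be scripted before rebooting. This is an added example, not part of the Slackware advisory; the function names, the root-prefix parameter and the sample lilo.conf are assumptions made for illustration, and `uname -v` is used in place of `uname -a` so that a hostname containing "SMP" cannot confuse the match.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-reboot checks after a kernel upgrade.

# Choose the -k argument for mkinitrd_command_generator.sh.
# $1 = new kernel version, $2 = `uname -m` output, $3 = `uname -v` output
mkinitrd_kver() {
    case "$2" in
        x86_64) echo "$1" ;;               # 64-bit: always the plain version
        *) case "$3" in                    # assumption: anything else is 32-bit
               *SMP*) echo "$1-smp" ;;     # 32-bit SMP kernel
               *)     echo "$1" ;;         # 32-bit uniprocessor kernel
           esac ;;
    esac
}

# Count image=/initrd= paths in a lilo.conf that do not exist on disk.
# $1 = lilo.conf path, $2 = root prefix (assumption: lets the check run on a test tree)
lilo_missing() {
    missing=0
    for p in $(sed -nE 's/^[[:space:]]*(image|initrd)[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\2/p' "$1"); do
        if [ ! -e "${2:-}$p" ]; then       # -e follows symlinks, so a dangling link is caught
            echo "lilo.conf references missing file: $p" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample tree: the kernel is installed, the initrd has not been rebuilt.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/boot" "$t/etc"
    : > "$t/boot/vmlinuz-generic-4.4.88"
    cat > "$t/etc/lilo.conf" <<'EOF'
# constructed sample, not a real configuration
boot = /dev/sda
image = /boot/vmlinuz-generic-4.4.88
  initrd = /boot/initrd.gz   # not rebuilt yet
  root = /dev/sda1
  label = Linux
EOF
    echo "$t"
}

t=$(make_sample)
echo "mkinitrd -k argument: $(mkinitrd_kver 4.4.88 "$(uname -m)" "$(uname -v)")"
echo "missing files: $(lilo_missing "$t/etc/lilo.conf" "$t")"
rm -rf "$t"
```

On a real system, call `lilo_missing /etc/lilo.conf` with no prefix; a non-zero count means lilo should not be run until the reference is corrected or the initrd is rebuilt.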
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Comware 7 MSR Routers using PHP, Go, Apache Http Server, and Tomcat. The vulnerability known as "httpoxy" could be remotely exploited to execute arbitrary code.
References:
- CVE-2016-5385 - PHP
- CVE-2016-5386 - Go
- CVE-2016-5387 - Apache Http Server
- CVE-2016-5388 - Tomcat
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE has made the following software updates available to resolve the vulnerability in the Comware 7 MSR Router products:
+ **MSR1000 (Comware 7) - Version: Fixed in R0605P13 Release**
  * HP Network Products
    - JG875A HP MSR1002-4 AC Router
    - JH060A HP MSR1003-8S AC Router
  * CVE's/ZDI's
    - CVE-2016-5385
    - CVE-2016-5386
    - CVE-2016-5387
    - CVE-2016-5388
+ **MSR2000 (Comware 7) - Version: Fixed in R0605P13 Release**
  * HP Network Products
    - JG411A HP MSR2003 AC Router
    - JG734A HP MSR2004-24 AC Router
    - JG735A HP MSR2004-48 Router
    - JG866A HP MSR2003 TAA-compliant AC Router
  * CVE's/ZDI's
    - CVE-2016-5385
    - CVE-2016-5386
    - CVE-2016-5387
    - CVE-2016-5388
+ **MSR3000 (Comware 7) - Version: Fixed in R0605P13 Release**
  * HP Network Products
    - JG404A HP MSR3064 Router
    - JG405A HP MSR3044 Router
    - JG406A HP MSR3024 AC Router
    - JG407A HP MSR3024 DC Router
    - JG408A HP MSR3024 PoE Router
    - JG409A HP MSR3012 AC Router
    - JG410A HP MSR3012 DC Router
    - JG861A HP MSR3024 TAA-compliant AC Router
    - JG409B HPE MSR3012 AC Router
  * CVE's/ZDI's
    - CVE-2016-5385
    - CVE-2016-5386
    - CVE-2016-5387
    - CVE-2016-5388
+ **MSR4000 (Comware 7) - Version: Fixed in R0605P13 Release**
  * HP Network Products
    - JG402A HP MSR4080 Router Chassis
    - JG403A HP MSR4060 Router Chassis
    - JG412A HP MSR4000 MPU-100 Main Processing Unit
    - JG869A HP MSR4000 TAA-compliant MPU-100 Main Processing Unit
  * CVE's/ZDI's
    - CVE-2016-5385
    - CVE-2016-5386
    - CVE-2016-5387
    - CVE-2016-5388
*Note:* Please contact support for any questions about this document
HISTORY
Version:1 (rev.1) - 21 August 2017 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact your normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.