mirror of
git://slackware.nl/current.git
synced 2024-11-16 07:48:02 +01:00
1e755d579a
Several ELF objects were found to have rpaths pointing into /tmp, a world writable directory. This could have allowed a local attacker to launch denial of service attacks or execute arbitrary code when the affected binaries are run by placing crafted ELF objects in the /tmp rpath location. All rpaths with an embedded /tmp path have been scrubbed from the binaries, and makepkg has gained a lint feature to detect these so that they won't creep back in.
a/kernel-firmware-20241001_95bfe08-noarch-1.txz: Upgraded.
a/kernel-generic-6.10.12-x86_64-1.txz: Upgraded.
a/pkgtools-15.1-noarch-12.txz: Rebuilt.
  makepkg: when looking for ELF objects with --remove-rpaths or --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part of the directory or filename. Also warn about /tmp rpaths after the package is built.
ap/cups-2.4.11-x86_64-1.txz: Upgraded.
ap/cups-browsed-2.0.1-x86_64-2.txz: Rebuilt.
  Mitigate security issue that could lead to a denial of service or the execution of arbitrary code.
  Rebuilt with --with-browseremoteprotocols=none to disable incoming connections, since this daemon has been shown to be insecure. If you actually use cups-browsed, be sure to install the new /etc/cups/cups-browsed.conf.new containing this line:
    BrowseRemoteProtocols none
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-47176
  (* Security fix *)
d/kernel-headers-6.10.12-x86-1.txz: Upgraded.
d/llvm-18.1.8-x86_64-3.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
d/luajit-2.1.1727621189-x86_64-1.txz: Upgraded.
d/ruby-3.3.5-x86_64-2.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
k/kernel-source-6.10.12-noarch-1.txz: Upgraded.
kde/kimageformats-5.116.0-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
kde/kio-extras-23.08.5-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
kde/krita-5.2.5-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
kde/libindi-2.1.0-x86_64-1.txz: Upgraded.
l/cryfs-0.10.3-x86_64-13.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/espeak-ng-1.51.1-x86_64-2.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/ffmpeg-7.1-x86_64-1.txz: Upgraded.
l/gegl-0.4.48-x86_64-3.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
l/gst-plugins-bad-free-1.24.8-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
l/imagemagick-7.1.1_38-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
l/libgsf-1.14.53-x86_64-1.txz: Upgraded.
l/librsvg-2.58.5-x86_64-1.txz: Upgraded.
l/libvncserver-0.9.14-x86_64-3.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/mozjs128-128.3.0esr-x86_64-1.txz: Upgraded.
l/netpbm-11.08.00-x86_64-1.txz: Upgraded.
l/opencv-4.10.0-x86_64-3.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
l/openexr-3.3.0-x86_64-1.txz: Upgraded.
  Shared library .so-version bump.
l/python-glad2-2.0.8-x86_64-1.txz: Upgraded.
l/python-pyproject-hooks-1.2.0-x86_64-1.txz: Upgraded.
l/spirv-llvm-translator-18.1.4-x86_64-2.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
l/woff2-20231106_0f4d304-x86_64-2.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
n/openobex-1.7.2-x86_64-6.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
x/marisa-0.2.6-x86_64-11.txz: Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
xap/gimp-2.10.38-x86_64-2.txz: Rebuilt.
  Recompiled against openexr-3.3.0.
xap/mozilla-firefox-128.3.0esr-x86_64-1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/128.3.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-47
    https://www.cve.org/CVERecord?id=CVE-2024-9392
    https://www.cve.org/CVERecord?id=CVE-2024-9393
    https://www.cve.org/CVERecord?id=CVE-2024-9394
    https://www.cve.org/CVERecord?id=CVE-2024-8900
    https://www.cve.org/CVERecord?id=CVE-2024-9396
    https://www.cve.org/CVERecord?id=CVE-2024-9397
    https://www.cve.org/CVERecord?id=CVE-2024-9398
    https://www.cve.org/CVERecord?id=CVE-2024-9399
    https://www.cve.org/CVERecord?id=CVE-2024-9400
    https://www.cve.org/CVERecord?id=CVE-2024-9401
    https://www.cve.org/CVERecord?id=CVE-2024-9402
  (* Security fix *)
xap/xlockmore-5.80-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
testing/packages/kernel-generic-6.11.1-x86_64-1.txz: Upgraded.
testing/packages/kernel-headers-6.11.1-x86-1.txz: Upgraded.
testing/packages/kernel-source-6.11.1-noarch-1.txz: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
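
The /tmp rpath check described in the commit message above can be sketched as follows. This is an added example, not makepkg's own code: the function names, the sample readelf output and the staging-tree usage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not makepkg's code): report ELF objects with /tmp rpaths.

# Constructed sample of `readelf -d` output, used to exercise the parser.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib64:/tmp/pkg-build/lib:/tmpfiles/lib]'

# True if the file content starts with the ELF magic 7f 45 4c 46. Testing the
# bytes rather than matching "ELF" in tool output that includes the path
# avoids false hits on names such as ELF-notes.txt.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Read `readelf -d` output on stdin and print every RPATH/RUNPATH component
# that is /tmp or lies below it. Returns non-zero when there is none.
tmp_rpath_entries() {
    sed -nE 's/.*\((RPATH|RUNPATH)\).*\[(.*)\][[:space:]]*$/\2/p' |
        tr ':' '\n' | grep -E '^/tmp(/|$)'
}

# Walk a directory (hypothetical usage: a package staging tree) and warn about
# each ELF object carrying a /tmp rpath. Needs readelf from binutils.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        is_elf "$f" || continue
        hits=$(readelf -d "$f" 2>/dev/null | tmp_rpath_entries | tr '\n' ' ')
        if [ -n "$hits" ]; then
            echo "WARNING: $f has /tmp rpath: $hits"
        fi
    done
}

# Run the scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

The component match is anchored, so /tmp and /tmp/... are reported while a path such as /tmpfiles/lib is not.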
98 lines
3.5 KiB
Text

Slackware initrd mini HOWTO
by Patrick Volkerding, volkerdi@slackware.com
Mon Sep 30 21:48:04 UTC 2024

This document describes how to create and install an initrd, which may be
required to use the 4.x kernel. Also see "man mkinitrd".

1. What is an initrd?
2. Why do I need an initrd?
3. How do I build the initrd?
4. Now that I've built an initrd, how do I use it?


1. What is an initrd?

Initrd stands for "initial ramdisk". An initial ramdisk is a very small
Linux filesystem that is loaded into RAM and mounted as the kernel boots,
and before the main root filesystem is mounted.

2. Why do I need an initrd?

The usual reason to use an initrd is because you need to load kernel
modules before mounting the root partition. Usually these modules are
required to support the filesystem used by the root partition (ext3, ext4,
btrfs, xfs), or perhaps the controller that the hard drive is attached
to (SCSI, RAID, etc). Essentially, there are so many different options
available in modern Linux kernels that it isn't practical to try to ship
many different kernels to try to cover everyone's needs. It's a lot more
flexible to ship a generic kernel and a set of kernel modules for it.

3. How do I build the initrd?

The easiest way to make the initrd is to use the mkinitrd script included
in Slackware's mkinitrd package. We'll walk through the process of
upgrading to the generic 6.10.12 Linux kernel using the packages
found in Slackware's slackware/a/ directory.

First, make sure the kernel/modules and mkinitrd packages are installed
(the current version numbers might be a little different, so this is just
an example):

  installpkg kernel-generic-6.10.12-x86_64-1.txz
  installpkg mkinitrd-1.4.11-x86_64-36.txz

Change into the /boot directory:

  cd /boot

Now you'll want to run "mkinitrd". I'm using ext4 for my root filesystem,
and since the disk controller requires no special support the ext4 module
will be the only one I need to load:

  mkinitrd -c -k 6.10.12 -m ext4

This should do two things. First, it will create a directory
/boot/initrd-tree containing the initrd's filesystem. Then it will
create an initrd (/boot/initrd.gz) from this tree. If you wanted to,
you could make some additional changes in /boot/initrd-tree/ and
then run mkinitrd again without options to rebuild the image. That's
optional, though, and only advanced users will need to think about that.

Here's another example: Build an initrd image using Linux 6.10.12
kernel modules for a system with an ext4 root partition on /dev/sdb3:

  mkinitrd -c -k 6.10.12 -m ext4 -f ext4 -r /dev/sdb3


4. Now that I've built an initrd, how do I use it?

Now that you've got an initrd (/boot/initrd.gz), you'll want to load
it along with the kernel at boot time. If you use LILO for your boot
loader you'll need to edit /etc/lilo.conf and add a line to load the
initrd. Here's an example section of lilo.conf showing how this is
done:

# Linux bootable partition config begins
image = /boot/vmlinuz-generic
  initrd = /boot/initrd.gz
  root = /dev/sda6
  label = Slackware
  read-only
# Linux bootable partition config ends

The initrd is loaded by the "initrd = /boot/initrd.gz" line.
Just add the line right below the line for the kernel image you use.
Save the file, and then run LILO again ('lilo' at the command line).
You'll need to run lilo every time you edit lilo.conf or rebuild the
initrd.

Other bootloaders such as syslinux also support the use of an initrd.
See the documentation for those programs for details on using an
initrd with them.


---------

Have fun!