[solved] How to install freetype w patch for new exploit
- This topic has 7 replies, 3 voices, and was last updated Oct 31-11:08 pm by stevesr0.
October 29, 2020 at 7:38 pm #44045 Member
stevesr0
Hi all,
I heard that Freetype has put out a patched version for a serious exploit. It is in the 2.10 series and the current version in the repos for my version 17 install of antiX is 2.6.
Anybody know if the version from freetype via sourceforge is problematic for antiX 17?
stevesr0
October 29, 2020 at 7:45 pm #44046 Member
Xecure
Why download it via sourceforge?
Why not check first if it was resolved in Debian?
Is this the bug you are referring to? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972586
It appears to already be patched. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972586#29
antiX Live system enthusiast.
General Live Boot Parameters for antiX.
October 29, 2020 at 7:46 pm #44047 Member
Xecure
October 29, 2020 at 8:44 pm #44050 Anonymous
Due to today’s hiccups with the apt update mechanism https://www.antixforum.com/forums/topic/erros-during-the-update-process/
I’ll mention that if you want to expedite and manually retrieve the debfiles and install via “sudo dpkg -i”
For an antiX 17 64bit system:
http://security.debian.org/debian-security/pool/updates/main/f/freetype/libfreetype6_2.6.3-3.2+deb9u2_amd64.deb
If the “-dev” pkg is also currently installed on your system, install the base pkg first, THEN the dev pkg.
http://security.debian.org/debian-security/pool/updates/main/f/freetype/libfreetype6-dev_2.6.3-3.2+deb9u2_amd64.deb
For an antiX 17 32bit system, the appropriate 2.6.3-3.2+deb9u2* debs can be downloaded here
http://security.debian.org/debian-security/pool/updates/main/f/freetype
For antiX 19, the suitable libfreetype6 debs are numbered v2.91xxxx*
October 30, 2020 at 11:55 pm #44104 Member
stevesr0
Hi Xecure and skidoo,
Thanks for responses.
I do apt update && apt full-upgrade every day.
I didn’t get an error message, but there is only freetype 2.6.3-3.2+deb9u2-amd64 listed in my repos.
It is already installed.
I understand the patched version is 2.10.
It appears that I need a version newer than the ones in the antiX 17 repos. My concern is always that in installing something from a different version or from git that I will end up with an incompatibility.
stevesr0
October 31, 2020 at 3:04 am #44113 Anonymous
October 31, 2020 at 8:43 am #44120 Member
Xecure
All versions, be they “older or newer”, were patched in Debian, as you can see if you read the thread I linked.
Do this in terminal:
apt changelog libfreetype6
and see the first entries in the changelog:
freetype (2.6.3-3.2+deb9u2) stretch-security; urgency=medium
  * Non-maintainer upload by the LTS Team.
  * CVE-2020-15999 Fix heap buffer overflow.
 -- Thorsten Alteholz <debian@alteholz.de> Fri, 23 Oct 2020 19:03:02 +0200
So the exploit was fixed.
Thanks for reading until the end.
- This reply was modified 2 years, 6 months ago by Xecure. Reason: Pasted correct antiX 17 version changelog
antiX Live system enthusiast.
General Live Boot Parameters for antiX.
October 31, 2020 at 11:08 pm #44144 Member
stevesr0
Thanks, Xecure – I wasn’t familiar with using apt changelog, so you have taught me something useful.
Thanks skidoo – I am leery about installing things from different versions; I wonder (from what Xecure said) if the versions marked (SECURITY) are the patched versions for different debians?
This is solved for me. (I would mark it solved, but I looked at my opening message and there is no option to edit…)
stevesr0
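Added example (not written by any poster in this thread): the `apt changelog` check described above as a shell script that reports which package version's changelog entry first mentions a CVE, so a backported fix is recognised even when the version number stays below upstream's. The function names, the `check_installed` helper, and the two changelog entries marked as constructed are assumptions; only the 2.6.3-3.2+deb9u2 entry comes from the thread.

```shell
#!/bin/sh
# Added example: locate the changelog entry that fixed a given CVE.

# Reads a Debian changelog on stdin; prints "VERSION SUITE" of the oldest
# entry mentioning the CVE id in $1. Returns 1 if no entry mentions it.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) suite; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            ver = $2; gsub(/[()]/, "", ver)
            suite = $3; sub(/;$/, "", suite)
            next
        }
        # Changelogs are newest-first, so the last hit is the oldest entry.
        index($0, cve) { hit = ver " " suite }
        END { if (hit == "") exit 1; print hit }
    '
}

# Sample input. Only the deb9u2 entry is from the thread; the other two
# entries (and their version strings) are constructed for illustration.
sample_changelog() {
    cat <<'EOF'
freetype (2.6.3-3.2+deb9u99) stretch-security; urgency=medium
  * Constructed newer entry, unrelated change.
 -- Example Maintainer <maint@example.org>  Fri, 01 Jan 2021 00:00:00 +0000

freetype (2.6.3-3.2+deb9u2) stretch-security; urgency=medium
  * Non-maintainer upload by the LTS Team.
  * CVE-2020-15999 Fix heap buffer overflow.
 -- Thorsten Alteholz <debian@alteholz.de>  Fri, 23 Oct 2020 19:03:02 +0200

freetype (2.6.3-3.2+deb9u0) stretch; urgency=medium
  * Constructed older entry, no CVE mentioned.
 -- Example Maintainer <maint@example.org>  Wed, 01 Jan 2020 00:00:00 +0000
EOF
}

# On a live Debian/antiX system (needs apt and dpkg): succeeds when the
# installed version is at or above the entry that fixed the CVE.
check_installed() {   # usage: check_installed libfreetype6 CVE-2020-15999
    fixed=$(apt changelog "$1" 2>/dev/null | cve_fixed_in "$2") || return 2
    have=$(dpkg-query -W -f='${Version}' "$1") || return 2
    dpkg --compare-versions "$have" ge "${fixed%% *}"
}

sample_changelog | cve_fixed_in CVE-2020-15999   # prints: 2.6.3-3.2+deb9u2 stretch-security
```

`check_installed` returns 2 when the changelog has no entry for the CVE or the package is not installed, which keeps "unknown" distinct from "installed version is older than the fix".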
