Lighthouse 64 5.14.2 Beta 4

For talk and support relating specifically to Puppy derivatives
meeki

LHPUPRECORD & Subsonic

#221 Post by meeki »

Thanks to smokey01's beta testing I worked out a few bugs in LHPUP Record.

New build notes:

# Fixes
- Smokey01 noted a return to the menu with no explanation if dir is false. Changed initial start dir to "/" to not risk this.
- Smokey01 noted lack of audio. Turns out that some audio cards lack channel selection in ffmpeg with alsa. Now hw:0,0 also gives option for only card as hw:0

# Improvements
- Added check for dir selected. If not found, tells user to pick a proper dir, then sends them back to main selection.

_________________________________________________________________

****** To solve your audio problem select alsa hw:0 and not the default of hw:0,0
_____________________________________________________________________

LHPUPRecord-0.09

PET
http://dl.dropbox.com/u/12968946/lighth ... d-0.09.pet
MD5
http://dl.dropbox.com/u/12968946/lighth ... 09.pet.md5


:)

meeki

#222 Post by meeki »

puppyt says:
Here's perhaps a project for you meeki - a java-based media server http://www.subsonic.org/pages/index.jsp. Would it be feasible to compile this in a 64-bit environment, or would a suite of lighter applications for media serving in Puppy do, instead? More nooby-friendly GUI's for Monkey- and Samba- servers perhaps, already in LH64?
Subsonic
Well got it done. Took some figuring on killing the PID process.
Used the code found for Samba-Server and tweaked it for my uses. No author at the top of the file in the bin folder so I don't know who to credit?
Added java version checks to it so if the user does not have java he's not left hanging wondering why it does not work.

Subsonic

(req java 6.x.x or higher)

PET
http://dl.dropbox.com/u/12968946/lighth ... ic-4.7.pet

MD5
http://dl.dropbox.com/u/12968946/lighth ... .7.pet.md5


I think I'm going to become the maintainer of java pets in LHPUP; this now makes #3

meeki

#223 Post by meeki »

LHPUPJAVA

All the java sfs's / pet's for LHPUP can now be found at:
http://lhpupjava.puppytune.org/

I will keep it up to date and place any new pet's / sfs's here from now on.

This way people don't have to scroll through the threads any more looking for them.

gcmartin

FLASH and JAVA in LH64

#224 Post by gcmartin »

A CLARIFICATION!!! I WRITE THIS AS IT SHOULD BE PUT INTO FOCUS!

There are NO experienced or reported exposures in LH64 in its presentation of JAVA or FLASH....NONE!

I am not suggesting that anyone who "perceives" a threat should not take steps to protect themselves.

But, it is TOTALLY ERRONEOUS to suggest that because Microsoft/Apple may have exposures, that it THEREFORE CARRIES OVER TO Puppyland.

This is inaccurate.

Again, I, as well as many others, applaud the presentation of LH64 and what it has done in the 64bit community of Puppyland. It produces a simple and easy to use distro that is secure, flexible, and tremendously functional for any/all new users and experienced users as well. The experienced ones in the community know how to manipulate and change whatever they feel necessary. Newbies and lesser experienced users can use this distro OOTB without the need to install ANYTHING to do everything they can do from the top 10 Linuxes as well as Microsoft and Apple. This is an incredibly safe, stable, and effective distro for anyone who is in this community. LH64 is one of the, if not the, easiest as a full featured PUP as is offered in the Puppyland. Well positioned, and well thought-through.

NOT ONE OF US CAN PRODUCE ANY...I REPEAT..."ANY" EXPOSURE THAT HAS CAUSE FOR SECURITY LOSS.

And, until someone shows an exposure, to "ALLUDE" that LH64 is somehow compromising our use is inaccurate and wrongly positioned in this thread!!!!!

Again, said differently, NEITHER JAVA NOR FLASH COMPROMISES LH64, OOTB! Not in the past, not now!

Here to help

Q5sys

#225 Post by Q5sys »

gcmartin wrote: A CLARIFICATION!!! I WRITE THIS AS IT SHOULD BE PUT INTO FOCUS!

There are NO experienced or reported exposures in LH64 in its presentation of JAVA or FLASH....NONE!

I am not suggesting that anyone who "perceives" a threat should not take steps to protect themselves.

But, it is TOTALLY ERRONEOUS to suggest that because Microsoft/Apple may have exposures, that it THEREFORE CARRIES OVER TO Puppyland.

This is inaccurate.

Again, I, as well as many others, applaud the presentation of LH64 and what it has done in the 64bit community of Puppyland. It produces a simple and easy to use distro that is secure, flexible, and tremendously functional for any/all new users and experienced users as well. The experienced ones in the community know how to manipulate and change whatever they feel necessary. Newbies and lesser experienced users can use this distro OOTB without the need to install ANYTHING to do everything they can do from the top 10 Linuxes as well as Microsoft and Apple. This is an incredibly safe, stable, and effective distro for anyone who is in this community. LH64 is one of the, if not the, easiest as a full featured PUP as is offered in the Puppyland. Well positioned, and well thought-through.

NOT ONE OF US CAN PRODUCE ANY...I REPEAT..."ANY" EXPOSURE THAT HAS CAUSE FOR SECURITY LOSS.

And, until someone shows an exposure, to "ALLUDE" that LH64 is somehow compromising our use is inaccurate and wrongly positioned in this thread!!!!!

Again, said differently, NEITHER JAVA NOR FLASH COMPROMISES LH64, OOTB! Not in the past, not now!

Here to help

gcmartin,
I'm approaching this comment as someone who works in the computer security field to someone who is not as knowledgeable in the IT security field. So please don't take this as a personal attack against you because IT'S NOT!!!! However, I'm going to take a guess that computer security isn't what you do for a living. The reason I say that is because your statement is factually false.

An exploit in a software program, such as flash, is independent of OS. The exploit within the program itself is the vulnerability. If your argument was valid then there would be no reason to ever update Firefox or Opera or any other program just because an exploit has been found in a windows version of whatever program.
Computer exploits do NOT always boil down to what OS you are using. Example: Cross Site scripting attacks have nothing to do with what OS you are using. They will work on any incorrectly coded browser. Whether that browser is on Windows, Mac, or Linux. This is the very reason that when an exploit is released Firefox (for example), updates ALL of their versions across every OS platform.

An exploit in Firefox (for example) is just that. AN EXPLOIT IN FIREFOX. It doesn't matter what OS it's running on, the browser has the exploit. The same holds true for Flash and Java. An exploit in Java can be completely OS independent.

Example needed? Here is an example of the java exploit being used against a linux computer. It doesn't matter that the exploit was originally discovered on windows... since it's a java exploit it works across every version of Java that wasn't properly patched.
Image

Also see: http://www.metasploit.com/modules/explo ... ned_applet for systems that another java exploit works against.
Metasploit project wrote: Exploit Targets
0 - Generic (Java Payload)
1 - Windows x86 (Native Payload) (default)
2 - Linux x86 (Native Payload)
3 - Mac OS X PPC (Native Payload)
4 - Mac OS X x86 (Native Payload)

Would this attack work against LHP running an older version of java? Yes absolutely. *Why do you think TazOC released an update java package as soon as it was out?* Has it been done by anyone in this small community? Probably not, because there's no point wasting time and effort on something that will work because it's program based and not OS based. We simply update our software and move on with our lives.

I understand your mindset; from a person who doesn't work with these issues day in and day out, your viewpoint seems completely logical and it seems like it's common sense. However sadly in the IT security world, things don't always work as everyone thinks they should. Sometimes the facts are VERY counterintuitive.
I speak for myself, and I believe that everyone else would agree, your insight into some areas of puppy is fantastic. However I feel this is one area where your knowledge, or perhaps lack thereof, is going to prompt you to make statements which are incorrect.

gcmartin

flash-java in LH64

#226 Post by gcmartin »

Understood
Example needed? Here is an example of the java exploit being used against a linux computer. It doesn't matter that the exploit was originally discovered on windows... since it's a java exploit it works across every version of Java that wasn't properly patched.
But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

James C

#227 Post by James C »

http://krebsonsecurity.com/2012/08/secu ... -released/

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

Jasper

#228 Post by Jasper »

Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards

Jasper

#229 Post by Jasper »

Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards

Q5sys

Re: flash-java in LH64

#230 Post by Q5sys »

gcmartin wrote: But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

It seems that the basis of your argument is that, since we are unaware of anyone using LHP getting attacked by this vulnerability (in java), we should not worry about it or be proactive.
A) We have no way of knowing if someone HAS been hit by this exploit or not, because not everyone who has downloaded or used LHP is on this forum and actively reporting all their issues.
B) Even if we knew as an empirical fact that not a single user of LHP was hit by this exploit, it shouldn't matter. Just because something has not happened yet, does not mean that it won't.
Pretty much every security expert on the planet has said that certain programs which are known to be buggy should only be used when needed. This is, in fact, common sense. The same reason we don't have apache software running on our home computers. Yeah, it could give us some benefits for sharing files on our own local network, but the problems it introduces FAR outweigh the benefits.

Yes, Java can do some pretty cool stuff. But what benefit is a java music player? Is it better playing media files over a program coded in C or C++?
If we have a choice between two programs for playing music, one java and one C++ based, it makes more security sense to use the one that's not based on a horribly exploitable code platform. Unless the java based one offers some amazing feature that users simply can't live without... the cost/benefit analysis would tip in the favor of the non java based program.

This isn't about raising fear level. It's about educating people as to the potential risks involved in certain software packages. Fearmongering would be saying "NEVER USE JAVA OR YOUR COMPUTER WILL BE HACKED AND YOUR BANK ACCOUNT DRAINED!"
I don't think anyone who is speaking out about java being used is going to that extreme. We are simply saying (in my mind at least), know the risks you have, and use java only when it's needed. Java does not need to be running or active on my machine when I'm sleeping or out at the store shopping. For anyone to say, Java is great to use, use it all the time, and don't worry about the vast multitude of exploits for it, is doing nothing but promoting ignorance of the risk involved in using java.

Ignorance is NOT bliss. To argue that, since we don't know absolutely that there is a problem, we should act as if there isn't one, is silly. I'm not in any way advocating that we shouldn't use java at all. On the contrary, I have it on my system. But I install/uninstall it as I need it for certain programs. There is no benefit for me having it active when I'm not using it. All java does when not being used is introduce another attack vector into my system.

That's why I keep Java and Flash as SFS files. I can load them when I need them, and unload them the rest of the time. A simple shell script could be written to load the SFS and activate the program I need, and then at program shutdown unload the SFS from memory. I haven't done so because I don't consider it a hassle to mount/unmount the SFS if/when I need it.
Jasper wrote:Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards
To start off I'll quote the mantra "Backup often, backup early"
Second, you should have your backups stored on removable media somewhere other than attached to your computer.
Malware that is set to "explode" can only work if it's lying in memory waiting to initiate. If/When it does it can only affect any storage device attached to your computer. A backup harddrive in your drawer won't be touched. So... if you do get popped, you can reload and go.
One reason I use frugal installs is so I can backup my system (my save file) as often as I want. If one gets corrupted all I need to do is reinstall my system and copy the backed-up save file to my computer and I'm back in business.

As for A/V malware protection for linux. There are some. I personally use ESET Nod32 for linux. But.... it's not free. Ironic you asked this, because I was working on packaging up an AV program for LHP this weekend and coming week. I was going to package up ClamAV. I prefer Nod32 because of its heuristics that actively scan memory. I find that it's far superior to other AV products at detecting unknown viruses.
That being said though, an AV product can't guarantee protection against application exploits. It may be able to detect some through scanning programs in memory and what changes they are attempting to make, but it can't promise much. Once an exploit is known, usually AV companies do add those definitions into their products.
Jasper wrote:Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards
I don't know much about that... but this might be what you're looking for:
https://addons.mozilla.org/en-US/firefo ... word-wrap/
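
Added example, not part of Q5sys's post and not code from Lighthouse: one way to write the "load the SFS, run the program, unload it at shutdown" wrapper the post describes. It assumes the SFS is a squashfs image and uses a plain read-only loop mount rather than Puppy's own SFS loader; `run_with_sfs`, `MOUNT_CMD`, `UMOUNT_CMD` and `SFS_ROOT` are names made up for this sketch.

```sh
#!/bin/sh
# Added example: keep a runtime SFS mounted only while one program runs.
# Assumptions (not from the thread): the .sfs is a squashfs image, it is
# loop-mounted at a plain mount point rather than layered in by Puppy's own
# SFS loader, and the program is started by a path below that mount point.

MOUNT_CMD=${MOUNT_CMD:-mount}      # overridable for a dry run without root
UMOUNT_CMD=${UMOUNT_CMD:-umount}

# run_with_sfs IMAGE MOUNTPOINT COMMAND [ARGS...]
# Returns COMMAND's exit status; the image is unmounted even if COMMAND fails.
run_with_sfs() (
    if [ $# -lt 3 ]; then
        echo "usage: run_with_sfs IMAGE MOUNTPOINT COMMAND [ARGS...]" >&2
        exit 64
    fi
    image=$1
    mnt=$2
    shift 2
    if [ ! -f "$image" ]; then
        echo "no such SFS image: $image" >&2
        exit 66
    fi
    mkdir -p "$mnt" || exit 73

    # ro: the runtime cannot be modified in place while it is loaded.
    # nosuid,nodev: setuid bits and device nodes inside the image are ignored.
    "$MOUNT_CMD" -t squashfs -o loop,ro,nosuid,nodev "$image" "$mnt" || exit 74

    unload() {
        "$UMOUNT_CMD" "$mnt" || echo "warning: $mnt is still mounted" >&2
    }
    # Unload on Ctrl-C or kill as well, so the runtime never stays loaded.
    trap 'unload; exit 130' INT TERM HUP

    status=0
    SFS_ROOT=$mnt "$@" || status=$?
    unload
    exit "$status"
)

# Stand-alone use (the real mount needs root), for example:
#   sh run_with_sfs.sh /path/to/java.sfs /mnt/java-sfs /mnt/java-sfs/<path to java> -jar app.jar
if [ $# -ge 3 ]; then
    run_with_sfs "$@"
fi
```

If the unmount reports that the mount point is still in use, a process started from the image is still running and the runtime remains reachable until it exits.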

Jasper

#231 Post by Jasper »

Hi Q5sys,

Thank you very much for your help, but I am not totally clear and would appreciate clarification.

Say I collect a "tomorrow's time bomb" whilst on line now and I'm using sda1.

In another 30 minutes I do an incremental backup to my 2nd internal drive on sdb1.

It's the "in memory" bit that I don't entirely understand and ask whether I can always recover in this case.

My regards

Q5sys

#232 Post by Q5sys »

Jasper wrote:Hi Q5sys,

Thank you very much for your help, but I am not totally clear and would appreciate clarification.

Say I collect a "tomorrow's time bomb" whilst on line now and I'm using sda1.

In another 30 minutes I do an incremental backup to my 2nd internal drive on sdb1.

It's the "in memory" bit that I don't entirely understand and ask whether I can always recover in this case.

My regards
Ok you get "tomorrow's time bomb" (TTB) using sda1. You backup to sdb1.
You disconnect sdb1 from your computer and put it in your drawer.
TTB on sdb1 can't do anything to the data on sdb1.
TTB is also sitting on sda1 which is on your computer.
But to run, TTB needs to be in RAM.

TTB can only 'run' at the given time if it's already executed and 'in memory' (RAM).
So when the TTB in RAM hits the date it then activates. If it's not in RAM and is just a file on your computer it can't do anything. The malware itself checks for the time stamp to run. If it's dormant on your drive it can't check anything, since nothing will be telling TTB 'hey it's the date, do stuff'.

Malware works by lying in memory waiting to work. So let's say TTB is in RAM... it'll delete your files on sda1 since that's plugged in. The files on sdb1 are ok, since they are disconnected.
You can re-install your system using your sdb1 backup, but you're re-installing TTB as well.
This is why you 'Backup Often'. That way you can go back and find a backup copy of your system BEFORE the infection took place.

Does that explain it to you more clearly?

I always recommend making a backup copy of your system immediately after you install everything. That way you know you have a good clean system as a backup.

Jasper

#233 Post by Jasper »

Hi Q5sys,

Thank you, as an explanation that is clear and what I had expected (though less technically).

Now today I get a 1st January 2013 time bomb - so all my backups made in the rest of this year are "corrupted" and "usefully" unrestorable in entirety.

If I already have and keep an uncorrupted backup it is way out of date, but is there a good chance that I might recover letters, emails, pictures, spreadsheets and any "data" made between today and the end of the year?

My apology if I am being a pain, but, apart from fire damage, this is my main concern (though I never spend time thinking about it as I am careful with my browsing habits and know of no other promising protective measures apart from an occasional av check).

My regards

Q5sys

#234 Post by Q5sys »

Jasper wrote:Hi Q5sys,

Thank you, as an explanation that is clear and what I had expected (though less technically).

Now today I get a 1st January 2013 time bomb - so all my backups made in the rest of this year are "corrupted" and "usefully" unrestorable in entirety.

If I already have and keep an uncorrupted backup it is way out of date, but is there a good chance that I might recover letters, emails, pictures, spreadsheets and any "data" made between today and the end of the year?

My apology if I am being a pain, but, apart from fire damage, this is my main concern (though I never spend time thinking about it as I am careful with my browsing habits and know of no other promising protective measures apart from an occasional av check).

My regards
Yes if today you got a TTB for Jan 1, 2013, every backup would include it.
However if you're careful you could still extract letters/pictures/etc out of that backup without restoring the malware in that backup.

You could still mount the backup save file and copy "ONLY" the data you want. However you would want to double check that you didn't get anything extra by checking /initrd/pup_rw before you shut down.
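
Added example, not part of Q5sys's post: a sketch of the selective restore described above, copying only document-type files out of an already mounted backup and then listing what changed in a directory such as /initrd/pup_rw since a marker file was touched. The extension allowlist, the function names and the content check for ELF or "#!" headers are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: pull only document-type files out of a mounted backup.
# Assumptions (not from the thread): the backup save file is already mounted
# read-only at SRC, e.g. with  mount -o loop,ro,noexec,nosuid,nodev ...,
# and the extension allowlist below is an illustrative choice.

ALLOWED_EXT=${ALLOWED_EXT:-"txt odt ods doc xls csv pdf jpg jpeg png eml"}

# True when the file name carries an allowlisted extension (case-insensitive).
has_allowed_ext() {
    base=${1##*/}
    case $base in
        ?*.?*) ;;               # needs a name, a dot and an extension
        *) return 1 ;;
    esac
    ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z')
    for allowed in $ALLOWED_EXT; do
        if [ "$ext" = "$allowed" ]; then return 0; fi
    done
    return 1
}

# True when the content starts like a program (ELF binary or "#!" script),
# whatever the file is called.
looks_executable() {
    magic=$(head -c 4 "$1" | od -An -c | tr -d ' \n')
    case $magic in
        177ELF*|'#!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# copy_data_only SRC DEST: prints "COPY path" or "SKIP path" per regular file.
# Symlinks, devices and sockets are never followed or copied (-type f).
copy_data_only() {
    src=${1%/}
    dest=${2%/}
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 2
    fi
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if has_allowed_ext "$f" && ! looks_executable "$f"; then
            mkdir -p "$dest/$(dirname "$rel")" &&
                cp -- "$f" "$dest/$rel" &&
                chmod a-x "$dest/$rel" &&
                echo "COPY $rel" ||
                echo "FAIL $rel"
        else
            echo "SKIP $rel"
        fi
    done
}

# new_since MARKER DIR: files under DIR modified after MARKER was last touched.
# Touch a marker before the restore, then run this on /initrd/pup_rw afterwards.
new_since() {
    find "$2" -type f -newer "$1"
}

# Stand-alone use: sh restore_data.sh /mnt/backup /root/restored
if [ $# -eq 2 ]; then
    copy_data_only "$1" "$2"
fi
```

The SKIP lines are the review list: anything there that you expected to be a document deserves a closer look before it is copied by hand.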

Puppyt

#235 Post by Puppyt »

Thanks guys for a truly scintillating debate - it's clear that while we won't all go down with any digital Titanic in the immediate future, it is comforting to know that there is a spectrum of choices we can make individually when deciding what level of prevention is better than putative cure.
That's really why I'm with Puppy - anyone here remember wasting a day of their life re-installing a Windows OS, updating all the anti-virus, root-kits, trojans, firewalls (even if "free"ware - e.g., http://www.techsupportalert.com/pc/security-tools.html)? Sheesh - look at all those innovative ways that data can be modified and extracted without permission - bit like natural selection, and the advent of nasties like H1N1, Hendra, even permutations of the golden oldies of Avian and Spanish 'flu etc... Such a joy to now just replace a corrupted Puppy system quickly and easily with a backed-up save file...
My uni fell briefly to attack recently, although we haven't been fully informed of the details we were in shutdown with no off-campus, off-server exchanges permitted for a day while the system was purged (?) of the digital malaise. (It's a MS system, and supports only closed-source software at hideous expense for licensing.) It was an event that had a lot of students commenting with the belief that Linux is more secure - I corrected them to the best of my knowledge, that it is certainly not a "closed system" and there are ways it can be potentially exploited. Great to see that active discussion here show that Puppy is ready to be ahead of the security curve, as/ if/ when the need arises. No wool pulled over the eyes of these sheepdogs...

tazoc

Browsing as spot

#236 Post by tazoc »

I'm no security expert, but I slept in a Holiday Inn! :D

I do recommend running browsers as an unprivileged user, spot (which is the default with Lighthouse64 and Fatdog64.) If you aren't sure which you are running, click Menu -> Setup -> Choose Default Browser.

To update Firefox use Menu -> Internet -> Firefox Update Help.

If you're starting the browser from a terminal,

firefox-spot #default run as spot
firefox #run as root to install Firefox updates, otherwise don't!

google-chrome-spot
opera-spot
etc.

I'm not suggesting that it is unnecessary to keep JavaRE and Flash updated, rather that running as spot should minimize any security risks because spot cannot alter or remove files not owned by spot.

Also keep in mind that unless you're running multi-session, the LiveCD-R or DVD-R that you installed Lighthouse from is read-only, (and therefore not susceptible to malware for all practical purposes.) So booting from the LiveCD with puppy pfix=ram will give you a clean boot in case you need to restore a backup, access your data or, browse securely with no disk drives mounted.

Hope that helps,
TaZoC
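
Added example, not part of tazoc's post and not a Lighthouse tool: a check for the situation the post warns about, a browser left running as root instead of spot. It reads the effective UID of each process from /proc; the browser process names in `BROWSERS` and the `--scan` switch are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: list browser processes whose effective UID is 0 (root).
# Assumptions (not from the thread): the process names in BROWSERS, and a
# Linux /proc that exposes per-process "comm" and "status" files.

BROWSERS=${BROWSERS:-"firefox firefox-bin chrome opera seamonkey"}

# root_browsers [PROCROOT]: prints "PID NAME" for each match, nothing if clean.
root_browsers() {
    procroot=${1:-/proc}
    for dir in "$procroot"/[0-9]*; do
        # Processes can exit while we iterate; unreadable entries are skipped.
        [ -r "$dir/comm" ] || continue
        [ -r "$dir/status" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        # The Uid: line holds the real, effective, saved and filesystem UIDs.
        euid=$(awk '$1 == "Uid:" { print $3; exit }' "$dir/status" 2>/dev/null) || continue
        [ "$euid" = "0" ] || continue
        for browser in $BROWSERS; do
            if [ "$name" = "$browser" ]; then
                echo "${dir##*/} $name"
            fi
        done
    done
}

# Stand-alone use: sh root_browsers.sh --scan
if [ "${1:-}" = "--scan" ]; then
    found=$(root_browsers)
    if [ -n "$found" ]; then
        echo "browser running as root:"
        echo "$found"
        exit 1
    fi
    echo "no browser is running as root"
fi
```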

Puppyt

#237 Post by Puppyt »

Thanks for that info re Spot, TaZoC -
I use the FF add-on "Zotero" copiously for my research, but as I have a habit of installing the incorrect software and totally borking my save file, I now keep my zotero storage files on a separate partition. Resurrection and backup is now a total breeze. However I then ran into problems with not being able to download linked pdfs into the literature repository of my choice - Spot would only let me save to the Downloads directory (under spot), and this means tedious double-movement of files to where I needed them, later. But thanks for pointing out this solution - when I want to use Zotero with minimum hassle (? barring security risks) in LH, I should go to the non-spot FF. This is a better solution to the "Out, damn'd spot" route I was contemplating, thank you!

Could I ask that you might think of organising the Desktop Settings menu a little clearer? Some applications are global, while others are WM-specific and I don't know which works with what. I find my personal preference for Openbox WM, but I don't like desktop icons except my drive/partition/mount points. So show/hide desktop icons prevents those drive icons appearing. Instead of my usual preference for wbar, I found "Panel" already provided for my favourite apps - but that's XFCE and while I spent a while trying to incorporate it with an autostart script*, had to keep loading it up from the menu on reboots. Eventually I struck on your LXPanel - literally under my nose the whole time - so have a panel2 working to my liking. In short - even though it might involve a 4th-order of menus, might you consider arranging the desktop settings within WM-specific sub-menus?
That, or perhaps some other solution, like being able to edit the startup /autostart script from within PupControl etc., so we might mix'n'match WM features?
Sorry I'm not making a lot of sense, perhaps - up to my neck in exam preparations,
Cheers!


* can't recall the correct term. The script that loads sven etc., on startup of a given WM.

P.S. Will you be contemplating an LH repo for access from PPM, in future, in addition to the 'Lighthouse Update'?

Q5sys

Re: JavaRE-7u7, LibreOffice-3.6.1, get_libreoffice-0.17-L64

#238 Post by Q5sys »

tazoc wrote:JavaRE-7u7-x86_64 - recommended security update

SFS: http://www.lhpup.org/sfs/514-x86_64/?C=M;O=D 31M
or Pet: click Update icon on desktop -> get_updates 44M
http://www.oracle.com/technetwork/java/ ... 63279.html
Ironic since we've been having a discussion on Java exploits. Oracle has released yet another update for JRE. 7u9 was released to fix errors they introduced with their 7u7 update.
Gotta love systemic flaws which patching just creates more issues. :x
I think we're up to like 4 major java updates since August. :(

gcmartin

#239 Post by gcmartin »

Yeah, let's applaud the JAVA community for continually staying on top of things.

Oracle is very good and has an honest reputation in the IT community over the past 30 years.

As chipsets, processors, and OS advance, it's great to see that Open source efforts stay consistent with advances.

There is a flaw in an argument that was recently posted, but I will not address it here. And, as TaZoC has pointed to, there have been steps taken in Puppyland, specifically, to minimize additional dangers that could be used as a path to exploit a running distro. As such, our community of PUPs and the PUP diversity make this a tremendously exhaustive effort for exploitation for a gain which is so small as it is completely worthless to attempt. And, we also MUST remember that our community is about one-tenth of 1 percent of all PCs in the world running Linux (all versions), Apple, Microsoft, etc.

This means that many measures in and out of this community have been taken as we have some confidence of safe passage as we use our system for any/all local services that comes with PUPs and especially with LH64.

But, again, let's also applaud our community developers for making a safe and easy to understand and use product as has been done for us.

Most, if not all, of us, are not exploited, now.

Here to help
P.S. This discussion really belongs elsewhere in the Puppy forum (and there already exist threads to address "Security" in this forum). Since, we do NOT have a security bug present, this latest discussion is largely academic.

Maybe we should consider future discussion on security in that existing "Security" thread...maybe, huh?

Q5sys

#240 Post by Q5sys »

gcmartin wrote: Yeah, let's applaud the JAVA community for continually staying on top of things.

Oracle is very good and has an honest reputation in the IT community over the past 30 years.

As chipsets, processors, and OS advance, it's great to see that Open source efforts stay consistent with advances.

There is a flaw in an argument that was recently posted, but I will not address it here. And, as TaZoC has pointed to, there have been steps taken in Puppyland, specifically, to minimize additional dangers that could be used as a path to exploit a running distro. As such, our community of PUPs and the PUP diversity make this a tremendously exhaustive effort for exploitation for a gain which is so small as it is completely worthless to attempt. And, we also MUST remember that our community is about one-tenth of 1 percent of all PCs in the world running Linux (all versions), Apple, Microsoft, etc.

This means that many measures in and out of this community have been taken as we have some confidence of safe passage as we use our system for any/all local services that comes with PUPs and especially with LH64.

But, again, let's also applaud our community developers for making a safe and easy to understand and use product as has been done for us.

Most, if not all, of us, are not exploited, now.

Here to help
P.S. This discussion really belongs elsewhere in the Puppy forum (and there already exist threads to address "Security" in this forum). Since, we do NOT have a security bug present, this latest discussion is largely academic.

Maybe we should consider future discussion on security in that existing "Security" thread...maybe, huh?

I have no problem discussing things in a security thread, however this discussion has been centered around security within LHP. I see no reason for LHP users to have to search for another thread to read/learn/discuss security issues with LHP. As long as the discussion centers around particular security issues and how they impact LHP or LHP users directly, I don't see why it can't be in this thread. I do agree that general security discussion can be held elsewhere, but from my time on this forum I've noticed that usually doesn't occur, since many of those threads aren't followed as much as the individual pupplet threads. C'est la vie, je suppose.

Also I don't really see this discussion as academic. JRE 7u7 has security flaws in it. JRE7u7 is the most recent available version for LHP users. And currently (until this post) there hasn't been an update available for it. So everyone using LHP, unless they've compiled it themselves, is vulnerable.

To help rectify that I've used Alien's Slackbuild script to build openjre7u9 for everyone.
I'm hoping TazOC will release an official LHP update to JRE when he's able. But until then, this will work.
http://puppy-linux.org/lhp514/openjre-7 ... 6_64-1.sfs

While I'm at it here is another updated SFS package.
http://puppy-linux.org/lhp514/vlc-2.0.4-x86_64-1.sfs

If anyone has any issues with these, let me know.
Last edited by Q5sys on Tue 30 Oct 2012, 21:35, edited 1 time in total.
