(old)Puppy Linux Discussion Forum

I've tested it in my old laptop

Thanks for trying out AtomicPup-XIX.

IMHO its a good fit for these old netbooks, there's still plenty of the 10" versions floating around at ebay <US$100.

In Other News: YouTube is once again playing naughty, and the 'old method' of downloading the replay no longer works. Since the Download as mp4 addon is installed, use that on the error page (formerly known as the video page), saving as 360p to save space. Warning that some movies exceed 500Mb (3x the size of the distro) !

Regards
8Geee

Just noticed a curl update from 7.61.1 -->7.62 dated 10/31.

One of the patches is for buffer overrun in the SASL authentication code. Rather important.

After D/L the docs can be removed, and the dot packages file can be moved to builtin with removal of old file.

Regards
8Geee

Slackware has released an update to OpenSSL that is very important.

"This update fixes a timing side-channel flaw on processors which implement SMT/Hyper-Threading architectures, and a side channel attack on DSA signature generation that could allow an attacker to recover the private key."

I have had to bust this update as it borqs both epdf and FreeOffice 6.97. DO NOT UPGRADE !!!

Regards
8Geee

Recently, Slackware published an update to OpenSSL. Within that update was a very troubling patch for ANY TLS security using the ECDSA method. Although the full patch borqued AtomicPup-XIX, this one patch is the most important update.

SORRY: this particular update is not necessary when running an ATOM CPU BEFORE 2012. This is the intended target of AtomicPup-XIX. The tracing of this security request is not the SSL vunerability, but in reality a CPU security compromise. The CPU security compromise is based upon Speculative Execution and Out-of-Order execution on/in more advanced CPU's (read: 64-bit). Since the Intel Atom processors built before 2012 are essentially 32-bit and do not have any form of Speculation/OoE, the cracking of the SSL information (read: key-exchange) is mitigated at the CPU level. That means the browser, for the most part, is also OK on the client side. But the server-side, as always, runs a risk of not being up to date.

I do note that there are versions of 64-bit ATOMS that are also immune. Generally, these were built in 2010 or 11.

To fix the erroneous patch

Disconnect from the internet and open FF-27.
Be careful and enter ECDSA into address bar.
Allow True (Double-Click) these three...

security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha1

Close browser then MENU--> Shutdown --> Restart Graphical engine

Reconnect to internet.

Sorry about this, hope this helps.

Regards
8Geee

Please note the changes in the above two most recent posts.

DO NOT UPDATE to OPENSSL 1.0.2q if using an ATOM processor.
Check your ECDSA curves as above in FireFox27.

Regards
8Geee

Both of these were updated by slackware yesterday Dec. 5, 2018.

For AtomicPup-XIX use the 'Slackware14.2 i586' version.

Highlight and paste the link in a new tab.
Click YES in Yellow box, and OK when loading and completed.
When finished with both, close browser and disconnect from internet.
Navigate ROX-filer to /usr/lib and open
The following symlinks must be made
Remove nettle4.7 and symlink from nettle6.5 (right-click --> Link) back to 4.7, typing 4.7 into the address box.
Remove libgnutls28.43.0 and symlink libgnutls30.23.0 as above.
Check libgnutls-openssl for version 27.0.2

At this point navigate to /usr/doc to remove the doc files.
Then /root/.packages (hidden file) to move the new file-lists into the builtin folder. You may remove the older versions if needed.

Close ROX-filer and all other items and perform a shutdown.
After 5 minutes restart, and reconnect to internet as needed.

Regards
8Geee

If you are having trouble downloading at YouTube or other sites, nic007 has passed along this site as a fine alternative. One can select mp3 or mp4. The mp3 can have the compression altered (128K, 192K, 320K at least). I am not sure about video size yet but usually 360p or 720p is offered at YouTube.

This link will be included with the default bookmarks next update. You can simply add it now by saving your current bookmarks, then go to ~/my-applications/MyFiles to reload the default bookmark2 file, add the new link, and Save As HTML to the default location above. Then Import your original bookmarks.

Regards and thanks again to nic007
8Geee

Slackware has a security patch for curl.
The patch upgrades 7.62 --> 7.64

The usr/doc files may be deleted, and root/.packages file for the new update should be moved to builtin. The old packages file may be removed.

Regards
8Geee

Hey @8Geee the torrent file on archive.org fails when I load it into my rtorrent instance, the tracker returns that the torrent is not valid or authorized on that tracker. Can you double-check? Was successfully able to download it by hand but wanted to get the torrented archive.

Can't help with that one, I do not use torrents. Sorry.

Slackware has released a security update for gnutls. This is to be done at slackware dot com -->security advisories --> 2019

Though not directly applicable to the default AtomicPup-XIX,
if you have updated your choice of browser, and it accepts TLS 1.3 (FireFox 50 or newer, for example), then this update directly affects AtomicPup-XIX.

I will opine that this should be done anyway, as the update protects any future decisions made concerning browser, and puppy's own internal security in selecting TLS1.3 certs. /MHO

There is one symlink needed in usr/lib
remove libgnutls.so.30.23.0 then
symlink the 30.23.2 version back to the 30.23.0

The root/.packages file should have this update list moved to the builtin folder.

A brief look at the problem.

Regards
8Geee

Slackware has just released an update to curl 7.64.1 --> 7.65.0

The usr/doc files may be deleted, and root/.packages file for the new update should be moved to builtin. The old packages file may be removed. No symlinks are needed.

Regards
8Geee

I need to pass this WARNING on...

Do not upgrade rdesktop, the listed Slackware14.0 version WILL borque puppy- it WILL NOT BOOT.

In fact its not really needed UNLESS using VLC as a youtube server to stream vids.

The current rdesktop can be removed using the file list in /root/.packages

Regards
8Geee

Recently it has been discovered and announced that certain TLS1.2 encryption schemes are vunerable to cracking attempts. In an indirect way, this is related to derivatives of Meltdown/Spectre.

AtomicPup-XIX uses two of these schemes, and the Qualys Client-Side Test has affirmed this with a "WEAK" rating (unsuitable for use). Since this is encryption scheme AND there IS hyperthreading of ANY TYPE involved, Firefox27, or whatever you have installed, needs to FALSE these schemes, so they are not selected.

DISCONNECT FROM THE INTERNET
Oen Firefox and in Firefox address bar type about:config
Click I'll be careful
In the search bar type ssl
scroll down the listing to these two consecutive entries

security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha

Double click each one to make FALSE
Close the Browser
Click Menu --> Shutdown --> Restart Graphical Server
Upon the Refresh you may reconnect to internet

Regards
8Geee

Slackware has released an update for CURL to version 7.65.2
There are no symlinks needed, and usr/docs may be removed.

In Other News: AtomicPup-XIX is rather stable as you may have noticed. Just a tweak here and there, primarily relating to CURL. I don't see the need for an update, unless a major revision comes along.

Regards
8Geee

There are two recent security patches to pass along.

The first is curl from 7.65.2 --> 7.66.
After the downloading as pet package, the old libcurl7.5.0 needs to be deleted with a symlink from libcurl7.6.0 back to 7.5.0 The usr/doc file can be removed if not needed, and the root/.packages file needs the new txt file moved to builtin with removal of old file.

Second is expat2.2.2 --> 2.2.8
In the same manner as above, delete libexpat1.6.4 with symlink from libexpat 1.6.10 back to 1.6.4. The doc file can be deleted and the root.package file moved with deleetion of old version.

Regards
8Geee

a note here that if not using rdesktop, to remove it using the root/.packages file as guide.

Ooops, I've been remiss about posting this update. I have installed them, and been running without problems for a month now.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

At slackware security updates is a laundry-list of corrections for tcpdump. However, one must first update pcap to handle the new corrections.

The pcap update is here. Install this as a Puppy Package by clicking YES in the yellow box. Answer both questions OK when they appear.

In usr/lib delete libpcap.so.1.8.1 and make a symlink from the new 1.9.1 version back to 1.8.1 by altering the "9" to "8".

Next is tcpdump...
The update for tcpdump 4.9.3 is here. Click Yes in the yellow box, and OK when asked.

In usr/sbin delete the tcpdump.4.9.2 version and make a symlink back to 4.9.2 by altering the "3" to "2". Make a second symlink to the 4.9.3 version by removing the /usr from the path. (If an app or program erroneously calls /sbin instead of /usr/sbin)

When this completed, the /usr/docs files can be removed and the /root/.packages file can be updated by moving the two new text files to the builtin folder with removal of the old version.

A bit lengthy to write, not hard to do

Regards
8Geee

This is the starting post for AtomicPup2020, an update to the XIX and 18 versions. A few tweaks to menu icons and the usual updates from slackware current to this posting. Just an update for those who would rather not remaster/update themselves. See the 1st post for full details of the spin

Thanks and regards
8Geee

I'm really a nervous noob. Yesterday I thought I installed Puppeee 1.0 only to find that it is not persistent. Further research brought me here. If I go with this flavor can you please instruct me how to make it persistent?