New rsync 2.6.3 packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to a fix security issue when rsync is run as a non-chrooted server.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-792
OSNews reports that Gnome may be dropped by Slackware
Dropline GNOME 2.8.0 for Slackware Linux is available
New getmail packages are available for Slackware 9.1, 10.0 and -current to fix a security issue. If getmail is used as root to deliver to user owned files or directories, it can be made to overwrite system files.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-881
New zlib packages are available for Slackware 10.0 and -current to fix a possible denial of service security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-797
New xine-lib packages are available for Slackware 10.0 and -current to fix security issues.
New Mozilla 1.7.3 packages are available for Slackware 10.0 and -current to fix security issues.
New GTK+ (version 2) packages are available for Slackware 10.0 and -current to fix issues in the image loader routines that can crash applications.
New CUPS packages are available for Slackware 9.1, 10.0, and -current to fix a denial of service issue where a malformed packet can crash the CUPS server.
New samba packages are available for Slackware 10.0 and -current.
These fix two denial of service vulnerabilities reported by
iDEFENSE. Slackware -current has been upgraded to samba-3.0.7, while the samba-3.0.5 included with Slackware 10.0 has been patched to fix these issues. Sites running Samba 3.x should upgrade to the new package. Versions of Samba before 3.0.x are not affected by these flaws.
Linuxit has posted a step by step Slackware Linux 10.0 installation guide
Dropline GNOME 2.6.2 has been released
New kdelibs and kdebase packages are available for Slackware 9.1, 10.0, and -current to fix security issues.
More details about this issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746
The gaim package for Slackware Linux has been updated again
A couple of bugs were found in the gaim 0.82 release, and gaim-0.82.1 was released to fix them. In addition, gaim-encryption-2.29 did not work with gaim-0.82 due to changes in the header files, so the gaim-encryption plugin has also been updated to gaim-encryption-2.30.
New gaim packages are available for Slackware 9.1, 10.0 and -current to fix several security issues. Sites that use GAIM should upgrade to the new version.
New Qt packages are available for Slackware 9.0, 9.1, 10.0, and -current to fix security issues.
Bugs in the routines that handle PNG, BMP, GIF, and JPEG images may allow an attacker to cause unauthorized code to execute when a specially crafted image file is processed. These flaws may also cause crashes that lead to a denial of service.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
KDE 3.3 is now available for Slackware Linux 10.0
Updated sox packages are available for Slackware Linux
New sox packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix buffer overflow security issues that could allow a malicious WAV file to execute arbitrary code.
Updated imagemagick packages are available for Slackware Linux
New imagemagick packages are available for Slackware 9.1, 10.0, and -current to fix security issues with PNG images.
More details about the issues with PNG may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
Updated Mozilla packages have been released for Slackware Linux
New Mozilla packages are available for Slackware 9.1, 10.0, and -current to fix a number of security issues. Slackware 10.0 and -current were upgraded to Mozilla 1.7.2, and Slackware 9.1 was upgraded to Mozilla 1.4.3. As usual, new versions of Mozilla require new versions of things that link with the Mozilla libraries, so for Slackware 10.0 and -current new versions of epiphany, galeon, gaim, and mozilla-plugins have also been provided. There don't appear to be epiphany and galeon versions that are compatible with Mozilla 1.4.3 and the GNOME in Slackware 9.1, so these are not provided and Epiphany and Galeon will be broken on Slackware 9.1 if the new Mozilla package is installed. Furthermore, earlier versions of Mozilla (such as the 1.3 series) were not fixed upstream, so versions of Slackware earlier than 9.1 will remain vulnerable to these browser issues. If you still use Slackware 9.0 or earlier, you may want to consider removing Mozilla or upgrading to a newer version.
In the previous advisory for libpng (SSA:2004-222-01), the URL provided for the Slackware 9.0 patch mistakenly pointed to the old unpatched package. Slackware 9.0 users should follow the URL below for the new package:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.5-i486-3.tgz6a7ab390a92dbd28f77a5780be2b5ac1 libpng-1.2.5-i486-3.tgz
Updated libpng packages has been released for Slackware Linux:
New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. These issues could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute. The PNG library is widely used within the system, so all sites should upgrade to the new libpng package.
An alternate samba package for Slackware 10.0 has been released:
It was pointed out that the new Samba packages for Slackware 10.0 (and -current) have a dependency on libattr.so that wasn't in the previous packages. Since it's not the intent to introduce new requirements in security patches (especially for stable versions), an alternate version of the samba package is being made available that does not require libattr.so.
The original samba-3.0.5-i486-1.tgz package for Slackware 10.0 will also remain in the patches directory (at least for now, since it was just referenced in a security advisory and the URL to it should remain working), and because the original package works fine if the xfsprogs package (which contains libattr) is installed. If you're running a full installation or have xfsprogs installed, you do not need to update samba again.
New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0 and -current to fix a security issue.
A format string vulnerability in mod_proxy hook functions could allow an attacker to run code as the mod_ssl user. Sites using mod_ssl should upgrade (be sure to back up your existing key files first).
New samba packages are available for Slackware 8.1, 9.0, 9.1, 10.0 and -current to fix security issues.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
Updated PHP packages are available for Slackware Linux 8.1 - 10.0:
New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues (memory_limit handling and a problem in the strip_tags function). Sites using PHP should upgrade.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
iLUG-Cal has posted a review on Slackware Linux 10
OSNews has posted a review on Slackware Linux 10
Slackware Linux 10.0 has been released:
The first Slackware release of 2004, Slackware Linux 10.0 continues the more than ten-year Slackware tradition of simplicity, stability, and security.
Among the many program updates and distribution enhancements, you'll find two of the most advanced desktop environments available today: GNOME 2.6.1 (including a collection of pre-compiled GNOME applications), and KDE 3.2.3, the latest version of the award-winning K Desktop Environment. Slackware uses the 2.4.26 kernel bringing you advanced performance features such as the ReiserFS journaling filesystem, SCSI and ATA RAID volume support, and kernel support for X DRI (the Direct Rendering Interface) that brings high-speed hardware accelerated 3D graphics to Linux. Additional kernels allow installing Slackware using any of the journaling filesystems available for Linux, including ext3, ReiserFS, IBM's JFS, and SGI's XFS. For those Slackware users who are anxious to try the new 2.6.x kernel series, it is fully supported by the system. A precompiled Linux 2.6.7 kernel, modules, and source code are provided (along with complete instructions on how to install the new kernel).
Thanks Mark. Patrick Volkerding has released Slackware 10.0 RC2 today. This release include GNOME 2.6.2 and Mozilla 1.7.
Changelog Download
OSNews reports that Patrick Volkerding has released Slackware 10-RC1 today
A kernel update has been released for Slackware Linux:
New kernel packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a denial of service security issue. Without a patch to asm-i386/i387.h, a local user can crash the machine.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554
A cvs update is available for Slackware Linux:
New cvs packages that have been upgraded to cvs-1.11.17 are available for Slackware 8.1, 9.0, 9.1, and -current to fix various security issues. Sites running a CVS server should upgrade to the new CVS package right away.
KDE 3.2.3 is available for Slackware Linux 9.1
FootNotes reports that Dropline GNOME 2.6.1 for Slackware Linux has been released
A mod_ssl update is available for Slackware Linux:
New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. The packages were upgraded to mod_ssl-2.8.18-1.3.31 fixing a buffer overflow that may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA. Web sites running mod_ssl should upgrade to the new set of apache and mod_ssl packages. There are new PHP packages as well to fix a Slackware-specific local denial-of-service issue (an additional Slackware advisory SSA:2004-154-02 has been issued for PHP).
A PHP update has been released for Slackware Linux:
New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. These fix a problem in previous Slackware php packages where linking PHP against a static library in an insecure path (under /tmp) could allow a local attacker to place shared libraries at this location causing PHP to crash, or to execute arbitrary code as the PHP user (which is by default, "nobody").
Thanks to Bryce Nichols for researching and reporting this issue.
Updated cvs packages are now available for Slackware Linux:
New cvs packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a buffer overflow vulnerability which could allow an attacker to run arbitrary programs on the CVS server. Sites running a CVS server should upgrade to the new CVS package right away.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396
Updated kdelibs packages has been released for Slackware Linux:
New kdelibs packages are available for Slackware 9.0, 9.1 and -current to fix security issues with URI handling.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
A mc update is available for Slackware Linux:
New mc packages are available for Slackware 9.0, 9.1, and -current to fix security issues that These could lead to a denial of service or the execution of arbitrary code as the user running mc.
Sites that use mc should upgrade to the new mc package.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0232
An apache update has been released for Slackware Linux
New apache packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix security issues. These include a possible denial-of-service attack as well as the ability to possible pipe shell escapes through Apache's errorlog (which could create an exploit if the error log is read in a terminal program that does not filter such escapes). We recommend that sites running Apache upgrade to the new Apache package.
An lha update has been released for Slackware Linux
New bin- packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix buffer overflows and directory traversal vulnerabilities in the 'lha' archive utility. Sites using 'lha' should upgrade to the new bin package right away.
A xine-lib update (SSA:2004-124-03) has been released for Slackware Linux:
New xine-lib packages are available for Slackware 9.1 and -current to fix a security issue where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream.
rsync update (SSA:2004-124-01) has been released for Slackware Linux:
New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. When running an rsync server without the chroot option it is possible for an attacker to write outside of the allowed directory. Any sites running rsync in that mode should upgrade right away (and should probably look into using the chroot option as well).
A libpng update (SSA:2004-124-04) has been released for Slackware Linux:
New libpng packages are available for Slackware 9.0, 9.1, and -current to fix an issue where libpng could be caused to crash, perhaps creating a denial of service issue if network services are linked with it.
A sysklogd update is available for Slackware Linux:
New sysklogd packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue where a user could cause syslogd to crash. Thanks to Steve Grubb who researched the issue.
An updated Kernel has been released for Slackware Linux:
New kernel packages are available for Slackware 9.1 and -current to fix security issues. Also available are new kernel modules packages (including alsa-driver), and a new version of the hotplug package for Slackware 9.1 containing some fixes for using 2.4.26 (and 2.6.x) kernel modules.
The most serious of the fixed issues is an overflow in ip_setsockopt(), which could allow a local attacker to gain root access, or to crash or reboot the machine. This bug affects 2.4 kernels from 2.4.22 - 2.4.25. Any sites running one of those kernel versions should upgrade right away. after installing the new kernel, be sure to run 'lilo'.
More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424
An xine security update for Slackware Linux 9.1 has been released:
New xine packages are available for Slackware 9.1 and -current to fix security issues.
An utempter security update has been released for Slackware Linux 9.1
New utempter packages are available for Slackware 9.1 and -current to fix a security issue. (Slackware 9.1 was the first version of Slackware to use the libutempter library, and earlier versions of Slackware are not affected by this issue)
The utempter package provides a utility and shared library that allows terminal applications such as xterm and screen to update /var/run/utmp and /var/log/wtmp without requiring root privileges. Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink. This has been addressed by upgrading the utempter package to use Dmitry V. Levin's new implementation of libutempter that does not have this bug.
A cvs security update has been released for Slackware Linux
CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS.
A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15.
Any sites running CVS should upgrade to the new CVS package.
