After several weeks of testing, the latest version of Dropline GNOME is finally available.
New X.Org server packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix a security issue. An integer overflow in the pixmap handling code may allow the execution of arbitrary code through a specially crafted pixmap. Slackware 10.2 was patched against this vulnerability before its release, but new server packages are being issued for Slackware 10.2 and -current using an improved patch, as there were some bug reports using certain programs.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
New Mozilla and Firefox packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix security issues:
MFSA 2005-59 Command-line handling on Linux allows shell execution
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
MFSA 2005-57 IDN heap overrun using soft-hyphens
MFSA 2005-59 Command-line handling on Linux allows shell execution
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
MFSA 2005-57 IDN heap overrun using soft-hyphens
New util-linux packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with umount. A bug in the '-r' option could allow flags in /etc/fstab to be improperly dropped on user-mountable volumes, allowing a user to gain root privileges.
New dhcpcd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a minor security issue. The dhcpcd daemon can be tricked into reading past the end of the DHCP buffer by a malicious DHCP server, which causes the dhcpcd daemon to crash and results in a denial of service. Of course, a malicious DHCP server could simply give you an IP address that wouldn't work, too, such as 127.0.0.1, but since people have been asking about this issue, here's a fix, and that's the extent of the impact. In other words, very little real impact.
New kdebase packages are available for Slackware 10.0, 10.1, and -current to fix a security issue with the kcheckpass program. Earlier versions of Slackware are not affected. A flaw in the way the program creates lockfiles could allow a local attacker to gain root privileges.
A new php5 package is available for Slackware 10.1 in /testing to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure.
This advisory summarizes recent security fixes in Slackware -current.
New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure.
Note that these new packages now require that the PCRE package be installed, so be sure to get the new package from the patches/packages/directory if you don't already have it. A new version of this (6.3) was also issued today, so be sure that is the one you install.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
Note that these new packages now require that the PCRE package be installed, so be sure to get the new package from the patches/packages/directory if you don't already have it. A new version of this (6.3) was also issued today, so be sure that is the one you install.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
New PCRE packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A buffer overflow could be triggered by a specially crafted regular expression. Any applications that use PCRE to process untrusted regular expressions may be exploited to run arbitrary code as the user running the application.
The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix some security issues. including:
AIM/ICQ away message buffer overflow
AIM/ICQ non-UTF-8 filename crash
Gadu-Gadu memory alignment bug
Sites that use GAIM should upgrade to the new version.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
AIM/ICQ away message buffer overflow
AIM/ICQ non-UTF-8 filename crash
Gadu-Gadu memory alignment bug
Sites that use GAIM should upgrade to the new version.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
New zlib packages are available for Slackware 10.0, 10.1, and -current to fix an additional crash issue. zlib 1.1.x is not affected.
New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. Connecting to a malicious or compromised POP3 server may overflow fetchmail's stack causing a crash or the execution of arbitrary code.
For more information about this issue, see:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
For more information about this issue, see:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
New gxine packages are available for Slackware 10.0, 10.1, and -current to fix a format string security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
New kdenetwork packages are available for Slackware 10.0, 10.1, and -current to fix security issues. Overflows in libgadu (used by kopete) that can cause a denial of service or arbitrary code execution.
More details about this vulnerability may be found here:
http://www.kde.org/info/security/advisory-20050721-1.txt
More details about this vulnerability may be found here:
http://www.kde.org/info/security/advisory-20050721-1.txt
New Mozilla packages are available for Slackware 10.0, 10.1, and -current to fix various security issues and bugs. See the Mozilla site for a complete list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
New emacs packages are available for Slackware 10.1 and -current to a security issue with the movemail utility for retrieving mail from a POP mail server. If used to connect to a malicious POP server, it is possible for the server to cause the execution of arbitrary code as the user running emacs.
New dnsmasq packages are available for Slackware 10.0, 10.1, and -current to fix security issues. An off-by-one overflow vulnerability may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache.
New tcpdump packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A specially crafted BGP packet can cause tcpdump to go into an infinite loop, creating a denial of service where network monitoring is disabled.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267
New XV image viewer packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. Format string and other issues could cause a crash or execution of arbitrary code if a specially crafted image is loaded with XV.
Sorry folks, I mistakenly used a build template that was too new to build the first round of PHP packages for Slackware 8.1, 9.0, and 9.1, which tried to place the module in /usr/libexec/apache (older versions of Slackware use /usr/libexec instead), and tried to link to incorrect libraries and features. These packages have been replaced with working ones. The packages for 10.0, 10.1, and -current were OK.
New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with the PEAR XML_RPC class that allows a remote attacker to run arbitrary PHP code. Sites that make use of this PHP library should upgrade to the new PHP package right away, or may instead upgrade the XML_RPC PEAR class with the following command:
pear upgrade XML_RPC
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
pear upgrade XML_RPC
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
New zlib packages are available for Slackware 10.0, 10.1, and -current to fix a denial of service security issue. zlib 1.1.x is not affected.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
New Sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A race condition could allow a user with Sudo privileges to run arbitrary commands.
For more details, see:
http://www.courtesan.com/sudo/alerts/path_race.html
For more details, see:
http://www.courtesan.com/sudo/alerts/path_race.html
Sun has released a couple of security advisories pertaining to both the Java Runtime Environment and the Standard Edition Development Kit. These could allow applets to read or write to local files. For more details, Sun's advisories may be found here:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
Slackware repackage's Sun's Java(TM) binaries without changing them, so the packages from Slackware -current should be used for all glibc based Slackware versions.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
Slackware repackage's Sun's Java(TM) binaries without changing them, so the packages from Slackware -current should be used for all glibc based Slackware versions.
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix some minor security issues. Sites that use GAIM should upgrade to the new version.
From Slackware:
New ncftp packages are available for Slackware 10.0, 10.1, and -current to fix security issues.
More details about this issue may be found on the NcFTP site:
http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5
More details about this issue may be found on the NcFTP site:
http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5
New Mozilla packages are available for Slackware 10.0, 10.1, and -current to fix various security issues and bugs. See the Mozilla site for a complete list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix several security issues. Sites that use GAIM should upgrade to the new version.
New infozip (zip/unzip) packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues.
New xine-lib packages are available for Slackware 10.0, 10.1, and -current to fix security issues. The xine frontends have also been upgraded.
For more details on the xine-lib security issues, see:
http://xinehq.de/index.php/security/XSA-2004-8
For more details on the xine-lib security issues, see:
http://xinehq.de/index.php/security/XSA-2004-8
New CVS packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues.
New Python packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue in the SimpleXMLRPCServer library module.
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix several security issues. Sites that use GAIM should upgrade to the new version.
New Mozilla packages are available for Slackware 10.0, 10.1, and -current to fix various security issues and bugs. See the Mozilla site for a complete list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues.
More details about the issues may be found in the PHP ChangeLogs on the PHP web site: http://php.net
More details about the issues may be found in the PHP ChangeLogs on the PHP web site: http://php.net
New Mozilla packages are available for Slackware 9.1, 10.0, 10.1, and -current to fix various security issues and bugs.
OSNews has posted a review on Slackware Linux 10.1
Slackware 10.1 has been released
Saw over at OSNews that Slackware 10.1-Beta1 has been released
OSNews reports that Patrick Volkerding is back in good health
Patrick Volkerding has posted an update. Thanks Mark.
From Slashdot.org:
New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user.
The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
New libtiff packages are available for Slackware 8.1, 9.0, 9.1, 10.1, and -current to fix security issues that could lead to application crashes, or possibly execution of arbitrary code.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. Apache has been upgraded to version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy. mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version 2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher which the server does not consider secure enough.
A new PHP package (php-4.3.9) is also available for all of these platforms.
More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
A new PHP package (php-4.3.9) is also available for all of these platforms.
More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
New gaim packages are available for Slackware 9.0, 9.1, 10.0 and -current to fix a buffer overflow in the MSN protocol. Sites that use GAIM should upgrade to the new version.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
