New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
New x11 (X.Org) packages are available for Slackware 10.2, and -current to fix security issues due to overflows in font parsing.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
New Firefox and Thunderbird packages are available for Slackware 10.2 and -current to fix security issues. In addition, a new Seamonkey package is available for Slackware -current to fix similar issues.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey
New openssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a signature forgery security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-4339
As well as here:
http://www.openssl.org/news/secadv_20060905.txt
New bind packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a Denial of Service issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096
As well as here:
http://www.isc.org/sw/bind/bind-security.php
There are no known active exploits at this time.
OSNews is reporting that Patrick Volkerding has released Slackware 11 RC4.
Slackware 11.0 RC3 has been released
New php packages are available for Slackware 10.2 and -current to fix security and other issues.
More details about these issues may be found on the PHP website:
http://www.php.net
Slackware Linux 11.0 RC1 has been released
New php packages are available for Slackware 10.2 and -current to fix security and other issues.
More details about these issues may be found on the PHP website:
http://www.php.net
New mysql packages are available for Slackware 10.2 to fix security issues (and other bugs). For complete details about the many fixes addressed by this release, you can find MySQL's news article about the MySQL 4.1.21 Community Edition release here:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469
New Firefox and Thunderbird packages are available for Slackware 10.2 and -current to fix security issues. In addition, a new Seamonkey package is available for Slackware -current to fix similar issues.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey
New mutt packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a possible security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242
New xine-lib packages are available for Slackware 10.2 and -current to fix security issues.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2802
Evidently there is also an issue involving AVI files which has not been issued a CVE entry.
New x11 packages are available for Slackware 10.2 and -current to fix security issues. In addition, fontconfig and freetype have been split out from the x11 packages in -current, so if you run -current you'll also need to install those new packages.
More details about the issues may be found here:
http://lists.freedesktop.org/archives/xorg-announce/2006-June/000100.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861
New gimp packages are available for Slackware 10.2 and -current to fix a possible security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
New Samba packages are available for Slackware 10.0, 10.1, 10.2, and -current.
In Slackware 10.0, 10.1, and 10.2, Samba was evidently picking up the libdm.so.0 library causing a Samba package issued primarily as a security patch to suddenly require a library that would only be present on the machine if the xfsprogs package (from the A series but marked "optional") was installed. Sorry -- this was not intentional, though I do know that I'm taking the chance of this kind of issue when trying to get security related problems fixed quickly (hopefully balanced with reasonable testing), and when the fix is achieved by upgrading to a new version rather than with the smallest patch possible to fix the known issue. However, I tend to trust that by following upstream sources as much as possible I'm also fixing some problems that aren't yet public.
So, all of the 10.0, 10.1, and 10.2 packages have been rebuilt on systems without the dm library, and should be able to directly upgrade older samba packages without additional requirements. Well, unless they are also under /patches. ;-)
New Samba packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix a security related (but, in my own opinion and also that of the Samba team member who made their WHATSNEW.txt entry, "minor") denial of service issue.
New sendmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a possible denial-of-service issue.
Sendmail's complete advisory may be found here:
http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
Sendmail has also provided an FAQ about this issue:
http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173
New Firefox and Thunderbird packages are available for Slackware 10.2 and -current to fix security issues. In addition, a new Seamonkey package is available for Slackware -current to fix similar issues.
New mysql packages are available for Slackware 9.1, 10.0, 10.1, 10.2 and -current to fix security issues.
The MySQL packages shipped with Slackware 9.1, 10.0, and 10.1 may possibly leak sensitive information found in uninitialized memory to authenticated users. This is fixed in the new packages, and was already patched in Slackware 10.2 and -current. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
New Firefox packages are available for Slackware 10.2 and -current to fix a security issue.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.3
New xorg and xorg-devel packages are available for Slackware 10.1, 10.2, and -current to fix a security issue. A typo in the X render extension in X.Org 6.8.0 or later allows an X client to crash the server and possibly to execute arbitrary code as the X server user (typically this is "root").
New Thunderbird packages are available for Slackware 10.2 and -current to fix security issues.
New Mozilla packages are available for Slackware 10.0, 10.1, 10.2 and -current to fix multiple security issues.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla
Also note that this release marks the EOL (End Of Life) for the Mozilla Suite series. It's been a great run, so thanks to everyone who put in so much effort to make Mozilla a great browser suite. In the next Slackware release fans of the Mozilla Suite will be able to look forward to browsing with SeaMonkey, the Suite's successor. Anyone using an older version of Slackware may want to start thinking about migrating to another browser -- if not now, when the next problems with Mozilla are found.
Although the "sunset announcement" states that mozilla-1.7.13 is the final mozilla release, I wouldn't be too surprised to see just one more since there's a Makefile.in bug that needed to be patched here before Mozilla 1.7.13 would build. If a new release comes out and fixes only that issue, don't look for a package release on that as it's already fixed in these packages. If additional issues are fixed, then there will be new packages. Basically, if upstream un-EOLs this for a good reason, so will we.
New Firefox packages are available for Slackware 10.2 and -current to fix security issues.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.2
New sendmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.
Sendmail's advisory concerning this issue may be found here:
http://www.sendmail.com/company/advisory/index.shtml
This issue will appear in the Common Vulnerabilities and Exposures (CVE) database at the following location:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
A new kdegraphics package is available for Slackware 10.1 to fix a security issue. A portion of the recent security patch was missing in the version that was applied to kdegraphics-3.3.2 in Slackware 10.1. Other versions of Slackware are not affected by this specific missing patch issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0746
New GnuPG packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049
New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
New kdelibs packages are available for Slackware 10.0, 10.1, and 10.2 to fix a security issue with kjs.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019
New Firefox packages are available for Slackware 10.2 and -current to fix security issues.
More details about the issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.1
New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0151
New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321
New php packages are available for Slackware 10.2 and -current to fix minor security issues.
More details about these issues may be found on the PHP website:
http://www.php.net/release_4_4_2.php
New imagemagick packages are available for Slackware 10.2 and -current to fix security issues.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
New Elm packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. A buffer overflow in the parsing of the Expires header could allow arbitrary code to be executed as the user running Elm.
New curl packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current, and new wget packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current. These address a buffer overflow in NTLM handling which may present a security problem, though no public exploits are known at this time.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
New KOffice packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue with KWord. A buffer overflow in the RTF import functionality could result in the execution of arbitrary code.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971
New imapd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix (an alleged) security issue. See the details below for more information. Also, new Pine packages are provided since these are built together... why not? Might as well upgrade that too, while I'm fixing the fake security problem.
New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix potential security issues:
* If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
* Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.
It's hard to say how much real-world impact these have, as there's no more information about that in the announcement. The original Apache announcement can be read here:
http://www.apache.org/dist/httpd/Announcement1.3.html
Note that if you use mod_ssl, you will also need a new mod_ssl package. These have been provided for the same releases of Slackware.
New PHP packages are available for Slackware 10.2 and -current to fix minor security issues relating to the overwriting of the GLOBALS array.
It has been reported here that this new version of PHP also breaks squirrelmail and probably some other things. Given the vague nature of the security report, it's possible that the cure might be worse than the disease as far as this upgrade is concerned. If you encounter problems, you may wish to drop back to 4.4.0, and I believe that doing so is relatively safe. I understand at least some of the issues are fixed in CVS already, so perhaps another maintenance release is not far off.
Thanks to Gerardo Exequiel Pozzi for bringing the issues with 4.4.1 to my attention so that this additional information could be included here.
New Lynx packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. An overflow could result in the execution of arbitrary code when using Lynx to connect to a malicious NNTP server.
New OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. Under certain conditions, an attacker acting as a "man in the middle" may force a client and server to fall back to the less-secure SSL 2.0 protocol.
New xine-lib packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. A format string bug may allow the execution of arbitrary code as the user running a xine-lib linked application. The attacker must provide (by uploading or running a server) specially crafted CDDB information and then get the user to play the referenced audio CD.
New Thunderbird packages are available for Slackware 10.2 and -current to fix a security issue:
MFSA 2005-59 Command-line handling on Linux allows shell execution