Slackware 1126 Published by

The following updates has been released for Slackware:

bind (SSA:2017-180-02)
httpd (SSA:2017-180-03)
libgcrypt (SSA:2017-180-04)
Slackware 14.1 kernel (SSA:2017-180-01)



bind (SSA:2017-180-02)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/bind-9.10.5_P2-i586-1_slack14.2.txz: Upgraded.
This update fixes a high severity security issue:
An error in TSIG handling could permit unauthorized zone transfers
or zone updates.
For more information, see:
https://kb.isc.org/article/AA-01503/0
https://kb.isc.org/article/AA-01504/0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :):

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.9.10_P2-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.9.10_P2-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.9.10_P2-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.9.10_P2-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.9.10_P2-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.9.10_P2-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.9.10_P2-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.9.10_P2-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.9.10_P2-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.9.10_P2-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bind-9.10.5_P2-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bind-9.10.5_P2-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.11.1_P2-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.11.1_P2-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.0 package:
4a855f5e3fa128a4abac68b00d65c3ef bind-9.9.10_P2-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
91d856c0f5ae2f775a08c7a6ce7bb1a9 bind-9.9.10_P2-x86_64-1_slack13.0.txz

Slackware 13.1 package:
ca0c4f4f4e6d9c8261b2e1b385363a8e bind-9.9.10_P2-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
a3d6419bc4287c719877e6a912d04a32 bind-9.9.10_P2-x86_64-1_slack13.1.txz

Slackware 13.37 package:
105dc3696b8abdd39b9262878426c851 bind-9.9.10_P2-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
d0191c72b85fc479f85aafb7ac4ebeb9 bind-9.9.10_P2-x86_64-1_slack13.37.txz

Slackware 14.0 package:
fcb0568b682b82852915de806014619f bind-9.9.10_P2-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
594eb4de02aabb93a9a91173b12283c2 bind-9.9.10_P2-x86_64-1_slack14.0.txz

Slackware 14.1 package:
764b017792c297c87be1a2638fec8042 bind-9.9.10_P2-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
714b71e509a5b6808224d46a6b87a55d bind-9.9.10_P2-x86_64-1_slack14.1.txz

Slackware 14.2 package:
b2a695b4b2ca664463202c9e834c035b bind-9.10.5_P2-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
33402c08402a2ccbaa85f664f82221db bind-9.10.5_P2-x86_64-1_slack14.2.txz

Slackware -current package:
9d1ba79294a6743c425b63e87c4726f5 n/bind-9.11.1_P2-i586-1.txz

Slackware x86_64 -current package:
6a3e3071c59d369df9d21a04416adbb9 n/bind-9.11.1_P2-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg bind-9.10.5_P2-i586-1_slack14.2.txz

Then, restart the name server:

# /etc/rc.d/rc.bind restart

httpd (SSA:2017-180-03)

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.26-i586-1_slack14.2.txz: Upgraded.
This update fixes security issues which may lead to an authentication bypass
or a denial of service:
important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
important: mod_ssl Null Pointer Dereference CVE-2017-3169
important: mod_http2 Null Pointer Dereference CVE-2017-7659
important: ap_find_token() Buffer Overread CVE-2017-7668
important: mod_mime Buffer Overread CVE-2017-7679
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :):

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.32-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.32-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.32-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.32-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.32-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.32-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.26-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.26-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.26-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.26-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.26-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.26-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.26-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.26-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.0 package:
3f00c09d7f7fc679c60edea24aa2e24f httpd-2.2.32-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
398ee8c9e198e6f87dafa12092f52681 httpd-2.2.32-x86_64-1_slack13.0.txz

Slackware 13.1 package:
6c07977ed9799064aef4ac18f9b45df1 httpd-2.2.32-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
3a80ee6b2d459fe3b49476b205fa1472 httpd-2.2.32-x86_64-1_slack13.1.txz

Slackware 13.37 package:
ff470f6bbeb553d55a083ce023340dfd httpd-2.2.32-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
65e42ac5f38385c935fdf6937d52e44e httpd-2.2.32-x86_64-1_slack13.37.txz

Slackware 14.0 package:
145ed3cb94caf035f2399eede0ef05e3 httpd-2.4.26-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
9e48513a5508757dd856309dd7bc86ec httpd-2.4.26-x86_64-1_slack14.0.txz

Slackware 14.1 package:
8ddfb545db9fd25ce9a8c25f468c93d1 httpd-2.4.26-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
48dcd26874858ce96d83b102e8117877 httpd-2.4.26-x86_64-1_slack14.1.txz

Slackware 14.2 package:
c5e9b0490d7c2dc29c04e288956ea3e6 httpd-2.4.26-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
1947fc3942e8716580c84cbd92c42329 httpd-2.4.26-x86_64-1_slack14.2.txz

Slackware -current package:
231eee45f432bb10e8edd51d03cde20c n/httpd-2.4.26-i586-1.txz

Slackware x86_64 -current package:
2326f05f1e51895956b419d682122cdd n/httpd-2.4.26-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg httpd-2.4.26-i586-1_slack14.2.txz

Then, restart Apache httpd:

# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

libgcrypt (SSA:2017-180-04)

New libgcrypt packages are available for Slackware 14.2 and -current to fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/libgcrypt-1.7.8-i586-1_slack14.2.txz: Upgraded.
Mitigate a local flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster".
For more information, see:
https://eprint.iacr.org/2017/627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :):

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libgcrypt-1.7.8-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libgcrypt-1.7.8-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/libgcrypt-1.7.8-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/libgcrypt-1.7.8-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.2 package:
204496613f4747c2d5578527483c4bd4 libgcrypt-1.7.8-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
22d1d1de8cfabc896afd94338df3d53c libgcrypt-1.7.8-x86_64-1_slack14.2.txz

Slackware -current package:
83f8139bb564ffbea9590a429c7ca856 n/libgcrypt-1.7.8-i586-1.txz

Slackware x86_64 -current package:
cfa6085a8832331bd70d484a92704af6 n/libgcrypt-1.7.8-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libgcrypt-1.7.8-i586-1_slack14.2.txz

Slackware 14.1 kernel (SSA:2017-180-01)

New kernel packages are available for Slackware 14.1 to fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/linux-3.10.107/*: Upgraded.
This kernel fixes two "Stack Clash" vulnerabilities reported by Qualys.
The first issue may allow attackers to execute arbitrary code with elevated
privileges. Failed attack attempts will likely result in denial-of-service
conditions. The second issue can be exploited to bypass certain security
restrictions and perform unauthorized actions.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365
(* Security fix *)
In addition, a patch is included and preapplied to guard against other == sk
in unix_dgram_sendmsg. This bug has been known to cause Samba related stalls.
Thanks to Ben Stern for the bug report.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :):

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-generic-3.10.107-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-generic-smp-3.10.107_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-headers-3.10.107_smp-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-huge-3.10.107-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-huge-smp-3.10.107_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-modules-3.10.107-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-modules-smp-3.10.107_smp-i686-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/linux-3.10.107/kernel-source-3.10.107_smp-noarch-1.txz

Updated packages for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-generic-3.10.107-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-headers-3.10.107-x86-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-huge-3.10.107-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-modules-3.10.107-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.107/kernel-source-3.10.107-noarch-1.txz


MD5 signatures:
+-------------+

Slackware 14.1 packages:
7a3dc2cd4c1067984d0cbc5e257eb0f8 kernel-generic-3.10.107-i486-1.txz
1ec7b64fec890841337dcb0b85c4189e kernel-generic-smp-3.10.107_smp-i686-1.txz
42be9d29509261878e11ee142ddc5835 kernel-headers-3.10.107_smp-x86-1.txz
c68758ab09860d8d9585eff27aa7b341 kernel-huge-3.10.107-i486-1.txz
1f27891b34076dfe3b1f1aa56c820017 kernel-huge-smp-3.10.107_smp-i686-1.txz
9b2f9044654c44b7fdaaf1dfa86c1f2b kernel-modules-3.10.107-i486-1.txz
68835ec8daffd1c101651cb1213917ea kernel-modules-smp-3.10.107_smp-i686-1.txz
c6b18ccd52ef37879f4791557b1350d1 kernel-source-3.10.107_smp-noarch-1.txz

Slackware x86_64 14.1 packages:
c363284f807203eb8fedfc0db35ab9c3 kernel-generic-3.10.107-x86_64-1.txz
7101db4ec1cbeb294f41fb65709fb030 kernel-headers-3.10.107-x86-1.txz
fef8c622ea91dcaeae915bf11de54aa1 kernel-huge-3.10.107-x86_64-1.txz
4985fb9284200278dd57f8ce14bc1670 kernel-modules-3.10.107-x86_64-1.txz
fdced05a099ab697bd91e75118163320 kernel-source-3.10.107-noarch-1.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg kernel-*.txz

If you are using an initrd, you'll need to rebuild it.

For a 32-bit SMP machine, use this command (substitute the appropriate
kernel version if you are not running Slackware 14.2):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.10.107-smp | bash

For a 64-bit machine, or a 32-bit uniprocessor machine, use this command
(substitute the appropriate kernel version if you are not running
Slackware 14.2):
# /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.10.107 | bash

Please note that "uniprocessor" has to do with the kernel you are running,
not with the CPU. Most systems should run the SMP kernel (if they can)
regardless of the number of cores the CPU has. If you aren't sure which
kernel you are running, run "uname -a". If you see SMP there, you are
running the SMP kernel and should use the 3.10.107-smp version when running
mkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit
systems should always use 3.10.107 as the version.

If you are using lilo or elilo to boot the machine, you'll need to ensure
that the machine is properly prepared before rebooting.

If using LILO:
By default, lilo.conf contains an image= line that references a symlink
that always points to the correct kernel. No editing should be required
unless your machine uses a custom lilo.conf. If that is the case, be sure
that the image= line references the correct kernel file. Either way,
you'll need to run "lilo" as root to reinstall the boot loader.

If using elilo:
Ensure that the /boot/vmlinuz symlink is pointing to the kernel you wish
to use, and then run eliloconfig to update the EFI System Partition.