Linux Compatible

slackware-current security updates (SSA:2005-251-03)

Posted by Philipp Esselbach on: 09/09/2005 03:46 AM

This advisory summarizes recent security fixes in Slackware -current.

Usually security advisories are not issued on problems that exist only within the test version of Slackware (slackware-current), but since it's so close to being released as Slackware 10.2, and since there have been several -current-only issues recently, it has been decided that it would be a good idea to release a summary of all of the security fixes in Slackware -current for the last 2 weeks. Some of these are -current only, and some affect other versions of Slackware (and advisories for these have already been issued).


Here are the details from the Slackware -current ChangeLog:
+--------------------------+
ap/groff-1.19.1-i486-3.tgz: Fixed a /tmp bug in groffer. Groffer is a
script to display formatted output on the console or X, and is not normally
used in other scripts (for printers, etc) like most groff components are.
The risk from this bug is probably quite low. The fix was pulled from the
just-released groff-1.19.2. With Slackware 10.2 just around the corner it
didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2
is over a megabyte compressed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969
(* Security fix *)

kde/kdebase-3.4.2-i486-2.tgz: Patched a bug in Konqueror's handling of
characters such as '*', '[', and '?'.
Generated new kdm config files.
Added /opt/kde/man to $MANPATH.
Patched a security bug in kcheckpass that could allow a local user to
gain root privileges.
For more information, see:
http://www.kde.org/info/security/advisory-20050905-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494
(* Security fix *)

n/mod_ssl-2.8.24_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.24-1.3.33.
From the CHANGES file:
Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was
not enforced in per-location context if "SSLVerifyClient optional" was
configured in the global virtual host configuration.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
(* Security fix *)

n/openssh-4.2p1-i486-1.tgz: Upgraded to openssh-4.2p1.
From the OpenSSH 4.2 release announcement:
SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
GatewayPorts to be incorrectly activated for dynamic ("-D") port
forwardings when no listen address was explicitly specified.
(* Security fix *)

kde/kdeedu-3.4.2-i486-2.tgz: Fixed a minor /tmp bug in kvoctrain.
(* Security fix *)

n/php-4.4.0-i486-3.tgz: Relinked with the system PCRE library, as the builtin
library has a buffer overflow that could be triggered by the processing of a
specially crafted regular expression.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
insecure eval() function.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
(* Security fix *)

xap/gaim-1.5.0-i486-1.tgz: Upgraded to gaim-1.5.0.
This fixes some more security issues.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
(* Security fix *)

testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz: Relinked with the
system PCRE library, as the builtin library has a buffer overflow
that could be triggered by the processing of a specially crafted
regular expression.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
insecure eval() function.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
(* Security fix *)
Recompiled with support for mbstring, cURL, and XSLT.
Thanks to Den (aka Diesel) for suggesting XSLT.
+--------------------------+
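
The mod_ssl entry above describes a configuration pattern that can be searched for before upgrading. The following is an added example, not part of the advisory or of mod_ssl: the function names, the sample configuration and its addresses are constructed for illustration, and the scan treats the main server and each virtual host as separate scopes without following Include files.

```shell
#!/bin/sh
# Added example, not part of the advisory. Flags per-location
# "SSLVerifyClient require" settings that sit under a server- or
# vhost-level "SSLVerifyClient optional" (the CAN-2005-2700 pattern).

# Constructed sample config: the first vhost matches, the second does not.
sample_conf() {
cat <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLVerifyClient none
    <Location /private>
        SSLVerifyClient require
    </Location>
</VirtualHost>
EOF
}

# find_affected_locations FILE
# Prints "<line>: <container>" per match; returns 1 if any were found.
# Assumption: the main server (scope 0) and each <VirtualHost> are
# separate scopes; directive order inside a scope does not matter.
find_affected_locations() {
    awk '
    BEGIN { scope = 0 }
    { d = tolower($1); v = tolower($2) }
    d ~ /^<virtualhost/   { scope = ++vhosts; next }
    d ~ /^<\/virtualhost/ { scope = 0; next }
    d ~ /^<(location|directory|files)/ {
        depth++; ctx = $0; sub(/^[ \t]+/, "", ctx); next
    }
    d ~ /^<\/(location|directory|files)/ { depth--; next }
    d == "sslverifyclient" && v == "optional" && depth == 0 { optional[scope] = 1 }
    d == "sslverifyclient" && v == "require" && depth > 0 {
        n++; hit[n] = NR ": " ctx; hscope[n] = scope
    }
    END {
        for (i = 1; i <= n; i++)
            if (hscope[i] in optional) { print hit[i]; found = 1 }
        exit (found ? 1 : 0)
    }' "$1"
}
```

Run it as `find_affected_locations /path/to/httpd.conf`; any line it prints names a container whose client-certificate requirement depended on the fixed mod_ssl build.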


Where to find the new packages:
+-----------------------------+

All of these packages are available in the slackware-current directory
on ftp.slackware.com:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/groff-1.19.1-i486-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/kde/kdebase-3.4.2-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.24_1.3.33-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-4.2p1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/kde/kdeedu-3.4.2-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.4.0-i486-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-1.5.0-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz

A .asc file is provided next to each package. This can be used along
with 'gpg --verify' to verify the integrity of the packages.
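
To confirm that a system is actually running the builds listed above, the installed package records can be compared against that list. This is an added example, not part of the advisory: the function names are hypothetical, and it assumes the pkgtools database lives in /var/log/packages with one file per installed package named name-version-arch-build.

```shell
#!/bin/sh
# Added example, not part of the advisory. The fixed builds below are
# copied from the advisory's package list.
FIXED_PKGS="groff-1.19.1-i486-3 kdebase-3.4.2-i486-2 \
mod_ssl-2.8.24_1.3.33-i486-1 openssh-4.2p1-i486-1 kdeedu-3.4.2-i486-2 \
php-4.4.0-i486-3 gaim-1.5.0-i486-1 php-5.0.4-i486-3"

# Records are named <name>-<version>-<arch>-<build>; only <name> may
# contain hyphens, so dropping the last three fields yields the name.
pkg_base() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*-[^-]*$//'
}

# audit_packages [DIR]
# Prints "OK <record>" or "DIFFERS <record>" for every installed package
# named in the advisory. DIR defaults to /var/log/packages (assumption).
# Returns 1 if any installed record is not one of the fixed builds.
audit_packages() {
    dir=${1:-/var/log/packages}
    rc=0
    seen=""
    for fixed in $FIXED_PKGS; do
        base=$(pkg_base "$fixed")
        # php appears twice in the list (4.4.0 and 5.0.4); scan it once.
        case " $seen " in *" $base "*) continue ;; esac
        seen="$seen $base"
        for rec in "$dir/$base"-*; do
            [ -e "$rec" ] || continue
            inst=${rec##*/}
            # Ignore other packages that merely share the name prefix.
            [ "$(pkg_base "$inst")" = "$base" ] || continue
            case " $FIXED_PKGS " in
                *" $inst "*) echo "OK       $inst" ;;
                *)           echo "DIFFERS  $inst"; rc=1 ;;
            esac
        done
    done
    return $rc
}
```

A DIFFERS line means the installed build is not one named in this advisory; it may be older or newer, so compare it by hand against the ChangeLog entry.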


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

