New Thunderbird packages are available for Slackware 10.2 and -current to fix a security issue:
MFSA 2005-59 Command-line handling on Linux allows shell execution
After several weeks of testing, the latest version of Dropline GNOME is finally available.
New X.Org server packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix a security issue. An integer overflow in the pixmap handling code may allow the execution of arbitrary code through a specially crafted pixmap. Slackware 10.2 was patched against this vulnerability before its release, but new server packages are being issued for Slackware 10.2 and -current using an improved patch, as there were some bug reports using certain programs.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
New Mozilla and Firefox packages are available for Slackware 10.0, 10.1, 10.2, and -current to fix security issues:
MFSA 2005-59 Command-line handling on Linux allows shell execution
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
MFSA 2005-57 IDN heap overrun using soft-hyphens
OSNews reports that Slackware 10.2 has been released
Slackware 10.2 Released
New util-linux packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with umount. A bug in the '-r' option could allow flags in /etc/fstab to be improperly dropped on user-mountable volumes, allowing a user to gain root privileges.
New dhcpcd packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a minor security issue. The dhcpcd daemon can be tricked into reading past the end of the DHCP buffer by a malicious DHCP server, which causes the dhcpcd daemon to crash and results in a denial of service. Of course, a malicious DHCP server could simply give you an IP address that wouldn't work, too, such as 127.0.0.1, but since people have been asking about this issue, here's a fix, and that's the extent of the impact. In other words, very little real impact.
New kdebase packages are available for Slackware 10.0, 10.1, and -current to fix a security issue with the kcheckpass program. Earlier versions of Slackware are not affected. A flaw in the way the program creates lockfiles could allow a local attacker to gain root privileges.
A new php5 package is available for Slackware 10.1 in /testing to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure.
This advisory summarizes recent security fixes in Slackware -current.
New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure.
Note that these new packages now require that the PCRE package be installed, so be sure to get the new package from the patches/packages/directory if you don't already have it. A new version of this (6.3) was also issued today, so be sure that is the one you install.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
New PCRE packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A buffer overflow could be triggered by a specially crafted regular expression. Any applications that use PCRE to process untrusted regular expressions may be exploited to run arbitrary code as the user running the application.
The PCRE library is also provided in an initial installation by the aaa_elflibs package, so if your system has a /usr/lib/libpcre.so.0 symlink, then you should install this updated package even if the PCRE package itself is not installed on the system.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1, and -current to fix some security issues. including:
AIM/ICQ away message buffer overflow
AIM/ICQ non-UTF-8 filename crash
Gadu-Gadu memory alignment bug
Sites that use GAIM should upgrade to the new version.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
New tcpip packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issues with the telnet client. Overflows in the telnet client may lead to the execution of arbitrary code as the telnet user if the user connects to a malicious telnet server.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
New zlib packages are available for Slackware 10.0, 10.1, and -current to fix an additional crash issue. zlib 1.1.x is not affected.
New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. Connecting to a malicious or compromised POP3 server may overflow fetchmail's stack causing a crash or the execution of arbitrary code.
For more information about this issue, see:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
New gxine packages are available for Slackware 10.0, 10.1, and -current to fix a format string security issue.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
New kdenetwork packages are available for Slackware 10.0, 10.1, and -current to fix security issues. Overflows in libgadu (used by kopete) that can cause a denial of service or arbitrary code execution.
More details about this vulnerability may be found here:
http://www.kde.org/info/security/advisory-20050721-1.txt
New Mozilla packages are available for Slackware 10.0, 10.1, and -current to fix various security issues and bugs. See the Mozilla site for a complete list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#MozillaNew versions of the mozilla-plugins symlink creation package are also out for Slackware 10.0 and 10.1, and a new version of the jre-symlink package for Slackware -current.
New emacs packages are available for Slackware 10.1 and -current to a security issue with the movemail utility for retrieving mail from a POP mail server. If used to connect to a malicious POP server, it is possible for the server to cause the execution of arbitrary code as the user running emacs.
