213 replies to this topic

[V.T. Eric Layton]

[slackware-security]  mozilla-thunderbird (SSA:2010-295-03)New mozilla-thunderbird packages are available for Slackware 13.1 and -currentto fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-thunderbird-3.0.9-i686-1.txz:  Upgraded.  This upgrade fixes some more security bugs.  For more information, see:    http://www.mozilla.o...nderbird30.html  (* Security fix *)+--------------------------+======[slackware-security]  mozilla-firefox (SSA:2010-295-02)New mozilla-firefox packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.11-i686-1.txz:  Upgraded.  This fixes some security issues.  For more information, see:    http://www.mozilla.o.../firefox36.html  (* Security fix *)+--------------------------+======[slackware-security]  glibc (SSA:2010-295-01)New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/glibc-2.11.1-i486-4_slack13.1.txz:  Rebuilt.  Patched "dynamic linker expands $ORIGIN in setuid library search path".  This security issue allows a local attacker to gain root if they can create  a hard link to a setuid root binary.  Thanks to Tavis Ormandy.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3847    http://seclists.org/...re/2010/Oct/257  (* Security fix *)patches/packages/glibc-i18n-2.11.1-i486-4_slack13.1.txz:  Rebuilt.patches/packages/glibc-profile-2.11.1-i486-4_slack13.1.txz:  Rebuilt.patches/packages/glibc-solibs-2.11.1-i486-4_slack13.1.txz:  Rebuilt.patches/packages/glibc-zoneinfo-2.11.1-noarch-4_slack13.1.txz:  Rebuilt.+--------------------------+

[V.T. Eric Layton]

[slackware-security]  seamonkey (SSA:2010-300-01)New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/seamonkey-2.0.9-i486-1_slack13.1.txz:  Upgraded.  This release fixes some more security vulnerabilities.  For more information, see:    http://www.mozilla.o...eamonkey20.html  (* Security fix *)patches/packages/seamonkey-solibs-2.0.9-i486-1_slack13.1.txz:  Upgraded.+--------------------------+

[V.T. Eric Layton]

[slackware-security]  glibc (SSA:2010-301-01)New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/glibc-2.11.1-i486-5_slack13.1.txz:  Rebuilt.  Patched "The GNU C library dynamic linker will dlopen arbitrary DSOs  during setuid loads."  This security issue allows a local attacker to  gain root by specifying an unsafe DSO in the library search path to be  used with a setuid binary in LD_AUDIT mode.  Bug found by Tavis Ormandy (with thanks to Ben Hawkes and Julien Tinnes).  For more information, see:    http://cve.mitre.org...e=CVE-2010-3856    http://seclists.org/...re/2010/Oct/344  (* Security fix *)patches/packages/glibc-i18n-2.11.1-i486-5_slack13.1.txz:  Rebuilt.patches/packages/glibc-profile-2.11.1-i486-5_slack13.1.txz:  Rebuilt.patches/packages/glibc-solibs-2.11.1-i486-5_slack13.1.txz:  Upgraded.  (* Security fix *)patches/packages/glibc-zoneinfo-2.11.1-noarch-5_slack13.1.txz:  Upgraded.  Rebuilt to tzcode2010n and tzdata2010n.+--------------------------+=====[slackware-security]  mozilla-firefox (SSA:2010-301-02)New mozilla-firefox packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.12-i686-1.txz:  Upgraded.  This fixes some security issues.  For more information, see:    http://www.mozilla.o.../firefox36.html  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  seamonkey (SSA:2010-305-01)New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/seamonkey-2.0.10-i486-1_slack13.1.txz:  Upgraded.  This release fixes some more security vulnerabilities.  For more information, see:    http://www.mozilla.o...eamonkey20.html  (* Security fix *)patches/packages/seamonkey-solibs-2.0.10-i486-1_slack13.1.txz:  Upgraded.+--------------------------+

[V.T. Eric Layton]

[slackware-security]  pidgin (SSA:2010-305-02)New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/pidgin-2.7.5-i486-1_slack13.1.txz:  Upgraded.  This update addresses some denial of service bugs.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3711  (* Security fix *)+--------------------------+=====[slackware-security]  proftpd (SSA:2010-305-03)New proftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to a fix security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/proftpd-1.3.3c-i486-1_slack13.1.txz:  Upgraded.  Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925), which can  allow remote execution of arbitrary code as the user running the  ProFTPD daemon.  Thanks to TippingPoint and the Zero Day Initiative (ZDI).  For more information, see:    http://cve.mitre.org...e=CVE-2010-3867  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  mozilla-thunderbird (SSA:2010-317-01)New mozilla-thunderbird packages are available for Slackware 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-thunderbird-3.0.10-i686-1.txz:  Upgraded.  This upgrade fixes some more security bugs.  For more information, see:    http://www.mozilla.o...nderbird30.html  (* Security fix *)+--------------------------+As noted in the Slackware 13.0 ChangeLog, this is a major update there:+--------------------------+patches/packages/mozilla-thunderbird-3.0.10-i686-1.txz:  Upgraded.  With Thunderbird 2.x unmaintained, it seems like a good idea to provide a  upgrade to Thunderbird 3.x for security reasons.  This will bring with it  quite a bit of changed functionality, so be prepared...  one hint is that  it will now make local copies of remote mailboxes by default, so you will  need to have enough disk space to handle that.  For more information, see:    http://www.mozilla.o...nderbird30.html  (* Security fix *)+--------------------------+Special Note: This update will install T-bird 3.0 on your Slack 13.0 system... BE AWARE. T-bird 3.0 is much different from 2.0. Many of your extensions and customizations will NOT work with the newer version.

[V.T. Eric Layton]

[slackware-security]  xpdf (SSA:2010-324-01)New xpdf packages are available for Slackware 9.1, 10.0, 10.1, 10.2, 11.0,12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/xpdf-3.02pl5-i486-1_slack13.1.txz:  Upgraded.  This update fixes security issues that could lead to an  application crash, or execution of arbitrary code.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3702    http://cve.mitre.org...e=CVE-2010-3703    http://cve.mitre.org...e=CVE-2010-3704  (* Security fix *)+--------------------------+=====[slackware-security]  poppler (SSA:2010-324-02)New poppler packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/poppler-0.12.4-i486-2_slack13.1.txz:  Rebuilt.  This updated package includes patches based on xpdf 3.02pl5.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3702    http://cve.mitre.org...e=CVE-2010-3703    http://cve.mitre.org...e=CVE-2010-3704  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  openssl (SSA:2010-326-01)New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/openssl-0.9.8p-i486-1_slack13.1.txz:  Rebuilt.  This OpenSSL update contains some security related bugfixes.  For more information, see the included CHANGES and NEWS files, and:    http://www.openssl.o...dv_20101116.txt    http://cve.mitre.org...e=CVE-2010-2939    http://cve.mitre.org...e=CVE-2010-3864 (* Security fix *)patches/packages/openssl-solibs-0.9.8p-i486-1_slack13.1.txz:  Rebuilt. (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  cups (SSA:2010-333-01)New cups packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/cups-1.4.5-i486-1_slack13.1.txz:  Upgraded.  Fixed memory corruption bugs that could lead to a denial of service  or possibly execution of arbitrary code through a crafted IPP request.    http://cve.mitre.org...e=CVE-2010-2941  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  openssl (SSA:2010-340-01)New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/openssl-0.9.8q-i486-1_slack13.1.txz:  Upgraded.  This OpenSSL update contains some security related bugfixes.  For more information, see the included CHANGES and NEWS files, and:    http://www.openssl.o...dv_20101202.txt    http://cve.mitre.org...e=CVE-2010-4180    http://cve.mitre.org...e=CVE-2010-4252  (* Security fix *)patches/packages/openssl-solibs-0.9.8q-i486-1_slack13.1.txz:  Upgraded.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  mozilla-firefox (SSA:2010-343-01)New mozilla-firefox packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.13-i686-1.txz:  Upgraded.  This fixes some security issues.  For more information, see:    http://www.mozilla.o.../firefox36.html  (* Security fix *)+--------------------------+=====[slackware-security]  mozilla-thunderbird (SSA:2010-343-02)New mozilla-thunderbird packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-thunderbird-3.0.11-i686-1.txz:  Upgraded.  This upgrade fixes some more security bugs.  For more information, see:    http://www.mozilla.o...nderbird30.html  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  seamonkey (SSA:2010-344-01)New seamonkey packages are available for Slackware 12.2, 13.0, and 13.1 tofix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/seamonkey-2.0.11-i486-1_slack13.1.txz:  Upgraded.  This release fixes some more security vulnerabilities.  For more information, see:    http://www.mozilla.o...eamonkey20.html  (* Security fix *)patches/packages/seamonkey-solibs-2.0.11-i486-1_slack13.1.txz:  Upgraded.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  bind (SSA:2010-350-01)New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues thatcould allow attackers to successfully query private DNS records, or cause adenial of service.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/bind-9.4_ESV_R4-i486-1_slack13.1.txz:  Upgraded.  This update fixes some security issues.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3613    http://cve.mitre.org...e=CVE-2010-3614    http://cve.mitre.org...e=CVE-2010-3615  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  php (SSA:2010-357-01)New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/php-5.2.16-i486-1_slack13.1.txz:  Upgraded.  This fixes many bugs, including some security issues.  For more information, see:    http://cve.mitre.org...e=CVE-2010-3436    http://cve.mitre.org...e=CVE-2010-3709    http://cve.mitre.org...e=CVE-2010-4150  (* Security fix *)+--------------------------+======[slackware-security]  proftpd (SSA:2010-357-02)New proftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/proftpd-1.3.3d-i486-1_slack13.1.txz:  Upgraded.  This update fixes an unbounded copy operation in sql_prepare_where() that  could be exploited to execute arbitrary code.  However, this only affects  servers that use the sql_mod module (which Slackware does not ship), and  in addition the ability to exploit this depends on an SQL injection bug  that was already fixed in proftpd-1.3.2rc2 (this according to upstream).  So in theory, this fix should only be of academic interest.  But in practice, better safe than sorry.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  pidgin (SSA:2010-361-01)New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a denial of service security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/pidgin-2.7.9-i486-1_slack13.1.txz:  Upgraded.  Fixed denial-of-service flaw in the MSN protocol.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  php (SSA:2011-010-01)New php packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/php-5.2.17-i486-1_slack13.1.txz:  Upgraded.  This update fixes an infinite loop with conversions from string to  double that may result in a denial of service.  For more information, see:    http://cve.mitre.org...e=CVE-2010-4645  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  apr-util (SSA:2011-041-01)New apr and apr-util packages are available for Slackware 11.0, 12.0, 12.1,12.2, 13.0, 13.1, and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/apr-1.3.12-i486-1_slack13.1.txz:  Upgraded.patches/packages/apr-util-1.3.10-i486-1_slack13.1.txz:  Upgraded.  Fixes a memory leak and DoS in apr_brigade_split_line().  For more information, see:    http://cve.mitre.org...e=CVE-2010-1623  (* Security fix *)+--------------------------+======[slackware-security]  expat (SSA:2011-041-02)New expat packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/expat-2.0.1-i486-2_slack13.1.txz:  Upgraded.  Fixed various crash and hang bugs.  For more information, see:    http://cve.mitre.org...e=CVE-2009-2625    http://cve.mitre.org...e=CVE-2009-3560    http://cve.mitre.org...e=CVE-2009-3720  (* Security fix *)+--------------------------+======[slackware-security]  httpd (SSA:2011-041-03)New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/httpd-2.2.17-i486-1_slack13.1.txz:  Upgraded.  This fixes some denial of service bugs in the bundled libraries.  On Slackware we do not use the bundled expat or apr-util, so the  issues are also fixed in those external libraries.  For more information, see:    http://cve.mitre.org...e=CVE-2009-3560    http://cve.mitre.org...e=CVE-2009-3720    http://cve.mitre.org...e=CVE-2010-1623  (* Security fix *)+--------------------------+======[slackware-security]  openssl (SSA:2011-041-04)New openssl packages are available for 11.0, 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/openssl-0.9.8r-i486-1_slack13.1.txz:  Upgraded.  This OpenSSL update fixes an "OCSP stapling vulnerability".  For more information, see the included CHANGES and NEWS files, and:    http://www.openssl.o...dv_20110208.txt    http://cve.mitre.org...e=CVE-2011-0014  (* Security fix *)  Patched certwatch to work with recent versions of "file".  Thanks to Ulrich Sch?fer and Jan Rafaj.patches/packages/openssl-solibs-0.9.8r-i486-1_slack13.1.txz:  Upgraded.  (* Security fix *)+--------------------------+======[slackware-security]  sudo (SSA:2011-041-05)New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/sudo-1.7.4p6-i486-1_slack13.1.txz:  Upgraded.  Fix Runas group password checking.  For more information, see the included CHANGES and NEWS files, and:    http://cve.mitre.org...e=CVE-2011-0010  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  pidgin (SSA:2011-055-01)New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/pidgin-2.7.10-i486-1_slack13.1.txz:  Upgraded.  Fixed potential information disclosure issue in libpurple.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  mozilla-firefox (SSA:2011-060-01)New mozilla-firefox packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.14-i686-1.txz:  Upgraded.  Firefox 3.6.14 is a regular security and stability update to Firefox 3.6.x.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  mozilla-firefox (SSA:2011-068-02)New mozilla-firefox packages are available for Slackware 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.15-i686-1.txz:  Upgraded.  Firefox 3.6.15 is a security and stability update to Firefox 3.6.x.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  seamonkey (SSA:2011-068-01)New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,and -current to fix security issues.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/seamonkey-2.0.12-i486-1_slack13.1.txz:  Upgraded.  This release fixes some more security vulnerabilities.  For more information, see:    http://www.mozilla.o...eamonkey20.html  (* Security fix *)patches/packages/seamonkey-solibs-2.0.12-i486-1_slack13.1.txz:  Upgraded.  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  subversion (SSA:2011-070-01)New subversion packages are available for Slackware 12.0, 12.1, 12.2, 13.0,13.1, and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/subversion-1.6.16-i486-1_slack13.1.txz:  Upgraded.  Fixed a remotely triggerable NULL-pointer dereference in mod_dav_svn.  For more information, see:    http://subversion.ap...15-advisory.txt    http://cve.mitre.org...e=CVE-2011-0715 (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  seamonkey (SSA:2011-086-01)New seamonkey packages are available for Slackware 12.2, 13.0, 13.1,and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/seamonkey-2.0.13-i486-1_slack13.1.txz:  Upgraded.  This release fixes a security vulnerability by blacklisting several  invalid HTTPS certificates.  For more information, see:    http://www.mozilla.o...fsa2011-11.html  (* Security fix *)patches/packages/seamonkey-solibs-2.0.13-i486-1_slack13.1.txz:  Upgraded.+--------------------------+=====[slackware-security]  mozilla-firefox (SSA:2011-086-02)New mozilla-firefox packages are available for Slackware 13.0 and 13.1to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/mozilla-firefox-3.6.16-i686-1.txz:  Upgraded.  This release fixes a security vulnerability by blacklisting several  invalid HTTPS certificates.  For more information, see:    http://www.mozilla.o...fsa2011-11.html  (* Security fix *)+--------------------------+=====[slackware-security]  shadow (SSA:2011-086-03)New shadow packages are available for Slackware 13.1 and -current tofix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/shadow-4.1.4.3-i486-1_slack13.1.txz:  Rebuilt.  This release fixes a security issue where local users may be able to add  themselves to NIS groups through chfn and chsh.  For more information, see:    http://cve.mitre.org...e=CVE-2011-0721  (* Security fix *)  Thanks to Gary Langshaw for collecting important additional patches from svn.+--------------------------+

[V.T. Eric Layton]

[slackware-security]  dhcp (SSA:2011-097-01)New dhcp packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, 11.0,12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.Here are the details from the Slackware 13.1 ChangeLog:+--------------------------+patches/packages/dhcp-4.1_ESV_R2-i486-1_slack13.1.txz:  Upgraded.  In dhclient, check the data for some string options for reasonableness  before passing it along to the script that interfaces with the OS.  This prevents some possible attacks by a hostile DHCP server.  For more information, see:    http://cve.mitre.org...e=CVE-2011-0997  (* Security fix *)+--------------------------+

[V.T. Eric Layton]

[slackware-security]  shadow (SSA:2011-101-01)New shadow packages are available for Slackware 13.1, and -current to fix asecurity issue.Here are the details from the Slackware  13.1 ChangeLog:+--------------------------+patches/packages/shadow-4.1.4.3-i486-2_slack13.1.txz:  Rebuilt.  Corrected a packaging error where incorrect permissions on /usr/sbin/lastlog  and /usr/sbin/faillog allow any user to set login failure limits on any  other user (including root), potentially leading to a denial of service.  Thanks to pyllyukko for discovering and reporting this vulnerability.  (* Security fix *)+--------------------------+