

NEW UPDATES Slackware

slackware updates bruno v.t. eric layton

156 replies to this topic

#51 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 18,224 posts

Posted 12 April 2011 - 12:08 AM

[slackware-security]  kdelibs (SSA:2011-101-02)

A new kdelibs package is available for Slackware 13.1 to fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/kdelibs-4.4.3-i486-2_slack13.1.txz:  Rebuilt.
  Patched CVE-2011-1168.
  For more information, see:
    http://www.kde.org/i...-20110411-1.txt
    http://cve.mitre.org...e=CVE-2011-1168
  (* Security fix *)
+--------------------------+

[slackware-security]  libtiff (SSA:2011-098-01)

New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2,
11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/libtiff-3.9.4-i486-2_slack13.1.txz:  Rebuilt.
  Patched overflows that could lead to arbitrary code execution when parsing
  a malformed image file.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-0192
    http://cve.mitre.org...e=CVE-2011-1167
  (* Security fix *)
+--------------------------+

[slackware-security]  xrdb (SSA:2011-096-01)

New xrdb packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
and -current to fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/xrdb-1.0.9-i486-1_slack13.1.txz:  Upgraded.
  This fixes a security issue where improperly sanitized input could lead to
  privilege escalation or arbitrary command execution as root.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-0465
  (* Security fix *)
+--------------------------+

#52 OFFLINE   V.T. Eric Layton

Posted 19 April 2011 - 12:13 PM

[slackware-security]  acl (SSA:2011-108-01)

New acl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, and -current to fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/acl-2.2.50-i486-1_slack13.1.txz:  Upgraded.
  Fix the --physical option in setfacl and getfacl to prevent symlink attacks.
  Thanks to Martijn Dekker for the notification.
  For more information, see:
    http://cve.mitre.org...e=CVE-2009-4411
  (* Security fix *)
+--------------------------+

#53 OFFLINE   V.T. Eric Layton

Posted 20 April 2011 - 10:45 AM

[slackware-security]  polkit (SSA:2011-109-01)

New polkit packages are available for Slackware 13.1 and -current to
fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/polkit-1_14bdfd8-i486-2_slack13.1.txz:  Rebuilt.
  Patched to fix a race condition that could allow a local user to execute
  arbitrary code as root.
  Thanks to Neel Mehta of Google.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-1485
  (* Security fix *)
+--------------------------+

#54 OFFLINE   V.T. Eric Layton

Posted 22 April 2011 - 11:09 AM

[slackware-security]  rdesktop (SSA:2011-110-01)

New rdesktop packages are available for Slackware 11.0, 12.0, 12.1, 12.2,
13.0, 13.1, and -current to fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/rdesktop-1.6.0-i486-2_slack13.1.txz:  Rebuilt.
  Patched a traversal vulnerability (disallow /.. requests).
    http://cve.mitre.org...e=CVE-2011-1595
  (* Security fix *)
+--------------------------+

#55 OFFLINE   V.T. Eric Layton

Posted 28 April 2011 - 01:19 PM

Patrick J. Volkerding said:

Yes, it's that time again!  After many months of development and careful testing, we are proud to announce the release of Slackware version 13.37!

We are sure you'll enjoy the many improvements.  We've done our best to bring the latest technology to Slackware while still maintaining the stability and security that you have come to expect.  Slackware is well known for its simplicity and the fact that we try to bring software to you in the condition that the authors intended.

Slackware 13.37 brings many updates and enhancements...
http://slackware.com...ounce/13.37.php

#56 OFFLINE   V.T. Eric Layton

Posted 03 May 2011 - 05:11 PM

[slackware-security]  mozilla-firefox (SSA:2011-122-01)

New mozilla-firefox packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-4.0.1-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../firefox36.html
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-thunderbird (SSA:2011-122-02)

New mozilla-thunderbird packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-3.1.10-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...nderbird30.html
  (* Security fix *)
+--------------------------+

[slackware-security]  seamonkey (SSA:2011-122-03)

New seamonkey packages are available for Slackware 12.2, 13.0, and 13.1 to
fix security issues.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.0.14-i486-1_slack13.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...eamonkey20.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.0.14-i486-1_slack13.1.txz:  Upgraded.
  (* Security fix *)
+--------------------------+

#57 OFFLINE   V.T. Eric Layton

Posted 14 May 2011 - 01:37 PM

[slackware-security]  apr/apr-util (SSA:2011-133-01)

New apr and apr-util packages are available for Slackware 11.0, 12.0, 12.1,
12.2, 13.0, 13.1, 13.37, and -current to fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/apr-1.4.4-i486-1_slack13.37.txz:  Upgraded.
  This fixes a possible denial of service due to an unconstrained, recursive
  invocation of apr_fnmatch().  This function has been reimplemented using a
  non-recursive algorithm.  Thanks to William Rowe.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-0419
  (* Security fix *)
patches/packages/apr-util-1.3.11-i486-1_slack13.37.txz:  Upgraded.
+--------------------------+

[slackware-security]  httpd (SSA:2011-133-02)

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current.  These have been compiled against the new versions of
apr and apr-util, which were upgraded to fix a security issue that affects
Apache httpd.  It is recommended that all three updates be applied.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.18-i486-1_slack13.37.txz:  Upgraded.
  This is a bug fix release, but since the upgrades to apr/apr-util require at
  least an httpd recompile we opted to upgrade to the newest httpd.
+--------------------------+

#58 OFFLINE   V.T. Eric Layton

Posted 26 May 2011 - 02:12 PM

[slackware-security]  apr/apr-util (SSA:2011-145-01)

New apr and apr-util packages are available for Slackware 11.0, 12.0, 12.1,
12.2, 13.0, 13.1, 13.37, and -current to fix a security issue in apr and
a crash bug in apr-util.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/apr-1.4.5-i486-1_slack13.37.txz:  Upgraded.
  This fixes a possible denial of service due to a problem with a loop in
  the new apr_fnmatch() implementation consuming CPU.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-1928
  (* Security fix *)
patches/packages/apr-util-1.3.12-i486-1_slack13.37.txz:  Upgraded.
  Fix crash because of NULL cleanup registered by apr_ldap_rebind_init().
+--------------------------+

[slackware-security]  httpd (SSA:2011-145-02)

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix accidental ABI breakage caused by httpd-2.2.18.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.19-i486-1_slack13.37.txz:  Upgraded.
  Revert ABI breakage in 2.2.18 caused by the function signature change
  of ap_unescape_url_keep2f().  This release restores the signature from
  2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
  Apache httpd-2.2.18 is considered abandoned.  All users must upgrade.
+--------------------------+

#59 OFFLINE   V.T. Eric Layton

Posted 21 June 2011 - 12:17 PM

[slackware-security]  fetchmail (SSA:2011-171-01)

New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current
to fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/fetchmail-6.3.20-i486-1_slack13.37.txz:  Upgraded.
  This release fixes a denial of service in STARTTLS protocol phases.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-1947
    http://www.fetchmail...-SA-2011-01.txt
  (* Security fix *)
+--------------------------+

#60 OFFLINE   V.T. Eric Layton

Posted 24 June 2011 - 01:48 PM

[slackware-security]  mozilla-firefox (SSA:2011-174-01)

New mozilla-firefox packages are available for Slackware 13.0, 13.1,
13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-5.0-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...es/firefox.html
  (* Security fix *)
+--------------------------+

#61 OFFLINE   V.T. Eric Layton

Posted 28 June 2011 - 12:41 PM

[slackware-security]  pidgin (SSA:2011-178-01)

New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37,
and -current to fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.9.0-i486-1_slack13.37.txz:  Upgraded.
  Fixed a remote denial of service.  A remote attacker could set a specially
  crafted GIF file as their buddy icon causing vulnerable versions of pidgin
  to crash due to excessive memory use.
  For more information, see:
    http://pidgin.im/news/security/?id=52
    http://cve.mitre.org...e=CVE-2011-2485
  (* Security fix *)
+--------------------------+

#62 OFFLINE   V.T. Eric Layton

Posted 08 July 2011 - 06:08 PM

[slackware-security]  bind (SSA:2011-189-01)

New bind packages are available for Slackware 13.37, and -current to
fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/bind-9.7.3_P3-i486-1_slack13.37.txz:  Upgraded.
  A specially constructed packet will cause BIND 9 ("named") to exit,
  affecting DNS service.  The issue exists in BIND 9.6.3 and newer.
   "Change #2912 (see CHANGES) exposed a latent bug in the DNS message
    processing code that could allow certain UPDATE requests to crash
    named. This was fixed by disambiguating internal database
    representation vs DNS wire format data. [RT #24777] [CVE-2011-2464]"
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-2464
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-thunderbird (SSA:2011-189-02)

New mozilla-thunderbird packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-3.1.11-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...nderbird30.html
  (* Security fix *)
+--------------------------+

#63 OFFLINE   V.T. Eric Layton

Posted 15 July 2011 - 11:35 AM

[slackware-security]  mozilla-firefox (SSA:2011-195-02)

New mozilla-firefox packages are available for Slackware 13.0 and 13.1 to
fix security issues.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-3.6.19-i686-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../firefox36.html
  (* Security fix *)
+--------------------------+

[slackware-security]  seamonkey (SSA:2011-195-01)

New seamonkey packages are available for Slackware 13.37, and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.2-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...urity/announce/
  (* Security fix *)
patches/packages/seamonkey-solibs-2.2-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...urity/announce/
  (* Security fix *)
+--------------------------+

#64 OFFLINE   V.T. Eric Layton

Posted 29 July 2011 - 10:04 PM

[slackware-security]  libpng (SSA:2011-210-01)

New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current
to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/libpng-1.4.8-i486-1_slack13.37.txz:  Upgraded.
  Fixed uninitialized memory read in png_format_buffer()
  (Bug report by Frank Busse, related to CVE-2004-0421).
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-0421
  (* Security fix *)
+--------------------------+

[slackware-security]  dhcpcd (SSA:2011-210-02)

New dhcpcd packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/dhcpcd-5.2.12-i486-1_slack13.37.txz:  Upgraded.
  Sanitize the host name provided by the DHCP server to insure that it does
  not contain any shell metacharacters.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-0996
  (* Security fix *)
+--------------------------+

[slackware-security]  samba (SSA:2011-210-03)

New samba packages are available for Slackware 13.1, 13.37, and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/samba-3.5.10-i486-1_slack13.37.txz:  Upgraded.
  Fixed cross-site request forgery and cross-site scripting vulnerability
  in SWAT (the Samba Web Administration Tool).
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-2522
    http://cve.mitre.org...e=CVE-2011-2694
  (* Security fix *)
+--------------------------+

#65 OFFLINE   V.T. Eric Layton

Posted 12 August 2011 - 10:23 PM

[slackware-security]  bind (SSA:2011-224-01)

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,
11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/bind-9.7.4-i486-1_slack13.37.txz:  Upgraded.
  This BIND update addresses a couple of security issues:
  * named, set up to be a caching resolver, is vulnerable to a user
    querying a domain with very large resource record sets (RRSets)
    when trying to negatively cache the response. Due to an off-by-one
    error, caching the response could cause named to crash. [RT #24650]
    [CVE-2011-1910]
  * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
    processing code that could allow certain UPDATE requests to crash
    named. [RT #24777] [CVE-2011-2464]
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-1910
    http://cve.mitre.org...e=CVE-2011-2464
  (* Security fix *)
+--------------------------+

#66 OFFLINE   V.T. Eric Layton

Posted 06 September 2011 - 10:44 PM

[slackware-security]  mozilla-firefox (SSA:2011-249-01)

New mozilla-firefox packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-6.0.2-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../firefox36.html
    http://www.mozilla.o...es/firefox.html
    http://www.mozilla.o...fsa2011-34.html
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-thunderbird (SSA:2011-249-02)

New mozilla-thunderbird packages are available for Slackware 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-3.1.13-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...nderbird31.html
    http://www.mozilla.o...fsa2011-34.html
  (* Security fix *)
+--------------------------+

[slackware-security]  seamonkey (SSA:2011-249-03)

New seamonkey packages are available for Slackware 13.37 and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.3.3-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...urity/announce/
    http://www.mozilla.o...fsa2011-34.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.3.3-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...urity/announce/
    http://www.mozilla.o...fsa2011-34.html
  (* Security fix *)
+--------------------------+

#67 OFFLINE   V.T. Eric Layton

Posted 09 September 2011 - 04:24 PM

[slackware-security]  httpd (SSA:2011-252-01)

Not long ago, httpd package updates were issued to clamp down on a denial of
service bug that's seen some action in the wild.  New packages are available
for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.20-i486-1_slack13.37.txz:  Upgraded.
  SECURITY: CVE-2011-3192 (cve.mitre.org)
  core: Fix handling of byte-range requests to use less memory, to avoid
  denial of service. If the sum of all ranges in a request is larger than
  the original file, ignore the ranges and send the complete file.
  PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-3192
  (* Security fix *)
+--------------------------+

#68 OFFLINE   V.T. Eric Layton

Posted 14 October 2011 - 10:48 PM

[slackware-security]  httpd (SSA:2011-284-01)

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/httpd-2.2.21-i486-1_slack13.37.txz:  Upgraded.
  Respond with HTTP_NOT_IMPLEMENTED when the method is not
  recognized.  [Jean-Frederic Clere]
  SECURITY: CVE-2011-3348
  Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
  PR 51748. [<lowprio20 gmail.com>]
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-3348
  (* Security fix *)
+--------------------------+

#69 OFFLINE   V.T. Eric Layton

Posted 10 February 2012 - 05:34 PM

[slackware-security]  httpd (SSA:2012-041-01)

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix security issues.  The apr-util package has also been
updated to the latest version.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/apr-util-1.4.1-i486-1_slack13.37.txz:  Upgraded.
  Version bump for httpd upgrade.
patches/packages/httpd-2.2.22-i486-1_slack13.37.txz:  Upgraded.
  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]
  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]
  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17. PR 52256.
     [Rainer Canavan <rainer-apache 7val com>]
  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     to cause the parent to crash at shutdown rather than terminate
     cleanly.  [Joe Orton]
  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
  (* Security fix *)
+--------------------------+

[slackware-security]  php (SSA:2012-041-02)

New php packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/php-5.3.10-i486-1_slack13.37.txz:  Upgraded.
  Fixed arbitrary remote code execution vulnerability reported by Stefan
  Esser, CVE-2012-0830. (Stas, Dmitry)
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
  (* Security fix *)
+--------------------------+

[slackware-security]  glibc (SSA:2012-041-03)

New glibc packages are available for Slackware 13.1, 13.37, and -current to
fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/glibc-2.13-i486-5_slack13.37.txz:  Rebuilt.
  Patched an overflow in tzfile.  This was evidently first reported in
  2009, but is only now getting around to being patched.  To exploit it,
  one must be able to write beneath /usr/share/zoneinfo, which is usually
  not possible for a normal user, but may be in the case where they are
  chroot()ed to a directory that they own.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
  (* Security fix *)
patches/packages/glibc-i18n-2.13-i486-5_slack13.37.txz:  Rebuilt.
patches/packages/glibc-profile-2.13-i486-5_slack13.37.txz:  Rebuilt.
  (* Security fix *)
patches/packages/glibc-solibs-2.13-i486-5_slack13.37.txz:  Rebuilt.
  (* Security fix *)
patches/packages/glibc-zoneinfo-2.13-noarch-5_slack13.37.txz:  Rebuilt.
+--------------------------+

[slackware-security]  proftpd (SSA:2012-041-04)

New proftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, 13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/proftpd-1.3.4a-i486-1_slack13.37.txz:  Upgraded.
  This update fixes a use-after-free() memory corruption error,
  and possibly other unspecified issues.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
  (* Security fix *)
+--------------------------+

[slackware-security]  vsftpd (SSA:2012-041-05)

New vsftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, 13.37, and -current to work around a vulnerability in glibc.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/vsftpd-2.3.5-i486-1_slack13.37.txz:  Upgraded.
  Minor version bump, this also works around a hard to trigger heap overflow
  in glibc (glibc zoneinfo caching vuln).  For there to be any possibility
  to trigger the glibc bug within vsftpd, the non-default option
  "chroot_local_user" must be set in /etc/vsftpd.conf.
  Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug
    Nevertheless:
  (* Security fix *)
+--------------------------+

#70 OFFLINE   V.T. Eric Layton

Posted 15 June 2012 - 04:39 PM

[slackware-security]  seamonkey (SSA:2012-166-04)

New seamonkey packages are available for Slackware 13.37, and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../seamonkey.html
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-thunderbird (SSA:2012-166-03)

New mozilla-thunderbird packages are available for Slackware 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...hunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-firefox (SSA:2012-166-02)

New mozilla-firefox packages are available for Slackware 13.37, and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...es/firefox.html
  (* Security fix *)
+--------------------------+


[slackware-security]  bind (SSA:2012-166-01)

New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,
11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
  This release fixes an issue that could crash BIND, leading to a denial of
  service.  It also fixes the so-called "ghost names attack" whereby a
  remote attacker may trigger continued resolvability of revoked domain names.
  For more information, see:
    http://cve.mitre.org...e=CVE-2012-1033
    http://cve.mitre.org...e=CVE-2012-1667
  (* Security fix *)
+--------------------------+

#71 OFFLINE   V.T. Eric Layton

Posted 14 July 2012 - 08:29 PM

[slackware-security]  php (SSA:2012-195-01)

New php packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/php-5.3.14-i486-1_slack13.37.txz:  Upgraded.
  This release fixes a weakness in the DES implementation of crypt
  and a heap overflow issue in the phar extension.
  (* Security fix *)
+--------------------------+
[slackware-security]  pidgin (SSA:2012-195-02)

New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.10.6-i486-1_slack13.37.txz:  Upgraded.
  Fixes a security issue for users of MXit:  Incorrect handling of inline
  images in incoming instant messages can cause a buffer overflow and in
  some cases can be exploited to execute arbitrary code.
  For more information, see:
    http://cve.mitre.org...e=CVE-2012-3374
  (* Security fix *)
+--------------------------+

#72 OFFLINE   V.T. Eric Layton

Posted 18 July 2012 - 07:47 PM

[slackware-security]  libexif (SSA:2012-200-01)

New libexif packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0,
13.1, 13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/libexif-0.6.21-i486-1_slack13.37.txz:  Upgraded.
  This update fixes a number of remotely exploitable issues in libexif
   with effects ranging from information leakage to potential remote
   code execution.
  For more information, see:
    http://sourceforge.n...msg_id=29534027
    http://cve.mitre.org...e=CVE-2012-2812
    http://cve.mitre.org...e=CVE-2012-2813
    http://cve.mitre.org...e=CVE-2012-2814
    http://cve.mitre.org...e=CVE-2012-2836
    http://cve.mitre.org...e=CVE-2012-2837
    http://cve.mitre.org...e=CVE-2012-2840
    http://cve.mitre.org...e=CVE-2012-2841
    http://cve.mitre.org...e=CVE-2012-2845
  (* Security fix *)
+--------------------------+


[slackware-security]  mozilla-firefox (SSA:2012-200-02)

New mozilla-firefox packages are available for Slackware 13.37 and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-14.0.1-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...es/firefox.html
  (* Security fix *)
+--------------------------+



[slackware-security]  seamonkey (SSA:2012-200-04)

New seamonkey packages are available for Slackware 13.37 and -current to
fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.11-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.11-i486-1_slack13.37.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o.../seamonkey.html
  (* Security fix *)
+--------------------------+

[slackware-security]  mozilla-thunderbird (SSA:2012-200-03)

New mozilla-thunderbird packages are available for Slackware 13.37 and -current
to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-14.0-i486-1_slack13.37.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.o...hunderbird.html
  (* Security fix *)
+--------------------------+



#73 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 18,224 posts

Posted 25 July 2012 - 01:15 PM

[slackware-security]  libpng (SSA:2012-206-01)

New libpng packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix
security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/libpng-1.4.12-i486-1_slack13.37.txz:  Upgraded.
  Fixed incorrect type (int copy should be png_size_t copy) in png_inflate()
  (fixes CVE-2011-3045).
  Revised png_set_text_2() to avoid potential memory corruption (fixes
    CVE-2011-3048).
  Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
  For more information, see:
    http://cve.mitre.org...e=CVE-2011-3045
    http://cve.mitre.org...e=CVE-2011-3048
    http://cve.mitre.org...e=CVE-2012-3386
  (* Security fix *)
+--------------------------+



#74 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 18,224 posts

Posted 27 July 2012 - 05:52 PM

[slackware-security]  bind (SSA:2012-209-01)

New bind packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
13.37, and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/bind-9.7.6_P2-i486-1_slack13.37.txz:  Upgraded.
  Prevents a named assert (crash) when validating caused by using
  "Bad cache" data before it has been initialized.  [RT #30025]
  ISC_QUEUE handling for recursive clients was updated to address a
  race condition that could cause a memory leak.  This rarely occurred
  with UDP clients, but could be a significant problem for a server
  handling a steady rate of TCP queries.  [RT #29539 & #30233]
  Under heavy incoming TCP query loads named could experience a
  memory leak which could lead to significant reductions in query
  response or cause the server to be terminated on systems with
  "out of memory" killers. [RT #29539]
  A condition has been corrected where improper handling of zero-length
  RDATA could cause undesirable behavior, including termination of
  the named process.  [RT #29644]
  (* Security fix *)
+--------------------------+



#75 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 18,224 posts

Posted 16 August 2012 - 01:36 PM

[slackware-security]  t1lib (SSA:2012-228-01)

New t1lib packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
and -current to fix security issues.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/t1lib-5.1.2-i486-3_slack13.37.txz:  Rebuilt.
  Patched various overflows, crashes, and pointer bugs.
  For more information, see:
    http://cve.mitre.org...e=CVE-2010-2642
    http://cve.mitre.org...e=CVE-2011-0764
    http://cve.mitre.org...e=CVE-2011-1552
    http://cve.mitre.org...e=CVE-2011-1553
    http://cve.mitre.org...e=CVE-2011-1554
  (* Security fix *)
+--------------------------+

[slackware-security]  emacs (SSA:2012-228-02)

New emacs packages are available for Slackware 13.1, 13.37, and -current to
fix a security issue.


Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/emacs-23.3-i486-2_slack13.37.txz:  Rebuilt.
  Patched to fix a security flaw in the file-local variables code.
  When the Emacs user option `enable-local-variables' is set to `:safe'
  (the default value is t), Emacs should automatically refuse to evaluate
  `eval' forms in file-local variable sections.  Due to the bug, Emacs
  instead automatically evaluates such `eval' forms.  Thus, if the user
  changes the value of `enable-local-variables' to `:safe', visiting a
  malicious file can cause automatic execution of arbitrary Emacs Lisp
  code with the permissions of the user.  Bug discovered by Paul Ling.
  For more information, see:
    http://cve.mitre.org...e=CVE-2012-3479
  (* Security fix *)
+--------------------------+
