Slackware Updates and Other News


Bruno

V.T. Eric Layton

[slackware-security] openssl (SSA:2013-040-01)

 

New openssl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz: Upgraded.

Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

This addresses the flaw in CBC record processing discovered by

Nadhem Alfardan and Kenny Paterson. Details of this attack can be found

at: http://www.isg.rhul.ac.uk/tls/

Thanks go to Nadhem Alfardan and Kenny Paterson of the Information

Security Group at Royal Holloway, University of London

(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and

Emilia Käsper for the initial patch.

(CVE-2013-0169)

[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode

ciphersuites which can be exploited in a denial of service attack.

Thanks go to and to Adam Langley for discovering

and detecting this bug and to Wolfgang Ettlinger

for independently discovering this issue.

(CVE-2012-2686)

[Adam Langley]

Return an error when checking OCSP signatures when key is NULL.

This fixes a DoS attack. (CVE-2013-0166)

[Steve Henson]

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169

(* Security fix *)

patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz: Upgraded.

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] openssl (SSA:2013-042-01)

 

New openssl packages are available for Slackware 14.0, and -current to

fix a bug in openssl-1.0.1d.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/openssl-1.0.1e-i486-1_slack14.0.txz: Upgraded.

This release fixes a regression in openssl-1.0.1d, where the fix for

CVE-2013-0169 caused data corruption on CPUs with AES-NI support.

patches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz: Upgraded.

+--------------------------+


V.T. Eric Layton

[slackware-security] pidgin (SSA:2013-044-01)

 

New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/pidgin-2.10.7-i486-1_slack14.0.txz: Upgraded.

This update fixes several security issues:

Remote MXit user could specify local file path.

MXit buffer overflow reading data from network.

Sametime crash with long user IDs.

Crash when receiving a UPnP response with abnormally long values.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-firefox (SSA:2013-050-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-19.0-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefox.html

(* Security fix *)

+--------------------------+

 

 

[slackware-security] mozilla-thunderbird (SSA:2013-050-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.3-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] seamonkey (SSA:2013-056-01)

 

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to

fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/seamonkey-2.16-i486-1_slack14.0.txz: Upgraded.

This update contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html

(* Security fix *)

patches/packages/seamonkey-solibs-2.16-i486-1_slack14.0.txz: Upgraded.

+--------------------------+


V.T. Eric Layton

[slackware-security] httpd (SSA:2013-062-01)

 

New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/httpd-2.4.4-i486-1_slack14.0.txz: Upgraded.

This update provides bugfixes and enhancements.

Two security issues are fixed:

* Various XSS flaws due to unescaped hostnames and URIs HTML output in

mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

[Jim Jagielski, Stefan Fritsch, Niels Heinen]

* XSS in mod_proxy_balancer manager interface. [Jim Jagielski,

Niels Heinen]

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] sudo (SSA:2013-065-01)

 

New sudo packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/sudo-1.8.6p7-i486-1_slack14.0.txz: Upgraded.

This update fixes security issues that could allow a user to run commands

without authenticating after the password timeout has already expired.

Note that the vulnerability did not permit a user to run commands other

than those allowed by the sudoers policy.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-thunderbird (SSA:2013-068-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+

 

=====

 

[slackware-security] mozilla-firefox (SSA:2013-068-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-19.0.2-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefox.html

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] seamonkey (SSA:2013-072-02)

 

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to

fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/seamonkey-2.16.1-i486-1_slack14.0.txz: Upgraded.

This update contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html

(* Security fix *)

patches/packages/seamonkey-solibs-2.16.1-i486-1_slack14.0.txz: Upgraded.

+--------------------------+

 

 

[slackware-security] perl (SSA:2013-072-01)

 

New perl packages are available for Slackware 13.1, 13.37, 14.0, and -current

to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/perl-5.16.3-i486-1_slack14.0.txz: Upgraded.

This update fixes a flaw in the rehashing code that can be exploited

to carry out a denial of service attack against code that uses arbitrary

user input as hash keys.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] ruby (SSA:2013-075-01)

 

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current

to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/ruby-1.9.3_p392-i486-1_slack14.0.txz: Upgraded.

This release includes security fixes about bundled JSON and REXML.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821

(* Security fix *)

+--------------------------+

 


V.T. Eric Layton

[slackware-security] php (SSA:2013-081-01)

 

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/php-5.4.13-i486-1_slack14.0.txz: Upgraded.

This release fixes two security issues in SOAP:

Added check that soap.wsdl_cache_dir conforms to open_basedir.

Disabled external entities loading.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] bind (SSA:2013-086-01)

 

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/bind-9.9.2_P2-i486-1_slack14.0.txz: Upgraded.

This update fixes a critical defect in BIND 9 that allows an attacker

to cause excessive memory consumption in named or other programs linked

to libdns.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266

https://kb.isc.org/article/AA-00871

(* Security fix *)

+--------------------------+

 

[slackware-security] dhcp (SSA:2013-086-02)

 

New dhcp packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/dhcp-4.2.5_P1-i486-1_slack14.0.txz: Upgraded.

This update replaces the included BIND 9 code that the DHCP programs

link against. Those contained a defect that could possibly lead to

excessive memory consumption and a denial of service.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] libssh (SSA:2013-087-01)

 

New libssh packages are available for Slackware 14.0, and -current to

fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/libssh-0.5.4-i486-1_slack14.0.txz: Upgraded.

This update fixes a possible denial of service issue.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0176

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-firefox (SSA:2013-093-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-20.0-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefox.html

(* Security fix *)

+--------------------------+

 

 

 

[slackware-security] mozilla-thunderbird (SSA:2013-093-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.5-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] subversion (SSA:2013-095-01)

 

New subversion packages are available for Slackware 13.0, 13.1, 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/subversion-1.7.9-i486-1_slack14.0.txz: Upgraded.

This update fixes some denial of service bugs:

mod_dav_svn excessive memory usage from property changes

mod_dav_svn crashes on LOCK requests against activity URLs

mod_dav_svn crashes on LOCK requests against non-existent URLs

mod_dav_svn crashes on PROPFIND requests against activity URLs

mod_dav_svn crashes on out of range limit in log REPORT request

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] seamonkey (SSA:2013-097-01)

 

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to

fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/seamonkey-2.17-i486-1_slack14.0.txz: Upgraded.

This update contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html

(* Security fix *)

patches/packages/seamonkey-solibs-2.17-i486-1_slack14.0.txz: Upgraded.

+--------------------------+

V.T. Eric Layton

[slackware-security] xorg-server (SSA:2013-109-01)

 

New xorg-server packages are available for Slackware 13.37, 14.0, and -current

to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/xorg-server-1.12.4-i486-1_slack14.0.txz: Upgraded.

This update fixes an input flush bug with evdev. Under exceptional

conditions (keyboard input during device hotplugging), this could leak

a small amount of information intended for the X server.

This issue was evaluated to be of low impact.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940

http://lists.x.org/archives/xorg-devel/2013-April/036014.html

(* Security fix *)

patches/packages/xorg-server-xephyr-1.12.4-i486-1_slack14.0.txz: Upgraded.

patches/packages/xorg-server-xnest-1.12.4-i486-1_slack14.0.txz: Upgraded.

patches/packages/xorg-server-xvfb-1.12.4-i486-1_slack14.0.txz: Upgraded.

+--------------------------+

V.T. Eric Layton

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.6-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+

 

[slackware-security] mozilla-firefox (SSA:2013-135-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-21.0-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefox.html

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

 

New mozilla-thunderbird packages are available for Slackware64 13.37 and

14.0. These were accidentally omitted from the last upload.

 

 

Here are the details from the Slackware64 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.6-x86_64-1_slack14.0.txz: Upgraded.

Here's the package that was missing from the last batch. The wrong entry in

the ChangeLog was removed to prevent slackpkg from having trouble with it.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] kernel (SSA:2013-140-01)

 

New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix

a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/linux-3.2.45/*: Upgraded.

Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local

users to gain a root shell. Be sure to upgrade your initrd and reinstall

LILO after upgrading the kernel packages.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094

(* Security fix *)

+--------------------------+

V.T. Eric Layton

[slackware-security] php (SSA:2013-161-01)

 

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/php-5.4.16-i486-1_slack14.0.txz: Upgraded.

This is a bugfix release. It also fixes a security issue -- a heap-based

overflow in the quoted_printable_encode() function, which could be used by

a remote attacker to crash PHP or execute code as the 'apache' user.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110

(* Security fix *)

+--------------------------+

V.T. Eric Layton

[slackware-security] curl (SSA:2013-174-01)

 

New curl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/curl-7.29.0-i486-3_slack14.0.txz: Rebuilt.

This fixes a minor security issue where a decode buffer boundary flaw in

libcurl could lead to heap corruption.

For more information, see:

http://curl.haxx.se/docs/adv_20130622.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] ruby (SSA:2013-178-01)

 

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current

to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/ruby-1.9.3_p448-i486-1_slack14.0.txz: Upgraded.

This update patches a vulnerability in Ruby's SSL client that could allow

man-in-the-middle attackers to spoof SSL servers via a valid certificate

issued by a trusted certification authority.

For more information, see:

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-firefox (SSA:2013-180-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-17.0.7esr-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

(* Security fix *)

We had to switch to ESR here as well, as there's a problem running Firefox

22.0 on Slackware 14.0 under KDE (crash when oxygen-gtk2 is installed).

Forcing people to uninstall oxygen-gtk2 isn't really an option for a

security fix, and upgrading to the latest oxygen-gtk2 did not help.

It's possible that future Firefox/Thunderbird security updates will always

come from the ESR branch.

+--------------------------+

 

 

[slackware-security] mozilla-thunderbird (SSA:2013-180-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.7-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+

V.T. Eric Layton

[slackware-security] dbus (SSA:2013-191-01)

 

New dbus packages are available for Slackware 14.0, and -current to fix a

security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/dbus-1.4.20-i486-4_slack14.0.txz: Rebuilt.

This update fixes a security issue where misuse of va_list could be used to

cause a denial of service for system services.

Vulnerability reported by Alexandru Cornea.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] php (SSA:2013-197-01)

 

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/php-5.4.17-i486-1_slack14.0.txz: Upgraded.

This update fixes an issue where XML in PHP does not properly consider

parsing depth, which allows remote attackers to cause a denial of service

(heap memory corruption) or possibly have unspecified other impact via a

crafted document that is processed by the xml_parse_into_struct function.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113

(* Security fix *)

+--------------------------+

V.T. Eric Layton

[slackware-security] gnupg / libgcrypt (SSA:2013-215-01)

 

New gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0,

13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error

packages are also available for Slackware 13.1 and older as the supplied

version wasn't new enough to compile the fixed version of libgcrypt.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/gnupg-1.4.14-i486-1_slack14.0.txz: Upgraded.

Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA

secret keys.

For more information, see:

http://eprint.iacr.org/2013/448

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242

(* Security fix *)

patches/packages/libgcrypt-1.5.3-i486-1_slack14.0.txz: Upgraded.

Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA

secret keys.

For more information, see:

http://eprint.iacr.org/2013/448

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] bind (SSA:2013-218-01)

 

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/bind-9.9.3_P2-i486-1_slack14.0.txz: Upgraded.

This update fixes a security issue where a specially crafted query can cause

BIND to terminate abnormally, resulting in a denial of service.

For more information, see:

https://kb.isc.org/article/AA-01015

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854

(* Security fix *)

+--------------------------+

 

 

[slackware-security] httpd (SSA:2013-218-02)

 

New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/httpd-2.4.6-i486-1_slack14.0.txz: Upgraded.

This update addresses two security issues:

* SECURITY: CVE-2013-1896 (cve.mitre.org) Sending a MERGE request against

a URI handled by mod_dav_svn with the source href (sent as part of the

request body as XML) pointing to a URI that is not configured for DAV

will trigger a segfault.

* SECURITY: CVE-2013-2249 (cve.mitre.org) mod_session_dbd: Make sure that

dirty flag is respected when saving sessions, and ensure the session ID

is changed each time the session changes. This changes the format of the

updatesession SQL statement. Existing configurations must be changed.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249

(* Security fix *)

+--------------------------+

 

[slackware-security] samba (SSA:2013-218-03)

 

New samba packages are available for Slackware 13.1, 13.37, 14.0, and -current

to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/samba-3.6.17-i486-1_slack14.0.txz: Upgraded.

This update fixes missing integer wrap protection in an EA list reading

that can allow authenticated or guest connections to cause the server to

loop, resulting in a denial of service.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124

(* Security fix *)

+--------------------------+


V.T. Eric Layton

[slackware-security] mozilla-firefox (SSA:2013-219-01)

 

New mozilla-firefox packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-firefox-17.0.8esr-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

(* Security fix *)

+--------------------------+

 

 

[slackware-security] mozilla-thunderbird (SSA:2013-219-02)

 

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0,

and -current to fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-17.0.8-i486-1_slack14.0.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

(* Security fix *)

+--------------------------+

 

 

 

[slackware-security] seamonkey (SSA:2013-219-03)

 

New seamonkey packages are available for Slackware 14.0, and -current to

fix security issues.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/seamonkey-2.20-i486-1_slack14.0.txz: Upgraded.

This update contains security fixes and improvements.

For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html

(* Security fix *)

patches/packages/seamonkey-solibs-2.20-i486-1_slack14.0.txz: Upgraded.

+--------------------------+

V.T. Eric Layton

[slackware-security] hplip (SSA:2013-233-01)

 

New hplip packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/hplip-3.12.9-i486-2_slack14.0.txz: Rebuilt.

This update fixes a stack-based buffer overflow in the hpmud_get_pml

function that can allow remote attackers to cause a denial of service

(crash) and possibly execute arbitrary code via a crafted SNMP response

with a large length value.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267

(* Security fix *)

+--------------------------+

 

 

[slackware-security] xpdf (SSA:2013-233-02)

 

New xpdf packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,

14.0, and -current to fix a security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/xpdf-3.03-i486-1_slack14.0.txz: Upgraded.

Sanitize error messages to remove escape sequences that could be used to

exploit vulnerable terminal emulators.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142

Thanks to mancha.

(* Security fix *)

+--------------------------+

 

 

[slackware-security] poppler (SSA:2013-233-03)

 

New poppler packages are available for Slackware 14.0, and -current to fix a

security issue.

 

 

Here are the details from the Slackware 14.0 ChangeLog:

+--------------------------+

patches/packages/poppler-0.20.2-i486-2_slack14.0.txz: Rebuilt.

Sanitize error messages to remove escape sequences that could be used to

exploit vulnerable terminal emulators.

For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142

(* Security fix *)

+--------------------------+

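As an added example (not Slackware's own tooling, and not code from any post in this thread): a Python check that reads the "patches/packages/...txz: Upgraded." lines quoted in every advisory above and reports which of those packages an installed system still carries at an older version, or at the same version with a lower build number (the "Rebuilt" case). The advisory excerpt and the /var/log/packages listing inside it are constructed samples; the version-ordering rule (digit runs numeric, letter runs alphabetical) is an assumption chosen to match the version strings seen in this thread.

```python
"""Compare a [slackware-security] advisory against installed Slackware packages.

Added example, not Slackware's own tooling. It parses the
'patches/packages/<name>-<version>-<arch>-<build>_slack14.0.txz: Upgraded.'
lines quoted in this thread and checks each package against the entry names
in /var/log/packages, which use the same name-version-arch-build layout.
"""
import os
import re

# The name may contain dashes (mozilla-firefox, xorg-server-xephyr) but
# version, arch and build may not, so the trailing fields anchor from the right.
PKG_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<arch>[^-]+)-(?P<build>\d+)(?P<tag>_[^-]*)?$"
)
ADVISORY_LINE_RE = re.compile(
    r"^patches/packages/(?P<pkg>[^/:\s]+)\.t[gxb]z:\s*(?:Upgraded|Rebuilt)\."
)


def parse_pkg(entry):
    """Split 'openssl-1.0.1d-i486-1_slack14.0' into (name, version, arch, build)."""
    m = PKG_RE.match(entry)
    if not m:
        return None
    return (m["name"], m["version"], m["arch"], int(m["build"]))


def version_key(version):
    """Tokenise a version for ordering: digit runs compare numerically, letter
    runs alphabetically, so 1.0.1d < 1.0.1e, 1.9.3_p392 < 1.9.3_p448 and
    9.9.2_P2 < 9.9.3_P2 (assumed rule; matches the versions in this thread)."""
    return [(0, int(t)) if t.isdigit() else (1, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def parse_advisory(text):
    """Return the (name, version, arch, build) tuples an advisory names."""
    found = []
    for line in text.splitlines():
        m = ADVISORY_LINE_RE.match(line.strip())
        if m and (pkg := parse_pkg(m["pkg"])):
            found.append(pkg)
    return found


def installed_packages(entries):
    """Map package name -> (version, arch, build) from /var/log/packages names."""
    installed = {}
    for entry in entries:
        pkg = parse_pkg(entry)
        if pkg:
            installed[pkg[0]] = pkg[1:]
    return installed


def missing_updates(advisory_text, installed_entries):
    """List (name, installed, required) for advisory packages still at an
    older version, or the same version with a lower build (a 'Rebuilt')."""
    installed = installed_packages(installed_entries)
    missing = []
    for name, version, arch, build in parse_advisory(advisory_text):
        if name not in installed:
            continue  # package not present, so the advisory does not apply
        cur_ver, cur_arch, cur_build = installed[name]
        if (version_key(cur_ver), cur_build) < (version_key(version), build):
            missing.append((name, f"{cur_ver}-{cur_arch}-{cur_build}",
                            f"{version}-{arch}-{build}"))
    return missing


def installed_from_dir(path="/var/log/packages"):
    """Read the live package database when run on a Slackware host."""
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


# Constructed advisory excerpt, modelled on the ChangeLog entries in this thread.
ADVISORY = """\
patches/packages/openssl-1.0.1e-i486-1_slack14.0.txz: Upgraded.
This release fixes a regression in openssl-1.0.1d, where the fix for
CVE-2013-0169 caused data corruption on CPUs with AES-NI support.
patches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz: Upgraded.
patches/packages/curl-7.29.0-i486-3_slack14.0.txz: Rebuilt.
patches/packages/ruby-1.9.3_p448-i486-1_slack14.0.txz: Upgraded.
"""

# Constructed /var/log/packages listing for a partly patched 14.0 box.
INSTALLED = [
    "openssl-1.0.1d-i486-1_slack14.0",         # older version
    "openssl-solibs-1.0.1e-i486-1_slack14.0",  # already current
    "curl-7.29.0-i486-2_slack14.0",            # same version, lower build
    "ruby-1.9.3_p392-i486-1_slack14.0",        # older patchlevel
    "mozilla-firefox-17.0.8esr-i486-1_slack14.0",
]

if __name__ == "__main__":
    entries = installed_from_dir() or INSTALLED
    for name, have, need in missing_updates(ADVISORY, entries):
        print(f"{name}: installed {have}, advisory requires {need}")
```

On a real host, paste the advisory text into ADVISORY (or read it from a file) and the script reads /var/log/packages directly; the kernel advisory's "linux-3.2.45/*" line is deliberately not matched, since kernel packages are not named by a single .txz there.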
