V.T. Eric Layton
Posted February 10, 2013

[slackware-security] openssl (SSA:2013-040-01)

New openssl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz: Upgraded.
  Make the decoding of SSLv3, TLS and DTLS CBC records constant time. This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at:
    http://www.isg.rhul.ac.uk/tls/
  Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. (CVE-2013-0169)
  [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode ciphersuites which can be exploited in a denial of service attack. Thanks go to and to Adam Langley for discovering and detecting this bug and to Wolfgang Ettlinger for independently discovering this issue. (CVE-2012-2686)
  [Adam Langley]
  Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166)
  [Steve Henson]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz: Upgraded.
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted February 12, 2013

[slackware-security] openssl (SSA:2013-042-01)

New openssl packages are available for Slackware 14.0, and -current to fix a bug in openssl-1.0.1d.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1e-i486-1_slack14.0.txz: Upgraded.
  This release fixes a regression in openssl-1.0.1d, where the fix for CVE-2013-0169 caused data corruption on CPUs with AES-NI support.
patches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

V.T. Eric Layton
Posted February 15, 2013

[slackware-security] pidgin (SSA:2013-044-01)

New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.10.7-i486-1_slack14.0.txz: Upgraded.
  This update fixes several security issues:
    Remote MXit user could specify local file path.
    MXit buffer overflow reading data from network.
    Sametime crash with long user IDs.
    Crash when receiving a UPnP response with abnormally long values.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted February 21, 2013

[slackware-security] mozilla-firefox (SSA:2013-050-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-19.0-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-050-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.3-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted February 26, 2013

[slackware-security] seamonkey (SSA:2013-056-01)

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.16-i486-1_slack14.0.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.16-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

V.T. Eric Layton
Posted March 4, 2013

[slackware-security] httpd (SSA:2013-062-01)

New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.4-i486-1_slack14.0.txz: Upgraded.
  This update provides bugfixes and enhancements. Two security issues are fixed:
  * Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
    [Jim Jagielski, Stefan Fritsch, Niels Heinen]
  * XSS in mod_proxy_balancer manager interface.
    [Jim Jagielski, Niels Heinen]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 7, 2013

[slackware-security] sudo (SSA:2013-065-01)

New sudo packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/sudo-1.8.6p7-i486-1_slack14.0.txz: Upgraded.
  This update fixes security issues that could allow a user to run commands without authenticating after the password timeout has already expired. Note that the vulnerability did not permit a user to run commands other than those allowed by the sudoers policy.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 9, 2013

[slackware-security] mozilla-thunderbird (SSA:2013-068-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.4esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

=====

[slackware-security] mozilla-firefox (SSA:2013-068-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-19.0.2-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 14, 2013

[slackware-security] seamonkey (SSA:2013-072-02)

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.16.1-i486-1_slack14.0.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.16.1-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

[slackware-security] perl (SSA:2013-072-01)

New perl packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/perl-5.16.3-i486-1_slack14.0.txz: Upgraded.
  This update fixes a flaw in the rehashing code that can be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 16, 2013

[slackware-security] ruby (SSA:2013-075-01)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p392-i486-1_slack14.0.txz: Upgraded.
  This release includes security fixes about bundled JSON and REXML.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 24, 2013

[slackware-security] php (SSA:2013-081-01)

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/php-5.4.13-i486-1_slack14.0.txz: Upgraded.
  This release fixes two security issues in SOAP:
    Added check that soap.wsdl_cache_dir conforms to open_basedir.
    Disabled external entities loading.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 27, 2013

[slackware-security] bind (SSA:2013-086-01)

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.2_P2-i486-1_slack14.0.txz: Upgraded.
  This update fixes a critical defect in BIND 9 that allows an attacker to cause excessive memory consumption in named or other programs linked to libdns.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
    https://kb.isc.org/article/AA-00871
  (* Security fix *)
+--------------------------+

[slackware-security] dhcp (SSA:2013-086-02)

New dhcp packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/dhcp-4.2.5_P1-i486-1_slack14.0.txz: Upgraded.
  This update replaces the included BIND 9 code that the DHCP programs link against. Those contained a defect that could possibly lead to excessive memory consumption and a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted March 29, 2013

[slackware-security] libssh (SSA:2013-087-01)

New libssh packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/libssh-0.5.4-i486-1_slack14.0.txz: Upgraded.
  This update fixes a possible denial of service issue.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0176
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted April 3, 2013

[slackware-security] mozilla-firefox (SSA:2013-093-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-20.0-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-093-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.5-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted April 5, 2013

[slackware-security] subversion (SSA:2013-095-01)

New subversion packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/subversion-1.7.9-i486-1_slack14.0.txz: Upgraded.
  This update fixes some denial of service bugs:
    mod_dav_svn excessive memory usage from property changes
    mod_dav_svn crashes on LOCK requests against activity URLs
    mod_dav_svn crashes on LOCK requests against non-existent URLs
    mod_dav_svn crashes on PROPFIND requests against activity URLs
    mod_dav_svn crashes on out of range limit in log REPORT request
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted April 8, 2013

[slackware-security] seamonkey (SSA:2013-097-01)

New seamonkey packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.17-i486-1_slack14.0.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.17-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

V.T. Eric Layton
Posted April 20, 2013

[slackware-security] xorg-server (SSA:2013-109-01)

New xorg-server packages are available for Slackware 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/xorg-server-1.12.4-i486-1_slack14.0.txz: Upgraded.
  This update fixes an input flush bug with evdev. Under exceptional conditions (keyboard input during device hotplugging), this could leak a small amount of information intended for the X server. This issue was evaluated to be of low impact.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940
    http://lists.x.org/archives/xorg-devel/2013-April/036014.html
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.12.4-i486-1_slack14.0.txz: Upgraded.
patches/packages/xorg-server-xnest-1.12.4-i486-1_slack14.0.txz: Upgraded.
patches/packages/xorg-server-xvfb-1.12.4-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

V.T. Eric Layton
Posted May 16, 2013

[slackware-security] mozilla-thunderbird (SSA:2013-135-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2013-135-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-21.0-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted May 16, 2013

[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)

New mozilla-thunderbird packages are available for Slackware64 13.37 and 14.0. These were accidentally omitted from the last upload.

Here are the details from the Slackware64 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-x86_64-1_slack14.0.txz: Upgraded.
  Here's the package that was missing from the last batch. The wrong entry in the ChangeLog was removed to prevent slackpkg from having trouble with it.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted May 21, 2013

[slackware-security] kernel (SSA:2013-140-01)

New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/linux-3.2.45/*: Upgraded.
  Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local users to gain a root shell. Be sure to upgrade your initrd and reinstall LILO after upgrading the kernel packages.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted June 11, 2013

[slackware-security] php (SSA:2013-161-01)

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/php-5.4.16-i486-1_slack14.0.txz: Upgraded.
  This is a bugfix release. It also fixes a security issue -- a heap-based overflow in the quoted_printable_encode() function, which could be used by a remote attacker to crash PHP or execute code as the 'apache' user.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted June 24, 2013

[slackware-security] curl (SSA:2013-174-01)

New curl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/curl-7.29.0-i486-3_slack14.0.txz: Rebuilt.
  This fixes a minor security issue where a decode buffer boundary flaw in libcurl could lead to heap corruption.
  For more information, see:
    http://curl.haxx.se/docs/adv_20130622.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted June 28, 2013

[slackware-security] ruby (SSA:2013-178-01)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p448-i486-1_slack14.0.txz: Upgraded.
  This update patches a vulnerability in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority.
  For more information, see:
    http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted June 30, 2013

[slackware-security] mozilla-firefox (SSA:2013-180-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-17.0.7esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
  We had to switch to ESR here as well, as there's a problem running Firefox 22.0 on Slackware 14.0 under KDE (crash when oxygen-gtk2 is installed). Forcing people to uninstall oxygen-gtk2 isn't really an option for a security fix, and upgrading to the latest oxygen-gtk2 did not help. It's possible that future Firefox/Thunderbird security updates will always come from the ESR branch.
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-180-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.7-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted July 10, 2013

[slackware-security] dbus (SSA:2013-191-01)

New dbus packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/dbus-1.4.20-i486-4_slack14.0.txz: Rebuilt.
  This update fixes a security issue where misuse of va_list could be used to cause a denial of service for system services. Vulnerability reported by Alexandru Cornea.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted July 17, 2013

[slackware-security] php (SSA:2013-197-01)

New php packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/php-5.4.17-i486-1_slack14.0.txz: Upgraded.
  This update fixes an issue where XML in PHP does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted August 4, 2013

[slackware-security] gnupg / libgcrypt (SSA:2013-215-01)

New gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error packages are also available for Slackware 13.1 and older as the supplied version wasn't new enough to compile the fixed version of libgcrypt.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/gnupg-1.4.14-i486-1_slack14.0.txz: Upgraded.
  Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys.
  For more information, see:
    http://eprint.iacr.org/2013/448
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
  (* Security fix *)
patches/packages/libgcrypt-1.5.3-i486-1_slack14.0.txz: Upgraded.
  Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys.
  For more information, see:
    http://eprint.iacr.org/2013/448
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted August 6, 2013

[slackware-security] bind (SSA:2013-218-01)

New bind packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.3_P2-i486-1_slack14.0.txz: Upgraded.
  This update fixes a security issue where a specially crafted query can cause BIND to terminate abnormally, resulting in a denial of service.
  For more information, see:
    https://kb.isc.org/article/AA-01015
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854
  (* Security fix *)
+--------------------------+

[slackware-security] httpd (SSA:2013-218-02)

New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.6-i486-1_slack14.0.txz: Upgraded.
  This update addresses two security issues:
  * SECURITY: CVE-2013-1896 (cve.mitre.org)
    Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
  * SECURITY: CVE-2013-2249 (cve.mitre.org)
    mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes. This changes the format of the updatesession SQL statement. Existing configurations must be changed.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
  (* Security fix *)
+--------------------------+

[slackware-security] samba (SSA:2013-218-03)

New samba packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/samba-3.6.17-i486-1_slack14.0.txz: Upgraded.
  This update fixes missing integer wrap protection in an EA list reading that can allow authenticated or guest connections to cause the server to loop, resulting in a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
  (* Security fix *)
+--------------------------+

V.T. Eric Layton
Posted August 8, 2013

[slackware-security] mozilla-firefox (SSA:2013-219-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-17.0.8esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-219-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.8-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2013-219-03)

New seamonkey packages are available for Slackware 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.20-i486-1_slack14.0.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.20-i486-1_slack14.0.txz: Upgraded.
+--------------------------+

V.T. Eric Layton
Posted August 22, 2013

[slackware-security] hplip (SSA:2013-233-01)

New hplip packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/hplip-3.12.9-i486-2_slack14.0.txz: Rebuilt.
  This update fixes a stack-based buffer overflow in the hpmud_get_pml function that can allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SNMP response with a large length value.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267
  (* Security fix *)
+--------------------------+

[slackware-security] xpdf (SSA:2013-233-02)

New xpdf packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/xpdf-3.03-i486-1_slack14.0.txz: Upgraded.
  Sanitize error messages to remove escape sequences that could be used to exploit vulnerable terminal emulators.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
  Thanks to mancha.
  (* Security fix *)
+--------------------------+

[slackware-security] poppler (SSA:2013-233-03)

New poppler packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/poppler-0.20.2-i486-2_slack14.0.txz: Rebuilt.
  Sanitize error messages to remove escape sequences that could be used to exploit vulnerable terminal emulators.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
  (* Security fix *)
+--------------------------+