V.T. Eric Layton, posted August 30, 2013

[slackware-security] gnutls (SSA:2013-242-01)

New gnutls packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.0.26-i486-1_slack14.0.txz: Upgraded.
  This update prevents a side-channel attack which may allow remote attackers
  to conduct distinguishing attacks and plaintext recovery attacks using
  statistical analysis of timing data for crafted packets.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
  (* Security fix *)
+--------------------------+

[slackware-security] php (SSA:2013-242-02)

New php packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/php-5.4.19-i486-1_slack14.0.txz: Upgraded.
  Fixed handling null bytes in subjectAltName (CVE-2013-4248).
  For more information, see:
    http://cve.mitre.org...e=CVE-2013-4248
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted August 30, 2013

[slackware-security] gnutls (SSA:2013-242-03)

New gnutls packages are available for Slackware 14.0 and -current to fix a security issue.

Sorry about having to reissue this one -- I pulled it from ftp.gnu.org not realizing that the latest version there was actually months out of date.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.0.31-i486-1_slack14.0.txz: Upgraded.
  [updated to the correct version to fix fetching the "latest" from gnu.org]
  This update prevents a side-channel attack which may allow remote attackers
  to conduct distinguishing attacks and plaintext recovery attacks using
  statistical analysis of timing data for crafted packets.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted September 9, 2013

[slackware-security] subversion (SSA:2013-251-01)

New subversion packages are available for Slackware 14.0 and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/subversion-1.7.13-i486-1_slack14.0.txz: Upgraded.
  This update fixes a local privilege escalation vulnerability via symlink attack.
  For more information, see:
    http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4277
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted September 18, 2013

[slackware-security] glibc (SSA:2013-260-01)

New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/glibc-2.15-i486-8_slack14.0.txz: Rebuilt.
  Patched to fix integer overflows in pvalloc, valloc, and
  posix_memalign/memalign/aligned_alloc.
  Thanks to mancha for the backported patch.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332
  (* Security fix *)
  Also, as long as these packages were being respun anyway, I added a patch
  to fix the check for AVX opcodes. This was causing crashes on Xen.
  Thanks to Dale Gallagher.
patches/packages/glibc-i18n-2.15-i486-8_slack14.0.txz: Rebuilt.
patches/packages/glibc-profile-2.15-i486-8_slack14.0.txz: Rebuilt.
patches/packages/glibc-solibs-2.15-i486-8_slack14.0.txz: Rebuilt.
patches/packages/glibc-zoneinfo-2013d_2013d-noarch-8_slack14.0.txz: Rebuilt.
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2013-260-02)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-17.0.9esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-260-03)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.9esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted September 30, 2013

[slackware-security] seamonkey (SSA:2013-271-01)

New seamonkey packages are available for Slackware 14.0 and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.21-i486-1_slack14.0.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.21-i486-1_slack14.0.txz: Upgraded.
+--------------------------+
V.T. Eric Layton, posted October 15, 2013

[slackware-security] gnupg (SSA:2013-287-01)

New gnupg packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/gnupg-1.4.15-i486-1_slack14.0.txz: Upgraded.
  Fixed possible infinite recursion in the compressed packet parser.
  [CVE-2013-4402]
  Protect against rogue keyservers sending secret keys.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
  (* Security fix *)
+--------------------------+

[slackware-security] gnupg2 (SSA:2013-287-02)

New gnupg2 packages are available for Slackware 13.37, 14.0, and -current to fix security issues. These packages will require the updated libgpg-error package.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/gnupg2-2.0.22-i486-1_slack14.0.txz: Upgraded.
  Fixed possible infinite recursion in the compressed packet parser.
  [CVE-2013-4402]
  Protect against rogue keyservers sending secret keys.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
  (* Security fix *)
+--------------------------+

[slackware-security] gnutls (SSA:2013-287-03)

New gnutls packages are available for Slackware 12.1, 12.2, 13.0, 13.1, and 13.37 to fix security issues.

Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/gnutls-2.10.5-i486-2_slack13.37.txz: Rebuilt.
  [updated to the correct version to fix fetching the "latest" from gnu.org]
  This update prevents a side-channel attack which may allow remote attackers
  to conduct distinguishing attacks and plaintext recovery attacks using
  statistical analysis of timing data for crafted packets.
  Other minor security issues are patched as well.
  Thanks to mancha for backporting these patches.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
  (* Security fix *)
+--------------------------+

[slackware-security] libgpg-error (SSA:2013-287-04)

New libgpg-error packages are available for Slackware 13.37 and 14.0. These are needed for the updated gnupg2 package.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/libgpg-error-1.11-i486-1_slack14.0.txz: Upgraded.
  This package upgrade was needed by the new version of gnupg2.
+--------------------------+

[slackware-security] xorg-server (SSA:2013-287-05)

New xorg-server packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/xorg-server-1.12.4-i486-2_slack14.0.txz: Rebuilt.
  Patched a use-after-free bug that can cause an X server crash or memory
  corruption.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.12.4-i486-2_slack14.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.12.4-i486-2_slack14.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.12.4-i486-2_slack14.0.txz: Rebuilt.
+--------------------------+
V.T. Eric Layton, posted October 20, 2013

[slackware-security] hplip (SSA:2013-291-01)

New hplip packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/hplip-3.12.9-i486-3_slack14.0.txz: Rebuilt.
  This fixes a polkit race condition that could allow local users to bypass
  intended access restrictions.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325
  (* Security fix *)
+--------------------------+

[slackware-security] libtiff (SSA:2013-290-01)

New libtiff packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/libtiff-3.9.7-i486-1_slack14.0.txz: Upgraded.
  Patched overflows, crashes, and out of bounds writes.
  Thanks to mancha for the backported patches.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted November 3, 2013

[slackware-security] mozilla-thunderbird (SSA:2013-307-01)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, and -current to fix security issues.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.10esr-i486-1_slack14.0.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted November 8, 2013

Yes, it is that time again! After well over a year of planning, development, and testing, the Slackware Linux Project is proud to announce the latest stable release of the longest running distribution of the Linux operating system, Slackware version 14.1!

We are sure you'll enjoy the many improvements. We've done our best to bring the latest technology to Slackware while still maintaining the stability and security that you have come to expect. Slackware is well known for its simplicity and the fact that we try to bring software to you in the condition that the authors intended.

Slackware 14.1 brings many updates and enhancements, among which you'll find two of the most advanced desktop environments available today: Xfce 4.10.1, a fast and lightweight but visually appealing and easy to use desktop environment, and KDE 4.10.5, a recent stable release of the 4.10.x series of the award-winning KDE desktop environment. These desktops utilize udev, udisks, and udisks2, and many of the specifications from freedesktop.org which allow the system administrator to grant use of various hardware devices according to users' group membership so that they will be able to use items such as USB flash sticks, USB cameras that appear like USB storage, portable hard drives, CD and DVD media, MP3 players, and more, all without requiring sudo, the mount or umount command. Just plug and play. Slackware's desktop should be suitable for any level of Linux experience.

Slackware uses the 3.10.17 kernel bringing you advanced performance features such as journaling filesystems, SCSI and ATA RAID volume support, SATA support, Software RAID, LVM (the Logical Volume Manager), and encrypted filesystems. Kernel support for X DRI (the Direct Rendering Interface) brings high-speed hardware accelerated 3D graphics to Linux.

There are two kinds of kernels in Slackware. First there are the huge kernels, which contain support for just about every driver in the Linux kernel. These are primarily intended to be used for installation, but there's no real reason that you couldn't continue to run them after you have installed. The other type of kernel is the generic kernel, in which nearly every driver is built as a module. To use a generic kernel you'll need to build an initrd to load your filesystem module and possibly your drive controller or other drivers needed at boot time, configure LILO to load the initrd at boot, and reinstall LILO. See the docs in /boot after installing for more information.

Slackware's Linux kernels come in both SMP and non-SMP types now. The SMP kernel supports multiple processors, multi-core CPUs, HyperThreading, and about every other optimization available. In our own testing this kernel has proven to be fast, stable, and reliable. We recommend using the SMP kernel even on single processor machines if it will run on them. Note that on x86_64 (64-bit), all the kernels are SMP capable.

Here are some of the advanced features of Slackware 14.1:

- Runs the 3.10.17 version of the Linux kernel from ftp.kernel.org. The 3.10.x series is well-tested, offers good performance, and will be getting long term support from kernel.org. For people interested in running the previous long term support kernel series, we've provided sample configuration files for Linux 3.4.66 under the /testing directory. And, to make it easier for people who want to compile the latest Linux kernel, we've also put configuration files for Linux 3.12 in /testing.

- System binaries are linked with the GNU C Library, version 2.17. This version of glibc also has excellent compatibility with existing binaries.

- X11 based on the X.Org Foundation's modular X Window System. This is X11R7.7, a new release, with many improvements in terms of performance and hardware support.

- Installs gcc-4.8.2 as the default C, C++, Objective-C, Fortran-77/95/2003/2008, and Ada 95/2005/2012 compiler.

- Also includes LLVM and Clang, an alternate compiler for C, C++, Objective-C and Objective-C++.

- The x86_64 version of Slackware 14.1 supports installation and booting on machines using UEFI firmware.

- Support for NetworkManager for simple configuration of wired and wireless network connections, including mobile broadband, IPv6, VPN, and more. Roam seamlessly between known networks, and quickly set up new connections. We've retained full support for the traditional Slackware networking scripts and for the wicd network manager, offering choice and flexibility to all levels of users.

- Support for fully encrypted network connections with OpenSSL, OpenSSH, OpenVPN, and GnuPG.

- Apache (httpd) 2.4.6 web server with Dynamic Shared Object support, SSL, and PHP 5.4.20.

- USB, IEEE 1394 (FireWire), and ACPI support, as well as legacy PCMCIA and Cardbus support. This makes Slackware a great operating system for your laptop.

- The udev dynamic device management system for Linux 3.x. This locates and configures most hardware automatically as it is added (or removed) from the system, loading kernel modules as needed. It works along with the kernel's devtmpfs filesystem to create access nodes in the /dev directory.

- New development tools, including Perl 5.18.1, Python 2.7.5, Ruby 1.9.3-p448, Subversion 1.7.13, git-1.8.4, mercurial-2.7.2, graphical tools like Qt designer and KDevelop, and much more.

- Updated versions of the Slackware package management tools make it easy to add, remove, upgrade, and make your own Slackware packages. Package tracking makes it easy to upgrade from Slackware 14.0 to Slackware 14.1 (see UPGRADE.TXT and CHANGES_AND_HINTS.TXT). The slackpkg tool can also help update from an older version of Slackware to a newer one, and keep your Slackware system up to date. In addition, the slacktrack utility will help you build and maintain your own packages.

- Web browsers galore! Includes KDE's Konqueror 4.10.5, SeaMonkey 2.21 (this is the replacement for the Mozilla Suite), Mozilla Firefox ESR 24.1, as well as the Thunderbird 24.1 email and news client with advanced junk mail filtering. A script is also available in /extra to repackage Google Chrome as a native Slackware package.

- The KDE Software Compilation 4.10.5, a complete desktop environment. This includes the Calligra productivity suite (previously known as KOffice), networking tools, GUI development with KDevelop, multimedia tools (including the Amarok music player and K3B disc burning software), the Konqueror web browser and file manager, dozens of games and utilities, international language support, and more.

- A collection of GTK+ based applications including pidgin-2.10.7, gimp-2.8.6 (with many improvements including a single window mode), gkrellm-2.3.5, xchat-2.8.8, xsane-0.998, and pan-0.139.

- A repository of extra software packages compiled and ready to run in the /extra directory.

- Many more improved and upgraded packages than we can list here.

For a complete list of core packages in Slackware 14.1, see this file:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/PACKAGES.TXT

Downloading Slackware 14.1:
---------------------------

The full version of Slackware Linux 14.1 is available for download from the central Slackware FTP site hosted by our friends at osuosl.org:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/

If the sites are busy, see the list of official mirror sites here:
http://mirrors.slackware.com

We will be setting up BitTorrent downloads for the official ISO images. Stay tuned to http://slackware.com for the latest updates.

Instructions for burning the Slackware tree onto install discs may be found in the isolinux directory.

Purchasing Slackware on CD-ROM or DVD:
--------------------------------------

Or, please consider purchasing the Slackware Linux 14.1 six CD-ROM set or deluxe dual-sided DVD release directly from Slackware Linux, and you'll be helping to support the continued development of Slackware Linux!

The DVD release has the 32-bit x86 Slackware 14.1 release on one side, and the 64-bit x86_64 Slackware 14.1 release on the other. Both sides are bootable for easy installation, and include everything from both releases of Slackware 14.1, including the complete source code trees.

The 6 CD-ROM release of Slackware 14.1 is the 32-bit x86 edition. It includes a bootable first CD-ROM for easy installation. The 6 CD-ROMs are labeled for easy reference.

The Slackware 14.1 x86 6 CD-ROM set is $49.95 plus shipping, or choose the Slackware 14.1 x86/x86_64 dual-sided DVD (also $49.95 plus shipping).

Slackware Linux is also available by subscription. When we release a new version of Slackware (which is normally once or twice a year) we ship it to you and bill your credit card for a reduced subscription price ($32.99 for the CD-ROM set, or $39.95 for the DVD) plus shipping.

For shipping options, see the Slackware store website. Before ordering express shipping, you may wish to check that we have the product in stock. We make releases to the net at the same time as disc production begins, so there is a lag between the online release and the shipping of media. But, even if you download now you can still buy the official media later. You'll feel good, be helping the project, and have a great decorative item perfect for any computer room shelf.

Ordering Information:
---------------------

You can order online at the Slackware Linux store:
http://store.slackware.com

Other Slackware items like t-shirts, caps, pins, and stickers can also be found here. These will help you find and identify yourself to your fellow Slackware users.

Order inquiries (including questions about becoming a Slackware reseller) may be directed to this address:
info@slackware.com

Have fun! :^)

I hope you find Slackware to be useful, and thanks very much for your support of this project over the years.

--- Patrick J. Volkerding

Visit us on the web at: http://slackware.com
V.T. Eric Layton, posted November 19, 2013

[slackware-security] mozilla-firefox (SSA:2013-322-01)

New mozilla-firefox packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.1.1esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] openssh (SSA:2013-322-02)

New openssh packages are available for Slackware 14.1 and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssh-6.4p1-i486-1_slack14.1.txz: Upgraded.
  sshd(8): fix a memory corruption problem triggered during rekeying when an
  AES-GCM cipher is selected.
  For more information, see:
    http://www.openssh.com/txt/gcmrekey.adv
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548
  (* Security fix *)
+--------------------------+

[slackware-security] samba (SSA:2013-322-03)

New samba packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.1-i486-1_slack14.1.txz: Upgraded.
  This update fixes two security issues:
  * Samba versions 3.2.0 and above do not check the underlying file or
    directory ACL when opening an alternate data stream.
  * In setups which provide ldap(s) and/or https services, the private key
    for SSL/TLS encryption might be world readable. This typically happens
    in active directory domain controller setups.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476
  (* Security fix *)
  Added tdb.h, tdb.pc, and a libtdb.so symlink.
  Thanks to Matteo Bernardini.
+--------------------------+

[slackware-security] seamonkey (SSA:2013-322-04)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.22-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.22-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton, posted December 6, 2013

[slackware-security] mozilla-nss (SSA:2013-339-01)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-nss-3.15.3-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-339-02)

New mozilla-thunderbird packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.1.1-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2013-339-03)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.22.1-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.22.1-i486-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] hplip (SSA:2013-339-04)

New hplip packages are available for Slackware 14.0 to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/hplip-3.12.9-i486-4_slack14.0.txz: Rebuilt.
  This update disables the automatic upgrade feature which can be easily
  fooled into downloading an arbitrary binary and executing it. This issue
  affects only Slackware 14.0 (earlier versions do not have the feature, and
  newer ones had already disabled it).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6427
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, posted December 18, 2013

[slackware-security] libiodbc (SSA:2013-350-01)

New libiodbc packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libiodbc-3.52.8-i486-1_slack14.1.txz: Upgraded.
  This update fixes an rpath pointing to a location in /tmp that was found
  in two test programs (iodbctest and iodbctestw). This could have allowed a
  local attacker with write access to /tmp to add modified libraries (and
  execute arbitrary code) as any user running the test programs.
  Thanks to Christopher Oliver for the bug report.
  (* Security fix *)
+--------------------------+

[slackware-security] libjpeg (SSA:2013-350-02)

New libjpeg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libjpeg-v8a-i486-2_slack14.1.txz: Rebuilt.
  Fix use of uninitialized memory when decoding images with missing SOS data
  for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
  This could allow remote attackers to obtain sensitive information from
  uninitialized memory locations via a crafted JPEG image.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
  (* Security fix *)
+--------------------------+

[slackware-security] llvm (SSA:2013-350-03)

New llvm packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/llvm-3.3-i486-3_slack14.1.txz: Rebuilt.
  The LLVM package included binaries with an rpath pointing to the build
  location in /tmp. This allows an attacker with write access to /tmp to add
  modified libraries (and execute arbitrary code) as any user running the
  LLVM binaries. This updated package rebuilds LLVM to exclude the build
  directories from the rpath information.
  Thanks to Christopher Oliver for the bug report.
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2013-350-04)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.2.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2013-350-05)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.2.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] ruby (SSA:2013-350-06)

New ruby packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p484-i486-1_slack14.1.txz: Upgraded.
  This update fixes a heap overflow in floating point parsing. A specially
  crafted string could cause a heap overflow leading to a denial of service
  attack via segmentation faults and possibly arbitrary code execution.
  For more information, see:
    https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2013-350-07)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.23-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.23-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
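The libiodbc (SSA:2013-350-01) and llvm (SSA:2013-350-03) advisories in this post describe the same defect class: a DT_RPATH baked in at build time that points into /tmp, so any local user who can write there can plant a library that the binary loads. The checker below is an added example, not part of the post or of the Slackware packages: it walks the section headers of a little-endian ELF64 image, pulls every DT_RPATH/DT_RUNPATH string out of .dynstr, and flags search-path elements an unprivileged user could populate (under /tmp or /var/tmp, relative, or empty). The minimal ELF it builds for its self-test is constructed here and is not a real package binary.

```python
import struct
import sys

# ELF constants from the System V ABI (section types and dynamic-section tags).
SHT_DYNAMIC, SHT_STRTAB = 6, 3
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}
SHDR_FMT = "<IIQQQQIIQQ"   # ELF64 section header, little-endian


def rpath_entries(data: bytes) -> list:
    """Return [(tag_name, search_path), ...] for every DT_RPATH/DT_RUNPATH
    entry in a little-endian ELF64 image (what an x86_64 Slackware binary is)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3a)
    # Field order: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    found = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size, link = sh[4], sh[5], sh[6]
        # sh_link of .dynamic names the string table that its d_val offsets index.
        str_off, str_size = sections[link][4], sections[link][5]
        strtab = data[str_off:str_off + str_size]
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in TAG_NAMES:
                end = strtab.index(b"\0", d_val)
                found.append((TAG_NAMES[d_tag], strtab[d_val:end].decode()))
    return found


def risky_dirs(entries: list) -> list:
    """Search-path elements an unprivileged local user could populate: anything
    under /tmp or /var/tmp, a relative path, or an empty element (which the
    dynamic loader treats as the current working directory). $ORIGIN-relative
    elements resolve next to the binary itself and are left for a separate check."""
    bad = []
    for tag, path in entries:
        for d in path.split(":"):
            if d.startswith("$ORIGIN") or d.startswith("${ORIGIN}"):
                continue
            if (d == "" or not d.startswith("/")
                    or d == "/tmp" or d.startswith("/tmp/")
                    or d == "/var/tmp" or d.startswith("/var/tmp/")):
                bad.append((tag, d))
    return bad


def check_file(path: str) -> list:
    """Read one ELF file from disk and return its risky search-path elements."""
    with open(path, "rb") as fh:
        return risky_dirs(rpath_entries(fh.read()))


def build_test_elf(rpath: str, tag: int = DT_RPATH) -> bytes:
    """Constructed, non-loadable ELF64 image holding just .dynamic and .dynstr,
    so the checker can be exercised offline without a real Slackware package."""
    dynstr = b"\0libc.so.6\0" + rpath.encode() + b"\0"
    rpath_idx = len(b"\0libc.so.6\0")
    dynamic = (struct.pack("<qQ", DT_NEEDED, 1) + struct.pack("<qQ", tag, rpath_idx)
               + struct.pack("<qQ", DT_NULL, 0))
    str_off = 64                                  # right after the ELF header
    dyn_off = (str_off + len(dynstr) + 7) & ~7    # 8-byte aligned
    sh_off = (dyn_off + len(dynamic) + 7) & ~7

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack(SHDR_FMT, 0, sh_type, 0, 0, off, size, link, 0, 8, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)                                  # mandatory null header
             + shdr(SHT_DYNAMIC, dyn_off, len(dynamic), 2, 16)    # .dynamic, link -> 2
             + shdr(SHT_STRTAB, str_off, len(dynstr), 0, 0))      # .dynstr
    # e_ident, then: type=ET_DYN, machine=x86-64, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 0, 0, 64, 3, 0))
    img = bytearray(ehdr) + dynstr
    img += b"\0" * (dyn_off - len(img)) + dynamic
    img += b"\0" * (sh_off - len(img)) + shdrs
    return bytes(img)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No files given: run the check on a constructed image whose rpath
        # resembles the build-directory leak the llvm advisory describes.
        sample = rpath_entries(build_test_elf("/tmp/llvm-build/lib:/usr/lib64"))
        print("constructed image:", sample, "->", risky_dirs(sample))
    for target in targets:
        for tag, d in check_file(target):
            print(f"{target}: {tag} element {d!r} is writable by local users")
```

Run it as `python3 rpath_check.py /usr/bin/*` on an installed system to audit real binaries; the hypothetical file name is only a suggestion.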
V.T. Eric Layton, posted December 21, 2013

[slackware-security] gnupg (SSA:2013-354-01)

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnupg-1.4.16-i486-1_slack14.1.txz: Upgraded.
  Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  attack as described by Genkin, Shamir, and Tromer.
  For more information, see:
    http://www.cs.tau.ac.il/~tromer/acoustic/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted January 14, 2014

[slackware-security] libXfont (SSA:2014-013-01)

New libXfont packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libXfont-1.4.7-i486-1_slack14.1.txz: Upgraded.
  This update fixes a stack overflow when reading a BDF font file containing a longer than expected string, which could lead to crashes or privilege escalation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462
  (* Security fix *)
+--------------------------+

[slackware-security] openssl (SSA:2014-013-02)

New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1f-i486-1_slack14.1.txz: Upgraded.
  This update fixes the following security issues:
    Fix for TLS record tampering bug CVE-2013-4353
    Fix for TLS version checking bug CVE-2013-6449
    Fix for DTLS retransmission bug CVE-2013-6450
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1f-i486-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] php (SSA:2014-013-03)

New php packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.24-i486-1_slack14.1.txz: Upgraded.
  The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
  (* Security fix *)
+--------------------------+

[slackware-security] samba (SSA:2014-013-04)

New samba packages are available for Slackware 14.1 and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.4-i486-1_slack14.1.txz: Upgraded.
  This update fixes a heap-based buffer overflow that may allow AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4408
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted January 29, 2014

[slackware-security] bind (SSA:2014-028-01)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.4_P2-i486-1_slack14.1.txz: Upgraded.
  This update fixes a defect in the handling of NSEC3-signed zones that can cause BIND to be crashed by a specific set of queries.
  NOTE: According to the second link below, Slackware is probably not vulnerable since we aren't using glibc-2.18 yet. Might as well fix it anyway, though.
  For more information, see:
    https://kb.isc.org/article/AA-01078
    https://kb.isc.org/article/AA-01085
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-nss (SSA:2014-028-02)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-nss-3.15.4-i486-1_slack14.1.txz: Upgraded.
  Upgraded to nss-3.15.4 and nspr-4.10.3.
  Fixes a possible man-in-the-middle issue.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted February 9, 2014

[slackware-security] mozilla-firefox (SSA:2014-039-01)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.3.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-039-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.3.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-039-03)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.24-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.24-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton Posted February 14, 2014

[slackware-security] ntp (SSA:2014-044-02)

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz: Rebuilt.
  All stable versions of NTP remain vulnerable to a remote attack where the "ntpdc -c monlist" command can be used to amplify network traffic as part of a denial of service attack. By default, Slackware is not vulnerable since it includes "noquery" as a default restriction. However, it is vulnerable if this restriction is removed. To help mitigate this flaw, "disable monitor" has been added to the default ntp.conf (which will disable the monlist command even if other queries are allowed), and the default restrictions have been extended to IPv6 as well. All users of the NTP daemon should make sure that their ntp.conf contains "disable monitor" to prevent misuse of the NTP service. The new ntp.conf file will be installed as /etc/ntp.conf.new with a package upgrade, but the changes will need to be merged into any existing ntp.conf file by the admin.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
    http://www.kb.cert.org/vuls/id/348126
  (* Security fix *)
+--------------------------+

[slackware-security] curl (SSA:2014-044-01)

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/curl-7.35.0-i486-1_slack14.1.txz: Upgraded.
  This update fixes a flaw where libcurl could, in some circumstances, reuse the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140129.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
  (* Security fix *)
+--------------------------+
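The ntp advisory above asks admins to merge /etc/ntp.conf.new by hand and to make sure "disable monitor" and the "noquery" default restrictions are present. The following audit script is an added example for this thread, not Slackware's or the NTP project's own tooling: it parses an ntp.conf, reports whether the monitor facility ends up disabled and whether the IPv4 and IPv6 default restrict lines carry "noquery", and is meant to be run against a merged config before restarting ntpd. The two sample configurations are constructed; treating a bare "restrict default" line as covering both address families is an assumption of the example.

```python
"""Audit an ntp.conf for the monlist mitigations named in SSA:2014-044-02:
"disable monitor" plus "noquery" on the default restrict lines for IPv4 and
IPv6. Added example for this thread; not Slackware's or ntp's own code.
"""


def parse_ntp_conf(text):
    """Split ntp.conf text into (keyword, args) tuples, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def audit_monlist(text):
    """Return findings as a dict; 'ok' is True only when every mitigation holds."""
    # ntpd keeps the monitor facility on unless the config disables it, and a
    # later "enable monitor" switches it back on, so walk the file in order.
    monitor_disabled = False
    noquery = {"ipv4": False, "ipv6": False}
    for keyword, args in parse_ntp_conf(text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "enable" and "monitor" in args:
            monitor_disabled = False
        elif keyword == "restrict":
            flags = set(args)
            if "default" not in flags:
                continue  # per-host restrict lines do not change the default
            # Assumption of this example: a bare "restrict default" covers both
            # families; the advisory's new ntp.conf adds an explicit "-6" line.
            if "-4" in flags:
                families = ["ipv4"]
            elif "-6" in flags:
                families = ["ipv6"]
            else:
                families = ["ipv4", "ipv6"]
            for fam in families:
                noquery[fam] = "noquery" in flags  # last default line wins
    findings = {
        "monitor_disabled": monitor_disabled,
        "ipv4_noquery": noquery["ipv4"],
        "ipv6_noquery": noquery["ipv6"],
    }
    findings["ok"] = all(findings.values())
    return findings


def audit_file(path="/etc/ntp.conf"):
    """Audit a real file, e.g. after merging /etc/ntp.conf.new."""
    with open(path, encoding="utf-8") as fh:
        return audit_monlist(fh.read())


# Constructed sample: IPv4-only default restriction, monitor left enabled.
OLD_CONF = """\
# /etc/ntp.conf (constructed sample, pre-advisory style)
server 0.pool.ntp.org
restrict -4 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample with the advisory's additions merged in.
NEW_CONF = """\
# /etc/ntp.conf (constructed sample, post-advisory style)
server 0.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, audit_monlist(conf))
```

Running it on the two samples flags the old-style file on both the missing "disable monitor" and the uncovered IPv6 default, and passes the merged one; point audit_file at the real path once the merge is done.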
V.T. Eric Layton Posted February 20, 2014

[slackware-security] gnutls (SSA:2014-050-01)

New gnutls packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.1.21-i486-1_slack14.1.txz: Upgraded.
  This update fixes a flaw where a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
  (* Security fix *)
+--------------------------+

[slackware-security] mariadb, mysql (SSA:2014-050-02)

New mariadb and mysql packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mariadb-5.5.35-i486-1_slack14.1.txz: Upgraded.
  This update fixes a buffer overflow in the mysql command line client which may allow malicious or compromised database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version string.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
  (* Security fix *)
+--------------------------+

[slackware-security] kernel (SSA:2014-050-03)

New kernel packages are available for Slackware 14.1 (64-bit) to fix a security issue.

Here are the details from the Slackware64 14.1 ChangeLog:
+--------------------------+
patches/packages/linux-3.10.17-2/*:
  These are new kernels that fix CVE-2014-0038, a bug that can allow local users to gain a root shell.
  Be sure to reinstall LILO (run "lilo" as root) after upgrading the kernel packages, or on UEFI systems, copy the appropriate kernel to /boot/efi/EFI/Slackware/vmlinuz.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted February 28, 2014

[slackware-security] subversion (SSA:2014-058-01)

New subversion packages are available for Slackware 14.0, 14.1, and -current to fix denial-of-service issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/subversion-1.7.16-i486-1_slack14.1.txz: Upgraded.
  Fix denial of service bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 4, 2014

[slackware-security] gnutls (SSA:2014-062-01)

New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.1.22-i486-1_slack14.1.txz: Upgraded.
  Fixed a security issue where a specially crafted certificate could bypass certificate validation checks.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 6, 2014

[slackware-security] sudo (SSA:2014-064-01)

New sudo packages are available for Slackware 13.0, 13.1, and 13.37 to fix a security issue.

Here are the details from the Slackware 13.37 ChangeLog:
+--------------------------+
patches/packages/sudo-1.7.10p8-i486-1_slack13.37.txz: Upgraded.
  This update fixes a security issue where, if the env_reset option is disabled in the sudoers file, a malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run.
  For more information, see:
    http://www.sudo.ws/sudo/alerts/env_add.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0106
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 11, 2014

[slackware-security] udisks, udisks2 (SSA:2014-070-01)

New udisks and udisks2 packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/udisks-1.0.5-i486-1_slack14.1.txz: Upgraded.
  This update fixes a stack-based buffer overflow when handling long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
patches/packages/udisks2-2.1.3-i486-1_slack14.1.txz: Upgraded.
  This update fixes a stack-based buffer overflow when handling long path names. A malicious, local user could use this flaw to create a specially-crafted directory structure that could lead to arbitrary code execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 13, 2014

[slackware-security] mutt (SSA:2014-071-01)

New mutt packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mutt-1.5.23-i486-1_slack14.1.txz: Upgraded.
  This update fixes a buffer overflow where malformed RFC2047 header lines could result in denial of service or potentially the execution of arbitrary code as the user running mutt.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 14, 2014

[slackware-security] samba (SSA:2014-072-01)

New samba packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.6-i486-1_slack14.1.txz: Upgraded.
  This update fixes two security issues:
  CVE-2013-4496: Samba versions 3.4.0 and above allow the administrator to implement locking out Samba accounts after a number of bad password attempts. However, all released versions of Samba did not implement this check for password changes, such as are available over multiple SAMR and RAP interfaces, allowing password guessing attacks.
  CVE-2013-6442: Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 16, 2014

[slackware-security] php (SSA:2014-074-01)

New php packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.26-i486-1_slack14.1.txz: Upgraded.
  This update fixes a flaw where a specially crafted data file may cause a segfault or 100% CPU consumption when a web page uses fileinfo() on it.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted March 29, 2014

[slackware-security] curl (SSA:2014-086-01)

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/curl-7.36.0-i486-1_slack14.1.txz: Upgraded.
  This update fixes four security issues.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140326A.html
    http://curl.haxx.se/docs/adv_20140326B.html
    http://curl.haxx.se/docs/adv_20140326C.html
    http://curl.haxx.se/docs/adv_20140326D.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1263
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2522
  (* Security fix *)
+--------------------------+

[slackware-security] httpd (SSA:2014-086-02)

New httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.9-i486-1_slack14.1.txz: Upgraded.
  This update addresses two security issues.
  Segfaults with truncated cookie logging. mod_log_config: Prevent segfaults when logging truncated cookies. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies.
  mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2014-086-03)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.4.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-nss (SSA:2014-086-04)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-nss-3.16-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue:
  The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-086-05)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.4.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] openssh (SSA:2014-086-06)

New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssh-6.6p1-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH could be tricked into accepting any environment variable that contains the characters before the wildcard character.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-086-07)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.25-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.25-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
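Two of the advisories in this post (mozilla-nss CVE-2014-1492 and openssh CVE-2014-2532) are the same class of bug: a wildcard matcher that accepts more than its author intended. The block below is an added example for this thread, not NSS's or OpenSSH's code. It implements the RFC 6125 section 6.4.3 rules for matching a certificate name against a hostname, including the rule that a wildcard must never be matched inside an internationalized (xn--, or non-ASCII) label, and an anchored AcceptEnv-style matcher placed beside a substring check of the kind the openssh advisory describes. The certificate names, hostnames and variable names are constructed; requiring at least two labels after the wildcard, and at most one wildcard per label, are conservative choices of this example rather than RFC text.

```python
"""Wildcard matching done carefully: certificate hostnames (RFC 6125) and
sshd AcceptEnv-style patterns. Added example for this thread; this is not
NSS's or OpenSSH's code, and every name below is constructed.
"""
import fnmatch


def cert_name_matches(presented, hostname):
    """Match one presented dNSName (possibly with a wildcard) against a host."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    first, rest = p_labels[0], p_labels[1:]
    # RFC 6125 rule 1: the wildcard may appear only in the left-most label.
    if "*" not in first or any("*" in label for label in rest):
        return False
    # Conservative choice of this example: refuse "*" and "*.tld" style names.
    if len(rest) < 2:
        return False
    # RFC 6125 rule 3: never match a wildcard embedded in an internationalized
    # label. An A-label starts with "xn--"; a U-label carries non-ASCII text.
    if first.startswith("xn--") or not first.isascii():
        return False
    # RFC 6125 rule 2: the wildcard covers exactly one label, so label counts
    # must agree and every non-wildcard label must match exactly.
    if len(h_labels) != len(p_labels) or h_labels[1:] != rest:
        return False
    if first == "*":
        return True
    # Partial wildcard such as "www*": anchored within that single label.
    prefix, _, suffix = first.partition("*")
    if "*" in suffix:
        return False  # assumption of this example: one wildcard per label
    target = h_labels[0]
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def env_accepted(name, accept_patterns):
    """Anchored match of a variable name against AcceptEnv patterns such as
    "LANG" or "LC_*": the whole name must match one whole pattern."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in accept_patterns)


def env_accepted_substring(name, accept_patterns):
    """The loose behaviour the advisory describes, kept only for contrast:
    any name that merely contains the text before the wildcard is accepted."""
    for pat in accept_patterns:
        if "*" in pat:
            if pat.split("*", 1)[0] in name:
                return True
        elif pat == name:
            return True
    return False


if __name__ == "__main__":
    print(cert_name_matches("*.example.com", "www.example.com"))
    print(cert_name_matches("xn--*.example.com", "xn--bcher-kva.example.com"))
    print(env_accepted("MYLC_X", ["LANG", "LC_*"]),
          env_accepted_substring("MYLC_X", ["LANG", "LC_*"]))
```

The contrast in the last two functions is the whole point of the openssh entry: an accept list of LANG and LC_* is meant to admit LC_ALL and friends, and only an anchored match keeps an unrelated name that happens to contain "LC_" out of the session environment.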
V.T. Eric Layton Posted April 8, 2014

[slackware-security] openssl (SSA:2014-098-01)

New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1g-i486-1_slack14.1.txz: Upgraded.
  This update fixes two security issues:
  A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.
  Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from:
    http://eprint.iacr.org/2014/140
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1g-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
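The first openssl item above describes a missing bounds check in heartbeat handling. The block below is an added example for this thread, not OpenSSL's code: it parses a TLS heartbeat message as laid out in RFC 6520 (one type byte, a two-byte payload_length, the payload, then at least 16 bytes of padding) and shows where the check belongs, namely that the claimed payload plus the mandatory padding must fit inside the record that was actually received; otherwise the message is discarded rather than answered. The messages it builds and parses are constructed test vectors, and the claimed_length parameter exists only so the parser can be exercised with a length that does not match the bytes present.

```python
"""Parse and answer TLS heartbeat messages (RFC 6520) with the bounds check
whose absence is described in the openssl advisory above. Added example for
this thread, not OpenSSL's own code; all message bytes are constructed.
"""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding is at least 16 bytes
HEADER_LEN = 1 + 2  # type byte plus 16-bit payload_length


def parse_heartbeat(record):
    """Return (type, payload) for a well-formed heartbeat body, else None.

    record is the plaintext of one TLS record of content type heartbeat.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    # The check that matters: the payload the sender claims, plus the padding
    # the RFC requires, must lie entirely within the bytes actually received.
    # Without it a responder copies payload_length bytes from past the end of
    # the received data into its reply.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    return hb_type, bytes(record[HEADER_LEN:HEADER_LEN + payload_length])


def build_heartbeat(hb_type, payload, padding_len=MIN_PADDING,
                    claimed_length=None):
    """Encode a heartbeat body. claimed_length exists only so a test can
    feed the parser a length field that disagrees with the bytes present."""
    length = len(payload) if claimed_length is None else claimed_length
    return (bytes([hb_type]) + struct.pack("!H", length)
            + payload + os.urandom(padding_len))


def heartbeat_response(record):
    """Responder behaviour: echo the payload of a valid request, drop the rest.
    Only bytes the parser accounted for ever reach the reply."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    print(parse_heartbeat(good))
    mismatched = build_heartbeat(HEARTBEAT_REQUEST, b"ping", claimed_length=4096)
    print(parse_heartbeat(mismatched), heartbeat_response(mismatched))
```

The reply is built from the parsed payload only, so even if the bounds check were somehow bypassed there is no second buffer whose length comes from the peer; that separation is the design choice worth carrying into any record parser.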
V.T. Eric Layton Posted April 22, 2014

[slackware-security] php (SSA:2014-111-02)

New php packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.27-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue in the awk script detector which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
  (* Security fix *)
+--------------------------+

[slackware-security] libyaml (SSA:2014-111-01)

New libyaml packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libyaml-0.1.6-i486-1_slack14.1.txz: Upgraded.
  This update fixes a heap overflow in URI escape parsing of YAML in Ruby, where a specially crafted string could cause a heap overflow leading to arbitrary code execution.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
    https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted April 30, 2014

[slackware-security] mozilla-firefox (SSA:2014-119-01)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.5.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-119-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.5.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted May 12, 2014

[slackware-security] seamonkey (SSA:2014-131-01)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.26-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.26-i486-1_slack14.1.txz: Upgraded.
+--------------------------+