V.T. Eric Layton, Posted June 1, 2014

[slackware-security] mariadb (SSA:2014-152-01)

New mariadb packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mariadb-5.5.37-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted June 6, 2014

[slackware-security] sendmail (SSA:2014-156-04)

New sendmail packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/sendmail-8.14.9-i486-1_slack14.1.txz: Upgraded.
  This release fixes one security related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer).
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
  (* Security fix *)
patches/packages/sendmail-cf-8.14.9-noarch-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] openssl (SSA:2014-156-03)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1h-i486-1_slack14.1.txz: Upgraded.
  Multiple security issues have been corrected, including a possible man-in-the-middle attack where weak keying material is forced, denial of service, and the execution of arbitrary code.
  For more information, see:
  http://www.openssl.org/news/secadv_20140605.txt
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1h-i486-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] libtasn1 (SSA:2014-156-02)

New libtasn1 packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libtasn1-3.6-i486-1_slack14.1.txz: Upgraded.
  Multiple security issues have been corrected in the libtasn1 library. These errors allow a remote attacker to cause a denial of service, or possibly to execute arbitrary code.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
  (* Security fix *)
+--------------------------+

[slackware-security] gnutls (SSA:2014-156-01)

New gnutls packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.1.25-i486-1_slack14.1.txz: Upgraded.
  A security issue has been corrected in gnutls. This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client. This may allow a remote attacker to execute arbitrary code. Additional vulnerabilities in the embedded libtasn1 library have also been patched.
  Thanks to mancha for the backported patches.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
  (* Security fix *)
+--------------------------+
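The sendmail advisory in the post above turns on one defensive detail: descriptors other than stdin, stdout and stderr must be closed before a delivery program is executed, otherwise that program inherits the open SMTP connection. The script below is an added example (not code from the advisory, from Slackware or from sendmail) that reproduces the leak and the fix in miniature: a constructed socket pair stands in for the SMTP connection, and a child process reports whether it could reach the descriptor with and without the close-before-exec step. The function names and the probe program are this example's own.

```python
"""Added example: descriptor leak across exec, and the close-before-exec fix.

Not code from the Slackware advisory or from sendmail; the socket pair is a
constructed stand-in for an open SMTP connection.
"""
import os
import socket
import subprocess
import sys
from typing import Tuple

# Program run in the child: exit 0 if the numbered descriptor is usable
# from the child, 1 if it was closed before exec.
_PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0)\n"
)


def child_can_reach_fd(fd: int, close_extra_fds: bool) -> bool:
    """Spawn a child and report whether it inherited descriptor `fd`.

    close_extra_fds=False mimics the unfixed daemon, which left the
    descriptor open across exec; close_extra_fds=True mimics the fix,
    which closes everything above stderr before the program runs.
    """
    # Python marks new descriptors close-on-exec by default (PEP 446).
    # Clear that flag so the descriptor behaves like one opened by a C
    # daemon that never set FD_CLOEXEC; otherwise the leak cannot happen.
    os.set_inheritable(fd, True)
    proc = subprocess.run(
        [sys.executable, "-c", _PROBE, str(fd)],
        close_fds=close_extra_fds,
    )
    return proc.returncode == 0


def leak_demo() -> Tuple[bool, bool]:
    """Return (reachable_without_fix, reachable_with_fix) for a constructed
    socket pair that stands in for the open SMTP connection."""
    smtp_side, peer_side = socket.socketpair()  # constructed stand-in
    try:
        before = child_can_reach_fd(smtp_side.fileno(), close_extra_fds=False)
        after = child_can_reach_fd(smtp_side.fileno(), close_extra_fds=True)
    finally:
        smtp_side.close()
        peer_side.close()
    return before, after


if __name__ == "__main__":
    unfixed, fixed = leak_demo()
    print("child can reach the SMTP socket without the fix:", unfixed)
    print("child can reach the SMTP socket with the fix:   ", fixed)
```

The same check, run against a real daemon, is to list `/proc/<pid>/fd` of a child it spawned and confirm nothing but 0, 1 and 2 is present; the general hardening is to open descriptors with `O_CLOEXEC` (or `SOCK_CLOEXEC`) so the fix does not depend on remembering to close them.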
V.T. Eric Layton, Posted June 7, 2014

[slackware-security] mozilla-firefox (SSA:2014-157-01)

New mozilla-firefox packages are available for Slackware 14.1 to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted June 9, 2014

[slackware-security] php (SSA:2014-160-01)

New php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.29-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues, including a possible denial of service, and an issue where insecure default permissions on the FPM socket may allow local users to run arbitrary code as the apache user.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted June 12, 2014

[slackware-security] mozilla-thunderbird (SSA:2014-163-01)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.6.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted June 25, 2014

[slackware-security] bind (SSA:2014-175-01)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.5_P1-i486-1_slack14.1.txz: Upgraded.
  This fixes security issues and other bugs. Please note that the first CVE only affects Windows, and the second one was claimed to be fixed by an earlier version of BIND. But we'll update anyway just in case. :-)
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6230
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
  (* Security fix *)
+--------------------------+

[slackware-security] gnupg (SSA:2014-175-02)

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnupg-1.4.17-i486-1_slack14.1.txz: Upgraded.
  This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
  (* Security fix *)
+--------------------------+

[slackware-security] gnupg2 (SSA:2014-175-03)

New gnupg2 packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/gnupg2-2.0.24-i486-1_slack14.1.txz: Upgraded.
  This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
  (* Security fix *)
+--------------------------+

[slackware-security] samba (SSA:2014-175-04)

New samba packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.9-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues, including a flaw in Samba's internal DNS server which can be exploited to cause a denial of service, a flaw in SRV_SNAPSHOT_ARRAY that permits attackers to leverage configurations that use shadow_copy* for vfs objects to reveal potentially private server information, a denial of service on the nmbd NetBIOS name services daemon, and a denial of service crash involving overwriting memory on an authenticated connection to the smbd file server.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0178
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0239
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-175-05)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.26.1-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.26.1-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton, Posted July 12, 2014

[slackware-security] php (SSA:2014-192-01)

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.30-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted July 24, 2014

[slackware-security] httpd (SSA:2014-204-01)

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.10-i486-1_slack14.1.txz: Upgraded.
  This update fixes the following security issues:
  *) SECURITY: CVE-2014-0117 (cve.mitre.org)
     mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM. [Ben Reser]
  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
     mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
     Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener]
  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
     mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic]
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2014-204-02)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.7.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-204-03)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.7.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
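The CVE-2014-0118 entry in the httpd advisory above describes the defensive shape of a decompression-bomb fix: bound the inflated size of a request body and bound its compression ratio, tolerating a short burst of high-ratio chunks so ordinary compressible content still passes. The following is an added example, not code from the advisory, from Slackware or from Apache httpd, that applies the same two bounds to a zlib-compressed body in Python. The parameter names mirror the three directives named in the advisory but the chunking scheme and the functions are this example's own; the defaults of 200 and 3 are the documented httpd defaults for DeflateInflateRatioLimit and DeflateInflateRatioBurst. The two sample bodies are constructed inside the script.

```python
"""Added example: bounded inflation of a compressed request body.

Not code from the Slackware advisory or from Apache httpd. Models the
length cap and ratio-burst cap that mod_deflate's input filter applies.
"""
import random
import zlib


class InflateLimitExceeded(ValueError):
    """Raised when a body violates one of the inflate limits.

    `reason` is "size" or "ratio" so callers can log which limit fired."""

    def __init__(self, reason: str, detail: str):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def bounded_inflate(body: bytes, limit_request_body: int,
                    ratio_limit: int = 200, ratio_burst: int = 3,
                    chunk_size: int = 4096) -> bytes:
    """Inflate a zlib-compressed body without ever holding more than
    limit_request_body + 1 bytes of output in memory."""
    inflater = zlib.decompressobj()
    out = bytearray()
    over_ratio_in_a_row = 0
    for offset in range(0, len(body), chunk_size):
        chunk = body[offset:offset + chunk_size]
        # Ask zlib for at most the remaining budget plus one byte. Output
        # it could not emit is left in unconsumed_tail, which is itself
        # evidence that the size cap was hit.
        room = limit_request_body + 1 - len(out)
        produced = inflater.decompress(chunk, room)
        out += produced
        if len(out) > limit_request_body or inflater.unconsumed_tail:
            raise InflateLimitExceeded(
                "size", f"inflated body exceeds {limit_request_body} bytes")
        # Ratio check for this chunk: bytes out versus compressed bytes in.
        if len(produced) > ratio_limit * len(chunk):
            over_ratio_in_a_row += 1
            if over_ratio_in_a_row >= ratio_burst:
                raise InflateLimitExceeded(
                    "ratio", f"ratio above {ratio_limit}:1 for "
                             f"{ratio_burst} consecutive chunks")
        else:
            over_ratio_in_a_row = 0
    out += inflater.flush()
    if len(out) > limit_request_body:
        raise InflateLimitExceeded(
            "size", f"inflated body exceeds {limit_request_body} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed deflate stream")
    return bytes(out)


def check_body(body: bytes, limit_request_body: int, **limits) -> str:
    """Classify a body as "ok", "size" or "ratio" for logging/testing."""
    try:
        bounded_inflate(body, limit_request_body, **limits)
    except InflateLimitExceeded as exc:
        return exc.reason
    return "ok"


# Constructed inputs: a poorly compressible ordinary body, and a tiny
# body that inflates to 20 MiB of zeros (a decompression bomb).
def legitimate_body() -> bytes:
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(10_000))


def compressed_legitimate_body() -> bytes:
    return zlib.compress(legitimate_body())


def bomb_body() -> bytes:
    return zlib.compress(b"\0" * (20 * 1024 * 1024))


if __name__ == "__main__":
    print("ordinary body:", check_body(compressed_legitimate_body(), 64 * 1024))
    print("bomb, 1 MiB cap:", check_body(bomb_body(), 1024 * 1024))
    print("bomb, 64 MiB cap:", check_body(bomb_body(), 64 * 1024 * 1024))
```

With a small size cap the bomb trips the length check on its first chunk; with a generous cap it trips the ratio check after `ratio_burst` chunks, which is the case the advisory's ratio directives exist for: a body that stays under the absolute limit but is still wildly out of proportion to what was sent.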
V.T. Eric Layton, Posted August 1, 2014

[slackware-security] samba (SSA:2014-213-01)

New samba packages are available for Slackware 14.1 and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.11-i486-1_slack14.1.txz: Upgraded.
  This update fixes a remote code execution attack on unauthenticated nmbd NetBIOS name services. A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root).
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3560
  (* Security fix *)
+--------------------------+

[slackware-security] dhcpcd (SSA:2014-213-02)

New dhcpcd packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/dhcpcd-6.0.5-i486-3_slack14.1.txz: Rebuilt.
  This update fixes a security issue where a specially crafted packet received from a malicious DHCP server causes dhcpcd to enter an infinite loop causing a denial of service.
  Thanks to Tobias Stoeckmann for the bug report.
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted August 8, 2014

[slackware-security] openssl (SSA:2014-220-01)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1i-i486-1_slack14.1.txz: Upgraded.
  This update fixes several security issues:
  Double Free when processing DTLS packets (CVE-2014-3505)
  DTLS memory exhaustion (CVE-2014-3506)
  DTLS memory leak from zero-length fragments (CVE-2014-3507)
  Information leak in pretty printing functions (CVE-2014-3508)
  Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
  OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
  OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
  SRP buffer overrun (CVE-2014-3512)
  Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
  For more information, see:
  https://www.openssl.org/news/secadv_20140806.txt
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1i-i486-1_slack14.1.txz: Upgraded.
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted September 5, 2014

[slackware-security] php (SSA:2014-247-01)

New php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.32-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2014-247-02)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.8.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-247-03)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.8.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted September 9, 2014

[slackware-security] seamonkey (SSA:2014-252-01)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.29-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  (* Security fix *)
patches/packages/seamonkey-solibs-2.29-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton, Posted September 25, 2014

[slackware-security] bash (SSA:2014-267-01)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.048-i486-1_slack14.1.txz: Upgraded.
  This update fixes a vulnerability in bash related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations (such as the use of CGI scripts), this vulnerability is exploitable over the network.
  Thanks to Stephane Chazelas for discovering this issue.
  For more information, see:
  http://seclists.org/oss-sec/2014/q3/650
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-nss (SSA:2014-267-02)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-nss-3.16.5-i486-1_slack14.1.txz: Upgraded.
  Fixed an RSA Signature Forgery vulnerability.
  For more information, see:
  https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted September 25, 2014

[slackware-security] bash (SSA:2014-268-01)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.048-i486-2_slack14.1.txz: Rebuilt.
  Patched an additional trailing string processing vulnerability discovered by Tavis Ormandy.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted September 26, 2014

And another...

[slackware-security] bash (rebuild for Slackware 13.0 only) (SSA:2014-268-02)

New bash packages are available for Slackware 13.0 to fix a security issue.

Here are the details from the Slackware 13.0 ChangeLog:
+--------------------------+
patches/packages/bash-3.1.018-i486-3_slack13.0.txz: Rebuilt.
  The patch for CVE-2014-7169 needed to be rebased against bash-3.1 in order to apply correctly.
  Thanks to B. Watson for the bug report.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted September 29, 2014

[slackware-security] mozilla-firefox (SSA:2014-271-01)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.8.1esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2014-271-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-24.8.1-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-271-03)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.29.1-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.29.1-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton, Posted September 29, 2014

Bash Patch #4

[slackware-security] bash (SSA:2014-272-01)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bash-4.2.050-i486-1_slack14.1.txz: Upgraded.
  Another bash update. Here's some information included with the patch:
  "This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function."
  After this update, an environment variable will not go through the parser unless it follows this naming structure:
  BASH_FUNC_*%%
  Most scripts never expected to import functions from environment variables, so this change (although not backwards compatible) is not likely to break many existing scripts. It will, however, close off access to the parser as an attack surface in the vast majority of cases. There's already another vulnerability similar to CVE-2014-6271 for which there is not yet a fix, but this hardening patch prevents it (and likely many more similar ones).
  Thanks to Florian Weimer and Chet Ramey.
  (* Security fix *)
+--------------------------+
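The point of the hardening patch in the post above is a change of policy, not a change of parser: before it, bash decided from a variable's value alone (one beginning with `() {`) that it was an exported function to parse; after it, only a variable whose name has the form BASH_FUNC_*%% is ever handed to the parser. The script below is an added example, not code from the advisory, from Slackware or from bash, that models both policies over a constructed CGI-style environment and doubles as a detection helper: any variable whose value looks like a function body but whose name is outside that namespace is something a web front end should log and drop. The environment, function names and the regular expression are this example's own.

```python
"""Added example: which environment variables reach the shell parser,
before and after the BASH_FUNC_*%% naming rule.

Not code from the Slackware advisory or from bash; the sample environment
is constructed.
"""
import re
from typing import Dict, List

# The original check looked only at how the value began.
FUNCTION_BODY_START = "() {"

# After the patch the name itself must carry the prefix and the %% suffix;
# the captured group is the function name the shell would import.
EXPORTED_FUNCTION_NAME = re.compile(r"^BASH_FUNC_([A-Za-z_][A-Za-z0-9_]*)%%$")

# Constructed environment, as a CGI program might receive it. The header
# value is the textbook shape of the CVE-2014-6271 trigger with harmless
# trailing code, kept here purely as the pattern a detector must flag.
SAMPLE_ENV: Dict[str, str] = {
    "PATH": "/usr/bin:/bin",
    "HTTP_USER_AGENT": "() { :; }; echo trailing-code",
    "HTTP_HOST": "example.invalid",
    "BASH_FUNC_greet%%": "() {  echo hello\n}",
}


def parser_candidates(env: Dict[str, str], hardened: bool) -> List[str]:
    """Return what the shell would feed to its parser from `env`.

    hardened=False: any value beginning with "() {" qualifies, under its
    original variable name (the pre-patch rule).
    hardened=True: only names matching BASH_FUNC_<name>%% qualify, and the
    function is imported as <name> (the post-patch rule).
    """
    picked: List[str] = []
    for name, value in env.items():
        if not value.startswith(FUNCTION_BODY_START):
            continue
        if not hardened:
            picked.append(name)
            continue
        match = EXPORTED_FUNCTION_NAME.match(name)
        if match:
            picked.append(match.group(1))
    return picked


def suspicious_variables(env: Dict[str, str]) -> List[str]:
    """Detection helper: names whose value looks like a function body but
    which sit outside the exported-function namespace. Request headers and
    query strings have no legitimate reason to carry these."""
    return [
        name for name, value in env.items()
        if value.startswith(FUNCTION_BODY_START)
        and not EXPORTED_FUNCTION_NAME.match(name)
    ]


if __name__ == "__main__":
    print("pre-patch parser input :", parser_candidates(SAMPLE_ENV, hardened=False))
    print("post-patch parser input:", parser_candidates(SAMPLE_ENV, hardened=True))
    print("flag for logging       :", suspicious_variables(SAMPLE_ENV))
```

The effect is visible in the output: under the old rule the attacker-controlled header reaches the parser alongside the legitimately exported function; under the new rule only `greet` does, which is exactly why the advisory says the patch closes off the parser as an attack surface even for bugs not yet fixed.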
V.T. Eric Layton, Posted October 16, 2014

[slackware-security] openssl (SSA:2014-288-01)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.1.txz: Upgraded.
  (* Security fix *)
patches/packages/openssl-1.0.1j-i486-1_slack14.1.txz: Upgraded.
  This update fixes several security issues:
  SRTP Memory Leak (CVE-2014-3513):
  A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack.
  Session Ticket Memory Leak (CVE-2014-3567):
  When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.
  SSL 3.0 Fallback protection:
  OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).
  Build option no-ssl3 is incomplete (CVE-2014-3568):
  When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.
  For more information, see:
  https://www.openssl.org/news/secadv_20141015.txt
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
  (* Security fix *)
+--------------------------+
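The "SSL 3.0 Fallback protection" entry in the post above describes a small protocol rule that is easy to get wrong in the abstract: a client that is retrying at a lower version includes the TLS_FALLBACK_SCSV signalling suite, and a server that could have spoken a higher version treats that as proof of interference and aborts rather than completing the downgraded handshake. The following added example, not code from the advisory, from Slackware or from OpenSSL, simulates both ends and an active attacker who drops every handshake above SSL 3.0, and also models the no-ssl3 server floor from the CVE-2014-3568 entry as a minimum version. The version and suite numbers are the real wire values (0x5600 is the SCSV from RFC 7507); the data structures, function names and the attacker model are this example's own.

```python
"""Added example: TLS_FALLBACK_SCSV handling and a browser-style fallback
loop, with and without an active downgrade attacker.

Not code from the Slackware advisory or from OpenSSL.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Protocol versions as they appear on the wire.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600   # signalling suite value from RFC 7507
AES128_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a real suite


class InappropriateFallback(Exception):
    """Server-side fatal alert: the client fell back although it could do
    better, so something between the peers interfered."""


class HandshakeFailure(Exception):
    """Server refuses the offered version outright (e.g. SSL 3.0 disabled)."""


@dataclass
class ClientHello:
    client_version: int
    cipher_suites: List[int] = field(default_factory=list)


def server_negotiate(hello: ClientHello, server_max: int,
                     server_min: int = SSL3) -> int:
    """Return the version a server selects for `hello`, or raise."""
    # The SCSV check comes first: a fallback attempt at a version below
    # what this server speaks cannot be a genuine interoperability retry.
    if (TLS_FALLBACK_SCSV in hello.cipher_suites
            and hello.client_version < server_max):
        raise InappropriateFallback("inappropriate_fallback alert")
    chosen = min(hello.client_version, server_max)
    if chosen < server_min:
        # The no-ssl3 floor: a build or config that disables SSL 3.0 must
        # refuse to complete such a handshake (the CVE-2014-3568 fix).
        raise HandshakeFailure("version below server minimum")
    return chosen


def server_accepts(hello: ClientHello, server_max: int,
                   server_min: int = SSL3) -> Optional[int]:
    """Negotiated version, or None when the server sends a fatal alert."""
    try:
        return server_negotiate(hello, server_max, server_min)
    except (InappropriateFallback, HandshakeFailure):
        return None


def client_connect(server_max: int, attacker_drops_above: Optional[int],
                   send_scsv: bool) -> Optional[int]:
    """Browser-style fallback loop.

    attacker_drops_above: versions strictly above this are silently dropped
    by an active man-in-the-middle (None: no attacker). send_scsv: whether
    the client marks retries with TLS_FALLBACK_SCSV. Returns the negotiated
    version, or None when the client ends up with no connection.
    """
    for attempt, version in enumerate([TLS12, TLS11, TLS10, SSL3]):
        if attacker_drops_above is not None and version > attacker_drops_above:
            continue   # handshake never completes; client retries lower
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)   # "this is a fallback retry"
        result = server_accepts(ClientHello(version, suites), server_max)
        # A fatal alert from the real server ends the attempt; the client
        # must not keep walking down the version list past it.
        return result
    return None


if __name__ == "__main__":
    print("no attacker, SCSV on      :", hex(client_connect(TLS12, None, True)))
    print("attacker, SCSV off (POODLE):", hex(client_connect(TLS12, SSL3, False)))
    print("attacker, SCSV on         :", client_connect(TLS12, SSL3, True))
```

The three runs show the whole story: without the SCSV the attacker quietly lands the session on SSL 3.0; with it the server refuses and the client gets no connection at all, which is the intended outcome since a failed connection is recoverable and a POODLE-exposed one is not. The `server_min` parameter is the other half of the advisory: even without an attacker, a server that claims to have disabled SSL 3.0 must actually refuse an SSL 3.0 hello.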
V.T. Eric Layton, Posted October 21, 2014

[slackware-security] openssh (SSA:2014-293-01)

New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssh-6.7p1-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue that allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted October 24, 2014

[slackware-security] glibc (SSA:2014-296-01)

New glibc packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/glibc-2.17-i486-8_slack14.1.txz: Rebuilt.
  This update fixes several security issues, and adds an extra security hardening patch from Florian Weimer.
  Thanks to mancha for help with tracking and backporting patches.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4412
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4237
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4788
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4458
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
  (* Security fix *)
patches/packages/glibc-i18n-2.17-i486-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-profile-2.17-i486-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-solibs-2.17-i486-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-zoneinfo-2014i-noarch-1_slack14.1.txz: Upgraded.
  Upgraded to tzcode2014i and tzdata2014i.
+--------------------------+

[slackware-security] pidgin (SSA:2014-296-02)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
pidgin-2.10.10-i486-1_slack14.1.txz: Upgraded.
  This update fixes several security issues:
  Insufficient SSL certificate validation (CVE-2014-3694)
  Remote crash parsing malformed MXit emoticon (CVE-2014-3695)
  Remote crash parsing malformed Groupwise message (CVE-2014-3696)
  Malicious smiley themes could alter arbitrary files (CVE-2014-3697)
  Potential information leak from XMPP (CVE-2014-3698)
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3697
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted October 30, 2014

[slackware-security] wget (SSA:2014-302-01)

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/wget-1.14-i486-3_slack14.1.txz: Rebuilt.
  This update fixes a symlink vulnerability that could allow an attacker to write outside of the expected directory.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
  (* Security fix *)
+--------------------------+
V.T. Eric Layton, Posted November 4, 2014

[slackware-security] mariadb (SSA:2014-307-01)

New mariadb packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mariadb-5.5.40-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2014-307-02)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-31.2.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] php (SSA:2014-307-03)

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.34-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues.
  #68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
  #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
  #68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)
  For more information, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-307-04)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.30-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
  http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.30-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton Posted November 17, 2014

[slackware-security] mozilla-thunderbird (SSA:2014-320-01)

New mozilla-thunderbird packages are available for Slackware 14.1 to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-31.2.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted December 3, 2014

[slackware-security] mozilla-thunderbird (SSA:2014-337-01)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-31.3.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted December 11, 2014

Slackware Updates - Multiple

[slackware-security] wpa_supplicant (SSA:2014-344-07)

New wpa_supplicant packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/wpa_supplicant-2.3-i486-1_slack14.1.txz: Upgraded.
  This update fixes a remote command-execution vulnerability caused by a failure to adequately sanitize user-supplied input.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2014-344-06)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.31-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.31-i486-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] pidgin (SSA:2014-344-05)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.10.11-i486-1_slack14.1.txz: Upgraded.
  This update contains login fixes for MSN and some XMPP servers.
+--------------------------+

[slackware-security] openvpn (SSA:2014-344-04)

New openvpn packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openvpn-2.3.6-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue that allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
  For more information, see:
    https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
  (* Security fix *)
+--------------------------+

[slackware-security] openssh (SSA:2014-344-03)

New openssh packages are available for Slackware 14.0, 14.1, and -current.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssh-6.7p1-i486-2_slack14.1.txz: Rebuilt.
  Restored support for tcpwrappers that was dropped by upstream.
  Thanks to mancha.
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2014-344-02)

New mozilla-firefox packages are available for Slackware 14.1 to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-31.3.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] bind (SSA:2014-344-01)

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/bind-9.9.6_P1-i486-1_slack14.1.txz: Upgraded.
  This update fixes a security issue where a failure to place limits on delegation chaining can allow an attacker to crash BIND or cause memory exhaustion.
  For more information, see:
    https://kb.isc.org/article/AA-01216
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
  (* Security fix *)
+--------------------------+
V.T. Eric Layton Posted December 23, 2014

[slackware-security] ntp (SSA:2014-356-01)

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded.
  In addition to bug fixes and enhancements, this release fixes several high-severity vulnerabilities discovered by Neel Mehta and Stephen Roettger of the Google Security Team.
  For more information, see:
    https://www.kb.cert.org/vuls/id/852879
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
  (* Security fix *)
+--------------------------+

[slackware-security] php (SSA:2014-356-02)

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.36-i486-1_slack14.1.txz: Upgraded.
  This update fixes bugs and security issues.
    #68545 (NULL pointer dereference in unserialize.c).
    #68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
    #68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
  (* Security fix *)
+--------------------------+

[slackware-security] xorg-server (SSA:2014-356-03)

New xorg-server packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/xorg-server-1.14.3-i486-3_slack14.1.txz: Rebuilt.
  This update fixes many security issues discovered by Ilja van Sprundel, a security researcher with IOActive.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.14.3-i486-3_slack14.1.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.14.3-i486-3_slack14.1.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.14.3-i486-3_slack14.1.txz: Rebuilt.
+--------------------------+
V.T. Eric Layton Posted January 10, 2015

[slackware-security] openssl (SSA:2015-009-01)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1k-i486-1_slack14.1.txz: Upgraded.
  This update fixes several security issues:
    DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
    DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
    no-ssl3 configuration sets method to NULL (CVE-2014-3569)
    ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
    RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
    DH client certificates accepted without verification [server] (CVE-2015-0205)
    Certificate fingerprints can be modified (CVE-2014-8275)
    Bignum squaring may produce incorrect results (CVE-2014-3570)
  For more information, see:
    https://www.openssl.org/news/secadv_20150108.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1k-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton Posted January 18, 2015

[slackware-security] freetype (SSA:2015-016-01)

New freetype packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/freetype-2.5.5-i486-1_slack14.1.txz: Upgraded.
  This release fixes a security bug that could cause freetype to crash or run programs upon opening a specially crafted file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2240
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-firefox (SSA:2015-016-02)

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-31.4.0esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

[slackware-security] mozilla-thunderbird (SSA:2015-016-03)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-31.4.0-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2015-016-04)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.32-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.32-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
V.T. Eric Layton Posted January 29, 2015

[slackware-security] glibc (SSA:2015-028-01)

New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1 to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/glibc-2.17-i486-10_slack14.1.txz: Rebuilt.
  This update patches a security issue in the __nss_hostname_digits_dots() function of glibc which may be triggered through the gethostbyname*() set of functions. This flaw could allow local or remote attackers to take control of a machine running a vulnerable version of glibc. Thanks to Qualys for discovering this issue (also known as the GHOST vulnerability).
  For more information, see:
    https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
  (* Security fix *)
patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-zoneinfo-2014j-noarch-1.txz: Upgraded.
  Upgraded to tzcode2014j and tzdata2014j.
+--------------------------+
V.T. Eric Layton Posted February 17, 2015

[slackware-security] patch (SSA:2015-047-01)

New patch packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/patch-2.7.4-i486-1_slack14.1.txz: Upgraded.
  Patch no longer follows symbolic links to input and output files. This ensures that symbolic links created by git-style patches cannot cause patch to write outside the working directory.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
  (* Security fix *)
+--------------------------+

[slackware-security] seamonkey (SSA:2015-047-02)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/seamonkey-2.32.1-i486-1_slack14.1.txz: Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.32.1-i486-1_slack14.1.txz: Upgraded.
+--------------------------+

[slackware-security] sudo (SSA:2015-047-03)

New sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/sudo-1.8.12-i486-1_slack14.1.txz: Upgraded.
  This update fixes a potential security issue by only passing the TZ environment variable if it is considered safe. This prevents exploiting bugs in glibc's TZ parser that could be used to read files that the user does not have access to, or to cause a denial of service.
  For more information, see:
    http://www.sudo.ws/sudo/alerts/tz.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680
  (* Security fix *)
+--------------------------+
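The wget (SSA:2014-302-01) and patch (SSA:2015-047-01) advisories in this thread close the same bug class: a program that writes files follows a symbolic link planted at its destination and so ends up writing outside the directory it was meant to stay in. The following Python is an added example of the defensive pattern, not code from wget, patch or Slackware. The final path component is opened with O_NOFOLLOW so a planted link is rejected rather than followed, and the parent directory is resolved and compared against the base directory so that `..` components and symlinked subdirectories cannot escape it either. The helper names, the temporary directories and the planted link in `demo_planted_symlink()` are all constructed for this demonstration.

```python
import errno
import os
import tempfile


def safe_target(base_dir, relative_name):
    """Resolve relative_name under base_dir, refusing names whose parent
    directory escapes base_dir (via '..' or via a symlinked directory).
    The final component is deliberately left unresolved: it is checked at
    open() time with O_NOFOLLOW so a link there is refused, not followed."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.join(base_real, relative_name)
    parent_real = os.path.realpath(os.path.dirname(candidate))
    if parent_real != base_real and not parent_real.startswith(base_real + os.sep):
        raise ValueError("refusing to write outside %s: %s" % (base_dir, relative_name))
    return os.path.join(parent_real, os.path.basename(candidate))


def write_file_safely(base_dir, relative_name, data):
    """Create or overwrite a regular file under base_dir without following a
    symlink planted at the destination.  Returns the number of bytes written."""
    path = safe_target(base_dir, relative_name)
    # O_NOFOLLOW makes open() fail with ELOOP when the last component is a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise ValueError("refusing to write through symlink: %s" % path) from None
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return len(data)


def demo_planted_symlink():
    """Constructed scenario (assumption, not from any advisory): a link inside
    the work directory points at a file outside it.  Returns a dict of checks,
    all of which should be True."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(outside, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        # The planted link: a name the writer expects to create already exists as a symlink.
        os.symlink(victim, os.path.join(workdir, "download.txt"))

        try:
            write_file_safely(workdir, "download.txt", b"overwritten")
            results["symlink_refused"] = False
        except ValueError:
            results["symlink_refused"] = True
        with open(victim) as fh:
            results["victim_intact"] = fh.read() == "original"

        try:
            write_file_safely(workdir, "../escape.txt", b"x")
            results["traversal_refused"] = False
        except ValueError:
            results["traversal_refused"] = True

        # An ordinary name inside the work directory still works.
        write_file_safely(workdir, "ok.txt", b"fine")
        with open(os.path.join(workdir, "ok.txt"), "rb") as fh:
            results["normal_write_ok"] = fh.read() == b"fine"
    return results


if __name__ == "__main__":
    print(demo_planted_symlink())
```

O_NOFOLLOW only governs the last path component, which is why the parent directory is resolved with realpath() separately; forgetting either half leaves one of the two escape routes open. The demo needs a POSIX system; every value in the returned dict is True when the planted link is refused and the file outside the work directory is left untouched.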
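The sudo (SSA:2015-047-03) advisory describes a policy rather than a parser fix: a privileged program should pass TZ through only after checking that the value looks like a timezone name and not like a path into arbitrary files. The following Python is an added example of that kind of check, modelled on the idea in the advisory and not taken from sudo's source; the exact rules, the zoneinfo directory and the environment allow-list are assumptions for the illustration, and EXAMPLE_ENV is a constructed sample environment.

```python
ZONEINFO_DIR = "/usr/share/zoneinfo"  # assumption: where the system keeps its zone files
MAX_TZ_LEN = 255                      # assumption: a generous upper bound on a sane TZ value

# Assumption: a small allow-list of variables a privileged wrapper passes through.
DEFAULT_ALLOWED = frozenset({"PATH", "TERM", "LANG", "LC_ALL", "HOME", "USER", "TZ"})


def tz_is_sane(value):
    """Return True if a TZ value is safe to hand to a privileged process.

    Accepts zone names (Europe/Berlin), POSIX rule strings (EST5EDT,M3.2.0,M11.1.0)
    and absolute paths only inside the zoneinfo tree; rejects anything that could
    steer the TZ parser at an arbitrary file or contains odd characters."""
    if len(value) > MAX_TZ_LEN:
        return False
    if value.startswith(":"):          # POSIX allows a leading ':' before the spec
        value = value[1:]
    if any((not c.isprintable()) or c.isspace() for c in value):
        return False
    if value.startswith("/") and not value.startswith(ZONEINFO_DIR + "/"):
        return False                   # absolute path outside the zone database
    if ".." in value.split("/"):
        return False                   # no climbing out of the zone database either
    return True


def sanitize_environment(env, allowed=DEFAULT_ALLOWED):
    """Build the environment a privileged child may receive: drop everything not
    on the allow-list, and drop TZ as well unless its value passes tz_is_sane()."""
    clean = {}
    for name, value in env.items():
        if name not in allowed:
            continue
        if name == "TZ" and not tz_is_sane(value):
            continue
        clean[name] = value
    return clean


EXAMPLE_ENV = {  # constructed sample caller environment
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "TZ": "/etc/shadow",            # absolute path outside the zoneinfo tree: dropped
    "LD_PRELOAD": "/tmp/injected.so",  # not on the allow-list at all: dropped
}


if __name__ == "__main__":
    print(sanitize_environment(EXAMPLE_ENV))
```

An absolute path is allowed only under the zoneinfo tree, any `..` component is rejected, and non-printable or whitespace characters are rejected; ordinary zone names and POSIX rule strings pass. Variables not on the allow-list are dropped entirely, which is the same mechanism that keeps loader variables such as LD_PRELOAD away from the privileged process.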