
Slackware Security Updates: Mozilla, kdenetwork, fetchmail, zlib and gxine

Wow, multiple security updates in one day. Details of the updates are as follows:


Slackware Security Update: emacs and dnsmasq

Straight to the issues: I received two emails from the Slackware Security mailing list detailing the following issues (italicised text was added by me):

New emacs packages are available for Slackware 10.1 and -current to (fix) a security issue with the movemail utility for retrieving mail from a POP mail server. If used to connect to a malicious POP server, it is possible for the server to cause the execution of arbitrary code as the user running emacs.

New dnsmasq packages are available for Slackware 10.0, 10.1, and -current to fix security issues. An off-by-one overflow vulnerability may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache.

More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877

There are also tons of updates for Slackware-current, including heavy stuff like the glibc packages. You can use the Slackware package browser to obtain an updated version of these packages for your Slackware installation. Lazier and smarter people like me will use updating tools such as Swaret or slapt-get :)

Slackware Security Update: XV and tcpdump

I got two emails from the Slackware Security mailing list a few minutes ago detailing the following issues:

New XV image viewer packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix security issues. Format string and other issues could cause a crash or execution of arbitrary code if a specially crafted image is loaded with XV.

New tcpdump packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue. A specially crafted BGP packet can cause tcpdump to go into an infinite loop, creating a denial of service where network monitoring is disabled.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267

Apparently there are even more updates to Slackware-current; they are mostly version upgrades. You might want to see the full details in the changelog itself.

Happy Slacking!

Slackware Security Update: PHP/PEAR

New PHP packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue with the PEAR XML_RPC class that allows a remote attacker to run arbitrary PHP code. Sites that make use of this PHP library should upgrade to the new PHP package right away, or may instead upgrade the XML_RPC PEAR class with the following command:

pear upgrade XML_RPC

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921

Details from the Slackware-current changelog:

+--------------------------+
php-4.4.0-i486-1.tgz: Upgraded to php-4.4.0.
This new PHP package fixes a PEAR XML_RPC vulnerability. Sites that use this PEAR class should upgrade to the new PHP package, or as a minimal fix may instead upgrade the XML_RPC PEAR class with the following command:
pear upgrade XML_RPC
(* Security fix *)
+--------------------------+

Update: There’s been a mistake in the build for 8.1, 9.0 and 9.1. Details are as follows:

Sorry folks, I mistakenly used a build template that was too new to build the first round of PHP packages for Slackware 8.1, 9.0, and 9.1, which tried to place the module in /usr/libexec/apache (older versions of Slackware use /usr/libexec instead), and tried to link to incorrect libraries and features. These packages have been replaced with working ones. The packages for 10.0, 10.1, and -current were OK.

Slackware 10.2 Release On The Horizon?

I was just updating some files on my home box, which runs Slackware-current, when I noticed the following new file:

New: pkgtools-10.2.0-i486-1 (179 kB) - Installed: pkgtools-10.1.0-i486-4

Usually, the pkgtools package version numbering is consistent with the Slackware version it ships with. I guess that when the /etc/slackware-version file (which, by the way, is in the aaa_base package) is updated, we'll definitely know that things are cooking.

For now, all us Slackers can do is just wait patiently for more news :)