Mon Sep 28 18:49:31 EDT 2009
patches/packages/curl-7.12.2-s390-4_slack10.1.tgz:
This update fixes a security issue where a zero byte embedded in an SSL
or TLS certificate could fool cURL into validating the security of a
connection to a system that the certificate was not issued for. It has
been reported that at least one Certificate Authority allowed such
certificates to be issued.
For more information, see:
http://curl.haxx.se/docs/security.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
(* Security fix *)
+--------------------------+
Sun Aug 9 15:36:29 EDT 2009
patches/packages/bind-9.4.3_P3-s390-1_slack10.1.tgz: Upgraded.
This BIND update fixes a security problem where a specially crafted
dynamic update message packet will cause named to exit resulting in
a denial of service.
An active remote exploit is in wide circulation at this time.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
https://www.isc.org/node/479
(* Security fix *)
patches/packages/dhcp-3.1.2p1-s390-1_slack10.1.tgz: Upgraded.
A stack overflow vulnerability was fixed in dhclient that could allow
remote attackers to execute arbitrary commands as root on the system,
or simply terminate the client, by providing an over-long subnet-mask
option.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
(* Security fix *)
patches/packages/fetchmail-6.3.11-s390-1_slack10.1.tgz: Upgraded.
This update fixes an SSL NUL prefix impersonation attack through NULs in a
part of a X.509 certificate's CommonName and subjectAltName fields.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
(* Security fix *)
patches/packages/samba-3.0.36-s390-1_slack10.1.tgz: Upgraded.
This is a bugfix release.
+--------------------------+
Sun Jun 28 13:22:34 EDT 2009
patches/packages/samba-3.0.35-s390-1_slack10.1.tgz:
This upgrade fixes the following security issue:
o CVE-2009-1888:
In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
data value can potentially affect access control when "dos filemode"
is set to "yes".
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
(* Security fix *)
patches/packages/libpng-1.2.37-s390-1_slack10.1.tgz: Upgraded.
This update fixes a possible security issue. Jeff Phillips discovered an
uninitialized-memory-read bug affecting interlaced images that may have
security implications.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
(* Security fix *)
+--------------------------+
Sun Jun 7 19:06:22 EDT 2009
patches/packages/ntp-4.2.2p3-s390-1_slack10.1.tgz:
Patched a stack-based buffer overflow in the cookedprint function in
ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows arbitrary code
execution by a malicious remote NTP server.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
(* Security fix *)
+--------------------------+
Fri May 29 15:08:19 EDT 2009
patches/packages/xpdf-3.02pl3-s390-1_slack10.1.tgz:
Upgraded to xpdf-3.02pl3.
This update fixes several overflows that may result in crashes or the
execution of arbitrary code as the xpdf user.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
(* Security fix *)
+--------------------------+
Tue Apr 28 14:46:22 EDT 2009
patches/packages/lcms-1.18-s390-1_slack10.1.tgz: Upgraded to lcms-1.18.
This update fixes security issues discovered in LittleCMS by Chris Evans.
These flaws could cause program crashes (denial of service) or the execution
of arbitrary code as the user of the lcms-linked program.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
(* Security fix *)
+--------------------------+
Sun Mar 22 16:53:15 EDT 2009
patches/packages/apache-1.3.41-s390-1_slack10.1.tgz:
Upgraded to apache-1.3.41, the last regular release of the
Apache 1.3.x series, and a security bugfix-only release.
For more information about the security issues fixed, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
(* Security fix *)
patches/packages/bind-9.3.6_P1-s390-1_slack10.1.tgz:
Upgraded to bind-9.3.6-P1.
Fixed checking on return values from OpenSSL's EVP_VerifyFinal and
DSA_do_verify functions to prevent spoofing answers returned from zones using
the DNSKEY algorithms DSA and NSEC3DSA.
For more information, see:
https://www.isc.org/node/373
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
(* Security fix *)
patches/packages/bzip2-1.0.5-s390-1_slack10.1.tgz: Upgraded to bzip2-1.0.5.
Previous versions of bzip2 contained a buffer overread error that could cause
applications linked to libbz2 to crash, resulting in a denial of service.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
(* Security fix *)
patches/packages/cups-1.1.23-s390-2_slack10.1.tgz:
Patched cups-1.1.23.
Errors in ipp.c may allow a remote attacker to crash CUPS resulting
in a denial of service.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
(* Security fix *)
patches/packages/curl-7.12.2-s390-3_slack10.1.tgz:
Patched curl-7.12.2.
This fixes a security issue where automatic redirection could be made to
follow file:// URLs, reading or writing a local instead of remote file.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
(* Security fix *)
patches/packages/dnsmasq-2.45-s390-1_slack10.1.tgz:
Upgraded to dnsmasq-2.45.
It was discovered that earlier versions of dnsmasq have DNS cache
weaknesses that are similar to the ones recently discovered in BIND.
This new release minimizes the risk of cache poisoning.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
(* Security fix *)
patches/packages/fetchmail-6.3.8-s390-1_slack10.1.tgz:
Patched to fix a possible denial of service when "-v -v" options are used.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
(* Security fix *)
patches/packages/glibc-zoneinfo-2.3.4-noarch-6_slack10.1.tgz:
Upgraded to tzdata2008h for the latest world timezone changes.
patches/packages/libpng-1.2.35-s390-1_slack10.1.tgz:
Upgraded to libpng-1.2.35.
This fixes multiple memory-corruption vulnerabilities due to a failure to
properly initialize data structures.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt
(* Security fix *)
patches/packages/libxml2-2.6.32-s390-1_slack10.1.tgz:
Upgraded to libxml2-2.6.32 and patched.
This fixes vulnerabilities including denial of service, or possibly the
execution of arbitrary code as the user running a libxml2 linked application
if untrusted XML content is parsed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
(* Security fix *)
patches/packages/m4-1.4.11-s390-1_slack10.1.tgz: Upgraded to m4-1.4.11.
In addition to bugfixes and enhancements, this version of m4 also fixes two
issues with possible security implications. A minor security fix with the
use of "maketemp" and "mkstemp" -- these are now quoted to prevent the
(rather unlikely) possibility that an unquoted string could match an
existing macro causing operations to be done on the wrong file. Also,
a problem with the '-F' option (introduced with version 1.4) could cause a
core dump or possibly (with certain file names) the execution of arbitrary
code. For more information on these issues, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
(* Security fix *)
patches/packages/mod_ssl-2.8.31_1.3.41-s390-1_slack10.1.tgz:
Upgraded to mod_ssl-2.8.31-1.3.41 to work with apache_1.3.41.
patches/packages/ntp-4.2.4p6-s390-1_slack10.1.tgz:
[Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
For more information, see:
https://lists.ntp.org/pipermail/announce/2009-January/000055.html
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
(* Security fix *)
patches/packages/openssh-5.0p1-s390-1_slack10.1.tgz:
Upgraded to openssh-5.0p1.
This version fixes a security issue where local users could hijack forwarded
X connections. Upgrading to the new package is highly recommended.
For more information on this security issue, please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
(* Security fix *)
patches/packages/python-2.4.5-s390-1_slack10.1.tgz:
Upgraded to 2.4.5 and patched overflows and other security problems.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
(* Security fix *)
patches/packages/python-demo-2.4.5-noarch-1_slack10.1.tgz: Upgraded.
patches/packages/python-tools-2.4.5-noarch-1_slack10.1.tgz: Upgraded.
patches/packages/rsync-2.6.9-s390-1_slack10.1.tgz:
Patched some security bugs.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
http://lists.samba.org/archive/rsync-announce/2007/000050.html
(* Security fix *)
patches/packages/samba-3.0.33-s390-1_slack10.1.tgz:
Upgraded to samba-3.0.33.
This package fixes an important barrier against rogue clients reading from
uninitialized memory (though no proof-of-concept is known to exist).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314
(* Security fix *)
patches/packages/tcpdump-3.9.7-s390-1_slack10.1.tgz:
Upgraded to libpcap-0.9.7, tcpdump-3.9.7.
This new version fixes an integer overflow in the BGP dissector which
could possibly allow remote attackers to crash tcpdump or to execute
arbitrary code.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
(* Security fix *)
patches/packages/xine-lib-1.1.11.1-s390-3_slack10.1.tgz:
Recompiled, with --without-speex (we didn't ship the speex library in
Slackware anyway, but for reference this issue would be CVE-2008-1686),
and with --disable-nosefart (the recently reported as insecurely
demuxed NSF format). As before in -2, this package fixes the two
regressions mentioned in the release notes for xine-lib-1.1.12:
http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655
(* Security fix *)
patches/packages/xpdf-3.02pl2-s390-1_slack10.1.tgz:
Upgraded to xpdf-3.02pl2.
The pl2 patch fixes a crash in xpdf.
Some theorize that this could be used to execute arbitrary code if an
untrusted PDF file is opened, but no real-world examples are known (yet).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
(* Security fix *)
+--------------------------+
Mon May 28 04:33:54 EDT 2007
patches/packages/samba-3.0.25a-s390-1_slack10.1.tgz:
Upgraded to samba-3.0.25a. This fixes some major (non-security) bugs in
samba-3.0.25. See the WHATSNEW.txt for details.
+--------------------------+
Thu May 17 02:30:53 EDT 2007
patches/packages/libpng-1.2.18-s390-1_slack10.1.tgz:
Upgraded to libpng-1.2.18.
A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some
libpng applications. This vulnerability has been assigned the identifiers
CVE-2007-2445 and CERT VU#684664.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445
(* Security fix *)
patches/packages/samba-3.0.25-s390-1_slack10.1.tgz:
Upgraded to samba-3.0.25.
Security Fixes included in the Samba 3.0.25 release are:
o CVE-2007-2444
Versions: Samba 3.0.23d - 3.0.25pre2
Local SID/Name translation bug can result in
user privilege elevation
o CVE-2007-2446
Versions: Samba 3.0.0 - 3.0.24
Multiple heap overflows allow remote code execution
o CVE-2007-2447
Versions: Samba 3.0.0 - 3.0.24
Unescaped user input parameters are passed as
arguments to /bin/sh allowing for remote command
execution
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447
(* Security fix *)
patches/packages/x11-6.8.1-s390-7_slack10.1.tgz: Fixed some bugs in the
fontconfig upgrade... Put cache files in /var/cache/fontconfig, not
/var/X11R6/var/cache/fontconfig. Properly locate and compress fontconfig
man pages. Thanks to Eef Hartman for pointing these out.
Replaced freetype library with freetype-2.3.4.
This fixes an overflow parsing BDF fonts.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
(* Security fix *)
Upgraded to fontconfig-2.4.2.
patches/packages/x11-devel-6.8.1-s390-7_slack10.1.tgz:
Replaced freetype library with freetype-2.3.4.
This fixes an overflow parsing BDF fonts.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
(* Security fix *)
Upgraded to fontconfig-2.4.2.
patches/packages/x11-xdmx-6.8.1-s390-7_slack10.1.tgz: Recompiled.
patches/packages/x11-xnest-6.8.1-s390-7_slack10.1.tgz: Recompiled.
patches/packages/x11-xvfb-6.8.1-s390-7_slack10.1.tgz: Recompiled.
patches/packages/xine-lib-1.1.6-s390-1_slack10.1.tgz:
Upgraded to xine-lib-1.1.6.
This fixes overflows in xine-lib in some little-used media formats in
xine-lib < 1.1.5 and other bugs in xine-lib < 1.1.6. The overflows in
xine-lib < 1.1.5 could definitely cause an application using xine-lib to
crash, and it is theorized that a malicious media file could be made to run
arbitrary code in the context of the user running the application.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
(* Security fix *)
+--------------------------+
Wed Apr 4 13:55:57 EDT 2007
patches/packages/file-4.20-s390-1_slack10.1.tgz:
Upgraded to file-4.20.
This fixes a heap overflow that could allow code to be executed as the
user running file (note that there are many scenarios where file might be
used automatically, such as in virus scanners or spam filters).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
(* Security fix *)
+--------------------------+
Sat Mar 17 11:44:49 EDT 2007
patches/packages/bind-9.3.4-s390-1_slack10.1.tgz:
Upgraded to bind-9.3.4. This update fixes two denial of service
vulnerabilities where an attacker could crash the name server with
specially crafted malformed data.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494
(* Security fix *)
patches/packages/fetchmail-6.3.6-s390-1_slack10.1.tgz:
Upgraded to fetchmail-6.3.6. This fixes two security issues. First, a bug
introduced in fetchmail-6.3.5 could cause fetchmail to crash. However,
no stable version of Slackware ever shipped fetchmail-6.3.5. Second, a long
standing bug (reported by Isaac Wilcox) could cause fetchmail to send a
password in clear text or omit using TLS even when configured otherwise.
All fetchmail users are encouraged to consider using getmail, or to upgrade
to the new fetchmail packages.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867
(* Security fix *)
patches/packages/glibc-zoneinfo-2.3.4-noarch-2_slack10.1.tgz:
Updated with tzdata2007b for impending Daylight Savings Time
changes in the US.
patches/packages/gnupg-1.4.7-s390-1_slack10.1.tgz: Upgraded to gnupg-1.4.7.
This fixes a security problem that can occur when GnuPG is used incorrectly.
Newer versions attempt to prevent such misuse.
For more information, see:
http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
(* Security fix *)
patches/packages/samba-3.0.24-s390-1_slack10.1.tgz:
Upgraded to samba-3.0.24. From the WHATSNEW.txt file:
"Important issues addressed in 3.0.24 include:
o Fixes for the following security advisories:
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)"
Samba is Slackware is vulnerable to the first issue, which can cause smbd
to enter into an infinite loop, disrupting Samba services. Linux is not
vulnerable to the second issue, and Slackware does not ship the afsacl.so
VFS plugin (but it's something to be aware of if you build Samba with
custom options).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454
(* Security fix *)
+--------------------------+
Sun Jan 14 17:48:08 EST 2007
patches/packages/gnupg-1.4.6-s390-1_slack10.1.tgz:
Upgraded to gnupg-1.4.6. This release fixes a severe and exploitable
bug in earlier versions of gnupg. All gnupg users should update to the
new packages as soon as possible. For details, see the information
concerning CVE-2006-6235 posted on lists.gnupg.org:
http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
This update also addresses a more minor security issue possibly
exploitable when GnuPG is used in interactive mode. For more information
about that issue, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
(* Security fix *)
patches/packages/libpng-1.2.14-s390-1_slack10.1.tgz:
Upgraded to libpng-1.2.14. This fixes a bug where a specially crafted PNG
file could crash applications that use libpng.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
(* Security fix *)
patches/packages/proftpd-1.3.0a-s390-1_slack10.1.tgz:
Upgraded to proftpd-1.3.0a plus an additional security patch. Several
security issues were found in proftpd that could lead to the execution of
arbitrary code by a remote attacker, including one in mod_tls that does
not require the attacker to be authenticated first.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
(* Security fix *)
patches/packages/tar-1.16-s390-1_slack10.1.tgz:
Upgraded to tar-1.16.
This fixes an issue where files may be extracted outside of the current
directory, possibly allowing a malicious tar archive, when extracted, to
overwrite any of the user's files (in the case of root, any file on the
system).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
(* Security fix *)
patches/packages/xine-lib-1.1.3-s390-1_slack10.1.tgz:
Upgraded to xine-lib-1.1.3 which fixes possible security problems
such as a heap overflow in libmms and a buffer overflow in the
Real Media input plugin.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
(* Security fix *)
+--------------------------+
Mon Nov 13 13:52:10 EST 2006
patches/packages/bind-9.3.2_P2-s390-1_slack10.1.tgz:
Upgraded to bind-9.3.2-P2. This fixes some security issues related to
previous fixes in OpenSSL. The minimum OpenSSL version was raised to
OpenSSL 0.9.7l and OpenSSL 0.9.8d to avoid exposure to known security flaws
in older versions (these patches were already issued for Slackware). If you
have not upgraded yet, get those as well to prevent a potentially exploitable
security problem in named. In addition, the default RSA exponent was changed
from 3 to 65537. RSA keys using exponent 3 (which was previously BIND's
default) will need to be regenerated to protect against the forging
of RRSIGs.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
(* Security fix *)
patches/packages/infozip-5.52-s390-2.tgz: Updated the SlackBuild script to
specify linux_noasm on the unzip build. This allows it to actually build.
+--------------------------+
Sat Nov 4 23:19:00 EST 2006
patches/packages/qt-3.3.3-s390-4_slack10.1.tgz: Patched.
This fixes an issue with Qt's handling of pixmap images that causes Qt linked
applications to crash if a specially crafted malicious image is loaded.
Inspection of the code in question makes it seem unlikely that this could
lead to more serious implications (such as arbitrary code execution), but it
is recommended that users upgrade to the new Qt package.
For more information, see:
http://www.trolltech.com/company/newsroom/announcements/press.2006-10-19.5434451733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811
(* Security fix *)
patches/packages/screen-4.0.3-s390-1_slack10.1.tgz: Upgraded to screen-4.0.3.
This addresses an issue with the way screen handles UTF-8 character encoding
that could allow screen to be crashed (or possibly code to be executed in the
context of the screen user) if a specially crafted sequence of pseudo-UTF-8
characters are displayed withing a screen session.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573
(* Security fix *)
+--------------------------+
Sat Sep 30 00:31:52 EDT 2006
patches/packages/openssl-solibs-0.9.7l-s390-1_slack10.1.tgz:
Upgraded to shared libraries from openssl-0.9.7l.
See openssl package update below.
(* Security fix *)
patches/packages/openssh-4.4p1-s390-1_slack10.1.tgz:
Upgraded to openssh-4.4p1.
This fixes a few security related issues. From the release notes found at
http://www.openssh.com/txt/release-4.4:
* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
expired.
* Fix an unsafe signal hander reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.
* On portable OpenSSH, fix a GSSAPI authentication abort that could
be used to determine the validity of usernames on some platforms.
Links to the CVE entries will be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set
the way you want them. Future upgrades will respect the existing permissions
settings. Thanks to Manuel Reimer for pointing out that upgrading openssh
would enable a previously disabled sshd daemon.
Do better checking of passwd, shadow, and group to avoid adding
redundant entries to these files. Thanks to Menno Duursma.
(* Security fix *)
patches/packages/openssl-0.9.7l-s390-1_slack10.1.tgz:
Upgraded to openssl-0.9.7l.
This fixes a few security related issues:
During the parsing of certain invalid ASN.1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory (CVE-2006-2937). (This issue did not affect
OpenSSL versions prior to 0.9.7)
Thanks to Dr S. N. Henson of Open Network Security and NISCC.
Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack (CVE-2006-2940).
Thanks to Dr S. N. Henson of Open Network Security and NISCC.
A buffer overflow was discovered in the SSL_get_shared_ciphers()
utility function. An attacker could send a list of ciphers to an
application that uses this function and overrun a buffer.
(CVE-2006-3738)
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
A flaw in the SSLv2 client code was discovered. When a client
application used OpenSSL to create an SSLv2 connection to a malicious
server, that server could cause the client to crash (CVE-2006-4343).
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
Links to the CVE entries will be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
(* Security fix *)
+--------------------------+
Mon Sep 25 02:35:09 EDT 2006
patches/packages/glibc-2.3.4-s390-2.tgz: Patched dl-load.c to fix a problem
with OpenSSH not allowing connections on some systems where privilege
separation and UseDNS were both set to "yes," which is the default for
Slack/390.
patches/packages/glibc-profile-2.3.4-s390-2.tgz: Rebuilt.
patches/packages/glibc-solibs-2.3.4-s390-2.tgz: Rebuilt
+--------------------------+
Sat Sep 23 19:46:27 EDT 2006
patches/packages/gzip-1.3.5-s390-1_slack10.1.tgz:
Upgraded to gzip-1.3.5, and fixed a variety of bugs.
Some of the bugs have possible security implications if gzip or its tools are
fed a carefully constructed malicious archive. Most of these issues were
recently discovered by Tavis Ormandy and the Google Security Team. Thanks
to them, and also to the ALT and Owl developers for cleaning up the patch.
For further details about the issues fixed, please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
(* Security fix *)
+--------------------------+
Tue Sep 19 16:02:25 EDT 2006
patches/packages/openssl-0.9.7e-s390-5_slack10.1.tgz: Patched an issue where
it is possible to forge certain kinds of RSA signatures.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
patches/packages/openssl-solibs-0.9.7e-s390-5_slack10.1.tgz: Patched an issue
where it is possible to forge certain kinds of RSA signatures.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
(* Security fix *)
+--------------------------+
Sat Sep 9 21:20:13 EDT 2006
patches/packages/bind-9.3.2_P1-s390-1_slack10.1.tgz:
Upgraded to bind-9.3.2_P1.
This update addresses a denial of service vulnerability.
BIND's CHANGES file says this:
2066. [security] Handle SIG queries gracefully. [RT #16300]
The best discussion I've found is in FreeBSD's advisory, so here's a link:
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:20.bind.asc
Also, fixed some missing man pages. (noticed by Xavier Thomassin -- thanks)
(* Security fix *)
patches/packages/bootshell-1.3-s390-2.tgz:
Rebuilt bootshell as static, not dynamic. If your /usr file
system isn't available, you still want to be able to log in
to your system so you can fix it. ;)
+--------------------------+
Sun Aug 27 14:40:37 EDT 2006
patches/packages/gnupg-1.4.5-s390-1_slack10.1.tgz:
Upgraded to gnupg-1.4.5.
From the gnupg-1.4.5 NEWS file:
* Fixed 2 more possible memory allocation attacks. They are
similar to the problem we fixed with 1.4.4. This bug can easily
be be exploited for a DoS; remote code execution is not entirely
impossible.
(* Security fix *)
patches/packages/libtiff-3.8.2-s390-1_slack10.1.tgz:
Patched vulnerabilities in libtiff which were found by Tavis Ormandy of
the Google Security Team. These issues could be used to crash programs
linked to libtiff or possibly to execute code as the program's user.
A low risk command-line overflow in tiffsplit was also patched.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
(* Security fix *)
+--------------------------+
Sun Aug 6 17:16:38 EDT 2006
slackware/n/iproute2-2.6.9_ss040831-s390-1.tgz: Finally figured out how to
get this package to build (it was getting glibc double free errors during
the make process), by taking the tc/normal.c and tc/paretonormal.c code
from a newer version.
+--------------------------+
Sun Jul 30 01:45:17 EDT 2006
patches/packages/apache-1.3.37-s390-1_slack10.1.tgz:
Upgraded to apache-1.3.37.
From the announcement on httpd.apache.org:
This version of Apache is security fix release only. An off-by-one flaw
exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3
since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
The Slackware Security Team feels that the vast majority of installations
will not be configured in a vulnerable way but still suggests upgrading to
the new apache and mod_ssl packages for maximum security.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
And see Apache's announcement here:
http://www.apache.org/dist/httpd/Announcement1.3.html
(* Security fix *)
patches/packages/mod_ssl-2.8.28_1.3.37-s390-1_slack10.1.tgz:
Upgraded to mod_ssl-2.8.28-1.3.37.
patches/packages/mutt-1.4.2.2i-s390-1_slack10.1.tgz:
Upgraded to mutt-1.4.2.2i.
This release fixes CVE-2006-3242, a buffer overflow that could be triggered
by a malicious IMAP server.
[Connecting to malicious IMAP servers must be common, right? -- Ed.]
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242
(* Security fix *)
patches/packages/samba-3.0.23-s390-2_slack10.1.tgz:
Patched a problem in nsswitch/wins.c that caused crashes in the wins
and/or winbind libraries.
Thanks to Mikhail Kshevetskiy for pointing out the issue and offering
a reference to the patch in Samba's source repository.
Also, this version of Samba evidently created a new dependency on libdm.so
(found in the xfsprogs package in non -current Slackware versions). This
additional dependency was not intentional, and has been corrected.
patches/packages/tcpip-0.17-s390-31c_slack10.1.tgz:
Repatched the telnet client with the official OpenBSD patch that had
already replaced the original security fix in Slackware 9.1, 10.2 and
-current. Thanks to Dragan Simic for reporting the issue, and my
apologies for taking so long to address the insufficiencies of the
original patch in Slackware 10.0 and 10.1.
+--------------------------+
Sun Jul 16 17:07:16 EDT 2006
patches/packages/samba-3.0.23-s390-1_slack10.1.tgz:
Upgraded to samba-3.0.23.
This fixes a minor memory exhaustion DoS in smbd.
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
(* Security fix *)
+--------------------------+
Sun Jul 2 17:41:43 EDT 2006
patches/packages/arts-1.3.2-s390-2_slack10.1.tgz:
Patched to fix a possible exploit if artswrapper is setuid root (which,
by default, it is not) and the system is running a 2.6 kernel.
Systems running 2.4 kernels are not affected.
The official KDE security advisory may be found here:
http://www.kde.org/info/security/advisory-20060614-2.txt
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
(* Security fix *)
patches/packages/gnupg-1.4.4-s390-1_slack10.1.tgz:
This version fixes a memory allocation issue that could allow an attacker to
crash GnuPG creating a denial-of-service.
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082
patches/packages/kdebase-3.3.2-s390-3_slack10.1.tgz:
Patched a problem with kdm where it could be abused to read any file
on the system.
The official KDE security advisory may be found here:
http://www.kde.org/info/security/advisory-20060614-1.txt
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2449
(* Security fix *)
+--------------------------+
Thu Jun 15 14:33:56 EDT 2006
patches/packages/sendmail-8.13.7-s390-1_slack10.1.tgz:
Upgraded to sendmail-8.13.7.
Fixes a potential denial of service problem caused by excessive recursion
leading to stack exhaustion when attempting delivery of a malformed MIME
message. This crashes sendmail's queue processing daemon, which in turn
can lead to two problems: depending on the settings, these crashed
processes may create coredumps which could fill a drive partition; and
such a malformed message in the queue will cause queue processing to
cease when the message is reached, causing messages that are later in
the queue to not be processed.
Sendmail's complete advisory may be found here:
http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
Sendmail has also provided an FAQ about this issue:
http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173
(* Security fix *)
patches/packages/sendmail-cf-8.13.7-noarch-1_slack10.1.tgz:
Upgraded to sendmail-8.13.7 configs.
+--------------------------+
Sat Jun 10 18:53:23 EDT 2006
a/bash-3.0-s390-1.tgz: Downgraded to bash-3.0-s390-1, since the -2 version
seems to hang after the very first command issued.
+--------------------------+
Thu Jun 8 20:52:03 EDT 2006
a/s390-tools-1.2.4-s390-1.tgz: Moved s390-tools-1.2.4-s390-1.tgz from the
slackware/k directory to slackware/a. This is so that more people will
install it by default, since it contains zipl, which is a pretty
necessary package for any install.
patches/packages/mysql-4.0.27-s390-1_slack10.1.tgz:
Upgraded to mysql-4.0.27.
This fixes some minor security issues with possible information leakage.
Note that the information leakage bugs require that the attacker have
access to an account on the database. Also note that by default,
Slackware's rc.mysqld script does *not* allow access to the database
through the outside network (it uses the --skip-networking option).
If you've enabled network access to MySQL, it is a good idea to filter
the port (3306) to prevent access from unauthorized machines.
For more details, see the MySQL 4.0.27 release announcement here:
http://lists.mysql.com/announce/359
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517
(* Security fix *)
+--------------------------+
Tue May 30 16:55:00 EDT 2006
patches/packages/apache-1.3.35-s390-2_slack10.1.tgz:
Upgraded to apache-1.3.35.
Patched to fix totally broken Include behavior.
From the official announcement:
Of particular note is that 1.3.35 addresses and fixes 1 potential
security issue: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
(* Security fix *)
patches/packages/gnupg-1.4.2.2-s390-1.tgz: Upgraded to gnupg-1.4.2.2.
There have been two security related issues reported recently with GnuPG.
From the GnuPG 1.4.2.1 and 1.4.2.2 NEWS files:
Noteworthy changes in version 1.4.2.2 (2006-03-08)
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
Noteworthy changes in version 1.4.2.1 (2006-02-14)
* Security fix for a verification weakness in gpgv. Some input
could lead to gpgv exiting with 0 even if the detached signature
file did not carry any signature. This is not as fatal as it
might seem because the suggestion as always been not to rely on
th exit code but to parse the --status-fd messages. However it
is likely that gpgv is used in that simplified way and thus we
do this release. Same problem with "gpg --verify" but nobody
should have used this for signature verification without
checking the status codes anyway. Thanks to the taviso from
Gentoo for reporting this problem.
(* Security fix *)
patches/packages/mod_ssl-2.8.26_1.3.35-s390-1_slack10.1.tgz:
Upgraded to mod_ssl-2.8.26-1.3.35.
This is an updated version designed for Apache 1.3.35.
patches/packages/mozilla-1.7.13-s390-1.tgz: Upgraded to mozilla-1.7.13.
This upgrade fixes several possible security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla
This release marks the end-of-life of the Mozilla 1.7.x series:
http://developer.mozilla.org/devnews/index.php/2006/04/12/sunset-announcement-for-fxtb-10x-and-m
ozilla-suite-17x/
Mozilla Corporation is recommending that users think about
migrating to Firefox and Thunderbird.
(* Security fix *)
patches/packages/mozilla-plugins-1.7.13-noarch-1.tgz:
Updated for mozilla-1.7.13.
patches/packages/sendmail-8.13.6-s390-1.tgz: Upgraded to sendmail-8.13.6.
This new version of sendmail contains a fix for a security problem
discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
Sendmail was notified by security researchers at ISS that, under some
specific timing conditions, this vulnerability may permit a specifically
crafted attack to take over the sendmail MTA process, allowing remote
attackers to execute commands and run arbitrary programs on the system
running the MTA, affecting email delivery, or tampering with other
programs and data on this system. Sendmail is not aware of any public
exploit code for this vulnerability. This connection-oriented
vulnerability does not occur in the normal course of sending and
receiving email. It is only triggered when specific conditions are
created through SMTP connection layer commands.
Sendmail's complete advisory may be found here:
http://www.sendmail.com/company/advisory/index.shtml
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
(* Security fix *)
patches/packages/sendmail-cf-8.13.6-noarch-1.tgz:
Upgraded to sendmail-8.13.6 configuration files.
patches/packages/x11-6.8.1-s390-5.tgz:
Patched with x11r6.9.0-mitri.diff and recompiled.
A typo in the X render extension allows an X client to crash the server
and possibly to execute arbitrary code as the X server user (typically
this is "root".)
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526
The advisory from X.Org may be found here:
http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
(* Security fix *)
patches/packages/x11-devel-6.8.1-s390-5.tgz:
Patched and recompiled libXrender.
(* Security fix *)
+--------------------------+
Mon Apr 03 01:16:00 EST 2006
patches/packages/fetchmail-6.3.2-s390-1.tgz: Upgraded to fetchmail-6.3.2.
Presumably this replaces all the known security problems with
a batch of new unknown ones. (fetchmail is improving, really ;-)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321
(* Security fix *)
patches/packages/kdegraphics-3.3.2-s390-5.tgz: Patched integer and
heap overflows in kpdf to fix possible security bugs with malformed
PDF files.
For more information, see:
http://www.kde.org/info/security/advisory-20051207-2.txt
http://www.kde.org/info/security/advisory-20060202-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0746
(* Security fix *)
patches/packages/kdelibs-3.3.2-s390-3.tgz: Patched a heap overflow
vulnerability in kjs, the JavaScript interpreter engine used by
Konqueror and other parts of KDE.
For more information, see:
http://www.kde.org/info/security/advisory-20060119-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019
(* Security fix *)
patches/packages/openssh-4.3p1-s390-1.tgz: Upgraded to openssh-4.3p1.
This fixes a security issue when using scp to copy files that could
cause commands embedded in filenames to be executed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
(* Security fix *)
patches/packages/sudo-1.6.8p12-s390-1.tgz: Upgraded to sudo-1.6.8p12.
This fixes an issue where a user able to run a Python script through sudo
may be able to gain root access.
IMHO, running any kind of scripting language from sudo is still not safe...
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0151
(* Security fix *)
patches/packages/xpdf-3.01-s390-3a.tgz: Recompiled with xpdf-3.01pl2.patch to
fix integer and heap overflows in xpdf triggered by malformed PDF files.
Included --with-Xm-includes option given to ./configure.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
(* Security fix *)
+--------------------------+
Sat Dec 17 14:05:00 EST 2005
patches/packages/apache-1.3.34-s390-1.tgz: Upgraded to apache-1.3.34.
Fixes this minor security bug: "If a request contains both Transfer-Encoding
and Content-Length headers, remove the Content-Length, mitigating some HTTP
Request Splitting/Spoofing attacks."
(* Security fix *)
patches/packages/curl-7.12.2-s390-2.tgz: Patched. This addresses a buffer
overflow in libcurl's NTLM function that could have possible security
implications.
For more details, see:
http://curl.haxx.se/docs/security.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
(* Security fix *)
patches/packages/elm-2.5.8-s390-1.tgz: Upgraded to elm2.5.8.
This fixes a buffer overflow in the parsing of the Expires header that
could be used to execute arbitrary code as the user running Elm.
Thanks to Ulf Harnhammar for finding the bug and reminding me to get
out updated packages to address the issue.
A reference to the original advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html
patches/packages/imapd-4.64-s390-1.tgz: Upgraded to imapd-4.64.
A buffer overflow was reported in the mail_valid_net_parse_work function.
However, this function in the c-client library does not appear to be called
from anywhere in imapd. iDefense states that the issue is of LOW risk to
sites that allow users shell access, and LOW-MODERATE risk to other servers.
I believe it's possible that it is of NIL risk if the function is indeed
dead code to imapd, but draw your own conclusions...
(* Security fix *)
patches/packages/koffice-1.3.5-s390-3.tgz: Patched.
Fixes a buffer overflow in KWord's RTF import discovered by Chris Evans.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971
(* Security fix *)
patches/packages/lynx-2.8.5rel.5-s390-1.tgz: Upgraded to lynx-2.8.5rel.5.
Fixes an issue where the handling of Asian characters when using lynx to
connect to an NNTP server (is this a common use?) could result in a buffer
overflow causing the execution of arbitrary code.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
(* Security fix *)
patches/packages/mod_ssl-2.8.25_1.3.34-s390-1.tgz:
Upgraded to mod_ssl-2.8.25-1.3.34.
patches/packages/pine-4.64-s390-1.tgz: Upgraded to pine-4.64.
patches/packages/wget-1.10.2-s390-1.tgz: Upgraded to wget-1.10.2.
This addresses a buffer overflow in wget's NTLM handling function that could
have possible security implications.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
(* Security fix *)
+--------------------------+
Sat Dec 17 01:13:00 EST 2005
patches/packages/dhcpcd-1.3.22pl4-s390-2.tgz: Patched an issue where a
remote attacker can cause dhcpcd to crash.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1848
(* Security fix *)
patches/packages/gaim-1.5.0-s390-1.tgz: Upgraded to gaim-1.5.0.
This fixes some more security issues.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
(* Security fix *)
patches/packages/kdebase-3.3.2-s390-2.tgz: Patched a security bug in
kcheckpass that could allow a local user to gain root privileges.
For more information, see:
http://www.kde.org/info/security/advisory-20050905-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494
(* Security fix *)
patches/packages/mozilla-1.7.12-s390-1.tgz: Upgraded to mozilla-1.7.12.
This fixes several security issues. For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
(* Security fix *)
patches/packages/mozilla-plugins-1.7.12-noarch-1.tgz: Rebuilt.
patches/packages/openssl-0.9.7e-s390-2.tgz: Patched.
Fixed a vulnerability that could, in rare circumstances, allow an attacker
acting as a "man in the middle" to force a client and a server to negotiate
the SSL 2.0 protocol (which is known to be weak) even if these parties both
support SSL 3.0 or TLS 1.0.
For more details, see:
http://www.openssl.org/news/secadv_20051011.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
(* Security fix *)
patches/packages/openssl-solibs-0.9.7e-s390-2.tgz: Patched.
(* Security fix *)
patches/packages/pcre-6.3-s390-1.tgz: Upgraded to pcre-6.3.
This fixes a buffer overflow that could be triggered by the processing of a
specially crafted regular expression. Theoretically this could be a security
issue if regular expressions are accepted from untrusted users to be
processed by a user with greater privileges, but this doesn't seem like a
common scenario (or, for that matter, a good idea). However, if you are
using an application that links to the shared PCRE library and accepts
outside input in such a manner, you will want to update to this new package.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
patches/packages/php-4.3.11-s390-3.tgz: Relinked with the system PCRE library,
as the builtin library has a buffer overflow that could be triggered by the
processing of a specially crafted regular expression.
Note that this change requires the pcre package to be installed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
(* Security fix *)
Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
insecure eval() function.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
(* Security fix *)
patches/packages/util-linux-2.12p-s390-2.tgz: Patched an issue with
umount where if the umount failed when the '-r' option was used, the
filesystem would be remounted read-only but without any extra flags
specified in /etc/fstab. This could allow an ordinary user able to
mount a floppy or CD (but with nosuid, noexec, nodev, etc in
/etc/fstab) to run a setuid binary from removable media and gain
root privileges.
Reported to BugTraq by David Watson:
http://www.securityfocus.com/archive/1/410333
(* Security fix *)
patches/packages/x11-6.8.1-s390-4.tgz: Patched a pixmap overflow issue.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
(* Security fix *)
patches/packages/x11-xdmx-6.8.1-s390-4.tgz: Patched and rebuilt.
patches/packages/x11-xnest-6.8.1-s390-4.tgz: Patched and rebuilt.
patches/packages/x11-xvfb-6.8.1-s390-4.tgz: Patched and rebuilt.
patches/packages/xine-lib-1.0.3a-s390-1.tgz: Upgraded to xine-lib-1.0.3a.
This fixes a format string bug where an attacker, if able to upload malicious
information to a CDDB server and then get a local user to play a certain
audio CD, may be able to run arbitrary code on the machine as the user
running the xine-lib linked application.
For more information, see:
http://xinehq.de/index.php/security/XSA-2005-1
(* Security fix *)
testing/packages/php-5.0.5/php-5.0.5-s390-1.tgz: Upgraded to
php-5.0.5, which fixes security issues with XML-RPC and PCRE.
This new package now links with the system's shared PCRE library,
so be sure you have the new PCRE package from patches/packages/
installed.
Ordinarily packages in /testing are not considered supported, but
several people have written Pat to say that they are using php5
from /testing in a production environment and would like to see an
updated package, so here it is. The package in /testing was
replaced in /testing rather than putting it under /patches to
avoid any problems with automatic upgrade tools replacing php-4
packages with this one.
For more information on the security issues fixed, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
(* Security fix *)
+--------------------------+
Sat Jul 30 01:56:13 EDT 2005
patches/packages/dnsmasq-2.22-s390-1.tgz: Upgraded to dnsmasq-2.22.
This fixes an off-by-one overflow vulnerability may allow a DHCP
client to create a denial of service condition. Additional code was
also added to detect and defeat attempts to poison the DNS cache.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877
(* Security fix *)
patches/packages/emacs-21.4a-s390-1.tgz: Upgraded to emacs-21.4a.
This fixes a vulnerability in the movemail utility when connecting to a
malicious POP server that may allow the execution of arbitrary code as
the user running emacs.
(* Security fix *)
patches/packages/emacs-info-21.4a-s390-1.tgz: Upgraded to emacs-21.4a.
patches/packages/emacs-leim-21.4-s390-1.tgz: Upgraded to leim-21.4.
patches/packages/emacs-lisp-21.4a-s390-1.tgz: Upgraded to emacs-21.4a.
patches/packages/emacs-misc-21.4a-s390-1.tgz: Upgraded to emacs-21.4a.
patches/packages/emacs-nox-21.4a-s390-1.tgz: Upgraded to emacs-21.4a.c
patches/packages/fetchmail-6.2.5.2-s390-1.tgz:
Upgraded to fetchmail-6.2.5.2.
This fixes an overflow by which malicious or compromised POP3 servers
may overflow fetchmail's stack.
For more information, see:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
(* Security fix *)
patches/packages/kdenetwork-3.3.2-s390-2.tgz: Patched overflows in
libgadu (used by kopete) that can cause a denial of service or
arbitrary code execution.
For more information, see:
http://www.kde.org/info/security/advisory-20050721-1.txt
(* Security fix *)
patches/packages/mozilla-1.7.10-s390-2.tgz: Fixed a folder switching bug.
Thanks to Peter Santoro for pointing out the patch.
patches/packages/tcpip-0.17-s390-31b.tgz: Patched two overflows in
the telnet client that could allow the execution of arbitrary code
when connected to a malicious telnet server.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
(* Security fix *)
patches/packages/zlib-1.2.3-s390-1.tgz: Upgraded to zlib-1.2.3.
This fixes an additional crash not fixed by the patch to zlib-1.2.2.
(* Security fix *)
+--------------------------+
Tue Jul 26 01:53:00 EDT 2005
These GTK+ related packages fix some bugs that affect Firefox and
Acrobat Reader. Thanks to Helmut Schmid for the bug report. :-)
patches/packages/atk-1.9.1-s390-1.tgz: Upgraded to atk-1.9.1.
patches/packages/glib2-2.6.4-s390-1.tgz: Upgraded to glib-2.6.4.
patches/packages/gtk+2-2.6.7-s390-1.tgz: Upgraded to gtk+-2.6.7.
patches/packages/pango-1.8.1-s390-1.tgz: Upgraded to pango-1.8.1.
patches/packages/mozilla-1.7.10-s390-1.tgz: Upgraded to mozilla-1.7.10.
This fixes several security issues. For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
(* Security fix *)
patches/packages/mozilla-plugins-1.7.10-noarch-1.tgz: Upgraded Java(TM)
symlink for Mozilla.
patches/packages/ncftp-3.1.9-s390-1.tgz: Upgraded to ncftp-3.1.9.
This corrects a vulnerability where a download from a hostile FTP server
might be written to an unintended location potentially compromising system
security or causing a denial of service.
For more details, see:
http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5
(* Security fix *)
patches/packages/php-4.3.11-s390-1.tgz: Upgraded to php-4.3.11.
"This is a maintenance release that in addition to over 70 non-critical bug
fixes addresses several security issues inside the exif and fbsql extensions
as well as the unserialize(), swf_definepoly() and getimagesize() functions."
(* Security fix *)
patches/packages/php-4.3.11-s390-2.tgz: Upgraded PEAR XML_RPC class.
This new PHP package fixes a PEAR XML_RPC vulnerability. Sites that use
this PEAR class should upgrade to the new PHP package, or as a minimal
fix may instead upgrade the XML_RPC PEAR class with the following command:
pear upgrade XML_RPC
(* Security fix *)
patches/packages/sudo-1.6.8p9-s390-1.tgz: Upgraded to sudo-1.6.8p9.
This new version of Sudo fixes a race condition in command pathname handling
that could allow a user with Sudo privileges to run arbitrary commands.
For full details, see the Sudo site:
http://www.courtesan.com/sudo/alerts/path_race.html
(* Security fix *)
patches/packages/tcpdump-3.9.3-s390-1.tgz: Upgraded to libpcap-0.9.3 and
tcpdump-3.9.3. This fixes an issue where an invalid BGP packet can
cause tcpdump to go into an infinate loop, effectively disabling network
monitoring.
(* Security fix *)
+--------------------------+
Sun Jul 24 23:00:00 EDT 2005
patches/packages/cvs-1.11.20-s390-1.tgz: Upgraded to cvs-1.11.20.
From cvshome.org: "This version fixes many minor security issues in the
CVS server executable including a potentially serious buffer overflow
vulnerability with no known exploit. We recommend this upgrade for all CVS
servers!"
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
(* Security fix *)
patches/packages/gaim-1.3.1-s390-1.tgz: Upgraded to gaim-1.3.1 and
gaim-encryption-2.38. This fixes a couple of remote crash bugs, so
users of the MSN and Yahoo! chat protocols should upgrade to gaim-1.3.1.
(* Security fix *)
patches/packages/gxine-0.4.6-s390-1.tgz: Upgraded to gxine-0.4.6.
This fixes a format string vulnerability that allows remote attackers to
execute arbitrary code via a ram file with a URL whose hostname contains
format string specifiers.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
(* Security fix *)
patches/packages/infozip-5.52-s390-1.tgz: Upgraded to unzip552.tar.gz and
zip231.tar.gz. These fix some buffer overruns if deep directory paths are
packed into a Zip archive which could be a security vulnerability (for
example, in a case of automated archiving or backups that use Zip). However,
it also appears that these now use certain assembly instructions that might
not be available on older CPUs, so if you have an older machine you may wish
to take this into account before deciding whether you should upgrade.
(* Security fix *)
patches/packages/python-2.4.1-s390-1.tgz: Upgraded to python-2.4.1.
From the python.org site: "The Python development team has discovered a flaw
in the SimpleXMLRPCServer library module which can give remote attackers
access to internals of the registered object or its module or possibly other
modules. The flaw only affects Python XML-RPC servers that use the
register_instance() method to register an object without a _dispatch()
method. Servers using only register_function() are not affected."
For more details, see:
http://python.org/security/PSF-2005-001/
(* Security fix *)
patches/packages/python-demo-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
demos.
patches/packages/python-tools-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
tools.
patches/packages/xine-lib-1.0.1-s390-1.tgz: Upgraded to xine-lib-1.0.1.
This fixes some bugs in the MMS and Real RTSP streaming client code.
While the odds of this vulnerability being usable to a remote attacker are
low (but see the xine advisory), if you stream media from sites using these
protocols (and you think the sites might be "hostile" and will try to hack
into your xine client), then you might want to upgrade to this new version
of xine-lib. Probably the other fixes and enchancements in xine-lib-1.0.1
are a better rationale to do so, though.
For more details on the xine-lib security issues, see:
http://xinehq.de/index.php/security/XSA-2004-8
(* Security fix *)
patches/packages/xv-3.10a-s390-2.tgz: Upgraded to the latest XV jumbo
patches, xv-3.10a-jumbo-fix-patch-20050410 and
xv-3.10a-jumbo-enh-patch-20050501. These fix a number of format string
and other possible security issues in addition to providing many other
bugfixes and enhancements.
(Thanks to Greg Roelofs)
(* Security fix *)
+--------------------------+
Sun Apr 10 18:48:07 EDT 2005
patches/packages/php-4.3.11-s390-1.tgz: Upgraded to php-4.3.11.
"This is a maintenance release that in addition to over 70 non-critical bug
fixes addresses several security issues inside the exif and fbsql extensions
as well as the unserialize(), swf_definepoly() and getimagesize() functions."
(* Security fix *)
+--------------------------+
Wed Mar 30 18:41:02 EST 2005
patches/packages/gaim-1.2.0-s390-1.tgz: Upgraded to gaim-1.2.0 and
gaim-encryption-2.36 (compiled against mozilla-1.7.6).
patches/packages/mozilla-1.7.6-s390-1.tgz: Upgraded to mozilla-1.7.6.
Fixes some security issues. Please see mozilla.org for a complete list.
(* Security fix *)
patches/packages/mozilla-plugins-1.7.6-noarch-1.tgz: Adjusted plugin
symlinks for Mozilla 1.7.6.
+--------------------------+
Sat Feb 19 17:24:00 EST 2005
a/pkgtools-10.1.0-s390-2: Reverted /sbin/pkgtool to the version used in
Slackware 10.0. While this version is slower to build the list of packages
when viewing or removing packages, it is far more forgiving of a slightly
corrupted or out of spec package database. There are many tools (like
checkinstall) that do not build packages the same way that Slackware's
makepkg does, and when these packages are installed the optimized version of
pkgtool runs into problems. These problems are caused by installing broken
packages, and should not be blamed on pkgtool (there are many ways to build a
tar+gz package that does not conform to the rules as defined by a makepkg
built tgz package, and it would be impossible to "fix" pkgtool to handle all
of them properly). Perhaps these optimizations will be looked at again for
Slackware 11, but IMHO a faster way to get a list of packages is to go into
/var/log/packages and use "ls" and "less", and a better way to remove them
is with removepkg. In any case, this version of pkgtool works better so
that's what will ship with Slackware 10.1.
Fixed a couple bugs and sped up pkgtool more.
Thanks to Jim Hawkins and Lasse Collin for the pkgtool patches.
Add a patch for removepkg to rmdir directories containing spaces.
Thanks to Thomas Pfaff for this patch.
l/esound-0.2.35-s390-1: Upgraded to esound-0.2.35.
l/imlib-1.9.15-s390-1: Upgraded to imlib-1.9.15. This fixes an image
decoder overflow in the BMP handling routines which could possibly be
exploited if a specially crafted BMP image is loaded. This seems like an
unlikely situation, but better safe than sorry...
(* Security fix *)
xap/rxvt-2.7.10-s390-2: Added --enable-xgetdefault to ./configure.
Thanks to Corvin for the suggestion. :-)
xap/xfce-4.2.0-s390-2: Fixed /etc/X11/xdg/xfce4/xinitrc perms.
(Thanks to Roberto Di Girolamo)
In xinitrc.xfce, make the /tmp/xrdb file in a more secure fashion.
+--------------------------+
Thu Feb 17 01:36:10 EST 2005
n/nfs-utils-1.0.7-s390-1.tgz: Upgraded to nfs-utils-1.0.7.
+--------------------------+
Mon Feb 7 14:37:00 EST 2004
a/glibc-solibs-2.3.4-s390-1.tgz: Upgraded to glibc-2.3.4.
a/glibc-zoneinfo-2.3.4-noarch-1.tgz: Upgraded to glibc-2.3.4.
l/glibc-2.3.4-s390-1.tgz: Upgraded to glibc-2.3.4.
l/glibc-i18n-2.3.4-noarch-1.tgz: Upgraded to glibc-2.3.4.
l/glibc-profile-2.3.4-s390-1.tgz: Upgraded to glibc-2.3.4.
+--------------------------+
Sun Feb 6 12:42:00 EST 2004
n/irssi-0.8.9-s390-4.tgz: Removed obsolete "botti" program.
+--------------------------+
Fri Feb 4 00:39:00 EST 2004
d/j2sdk-1.4.2-s390-1: Upgraded to IBM Java SDK 1.4.2.
kde/kdeedu-3.3.2-s390-2.tgz: Rebuilt, fixed incorrect permissions.
kde/kdelibs-3.3.2-s390-2.tgz: Rebuilt to work with Python 2.4.
Added kioslave patch.
kde/koffice-1.3.5-s390-2.tgz: Rebuilt to work with Python 2.4.
Patched kpdf crash.
l/sdl-1.2.8-s390-1.tgz: Upgraded to sdl-1.2.8.
n/bind-9.3.0-s390-2.tgz: Patched a possible denial of service in BIND's
validator code. The risk level on this bug is rather low, as the flaw
only affects BIND if DNSSEC is used. This is not the default setting.
(* Security fix *)
xap/mozilla-plugins-1.7.5-noarch-1.tgz: Upgraded to mozilla-plugins-1.7.5.
testing/packages/gcc-3.4.3/gcc-*.tgz: Upgraded to gcc-3.4.3.
+--------------------------+
Sun Jan 30 22:58:00 EST 2004
a/hdparm-5.8-s390-1.tgz: Upgraded to hdparm-5.8.
ap/mysql-4.0.23a-s390-1.tgz: Upgraded to mysql-4.0.23a.
I know there are newer production branches than 4.0.x, but don't think
such a change would be good at the last minute. It will be one of the
first orders of pre-11-current business, though.
ap/sudo-1.6.8p6-s390-1.tgz: Upgraded to sudo-1.6.8p6.
gnome/gthumb-2.6.3-s390-1.tgz: Upgraded to gthumb-2.6.3.
n/imapd-4.62-s390-1.tgz: Upgraded to imapd from pine-4.62.
n/nail-11.20-s390-1.tgz: Upgraded to nail-11.20.
n/pine-4.62-s390-1.tgz: Upgraded to pine-4.62.
n/popa3d-0.6.4.1-s390-1.tgz: Upgraded to popa3d-0.6.4.1.
n/tcpip-0.17-s390-3.tgz: Applied a couple of netconfig patches.
xap/xfce-4.2.0-s390-1.tgz: Upgraded to xfce-4.2.0. Fixed
/etc/X11/xdg/xfce4/xinitrc perms.
extra/slackpkg/slackpkg-1.4-noarch-9.tgz: Upgraded to slackpkg-1.4-noarch-9.
+--------------------------+
Sun Jan 30 01:38:00 EST 2004
l/libtiff-3.7.1-s390-1.tgz: Upgraded to libtiff-3.7.1, and patched a
transparency bug.
n/dnsmasq-2.20-s390-1.tgz: Upgraded to dnsmasq-2.20.
n/sendmail-8.13.3-s390-1.tgz: Upgraded to sendmail-8.13.3.
n/sendmail-cf-8.13.3-noarch-1.tgz: Upgraded to sendmail-8.13.3 config files.
x/x11-6.8.1-s390-3.tgz: Applied CAN-2004-0914 patch to libXpm. Unlikely to
ever be used in the real world other than (also unlikely) through a crash,
but I'm trying to pay attention to detail. :-)
(* Security fix *)
x/x11-devel-6.8.1-s390-3.tgz: Applied CAN-2004-0914 patch to libXpm.
xap/mozilla-1.7.5-s390-1.tgz: Upgraded to mozilla-1.7.5.
xap/xpdf-3.00-s390-3.tgz: Added three patches that prevent xpdf crashes.
+--------------------------+
Thu Jan 27 22:54:00 EST 2004
a/cups-1.1.23-s390-1.tgz: Upgraded to cups-1.1.23.
a/kernel-default-2.4.29-s390-1.tgz: Upgraded to Linux 2.4.29 kernel.
a/kernel-modules-2.4.29-s390-1.tgz: Upgraded to Linux 2.4.29 kernel modules.
a/udev-050-s390-1.tgz: Upgraded to udev-050.
ap/alsa-utils-1.0.8-s390-1.tgz: Upgraded to alsa-utils-1.0.8.
d/kernel-headers-2.4.29-s390-1.tgz: Upgraded to kernel-headers-2.4.29.
gnome/gdm-2.6.0.6-s390-1.tgz: Upgraded to gdm-2.6.0.6.
k/kernel-source-2.4.29-s390-1.tgz: Upgraded to Linux 2.4.29 kernel source.
kde/kdebindings-3.3.2-s390-1.tgz: Patched to work with Python 2.4.
l/alsa-lib-1.0.8-s390-1.tgz: Upgraded to alsa-lib-1.0.8.
l/alsa-oss-1.0.8-s390-1.tgz: Upgraded to alsa-oss-1.0.8.
n/gnupg-1.2.7-s390-1.tgz: Upgraded to gnupg-1.2.7.
n/stunnel-4.07-s390-1.tgz: Upgraded to stunnel-4.07.
xap/fluxbox-0.9.12-s390-1.tgz: Upgraded to fluxbox-0.9.12.
xap/gimp-2.2.3-s390-1.tgz: Upgraded to gimp-2.2.3.
xap/imagemagick-6.1.9_0-s390-1.tgz: Upgraded to ImageMagick-6.1.9-0.
xap/sane-1.0.15-s390-1.tgz: Upgraded to sane-backends-1.0.15.
xap/xchat-2.4.1-s390-1.tgz: Upgraded to xchat-2.4.1.
xap/xine-lib-1.0-s390-1.tgz: Upgraded to xine-lib-1.0.
xap/xscreensaver-4.19-s390-1.tgz: Upgraded to xscreensaver-4.19.
extra/bittornado/bittornado-0.3.9b-noarch-1.tgz: Upgraded to bittornado-0.3.9b
extra/bittorrent/bittorrent-3.9.1-noarch-1.tgz: Upgraded to bittorrent-3.9.1.
This is a beta, but the stable version does not work with Python 2.4, so
it seems prudent to switch.
extra/cpint-1.1.6/cpint-1.1.6_2.4.29-s390-1.tgz: Rebuilt against kernel 2.4.29 headers.
extra/inn/inn-2.4.2-s390-1.tgz: Upgraded to inn-2.4.2.
extra/slackpkg/slackpkg-1.3.1-noarch-3.tgz: Upgraded to slackpkg-1.3.1-noarch-3.
testing/packages/gnupg-1.4.0-s390-1.tgz: Upgraded to gnupg-1.4.0.
testing/packages/php-5.0.3/php-5.0.3-s390-1.tgz: Upgraded to php-5.0.3.
+--------------------------+
Thu Jan 27 01:57:00 EST 2004
a/module-init-tools-3.1-s390-1.tgz: Upgraded to module-init-tools-3.1 and
modutils-2.4.27.
a/util-linux-2.12p-s390-1.tgz: Upgraded to util-linux-2.12p.
d/binutils-2.15.92.0.2-s390-2.tgz: Upgraded to ksymoops-2.4.10.
Tried the newer binutils, but it couldn't compile ksymoops due to missing
symbols in libbfd.so we'll stick with 2.15.92.0.2 for now...
d/cvs-1.11.18-s390-1.tgz: Upgraded to cvs-1.11.18.
d/doxygen-1.4.0-s390-1.tgz: Upgraded to doxygen-1.4.0.
d/perl-5.8.6-s390-1.tgz: Upgraded to perl-5.8.6.
d/python-2.4-s390-1.tgz: Upgraded to python-2.4.
d/python-demo-2.4-noarch-1.tgz: Upgraded to python-2.4 demos.
d/python-tools-2.4-noarch-1.tgz: Upgraded to python-2.4 tools.
kde/kdegraphics-3.3.2-s390-2.tgz: Patched post-3.3.2 kpdf problems.
(* Security fix *)
l/libxml2-2.6.16-s390-1.tgz: Upgraded to libxml2-2.6.16.
l/libxslt-1.1.12-s390-1.tgz: Upgraded to libxslt-1.1.12.
l/taglib-1.3.1-s390-1.tgz: Upgraded to taglib-1.3.1.
n/getmail-4.2.5-noarch-1.tgz: Upgraded to getmail-4.2.5.
n/irssi-0.8.9-s390-3.tgz: Recompiled for perl-5.8.6.
xap/gaim-1.1.2-s390-1.tgz: Upgraded to gaim-1.1.1.
+--------------------------+
Wed Jan 26 01:33:00 EST 2004
a/openssl-solibs-0.9.7e-s390-1.tgz: Upgraded to openssl-0.9.7e.
d/automake-1.9.4-noarch-1.tgz: Upgraded to automake-1.9.4.
n/nfs-utils-1.0.7-s390-1.tgz: Upgraded to nfs-utils-1.0.7.
n/openssl-0.9.7e-s390-1.tgz: Upgraded to openssl-0.9.7e.
+--------------------------+
Fri Jan 21 17:16:00 EST 2004
a/tar-1.15.1-s390-1.tgz: Upgraded to tar-1.15.1.
+--------------------------+
Thu Jan 20 16:51:00 EST 2004
d/distcc-2.18.3-s390-1.tgz: Upgraded to distcc-2.18.3.
l/atk-1.9.0-s390-1.tgz: Upgraded to atk-1.9.0.
l/libpng-1.2.8-s390-1.tgz: Upgraded to libpng-1.2.8.
n/lftp-3.0.13-s390-1.tgz: Upgraded to lftp-3.0.13.
n/php-4.3.10-s390-1.tgz: Upgraded to php-4.3.10.
xap/gxine-0.4.1-s390-1.tgz: Upgraded to gxine-0.4.1.
xap/xine-ui-0.99.3-s390-1.tgz: Upgraded to xine-ui-0.99.3.
+--------------------------+
Thu Jan 20 00:23:00 EST 2004
kde/kdeaddons-3.3.2-s390-1.tgz: Upgraded to kdeaddons-3.3.2.
kde/kdepim-3.3.2-s390-1.tgz: Upgraded to kdepim-3.3.2.
kde/kdewebdev-3.3.2-s390-1.tgz: Upgraded to kdewebdev-3.3.2.
l/glib2-2.6.1-s390-1.tgz: Upgraded to glib2-2.6.1.
l/gtk+2-2.6.1-s390-1.tgz: Upgraded to gtk+2-2.6.1.
l/pango-1.8.0-s390-1.tgz: Upgraded to pango-1.8.0.
n/samba-3.0.10-s390-1.tgz: Upgraded to samba-3.0.10.
A possible buffer overrun in smbd could lead to code execution by a remote
user. For more details, see:
http://samba.cdpa.nsysu.edu.tw/samba/news/#can-2004-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
(* Security fix *)
xap/gimp-2.2.1-s390-1.tgz: Upgraded to gimp-2.2.1.
+--------------------------+
Wed Jan 19 00:55:00 EST 2004
kde/kdeaccessibility-3.3.2-s390-1.tgz: Upgraded to kdeaccessibility-3.3.2.
kde/kdeadmin-3.3.2-s390-1.tgz: Upgraded to kdeadmin-3.3.2.
kde/kdeartwork-3.3.2-s390-1.tgz: Upgraded to kdeartwork-3.3.2.
kde/kdebase-3.3.2-s390-1.tgz: Upgraded to kdebase-3.3.2.
kde/kdeedu-3.3.2-s390-1.tgz: Upgraded to kdeedu-3.3.2.
kde/kdegames-3.3.2-s390-1.tgz: Upgraded to kdegames-3.3.2.
kde/kdegraphics-3.3.2-s390-1.tgz: Upgraded to kdegraphics-3.3.2.
kde/kdelibs-3.3.2-s390-1.tgz: Upgraded to kdelibs-3.3.2.
kde/kdemultimedia-3.3.2-s390-1.tgz: Upgraded to kdemultimedia-3.3.2.
kde/kdenetwork-3.3.2-s390-1.tgz: Upgraded to kdenetwork-3.3.2.
kde/kdesdk-3.3.2-s390-1.tgz: Upgraded to kdesdk-3.3.2.
kde/kdetoys-3.3.2-s390-1.tgz: Upgraded to kdetoys-3.3.2.
kde/kdeutils-3.3.2-s390-1.tgz: Upgraded to kdeutils-3.3.2.
kde/kdevelop-3.1.2-s390-1.tgz: Upgraded to kdevelop 3.1.2.
+--------------------------+
Mon Jan 17 23:46:00 EST 2004
a/kernel-default-2.4.28-s390-1.tgz: Upgraded to Linux 2.4.28 kernel.
a/kernel-modules-2.4.28-s390-1.tgz: Upgraded to Linux 2.4.28 kernel modules.
ap/alsa-utils-1.0.7-s390-1.tgz: Upgraded to alsa-utils-1.0.7.
ap/sudo-1.6.8p5-s390-1.tgz: Upgraded to sudo-1.6.8p5.
d/gdb-6.3-s390-1.tgz: Upgraded to gdb-6.3.
d/kernel-headers-2.4.28-s390-1.tgz: Upgraded to kernel-headers-2.4.28.
k/kernel-source-2.4.28-s390-1.tgz: Upgraded to Linux 2.4.28 kernel source.
kde/arts-1.3.2-s390-1.tgz: Upgraded to arts-1.3.2.
l/alsa-lib-1.0.7-s390-1.tgz: Upgraded to alsa-lib-1.0.7.
l/alsa-oss-1.0.7-s390-1.tgz: Upgraded to alsa-oss-1.0.7.
extra/cpint-1.1.6/cpint-1.1.6_2.4.28-s390-1.tgz: Rebuilt against kernel 2.4.28 headers.
+--------------------------+
Wed Dec 29 12:48:00 EST 2004
kde/koffice-1.3.5-s390-1.tgz: Upgraded to koffice-1.3.5.
kdei/koffice*.tgz: Upgraded to koffice-i18n-1.3.5.
+--------------------------+
Fri Nov 19 13:32:00 EST 2004
n/ppp-2.4.2-s390-2.tgz: Rebuilt without autconf and automake installed.
This allowed the Radius client piece to build.
+--------------------------+
Wed Nov 17 20:38:00 EST 2004
a/acpid-1.0.4-s390-2.tgz: Fixed perms of /usr/doc/acpid-1.0.4/samples/
directory.
+--------------------------+
Tue Nov 9 16:45:00 EST 2004
a/bash-3.0-s390-2.tgz: Applied official bash-3.0 patches 1-15, then reverted
to bash-3.0-s390-1. Apparently the new version of glibc causes bash
to hang after any command is issued. Pat got around this by compiling
this under a previous version of Slackware. I'm going to just not do
anything until glibc gets fixed, or enough people complain about the
bugs that got fixed in patches 1-15 to do what Pat did.
a/hotplug-2004_09_23-noarch-1.tgz: Upgraded to hotplug-2004_09_23.
a/pkgtools-10.1.0-s390-1.tgz: Patched pkgtools to dramatically improve the
speed of the "View" option. The patch was written by Jim Hawkins.
Fixed a typo in pkgtool.8. (thanks to "ldconfig")
a/util-linux-2.12h-s390-1.tgz: Upgraded to util-linux-2.12h.
ap/mdadm-1.8.0-s390-1.tgz: Upgraded to mdadm-1.8.0.
kde/koffice-1.3.4-s390-2.tgz: Patched a bug in xpdf-based code that could
cause a crash.
l/libexif-0.6.11-s390-1.tgz: Upgraded to libexif-0.6.11 (but retained
libexif.so.9.1.2 from libexif-0.5.12 to give third party packages
a chance to be recompiled).
n/lftp-3.0.11-s390-1.tgz: Upgraded to lftp-3.0.11.
n/samba-3.0.7-s390-2.tgz: Applied a patch from Samba CVS needed to fix smbtree
on systems using a recent glibc (such as the one here in Slackware -current).
n/tcpip-0.17-s390-2.tgz: Upgraded to ethtool-2 and tftp-hpa-0.40.
Fixed a DoS bug in ntalkd.
xap/gimp-2.0.6-s390-1.tgz: Upgraded to gimp-2.0.6.
extra/bison-1.875d/bison-1.875d-s390-1.tgz: Upgraded to bison-1.875d.
extra/slackpkg/slackpkg-1.3-noarch-4.tgz: Upgraded to slackpkg-1.3-noarch-4.
pasture/fvwm95-2.0.43ba-s390-1.tgz: Moved to /pasture.
pasture/ifhp-3.5.18-s390-1.tgz: Upgraded to ifhp-3.5.18.
pasture/lprng-3.8.28-s390-1.tgz: Upgraded to LPRng-3.8.28.
+--------------------------+
Mon Nov 8 22:07:00 EST 2004
a/udev-042-s390-1.tgz: Upgraded to udev-042.
kde/kdegraphics-3.3.1-s390-2.tgz: Patched a crash bug in kpdf.
+--------------------------+
Sun Nov 7 23:48:00 EST 2004
a/cups-1.1.22-s390-1.tgz: Upgraded to cups-1.1.22.
ap/mysql-4.0.22-s390-1.tgz: Upgraded to mysql-4.0.22.
d/binutils-2.15.92.0.2-s390-11.tgz: Upgraded to binutils-2.15.92.0.2.
n/apache-1.3.33-s390-1.tgz: Upgraded to apache-1.3.33.
This fixes one new security issue (the first issue, CAN-2004-0492, was fixed
in apache-1.3.32). The second bug fixed in 1.3.3 (CAN-2004-0940) allows a
local user who can create SSI documents to become "nobody". The amount of
mischief they could cause as nobody seems low at first glance, but it might
allow them to use kill or killall as nobody to try to create a DoS.
Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski).
(* Security fix *)
n/mod_ssl-2.8.22_1.3.33-s390-1.tgz: Upgraded to mod_ssl-2.8.22_1.3.33.
+--------------------------+
Thu Nov 4 10:12:00 EST 2004
n/nail-11.13-s390-1.tgz: Upgraded to nail-11.13.
n/netatalk-2.0.1-s390-1.tgz: Upgraded to netatalk-2.0.1.
l/libxml2-2.6.15-s390-1.tgz: Upgraded to libxml2-2.6.15.
xap/imagemagick-6.1.2_4-s390-1.tgz: Upgraded to ImageMagick-6.1.2-4.
xap/windowmaker-0.91.0-s390-1.tgz: Upgraded to WindowMaker-0.91.0.
+--------------------------+
Wed Nov 3 18:48:00 EST 2004
libtiff-3.7.0-s390-1.tgz: Upgraded to libtiff-3.7.0.
This fixes several bugs that could lead to crashes, or could possibly allow
arbitrary code to be executed. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
(* Security fix *)
xap/gnuchess-5.07-s390-1.tgz: Upgraded to gnuchess-5.07.
This package also contains Sjeng-Free-11.2, eboard-0.9.5, and xboard-4.2.7.
+--------------------------+
Tue Oct 26 17:55:00 EDT 2004
n/apache-1.3.32-s390-1.tgz: Upgraded to apache-1.3.32.
This addresses a heap-based buffer overflow in mod_proxy by
rejecting responses from a remote server with a negative
Content-Length. The flaw could crash the Apache child process,
or possibly allow code to be executed as the Apache user (but
only if mod_proxy is actually in use on the server).
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
(* Security fix *)
n/mod_ssl-2.8.21_1.3.32-s390-1.tgz: Upgraded to mod_ssl-2.8.21-1.3.32.
Don't allow clients to bypass cipher requirements, possibly negotiating
a connection that the server does not consider secure enough.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
(* Security fix *)
+--------------------------+
Sun Oct 24 00:12:00 EDT 2004
xap/gaim-1.0.2-s390-1.tgz: .tgz: Upgraded to gaim-1.0.2 and gaim-encryption-2.32.
A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1
allows remote attackers to cause a denial of service (application
crash) and may allow the execution of arbitrary code.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
(* Security fix *)
+--------------------------+
Thu Oct 21 10:19:00 EDT 2004
xap/abiword-2.0.12-s390-1.tgz: Upgraded to abiword-2.0.12.
+--------------------------+
Thu Oct 21 01:23:00 EDT 2004
a/acpid-1.0.4-s390-1.tgz: Upgraded to acpid-1.0.4.
a/sysvinit-2.84-s390-2.tgz: In rc.S, make sure /tmp/.ICE-unix and
/tmp/.X11-unix exist and have proper permissions. X.Org no longer
creates these if they are missing which is a problem for users who
are using a tmpfs on /tmp.
In rc.S and rc.6, check /proc/ioports to make sure that the RTC lists
ports, and if so use a workaround to prevent hwclock from hanging.
In rc.M, don't start acpid if apmd is already running regardless of
the perms on rc.acpid.
ap/hpijs-1.7-s390-1.tgz: Upgraded to hpijs-1.7.
ap/lsof-4.72-s390-1.tgz: Upgraded to lsof-4.72.
ap/sox-12.17.6-s390-1.tgz: Upgraded to sox-12.17.6.
kde/kdeaddons-3.3.1-s390-1.tgz: Upgraded to kdeaddons-3.3.1.
kde/kdebindings-3.3.1-s390-1.tgz: Upgraded to kdebindings-3.3.1.
kde/kdepim-3.3.1-s390-1.tgz: Upgraded to kdepim-3.3.1.
kde/kdewebdev-3.3.1-s390-1.tgz: Upgraded to kdewebdev-3.3.1.
kde/koffice-1.3.4-s390-1.tgz: Upgraded to koffice-1.3.4.
l/libao-0.8.5-s390-1.tgz: Upgraded to libao-0.8.5.
n/curl-7.12.2-s390-1.tgz: Upgraded to curl-7.12.2.
n/dnsmasq-2.15-s390-1.tgz: Upgraded to dnsmasq-2.15.
n/nmap-3.75-s390-1.tgz: Upgraded to nmap-3.75.
Fixed nmapfe.desktop to follow freedesktop.org specs and
moved it to /usr/share/applications.
x/x11-6.8.1-s390-2.tgz: Rebuilt. X.Org made a few minor slient fixes to
the X11R6.8.1 (like the version number), so it seemed like a good idea
to rebuild.
x/x11-devel-6.8.1-s390-2.tgz: Rebuilt.
x/x11-docs-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-docs-html-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-100dpi-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-cyrillic-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-misc-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-scale-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-xdmx-6.8.1-s390-2.tgz: Rebuilt.
x/x11-xnest-6.8.1-s390-2.tgz: Patched to prevent an xnest crash.
x/x11-xvfb-6.8.1-s390-2.tgz: Rebuilt.
xap/gftp-2.0.17-s390-2.tgz: Build with .SlackBuild, not .build.
Fixed gftp.desktop.
xap/gucharmap-1.4.1-s390-2.tgz: Moved from /gnome.
xap/sane-1.0.14-s390-3.tgz: Upgraded to sane-frontends-1.0.13.
Build with .SlackBuild, not .build.
xap/xine-ui-0.99.2-s390-2.tgz: Fixed xine.desktop.
+--------------------------+
Tue Oct 19 22:37:00 EDT 2004
kde/kdeaccessibility-3.3.1-s390-1.tgz: Upgraded to kdeaccessibility-3.3.1.
kde/kdeadmin-3.3.1-s390-1.tgz: Upgraded to kdeadmin-3.3.1.
kde/kdeartwork-3.3.1-s390-1.tgz: Upgraded to kdeartwork-3.3.1.
kde/kdebase-3.3.1-s390-1.tgz: Upgraded to kdebase-3.3.1.
kde/kdeedu-3.3.1-s390-1.tgz: Upgraded to kdeedu-3.3.1.
kde/kdegames-3.3.1-s390-1.tgz: Upgraded to kdegames-3.3.1.
kde/kdegraphics-3.3.1-s390-1.tgz: Upgraded to kdegraphics-3.3.1.
kde/kdelibs-3.3.1-s390-1.tgz: Upgraded to kdelibs-3.3.1.
kde/kdemultimedia-3.3.1-s390-1.tgz: Upgraded to kdemultimedia-3.3.1.
kde/kdenetwork-3.3.1-s390-1.tgz: Upgraded to kdenetwork-3.3.1.
kde/kdesdk-3.3.1-s390-1.tgz: Upgraded to kdesdk-3.3.1.
kde/kdetoys-3.3.1-s390-1.tgz: Upgraded to kdesdk-3.3.1.
kde/kdeutils-3.3.1-s390-1.tgz: Upgraded to kdeutils-3.3.1.
kde/kdevelop-3.1.1-s390-1.tgz: Upgraded to kdevelop-3.1.1.
+--------------------------+
Mon Oct 18 22:20:00 EDT 2004
gnome/gst-plugins-0.8.5-s390-1.tgz: Upgraded to gst-plugins-0.8.5.
gnome/gstreamer-0.8.7-s390-1.tgz: Upgraded to gstreamer-0.8.7.
kde/qt-3.3.3-s390-2.tgz: Recompiled. Note that this includes the change
previously in /testing where the libqt.so -> libqt-mt.so symlinks have
been removed. (this shouldn't affect any recent binaries, but might
break some old ones)
l/arts-1.3.1-s390-1.tgz: Upgraded to arts-1.3.1.
l/glib2-2.4.7-s390-1.tgz: Upgraded to glib-2.4.7.
l/gtk+2-2.4.13-s390-1.tgz: Upgraded to gtk+-2.4.13.
l/lesstif-0.93.96-s390-1.tgz: Upgraded to lesstif-0.93.96.
l/libidn-0.5.8-s390-1.tgz: Added libidn-0.5.8.
l/libxml2-2.6.14-s390-1.tgz: Upgraded to libxml2-2.6.14.
l/libxslt-1.1.11-s390-1.tgz: Upgraded to libxslt-1.1.11.
l/pango-1.6.0-s390-1.tgz: Upgraded to pango-1.6.0.
l/pcre-5.0-s390-1.tgz: Upgraded to pcre-5.0.
xap/imagemagick-6.1.0_5-s390-1.tgz: Upgraded to ImageMagick-6.1.0-5.
xap/xine-lib-1rc6a-s390-2.tgz: Recompiled against new libFLAC.
+--------------------------+
Tue Oct 12 22:03:00 EDT 2004
a/glibc-solibs-2.3.3-s390-2.tgz: Updated from CVS. Added the files
in /usr/lib/gconv to glibc-solibs.
a/glibc-zoneinfo-2.3.3-noarch-2.tgz: Updated from CVS.
a/udev-035-s390-1.tgz: Upgraded to udev-035.
a/util-linux-2.12g-s390-2.tgz: Put the adjtimex docs in the
proper directory.
d/doxygen-1.3.9.1-s390-1.tgz: Upgraded to doxygen-1.3.9.1.
l/glibc-2.3.3-s390-2.tgz: Updated from CVS.
l/glibc-i18n-2.3.3-noarch-2.tgz: Updated from CVS.
n/getmail-4.2.2-noarch-1.tgz: Upgraded to getmail-4.2.2.
n/netatalk-2.0.0-s390-1.tgz: Upgraded to netatalk-2.0.0.
n/rsync-2.6.3-s390-1.tgz: Upgraded to rsync-2.6.3.
From the rsync NEWS file:
A bug in the sanitize_path routine (which affects a non-chrooted
rsync daemon) could allow a user to craft a pathname that would get
transformed into an absolute path for certain options (but not for
file-transfer names). If you're running an rsync daemon with chroot
disabled, *please upgrade*, ESPECIALLY if the user privs you run
rsync under is anything above "nobody".
Note that rsync, in daemon mode, sets the "use chroot" to true by
default, and (in this default mode) is not vulnerable to this issue.
I would strongly recommend against setting "use chroot" to false
even if you've upgraded to this new package.
(* Security fix *)
n/sendmail-8.13.1-s390-2.tgz: Recompiled with -DSOCKETMAP.
n/sendmail-cf-8.13.1-noarch-2.tgz: Rebuilt.
xap/fvwm-2.4.19-s390-1.tgz: Upgraded to fvwm-2.4.19.
xap/gaim-1.0.1-s390-1.tgz: Upgraded to gaim-1.0.1.
+--------------------------+
Fri Oct 8 02:15:00 EDT 2004
a/util-linux-2.12g-s390-1.tgz: Upgraded to util-linux-2.12g,
adjtimex-1.20, and ziptool-1.4.0.
d/doxygen-1.3.9-s390-1.tgz: Upgraded to doxygen-1.3.9.
d/guile-1.6.5-s390-1.tgz: Upgraded to guile-1.6.5.
n/slrn-0.9.8.1-s390-1.tgz: Upgraded to slrn-0.9.8.1.
+--------------------------+
Mon Oct 4 19:04:00 EDT 2004
ap/flac-1.1.1-s390-1.tgz: Upgraded to flac-1.1.1.
ap/vorbis-tools-1.0.1-s390-2.tgz: Recompiled against new libFLAC.
gnome/gst-plugins-0.8.1-s390-2.tgz: Recompiled against new libFLAC.
l/zlib-1.2.2-s390-1.tgz: Upgraded to zlib-1.2.2. This fixes a
possible DoS in earlier versions of zlib-1.2.x.
(* Security fix *)
n/dhcp-3.0.1-s390-1.tgz: Upgraded to dhcp-3.0.1.
n/getmail-4.2.0-noarch-1.tgz: Upgraded to getmail-4.2.0. Earlier
versions contained a local security flaw when used in an insecure
fashion (surprise, running something as root that writes to user-
controlled files or directories could allow the old symlink attack
to clobber system files! :-) From the getmail CHANGELOG:
This vulnerability is not exploitable if the administrator does
not deliver mail to the maildirs/mbox files of untrusted local
users, or if getmail is configured to use an external
unprivileged MDA. This vulnerability is not remotely exploitable.
Most users would not use getmail in such as way as to be vulnerable
to this flaw, but if your site does this package closes the hole.
I'd also recommend not using getmail like this. Either run it as the
user that owns the target mailbox, or deliver through an external MDA.
(* Security fix *)
n/sendmail-8.13.1-s390-1.tgz: Upgraded to sendmail-8.13.1.
n/sendmail-cf-8.13.1-noarch-1.tgz: Upgraded to sendmail-8.13.1 configs.
xap/xmms-1.2.10-s390-2.tgz: Added arts_output-0.7.1 aRts output plugin.
+--------------------------+
Tue Sep 28 21:25:00 EDT 2004
a/gawk-3.1.4-s390-1.tgz: Upgraded to GNU gawk-3.1.4.
ap/mdadm-1.7.0-s390-1.tgz: Upgraded to mdadm-1.7.0.
xap/gkrellm-2.2.4-s390-1.tgz: Upgraded to gkrellm-2.2.4.
+--------------------------+
Mon Sep 27 14:25:00 EDT 2004
xap/gimp-2.0.5-s390-1.tgz: Upgraded to gimp-2.0.5
+--------------------------+
Sat Sep 25 14:30:00 EDT 2004
n/php-4.3.9-s390-1.tgz: Upgraded to php-4.3.9.
testing/packages/php-5.0.2/php-5.0.2-s390-1.tgz: Upgraded to php-5.0.2.
+--------------------------+
Fri Sep 24 17:40:00 EDT 2004
d/automake-1.9.2-noarch-1.tgz: Upgraded to GNU automake-1.9.2.
d/kernel-headers-2.4.27-s390-1.tgz: Upgraded to Linux 2.4.27 kernel headers.
d/libtool-1.5.10-s390-1.tgz: Upgraded to GNU libtool-1.5.10.
kde/koffice-1.3.3-s390-1.tgz: Upgraded to koffice-1.3.3.
l/gmp-4.1.4-s390-1.tgz: Upgraded to GNU gmp-4.1.4.
l/gtk+2-2.4.10-s390-1.tgz: Upgraded to gtk+-2.4.10. This fixes security
issues in the image loader routines that can crash applications.
(* Security fix *)
n/bind-9.3.0-s390-1.tgz: Upgraded to bind-9.3.0.
x/x11*6.8.1-s390-1.tgz: Upgraded to X.Org's X11R6.8.1 release.
xap/gaim-1.0.0-s390-1.tgz: Upgraded to gaim-1.0.0.
xap/mozilla-plugins-1.7.3-noarch-1.tgz: Changed plugin symlinks for
Mozilla 1.7.3.
xap/xine-lib-1rc6a-s390-1.tgz: Upgraded to xine-lib-1-rc6a.
This release fixes a few overflows that could have security implications.
(* Security fix *)
xap/xsane-0.96-s390-1-1.tgz: Upgraded to xsane-0.96.
extra/k3b/k3b-i18n-0.11-noarch-2.tgz: Fixed path for locale files.
extra/k3b/k3b-0.11.17-s390-1.tgz: Upgraded to k3b-0.11.17.
+--------------------------+
Thu Sep 23 17:24:00 EDT 2004
a/pkgtools-10.0.0-s390-2.tgz: Changed the keyboard driver in the sample
/etc/X11/xorg.conf files from "Keyboard" to "kbd".
ap/cups-1.1.21-s390-1-.tgz: Upgraded to cups-1.1.21. This fixes a flaw
where a remote attacker can crash the CUPS server causing a denial of
service.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558
(* Security fix *)
ap/sudo-1.6.8p1-s390-1.tgz: Upgraded to sudo-1.6.8p1.
n/nail-11.7-s390-1.tgz: Upgraded to nail-11.7.
n/php-4.3.8-s390-2.tgz: Recompiled using --enable-exif in addition to
--with-exif.
n/proftpd-1.2.10-s390-2.tgz: Fixed slack-desc.
+--------------------------+
Wed Sep 22 22:45:00 EDT 2004
a/kernel-default-2.4.27-s390-1.tgz: Upgraded to Linux 2.4.27 kernel.
a/kernel-modules-2.4.27-s390-1.tgz: Upgraded to Linux 2.4.27 kernel modules.
a/glibc-solibs-2.3.3-s390-1.tgz: Upgraded to glibc-2.3.3. This is from
a CVS snapshot taken in early August. The official glibc-2.3.3 tarball
was released in such an obsolete condition (a snapshot from 8 months ago)
that I'd be surprised if any Linux distributions actually package it.
a/glibc-zoneinfo-2.3.3-noarch-1.tgz: Upgraded to glibc-2.3.3.
l/glibc-2.3.3-s390-1.tgz: Upgraded to glibc-2.3.3.
l/glibc-profile-2.3.3-s390-1.tgz: Upgraded to glibc-2.3.3 profile libs.
l/glibc-i18n-2.3.3-noarch-1.tgz: Upgraded to glibc-2.3.3 i18n files.
k/kernel-source-2.4.27-s390-1.tgz: Upgraded to Linux 2.4.27 kernel source.
extra/cpint-1.1.6_2.4.27-s390-1: Rebuilt against kernel 2.4.27 headers.
+--------------------------+
Tue Sep 21 19:44:00 EDT 2004
n/nmap-3.70-s390-2.tgz: Fixed missing docs translations.
xap/xlockmore-5.13-s390-1.tgz: Upgraded to xlockmore-5.13.
xap/xscreensaver-4.18-s390-1.tgz: Upgraded to xscreensaver-4.18.
xap/mozilla-1.7.3-s390-1.tgz: Upgraded to mozilla-1.7.3.
The Mozilla page says this fixes some "minor security holes".
It also breaks Galeon and Epiphany, and new versions of these have
still not appeared. In light of this, I think it's time to remove
these Gecko-based browsers. The future is going to be Firefox and
Thunderbird anyway, and I don't believe Galeon and Epiphany can be
compiled against Firefox's libraries.
(* Security fix *)
xap/imagemagick-6.0.8_1-s390-1.tgz: Upgraded to ImageMagick-6.0.8-1.
Removed spurious libtool library.
+--------------------------+
Sat Sep 18 19:00:00 EDT 2004
extra/kernel-default-2.4.21/kernel-default-2.4.21-s390-1.tgz: Moved from a/.
extra/kernel-modules-2.4.21/kernel-modules-2.4.21-s390-1.tgz: Moved from a/.
extra/kernel-source-2.4.21/kernel-source-2.4.21-s390-1.tgz: Moved from k/.
+--------------------------+
Fri Sep 17 17:59:00 EDT 2004
x/x11-6.7.0-s390-1.tgz: Upgraded to x11-6.7.0.
x/x11-devel-6.7.0-s390-1.tgz: Upgraded to x11-devel-6.7.0.
x/x11-docs-6.7.0-noarch-1.tgz: Upgraded to x11-docs-6.7.0.
x/x11-docs-html-6.7.0-noarch-1.tgz: Upgraded to x11-docs-html.
x/x11-fonts-100dpi-6.7.0-noarch-1.tgz: Upgraded to x11-fonts-100dpi-6.7.0.
x/x11-fonts-cyrillic-6.7.0-noarch-1.tgz: Upgraded to x11-fonts-cyrillic-6.7.0.
x/x11-fonts-misc-6.7.0-noarch-1.tgz: Upgraded to x11-fonts-misc-6.7.0.
x/x11-fonts-scale-6.7.0-noarch-1.tgz: Upgraded to x11-fonts-scale-6.7.0.
x/x11-xnest-6.7.0-s390-1.tgz: Upgraded to x11-xnest-6.7.0.
x/x11-xprt-6.7.0-s390-1.tgz: Upgraded to x11-xprt-6.7.0.
x/x11-xvfb-6.7.0-s390-1.tgz: Upgraded to x11-xvfb-6.7.0.
+--------------------------+
Wed Sep 15 22:05:00 EDT 2004
a/bash-3.0-s390-1.tgz: Upgraded to GNU bash-3.0.
a/reiserfsprogs-3.6.18-s390-1.tgz: Upgraded to reiserfsprogs-3.6.18.
ap/mysql-4.0.21-s390-1.tgz: Upgraded to mysql-4.0.21.
d/ccache-2.4-s390-1.tgz: Upgraded to ccache-2.4.
d/gdb-6.2.1-s390-1.tgz: Upgrade to gdb-6.2.1.
gnome/gnumeric-1.2.13-s390-1.tgz: Upgraded to gnumeric-1.2.13.
kde/kdeaccessibility-3.2.3-s390-1.tgz: Upgraded to kdeaccessibility-3.2.3.
kde/kdeaddons-3.2.3-s390-1.tgz: Upgraded to kdeaddons-3.2.3.
kde/kdeadmin-3.2.3-s390-1.tgz: Upgraded to kdeadmin-3.2.3.
kde/kdeartwork-3.2.3-s390-1.tgz: Upgraded to kdeartwork-3.2.3.
kde/kdebase-3.2.3-s390-1.tgz: Upgraded to kdebase-3.2.3.
kde/kdebindings-3.2.3-s390-1.tgz: Upgraded to kdebindings-3.2.3.
kde/kdeedu-3.2.3-s390-1.tgz: Upgraded to kdeedu-3.2.3.
kde/kdegames-3.2.3-s390-1.tgz: Upgraded to kdegames-3.2.3.
kde/kdegraphics-3.2.3-s390-1.tgz: Upgraded to kdegraphics-3.2.3.
kde/kdelibs-3.2.3-s390-1.tgz: Upgraded to kdelibs-3.2.3.
kde/kdemultimedia-3.2.3-s390-1.tgz: Upgraded to kdemultimedia-3.2.3.
kde/kdenetwork-3.2.3-s390-1.tgz: Upgraded to kdenetwork-3.2.3.
kde/kdepim-3.2.3-s390-1.tgz: Upgraded to kdepim-3.2.3.
kde/kdesdk-3.2.3-s390-1.tgz: Upgraded to kdesdk-3.2.3.
kde/kdetoys-3.2.3-s390-1.tgz: Upgraded to kdetoys-3.2.3.
kde/kdeutils-3.2.3-s390-1.tgz: Upgraded to kdeutils-3.2.3.
kde/kdevelop-3.0.4-s390-1.tgz: Upgraded to kdevelop-3.0.4.
kde/koffice-1.3.2-s390-1.tgz: Upgraded to koffice-1.3.2.
kde/quanta-3.2.3-s390-1.tgz: Upgraded to quanta-3.2.3.
l/arts-1.2.3-s390-2.tgz: Rebuilt.
l/libpng-1.2.7-s390-1.tgz: Upgraded to libpng-1.2.7.
l/taglib-1.3-s390-1.tgz: Upgraded to taglib-1.3.
n/dnsmasq-2.14-s390-1.tgz: Upgraded to dnsmasq-2.14.
n/getmail-4.1.5-noarch-1.tgz: Upgraded to getmail-4.1.5.
n/samba-3.0.7-s390-1.tgz: Upgraded to samba-3.0.7.
This fixes two Denial of Service vulnerabilities.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808
(* Security fix *)
xap/imagemagick-6.0.7_3-s390-1.tgz: Upgraded to ImageMagick-6.0.7-3.
testing/packages/kde-3.3/kdepim-3.3.0-s390-1.tgz: Upgraded to kdepim-3.3.0.
testing/packages/kde-3.3/kdeaddons-3.3.0-s390-1.tgz: Upgraded to kdeaddons-3.3.0.
testing/packages/kde-3.3/kdebindings-3.3.0-s390-1.tgz: Upgraded to kdebindings-3.3.0.
testing/packages/kde-3.3/kdewebdev-3.3.0-s390-2.tgz: Upgraded to kdewebdev-3.3.0.
testing/packages/kde-3.3/qt-3.3.3-s390-1.tgz: Removed the
libqt.so -> libqt-mt.so symlinks. These were a kludge added to help
run third party binaries that link with libqt rather than libqt-mt,
but now it's breaking things like the kdebindings build. The symlinks
were meant to allow some time to transition to the threaded Qt without
breaking existing apps. Hopefully not many broken apps are still left.
+--------------------------+
Wed Sep 15 01:10:00 EDT 2004
testing/packages/kde-3.3/kde/*.tgz: Rebuilt all KDE packages, and
fixed a couple build problems with kdemultimedia and kdebindings.
testing/packages/gcc-3.4.2/gcc*-3.4.2-s390-1.tgz: Upgraded to gcc-3.4.2.
+--------------------------+
Sun Sep 12 23:50:00 EDT 2004
ap/cdrtools-2.01-s390-1.tgz: Upgraded to cdrtools-2.01 and
zisofs-tools-1.0.6.
ap/dvd+rw-tools-5.21.4.10.8-s390-1.tgz: Upgraded to
dvd+rw-tools-5.21.4.10.8.
l/aspell-0.60-s390-1.tgz: Upgraded to GNU aspell-0.60
l/aspell-en-6.0_0-noarch-2.tgz: Upgraded to aspell6-en-6.0-0.
(Since all the word list packages needed to be rebuilt, but not
all had upgraded versions, they were all given a build of '2')
n/openssh-3.9p1-s390-1.tgz: Upgraded to openssh-3.9p1.
xap/fluxbox-0.9.10-s390-1.tgz: Upgraded to fluxbox-0.9.10.
This is the development version, but they say it's stable, so
I'll defer to upstream judgement.
extra/aspell-word-lists/: Rebuilt all word lists, and added many
new ones.
extra/bash-completion/bash-completion-20040711-noarch-1.tgz:
Upgraded to bash-completion-20040711.
+--------------------------+
Sun Sep 12 01:35:00 EDT 2004
kde/qt-3.3.3-s390-1.tgz: Upgraded to qt-3.3.3.
This fixes bugs in the image loading routines which could be
used by an attacker to run unauthorized code or create a
denial-of-service.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
(* Security fix *)
l/arts-1.3.0-s390-1.tgz: Upgraded to arts-1.3.0.
pasture/fluxbox-0.1.14-s390-1.tgz: Moved to /pasture.
This is still officially the current stable version, but the
developers say it's old and unmaintained, so off to /pasture it goes.
testing/packages/kde-3.3/: Added KDE 3.3. This is in testing/ because of
a few problems Pat had with it (like crashes on logout, and no anti-
aliased fonts no matter what kpersonalizer settings are chosen).
I think it's a good idea to test it for a while and wait for patches
(or for kde-3.3.1). Oh, I'm also getting requests to add libidn, which
kde-3.3 apparently can use for jabber support, but libidn contains the
following warning in README-alpha:
"LIBIDN IS MOST LIKELY INSECURE. DO NOT USE IN A PRODUCTION ENVIRONMENT!"
As a result, I haven't added libidn yet. I haven't ruled it out entirely
either, but it's hard to get past a warning like that...
+--------------------------+
Fri Sep 10 21:10:00 EDT 2004
a/glibc-solibs-2.3.2-s390-2.tgz: Recompiled using 'strip -g' rather than
'strip --strip-unneeded' to avoid stripping symbols that are needed for
debugging threads.
a/glibc-zoneinfo-2.3.2-s390-2.tgz: Rebuilt.
d/m4-1.4.2-s390-1.tgz: Upgraded to GNU m4-1.4.2.
l/glib2-2.4.6-s390-1.tgz: Upgraded to glib-2.4.6.
l/glibc-2.3.2-s390-2.tgz: Recompiled using 'strip -g'.
l/glibc-i18n-2.3.2-s390-2.tgz: Recompiled.
l/gtk+2-2.4.9-s390-1.tgz: Upgraded to gtk+-2.4.9.
n/gnupg-1.2.6-s390-1.tgz: Upgraded to gnupg-1.2.6.
n/inetd-1.79s-s390-2.tgz: Added a vsftpd example to /etc/inetd.conf.
n/lftp-3.0.7-s390-1.tgz: Upgraded to lftp-3.0.7.
n/nmap-3.70-s390-1.tgz: Upgraded to nmap-3.70.
n/vsftpd-2.0.1-s390-1.tgz: Added vsftpd as Slackware's new default ftpd.
This may not have the rich feature set of ProFTPD, but simple is
probably more secure.
extra/glibc-extra-packages/glibc-debug-2.3.2-s390-2.tgz: Recompiled.
extra/glibc-extra-packages/glibc-profile-2.3.2-s390-2.tgz: Recompiled.
+--------------------------+
Wed Sep 8 01:45:00 EDT 2004
ap/alsa-utils-1.0.6-s390-1.tgz: Upgraded to alsa-utils-1.0.6.
ap/zsh-4.2.1-s390-1.tgz: Upgraded to zsh-4.2.1.
l/alsa-lib-1.0.6-s390-1.tgz: Upgraded to alsa-lib-1.0.6.
l/alsa-oss-1.0.6-s390-1.tgz: Upgraded to alsa-oss-1.0.6.
l/glibc-2.3.2-s390-1.tgz: Upgraded to glibc-2.3.2.
n/iptables-1.2.11-s390-1.tgz: Upgraded to iptables-1.2.11.
+--------------------------+
Mon Sep 6 00:15:00 EDT 2004
a/hdparm-5.7-s390-1.tgz: Upgraded to hdparm-5.7.
a/procps-3.2.3-s390-1.tgz: Upgraded to procps-3.2.3.
d/automake-1.9.1-noarch-1.tgz: Upgraded to automake-1.9.1.
d/gdb-6.2-s390-1-upgraded.tgz: Upgraded to gdb-6.2.
d/libtool-1.5.8-s390-1.tgz: libtool-1.5.8.
kde/kdebindings-3.2.1-s390-3.tgz: Recompiled for perl-5.8.5.
l/libpng-1.2.6-s390-1.tgz: Upgraded to libpng-1.2.6.
l/pango-1.4.1-s390-1.tgz: Upgraded to pango-1.4.1.
n/curl-7.12.1-s390-1.tgz: Upgraded to curl-7.12.1.
n/dnsmasq-2.10-s390-1.tgz: Upgraded to dnsmasq-2.10.
n/irssi-0.8.9-s390-2.tgz: Recompiled for perl-5.8.5.
n/nail-11.3-s390-1.tgz: Upgraded to nail-11.3.
n/ncftp-3.1.8-s390-1.tgz: Upgraded to ncftp-3.1.8.
xap/imagemagick-6.0.6_2-s390-1.tgz: Upgraded to ImageMagick-6.0.6-2.
xap/xchat-2.0.10-s390-1.tgz: Upgraded to xchat-2.0.10.
+--------------------------+
Sun Sep 5 02:00:00 EDT 2004
d/perl-5.8.5-s390-1.tgz: Upgraded to perl-5.8.5.
gnome/galeon-1.3.17-s390-1.tgz: Upgraded to galeon-1.3.17.
+--------------------------+
Sat Sep 4 18:50:00 EDT 2004
gnome/totem-0.99.15.1-s390-1.tgz: Upgraded to totem-0.99.15.1.
xap/xfce-4.0.6-s390-1.tgz: Upgraded to xfce-4.0.6.
xap/xine-lib-1rc5-s390-1.tgz: Upgraded to xine-lib-1-rc5.
xap/xine-ui-0.99.2-s390-1.tgz: Upgraded to xine-ui-0.99.2.
+--------------------------+
Mon Aug 30 16:52:00 EDT 2004
n/samba-3.0.6-s390-1.tgz: Upgraded to samba-3.0.6.
xap/gimp-2.0.4-s390-1.tgz: Upgraded to gimp-2.0.4.
xap/xsane-0.94-s390-1.tgz: Upgraded to xsane-0.94.
+--------------------------+
Sun Aug 29 22:19:00 EDT 2004
ap/gimp-print-4.2.7-s390-1.tgz: Upgraded to gimp-print-4.2.7.
d/distcc-2.17.1-s390-1.tgz: Upgraded to distcc-2.16.
d/doxygen-1.3.8-s390-1.tgz: Upgraded to doxygen-1.3.8.
l/glib2-2.4.5-s390-1.tgz: Upgraded to glib-2.4.4.
l/gtk+2-2.4.4-s390-1.tgz: Upgraded to gtk+-2.4.4.
n/getmail-4.1.1-noarch-1.tgz: Upgraded to getmail-4.0.0.
n/mod_ssl-2.8.19_1.3.31-s390-1.tgz: Upgraded to mod_ssl-2.8.19-1.3.31.
This fixes a security hole (ssl_log() related format string
vulnerability in mod_proxy hook functions), so sites using mod_ssl
should upgrade to the new version. Be sure to back up your existing
key files first.
(* Security fix *)
+--------------------------+
Sat Aug 28 22:13:00 EDT 2004
xap/gaim-0.82.1-s390-1.tgz: Upgraded to gaim-0.82.1-s390-1.
+--------------------------+
Thu Aug 26 12:37:21 EDT 2004
kde/koffice-1.3.2-s390-1.tgz: Upgraded to koffice-1.3.2.
kdei/koffice-i18n-*.tgz: Upgraded to koffice-i18n-1.3.2.
+--------------------------+
Tue Aug 24 19:39:23 EDT 2004
n/imapd-4.61-s390-1.tgz: Upgraded to IMAP4rev1 2004.352 from pine4.61.
n/php-4.3.8-s390-1.tgz: Upgraded to php-4.3.8.
This release fixes two security problems in PHP (memory_limit handling and
a problem in the strip_tags function). Sites using PHP should upgrade.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
(* Security fix *)
n/pine-4.61-s390-1.tgz: Upgraded to pine4.61.
xap/gaim-0.81-s390-1.tgz: Upgraded to gaim-0.81 and gaim-encryption-2.28.
testing/packages/php-5.0.0/php-5.0.0-s390-1.tgz: Added php-5.0.0.
+--------------------------+
Sun Aug 22 17:45:00 EDT 2004
ap/sox-12.17.4-s390-2.tgz: Patched buffer overflows that could allow
a malicious WAV file to execute arbitrary code.
(* Security fix *)
l/libpng-1.2.5-s390-2.tgz: Patched possible security issues including
buffer and integer overflows and null pointer references. These
issues could cause program crashes, or possibly allow arbitrary code
embedded in a malicious PNG image to execute. The PNG library is
widely used within the system, so all sites should upgrade to the
new libpng package.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
(* Security fix *)
n/samba-3.0.5-s390-1.tgz: Upgraded to samba-3.0.5.
This fixes a buffer overflow in SWAT and another in the code supporting
the 'mangling method = hash' smb.conf option (which is not the default).
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
(* Security fix *)
xap/imagemagick-6.0.4_3-s390-1.tgz: Upgraded to ImageMagick-6.0.4-3.
Fixes PNG security issues.
(* Security fix *)
xap/mozilla-1.7.2-s390-1.tgz: Upgraded to Mozilla 1.7.2. This fixes three
security vulnerabilities. For details, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2
(* Security fix *)
xap/mozilla-plugins-1.7.2-noarch-1.tgz: Changed plugin symlinks for Mozilla
1.7.2.
+--------------------------+
Wed Jul 07 10:34:56 EDT 2004
Slackware 10.0 (Intel) is released. Thanks to everyone who helped out!