Mon Dec 20 09:21:29 BRST 2004

Hi guys,

We would like to thank everyone who, over these last weeks, helped Slackware in every way they could. We are wrapping up the work of this site with Patrick's return. Go SLACK!

http://www.slackware.com/changelog/current.php?cpu=i386

Andreas Liebschner, Bruno H Collovini (Buick Sk), Ernani Azevedo, Roberto Freire Batista (Piter Punk)
------------------------------------------------------
Fri Dec 17 11:36:53 BRST 2004

For Current:
ap/a2ps-4.13b-i386-1.tgz: Rebuilt.
-------------------------------------------------------
Wed Dec 15 03:07:22 BRDT 2004

For 8.1:
patches/packages/proftpd-1.2.10-i386-1: Upgraded.
  ProFTPD < 1.2.10 fails to properly check file permissions. This allows a
  remote authenticated user to change the permissions on a file.
  See the:

For 10.0:
patches/packages/nfs-utils-1.0.6-i486-3: Rebuilt.
--------------------------------------------------------
Sun Dec 12 13:26:03 BRST 2004

For Current:
ap/a2ps-4.13b-i486-1.tgz: Rebuilt.
--------------------------------------------------------
Sun Dec 12 04:25:35 BRDT 2004

For 8.1:
patches/packages/a2ps-4.13b-i386-3.tgz: Rebuilt.
patches/packages/lvm-1.0.4-i386-2.tgz: Rebuilt.
patches/packages/libxml2-2.6.16-i386-1.tgz: Upgraded.
patches/packages/imlib-1.9.15-i386-1.tgz: Upgraded.
patches/packages/j2sdk-1_4_2_06-i586-2.tgz: Upgraded.
patches/packages/nfs-utils-1.0.6-i386-1.tgz: Upgraded.
patches/packages/samba-3.0.9-i386-1.tgz: Removed.

For 9.1:
patches/packages/a2ps-4.13b-i386-3.tgz: Rebuilt.
patches/packages/nfs-utils-1.0.6-i486-2.tgz: Rebuilt.

For Current:
n/nfs-utils-1.0.6-i486-3.tgz: Rebuilt.
--------------------------------------------------------
Thu Dec 9 12:07:52 BRDT 2004

Someone brought up the issue that the package signature files (.asc) do not
display as text in a browser. Michael Shuler sent in this simple tip for
httpd.conf:

    AddType text/plain .asc
    RemoveEncoding .tgz

The second line matters for verification, not just for viewing: if httpd.conf
carries the stock "AddEncoding x-gzip .gz .tgz" line, Apache sends the .tgz
packages with a Content-Encoding header, and some browsers then transparently
gunzip the download, so the file that lands on disk no longer matches the
detached .asc signature.

Thanks! We love simple tips, and many people like this help Slack.
;)
--------------------------------------------------------
Mon Dec 06 11:52:38 BRST 2004

imagemagick-*: Upgraded.
  Buffer overflow in the EXIF parsing routine in ImageMagick before 6.1.0
  allows remote attackers to execute arbitrary code via a crafted image file.
  It is fixed in imagemagick-5.5.7_33 and in imagemagick-6.1.4_5.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0981
  (* Security fix *)
  9.1      slackware-9.1/patches/packages/imagemagick-5.5.7_33-i486-1.tgz
  10.0     slackware-10.0/patches/packages/imagemagick-6.1.4_5-i486-1.tgz
--------------------------------------------------------
Mon Nov 29 09:44:12 BRST 2004

lvm-1.0.x: Rebuilt.
  A bug in lvm (1.5 through 2.1) allows local users to overwrite files via a
  symlink attack on temporary files.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972
  (* Security fix *)
  9.0      slackware-9.0/patches/packages/lvm-1.0.6-i386-2.tgz
  9.1      slackware-9.1/patches/packages/lvm-1.0.7-i486-2.tgz
  10.0     slackware-10.0/patches/packages/lvm-1.0.8-i486-2.tgz
  current  slackware-current/slackware/ap/lvm-1.0.8-i486-2.tgz
------------------------------------
libxml2-2.6.16: Upgraded to libxml2-2.6.16.
  Multiple buffer overflows may allow remote attackers to execute arbitrary
  code. 2.6.12 and 2.6.13 are known to be affected; it is unclear whether
  older versions are affected as well, so you may want to upgrade to
  libxml2-2.6.16 regardless.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0989
  (* Security fix *)
  9.1      slackware-9.1/patches/packages/libxml2-2.6.16-i486-1.tgz
  10.0     slackware-10.0/patches/packages/libxml2-2.6.16-i486-1.tgz
------------------------------------
imlib-1.9.15-i486-1.tgz: Upgraded to imlib-1.9.15.
  Multiple heap-based buffer overflows in the imlib BMP image handler allow
  remote attackers to execute arbitrary code via a crafted BMP file.
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817
  (* Security fix *)
  9.1      slackware-9.1/patches/packages/imlib-1.9.15-i486-1.tgz
  10.0     slackware-10.0/patches/packages/imlib-1.9.15-i486-1.tgz
  current  slackware-current/slackware/l/imlib-1.9.15-i486-1.tgz
------------------------------------
x11-6.8.1-i486-2.tgz: Rebuilt.
  The *.la libraries had been left out of the x11-6.8.1 package. Only the
  10.0 packages are affected.
  Note that the name of the keyboard driver in xorg.conf has changed from
  "Keyboard" to "kbd". You will need to make this change in order to start X.
  10.0     slackware-10.0/patches/packages/x11-*6.8.1-i486-2.tgz
--------------------------------------------------------
**WARNING!** slackpkg does not work with these new security packages. It
needs a FILELIST.TXT that lists every package, and we do not have that file
on our partial mirror. You need to update the packages manually:
  1) Download the package
  2) upgradepkg package
Check the package's .asc signature against the GUS-BR Security Team key
before running upgradepkg; the key locations are given in the Nov 18 entry
below.
--------------------------------------------------------
Wed Nov 25 11:19:32 BRST 2004

samba-3.0.9-i486-2.tgz: Upgraded to samba-3.0.9-i486-2.
  Fixes the current package: the first package was built with LDAP support.
  Thanks, Andrea Dieni!
  current  slackware-current/slackware/n/samba-3.0.9-i486-2.tgz
-------------------------------------------------------
Wed Nov 24 15:41:34 BRST 2004

sudo-1.6.8p4-i486-1.tgz: Upgraded to sudo-1.6.8p4.
  This fixes a bug that could allow malicious users who are permitted to run
  a shell script that uses the bash shell to run arbitrary commands.
  For more details, see:
  http://www.sudo.ws/sudo/alerts/bash_functions.html
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051
  (* Security fix *)
  current  slackware-current/slackware/ap/sudo-1.6.8p4-i486-1.tgz
  10.0     slackware-10.0/patches/packages/sudo-1.6.8p4-i486-1.tgz
  9.1      slackware-9.1/patches/packages/sudo-1.6.8p4-i386-1.tgz
  9.0      slackware-9.0/patches/packages/sudo-1.6.8p4-i386-1.tgz
  8.1      slackware-8.1/patches/packages/sudo-1.6.8p4-i386-1.tgz
------------------------------------
j2sdk-1_4_2_06-i586-2.tgz: Upgraded to j2sdk-1_4_2_06.
  Remote exploitation of a design vulnerability in Sun Microsystems Inc.'s
  Java Plug-in technology allows attackers to bypass the Java sandbox and all
  security restrictions imposed on Java applets.
  For more details, see:
  http://java.sun.com/j2se/1.4.2/download.html
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
  (* Security fix *)
  10.0     slackware-10.0/patches/packages/j2sdk-1_4_2_06-i586-2.tgz
  9.1      slackware-9.1/patches/packages/j2sdk-1_4_2_06-i586-2.tgz
------------------------------------
j2re-1_4_2_06-i586-1.tgz: Upgraded to j2re-1_4_2_06-i586.
  Remote exploitation of a design vulnerability in Sun Microsystems Inc.'s
  Java Plug-in technology allows attackers to bypass the Java sandbox and all
  security restrictions imposed on Java applets.
  For more details, see:
  http://java.sun.com/j2se/1.4.2/download.html
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
  (* Security fix *)
  9.0      slackware-9.0/patches/packages/j2re-1_4_2_06-i586-1.tgz
  8.1      slackware-8.1/patches/packages/j2re-1_4_2_06-i586-1.tgz
------------------------------------
samba-3.0.9-i486-1.tgz: Upgraded to samba-3.0.9-i486-1.
  A possible buffer overrun in smbd could lead to code execution by a remote
  user.
  For more details, see:
  http://samba.cdpa.nsysu.edu.tw/samba/news/#can-2004-0882
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
  (* Security fix *)
  current  slackware-current/slackware/n/samba-3.0.9-i486-1.tgz
  10.0     slackware-10.0/patches/packages/samba-3.0.9-i486-1.tgz
  9.1, 9.0, 8.1: not affected.
--------------------------
x/x11-6.8.1-i486-3.tgz: Rebuilt.
  libXpm stack and integer overflow issues. The XPM library, which is part of
  the XFree86/X.Org project, is used by several GUI applications to process
  XPM image files, so it seemed like a good idea to rebuild.
  For more details, see:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
  (* Security fix *)
  current  slackware-current/slackware/x/x11-*.tgz
  10.0     slackware-10.0/patches/packages/x11-*.tgz
+------------------------+
Thu Nov 18 19:04:09 BRST 2004

The community recently learned that Patrick will be absent to take care of
his health. Bruno Henrique Collovini (aka Buick Sk), Ernani Azevedo (aka
Azevedo, Man Slackpacks), and Roberto Freire Batista (aka Piter Punk) from
the GUS-BR community will be maintaining this fork, with bugfixes ONLY, for
Slackware while Patrick is out. Patrick had problems accessing slackware.com
and agreed to the use of slackware.org.br as a security-fix repository for
both Slackware stable and current. More information, and Patrick Volkerding's
statement of trust in this, can be found here:
(http://www.slackware.org.br/patrick-17-nov-2004-email.txt)

The GUS-BR Security Team GPG key can be found here:
(http://www.slackware.org.br/gus-br-key) or
(ftp://ftp.slackware.org.br/pub/slackware/slackware-current-mr/GUS-BR_GPG-KEY)

We really appreciate help from everyone!!

Patrick! We will keep Slackware running until you come back from your
vacation. ;)
+------------------------+
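The manual update procedure from the **WARNING!** entry above (download the package, then upgradepkg), as an added example script. This is not GUS-BR's or Slackware's own tooling; the function names (pkg_name, patch_action, apply_patch) are this example's. It assumes the mirror layout quoted in this ChangeLog under ftp.slackware.org.br, that the GUS-BR Security Team key has already been imported into root's GnuPG keyring, and that wget, gpg and upgradepkg are on the PATH. The installed-package list near the bottom is a constructed sample of `ls /var/log/packages`, not taken from a real machine, so the script runs offline as a dry run.

```shell
#!/bin/sh
# Added example, not GUS-BR's own tooling: apply a security patch from the
# partial mirror by hand, since slackpkg cannot work there without FILELIST.TXT.
# Assumptions: the mirror layout quoted in this ChangeLog, the GUS-BR key
# already imported into root's GnuPG keyring, and wget/gpg/upgradepkg on PATH.

MIRROR="${MIRROR:-ftp://ftp.slackware.org.br/pub/slackware}"   # assumed mirror root

# Slackware package file names are name-version-arch-build.tgz.  The name may
# itself contain dashes (x11-devel), so the fields are split from the right.
pkg_base()    { basename "$1" .tgz; }
pkg_name()    { pkg_base "$1" | sed 's/-[^-]*-[^-]*-[^-]*$//'; }
pkg_version() { pkg_base "$1" | sed 's/.*-\([^-]*\)-[^-]*-[^-]*$/\1/'; }
pkg_build()   { pkg_base "$1" | sed 's/.*-\([^-]*\)$/\1/'; }

# patch_action INSTALLED PKGFILE
#   INSTALLED: installed package base names, one per line (ls /var/log/packages)
#   Prints "current" if exactly this version/build is already installed,
#          "upgrade" if the same package is installed at another version/build,
#          "absent"  if the package is not installed at all (nothing to patch).
patch_action() {
    _installed=$1
    _base=$(pkg_base "$2")
    _name=$(pkg_name "$2")
    if printf '%s\n' "$_installed" | grep -qxF "$_base"; then
        echo current
    elif printf '%s\n' "$_installed" | grep -q "^$_name-[^-]*-[^-]*-[^-]*$"; then
        echo upgrade
    else
        echo absent
    fi
}

# apply_patch RELEASE PATH
#   e.g. apply_patch slackware-10.0 patches/packages/sudo-1.6.8p4-i486-1.tgz
# Fetch the package and its detached .asc signature, verify the signature
# against the keyring, and only then hand the file to upgradepkg.  A package
# whose signature does not verify is never installed.
apply_patch() {
    _rel=$1
    _path=$2
    _file=$(basename "$_path")
    wget -q "$MIRROR/$_rel/$_path" "$MIRROR/$_rel/$_path.asc" || return 1
    if ! gpg --verify "$_file.asc" "$_file"; then
        echo "BAD SIGNATURE on $_file, not installing" >&2
        return 1
    fi
    upgradepkg "$_file"
}

# Constructed sample of `ls /var/log/packages` on a Slackware 10.0 box.
SAMPLE_INSTALLED='sudo-1.6.8p2-i486-1
samba-3.0.9-i486-1
x11-6.8.1-i486-2
x11-devel-6.8.1-i486-2'

# Dry run over some of the 10.0 patch packages listed in this ChangeLog:
# report what would be done.  Replace the echo with apply_patch to apply them.
for p in sudo-1.6.8p4-i486-1.tgz samba-3.0.9-i486-1.tgz \
         x11-6.8.1-i486-3.tgz imlib-1.9.15-i486-1.tgz; do
    case $(patch_action "$SAMPLE_INSTALLED" "$p") in
        upgrade) echo "would run: apply_patch slackware-10.0 patches/packages/$p" ;;
        current) echo "$p: already installed" ;;
        absent)  echo "$p: not installed, skipping" ;;
    esac
done
```

Run it as root once the sample list is swapped for the real `ls /var/log/packages` output. Note that `gpg --verify` only proves the package matches a signature made by a key in your keyring; since the same mirror serves both the packages and the GUS-BR key, fetch the key once and check its fingerprint through a second channel before trusting anything it signs.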