Wed Jul 25 02:02:40 UTC 2012
patches/packages/libpng-1.2.50-i486-1_slack10.2.tgz:  Upgraded.
 Fixed incorrect type (int copy should be png_size_t copy) in png_inflate()
 (fixes CVE-2011-3045).
 Revised png_set_text_2() to avoid potential memory corruption (fixes
   CVE-2011-3048).
 Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
 (* Security fix *)
+--------------------------+
Thu Jun 14 05:02:39 UTC 2012
####################################################################
# NOTICE OF IMPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
#                                                                  #
# Effective August 1, 2012, security patches will no longer be     #
# provided for the following versions of Slackware (which will all #
# be more than 5 years old at that time):                          #
# Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0.           #
# If you are still running these versions you should consider      #
# migrating to a newer version (preferably as recent as possible). #
# Alternately, you may make arrangements to handle your own        #
# security patches.  If for some reason you are unable to upgrade  #
# or handle your own security patches, limited security support    #
# may be available for a fee.  Inquire at [email protected].  #
####################################################################
patches/packages/bind-9.7.6_P1-i486-1_slack10.2.tgz:  Upgraded.
 This release fixes an issue that could crash BIND, leading to a denial of
 service.  It also fixes the so-called "ghost names attack" whereby a
 remote attacker may trigger continued resolvability of revoked domain names.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
 IMPORTANT NOTE:  This is an upgraded version of BIND, _not_ a patched one.
 It is likely to be more strict about the correctness of configuration files.
 Care should be taken about deploying this upgrade on production servers to
 avoid an unintended interruption of service.
 (* Security fix *)
+--------------------------+
Wed May 23 00:14:52 UTC 2012
patches/packages/libxml2-2.6.32-i486-2_slack10.2.tgz:  Upgraded.
 Patched an off-by-one error in XPointer that could lead to a crash or
 possibly the execution of arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
 (* Security fix *)
+--------------------------+
Wed Apr 11 17:16:32 UTC 2012
patches/packages/samba-3.0.37-i486-5_slack10.2.tgz:  Rebuilt.
 This is a security release in order to address a vulnerability that allows
 remote code execution as the "root" user.  All sites running a Samba
 server should update to the new Samba package and restart Samba.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
 (* Security fix *)
+--------------------------+
Sat Apr  7 21:48:42 UTC 2012
patches/packages/libtiff-3.8.2-i486-4_slack10.2.tgz:  Rebuilt.
 Patched overflows that could lead to arbitrary code execution when parsing
 a malformed image file.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
 (* Security fix *)
+--------------------------+
Wed Feb 22 18:14:58 UTC 2012
patches/packages/libpng-1.2.47-i486-1_slack10.2.tgz:  Upgraded.
 All branches of libpng prior to versions 1.5.9, 1.4.9, 1.2.47, and 1.0.57,
 respectively, fail to correctly validate a heap allocation in
 png_decompress_chunk(), which can lead to a buffer-overrun and the
 possibility of execution of hostile code on 32-bit systems.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
 (* Security fix *)
+--------------------------+
Thu Nov 17 02:09:25 UTC 2011
patches/packages/bind-9.4_ESV_R5_P1-i486-1_slack10.2.tgz:  Upgraded.
       --- 9.4-ESV-R5-P1 released ---
3218.   [security]      Cache lookup could return RRSIG data associated with
                       nonexistent records, leading to an assertion
                       failure. [RT #26590]
 (* Security fix *)
+--------------------------+
Fri Aug 12 23:20:00 UTC 2011
patches/packages/bind-9.4_ESV_R5-i486-1_slack10.2.tgz:  Upgraded.
 This BIND update addresses a couple of security issues:
 * named, set up to be a caching resolver, is vulnerable to a user
   querying a domain with very large resource record sets (RRSets)
   when trying to negatively cache the response. Due to an off-by-one
   error, caching the response could cause named to crash. [RT #24650]
   [CVE-2011-1910]
 * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
   processing code that could allow certain UPDATE requests to crash
   named. [RT #24777] [CVE-2011-2464]
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
 (* Security fix *)
+--------------------------+
Fri Jul 29 18:22:40 UTC 2011
patches/packages/libpng-1.2.46-i486-1_slack10.2.tgz:  Upgraded.
 Fixed uninitialized memory read in png_format_buffer()
 (Bug report by Frank Busse, related to CVE-2004-0421).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
 (* Security fix *)
+--------------------------+
Mon Jun 20 00:49:34 UTC 2011
patches/packages/fetchmail-6.3.20-i486-1_slack10.2.tgz:  Upgraded.
 This release fixes a denial of service in STARTTLS protocol phases.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947
   http://www.fetchmail.info/fetchmail-SA-2011-01.txt
 (* Security fix *)
+--------------------------+
Fri May 27 22:56:00 UTC 2011
patches/packages/bind-9.4_ESV_R4_P1-i486-1_slack10.2.tgz:  Upgraded.
 This release fixes security issues:
    * A large RRSET from a remote authoritative server that results in
      the recursive resolver trying to negatively cache the response can
      hit an off by one code error in named, resulting in named crashing.
      [RT #24650] [CVE-2011-1910]
    * Zones that have a DS record in the parent zone but are also listed
      in a DLV and won't validate without DLV could fail to validate. [RT
      #24631]
 For more information, see:
   http://www.isc.org/software/bind/advisories/cve-2011-1910
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
 (* Security fix *)
+--------------------------+
Fri Apr  8 06:58:48 UTC 2011
patches/packages/libtiff-3.8.2-i486-3_slack10.2.tgz:  Rebuilt.
 Patched overflows that could lead to arbitrary code execution when parsing
 a malformed image file.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0192
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
 (* Security fix *)
+--------------------------+
Thu Apr  7 04:07:29 UTC 2011
patches/packages/dhcp-3.1_ESV_R1-i486-1_slack10.2.tgz:  Upgraded.
 In dhclient, check the data for some string options for reasonableness
 before passing it along to the script that interfaces with the OS.
 This prevents some possible attacks by a hostile DHCP server.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
 (* Security fix *)
+--------------------------+
Mon Feb 28 22:19:08 UTC 2011
patches/packages/samba-3.0.37-i486-4_slack10.2.tgz:  Rebuilt.
 Fix memory corruption denial of service issue.
 For more information, see:
   http://www.samba.org/samba/security/CVE-2011-0719
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719
 (* Security fix *)
+--------------------------+
Thu Feb 10 21:19:38 UTC 2011
patches/packages/sudo-1.7.4p6-i486-1_slack10.2.tgz:  Upgraded.
 Fix Runas group password checking.
 For more information, see the included CHANGES and NEWS files, and:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0010
 (* Security fix *)
+--------------------------+
Thu Dec 16 18:57:05 UTC 2010
patches/packages/bind-9.4_ESV_R4-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes some security issues.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
 (* Security fix *)
+--------------------------+
Sat Nov 20 21:20:27 UTC 2010
patches/packages/xpdf-3.02pl5-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes security issues that could lead to an
 application crash, or execution of arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704
 (* Security fix *)
+--------------------------+
Mon Sep 20 18:39:57 UTC 2010
patches/packages/bzip2-1.0.6-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes an integer overflow that could allow a specially
 crafted bzip2 archive to cause a crash (denial of service), or execute
 arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
 (* Security fix *)
+--------------------------+
Wed Sep 15 18:51:21 UTC 2010
patches/packages/sudo-1.7.4p4-i486-3_slack10.2.tgz:  Rebuilt.
 Hi folks, since the patches for old systems (8.1 - 10.2) were briefly
 available containing a /var/lib with incorrect permissions, I'm issuing
 these again just to be 100% sure that no systems out there will be left
 with problems due to that.  This should do it (third time's the charm).
+--------------------------+
Wed Sep 15 05:58:55 UTC 2010
patches/packages/sudo-1.7.4p4-i486-2_slack10.2.tgz:  Rebuilt.
 The last sudo packages accidentally changed the permissions on /var from
 755 to 700.  This build restores the proper permissions.
 Thanks to Petri Kaukasoina for pointing this out.
+--------------------------+
Wed Sep 15 00:41:13 UTC 2010
patches/packages/samba-3.0.37-i486-3_slack10.2.tgz:  Upgraded.
 This upgrade fixes a buffer overflow in the sid_parse() function.
 For more information, see:
   http://www.samba.org/samba/security/CVE-2010-3069
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069
 (* Security fix *)
patches/packages/sudo-1.7.4p4-i486-1_slack10.2.tgz:  Upgraded.
 This fixes a flaw that could lead to privilege escalation.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
 (* Security fix *)
+--------------------------+
Wed Jun 30 04:51:49 UTC 2010
patches/packages/libtiff-3.8.2-i486-2_slack10.2.tgz:  Rebuilt.
 This fixes image structure handling bugs that could lead to crashes or
 execution of arbitrary code if a specially-crafted TIFF image is loaded.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
 (* Security fix *)
patches/packages/libpng-1.2.44-i486-1_slack10.2.tgz:  Upgraded.
 This fixes out-of-bounds memory write bugs that could lead to crashes
 or the execution of arbitrary code, and a memory leak bug which could
 lead to application crashes.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
 (* Security fix *)
+--------------------------+
Sun Jun 27 04:02:55 UTC 2010
patches/packages/bind-9.4.3_P5-i486-2_slack10.2.tgz:  Rebuilt.
 At least some of these updates for 2.4.x systems were built under a
 2.6.x kernel, and didn't work.  Sorry, I think I've fixed the
 issue on this end this time.  If the previous update did not work
 for you, try this one.
+--------------------------+
Fri Jun 25 05:28:02 UTC 2010
patches/packages/bind-9.4.3_P5-i486-1_slack10.2.tgz:  Upgraded.
 This fixes possible DNS cache poisoning attacks when DNSSEC is enabled
 and checking is disabled (CD).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
 (* Security fix *)
+--------------------------+
Fri Jun 18 18:09:28 UTC 2010
patches/packages/samba-3.0.37-i486-2_slack10.2.tgz:  Rebuilt.
 Patched a buffer overflow in smbd that allows remote attackers to cause
 a denial of service (memory corruption and daemon crash) or possibly
 execute arbitrary code via a crafted field in a packet.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2063
 (* Security fix *)
+--------------------------+
Sun May 16 20:01:28 UTC 2010
patches/packages/fetchmail-6.3.17-i486-1_slack10.2.tgz:  Upgraded.
 A crafted header or POP3 UIDL list could cause a memory leak and crash
 leading to a denial of service.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1167
 (* Security fix *)
+--------------------------+
Fri Apr 30 01:07:12 UTC 2010
patches/packages/irssi-0.8.15-i486-2_slack10.2.tgz:  Rebuilt.
 Sorry, the perl modules were a mess in that last build on systems that
 don't use a vendor_perl dir.  This should work better.
+--------------------------+
Thu Apr 22 19:13:54 UTC 2010
patches/packages/irssi-0.8.15-i486-1_slack10.2.tgz:  Upgraded.
 From the NEWS file:
   - Check if an SSL certificate matches the hostname of the server we are
     connecting to.
   - Fix crash when checking for fuzzy nick match when not on the channel.
     Reported by Aurelien Delaitre (SATE 2009).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1155
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1156
 (* Security fix *)
+--------------------------+
Tue Apr 20 14:45:24 UTC 2010
patches/packages/sudo-1.7.2p6-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes security issues that may give a user with permission
 to run sudoedit the ability to run arbitrary commands.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
   http://www.gratisoft.us/sudo/alerts/sudoedit_escalate.html
   http://www.gratisoft.us/sudo/alerts/sudoedit_escalate2.html
 (* Security fix *)
+--------------------------+
Mon Apr  5 03:06:19 UTC 2010
patches/packages/mozilla-thunderbird-2.0.0.24-i686-1.tgz:  Upgraded.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Thu Dec 10 00:12:58 UTC 2009
patches/packages/ntp-4.2.2p3-i486-2_slack10.2.tgz:  Rebuilt.
 Prevent a denial-of-service attack involving spoofed mode 7 packets.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
 (* Security fix *)
+--------------------------+
Wed Dec  2 20:51:55 UTC 2009
patches/packages/bind-9.4.3_P4-i486-1_slack10.2.tgz:  Upgraded.
 BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3-P3.  It addresses a
 potential cache poisoning vulnerability, in which data in the additional
 section of a response could be cached without proper DNSSEC validation.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
   http://www.kb.cert.org/vuls/id/418861
 (* Security fix *)
+--------------------------+
Wed Oct 28 01:23:19 UTC 2009
patches/packages/xpdf-3.02pl4-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes several security issues that could lead to an
 application crash, or execution of arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
 (* Security fix *)
+--------------------------+
Sat Oct  3 18:19:00 CDT 2009
patches/packages/samba-3.0.37-i486-1_slack10.2.tgz:
 This update fixes the following security issues.
 A misconfigured /etc/passwd with no defined home directory could allow
 security restrictions to be bypassed.
 mount.cifs could allow a local user to read the first line of an arbitrary
 file if installed setuid.  (On Slackware, it was not installed setuid.)
 Specially crafted SMB requests could cause a denial of service.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2948
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906
 (* Security fix *)
+--------------------------+
Thu Aug 20 22:12:00 CDT 2009
patches/packages/mozilla-thunderbird-2.0.0.23-i686-1.tgz:
 This upgrade fixes a security bug.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Fri Aug 14 13:42:26 CDT 2009
patches/packages/curl-7.12.2-i486-4_slack10.2.tgz:
 This update fixes a security issue where a zero byte embedded in an SSL
 or TLS certificate could fool cURL into validating the security of a
 connection to a system that the certificate was not issued for.  It has
 been reported that at least one Certificate Authority allowed such
 certificates to be issued.
 For more information, see:
   http://curl.haxx.se/docs/security.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
 (* Security fix *)
+--------------------------+
Fri Aug  7 14:25:03 CDT 2009
patches/packages/samba-3.0.36-i486-1_slack10.2.tgz:  Upgraded.
 This is a bugfix release.
+--------------------------+
Thu Aug  6 00:48:30 CDT 2009
patches/packages/fetchmail-6.3.11-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes an SSL NUL prefix impersonation attack through NULs in a
 part of an X.509 certificate's CommonName and subjectAltName fields.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
 (* Security fix *)
+--------------------------+
Wed Jul 29 23:10:01 CDT 2009
patches/packages/bind-9.4.3_P3-i486-1_slack10.2.tgz:  Upgraded.
 This BIND update fixes a security problem where a specially crafted
 dynamic update message packet will cause named to exit resulting in
 a denial of service.
 An active remote exploit is in wide circulation at this time.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
   https://www.isc.org/node/479
 (* Security fix *)
+--------------------------+
Tue Jul 14 18:07:41 CDT 2009
patches/packages/dhcp-3.1.2p1-i486-1_slack10.2.tgz:  Upgraded.
 A stack overflow vulnerability was fixed in dhclient that could allow
 remote attackers to execute arbitrary commands as root on the system,
 or simply terminate the client, by providing an over-long subnet-mask
 option.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
 (* Security fix *)
+--------------------------+
Sat Jun 27 18:54:07 CDT 2009
patches/packages/mozilla-thunderbird-2.0.0.22-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.22.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Fri Jun 26 22:05:35 CDT 2009
patches/packages/samba-3.0.35-i486-1_slack10.2.tgz:
 This upgrade fixes the following security issue:
 o CVE-2009-1888:
   In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
   data value can potentially affect access control when "dos filemode"
   is set to "yes".
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
 (* Security fix *)
+--------------------------+
Fri Jun 19 18:22:20 CDT 2009
patches/packages/libpng-1.2.37-i486-1_slack10.2.tgz:  Upgraded.
 This update fixes a possible security issue.  Jeff Phillips discovered an
 uninitialized-memory-read bug affecting interlaced images that may have
 security implications.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
 (* Security fix *)
+--------------------------+
Wed Jun  3 18:09:52 CDT 2009
patches/packages/ntp-4.2.2p3-i486-1_slack10.2.tgz:
 Patched a stack-based buffer overflow in the cookedprint function in
 ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 that allows arbitrary code
 execution by a malicious remote NTP server.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
 (* Security fix *)
+--------------------------+
Thu May 14 18:09:26 CDT 2009
patches/packages/cyrus-sasl-2.1.23-i486-1_slack10.2.tgz:
 Upgraded to cyrus-sasl-2.1.23.
 This fixes a buffer overflow in the sasl_encode64() function that could lead
 to crashes or the execution of arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0688
 (* Security fix *)
+--------------------------+
Sat May  9 18:03:41 CDT 2009
patches/packages/xpdf-3.02pl3-i486-1_slack10.2.tgz:
 Upgraded to xpdf-3.02pl3.
 This update fixes several overflows that may result in crashes or the
 execution of arbitrary code as the xpdf user.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
 (* Security fix *)
+--------------------------+
Mon Apr 20 23:27:45 CDT 2009
patches/packages/udev-064-i486-4_slack10.2.tgz:
 This package has been patched to fix a local root hole.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
 (* Security fix *)
+--------------------------+
Tue Mar 24 01:56:10 CDT 2009
patches/packages/lcms-1.18-i486-1_slack10.2.tgz:  Upgraded to lcms-1.18.
 This update fixes security issues discovered in LittleCMS by Chris Evans.
 These flaws could cause program crashes (denial of service) or the execution
 of arbitrary code as the user of the lcms-linked program.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
 (* Security fix *)
patches/packages/mozilla-thunderbird-2.0.0.21-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.21.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Mon Mar  9 00:04:05 CDT 2009
patches/packages/curl-7.12.2-i486-3_slack10.2.tgz:
 Patched curl-7.12.2.
 This fixes a security issue where automatic redirection could be made to
 follow file:// URLs, reading or writing a local instead of remote file.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
 (* Security fix *)
+--------------------------+
Fri Feb 20 17:20:49 CST 2009
patches/packages/libpng-1.2.35-i486-1_slack10.2.tgz:
 Upgraded to libpng-1.2.35.
 This fixes multiple memory-corruption vulnerabilities due to a failure to
 properly initialize data structures.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
   ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt
 (* Security fix *)
+--------------------------+
Mon Jan 19 12:59:20 CST 2009
patches/packages/bind-9.3.6_P1-i486-3_slack10.2.tgz:
 It appears there was a newer libdns.so installed on the Slackware 10.2
 build box which caused the bind update for Slackware 10.2 to fail once
 again, but I'm fairly sure that the third time is the charm.  If not, let
 me know and I'll build that box up again from a clean install.
 My apologies for any inconvenience.
+--------------------------+
Thu Jan 15 16:48:00 CST 2009
patches/packages/bind-9.3.6_P1-i486-2_slack10.2.tgz:
 Recompiled.  The -1_slack10.2 package was compiled on a Slackware 10.2
 system running a 2.6.x kernel, and this caused problems for machines running
 the default 2.4.31 kernel.  This package should run correctly.
+--------------------------+
Wed Jan 14 20:37:39 CST 2009
patches/packages/bind-9.3.6_P1-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.6-P1.
 Fixed checking on return values from OpenSSL's EVP_VerifyFinal and
 DSA_do_verify functions to prevent spoofing answers returned from zones using
 the DNSKEY algorithms DSA and NSEC3DSA.
 For more information, see:
   https://www.isc.org/node/373
   http://www.ocert.org/advisories/ocert-2008-016.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
 (* Security fix *)
patches/packages/ntp-4.2.4p6-i486-1_slack10.2.tgz:
 [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
 For more information, see:
   https://lists.ntp.org/pipermail/announce/2009-January/000055.html
   http://www.ocert.org/advisories/ocert-2008-016.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
 (* Security fix *)
+--------------------------+
Wed Dec 31 11:35:43 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.19-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.19.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Thu Dec 18 12:44:59 CST 2008
patches/packages/mozilla-firefox-2.0.0.20-i686-1.tgz:
 Upgraded to firefox-2.0.0.20.
 This fixes some security issues.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
 (* Security fix *)
+--------------------------+
Fri Nov 28 16:27:52 CST 2008
patches/packages/samba-3.0.33-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.33.
 This package fixes an important barrier against rogue clients reading from
 uninitialized memory (though no proof-of-concept is known to exist).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314
 (* Security fix *)
+--------------------------+
Thu Nov 20 18:14:27 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.18-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.18.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Wed Nov 19 19:13:12 CST 2008
patches/packages/libxml2-2.6.32-i486-1_slack10.2.tgz:
 Upgraded to libxml2-2.6.32 and patched.
 This fixes vulnerabilities including denial of service, or possibly the
 execution of arbitrary code as the user running a libxml2 linked application
 if untrusted XML content is parsed.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
 (* Security fix *)
+--------------------------+
Sat Nov 15 19:22:43 CST 2008
patches/packages/mozilla-firefox-2.0.0.18-i686-1.tgz:
 Upgraded to firefox-2.0.0.18.
 This fixes some security issues.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
 (* Security fix *)
+--------------------------+
Mon Oct 13 13:58:21 CDT 2008
patches/packages/glibc-zoneinfo-2.3.5-noarch-11_slack10.2.tgz:
 Upgraded to tzdata2008h for the latest world timezone changes.
+--------------------------+
Fri Sep 26 22:38:32 CDT 2008
patches/packages/mozilla-thunderbird-2.0.0.17-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.17.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Thu Sep 25 23:24:07 CDT 2008
patches/packages/mozilla-firefox-2.0.0.17-i686-1.tgz:
 Upgraded to firefox-2.0.0.17.
 This release fixes some more security vulnerabilities.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
 (* Security fix *)
+--------------------------+
Wed Sep 17 02:28:20 CDT 2008
patches/packages/bind-9.3.5_P2-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.5-P2.
 This version has performance gains over bind-9.3.5-P1.
+--------------------------+
Wed Sep  3 19:51:43 CDT 2008
patches/packages/php-4.4.9-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.9.  This upgrades the bundled PCRE library to fix
 security issues, as well as fixing a few other security related bugs.
 See the PHP4 ChangeLog for more details:
   http://www.php.net/ChangeLog-4.php#4.4.9
 Please note:  PHP4 has been officially discontinued since last year, and
 reached the announced EOL on 2008-08-08.  Sites should consider migrating
 to a supported release.
 (* Security fix *)
+--------------------------+
Mon Sep  1 21:56:29 CDT 2008
patches/packages/samba-3.0.32-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.32.  This is a bugfix release.  See the WHATSNEW.txt
 file in the Samba docs for details on what has changed.
+--------------------------+
Mon Aug  4 14:03:01 CDT 2008
patches/packages/python-2.4.5-i486-1_slack10.2.tgz:
 Upgraded to 2.4.5 and patched overflows and other security problems.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
 (* Security fix *)
patches/packages/python-demo-2.4.5-i486-1_slack10.2.tgz:  Upgraded.
patches/packages/python-tools-2.4.5-i486-1_slack10.2.tgz:  Upgraded.
+--------------------------+
Mon Jul 28 22:05:06 CDT 2008
patches/packages/fetchmail-6.3.8-i486-1_slack10.2.tgz:
 Patched to fix a possible denial of service when "-v -v" options are used.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
 (* Security fix *)
patches/packages/mozilla-thunderbird-2.0.0.16-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.16.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
 (* Security fix *)
+--------------------------+
Wed Jul 23 16:27:21 CDT 2008
patches/packages/dnsmasq-2.45-i486-1_slack10.2.tgz:
 Upgraded to dnsmasq-2.45.
 It was discovered that earlier versions of dnsmasq have DNS cache
 weaknesses that are similar to the ones recently discovered in BIND.
 This new release minimizes the risk of cache poisoning.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
 (* Security fix *)
+--------------------------+
Wed Jul 16 17:14:13 CDT 2008
patches/packages/mozilla-firefox-2.0.0.16-i686-1.tgz:
 Upgraded to firefox-2.0.0.16.
 This release fixes some more security vulnerabilities.
 For more information, see:
   http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
 (* Security fix *)
+--------------------------+
Wed Jul  9 20:03:57 CDT 2008
patches/packages/bind-9.3.5_P1-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.5-P1.
 This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache
 Poisoning Issue.  This is the summary of the problem from the BIND site:
   "A weakness in the DNS protocol may enable the poisoning of caching
    recursive resolvers with spoofed data.  DNSSEC is the only full solution.
    New versions of BIND provide increased resilience to the attack."
 It is suggested that sites that run BIND upgrade to one of the new packages
 in order to reduce their exposure to DNS cache poisoning attacks.
 For more information, see:
   http://www.isc.org/sw/bind/bind-security.php
   http://www.kb.cert.org/vuls/id/800113
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
 (* Security fix *)
patches/packages/mozilla-firefox-2.0.0.15-i686-1.tgz:
 Upgraded to firefox-2.0.0.15.
 This release closes several possible security vulnerabilities and bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Wed May 28 19:46:22 CDT 2008
patches/packages/samba-3.0.30-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.30.
 This is a security release in order to address CVE-2008-1105 ("Boundary
 failure when parsing SMB responses can result in a buffer overrun").
 For more information on the security issue, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
 (* Security fix *)
+--------------------------+
Wed May  7 16:54:39 CDT 2008
patches/packages/mozilla-thunderbird-2.0.0.14-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.14.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
testing/packages/php5/php-5.2.6-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.6.  PHP4 was standard in Slackware 10.2, which is why
 this package is provided "in place" under /testing rather than under
 /patches (where upgrade tools might mistakenly grab and install it where
 it would not be desirable.)  PHP5 has never been officially supported in
 Slackware 10.2, but we upgrade it anyway...  :-)
 This version of PHP contains many fixes and enhancements.  Some of the fixes
 are security related, and the PHP release announcement provides this list:
   * Fixed possible stack buffer overflow in the FastCGI SAPI identified by
     Andrei Nigmatulin.
   * Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
   * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
   * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
   * Properly address incomplete multibyte chars inside escapeshellcmd()
     identified by Stefan Esser.
   * Upgraded bundled PCRE to version 7.6
 When last checked, CVE-2008-0599 was not yet open.  However, additional
 information should become available at this URL:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
 The list reproduced above, as well as additional information about other
 fixes in PHP 5.2.6 may be found in the PHP release announcement here:
   http://www.php.net/releases/5_2_6.php
 (* Security fix *)
+--------------------------+
Mon Apr 28 23:46:17 CDT 2008
patches/packages/libpng-1.2.27-i486-1_slack10.2.tgz:
 Upgraded to libpng-1.2.27.
 This fixes various bugs, the most important of which have to do with the
 handling of unknown chunks containing zero-length data.  Processing a PNG
 image that contains these could cause the application using libpng to crash
 (possibly resulting in a denial of service), could potentially expose the
 contents of uninitialized memory, or could cause the execution of arbitrary
 code as the user running libpng (though it would probably be quite difficult
 to cause the execution of attacker-chosen code).  We recommend upgrading the
 package as soon as possible.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
   ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.27-README.txt
 (* Security fix *)
+--------------------------+
Sat Apr 19 23:49:25 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-3_slack10.2.tgz:
 Recompiled, with --without-speex (we didn't ship the speex library in
 Slackware anyway, but for reference this issue would be CVE-2008-1686),
 and with --disable-nosefart (the NSF format was recently reported as
 insecurely demuxed).  As before in -2, this package fixes the two
 regressions mentioned in the release notes for xine-lib-1.1.12:
   http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655
 (* Security fix *)
+--------------------------+
Thu Apr 17 16:25:55 CDT 2008
patches/packages/mozilla-firefox-2.0.0.14-i686-1.tgz:
 Upgraded to firefox-2.0.0.14.
 This upgrade fixes a potential security bug.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Tue Apr  8 00:17:36 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-2_slack10.2.tgz:
 Patched to fix playback failure affecting several media formats
 accidentally broken in the xine-lib-1.1.11.1 release.  Thanks to Diogo Sousa
 for pointing me to the new release notes on xinehq.de.
+--------------------------+
Mon Apr  7 02:04:58 CDT 2008
patches/packages/bzip2-1.0.5-i486-1_slack10.2.tgz:  Upgraded to bzip2-1.0.5.
 Previous versions of bzip2 contained a buffer overread error that could cause
 applications linked to libbz2 to crash, resulting in a denial of service.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
 (* Security fix *)
patches/packages/m4-1.4.11-i486-1_slack10.2.tgz:  Upgraded to m4-1.4.11.
 In addition to bugfixes and enhancements, this version of m4 also fixes two
 issues with possible security implications.  A minor security fix with the
 use of "maketemp" and "mkstemp" -- these are now quoted to prevent the
 (rather unlikely) possibility that an unquoted string could match an
 existing macro causing operations to be done on the wrong file.  Also,
 a problem with the '-F' option (introduced with version 1.4) could cause a
 core dump or possibly (with certain file names) the execution of arbitrary
 code.  For more information on these issues, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
 (* Security fix *)
+--------------------------+
Fri Apr  4 12:36:37 CDT 2008
patches/packages/openssh-5.0p1-i486-1_slack10.2.tgz:
 Upgraded to openssh-5.0p1.
 This version fixes a security issue where local users could hijack forwarded
 X connections.  Upgrading to the new package is highly recommended.
 For more information on this security issue, please see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
 (* Security fix *)
+--------------------------+
Mon Mar 31 23:33:58 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-1_slack10.2.tgz:
 Upgraded to xine-lib-1.1.11.1.
 Earlier versions of xine-lib suffer from an integer overflow which may lead
 to a buffer overflow that could potentially be used to gain unauthorized
 access to the machine if a malicious media file is played back.  File types
 affected this time include .flv, .mov, .rm, .mve, .mkv, and .cak.
 For more information on this security issue, please see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
 (* Security fix *)
+--------------------------+
Sat Mar 29 03:09:17 CDT 2008
patches/packages/mozilla-firefox-2.0.0.13-i686-1.tgz:
 Upgraded to firefox-2.0.0.13.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/xine-lib-1.1.11-i686-1_slack10.2.tgz:
 Earlier versions of xine-lib suffer from an array index bug that
 may have security implications if a malicious RTSP stream is
 played.  Playback of other media formats is not affected.
 If you use RTSP, you should probably upgrade xine-lib.
 For more information on the security issue, please see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
 (* Security fix *)
+--------------------------+
Sat Mar  1 15:55:28 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.12-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.12.
 This update fixes the following security related issues:
   MFSA 2008-12:  Heap buffer overflow in external MIME bodies
   MFSA 2008-05:  Directory traversal via chrome: URI
   MFSA 2008-03:  Privilege escalation, XSS, Remote Code Execution
   MFSA 2008-01:  Crashes with evidence of memory corruption (rv:1.8.1.12)
 For more information, see:
   http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
   http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
   http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
   http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
 These are the related CVE entries:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
 (* Security fix *)
+--------------------------+
Thu Feb 14 17:37:11 CST 2008
patches/packages/apache-1.3.41-i486-1_slack10.2.tgz:
 Upgraded to apache-1.3.41, the last regular release of the
 Apache 1.3.x series, and a security bugfix-only release.
 For more information about the security issues fixed, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
 (* Security fix *)
patches/packages/mod_ssl-2.8.31_1.3.41-i486-1_slack10.2.tgz:
 Upgraded to mod_ssl-2.8.31-1.3.41 to work with apache_1.3.41.
patches/packages/php-4.4.8-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.8.  This is a security and bugfix release.
 More information may be found here:
   http://bugs.php.net/43010
 This is the last regular release of PHP-4.4.x.
 The EOL is scheduled for 2008-08-08.
 (* Security fix *)
+--------------------------+
Tue Feb 12 23:07:34 CST 2008
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
 Upgraded to firefox-2.0.0.12.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Mon Dec 31 18:49:52 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-10_slack10.2.tgz:
 Some deja vu.  ;-)
 Upgraded to tzdata2007k.  A new year should be started with the
 latest timezone data, so here it is.
 Happy holidays, and a happy new year to all!  :-)
+--------------------------+
Mon Dec 24 15:54:26 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-9_slack10.2.tgz:
 Upgraded to tzdata2007j.  A new year should be started with the
 latest timezone data, so here it is.
 Happy holidays, and a happy new year to all!  :-)
+--------------------------+
Mon Dec 10 12:45:35 CST 2007
patches/packages/samba-3.0.28-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.28.
 Samba 3.0.28 is a security release in order to address a boundary failure
 in GETDC mailslot processing that can result in a buffer overrun leading
 to possible code execution.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6015
   http://www.samba.org/samba/history/samba-3.0.28.html
   http://secunia.com/secunia_research/2007-99/advisory/
 (* Security fix *)
+--------------------------+
Mon Dec  3 19:58:51 CST 2007
patches/packages/samba-3.0.27a-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.27a.
 This update fixes a crash bug regression experienced by smbfs clients caused
 by the fix for CVE-2007-4572.
+--------------------------+
Sat Dec  1 16:57:18 CST 2007
patches/packages/rsync-2.6.9-i486-1_slack10.2.tgz:
 Patched some security bugs.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
   http://lists.samba.org/archive/rsync-announce/2007/000050.html
 (* Security fix *)
patches/packages/mozilla-firefox-2.0.0.11-i686-1.tgz:  Upgraded to Firefox
 2.0.0.11, which fixed a bug introduced by the 2.0.0.10 update in the
 <canvas> feature that affected some web pages and extensions.
+--------------------------+
Tue Nov 27 16:23:07 CST 2007
patches/packages/mozilla-firefox-2.0.0.10-i686-1.tgz:
 Upgraded to firefox-2.0.0.10.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Wed Nov 21 00:55:51 CST 2007
patches/packages/libpng-1.2.23-i486-1_slack10.2.tgz:
 Upgraded to libpng-1.2.23.
 Previous libpng versions may crash when loading malformed PNG files.
 It is not currently known if this vulnerability can be exploited to
 execute malicious code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
 (* Security fix *)
+--------------------------+
Tue Nov 20 16:49:58 CST 2007
patches/packages/mozilla-thunderbird-2.0.0.9-i686-1.tgz:
 Upgraded to thunderbird-2.0.0.9.
 This update fixes the following security related issues:
   URIs with invalid %-encoding mishandled by Windows (MFSA 2007-36).
   Crashes with evidence of memory corruption (MFSA 2007-29).
 OK, so the first one obviously does not affect us.  :-)  The second fix has
 to do with the same JavaScript handling problem fixed before in Firefox.
 JavaScript is not enabled by default in Thunderbird, and the developers
 (at least in MFSA 2007-36) do not recommend turning it on.
 For more information, see:
   http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
   http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4841
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
 (* Security fix *)
+--------------------------+
Fri Nov 16 17:22:18 CST 2007
patches/packages/samba-3.0.27-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.27.
 Samba 3.0.27 is a security release in order to address a stack buffer
 overflow in nmbd's logon request processing, and remote code execution in
 Samba's WINS server daemon (nmbd) when processing name registration followed
 by name query requests.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
 (* Security fix *)
+--------------------------+
Mon Nov 12 01:25:34 CST 2007
patches/packages/kdegraphics-3.4.2-i486-3_slack10.2.tgz:
 Patched xpdf related bugs.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
 (* Security fix *)
patches/packages/xpdf-3.02pl2-i486-1_slack10.2.tgz:
 Upgraded to xpdf-3.02pl2.
 The pl2 patch fixes a crash in xpdf.
 Some theorize that this could be used to execute arbitrary code if an
 untrusted PDF file is opened, but no real-world examples are known (yet).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
 (* Security fix *)
+--------------------------+
Sat Nov 10 15:36:59 CST 2007
patches/packages/mozilla-firefox-2.0.0.9-i686-1.tgz:
 Upgraded to firefox-2.0.0.9.
 This upgrade improves the stability of Firefox.
 For more information, see:
   http://developer.mozilla.org/devnews/index.php/2007/11/01/firefox-2009-stability-update-now-available-for-download/
testing/packages/php5/php-5.2.5-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.5.
 This fixes bugs and security issues.
 For more information, see:
   http://www.php.net/releases/5_2_5.php
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
 (* Security fix *)
+--------------------------+
Thu Nov  1 22:03:53 CDT 2007
patches/packages/cups-1.1.23-i486-2_slack10.2.tgz:
 Patched cups-1.1.23.
 Errors in ipp.c may allow a remote attacker to crash CUPS resulting
 in a denial of service.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
 (* Security fix *)
+--------------------------+
Wed Oct 24 22:51:37 CDT 2007
patches/packages/mozilla-firefox-2.0.0.8-i686-1.tgz:
 Upgraded to firefox-2.0.0.8.
 This upgrade fixes some more security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
The ancient Firefox in slackware/xap will be left there, as we no longer
change the main tree after a release.  It's strongly suggested that you
consider upgrading to a newer version, though.
+--------------------------+
Wed Oct 10 11:50:50 CDT 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-8_slack10.2.tgz:
 Upgraded to timezone data from tzcode2007h and tzdata2007h.
 This contains the latest timezone data from NIST, including some important
 changes to daylight savings time in Brazil and New Zealand.
+--------------------------+
Wed Sep 12 15:20:06 CDT 2007
patches/packages/openssh-4.7p1-i486-1_slack10.2.tgz:
 Upgraded to openssh-4.7p1.
 From the OpenSSH release notes:
 "Security bugs resolved in this release:  Prevent ssh(1) from using a
 trusted X11 cookie if creation of an untrusted cookie fails; found and
 fixed by Jan Pechanec."
 While it's fair to say that we here at Slackware don't see how this could
 be leveraged to compromise a system, a) the OpenSSH people (who presumably
 understand the code better) characterize this as a security bug, b) it has
 been assigned a CVE entry, and c) OpenSSH is one of the most commonly used
 network daemons.  Better safe than sorry.
 More information should appear here eventually:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
 (* Security fix *)
patches/packages/samba-3.0.26a-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.26a.
 This fixes a security issue in all Samba 3.0.25 versions:
 "Incorrect primary group assignment for domain users using the rfc2307
  or sfu winbind nss info plugin."
 For more information, see:
   http://www.samba.org/samba/security/CVE-2007-4138.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4138
 (* Security fix *)
testing/packages/php5/php-5.2.4-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.4.  The PHP announcement says this version fixes over
 120 bugs as well as "several low priority security bugs."
 Read more about it here:
   http://www.php.net/releases/5_2_4.php
 (* Security fix *)
+--------------------------+
Sat Aug 18 15:00:32 CDT 2007
patches/packages/tcpdump-3.9.7-i486-1_slack10.2.tgz:
 Upgraded to libpcap-0.9.7, tcpdump-3.9.7.
 This new version fixes an integer overflow in the BGP dissector which
 could possibly allow remote attackers to crash tcpdump or to execute
 arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
 (* Security fix *)
+--------------------------+
Fri Aug 10 22:39:13 CDT 2007
patches/packages/gimp-2.2.17-i486-1_slack10.2.tgz:
 Upgraded to gimp-2.2.17, which fixes buffer overflows when decoding
 certain image types.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2949
 (* Security fix *)
patches/packages/qt-3.3.4-i486-5_slack10.2.tgz:
 Patched to fix several format string bugs.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
 (* Security fix *)
patches/packages/xpdf-3.02pl1-i486-1_slack10.2.tgz:
 Upgraded to xpdf-3.02pl1.  This fixes an integer overflow that could possibly
 be leveraged to run arbitrary code if a malicious PDF file is processed.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
 (* Security fix *)
+--------------------------+
Thu Jul 26 15:51:42 CDT 2007
patches/packages/bind-9.3.4_P1-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.4_P1 to fix a security issue.
 The query IDs in BIND9 prior to BIND 9.3.4-P1 are cryptographically weak.
 For more information on this issue, see:
   http://www.isc.org/index.pl?/sw/bind/bind-security.php
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
 (* Security fix *)
+--------------------------+
Wed Jun 13 22:08:36 CDT 2007
patches/packages/libexif-0.6.16-i486-1_slack10.2.tgz:
 Upgraded to libexif-0.6.16.
 An integer overflow in libexif can crash applications that use the library
 on malformed images.  The upstream advisory indicates that this flaw could
 also be used to execute arbitrary code in the context of the user, but no
 exploit is known (by us) to exist among iDefense's researchers or in the
 wild.  But, as a crash bug and heap overflow one must suppose that the
 possibility exists.
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4168
 (* Security fix *)
+--------------------------+
Fri Jun  1 19:54:09 CDT 2007
patches/packages/mozilla-firefox-1.5.0.12-i686-1.tgz:
 Upgraded to firefox-1.5.0.12.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.12-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.12.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Fri Jun  1 14:54:59 CDT 2007
testing/packages/php5/php-5.2.3-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.3.
 Here's some basic information about the release from php.net:
   "This release continues to improve the security and the stability of the
   5.X branch as well as addressing two regressions introduced by the
   previous 5.2 releases.  These regressions relate to the timeout handling
   over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in
   certain conditions.  All users are encouraged to upgrade to this release."
 For more complete information, see:
   http://www.php.net/releases/5_2_3.php
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872
 (* Security fix *)
+--------------------------+
Fri May 25 11:27:02 CDT 2007
patches/packages/samba-3.0.25a-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.25a.  This fixes some major (non-security) bugs in
 samba-3.0.25.  See the WHATSNEW.txt for details.
+--------------------------+
Wed May 16 16:16:59 CDT 2007
patches/packages/libpng-1.2.18-i486-1_slack10.2.tgz:
 Upgraded to libpng-1.2.18.
 A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some
 libpng applications.  This vulnerability has been assigned the identifiers
 CVE-2007-2445 and CERT VU#684664.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445
 (* Security fix *)
+--------------------------+
Mon May 14 18:22:43 CDT 2007
patches/packages/samba-3.0.25-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.25.
 Security Fixes included in the Samba 3.0.25 release are:
 o CVE-2007-2444
       Versions: Samba 3.0.23d - 3.0.25pre2
       Local SID/Name translation bug can result in
       user privilege elevation
 o CVE-2007-2446
       Versions: Samba 3.0.0 - 3.0.24
       Multiple heap overflows allow remote code execution
 o CVE-2007-2447
       Versions: Samba 3.0.0 - 3.0.24
       Unescaped user input parameters are passed as
       arguments to /bin/sh allowing for remote command
       execution
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447
 (* Security fix *)
+--------------------------+
Mon May  7 21:56:52 CDT 2007
patches/packages/php-4.4.7-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.7.
 This fixes bugs and improves security.
 For more details, see:
   http://www.php.net/releases/4_4_7.php
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
 (* Security fix *)
testing/packages/php5/php-5.2.2-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.2.
 This fixes bugs and improves security.
 For more details, see:
   http://www.php.net/releases/5_2_2.php
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
 (* Security fix *)
+--------------------------+
Thu Apr 26 12:39:47 CDT 2007
patches/packages/x11-6.8.2-i486-10_slack10.2.tgz:  Fixed some bugs in the
 fontconfig upgrade...   Put cache files in /var/cache/fontconfig, not
 /var/X11R6/var/cache/fontconfig.  Properly locate and compress fontconfig
 man pages.  Thanks to Eef Hartman for pointing these out.
patches/packages/x11-devel-6.8.2-i486-10_slack10.2.tgz:  Recompiled.
patches/packages/x11-xdmx-6.8.2-i486-10_slack10.2.tgz:  Recompiled.
patches/packages/x11-xnest-6.8.2-i486-10_slack10.2.tgz:  Recompiled.
patches/packages/x11-xvfb-6.8.2-i486-10_slack10.2.tgz:  Recompiled.
+--------------------------+
Thu Apr 19 18:53:08 CDT 2007
patches/packages/x11-6.8.2-i486-9_slack10.2.tgz:
 Replaced freetype library with freetype-2.3.4.
 This fixes an overflow parsing BDF fonts.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
 (* Security fix *)
 Upgraded to fontconfig-2.4.2.
patches/packages/x11-devel-6.8.2-i486-9_slack10.2.tgz:
 Replaced freetype library with freetype-2.3.4.
 This fixes an overflow parsing BDF fonts.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
 (* Security fix *)
 Upgraded to fontconfig-2.4.2.
patches/packages/x11-xnest-6.8.2-i486-9_slack10.2.tgz:
 Recompiled.
patches/packages/x11-xvfb-6.8.2-i486-9_slack10.2.tgz:
 Recompiled.
patches/packages/x11-xdmx-6.8.2-i486-9_slack10.2.tgz:
 Recompiled.
patches/packages/xine-lib-1.1.6-i686-1_slack10.2.tgz:
 Upgraded to xine-lib-1.1.6.
 This fixes overflows in xine-lib in some little-used media formats in
 xine-lib < 1.1.5 and other bugs in xine-lib < 1.1.6.  The overflows in
 xine-lib < 1.1.5 could definitely cause an application using xine-lib to
 crash, and it is theorized that a malicious media file could be made to run
 arbitrary code in the context of the user running the application.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
 (* Security fix *)
+--------------------------+
Tue Apr  3 15:01:57 CDT 2007
patches/packages/file-4.20-i486-1_slack10.2.tgz:
 Upgraded to file-4.20.
 This fixes a heap overflow that could allow code to be executed as the
 user running file (note that there are many scenarios where file might be
 used automatically, such as in virus scanners or spam filters).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
 (* Security fix *)
patches/packages/qt-3.3.4-i486-4_slack10.2.tgz:
 Patched an issue where the Qt UTF-8 decoder may in some instances fail to
 reject overlong sequences, possibly allowing "/../" path injection or XSS
 errors.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
 (* Security fix *)
+--------------------------+
Mon Mar 26 20:54:55 CDT 2007
patches/packages/libwpd-0.8.9-i486-1_slack10.2.tgz:
 Upgraded to libwpd-0.8.9.
 Various overflows may lead to application crashes upon opening a specially
 crafted WordPerfect file.  This vulnerability could also conceivably be
 used by an attacker to execute arbitrary code.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-002
 (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.11-i686-1.tgz:
 Upgraded to mozilla-firefox-1.5.0.11.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Tue Mar 13 18:22:59 CDT 2007
patches/packages/php-4.4.6-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.6.
 This version of PHP fixes a problem introduced with the last PHP release
 where certain applications using "register_globals" may crash.
+--------------------------+
Wed Mar  7 18:01:55 CST 2007
patches/packages/gnupg-1.4.7-i486-1_slack10.2.tgz:
 Upgraded to gnupg-1.4.7.
 This fixes a security problem that can occur when GnuPG is used incorrectly.
 Newer versions attempt to prevent such misuse.
 For more information, see:
   http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
 (* Security fix *)
patches/packages/x11-6.8.2-i486-8_slack10.2.tgz:  Patched.
 This update fixes overflows in the dbe and render extensions.  This could
 possibly be exploited to overwrite parts of memory, possibly allowing
 malicious code to execute, or (more likely) causing X to crash.
 For information about some of the security fixes, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103
 (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.10-i686-1.tgz:
 Upgraded to firefox-1.5.0.10.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.10-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.10.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Thu Feb 22 21:13:04 CST 2007
patches/packages/php-4.4.5-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.5 which improves stability and security.
 For complete details, see http://www.php.net.
 For information about some of the security fixes, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
 (* Security fix *)
testing/packages/php-5.2.1/php-5.2.1-i486-1_slack10.2.tgz:
 Upgraded to php-5.2.1 which improves stability and security.
 For information about some of the security fixes, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
 (* Security fix *)
+--------------------------+
Sun Feb 18 15:20:36 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-7_slack10.2.tgz:
 Updated with tzdata2007b for impending Daylight Savings Time
 changes in the US.
+--------------------------+
Wed Feb  7 12:29:05 CST 2007
patches/packages/samba-3.0.24-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.24.  From the WHATSNEW.txt file:
   "Important issues addressed in 3.0.24 include:
    o Fixes for the following security advisories:
      - CVE-2007-0452 (Potential Denial of Service bug in smbd)
      - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
        NSS library on Solaris)
      - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)"
 Samba in Slackware is vulnerable to the first issue, which can cause smbd
 to enter into an infinite loop, disrupting Samba services.  Linux is not
 vulnerable to the second issue, and Slackware does not ship the afsacl.so
 VFS plugin (but it's something to be aware of if you build Samba with
 custom options).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454
 (* Security fix *)
+--------------------------+
Fri Jan 26 22:46:30 CST 2007
patches/packages/bind-9.3.4-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.4.  This update fixes two denial of service
 vulnerabilities where an attacker could crash the name server with
 specially crafted malformed data.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494
 (* Security fix *)
+--------------------------+
Wed Jan 24 14:15:07 CST 2007
patches/packages/fetchmail-6.3.6-i486-1_slack10.2.tgz:
 Upgraded to fetchmail-6.3.6.  This fixes two security issues.  First, a bug
 introduced in fetchmail-6.3.5 could cause fetchmail to crash.  However,
 no stable version of Slackware ever shipped fetchmail-6.3.5.  Second, a long
 standing bug (reported by Isaac Wilcox) could cause fetchmail to send a
 password in clear text or omit using TLS even when configured otherwise.
 All fetchmail users are encouraged to consider using getmail, or to upgrade
 to the new fetchmail packages.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867
 (* Security fix *)
+--------------------------+
Sat Dec 23 16:39:20 CST 2006
patches/packages/koffice-1.4.1-i486-3_slack10.2.tgz:
 Patched to fix a security problem with KOffice's PPT file parsing.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6120
 (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.9-i686-1.tgz:
 Upgraded to firefox-1.5.0.9.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.9-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.9.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
patches/packages/xine-lib-1.1.3-i686-1_slack10.2.tgz:
 Upgraded to xine-lib-1.1.3 which fixes possible security problems
 such as a heap overflow in libmms and a buffer overflow in the
 Real Media input plugin.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
 (* Security fix *)
+--------------------------+
Wed Dec  6 15:16:06 CST 2006
patches/packages/gnupg-1.4.6-i486-1_slack10.2.tgz:
 Upgraded to gnupg-1.4.6.  This release fixes a severe and exploitable
 bug in earlier versions of gnupg.  All gnupg users should update to the
 new packages as soon as possible.  For details, see the information
 concerning CVE-2006-6235 posted on lists.gnupg.org:
   http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
 This update also addresses a more minor security issue possibly
 exploitable when GnuPG is used in interactive mode.  For more information
 about that issue, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
 (* Security fix *)
+--------------------------+
Fri Dec  1 15:03:20 CST 2006
patches/packages/libpng-1.2.14-i486-1_slack10.2.tgz:
 Upgraded to libpng-1.2.14.  This fixes a bug where a specially crafted PNG
 file could crash applications that use libpng.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
 (* Security fix *)
patches/packages/proftpd-1.3.0a-i486-1_slack10.2.tgz:
 Upgraded to proftpd-1.3.0a plus an additional security patch.  Several
 security issues were found in proftpd that could lead to the execution of
 arbitrary code by a remote attacker, including one in mod_tls that does
 not require the attacker to be authenticated first.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
 (* Security fix *)
patches/packages/tar-1.16-i486-1_slack10.2.tgz:
 Upgraded to tar-1.16.
 This fixes an issue where files may be extracted outside of the current
 directory, possibly allowing a malicious tar archive, when extracted, to
 overwrite any of the user's files (in the case of root, any file on the
 system).
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097
 (* Security fix *)
+--------------------------+
Thu Nov  9 18:04:51 CST 2006
patches/packages/mozilla-firefox-1.5.0.8-i686-1.tgz:
 Upgraded to firefox-1.5.0.8.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.8-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.8.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Mon Nov  6 21:29:24 CST 2006
patches/packages/bind-9.3.2_P2-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.2-P2.  This fixes some security issues related to
 previous fixes in OpenSSL.  The minimum OpenSSL version was raised to
 OpenSSL 0.9.7l and OpenSSL 0.9.8d to avoid exposure to known security flaws
 in older versions (these patches were already issued for Slackware).  If you
 have not upgraded yet, get those as well to prevent a potentially exploitable
 security problem in named.  In addition, the default RSA exponent was changed
 from 3 to 65537.  RSA keys using exponent 3 (which was previously BIND's
 default) will need to be regenerated to protect against the forging
 of RRSIGs.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
 (* Security fix *)
+--------------------------+
Fri Nov  3 23:19:57 CST 2006
patches/packages/php-4.4.4-i486-2_slack10.2.tgz:  Patched the UTF-8 overflow.
 More details about the vulnerability may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465
 (* Security fix *)
patches/packages/screen-4.0.3-i486-1_slack10.2.tgz:  Upgraded to screen-4.0.3.
 This addresses an issue with the way screen handles UTF-8 character encoding
 that could allow screen to be crashed (or possibly code to be executed in the
 context of the screen user) if a specially crafted sequence of pseudo-UTF-8
 characters is displayed within a screen session.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573
 (* Security fix *)
+--------------------------+
Wed Oct 25 15:45:46 CDT 2006
patches/packages/qt-3.3.4-i486-3_slack10.2.tgz:  Patched.
 This fixes an issue with Qt's handling of pixmap images that causes Qt linked
 applications to crash if a specially crafted malicious image is loaded.
 Inspection of the code in question makes it seem unlikely that this could
 lead to more serious implications (such as arbitrary code execution), but it
 is recommended that users upgrade to the new Qt package.
 For more information, see:
   http://www.trolltech.com/company/newsroom/announcements/press.2006-10-19.5434451733
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811
 (* Security fix *)
+--------------------------+
Fri Sep 29 00:21:27 CDT 2006
patches/packages/openssl-0.9.7l-i486-1_slack10.2.tgz:
 Upgraded to shared libraries from openssl-0.9.7l.
 See openssl package update below.
 (* Security fix *)
patches/packages/openssh-4.4p1-i486-1_slack10.2.tgz:
 Upgraded to openssh-4.4p1.
 This fixes a few security related issues.  From the release notes found at
 http://www.openssh.com/txt/release-4.4:
   * Fix a pre-authentication denial of service found by Tavis Ormandy,
     that would cause sshd(8) to spin until the login grace time
     expired.
   * Fix an unsafe signal handler reported by Mark Dowd. The signal
     handler was vulnerable to a race condition that could be exploited
     to perform a pre-authentication denial of service. On portable
     OpenSSH, this vulnerability could theoretically lead to
     pre-authentication remote code execution if GSSAPI authentication
     is enabled, but the likelihood of successful exploitation appears
     remote.
   * On portable OpenSSH, fix a GSSAPI authentication abort that could
     be used to determine the validity of usernames on some platforms.
 Links to the CVE entries will be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
   After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set
 the way you want them.  Future upgrades will respect the existing permissions
 settings.  Thanks to Manuel Reimer for pointing out that upgrading openssh
 would enable a previously disabled sshd daemon.
   Do better checking of passwd, shadow, and group to avoid adding
   redundant entries to these files.  Thanks to Menno Duursma.
 (* Security fix *)
patches/packages/openssl-0.9.7l-i486-1_slack10.2.tgz:
 Upgraded to openssl-0.9.7l.
 This fixes a few security related issues:
     During the parsing of certain invalid ASN.1 structures an error
   condition is mishandled.  This can result in an infinite loop which
   consumes system memory (CVE-2006-2937).  (This issue did not affect
   OpenSSL versions prior to 0.9.7)
   Thanks to Dr S. N. Henson of Open Network Security and NISCC.
     Certain types of public key can take disproportionate amounts of
   time to process. This could be used by an attacker in a denial of
   service attack (CVE-2006-2940).
   Thanks to Dr S. N. Henson of Open Network Security and NISCC.
     A buffer overflow was discovered in the SSL_get_shared_ciphers()
   utility function.  An attacker could send a list of ciphers to an
   application that uses this function and overrun a buffer.
   (CVE-2006-3738)
   Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
     A flaw in the SSLv2 client code was discovered. When a client
   application used OpenSSL to create an SSLv2 connection to a malicious
   server, that server could cause the client to crash (CVE-2006-4343).
   Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
 Links to the CVE entries will be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
 (* Security fix *)
+--------------------------+
Tue Sep 19 14:07:49 CDT 2006
patches/packages/gzip-1.3.5-i486-1_slack10.2.tgz:
 Upgraded to gzip-1.3.5, and fixed a variety of bugs.
 Some of the bugs have possible security implications if gzip or its tools are
 fed a carefully constructed malicious archive.  Most of these issues were
 recently discovered by Tavis Ormandy and the Google Security Team.  Thanks
 to them, and also to the ALT and Owl developers for cleaning up the patch.
 For further details about the issues fixed, please see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338
 (* Security fix *)
+--------------------------+
Sat Sep 16 23:12:59 CDT 2006
patches/packages/x11-6.8.2-i486-7_slack10.2.tgz:
 Fixed an overflow in CID encoded Type1 font parsing.
 For further reference, see:
   http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
 (* Security fix *)
patches/packages/x11-devel-6.8.2-i486-7_slack10.2.tgz:  Recompiled.
patches/packages/x11-xdmx-6.8.2-i486-7_slack10.2.tgz:  Recompiled.
patches/packages/x11-xnest-6.8.2-i486-7_slack10.2.tgz:  Recompiled.
patches/packages/x11-xvfb-6.8.2-i486-7_slack10.2.tgz:  Recompiled.
+--------------------------+
Thu Sep 14 19:44:27 CDT 2006
patches/packages/mozilla-firefox-1.5.0.7-i686-1.tgz:
 Upgraded to firefox-1.5.0.7.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.7-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.7.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Thu Sep 14 05:30:50 CDT 2006
patches/packages/openssl-0.9.7g-i486-3_slack10.2.tgz:  Patched an issue where
 it is possible to forge certain kinds of RSA signatures.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
patches/packages/openssl-solibs-0.9.7g-i486-3_slack10.2.tgz:  Patched an issue
 where it is possible to forge certain kinds of RSA signatures.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
 (* Security fix *)
+--------------------------+
Thu Sep  7 23:41:37 CDT 2006
patches/packages/bind-9.3.2_P1-i486-1_slack10.2.tgz:
 Upgraded to bind-9.3.2_P1.
 This update addresses a denial of service vulnerability.
 BIND's CHANGES file says this:
   2066.   [security]      Handle SIG queries gracefully. [RT #16300]
 The best discussion I've found is in FreeBSD's advisory, so here's a link:
   http://security.FreeBSD.org/advisories/FreeBSD-SA-06:20.bind.asc
 Also, fixed some missing man pages.  (noticed by Xavier Thomassin -- thanks)
 (* Security fix *)
+--------------------------+
Tue Aug 22 15:20:32 CDT 2006
patches/packages/glibc-2.3.5-i486-6_slack10.2.tgz:  Patched an issue with
 kernel version parsing in ld-2.3.5.so that was leading glibc to treat 2.4
 kernels with 4 version parts (such as 2.4.33.1) as if they supported NPTL,
 leading to a crash at boot.
 Added ru_RU.CP1251 locale support.
 Updated timezone information from tzdata2006j.
 Updated timezone utilities from tzcode2006j.
patches/packages/glibc-i18n-2.3.5-noarch-6_slack10.2.tgz:  Rebuilt.
 Added ru_RU.CP1251 locale support.
patches/packages/glibc-profile-2.3.5-i486-6_slack10.2.tgz:  Recompiled.
patches/packages/glibc-solibs-2.3.5-i486-6_slack10.2.tgz:  Patched an issue
 with kernel version parsing in ld-2.3.5.so that was leading glibc to treat
 2.4 kernels with 4 version parts (such as 2.4.33.1) as if they supported
 NPTL, leading to a crash at boot.
patches/packages/glibc-zoneinfo-2.3.5-noarch-6_slack10.2.tgz:
 Updated timezone information from tzdata2006j.
+--------------------------+
Fri Aug 18 00:27:05 CDT 2006
patches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz:
 Patched vulnerabilities in libtiff which were found by Tavis Ormandy of
 the Google Security Team.  These issues could be used to crash programs
 linked to libtiff or possibly to execute code as the program's user.
 A low risk command-line overflow in tiffsplit was also patched.
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465
 (* Security fix *)
patches/packages/php-4.4.4-i486-1_slack10.2.tgz:  Upgraded to php-4.4.4.
 Some of the security issues fixed in this release include:
   * Added missing safe_mode/open_basedir checks inside the error_log(),
     file_exists(), imap_open() and imap_reopen() functions.
   * Fixed possible open_basedir/safe_mode bypass in cURL extension.
   * Fixed a buffer overflow inside sscanf() function.
 (* Security fix *)
testing/packages/php-5.1.5/php-5.1.5-i486-1_slack10.2.tgz:
 Usually packages in /testing aren't patched or upgraded after a release,
 but since quite a few people have probably deployed this one, and it is
 a network service, an upgraded package is being provided.
 Upgraded to php-5.1.5.
 Some of the security issues fixed in this release include:
   * Added missing safe_mode/open_basedir checks inside the error_log(),
     file_exists(), imap_open() and imap_reopen() functions.
   * Fixed possible open_basedir/safe_mode bypass in cURL extension and on
     PHP 5 with realpath cache.
   * Fixed a buffer overflow inside sscanf() function.
 (* Security fix *)
+--------------------------+
Sat Aug  5 01:23:15 CDT 2006
patches/packages/php-4.4.3-i486-1_slack10.2.tgz:
 Upgraded to php-4.4.3.
   From the announcement of the release:
    The security issues resolved include the following:
    * Disallow certain characters in session names.
    * Fixed a buffer overflow inside the wordwrap() function.
    * Prevent jumps to parent directory via the 2nd parameter of the
      tempnam() function.
    * Improved safe_mode check for the error_log() function.
    * Fixed cross-site scripting inside the phpinfo() function.
 The PHP 4.4.3 release announcement may be found on their web site:
   http://www.php.net
 (* Security fix *)
+--------------------------+
Wed Aug  2 22:03:08 CDT 2006
patches/packages/gnupg-1.4.5-i486-1_slack10.2.tgz:
 Upgraded to gnupg-1.4.5.
 From the gnupg-1.4.5 NEWS file:
   * Fixed 2 more possible memory allocation attacks.  They are
   similar to the problem we fixed with 1.4.4.  This bug can easily
   be exploited for a DoS; remote code execution is not entirely
   impossible.
 (* Security fix *)
+--------------------------+
Sun Jul 30 21:30:17 CDT 2006
patches/packages/mysql-4.1.21-i486-1_slack10.2.tgz:
 Upgraded to mysql-4.1.21.
 This is a bugfix and security release.
 For more details, see MySQL's news page about MySQL 4.1.21:
   http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
 The CVE entry may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469
 Thanks to Nino Petkov for pointing out this MySQL release to me.  :-)
 (* Security fix *)
+--------------------------+
Fri Jul 28 17:37:42 CDT 2006
patches/packages/apache-1.3.37-i486-1_slack10.2.tgz:
 Upgraded to apache-1.3.37.
 From the announcement on httpd.apache.org:
   This version of Apache is security fix release only.  An off-by-one flaw
   exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3
   since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
 The Slackware Security Team feels that the vast majority of installations
 will not be configured in a vulnerable way but still suggests upgrading to
 the new apache and mod_ssl packages for maximum security.
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
 And see Apache's announcement here:
   http://www.apache.org/dist/httpd/Announcement1.3.html
 (* Security fix *)
patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz:
 Upgraded to mod_ssl-2.8.28-1.3.37.
+--------------------------+
Thu Jul 27 16:27:14 CDT 2006
patches/packages/mozilla-firefox-1.5.0.5-i686-1.tgz:
 Upgraded to firefox-1.5.0.5.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.5-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.5.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Wed Jul 26 15:51:51 CDT 2006
patches/packages/xine-lib-1.1.2-i686-1.tgz:
 Upgraded to xine-lib-1.1.2.
 According to xinehq.de's announcement:
  There are three security fixes:
    - CVE-2005-4048: possible buffer overflow in libavcodec (crafted PNGs);
    - CVE-2006-2802: possible buffer overflow in the HTTP plugin;
    - possible buffer overflow via bad indexes in specially-crafted AVI files.
 (* Security fix *)
+--------------------------+
Tue Jul 25 14:19:42 CDT 2006
patches/packages/gimp-2.2.12-i486-1.tgz:  Upgraded to gimp-2.2.12.
 This release fixes a security hole in the XCF parser.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
 (* Security fix *)
patches/packages/mutt-1.4.2.2i-i486-1_slack10.2.tgz:
 Upgraded to mutt-1.4.2.2i.
 This release fixes CVE-2006-3242, a buffer overflow that could be triggered
 by a malicious IMAP server.
 [Connecting to malicious IMAP servers must be common, right? -- Ed.]
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242
 (* Security fix *)
patches/packages/x11-6.8.2-i486-6_slack10.2.tgz:
 Patched some more possible linux 2.6.x setuid() related bugs:
   http://lists.freedesktop.org/archives/xorg-announce/2006-June/000100.html
 Patched CVE-2006-1861 linux 2.6.x setuid() related bugs in freetype2.
 (* Security fix *)
patches/packages/x11-devel-6.8.2-i486-6_slack10.2.tgz:  Patched as above.
 (* Security fix *)
patches/packages/x11-xdmx-6.8.2-i486-6_slack10.2.tgz:  Rebuilt.
patches/packages/x11-xnest-6.8.2-i486-6_slack10.2.tgz:  Rebuilt.
patches/packages/x11-xvfb-6.8.2-i486-6_slack10.2.tgz:  Rebuilt.
+--------------------------+
Tue Jul 18 22:44:53 CDT 2006
patches/packages/samba-3.0.23-i486-2_slack10.2.tgz:
 Patched a problem in nsswitch/wins.c that caused crashes in the wins
 and/or winbind libraries.
 Thanks to Mikhail Kshevetskiy for pointing out the issue and offering
 a reference to the patch in Samba's source repository.
 Also, this version of Samba evidently created a new dependency on libdm.so
 (found in the xfsprogs package in non -current Slackware versions).  This
 additional dependency was not intentional, and has been corrected.
+--------------------------+
Fri Jul 14 17:17:17 CDT 2006
patches/packages/samba-3.0.23-i486-1_slack10.2.tgz:
 Upgraded to samba-3.0.23.
 This fixes a minor memory exhaustion DoS in smbd.
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
 (* Security fix *)
+--------------------------+
Tue Jun 27 18:48:22 CDT 2006
patches/packages/arts-1.4.2-i486-2_slack10.2.tgz:
 Patched to fix a possible exploit if artswrapper is setuid root (which,
 by default, it is not) and the system is running a 2.6 kernel.
 Systems running 2.4 kernels are not affected.
 The official KDE security advisory may be found here:
   http://www.kde.org/info/security/advisory-20060614-2.txt
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
 (* Security fix *)
patches/packages/gnupg-1.4.4-i486-1_slack10.2.tgz:
 This version fixes a memory allocation issue that could allow an attacker to
 crash GnuPG creating a denial-of-service.
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082
patches/packages/kdebase-3.4.2-i486-3_slack10.2.tgz:
 Patched a problem with kdm where it could be abused to read any file
 on the system.
 The official KDE security advisory may be found here:
   http://www.kde.org/info/security/advisory-20060614-1.txt
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2449
 (* Security fix *)
+--------------------------+
Thu Jun 15 02:06:03 CDT 2006
patches/packages/sendmail-8.13.7-i486-1_slack10.2.tgz:
 Upgraded to sendmail-8.13.7.
 Fixes a potential denial of service problem caused by excessive recursion
 leading to stack exhaustion when attempting delivery of a malformed MIME
 message.  This crashes sendmail's queue processing daemon, which in turn
 can lead to two problems:  depending on the settings, these crashed
 processes may create coredumps which could fill a drive partition; and
 such a malformed message in the queue will cause queue processing to
 cease when the message is reached, causing messages that are later in
 the queue to not be processed.
 Sendmail's complete advisory may be found here:
   http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc
 Sendmail has also provided an FAQ about this issue:
   http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173
 (* Security fix *)
patches/packages/sendmail-cf-8.13.7-noarch-1_slack10.2.tgz:
 Upgraded to sendmail-8.13.7 configs.
+--------------------------+
Sat Jun  3 16:53:29 CDT 2006
patches/packages/mozilla-firefox-1.5.0.4-i686-1.tgz:
 Upgraded to firefox-1.5.0.4.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.4-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.4.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
patches/packages/mysql-4.1.20-i486-1_slack10.2.tgz:
 Upgraded to mysql-4.1.20.  This fixes an SQL injection vulnerability.
 For more details, see the MySQL 4.1.20 release announcement here:
   http://lists.mysql.com/announce/364
 The CVE entry for this issue will be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
+--------------------------+
Mon May 22 10:44:28 CDT 2006
patches/packages/bin-10.2-i486-2_10.2.tgz:
 Upgraded to eject-2.1.4 to fix problems with 2.6 kernels (bugfix).
 Patched a security problem in zoo's fullpath() function that was reported by
 Jean-Sebastien Guay-Leroux.  At first this didn't seem like much as zoo is
 old and hardly used, but there are virus scanning programs that scan zoo
 archives.  It is a possible problem on any system running zoo like this in
 an automated way, and (of course) could also cause problems if a user were
 to open a malicious zoo archive manually.  (though I'd be pretty suspicious
 if someone were to mail me anything using "zoo" in 2006...)
 (* Security fix *)
patches/packages/tetex-3.0-i486-2_10.2.tgz:  Regenerated the etex.fmt files
 with etex, not pdfetex.  This is more appropriate since etex is a binary,
 not a link to pdfetex.  Thanks to John Breckenridge for reporting the issue.
 Added --disable-a4, and fixed the texconfig for US paper default in the
 build script.  Thanks to Marc Benstein and Jingmin Zhou for reporting this.
 Improved /tmp use security.
 Patched a possible security issue in library code borrowed from xpdf that's
 used in pdfetex.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
 (* Security fix *)
+--------------------------+
Wed May 10 15:07:18 CDT 2006
patches/packages/apache-1.3.35-i486-2_slack10.2.tgz:
 Patched to fix totally broken Include behavior.
 Thanks to Francesco Gringoli for reporting this bug.
+--------------------------+
Tue May  9 00:48:46 CDT 2006
patches/packages/apache-1.3.35-i486-1_slack10.2.tgz:
 Upgraded to apache-1.3.35.
 From the official announcement:
   Of particular note is that 1.3.35 addresses and fixes 1 potential
   security issue: CVE-2005-3352 (cve.mitre.org)
      mod_imap: Escape untrusted referer header before outputting in HTML
      to avoid potential cross-site scripting.  Change also made to
      ap_escape_html so we escape quotes.  Reported by JPCERT
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
 (* Security fix *)
patches/packages/mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz:
 Upgraded to mod_ssl-2.8.26-1.3.35.
 This is an updated version designed for Apache 1.3.35.
patches/packages/mysql-4.1.19-i486-1.tgz:
 Upgraded to mysql-4.1.19.
 This fixes some minor security issues with possible information leakage.
 Note that the information leakage bugs require that the attacker have
 access to an account on the database.  Also note that by default,
 Slackware's rc.mysqld script does *not* allow access to the database
 through the outside network (it uses the --skip-networking option).
 If you've enabled network access to MySQL, it is a good idea to filter
 the port (3306) to prevent access from unauthorized machines.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517
 (* Security fix *)
+--------------------------+
Wed May  3 21:55:38 CDT 2006
patches/packages/mozilla-firefox-1.5.0.3-i686-1.tgz:
 Upgraded to firefox-1.5.0.3.
 This upgrade fixes a crash bug that could possibly be used to
 execute code as the Firefox user.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Wed May  3 00:04:31 CDT 2006
patches/packages/x11-6.8.2-i486-5.tgz:
 Patched with x11r6.9.0-mitri.diff and recompiled.
 A typo in the X render extension allows an X client to crash the server
 and possibly to execute arbitrary code as the X server user (typically
 this is "root".)
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526
 The advisory from X.Org may be found here:
   http://lists.freedesktop.org/archives/xorg/2006-May/015136.html
 (* Security fix *)
patches/packages/x11-devel-6.8.2-i486-5.tgz:
 Patched and recompiled libXrender.
 (* Security fix *)
+--------------------------+
Sun Apr 30 17:38:15 CDT 2006
patches/packages/mozilla-thunderbird-1.5.0.2-i686-1.tgz:
 Upgraded to thunderbird-1.5.0.2.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
 (* Security fix *)
+--------------------------+
Mon Apr 24 14:36:46 CDT 2006
patches/packages/mozilla-1.7.13-i486-1.tgz:  Upgraded to mozilla-1.7.13.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla
 This release marks the end-of-life of the Mozilla 1.7.x series:
   http://developer.mozilla.org/devnews/index.php/2006/04/12/sunset-announcement-for-fxtb-10x-and-mozilla-suite-17x/
 Mozilla Corporation is recommending that users think about
 migrating to Firefox and Thunderbird.
 (* Security fix *)
+--------------------------+
Mon Apr 17 01:31:07 CDT 2006
patches/packages/mozilla-firefox-1.5.0.2-i686-1.tgz:
 Upgraded to firefox-1.5.0.2.
 This upgrade fixes several possible security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
 (* Security fix *)
+--------------------------+
Wed Mar 22 13:01:23 CST 2006
patches/packages/sendmail-8.13.6-i486-1.tgz:  Upgraded to sendmail-8.13.6.
 This new version of sendmail contains a fix for a security problem
 discovered by Mark Dowd of ISS X-Force.  From sendmail's advisory:
   Sendmail was notified by security researchers at ISS that, under some
   specific timing conditions, this vulnerability may permit a specifically
   crafted attack to take over the sendmail MTA process, allowing remote
   attackers to execute commands and run arbitrary programs on the system
   running the MTA, affecting email delivery, or tampering with other
   programs and data on this system.  Sendmail is not aware of any public
   exploit code for this vulnerability.  This connection-oriented
   vulnerability does not occur in the normal course of sending and
   receiving email.  It is only triggered when specific conditions are
   created through SMTP connection layer commands.
 Sendmail's complete advisory may be found here:
   http://www.sendmail.com/company/advisory/index.shtml
 The CVE entry for this issue may be found here:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
 (* Security fix *)
patches/packages/sendmail-cf-8.13.6-noarch-1.tgz:
 Upgraded to sendmail-8.13.6 configuration files.
+--------------------------+
Mon Mar 13 20:42:48 CST 2006
patches/packages/gnupg-1.4.2.2-i486-1.tgz:  Upgraded to gnupg-1.4.2.2.
 There have been two security related issues reported recently with GnuPG.
 From the GnuPG 1.4.2.1 and 1.4.2.2 NEWS files:
   Noteworthy changes in version 1.4.2.2 (2006-03-08)
   * Files containing several signed messages are not allowed any
     longer as there is no clean way to report the status of such
     files back to the caller.  To partly revert to the old behaviour
     the new option --allow-multisig-verification may be used.
   Noteworthy changes in version 1.4.2.1 (2006-02-14)
   * Security fix for a verification weakness in gpgv.  Some input
     could lead to gpgv exiting with 0 even if the detached signature
     file did not carry any signature.  This is not as fatal as it
     might seem because the suggestion has always been not to rely on
     the exit code but to parse the --status-fd messages.  However it
     is likely that gpgv is used in that simplified way and thus we
     do this release.  Same problem with "gpg --verify" but nobody
     should have used this for signature verification without
     checking the status codes anyway.  Thanks to the taviso from
     Gentoo for reporting this problem.
 (* Security fix *)
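 An added example (not part of the original ChangeLog or of GnuPG) of the
 practice the NEWS entry above recommends: decide from the --status-fd
 records rather than the exit code.  The function names, the strict
 one-signature policy, and the sample status lines are assumptions
 constructed for illustration.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords meaning a signature was seen but must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def run_gpgv(keyring, sig_path, data_path):
    """Run gpgv with machine-readable status on stdout; ignore the exit code."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False,
    )
    return proc.stdout


def parse_status(status_text):
    """Return (keyword, args) for every status line; other output is skipped."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_ok(status_text, trusted_fingerprints):
    """Accept only exactly one good, valid signature made by a pinned key.

    An empty status stream (the case where gpgv could exit 0 without any
    signature being present) is rejected because no GOODSIG was reported.
    """
    records = parse_status(status_text)
    keywords = [keyword for keyword, _ in records]
    if any(keyword in REJECT for keyword in keywords):
        return False
    # Conservative policy (assumption): one signature expected per file.
    if keywords.count("GOODSIG") != 1:
        return False
    valid = [args for keyword, args in records if keyword == "VALIDSIG"]
    if len(valid) != 1 or not valid[0]:
        return False
    # First VALIDSIG field is the fingerprint of the key that signed.
    return valid[0][0].upper() in trusted_fingerprints


# Constructed sample data, not captured from a real gpgv run.
TRUSTED = {"0123456789ABCDEF0123456789ABCDEF01234567"}
SAMPLE_GOOD = (
    "[GNUPG:] SIG_ID constructedSigId 2006-03-13 1142280000\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2006-03-13 1142280000 0 3 0 17 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
SAMPLE_NO_SIGNATURE = ""  # nothing reported at all, whatever the exit code was

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                       ("no signature", SAMPLE_NO_SIGNATURE)]:
        print(name, "->", signature_ok(text, TRUSTED))
```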
+--------------------------+
Tue Feb 14 16:08:52 CST 2006
patches/packages/php-4.4.2-i486-3.tgz:  Fixed some more bugs from the 4.4.2
 release...  hopefully the third time is the charm.
 Replaced PEAR packages for which the 4.4.2 release contained incorrect
 md5sums:  Archive_Tar-1.3.1, Console_Getopt-1.2, and HTML_Template_IT-1.1.3.
 (this last one was also not upgraded to the stable version that was released
 on 2005-11-01)  Sorry to have delayed the advisories, but these bugs had to
 be fixed first.  IMHO, the security issues are of dubious severity anyway,
 or a more aggressive approach would have been taken (though this would likely
 have caused a lot of people to upgrade to the broken -1 or -2 package
 revisions, so anyone who didn't know about this until now was probably saved
 a hassle.)
 Upgraded other PEAR modules to HTTP-1.4.0, Net_SMTP-1.2.8, and XML_RPC-1.4.5.
 Thanks again to Krzysztof Oledzki for the bug report.
+--------------------------+
Fri Feb 10 17:32:28 CST 2006
patches/packages/php-4.4.2-i486-2.tgz:  Rebuilt the package to
 clean up some junk dotfiles that were installed in the /
 directory.  Harmless, but sloppy...
 Thanks to Krzysztof Oledzki for pointing this out.
+--------------------------+
Thu Feb  9 15:09:26 CST 2006
patches/packages/fetchmail-6.3.2-i486-1.tgz:  Upgraded to fetchmail-6.3.2.
 Presumably this replaces all the known security problems with
 a batch of new unknown ones.  (fetchmail is improving, really ;-)
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321
 (* Security fix *)
patches/packages/imagemagick-6.2.3_3-i486-2.tgz:  Patched and
 recompiled.  Several security issues have been backported to
 this release.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
 (* Security fix *)
patches/packages/kdegraphics-3.4.2-i486-2.tgz:  Patched integer and
 heap overflows in kpdf to fix possible security bugs with malformed
 PDF files.
 For more information, see:
   http://www.kde.org/info/security/advisory-20051207-2.txt
   http://www.kde.org/info/security/advisory-20060202-1.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
 (* Security fix *)
patches/packages/kdelibs-3.4.2-i486-2.tgz:  Patched a heap overflow
 vulnerability in kjs, the JavaScript interpreter engine used by
 Konqueror and other parts of KDE.
 For more information, see:
   http://www.kde.org/info/security/advisory-20060119-1.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019
 (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.1-i686-1.tgz:  Upgraded to
 firefox-1.5.0.1.  This fixes a DoS issue and some other security bugs.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.1
 (* Security fix *)
patches/packages/openssh-4.3p1-i486-1.tgz:  Upgraded to openssh-4.3p1.
 This fixes a security issue when using scp to copy files that could
 cause commands embedded in filenames to be executed.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
 (* Security fix *)
patches/packages/php-4.4.2-i486-1.tgz:  Upgraded to php-4.4.2.
 Claims to fix "a few small security issues".
 For more information, see:
   http://www.php.net/release_4_4_2.php
 (* Security fix *)
patches/packages/sudo-1.6.8p12-i486-1.tgz:  Upgraded to sudo-1.6.8p12.
 This fixes an issue where a user able to run a Python script through sudo
 may be able to gain root access.
 IMHO, running any kind of scripting language from sudo is still not safe...
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0151
 (* Security fix *)
patches/packages/xpdf-3.01-i486-3.tgz:  Recompiled with xpdf-3.01pl2.patch to
 fix integer and heap overflows in xpdf triggered by malformed PDF files.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
 (* Security fix *)
+--------------------------+
Fri Dec  9 20:19:31 CST 2005
patches/packages/bash-3.0-i486-4.tgz:  Fixed an obscure bug where
 suspending the first process started in a new shell would cause the
 shell to hang.
 Thanks to Grant Coady for discovering and fixing this bug.
patches/packages/bzip2-1.0.3-i486-2.tgz:  Patched a minor bug in the
 libbz2 shared library Makefile to enable support for large files.
 Thanks to Timothy C. McGrath and Manuel Jose Blanca Molinos both of
 whom pointed out this problem and provided fixes.
patches/packages/php-4.4.1-i486-2.tgz:  Recompiled with a patch from PHP
 CVS that fixes issues with SquirrelMail and possibly other PHP
 applications.  I'd hoped there would be a new PHP out quickly to
 address this but since there isn't I'm making an exception to the
 usual policy here on merging patches from CVS as a fair number of users
 seem to be affected by this issue.  Let me know if this doesn't help or
 if any undesired side effects are noticed.
 This problem was first reported here by Gerardo Exequiel Pozzi, but was
 later reported by too many people to list.  Thanks, everyone!  :-)
+--------------------------+
Mon Nov  7 19:54:57 CST 2005
patches/packages/elm-2.5.8-i486-1.tgz:  Upgraded to elm2.5.8.
 This fixes a buffer overflow in the parsing of the Expires header that
 could be used to execute arbitrary code as the user running Elm.
 Thanks to Ulf Harnhammar for finding the bug and reminding me to get
 out updated packages to address the issue.
 A reference to the original advisory:
   http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html
+--------------------------+
Sat Nov  5 22:05:29 CST 2005
patches/packages/apache-1.3.34-i486-1.tgz:  Upgraded to apache-1.3.34.
 Fixes this minor security bug:  "If a request contains both Transfer-Encoding
 and Content-Length headers, remove the Content-Length, mitigating some HTTP
 Request Splitting/Spoofing attacks."
 (* Security fix *)
patches/packages/curl-7.12.2-i486-2.tgz:  Patched.  This addresses a buffer
 overflow in libcurl's NTLM function that could have possible security
 implications.
 For more details, see:
   http://curl.haxx.se/docs/security.html
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
 (* Security fix *)
patches/packages/imapd-4.64-i486-1.tgz:  Upgraded to imapd-4.64.
 A buffer overflow was reported in the mail_valid_net_parse_work function.
 However, this function in the c-client library does not appear to be called
 from anywhere in imapd.  iDefense states that the issue is of LOW risk to
 sites that allow users shell access, and LOW-MODERATE risk to other servers.
 I believe it's possible that it is of NIL risk if the function is indeed
 dead code to imapd, but draw your own conclusions...
 (* Security fix *)
patches/packages/koffice-1.4.1-i486-2.tgz:  Patched.
 Fixes a buffer overflow in KWord's RTF import discovered by Chris Evans.
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971
 (* Security fix *)
patches/packages/libxml2-2.6.22-i486-1.tgz:  Upgraded to libxml2-2.6.22.
 This fixes an issue where libxml2 had declared a variable XML_FEATURE_UNICODE
 that was already used by the expat headers, causing PHP to fail to compile
 when using Slackware's combination of ./configure options.
patches/packages/lynx-2.8.5rel.5-i486-1.tgz:  Upgraded to lynx-2.8.5rel.5.
 Fixes an issue where the handling of Asian characters when using lynx to
 connect to an NNTP server (is this a common use?) could result in a buffer
 overflow causing the execution of arbitrary code.
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
 (* Security fix *)
patches/packages/mod_ssl-2.8.25_1.3.34-i486-1.tgz:
 Upgraded to mod_ssl-2.8.25-1.3.34.
patches/packages/php-4.4.1-i486-1.tgz:  Upgraded to php-4.4.1.
 Fixes a number of bugs, including several minor security fixes relating to
 the overwriting of the GLOBALS array.
 (* Security fix *)
patches/packages/pine-4.64-i486-1.tgz:  Upgraded to pine-4.64.
patches/packages/samba-3.0.20b-i486-1.tgz:  Upgraded to samba-3.0.20b.
 This includes various bugfixes.  Thanks to Christopher Linnet for reporting
 that this fixes a problem with printing to a printer on an XP machine from
 CUPS.  If you use such a configuration, you'll want this upgrade for sure.
patches/packages/wget-1.10.2-i486-1.tgz:  Upgraded to wget-1.10.2.
 This addresses a buffer overflow in wget's NTLM handling function that could
 have possible security implications.
 For more details, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
 (* Security fix *)
+--------------------------+
Thu Oct 13 13:57:25 PDT 2005
patches/packages/openssl-0.9.7g-i486-2.tgz:  Patched.
 Fixed a vulnerability that could, in rare circumstances, allow an attacker
 acting as a "man in the middle" to force a client and a server to negotiate
 the SSL 2.0 protocol (which is known to be weak) even if these parties both
 support SSL 3.0 or TLS 1.0.
 For more details, see:
   http://www.openssl.org/news/secadv_20051011.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
 (* Security fix *)
patches/packages/openssl-solibs-0.9.7g-i486-2.tgz:  Patched.
 (* Security fix *)
+--------------------------+
Mon Oct 10 15:15:24 PDT 2005
patches/packages/xine-lib-1.0.3a-i686-1.tgz:  Upgraded to xine-lib-1.0.3a.
 This fixes a format string bug where an attacker, if able to upload malicious
 information to a CDDB server and then get a local user to play a certain
 audio CD, may be able to run arbitrary code on the machine as the user
 running the xine-lib linked application.
 For more information, see:
   http://xinehq.de/index.php/security/XSA-2005-1
 (* Security fix *)
+--------------------------+
Wed Oct  5 13:05:39 PDT 2005
patches/packages/mozilla-thunderbird-1.0.7-i686-1.tgz:
 Upgraded to thunderbird-1.0.7.
 This fixes a security issue where URLs passed on the command line to the
 thunderbird shell script were not correctly protected against
 interpretation by the shell.  As a result, a malicious URL could contain
 embedded shell commands which would then be executed as the user running
 Thunderbird.
 For more information, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
 (* Security fix *)
+--------------------------+
Sun Sep 25 22:03:45 PDT 2005
patches/packages/x11-6.8.2-i486-4.tgz:  Rebuilt with a modified patch for
 an earlier pixmap overflow issue.  The patch released by X.Org was
 slightly different than the one that was circulated previously, and is
 an improved version.  There have been reports that the earlier patch
 broke WINE and possibly some other programs.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
 (* Security fix *)
patches/packages/x11-xdmx-6.8.2-i486-4.tgz:  Patched and rebuilt.
patches/packages/x11-xnest-6.8.2-i486-4.tgz:  Patched and rebuilt.
patches/packages/x11-xvfb-6.8.2-i486-4.tgz:  Patched and rebuilt.
patches/packages/mozilla-1.7.12-i486-1.tgz:  Upgraded to mozilla-1.7.12.
 This fixes several security issues.  For more information, see:
 http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
 (* Security fix *)
patches/packages/mozilla-firefox-1.0.7-i686-1.tgz:  Upgraded to firefox-1.0.7.
 This fixes several security issues.  For more information, see:
 http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
 (* Security fix *)
+--------------------------+
Tue Sep 13 12:24:53 PDT 2005
Slackware 10.2 is released.
Thanks to everyone who helped make it possible.
Enjoy!  :-)
+--------------------------+
Tue Sep 13 10:54:29 PDT 2005
xap/gxine-0.4.8-i486-2.tgz:  Fixed gxine.desktop icon path.
 (Thanks to Peter Eszlari)
extra/isdn4k-utils/isdn4k-utils-CVS-2005-08-21.tar.bz2:
 Upgraded to a recent snapshot of isdn4k-utils.
+--------------------------+
Tue Sep 13 02:15:06 PDT 2005
x/x11-6.8.2-i486-3.tgz:  Patched an integer overflow in the X server pixmap
 memory allocation that could potentially allow any X user to execute
 arbitrary code with root privileges.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
 (* Security fix *)
x/x11-devel-6.8.2-i486-3.tgz:  Recompiled.
x/x11-docs-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-docs-html-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-fonts-100dpi-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-fonts-cyrillic-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-fonts-misc-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-fonts-scale-6.8.2-noarch-3.tgz:  Rebuilt.
x/x11-xdmx-6.8.2-i486-3.tgz:  Recompiled.
x/x11-xnest-6.8.2-i486-3.tgz:  Recompiled.
x/x11-xvfb-6.8.2-i486-3.tgz:  Recompiled.
+--------------------------+
Mon Sep 12 22:48:09 PDT 2005
a/util-linux-2.12p-i486-2.tgz:  Patched an issue with umount where if
 the umount failed when the '-r' option was used, the filesystem would
 be remounted read-only but without any extra flags specified in
 /etc/fstab.  This could allow an ordinary user able to mount a floppy
 or CD (but with nosuid, noexec, nodev, etc in /etc/fstab) to run a
 setuid binary from removable media and gain root privileges.
 Reported to BugTraq by David Watson:
   http://www.securityfocus.com/archive/1/410333
 (* Security fix *)
ap/mdadm-2.1-i486-1.tgz:  Upgraded to mdadm-2.1.
n/dnsmasq-2.23-i486-1.tgz:  Upgraded to dnsmasq-2.23.
n/nmap-3.93-i486-1.tgz:  Upgraded to nmap-3.93.
extra/k3b/k3b-0.12.4a-i486-1.tgz:  Upgraded to k3b-0.12.4a.
extra/k3b/k3b-i18n-0.12.4-noarch-1.tgz:  Upgraded to k3b-i18n-0.12.4.
+--------------------------+
Mon Sep 12 19:02:13 PDT 2005
a/aaa_elflibs-10.2.0-i486-3.tgz:  Upgraded PCRE library.
a/dcron-2.3.3-i486-5.tgz:  Added a patch to keep dcron from improperly
 forking extra copies of itself in some circumstances.
 (Thanks to Henrik Carlqvist)
a/mkinitrd-1.0.1-i486-3.tgz:  Added tftp support to busybox, updated
 README.initrd examples to refer to the 2.6.13 kernel.
ap/sox-12.17.8-i486-1.tgz:  Upgraded to sox-12.17.8.
 (Thanks to Peter Eszlari)
ap/vorbis-tools-1.1.1-i486-1.tgz:  Upgraded to vorbis-tools-1.1.1.
 (Thanks to Peter Eszlari)
l/libvorbis-1.1.1-i486-1.tgz:  Upgraded to libvorbis-1.1.1.
 (Thanks to Peter Eszlari)
l/libxml2-2.6.21-i486-1.tgz:  Upgraded to libxml2-2.6.21.
l/libxslt-1.1.15-i486-1.tgz:  Upgraded to libxslt-1.1.15.
l/pcre-6.4-i486-1.tgz:  Upgraded to pcre-6.4.
n/dhcpcd-1.3.22pl4-i486-2.tgz:  Patched an issue where a remote attacker can
 cause dhcpcd to crash.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1848
 (* Security fix *)
n/wget-1.10.1-i486-3.tgz:  Install /etc/wgetrc properly.
 (Thanks to Fred Emmott)
xap/gftp-2.0.18-i486-1.tgz:  Upgraded to gftp-2.0.18.
 (Thanks to Peter Eszlari)
xap/gxine-0.4.7-i486-1.tgz:  Upgraded to gxine-0.4.8.
xap/sane-1.0.16-i486-1.tgz:  Upgraded to sane-backends-1.0.16.
xap/xchat-2.4.5-i486-1.tgz:  Upgraded to xchat-2.4.5.
xap/xpdf-3.01-i486-2.tgz:  Added missing Bulgarian.nameToUnicode.
 (Thanks to Dimitar Zhekov)
xap/xsane-0.97-i486-1.tgz:  Upgraded to xsane-0.97.
extra/slackpkg/slackpkg-1.5.2-noarch-2.tgz:
 Upgraded to slackpkg-1.5.2-noarch-2.  (Thanks to Piter Punk)
+--------------------------+
Sat Sep 10 22:21:22 PDT 2005
OK, everything was set in stone except for these things.  ;-)
There may still be a couple more changes (maybe), but this is pretty close.
a/aaa_base-10.2.0-noarch-2.tgz:  Fixed rp-pppoe version number in email
 to root.  (thanks to Piter Punk)
a/aaa_elflibs-10.2.0-i486-2.tgz:  Upgraded glib libraries to 2.6.6.
a/bash-3.0-i486-3.tgz:  Added bash patch bash30-016.
 (suggested by Fredrik Rinnestam and Xavier Thomassin)
 Added a patch to prevent an issue with newer glibc versions and 2.4.x
 kernels that leads to a bash hang if bash is recompiled on such a system.
 (Thanks to Fredrik Rinnestam)
a/glibc-solibs-2.3.5-i486-5.tgz:  Recompiled against header files from
 linux 2.4.31 (linuxthreads version) and linux 2.6.13 (NPTL version).
a/glibc-zoneinfo-2.3.5-noarch-5.tgz:  Rebuilt.
ap/vim-6.3.086-i486-1.tgz:  Upgraded vim to patchlevel 86, and upgraded to
 ctags-5.5.4.
l/esound-0.2.36-i486-1.tgz:  Upgraded to esound-0.2.36.
l/glib2-2.6.6-i486-1.tgz:  Upgraded to glib-2.6.6.
l/glibc-2.3.5-i486-5.tgz:  Recompiled.
l/glibc-i18n-2.3.5-noarch-5.tgz:  Rebuilt.
l/glibc-profile-2.3.5-i486-5.tgz:  Recompiled.
l/gtk+2-2.6.10-i486-1.tgz:  Upgraded to gtk+-2.6.10.
l/pango-1.8.2-i486-1.tgz:  Upgraded to pango-1.8.2.
 Thanks to Giacomo Lozito for pointing the bugfix releases of glib, gtk+,
 and pango out.  The 2.8 series still needs time to stabilize and may present
 some compatibility issues (just a guess), and the version bump on atk-1.10.1
 makes me want to play it safe on that one as well.  We'll get to those in the
 next -current.
l/sdl-1.2.9-i486-1.tgz:  Upgraded to SDL-1.2.9, SDL_image-1.2.4,
 SDL_mixer-1.2.6, and SDL_ttf-2.0.7.
n/nmap-3.90-i486-1.tgz:  Upgraded to nmap-3.90.  (suggested by many :-)
n/wget-1.10.1-i486-2.tgz:  Change /etc/wgetrc to /etc/wgetrc.new so that it'll
 be protected from replacement the next time this package is upgraded.
 Suggested by Luigi Genoni.
xap/xvim-6.3.086-i486-1.tgz:  Upgraded X version of vim to patchlevel 86, and
 upgraded to ctags-5.5.4.
+--------------------------+
Thu Sep  8 17:48:59 PDT 2005
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.13-i486-1.tgz:
 Recompiled for 2.6.13.  Thanks to xgizzmo for catching the omission.
+--------------------------+
Thu Sep  8 13:24:58 PDT 2005
OK folks, this is just about ready to go.  Consider nearly everything to
be set in stone at this point, especially the kernels.  Zipslack has yet
to be built, and some of the documentation needs minor updating, but for
the most part this is how Slackware 10.2 is going to look.  Expect a
release to happen sometime within the next week or so.
   Also, a bit of advance warning:  I'm going to be removing most of the
ISO images for old Slackware releases from ftp.slackware.com in order to
make room for the new release, so if you're running a mirror site and
want to save those, move them elsewhere now before they go.  The ISO
images at slackware.osuosl.org in /pub/slackware-iso/ will remain, but
the ones at ftp.slackware.com and other sites under /pub/slackware are
all potentially on the chopping block.
a/aaa_base-10.2.0-noarch-1.tgz:  Bumped version number to 10.2.  Edited
 initial email.
a/aaa_elflibs-10.2.0-i486-1.tgz:  Updated initial library collection.
a/bin-10.2-i486-1.tgz:  Upgraded to file-4.15.
a/cxxlibs-5.0.7-i486-1.tgz:  Upgraded to libstdc++.so.5.0.7 from gcc-3.3.6.
a/gawk-3.1.5-i486-1.tgz:  Upgraded to gawk-3.1.5.
a/hotplug-2004_09_23-noarch-5.tgz:  Fix a minor syntax error in rc.hotplug.
 (the logging test was always true even if syslogd was not running)
 Thanks to Luis Castilho.
 Blacklisted a new framebuffer module (arcfb.ko) in 2.6.13.
a/pkgtools-10.2.0-i486-5.tgz:  Upgraded to dialog-1.0-20050306, which fixes
 a bug that prevented the install-packages scripts from working.
 Thanks to Krzysztof Oledzki for pointing out this bug.
a/reiserfsprogs-3.6.19-i486-1.tgz:  Upgraded to reiserfsprogs-3.6.19.
a/usbutils-0.11-i486-3.tgz:  Upgraded to latest usb.ids.
 Note that newer versions of usbutils no longer include the usbmodules
 utility, which breaks hotplugging of USB devices on 2.4.x kernels, so until
 the default kernel is a 2.6.x version, this is the best version of usbutils
 to include.
a/utempter-1.1.3-i486-1.tgz:  Upgraded to libutempter-1.1.3.
ap/groff-1.19.1-i486-3.tgz:  Fixed a /tmp bug in groffer.  Groffer is a
 script to display formatted output on the console or X, and is not normally
 used in other scripts (for printers, etc) like most groff components are.
 The risk from this bug is probably quite low.  The fix was pulled from the
 just-released groff-1.19.2.  With Slackware 10.2 just around the corner it
 didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2
 is over a megabyte compressed.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969
 (* Security fix *)
ap/zsh-4.2.5-i486-1.tgz:  Upgraded to zsh-4.2.5.
d/clisp-2.35-i486-1.tgz:  Upgraded to clisp-2.35.
d/libtool-1.5.20-i486-1.tgz:  Upgraded to libtool-1.5.20.
d/subversion-1.2.3-i486-1.tgz:  Added subversion-1.2.3.  This will be the last
 last-minute addition in this release cycle.  Suggested by many.  :-)
kde/kdebase-3.4.2-i486-2.tgz:  Patched a bug in Konqueror's handling of
 characters such as '*', '[', and '?'.
 Generated new kdm config files.
 Added /opt/kde/man to $MANPATH.
 Patched a security bug in kcheckpass that could allow a local user to
 gain root privileges.
 For more information, see:
   http://www.kde.org/info/security/advisory-20050905-1.txt
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494
 (* Security fix *)
l/jre-1_5_0_04-i586-2.tgz:  Added /usr/lib/mozilla/plugins directory with a
 link to the Java plugin.
l/t1lib-5.1.0-i486-1.tgz:  Upgraded to t1lib-5.1.0.
n/dhcp-3.0.3-i486-1.tgz:  Upgraded to dhcp-3.0.3.
n/iproute2-2.6.11_050330-i486-2.tgz:  Fixed symlinks in /sbin.
 Thanks to Krzysztof Oledzki for the Makefile patch.
n/mod_ssl-2.8.24_1.3.33-i486-1.tgz:  Upgraded to mod_ssl-2.8.24-1.3.33.
 From the CHANGES file:
   Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was
   not enforced in per-location context if "SSLVerifyClient optional" was
   configured in the global virtual host configuration.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
 (* Security fix *)
n/openssh-4.2p1-i486-1.tgz:  Upgraded to openssh-4.2p1.
 From the OpenSSH 4.2 release announcement:
    SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
    GatewayPorts to be incorrectly activated for dynamic ("-D") port
    forwardings when no listen address was explicitly specified.
 (* Security fix *)
n/php-4.4.0-i486-4.tgz:  Added --with-dom.  Suggested by Joao Carvalho.
n/ppp-2.4.4b1-i486-1.tgz:  Upgraded to ppp-2.4.4b1.  This should fix the issues
 people were having with demand dialing and persistent connections.
n/rp-pppoe-3.6-i486-1.tgz:  Upgraded to rp-pppoe-3.6.
 Thanks to Erik Jan Tromp for the build script improvements.
n/samba-3.0.20-i486-2.tgz:  Fixed /usr/doc/samba-3.0.20/docs/using_samba
 symlink.  Thanks to Valentin Avram for the bug report.
n/tcpip-0.17-i486-35.tgz:  Changed to a cleaner telnet patch borrowed from
 OpenBSD.  Two people, both using Slackware 9.1, informed me that the previous
 patch for telnet was causing a segfault when used with short hostnames from
 /etc/hosts (such as localhost).  If anyone is having a similar problem with
 other versions of Slackware, let me know.  Thanks to Dragan Simic for
 telling me about the improved patch.
 Fixed a minor syntax error in rc.inet1 in the test for syslogd.pid.
 (Thanks to Luis Castilho)
 Added brctl and vconfig.  (suggested by Jan Rafaj)
 Increased timeout for dhcpcd.
 Fixed a bit of bad grammar in rc.inet1.conf.  ("appending" -> "prepending")
 Added a new option "DHCP_IPADDR" to rc.inet1.conf to ask the DHCP server for
 a specific IP address.  (Thanks to James Michael Fultz for these last two)
n/wget-1.10.1-i486-1.tgz:  Upgraded to wget-1.10.1.
xap/jre-symlink-1.0.6-noarch-2:  Removed.  This is obsolete now that the Java
 packages contain symlinks in /usr/lib/mozilla/plugins and Mozilla and
 Firefox have been patched to search for plugins in that directory.
xap/mozilla-1.7.11-i486-2.tgz:  Patched mozilla startup script to
 search for plugins in /usr/lib/mozilla/plugins after searching in
 /usr/lib/mozilla-1.7.11/plugins.
xap/mozilla-firefox-1.0.6-i686-2.tgz:  Patched firefox startup script to
 search for plugins in /usr/lib/mozilla/plugins after searching in
 /usr/lib/firefox-1.0.6/plugins.
xap/xpdf-3.01-i486-1.tgz:  Upgraded to xpdf-3.01.
extra/bash-completion/bash-completion-20050721-noarch-1.tgz:
 Upgraded to bash-completion-20050721.
extra/brltty/brltty-3.6.1-i486-1.tgz:  Upgraded to brltty-3.6.1.
extra/grub/grub-0.97-i486-1.tgz:  Upgraded to grub-0.97.
 Thanks to Kent Robotti for the new version of grubconfig.
extra/jdk-1.5.0_04/jdk-1_5_0_04-i586-2.tgz:  Added /usr/lib/mozilla/plugins
 directory with a link to the Java plugin.
extra/slackpkg/slackpkg-1.5.1-noarch-2.tgz:
 Upgraded to slackpkg-1.5.1-noarch-2.  (Thanks to Piter Punk)
extra/slacktrack/slacktrack-1.26-i486-1.tgz: Upgraded to slacktrack-1.26_1.
 (Thanks to Stuart Winter)
extra/slacktrack/slacktrack-examples-v1.01.tar.gz:
 Upgraded slacktrack build script examples.
kernels/test26.s/:  Added a 2.6.13 install kernel.
rootdisks/install.*, isolinux/initrd.img:  Fixed install size estimate.
testing/packages/gnupg-1.4.2-i486-1.tgz:  Upgraded to gnupg-1.4.2.
testing/packages/linux-2.6.13/alsa-driver-1.0.9b_2.6.13-i486-1.tgz:
 Recompiled against Linux 2.6.13.
testing/packages/linux-2.6.13/kernel-generic-2.6.13-i486-1.tgz:
 Upgraded to Linux 2.6.13 generic kernel.
testing/packages/linux-2.6.13/kernel-headers-2.6.13-i386-1.tgz:
 Upgraded to Linux 2.6.13 kernel headers for x86.
testing/packages/linux-2.6.13/kernel-modules-2.6.13-i486-1.tgz:
 Upgraded to Linux 2.6.13 kernel modules.
testing/packages/linux-2.6.13/kernel-source-2.6.13-noarch-1.tgz:
 Upgraded to Linux 2.6.13 kernel source.
testing/packages/lvm2/device-mapper-1.01.04-i486-1.tgz:
 Upgraded to device-mapper.1.01.04.
testing/packages/lvm2/lvm2-2.01.09-i486-1.tgz:
 Upgraded to LVM2.2.01.09.
testing/packages/php-5.0.5/php-5.0.5-i486-4.tgz:
 Upgraded to php-5.0.5 with --with-dom and --with-curl options.
+--------------------------+
Tue Aug 30 13:01:43 PDT 2005
a/jfsutils-1.1.8-i486-1.tgz:  Upgraded to jfsutils-1.1.8.
a/pciutils-2.1.11-i486-6.tgz:  Updated pci.ids.
a/procps-3.2.5-i486-1.tgz:  Upgraded to procps-3.2.5.
 Thanks to Stuart Winter for informing me that newer 2.6 kernels needed this.
ap/espgs-8.15rc4-i486-1.tgz:  Upgraded to espgs-8.15rc4.
ap/mysql-4.1.14-i486-1.tgz:  Upgraded to mysql-4.1.14.
kde/kdeedu-3.4.2-i486-2.tgz:  Fixed a minor /tmp bug in kvoctrain.
 (* Security fix *)
l/pcre-6.3-i486-1.tgz:  Upgraded to pcre-6.3.
 This fixes a buffer overflow that could be triggered by the processing of a
 specially crafted regular expression.  Theoretically this could be a security
 issue if regular expressions are accepted from untrusted users to be
 processed by a user with greater privileges, but this doesn't seem like a
 common scenario (or, for that matter, a good idea).  However, if you are
 using an application that links to the shared PCRE library and accepts
 outside input in such a manner, you will want to update to this new package.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
 (* Security fix *)
n/php-4.4.0-i486-3.tgz:  Relinked with the system PCRE library, as the builtin
 library has a buffer overflow that could be triggered by the processing of a
 specially crafted regular expression.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
 (* Security fix *)
 Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
 insecure eval() function.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
 (* Security fix *)
 Recompiled with support for mbstring and cURL.
 Thanks to Gerardo Exequiel Pozzi for pointing out that the new MySQL uses
 UTF-8, which in turn requires that PHP support multibyte strings.  Also,
 thanks to Amrit for mentioning that the PHP cURL extensions are useful and
 should be included.
n/samba-3.0.20-i486-1.tgz:  Upgraded samba-3.0.20.
xap/gaim-1.5.0-i486-1.tgz:  Upgraded to gaim-1.5.0.
 This fixes some more security issues.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
 (* Security fix *)
testing/packages/linux-2.6.12.5/alsa-driver-1.0.9b_2.6.12.5-i486-1.tgz:
 Recompiled against Linux 2.6.12.5.
testing/packages/linux-2.6.12.5/kernel-generic-2.6.12.5-i486-1.tgz:
 Upgraded to Linux 2.6.12.5 generic kernel.
testing/packages/linux-2.6.12.5/kernel-headers-2.6.12.5-i386-1.tgz:
 Upgraded to Linux 2.6.12.5 kernel headers for x86.
testing/packages/linux-2.6.12.5/kernel-modules-2.6.12.5-i486-1.tgz:
 Upgraded to Linux 2.6.12.5 kernel modules.
testing/packages/linux-2.6.12.5/kernel-source-2.6.12.5-noarch-1.tgz:
 Upgraded to Linux 2.6.12.5 kernel source.
testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz:  Relinked with the
 system PCRE library, as the builtin library has a buffer overflow
 that could be triggered by the processing of a specially crafted
 regular expression.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
 (* Security fix *)
 Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
 insecure eval() function.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
 (* Security fix *)
 Recompiled with support for mbstring, cURL, and XSLT.
 Thanks to Den (aka Diesel) for suggesting XSLT.
+--------------------------+
Thu Aug  4 22:33:48 PDT 2005
a/e2fsprogs-1.38-i486-2.tgz:  Make sure pkgconfig files go to the right
 place (/usr/lib/pkgconfig).  Thanks to Chad Corkrum.
n/links-2.1pre18-i486-1.tgz:  Upgraded to links-2.1pre18, which fixes some
 bugs in Javascript handling.  Suggested by Roberto Leandrini.
extra/bittornado/bittornado-0.3.12-noarch-1.tgz:  Upgraded to bittornado-0.3.12.
 Suggested by Adam Young.
+--------------------------+
Thu Aug  4 13:35:29 PDT 2005
a/sysvinit-2.84-i486-56.tgz:  Enable swapping again in rc.S after all local
 filesystems are mounted read-write.  This makes sure that swapfiles get
 activated with 2.6 kernels.  Thanks to Jingmin (Jimmy) Zhou.
a/e2fsprogs-1.38-i486-1.tgz:  Upgraded to e2fsprogs-1.38, needed for new
 ext2fs boot label support.  Thanks to Jerome Pinot for the heads-up.
l/taglib-1.4-i486-1.tgz:  Upgraded to taglib-1.4, which will be needed by
 various projects soon.  Thanks to Sergei Mutovkin.
xap/xmms-1.2.10-i486-3.tgz:  Patched a pause bug in XMMS.  Thanks to
 Erik Jan Tromp for the bug report and patch.
extra/ham/gmfsk-0.6-i486-2.tgz:  Rebuilt to work with hamlib-1.2.4.
extra/ham/hamlib-1.2.4-i486-1.tgz:  Upgraded to hamlib-1.2.4.
extra/ham/proj-4.4.9-i486-1.tgz:  Upgraded to proj-4.4.9.
extra/ham/tlf-0.9.23-i486-1.tgz:  Upgraded to tlf-0.9.23.
extra/ham/xastir-1.6.0-i486-1.tgz:  Upgraded to xastir-1.6.0.
extra/ham/xconvers-0.8.3-i486-1.tgz:  Upgraded to xconvers-0.8.3.
extra/ham/xlog-1.2.2-i486-1.tgz:  xlog-1.2.2.
 Thanks to Arno Verhoeven for all the ham radio package updates!
+--------------------------+
Tue Aug  2 22:34:49 PDT 2005
n/proftpd-1.2.10-i486-4.tgz:  Added mod_ctrls_admin module, which is needed to
 make use of --enable-ctrls.  Thanks again to Roberto Leandrini.
+--------------------------+
Tue Aug  2 15:34:18 PDT 2005
Hi folks,
I think it's time to consider this to be mostly frozen and concentrate on
beta testing in preparation for the Slackware 10.2 release, so there won't
be too many more upgrades and additions.  Things are going to be pretty
busy for me over the next couple of weeks besides working on getting 10.2
finalized, but let me know about any issues that need fixing before the
release and I'll get to them just as soon as I can.  Have fun!
kde/kdepim-3.4.2-i486-2.tgz:  Patched a bug in KMail.
n/proftpd-1.2.10-i486-3.tgz:  Recompiled with --enable-ctrls and
 --enable-ipv6.  Suggested by Roberto Leandrini.
xap/xine-lib-1.0.2-i686-1.tgz:  Upgraded to xine-lib-1.0.2.
xap/xine-ui-0.99.4-i686-1.tgz:  Upgraded to xine-ui-0.99.4.
extra/blackbox-0.70.0/blackbox-0.70.0-i486-1.tgz:  Added
 blackbox-0.70.0.  This isn't in slackware/xap because there were some
 things about it that struck me as not quite right, like the removal of
 i18n support, and that the themes didn't seem to work any more (or at
 least weren't included).  If it's something I'm doing wrong, let me know,
 otherwise this can stay here for now...
extra/slackpkg/slackpkg-1.5.0-noarch-3.tgz:  Upgraded to
 slackpkg-1.5.0-noarch-3 (fixed a mirror URL).
+--------------------------+
Mon Aug  1 11:25:46 PDT 2005
a/sysvinit-2.84-i486-55.tgz:  In rc.6, try to use 'rc.inet1 stop' to
 bring the network down.  Thanks to Eric Hameleers for reminding me
 that this sort of thing works now.  :-)
extra/k3b/k3b-0.12.3-i486-2.tgz:  Rebuilt to fix missing binaries.  I
 built this on the same machine, no changes to the build script other
 than bumping the build number to 2...  strange, but I'll take it.
extra/slackpkg/slackpkg-1.5.0-noarch-2.tgz:  Upgraded to
 slackpkg-1.5.0-noarch-2.  Thanks to Piter Punk.
+--------------------------+
Sun Jul 31 17:08:43 PDT 2005
a/sysvinit-2.84-i486-54.tgz:  In rc.6, try to use 'dhcpcd -k' to kill
 dhcpcd, otherwise a cache file is left behind which may cause problems.
 Thanks to Giacomo Rizzo for the bug report.
d/clisp-2.34-i486-1.tgz:  Upgraded to clisp-2.34.
d/doxygen-1.4.4-i486-1.tgz:  Upgraded to doxygen-1.4.4.
d/oprofile-0.9.1-i486-1.tgz:  Upgraded to oprofile-0.9.1.
n/iptables-1.3.3-i486-1.tgz:  Upgraded to iptables-1.3.3.
n/rsync-2.6.6-i486-1.tgz:  Upgraded to rsync-2.6.6.
n/tcpip-0.17-i486-34.tgz:  Upgraded ethtool to ethtool-3.
n/yptools-2.9-i486-1.tgz:  Upgraded to yp-tools-2.9, ypbind-mt-1.19.1,
 and ypserv-2.18.
xap/jre-symlink-1.0.6-noarch-2.tgz:  Upgraded symlink for Mozilla 1.7.11.
xap/mozilla-1.7.11-i486-1.tgz:  Upgraded to mozilla-1.7.11.
extra/k3b/k3b-0.12.3-i486-1.tgz:  Upgraded to k3b-0.12.3.
extra/k3b/k3b-i18n-0.12.3-noarch-1.tgz:  Upgraded to k3b-i18n-0.12.3.
+--------------------------+
Sat Jul 30 13:01:25 PDT 2005
a/smartmontools-5.33-i486-1.tgz:  Upgraded to smartmontools-5.33.
a/udev-064-i486-2.tgz:  Commented out the new lines in udev.rules.  It seems
 like these aren't really needed now that the symlink in
 /etc/hotplug.d/default/ was restored, and having them there causes a
 race condition that can cause things like wireless adaptors that need to
 load firmware to fail to initialize.
 Thanks to Andreas Liebschner and Philip Langdale for helping debug this.
ap/espgs-8.15rc3-i486-2.tgz:  Removed libtool file that wasn't supposed to be
 in the package.  Thanks to Mark Post.  Also, I had a report that espgs was
 not printing margins properly with the Epson C64 printer.  If you notice
 issues like that it is best to send the reports directly to the espgs
 maintainers, as without the hardware in question (or even with, really)
 there's little that I can do to fix bugs such as that here.
ap/joe-3.3-i486-1.tgz:  Upgraded to joe-3.3.
ap/mc-4.6.1-i486-1.tgz:  Upgraded to mc-4.6.1.
e/emacs-21.4a-i486-2.tgz:  Patched emacs to change the order some X headers
 are included, which fixes a keyboard problem with some non-US keyboards
 when running under X.Org.  Thanks to Emanuele Vicentini for pointing out
 the issue and a patch.
e/emacs-nox-21.4a-i486-2.tgz:  Recompiled.
+--------------------------+
Fri Jul 29 10:33:59 PDT 2005
a/etc-5.1-noarch-10.tgz:  Added scanner group.
a/getty-ps-2.1.0b-i486-1.tgz:  Upgraded to getty-ps-2.1.0b.  Thanks to
 Jan Rafaj for providing additional bugfixes for this package.
a/hotplug-2004_09_23-noarch-4.tgz:  Changed firmware directory from
 /usr/lib/hotplug/firmware to /lib/firmware.
 Thanks to Lior Kadosh, Steve Caster, Lawrence Teo, Piter Punk, and
 Vidar Madsen, all of whom reported this.
a/pkgtools-10.2.0-i486-4.tgz:  Fixed toggling rc.dnsmasq and rc.saslauthd
 in setup.services.  Thanks to Eric Hameleers.
kde/koffice-1.4.1-i486-1.tgz:  Upgraded to koffice-1.4.1.
kde/kdeaccessibility-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdeaddons-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdeadmin-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdeartwork-3.4.2-i486-2.tgz:  Upgraded to KDE 3.4.2.
kde/kdebase-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdebindings-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdeedu-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdegames-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdegraphics-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdelibs-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdemultimedia-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdenetwork-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdepim-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdesdk-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdetoys-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdeutils-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdevelop-3.2.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kde/kdewebdev-3.4.2-i486-1.tgz:  Upgraded to KDE 3.4.2.
kdei/kde-i18n-*.tgz:  Upgraded to KDE 3.4.2 i18n packages.
kdei/koffice-l10n-*.tgz:  Upgraded to KOffice 1.4.1 l10n packages.
l/arts-1.4.2-i486-1.tgz:  Upgraded to arts-1.4.2.
l/fribidi-0.10.5-i486-1.tgz:  Added fribidi-0.10.5, needed by AbiWord and
 KDE.
l/jre-1_5_0_04-i586-1.tgz:  Upgraded to Java(TM) 2 Platform Standard Edition
 Runtime Environment Version 5.0, Release 4.
n/links-2.1pre17-i486-2.tgz:  Recompiled without SDL, which was causing X
 libraries to be indirectly linked.  Thanks to Kirils Solovjovs.
n/tcpip-0.17-i486-33.tgz:  Patched rc.inet1 to make sure that an attempt is
 made to bring up the gateway whenever a new interface is loaded by hotplug.
 Added support to bring up/down ethernet aliases, like: IFNAME[2]="eth0:1"
 (Thanks to Andrey V. Panov for the aliases patch)
 Patched two overflows in the telnet client that could allow the execution
 of arbitrary code when connected to a malicious telnet server.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
 (* Security fix *)
xap/abiword-2.2.9-i486-1.tgz:  Upgraded to abiword-2.2.9, which now links
 with the new fribidi package.  Thanks to Ryan Pavlik for telling me
 about the new release, and to the AbiWord team for all the great work.
extra/j2sdk-1.5.0_04/j2sdk-1_5_0_04-i586-1.tgz:  Upgraded to Java(TM) 2
 Platform Standard Edition Development Kit Version 5.0, Release 4.
+--------------------------+
Tue Jul 26 23:35:18 PDT 2005
ap/vim-6.3.085-i486-1.tgz:  Upgraded to patchlevel 85.
d/distcc-2.18.3-i486-2.tgz:  Recompiled distccmon-gnome to use only
 GTK+ libraries and not GNOME ones.
 Thanks to Lasse Collin for suggesting --without-gnome --with-gtk.
d/guile-1.6.7-i486-1.tgz:  Upgraded to guile-1.6.7.
n/links-2.1pre17-i486-1.tgz:  Upgraded to links-2.1pre17.
n/imapd-4.63-i486-1.tgz:  Upgraded to imapd from pine-4.63.
n/netatalk-2.0.3-i486-1.tgz:  Upgraded to netatalk-2.0.3.
n/pine-4.63-i486-1.tgz:  Upgraded to pine-4.63.
xap/mozilla-1.7.10-i486-2.tgz:  Fixed a folder switching bug.
 Thanks to Peter Santoro for pointing out the patch.
xap/xvim-6.3.085-i486-1.tgz:  Upgraded to patchlevel 85.
+--------------------------+
Mon Jul 25 00:21:30 PDT 2005
n/wireless-tools-27-i486-2.tgz:  Build against static libiw.
 (Thanks to Lech Szychowski)
+--------------------------+
Sun Jul 24 22:57:27 PDT 2005
n/nail-11.24-i486-1.tgz:  Upgraded to nail-11.24.
n/ppp-2.4.3-i486-1.tgz:  Upgraded to ppp-2.4.3 and radiusclient-0.3.2.
+--------------------------+
Sun Jul 24 17:50:37 PDT 2005
a/hotplug-2004_09_23-noarch-3.tgz:  Modified net.agent to use the new
 rc.inet1 syntax (thanks to Eric Hameleers), and added several new
 framebuffer modules and the eth1394 module to the blacklist.
a/pkgtools-10.2.0-i486-3.tgz:  Added saslauthd and dnsmasq to the services
 setup menu.
a/sysvinit-2.84-i486-53.tgz:  Added support in /etc/rc.d/rc.M for
 starting /etc/rc.d/rc.dnsmasq and /etc/rc.d/rc.saslauthd.
a/udev-064-i486-1.tgz:  Upgraded to udev-064.  With the help of two new
 lines in udev.rules, and a symlink added in /etc/hotplug.d/default that
 used to be added by earlier versions of hotplug, udev-064 appears to be
 working!  Thanks to Piter Punk for the rules and Kris Karas for the link.
l/libxml2-2.6.20-i486-1.tgz:  Upgraded to libxml-2.6.20.
n/cyrus-sasl-2.1.21-i486-1.tgz:  Upgraded to cyrus-sasl-2.1.21,
 added missing /var/state/saslauthd directory and /etc/rc.d/rc.saslauthd
 startup script.  Thanks to Piter Punk for the help.
n/iproute2-2.6.11_050330-i486-1.tgz:  Upgraded to iproute2-2.6.11-050330.
n/lftp-3.2.1-i486-1.tgz:  Upgraded to lftp-3.2.1.
n/sendmail-8.13.4-i486-1.tgz:  Upgraded to sendmail-8.13.4 compiled with
 SASL support.  Added a new cf file that supports SASL (this is not the
 one installed by default):
   /usr/share/sendmail/sendmail-slackware-tls-sasl.cf
 Thanks to Joshua Rubin and Piter Punk for the help with SASL support.
n/sendmail-cf-8.13.4-noarch-1.tgz:   Upgraded to sendmail-8.13.4, and
 added a new sendmail-slackware-tls-sasl.mc config file.
n/tcpip-0.17-i486-32.tgz:  Merged in many improvements to rc.inet1
 scripts to allow alternate interface names and better networking
 support.  Thanks to Eric Hameleers for the really great job on this!
 When starting rc.portmap for NFS clients, also start rpc.lockd and
 rpc.statd, otherwise some Java applications may have problems due to a
 lack of locking.  Thanks to Dominik L. Borkowski and Piter Punk for
 pointing out this issue.
n/wireless-tools-27-i486-1.tgz:  Upgraded to wireless_tools.27.
 Thanks to Eric Hameleers for the improved rc.wireless scripts.
rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk:
 Fix /dev/urandom device (thanks to Daniel de Kok).
 Bumped version number to 10.2.
+--------------------------+
Fri Jul 22 13:54:50 PDT 2005
ap/alsa-utils-1.0.9a-i486-2.tgz:  Patched rc.alsa to try to load the OSS
 compatibility modules with both 2.4 and 2.6 kernels.
 Thanks to Cal Peake for the bug report.
ap/mysql-4.1.13-i486-1.tgz:  Upgraded to mysql-4.1.13.
l/zlib-1.2.3-i486-1.tgz:  Upgraded to zlib-1.2.3.
 This fixes an additional crash not fixed by the patch to zlib-1.2.2.
 (* Security fix *)
n/fetchmail-6.2.5.2-i486-1.tgz:  Upgraded to fetchmail-6.2.5.2.
 This fixes an overflow by which malicious or compromised POP3 servers
 may overflow fetchmail's stack.
 For more information, see:
   http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
 (* Security fix *)
xap/gxine-0.4.6-i486-1.tgz:  Upgraded to gxine-0.4.6.
 This fixes a format string vulnerability that allows remote attackers to
 execute arbitrary code via a ram file with a URL whose hostname contains
 format string specifiers.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
 (* Security fix *)
xap/xlockmore-5.18-i486-1.tgz:  Upgraded to xlockmore-5.18.
+--------------------------+
Fri Jul 22 10:33:41 PDT 2005
a/udev-058-i486-2.tgz:  Added a line to udev.rules to (hopefully) help
 with the ALSA issues:
 KERNEL="controlC[0-9]",  NAME="snd/%k", MODE="0666"
 Now, it would seem to me that the already-existing line:
 KERNEL="controlC[0-9]*", NAME="snd/%k", MODE="0666"
 ...should have already covered this.  It works with previous versions
 of udev just fine, and this seems to me to be a udev bug.  Oh well,
 give it a test and let me know if it's still causing any problems, in
 which case I'll probably go back to 054 for the Slackware 10.2 release.
 I'd rather not spend the next couple of months dorking around with
 udev problems and not getting a Slackware release out because of it.
 Thanks to Andris Pavenis for the one line udev.rules fix.
ap/groff-1.19.1-i486-2.tgz:  Fixed missing gxditview man page.
 Thanks to Stuart Winter.
kde/kdenetwork-3.4.1-i486-2.tgz:  Patched overflows in libgadu (used by
 kopete) that can cause a denial of service or arbitrary code execution.
 For more information, see:
   http://www.kde.org/info/security/advisory-20050721-1.txt
 (* Security fix *)
xap/abiword-2.2.8-i486-1.tgz:  Upgraded to abiword-2.2.8.
xap/fluxbox-0.9.13-i486-1.tgz:  Upgraded to fluxbox-0.9.13.
xap/jre-symlink-1.0.6-noarch-1.tgz:  Upgraded for firefox-1.0.6 and
 Mozilla 1.7.10.
xap/mozilla-firefox-1.0.6-i686-1.tgz:  Upgraded to firefox-1.0.6.
xap/mozilla-1.7.10-i486-1.tgz:  Upgraded to mozilla-1.7.10.
 This fixes several security issues.  For more information, see:
 http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
 (* Security fix *)
xap/mozilla-thunderbird-1.0.6-i686-1.tgz:  Upgraded to thunderbird-1.0.6.
xap/windowmaker-0.92.0-i486-1.tgz:  Upgraded to WindowMaker-0.92.0.
testing/packages/php-5.0.4/php-5.0.4-i486-2.tgz:  Recompiled against
 mysql-4.1.12.  Thanks to Tyler McGrath for pointing out this needed
 to be done.
+--------------------------+
Wed Jul 20 16:17:08 PDT 2005
a/glibc-solibs-2.3.5-i486-4.tgz:  Recompiled, as I forgot that with both
 linuxthreads and NPTL versions of glibc that the patch would have to be
 applied twice.  Thanks again to Dirk van Deun for pointing out my error.
a/glibc-zoneinfo-2.3.5-noarch-4.tgz:  Rebuilt.
l/glibc-2.3.5-i486-4.tgz:  Recompiled.
l/glibc-i18n-2.3.5-noarch-4.tgz:  Rebuilt.
l/glibc-profile-2.3.5-i486-4.tgz:  Recompiled.
+--------------------------+
Wed Jul 20 09:59:03 PDT 2005
a/glibc-solibs-2.3.5-i486-3.tgz:  Recompiled with a patch to fix logging
 in using NIS netgroups.  Thanks to Dirk van Deun for the bug report and
 patch.
a/glibc-zoneinfo-2.3.5-noarch-3.tgz:  Rebuilt.
a/sysvinit-2.84-i486-52.tgz:  In /etc/rc.d/rc.S, try to umount
 /initrd/proc/ before umounting /initrd/.
a/udev-058-i486-1.tgz:  Switched to udev-058, as newer versions still have
 problems (these are probably caused by the elimination of the
 /etc/hotplug.d/ directory, as this used to contain a link to udevstart).
 It was pointed out that udev-062 and udev-063 do create the missing
 devices if you run udevstart after boot (and possibly after plugging in
 new devices), but udev-058 is working fine without any kludges and seems
 to be the most stable version to use with 2.6.12.* kernels.  Also, made
 a fix in /etc/udev/scripts/make_extra_nodes to set a default LANG before
 calling /bin/ls to look for cdrom and dvd devices (not all LANG settings
 will produce the same number of fields with ls, which can break cd/dvd
 symlinks).  Thanks to Lukasz Stelmach for pointing out this bug.
e/emacs-21.4a-i486-1.tgz:  Upgraded to emacs-21.4a.
 This fixes a vulnerability in the movemail utility when connecting to a
 malicious POP server that may allow the execution of arbitrary code as
 the user running emacs.
 (* Security fix *)
e/emacs-info-21.4a-noarch-1.tgz:  Upgraded to emacs-21.4a.
e/emacs-leim-21.4-noarch-1.tgz:  Upgraded to leim-21.4.
e/emacs-lisp-21.4a-noarch-1.tgz:  Upgraded to emacs-21.4a.
e/emacs-misc-21.4a-noarch-1.tgz:  Upgraded to emacs-21.4a.
e/emacs-nox-21.4a-i486-1.tgz:  Upgraded to emacs-21.4a.
f/linux-howtos-20050718-noarch-1.tgz:  Upgraded to Linux-HOWTOs-20050718.
l/glibc-2.3.5-i486-3.tgz:  Recompiled with NIS netgroups patch.
l/glibc-i18n-2.3.5-noarch-3.tgz:  Rebuilt.
l/glibc-profile-2.3.5-i486-3.tgz:  Recompiled with NIS netgroups patch.
n/dnsmasq-2.22-i486-1.tgz:  Upgraded to dnsmasq-2.22.
 This fixes an off-by-one overflow vulnerability that may allow a DHCP
 client to create a denial of service condition.  Additional code was
 also added to detect and defeat attempts to poison the DNS cache.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877
 (* Security fix *)
n/getmail-4.3.11-noarch-1.tgz:  Upgraded to getmail-4.3.11.
kde/koffice-1.4.0b-i486-1.tgz:  Upgraded to koffice-1.4.0b.
tcl/expect-5.43.0-i486-1.tgz:  Upgraded to expect-5.43.0.
tcl/tcl-8.4.11-i486-1.tgz:  Upgraded to tcl-8.4.11.
tcl/tclx-8.3.5-i486-2.tgz:  Recompiled.
tcl/tix-8.1.4-i486-2.tgz:  Recompiled.
tcl/tk-8.4.11-i486-1.tgz:  Upgraded to tk-8.4.11.
xap/xchat-2.4.4-i486-1.tgz:  Upgraded to xchat-2.4.4 (and compiled against
 the new version of perl.  Thanks to Steven E. Woolard for pointing out
 that the old xchat package was still depending on the old perl.  I've
 been known to forget about that one since it doesn't put anything under
 /usr/lib/perl/...)
testing/packages/linux-2.6.12.3/alsa-driver-1.0.9b_2.6.12.3-i486-1.tgz:
 Recompiled against Linux 2.6.12.3.
testing/packages/linux-2.6.12.3/kernel-generic-2.6.12.3-i486-1.tgz:
 Upgraded to Linux 2.6.12.3 generic kernel.
testing/packages/linux-2.6.12.3/kernel-headers-2.6.12.3-i386-1.tgz:
 Upgraded to Linux 2.6.12.3 kernel headers for x86.
testing/packages/linux-2.6.12.3/kernel-modules-2.6.12.3-i486-1.tgz:
 Upgraded to Linux 2.6.12.3 kernel modules.
testing/packages/linux-2.6.12.3/kernel-source-2.6.12.3-noarch-1.tgz:
 Upgraded to Linux 2.6.12.3 kernel source.
+--------------------------+
Fri Jul 15 00:31:30 PDT 2005
testing/packages/gcc-3.4.4/gcc-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
testing/packages/gcc-3.4.4/gcc-g++-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
testing/packages/gcc-3.4.4/gcc-g77-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
testing/packages/gcc-3.4.4/gcc-gnat-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
testing/packages/gcc-3.4.4/gcc-java-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
testing/packages/gcc-3.4.4/gcc-objc-3.4.4-i486-1.tgz:  Upgraded to gcc-3.4.4.
+--------------------------+
Thu Jul 14 16:02:40 PDT 2005
a/devs-2.3.1-noarch-22.tgz:  Added /dev/ACM* devices.
 (Thanks to Manolis Tzanidakis)
a/pkgtools-10.2.0-i486-2.tgz:  Merged in Jim Hawkins' fixed speed
 optimizations for pkgtool.
a/udev-062-i486-1.tgz:  Upgraded to udev-062.
 This seems to be broken with regard to ALSA devices...  I'd suggest
 anyone using a 2.6 kernel "chmod 644 /etc/rc.d/rc.udev" unless you want
 to help locate and report bugs.  It's also possible that this has
 something to do with the ever-changing syntax used in the udev.rules
 config file.  If you find any problems that can be attributed to that,
 fixes would be appreciated.  For now, rc.udev will be off by default.
ap/mysql-4.1.12-i486-1.tgz:  Upgraded to mysql-4.1.12.
ap/texinfo-4.8-i486-1.tgz:  Upgraded to texinfo-4.8.
d/perl-5.8.7-i486-1.tgz:  Upgraded to perl-5.8.7, DBD-mysql-3.0002,
 and DBI-1.48.
kde/kdebindings-3.4.1-i486-2.tgz:  Recompiled against perl-5.8.7 and
 j2sdk-1_5_0_03.
kde/koffice-1.4.0a-i486-2.tgz:  Recompiled against mysql-4.1.12.
kde/qt-3.3.4-i486-2.tgz:  Recompiled against mysql-4.1.12.
n/bitchx-1.1-i486-2.tgz:  Recompiled against mysql-4.1.12.
n/irssi-0.8.9-i486-7.tgz:  Recompiled against perl-5.8.7.
n/php-4.4.0-i486-2.tgz:  Recompiled against mysql-4.1.12.
n/popa3d-1.0-i486-1.tgz:  Upgraded to popa3d-1.0.
n/tcpdump-3.9.3-i486-1.tgz:  Upgraded to libpcap-0.9.3 and tcpdump-3.9.3.
 This fixes an issue where an invalid BGP packet can cause tcpdump to
 go into an infinite loop, effectively disabling network monitoring.
 (* Security fix *)
n/vsftpd-2.0.3-i486-1.tgz:  Upgraded to vsftpd-2.0.3.
x/x11-6.8.2-i486-2.tgz:  Reverted to the 6.8.1 version of the ATI Rage128
 DRI module, as there's an undefined symbol in the newer version that
 prevents it from loading and breaks direct rendering for these cards.
 This bug has been reported on the freedesktop.org site but appears to
 have been closed without a fix...
 To observe the problem, on a system with a Rage128 card and DRI
 configured, use this command:  LIBGL_DEBUG=verbose glxinfo
 (Thanks to Andrey V. Panov for the bug report)
xap/gaim-1.4.0-i486-1.tgz:  Upgraded to gaim-1.4.0.
xap/imagemagick-6.2.3_3-i486-1.tgz:  Upgraded to ImageMagick-6.2.3-3.
xap/jre-symlink-1.0.5-noarch-1.tgz:  Upgraded for firefox-1.0.5.
xap/mozilla-firefox-1.0.5-i686-1.tgz:  Upgraded to mozilla-firefox-1.0.5.
 This fixes several security issues.  For more information, see:
 http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
 (* Security fix *)
xap/mozilla-thunderbird-1.0.5-i686-1.tgz:  Upgraded to thunderbird-1.0.5.
 This fixes several security issues.  For more information, see:
 http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird1.0.5
 (* Security fix *)
xap/xscreensaver-4.22-i486-2.tgz:  Fixed location of man pages.
 (Thanks to Alak Trakru)
xap/xv-3.10a-i486-4.tgz:  Upgraded to the latest XV jumbo patches,
 xv-3.10a-jumbo-fix-patch-20050410 and xv-3.10a-jumbo-enh-patch-20050501.
 These fix a number of format string and other possible security issues in
 addition to providing many other bugfixes and enhancements.
 (Thanks to Greg Roelofs)
 (* Security fix *)
testing/packages/linux-2.6.12.2/alsa-driver-1.0.9b_2.6.12.2-i486-1.tgz:
 Recompiled for Linux 2.6.12.2.
testing/packages/linux-2.6.12.2/kernel-generic-2.6.12.2-i486-1.tgz:
 Upgraded to Linux 2.6.12.2 generic kernel (added loopback).
testing/packages/linux-2.6.12.2/kernel-headers-2.6.12.2-i386-1.tgz:
 Upgraded to Linux 2.6.12.2 kernel headers.
testing/packages/linux-2.6.12.2/kernel-modules-2.6.12.2-i486-1.tgz:
 Upgraded to Linux 2.6.12.2 kernel modules.
testing/packages/linux-2.6.12.2/kernel-source-2.6.12.2-noarch-1.tgz:
 Upgraded to Linux 2.6.12.2 kernel sources.
bootdisks/*:  Regenerated bootdisks with "Slackware 10.2" label.
extra/bittorrent/bittorrent-4.1.3-noarch-1.tgz:  Upgraded to bittorrent-4.1.3.
extra/slackpkg/slackpkg-1.4.1-noarch-5.tgz:  Upgraded to
 slackpkg-1.4.1-noarch-5.  (Thanks to Piter Punk)
extra/slacktrack/slacktrack-1.25-i486-1.tgz:  Upgraded to slacktrack-1.25_1.
 (Thanks to Stuart Winter)
+--------------------------+
Mon Jul 11 15:06:22 PDT 2005
n/php-4.4.0-i486-1.tgz:  Upgraded to php-4.4.0.
 This new PHP package fixes a PEAR XML_RPC vulnerability.  Sites that use
 this PEAR class should upgrade to the new PHP package, or as a minimal
 fix may instead upgrade the XML_RPC PEAR class with the following command:
   pear upgrade XML_RPC
 (* Security fix *)
+--------------------------+
Sun Jul 10 22:33:04 PDT 2005
a/pkgtools-10.2.0-i486-1.tgz:  In xorgsetup, don't load the freetype module
 twice in the outputted xorg.conf file.  Also, fix the formatting of the
 xorg.conf file.  Thanks to Jonathan Woithe for the fixes!
d/gcc-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
d/gcc-g++-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
d/gcc-g77-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
d/gcc-gnat-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
d/gcc-java-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
d/gcc-objc-3.3.6-i486-1.tgz:  Upgraded to gcc-3.3.6.
kde/kdeartwork-3.4.1-i486-2.tgz:  Patched to fix using screensavers from
 xscreensaver >= 4.21.  Thanks to Chris Linnet for the fix!
l/libtiff-3.7.3-i486-1.tgz:  Upgraded to libtiff-3.7.3.
n/iptables-1.3.2-i486-1.tgz:  Upgraded to iptables-1.3.2.
n/rsync-2.6.5-i486-1.tgz:  Upgraded to rsync-2.6.5.
tcl/hfsutils-3.2.6-i486-3.tgz:  Patched to include <errno.h>, and recompiled
 to fix problems on systems using NPTL.  Thanks to Dominik L. Borkowski for
 pointing out the issue.
xap/gkrellm-2.2.7-i486-1.tgz:  Upgraded to gkrellm-2.2.7.
xap/xscreensaver-4.22-i486-1.tgz:  Upgraded to xscreensaver-4.22.
+--------------------------+
Fri Jul  8 13:44:53 PDT 2005
l/gnet-2.0.7-i486-3.tgz:  Fixed a missing '\' in the ./configure part
 of the build that was causing the --prefix to be ignored (and which
 I'd formulated an unnecessary patch to work around).  Thanks to orlan.
l/libexif-0.6.12-i486-2.tgz:  Included a patch from CVS to fix loading
 of JPEGs from certain digital cameras in GIMP.  This fix has been in
 CVS for months, and many people have pointed it out here.  Sorry about
 the delay in fixing it, but I thought for sure upstream would have
 issued a new release by now (long ago, really.)
l/zlib-1.2.2-i486-2.tgz:  Patched an overflow in zlib that could cause
 applications using zlib to crash.  The overflow does not involve user
 supplied data, and therefore does not allow the execution of arbitrary
 code.  However, it could still be used by a remote attacker to create
 a denial of service.
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
 (* Security fix *)
xap/gimp-2.2.8-i486-1.tgz:  Upgraded to gimp-2.2.8.
+--------------------------+
Thu Jun 23 16:06:53 PDT 2005
ap/groff-1.19.1-i486-1.tgz:  Upgraded to groff-1.19.1.
 I'd been putting this upgrade off because of problems caused by
 newer groff versions defaulting to ANSI color output, but found a patch
 for man.local and mdoc.local that makes man pages render without color
 by default.  Hopefully this new groff version won't contain any other
 surprises, but I think that was the big one...
ap/man-1.5p-i486-1.tgz:  Upgraded to man-1.5p.
ap/vim-6.3.078-i486-1.tgz:  Upgraded to patchlevel 78.
kde/koffice-1.4.0a-i486-1.tgz:  Upgraded to koffice-1.4.0a.
 (This requires the new libgsf and libwpd packages)
kdei/koffice-l10n-*.tgz:  Upgraded to new KOffice translation packages.
l/libgsf-1.12.1-i486-1.tgz:  Upgraded to libgsf-1.12.1.
l/libwpd-0.8.2-i486-1.tgz:  Added libwpd-0.8.2 (needed by KWord).
n/wget-1.10-i486-1.tgz:  Upgraded to wget-1.10.
xap/xvim-6.3.078-i486-1.tgz:  Upgraded to patchlevel 78.
+--------------------------+
Tue Jun 21 21:56:16 PDT 2005
ap/sudo-1.6.8p9-i486-1.tgz:  Upgraded to sudo-1.6.8p9.
 This new version of Sudo fixes a race condition in command pathname handling
 that could allow a user with Sudo privileges to run arbitrary commands.
 For full details, see the Sudo site:
   http://www.courtesan.com/sudo/alerts/path_race.html
 (* Security fix *)
l/gtk+2-2.6.8-i486-1.tgz:  Upgraded to gtk+-2.6.8.
 Fixed /etc/gtk-2.0/gdk-pixbuf.loaders to list the SVG loader (svg_loader.so).
 (Thanks very much to Alastair Poole for noticing that XFCE was not loading
 SVG icons correctly, figuring out the problem, and sending in a fix)
+--------------------------+
Sun Jun 19 21:45:07 PDT 2005
l/jre-1_5_0_03-i586-1.tgz:  This already-issued package fixes some
 recently announced security issues that could allow applets to read
 or write to local files.  See:
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
 (* Security fix *)
extra/j2sdk-1.5.0_03/j2sdk-1_5_0_03-i586-1.tgz:  Fixed the slack-desc
 to not include the release version to prevent future mishaps. :-)
 This already-issued package fixes some recently announced security
 issues that could allow applets to read or write to local files.
 See:
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1
   http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
 (* Security fix *)
+--------------------------+
Tue Jun 14 18:40:39 PDT 2005
ap/flac-1.1.2-i486-2.tgz:  Patched the XMMS plugin.
 (thanks to Wim Speekenbrink for the patch)
l/glib2-2.6.5-i486-1.tgz:  Upgraded to glib-2.6.5.
extra/k3b/k3b-0.12-i486-1.tgz:  Upgraded to k3b-0.12.
extra/k3b/k3b-i18n-0.12-noarch-1.tgz:  Upgraded to k3b-i18n-0.12.
+--------------------------+
Sun Jun 12 21:48:25 PDT 2005
a/bzip2-1.0.3-i486-1.tgz:  Upgraded to bzip2-1.0.3.
a/openssl-solibs-0.9.7g-i486-1.tgz:  Upgraded to openssl-0.9.7g libraries.
a/tcsh-6.14.00-i486-1.tgz:  Upgraded to tcsh-6.14.00.
ap/espgs-8.15rc3-i486-1.tgz:  Upgraded to espgs-8.15rc3, which should fix
 problems with PNG and PDF while we wait for a final release on this one.
ap/flac-1.1.2-i486-1.tgz:  Upgraded to flac-1.1.2.  Note that the library
 versions for FLAC have changed, so anything using the FLAC libraries
 will need to be recompiled.  If I've missed anything, let me know.
ap/vorbis-tools-1.0.1-i486-4.tgz:  Recompiled against new Ogg/FLAC libraries.
d/doxygen-1.4.3-i486-1.tgz:  Upgraded to doxygen-1.4.3.
kde/kdeaccessibility-3.4.1-i486-1.tgz:  Upgraded to kdeaccessibility-3.4.1.
kde/kdeaddons-3.4.1-i486-1.tgz:  Upgraded to kdeaddons-3.4.1.
kde/kdeadmin-3.4.1-i486-1.tgz:  Upgraded to kdeadmin-3.4.1.
kde/kdeartwork-3.4.1-i486-1.tgz:  Upgraded to kdeartwork-3.4.1.
kde/kdebase-3.4.1-i486-1.tgz:  Upgraded to kdebase-3.4.1.
kde/kdebindings-3.4.1-i486-1.tgz:  Upgraded to kdebindings-3.4.1.
kde/kdeedu-3.4.1-i486-1.tgz:  Upgraded to kdeedu-3.4.1.
kde/kdegames-3.4.1-i486-1.tgz:  Upgraded to kdegames-3.4.1.
kde/kdegraphics-3.4.1-i486-1.tgz:  Upgraded to kdegraphics-3.4.1.
kde/kdelibs-3.4.1-i486-1.tgz:  Upgraded to kdelibs-3.4.1.
kde/kdemultimedia-3.4.1-i486-1.tgz:  Upgraded to kdemultimedia-3.4.1.
kde/kdenetwork-3.4.1-i486-1.tgz:  Upgraded to kdenetwork-3.4.1.
kde/kdepim-3.4.1-i486-1.tgz:  Upgraded to kdepim-3.4.1.
kde/kdesdk-3.4.1-i486-1.tgz:  Upgraded to kdesdk-3.4.1.
kde/kdetoys-3.4.1-i486-1.tgz:  Upgraded to kdetoys-3.4.1.
kde/kdeutils-3.4.1-i486-1.tgz:  Upgraded to kdeutils-3.4.1.
kde/kdevelop-3.2.1-i486-1.tgz:  Upgraded to kdevelop-3.2.1.
kde/kdewebdev-3.4.1-i486-1.tgz:  Upgraded to kdewebdev-3.4.1.
kdei/kde-i18n-*-3.4.1-noarch-1.tgz:  Upgraded to KDE 3.4.1 i18n packages.
l/arts-1.4.1-i486-1.tgz:  Upgraded to arts-1.4.1.
l/aspell-0.60.2-i486-1.tgz:  Upgraded to aspell-0.60.2.
 Moved aspell data files into /usr/lib/aspell where most things look for them
 rather than the default of /usr/lib/aspell-<VERSION>.
l/aspell-en-6.0_0-noarch-3.tgz:  Moved data files into /usr/lib/aspell.
l/gnet-2.0.7-i486-2.tgz:  Patched ./configure to not put the package
 into /usr/local.  Thanks to orlan for pointing out the problem.
l/jre-1_5_0_03-i586-1.tgz:  Upgraded to Java(TM) 2 Platform Standard Edition
 Runtime Environment Version 5.0, Release 3.
l/libao-0.8.6-i486-1.tgz:  Upgraded to libao-0.8.6.
l/libogg-1.1.2-i486-1.tgz:  Upgraded to libogg-1.1.2.
l/libvorbis-1.1.0-i486-1.tgz:  Upgraded to libvorbis-1.1.0.
n/openssh-4.1p1-i486-1.tgz:  Upgraded to openssh-4.1p1.
n/openssl-0.9.7g-i486-1.tgz:  Upgraded to openssl-0.9.7g.
xap/gaim-1.3.1-i486-1.tgz:  Upgraded to gaim-1.3.1 and gaim-encryption-2.38.
 This fixes a couple of remote crash bugs, so users of the MSN and
 Yahoo! chat protocols should upgrade to gaim-1.3.1.
 (* Security fix *)
xap/gimp-2.2.7-i486-1.tgz:  Upgraded to gimp-2.2.7.
xap/gimp-help-2-0.8-noarch-1.tgz:  Upgraded to gimp-help-2-0.8.
xap/imagemagick-6.2.3_0-i486-1.tgz:  Upgraded to ImageMagick-6.2.3-0.
xap/xine-lib-1.0.1-i686-2.tgz:  Recompiled against new Ogg/FLAC libraries.
extra/aspell-word-lists:  Updated and added several dictionaries, and moved
 all data files from /usr/lib/aspell-0.60 to /usr/lib/aspell.
extra/j2sdk-1.5.0_03/j2sdk-1_5_0_03-i586-1.tgz:  Upgraded to Java(TM) 2
 Platform Standard Edition Development Kit Version 5.0, Release 3.
+--------------------------+
Wed Jun  8 22:25:08 PDT 2005
ap/alsa-utils-1.0.9a-i486-1.tgz:  Upgraded to alsa-utils-1.0.9a.
l/alsa-driver-1.0.9b_2.4.31-i486-1.tgz:  Upgraded to alsa-driver-1.0.9b,
 which works great with both 2.4 and 2.6 kernels.
 Big thanks to the ALSA developers for the quick fix!  :-)
l/alsa-lib-1.0.9-i486-1.tgz:  Upgraded to alsa-lib-1.0.9.
l/alsa-oss-1.0.9-i486-1.tgz:  Upgraded to alsa-oss-1.0.9.
l/gnet-2.0.7-i486-1.tgz:  Upgraded to gnet-2.0.7.
l/lcms-1.14-i486-1.tgz:  Upgraded to lcms-1.14.
l/lesstif-0.94.4-i486-1.tgz:  Upgraded to lesstif-0.94.4.
l/libexif-0.6.12-i486-1.tgz:  Upgraded to libexif-0.6.12.
l/libgsf-1.12.0-i486-1.tgz:  Upgraded to libgsf-1.12.0.
l/libidn-0.5.17-i486-1.tgz:  Upgraded to libidn-0.5.17.
l/libieee1284-0.2.10-i486-1.tgz:  Upgraded to libieee1284-0.2.10.
l/libtiff-3.7.2-i486-1.tgz:  Upgraded to tiff-3.7.2.
l/libungif-4.1.3-i486-1.tgz:  Upgraded to libungif-4.1.3.
l/libwmf-0.2.8.3-i486-1.tgz:  Upgraded to libwmf-0.2.8.3.
l/libwmf-docs-0.2.8.3-noarch-1.tgz:  Upgraded to libwmf-0.2.8.3 docs.
l/mhash-0.9.2-i486-1.tgz:  Upgraded to mhash-0.9.2.
n/samba-3.0.14a-i486-1.tgz:  Upgraded to samba-3.0.14a.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.4.31-i486-1.tgz:
 Recompiled for Linux 2.4.31.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.11.11-i486-1.tgz:
 Recompiled for Linux 2.6.11.11.
testing/packages/linux-2.6.11.11/alsa-driver-1.0.9b_2.6.11.11-i486-1.tgz:
 Upgraded to alsa-driver-1.0.9b (compiled for Linux 2.6.11.11).
+--------------------------+
Mon Jun  6 20:23:40 PDT 2005
a/kernel-ide-2.4.31-i486-1.tgz:  Upgraded to Linux 2.4.31.
a/kernel-modules-2.4.31-i486-1.tgz:  Upgraded to Linux 2.4.31 kernel modules.
d/kernel-headers-2.4.31-i386-1.tgz:
 Upgraded to kernel headers from Linux 2.4.31.
k/kernel-source-2.4.31-noarch-1.tgz:  Upgraded to Linux 2.4.31.
l/alsa-driver-1.0.8_2.4.31-i486-1.tgz:  Recompiled for Linux 2.4.31.
 alsa-driver-1.0.9a was tested, but attempting to load snd.o produces some
 unresolved symbol errors (class_device_destroy and class_device_create).
 Seems that the new version of ALSA requires some new features of the 2.6.x
 kernel series.  ALSA 1.0.8 works with both 2.4.x and 2.6.x kernels, so for
 the time being ALSA will stay at 1.0.8.  It would be nice to see these
 features backported in an official 2.4.32 kernel, or an alsa-driver-1.0.9b
 release that can work with either kernel branch...
bootdisks/*:  Upgraded to Linux 2.4.31 bootdisks.
kernels/*:  Upgraded to Linux 2.4.31 kernels.
isolinux/initrd.img, isolinux/network.dsk, isolinux/pcmcia.dsk,
rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk:
 Updated kernel modules to 2.4.31.
testing/packages/linux-2.6.11.11/alsa-driver-1.0.8_2.6.11.11-i486-1.tgz:
 Recompiled for Linux 2.6.11.11.
testing/packages/linux-2.6.11.11/kernel-generic-2.6.11.11-i486-1.tgz:
 Upgraded to Linux 2.6.11.11.
testing/packages/linux-2.6.11.11/kernel-headers-2.6.11.11-i386-1.tgz:
 Upgraded to kernel headers from Linux 2.6.11.11.
testing/packages/linux-2.6.11.11/kernel-modules-2.6.11.11-i486-1.tgz:
 Upgraded to kernel modules for Linux 2.6.11.11.
testing/packages/linux-2.6.11.11/kernel-source-2.6.11.11-noarch-1.tgz:
 Upgraded to kernel source for Linux 2.6.11.11.
+--------------------------+
Tue May 17 17:51:29 PDT 2005
xap/xfce-4.2.2-i486-1.tgz:  Upgraded to xfce-4.2.2.
+--------------------------+
Mon May 16 15:27:24 PDT 2005
a/glibc-solibs-2.3.5-i486-2.tgz:  Recompiled including a patch found
 in Debian's glibc sources that fixes an issue with TLS that breaks
 X and XMMS on machines that use nVidia's X drivers.  This might
 also be found in glibc CVS by now, but I'm not sure about that.  In
 any case, if you had problems before and you're using nVidia's
 drivers, this should fix it.  Also, I heard a few reports of trouble
 with Firefox not working with NPTL -- maybe this will also fix that?
a/glibc-zoneinfo-2.3.5-noarch-2.tgz:  Rebuilt.
l/glibc-2.3.5-i486-2.tgz:  Recompiled with TLS fix.
l/glibc-i18n-2.3.5-noarch-2.tgz:  Rebuilt.
l/glibc-profile-2.3.5-i486-2.tgz:  Recompiled with TLS fix.
+--------------------------+
Sun May 15 20:12:03 PDT 2005
n/ncftp-3.1.9-i486-1.tgz:  Upgraded to ncftp-3.1.9.
 This corrects a vulnerability where a download from a hostile FTP
 server might be written to an unintended location potentially
 compromising system security or causing a denial of service.
 For more details, see:
   http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5
 (* Security fix *)
xap/jre-symlink-1.0.4-noarch-1.tgz:  Upgraded Java(TM) symlink for new
 versions of Mozilla Firefox and the Mozilla Suite.
xap/mozilla-1.7.8-i486-1.tgz:  Upgraded to mozilla-1.7.8.
 Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow
 an attacker to run arbitrary code. The Mozilla Suite version 1.7.7
 is only partially vulnerable.  For more details, see:
   http://www.mozilla.org/security/announce/mfsa2005-42.html
 (* Security fix *)
xap/mozilla-firefox-1.0.4-i686-1.tgz:  Upgraded to firefox-1.0.4.
 Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow
 an attacker to run arbitrary code.  For more details, see:
   http://www.mozilla.org/security/announce/mfsa2005-42.html
 (* Security fix *)
+--------------------------+
Fri May 13 12:51:03 PDT 2005
Here's the (I'm sure) long awaited upgrade to Slackware's glibc to
include support for NPTL (the Native POSIX Thread Library).  NPTL
works with newer kernels (meaning 2.6.x, or a 2.4 kernel that is
patched to support NPTL, but not an unmodified "vanilla" 2.4 kernel
such as Slackware uses) to provide improved performance for threads.
This difference can be quite dramatic in some situations.  For example,
a benchmark test mentioned on Wikipedia started 100,000 threads
simultaneously in about 2 seconds on a system using NPTL.  The same
test using the old Linuxthreads glibc thread support took around 15
minutes to run!  For most applications that do not start large numbers
of threads the difference will not be so large, but for high traffic
servers, databases, or anything that runs large numbers of threads,
NPTL should bring big improvements in scalability and performance.
For compatibility, the regular (linuxthreads) libraries are installed
in /lib, and the new NPTL versions are installed in /lib/tls.  Which
versions are used depends on the kernel you're using.  If it's newer
than 2.6.4, then the NPTL libraries in /lib/tls will be used.  TLS
stands for "thread-local storage", and the directory name /lib/tls is
a little bit misleading since now both the linuxthreads and NPTL
versions of glibc are compiled with TLS support included (this is
needed to produce versions of tools such as ldconfig that can run under
either kind of system).

Getting all the kinks out of the build script to be able to get this to
work with either 2.4 or 2.6 kernels and be able to switch back and forth
without issues was quite a challenge, to say the least, and would have
been much harder without all the good advice and help folks sent in to
help me along and give me important hints.  A special thanks goes to
Chad Corkrum for sending in some ./configure options that really helped
get the ball rolling here.

Here's some information about compiling things using these libraries --
by default, if you compile something the headers and shared libraries
used to compile and link the binary will be the linuxthreads versions,
but when you go to run the binary it will link to the NPTL library
versions (and you'll get the NPTL speed improvements) if you are running
an NPTL capable kernel.  In rare cases you may find that an old binary
doesn't work right when run against the NPTL libs, and in this case you
can force it to run against the linuxthreads versions by setting the
LD_ASSUME_KERNEL variable to assume the use of a 2.4.x (non-NPTL) kernel
so that NPTL will not be used.  An easy way to see the effect of this is
to try something like the following while using an NPTL enabled kernel:

 volkerdi@tree:~$ ldd /bin/bash
       linux-gate.so.1 =>  (0xffffe000)
       libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
       libdl.so.2 => /lib/tls/libdl.so.2 (0xb7fcb000)
       libc.so.6 => /lib/tls/libc.so.6 (0xb7eaf000)
       /lib/ld-linux.so.2 (0xb7feb000)

Note that in the example above, the binary is running against the NPTL
libraries in /lib/tls.  Now, let's try setting LD_ASSUME_KERNEL:

 volkerdi@tree:~$ LD_ASSUME_KERNEL=2.4.30 ldd /bin/bash
       linux-gate.so.1 =>  (0xffffe000)
       libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
       libdl.so.2 => /lib/libdl.so.2 (0xb7fcb000)
       libc.so.6 => /lib/libc.so.6 (0xb7eb2000)
       /lib/ld-linux.so.2 (0xb7feb000)

As you can see, now the binary is running against the linuxthreads
version of glibc in /lib.  If you find old things that won't work with
NPTL (which should be rare), this is the method you'll want to use to
work around it.

Now for a little note about compiling things.  In most cases it will be
just fine to compile against linuxthreads and run against NPTL, and this
approach will produce the most flexible binaries (ones that will run
against either linuxthreads or NPTL.)  However, in some cases you might
want to use some of the new functions that are only available in NPTL,
and to do that you'll need to use the NPTL versions of pthread.h and
other headers that are different and link against the NPTL versions of
the glibc libraries.  To do this you'll need to add these compile flags
to your build in an appropriate spot:

   -I/usr/include/nptl -L/usr/lib/nptl
   (and link with -lpthread, of course)

Have fun, and report any problems to [email protected].

a/glibc-solibs-2.3.5-i486-1.tgz:  Upgraded to glibc-2.3.5 shared libs.
a/glibc-zoneinfo-2.3.5-noarch-1.tgz:  Upgraded to time zone files from
 glibc-2.3.5.
l/glibc-2.3.5-i486-1.tgz:  Upgraded to glibc-2.3.5.
l/glibc-i18n-2.3.5-noarch-1.tgz:  Upgraded to glibc-2.3.5 i18n files.
l/glibc-profile-2.3.5-i486-1.tgz:  Upgraded to glibc-2.3.5 profile libs.
xap/gaim-1.3.0-i486-1.tgz:  Upgraded to gaim-1.3.0.  This fixes a few
 bugs which could be used by a remote attacker to annoy a GAIM user by
 crashing GAIM and creating a denial of service.
 (* Security fix *)
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.11.9-i486-1.tgz:
 Recompiled linux-wlan-ng-0.2.1pre25 for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/alsa-driver-1.0.8_2.6.11.9-i486-1.tgz:
 Recompiled for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-generic-2.6.11.9-i486-1.tgz:
 Upgraded to Linux 2.6.11.9.  Note that as far as these so-called
 "sucker" kernels go, I won't be intending to follow every one that's
 released, but I figure I might as well upgrade _occasionally_, as
 there's no reason to be testing for bugs that are already well-known.
 Anyway, I guess my point here is that when 2.6.11.10 comes out (if it's
 not out already ;-), I won't need everyone to be sending me email saying
 "new kernel! new kernel!".  If, on the other hand, you are personally
 affected by a kernel bug that's fixed by a new kernel in this series
 feel free to let me know about it.  Thanks!  :-)
testing/packages/linux-2.6.11.9/kernel-headers-2.6.11.9-i386-1.tgz:
 Upgraded to kernel headers from Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-modules-2.6.11.9-i486-1.tgz:
 Upgraded to kernel modules for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-source-2.6.11.9-noarch-1.tgz:
 Upgraded to kernel source for Linux 2.6.11.9.
+--------------------------+
Sun May  1 22:10:17 PDT 2005
a/hdparm-6.1-i486-1.tgz:  Upgraded to hdparm-6.1.
a/kernel-ide-2.4.30-i486-1.tgz:  Upgraded to Linux 2.4.30.
a/kernel-modules-2.4.30-i486-1.tgz:  Upgraded to Linux 2.4.30 kernel modules.
d/kernel-headers-2.4.30-i386-1.tgz:  Upgraded kernel headers from 2.4.30 kernel.
k/kernel-source-2.4.30-noarch-1.tgz:  Upgraded to Linux 2.4.30 kernel source.
l/alsa-driver-1.0.8_2.4.30-i486-1.tgz:  Recompiled for Linux 2.4.30.
l/gmp-4.1.4-i486-2.tgz:  Recompiled with --enable-mpfr.
l/libgtkhtml-2.6.3-i486-1.tgz:  Added libgtkhtml-2.6.3 (needed for GIMP's
 help browser plugin).
l/librsvg-2.8.1-i486-1.tgz:  Added librsvg-2.8.1 (needed for GIMP's SVG
 support plugin).
n/bind-9.3.1-i486-1.tgz:  Upgraded to bind-9.3.1.
n/getmail-4.3.7-noarch-1.tgz:  Upgraded to getmail-4.3.7.
xap/gimp-2.2.6-i486-2.tgz:  Rebuilt to include SVG and help browser plugins.
xap/gimp-help-2-0.7-noarch-1.tgz:  Added help files for the GIMP image editor.
xap/gxine-0.4.4-i486-1.tgz:  Upgraded to gxine-0.4.4.
xap/jre-symlink-1.0.3-noarch-2.tgz:  Make sure the directories for the symlinks
 are there.  (thanks to Eric Le Bras for the bug report)
xap/xine-lib-1.0.1-i686-1.tgz:  Upgraded to xine-lib-1.0.1.
 This fixes some bugs in the MMS and Real RTSP streaming client code.
 While the odds of this vulnerability being usable to a remote attacker are
 low (but see the xine advisory), if you stream media from sites using these
 protocols (and you think the sites might be "hostile" and will try to hack
 into your xine client), then you might want to upgrade to this new version
 of xine-lib.  Probably the other fixes and enchancements in xine-lib-1.0.1
 are a better rationale to do so, though.
 For more details on the xine-lib security issues, see:
   http://xinehq.de/index.php/security/XSA-2004-8
 (* Security fix *)
bootdisks/*:  Upgraded to Linux 2.4.30 bootdisks.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.4.30-i486-1.tgz:
 Recompiled linux-wlan-ng-0.2.1pre25 for Linux 2.4.30.
kernels/*:  Upgraded to Linux 2.4.30 kernels.
isolinux/initrd.img, isolinux/network.dsk, isolinux/pcmcia.dsk,
rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk:
 Updated kernel modules to 2.4.30.
+--------------------------+
Thu Apr 21 14:26:29 PDT 2005
d/binutils-2.15.92.0.2-i486-3.tgz:  Upgraded to ksymoops-2.4.11.
d/cvs-1.11.20-i486-1.tgz:  Upgraded to cvs-1.11.20.
 From cvshome.org:  "This version fixes many minor security issues in the
 CVS server executable including a potentially serious buffer overflow
 vulnerability with no known exploit.  We recommend this upgrade for all CVS
 servers!"
 For more information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
 (* Security fix *)
d/python-2.4.1-i486-1.tgz:  Upgraded to python-2.4.1.
 From the python.org site:  "The Python development team has discovered a flaw
 in the SimpleXMLRPCServer library module which can give remote attackers
 access to internals of the registered object or its module or possibly other
 modules. The flaw only affects Python XML-RPC servers that use the
 register_instance() method to register an object without a _dispatch()
 method. Servers using only register_function() are not affected."
 For more details, see:
   http://python.org/security/PSF-2005-001/
 (* Security fix *)
d/python-demo-2.4.1-noarch-1.tgz:  Upgraded to python-2.4.1 demos.
d/python-tools-2.4.1-noarch-1.tgz:  Upgraded to python-2.4.1 tools.
kde/kdebase-3.4.0-i486-2.tgz:  Recompiled to link with Cyrus SASL.
kde/kdepim-3.4.0-i486-2.tgz:  Recompiled to link with Cyrus SASL.
l/glib2-2.6.4-i486-1.tgz:  Upgraded to glib-2.6.4.
l/gtk+2-2.6.7-i486-1.tgz:  Upgraded to gtk+-2.6.7.
l/libxml2-2.6.19-i486-1.tgz:  Upgraded to libxml2-2.6.19.
l/libxslt-1.1.14-i486-1.tgz:  Upgraded to libxslt-1.1.14.
n/cyrus-sasl-2.1.20-i486-1.tgz:  Added Cyrus SASL library (for Kmail).
xap/gaim-1.2.1-i486-1.tgz:  Upgraded to gaim-1.2.1.
 According to gaim.sf.net, this fixes a few denial-of-service flaws.
 (* Security fix *)
xap/gimp-2.2.6-i486-1.tgz:  Upgraded to gimp-2.2.6.
xap/jre-symlink-1.0.3-noarch-1.tgz:  Upgraded Java(TM) symlink for Mozilla
 Firefox and added an additional link for the Mozilla Suite.
xap/mozilla-1.7.7-i486-1.tgz:  Upgraded to mozilla-1.7.7.
 This fixes some security issues.  For complete details, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html
 (* Security fix *)
xap/mozilla-firefox-1.0.3-i686-1.tgz:  Upgraded to firefox-1.0.3.
 From the mozilla.org site:  "Firefox 1.0.3 is a security update that is
 part of our ongoing program to provide a safe Internet experience for our
 customers. We recommend that all users upgrade to this latest version."
 For complete details, see:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html
 (* Security fix *)
xap/xscreensaver-4.21-i486-2.tgz:  Patched to fix setgid shadow.
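
Added example (not part of the ChangeLog and not the Python project's code): the python-2.4.1 entry above quotes an advisory about register_instance() being used without a _dispatch() method, and this block compares what each registration style answers to the same three requests. It runs on Python 3's xmlrpc.server, the successor of SimpleXMLRPCServer, where allow_dotted_names=True stands in for the old attribute traversal; Inventory, AuditLog and GuardedInventory are hypothetical names and all data is constructed.

```python
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


class AuditLog:
    """Internal helper the service keeps as an attribute (constructed sample)."""

    def __init__(self):
        self.entries = ["constructed-entry"]

    def snapshot(self):
        return list(self.entries)


class Inventory:
    """Hypothetical service object; only count() is meant for remote callers."""

    def __init__(self):
        self.audit = AuditLog()
        self.items = {"widget": 3}

    def count(self, name):
        return self.items.get(name, 0)

    def purge(self):
        # Local maintenance helper, public by name only.
        self.items.clear()
        return True


class GuardedInventory(Inventory):
    """Same service plus the _dispatch() hook named in the advisory."""

    EXPOSED = frozenset({"count"})

    def _dispatch(self, method, params):
        # Explicit allowlist: every other name, dotted or not, is refused.
        if method not in self.EXPOSED:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)


def build_dispatchers():
    """One dispatcher per registration style, each with a fresh service object."""
    dotted = SimpleXMLRPCDispatcher()
    dotted.register_instance(Inventory(), allow_dotted_names=True)

    flat = SimpleXMLRPCDispatcher()
    flat.register_instance(Inventory())          # default: no dotted lookup

    allowlist = SimpleXMLRPCDispatcher()
    allowlist.register_instance(GuardedInventory())

    functions = SimpleXMLRPCDispatcher()
    functions.register_function(Inventory().count, "count")

    return {"dotted": dotted, "flat": flat,
            "allowlist": allowlist, "functions": functions}


def call(dispatcher, method, *params):
    """Send one marshalled XML-RPC request through the dispatcher, no socket.

    _marshaled_dispatch() is the method the stock request handler calls with
    the HTTP body, so the lookup path is the same as on a live server.
    """
    request = xmlrpc.client.dumps(params, methodname=method).encode("utf-8")
    response = dispatcher._marshaled_dispatch(request)
    try:
        (result,), _ = xmlrpc.client.loads(response)
    except xmlrpc.client.Fault as fault:
        return ("refused", fault.faultString)
    return ("ok", result)


# Constructed probe set: the intended method, a dotted path into internal
# state, and a public helper that was never meant to be remote.
PROBES = [("count", ("widget",)), ("audit.snapshot", ()), ("purge", ())]


def exposure_matrix():
    """Map registration style -> {method name: 'ok' or 'refused'}."""
    matrix = {}
    for label, dispatcher in build_dispatchers().items():
        matrix[label] = {name: call(dispatcher, name, *args)[0]
                         for name, args in PROBES}
    return matrix


if __name__ == "__main__":
    for label, row in exposure_matrix().items():
        print(f"{label:10s} {row}")
```

Only the dotted registration answers audit.snapshot, while the flat registration still answers purge; the _dispatch() allowlist and register_function() rows answer count and nothing else.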
+--------------------------+
Tue Apr  5 12:52:00 PDT 2005
n/php-4.3.11-i486-1.tgz:  Upgraded to php-4.3.11.
 "This is a maintenance release that in addition to over 70 non-critical bug
 fixes addresses several security issues inside the exif and fbsql extensions
 as well as the unserialize(), swf_definepoly() and getimagesize() functions."
 (* Security fix *)
testing/packages/php-5.0.4/php-5.0.4-i486-1.tgz:  Upgraded to php-5.0.4.
 Fixes various bugs (and security issues.)
 (* Security fix *)
+--------------------------+
Sat Mar 26 23:04:41 PST 2005
a/hotplug-2004_09_23-noarch-2.tgz:  Blacklisted a few more modules:
 snd-atiixp-modem, snd-intel8x0m, snd-via82xx-modem, and intelfb.
 Thanks to Tomas Matejicek, Piter PUNK, and Tobias Svensson for reporting
 the problems with hotplug auto-loading these (in the rare event that your
 machine actually needs them, they can be manually loaded somewhere else
 in the boot scripts, such as rc.modules.)
a/infozip-5.52-i486-1.tgz:  Upgraded to unzip-5.52 and zip-2.31.
a/gettext-0.14.3-i486-1.tgz:  Upgraded to gettext-0.14.3.
ap/mysql-4.0.24-i486-1.tgz:  Upgraded to mysql-4.0.24.
d/automake-1.9.5-noarch-1.tgz:  Upgraded to automake-1.9.5.
d/gettext-tools-0.14.3-i486-1.tgz:  Upgraded to gettext-0.14.3.
d/libtool-1.5.14-i486-1.tgz:  Upgraded to libtool-1.5.14.
gnome/*:  Removed from -current, and turned over to community support and
 distribution.  I'm not going to rehash all the reasons behind this, but it's
 been under consideration for more than four years.  There are already good
 projects in place to provide Slackware GNOME for those who want it, and
 these are more complete than what Slackware has shipped in the past.  So, if
 you're looking for GNOME for Slackware -current, I would recommend looking at
 these two projects for well-built packages that follow a policy of minimal
 interference with the base Slackware system:

   http://gsb.sf.net
   http://gware.sf.net

 There is also Dropline, of course, which is quite popular.  However, due to
 their policy of adding PAM and replacing large system packages (like the
 entire X11 system) with their own versions, I can't give quite the same sort
 of nod to Dropline.  Nevertheless, it remains another choice, and it's _your_
 system, so I will also mention their project:

   http://www.dropline.net/gnome/

 Please do not incorrectly interpret any of this as a slight against GNOME
 itself, which (although it does usually need to be fixed and polished beyond
 the way it ships from upstream more so than, say, KDE or XFce) is a decent
 desktop choice.  So are a lot of others, but Slackware does not need to ship
 every choice.  GNOME is and always has been a moving target (even the
 "stable" releases usually aren't quite ready yet) that really does demand a
 team to keep up on all the changes (many of which are not always well
 documented).  I fully expect that this move will improve the quality of both
 Slackware itself, and the quality (and quantity) of the GNOME options
 available for it.

 Folks, this is how open source is supposed to work.  Enjoy.  :-)

kde/kdeaccessibility-3.4.0-i486-1.tgz:  Upgraded to kdeaccessibility-3.4.0.
kde/kdeaddons-3.4.0-i486-1.tgz:  Upgraded to kdeaddons-3.4.0.
kde/kdeadmin-3.4.0-i486-1.tgz:  Upgraded to kdeadmin-3.4.0.
kde/kdeartwork-3.4.0-i486-1.tgz:  Upgraded to kdeartwork-3.4.0.
kde/kdebase-3.4.0-i486-1.tgz:  Upgraded to kdebase-3.4.0.
kde/kdebindings-3.4.0-i486-1.tgz:  Upgraded to kdebindings-3.4.0.
kde/kdeedu-3.4.0-i486-1.tgz:  Upgraded to kdeedu-3.4.0.
kde/kdegames-3.4.0-i486-1.tgz:  Upgraded to kdegames-3.4.0.
kde/kdegraphics-3.4.0-i486-1.tgz:  Upgraded to kdegraphics-3.4.0.
kde/kdelibs-3.4.0-i486-1.tgz:  Upgraded to kdelibs-3.4.0.
kde/kdemultimedia-3.4.0-i486-1.tgz:  Upgraded to kdemultimedia-3.4.0.
kde/kdenetwork-3.4.0-i486-1.tgz:  Upgraded to kdenetwork-3.4.0.
kde/kdepim-3.4.0-i486-1.tgz:  Upgraded to kdepim-3.4.0.
kde/kdesdk-3.4.0-i486-1.tgz:  Upgraded to kdesdk-3.4.0.
kde/kdetoys-3.4.0-i486-1.tgz:  Upgraded to kdetoys-3.4.0.
kde/kdeutils-3.4.0-i486-1.tgz:  Upgraded to kdeutils-3.4.0.
kde/kdevelop-3.2.0-i486-1.tgz:  Upgraded to kdevelop-3.2.0.
kde/kdewebdev-3.4.0-i486-1.tgz:  Upgraded to kdewebdev-3.4.0.
kde/koffice-1.3.5-i486-3.tgz:  Recompiled.
kde/qt-3.3.4-i486-1.tgz:  Upgraded to qt-3.3.4 (with -stl).
l/atk-1.9.1-i486-1.tgz:  Upgraded to atk-1.9.1.
l/arts-1.4.0-i486-1.tgz:  Upgraded to arts-1.4.0.
l/expat-1.95.8-i486-1.tgz:  Upgraded to expat-1.95.8.
 (thanks to Alak Trakru for updating the DESTDIR patch)
l/gtk+2-2.6.4-i486-1.tgz:  Upgraded to gtk+-2.6.4.
l/libart_lgpl-2.3.17-i486-1.tgz:  Upgraded to libart_lgpl-2.3.17.
l/libglade-2.4.2-i486-1.tgz:  Upgraded to libglade-2.4.2.
l/libgsf-1.11.1-i486-1.tgz:  Upgraded to libgsf-1.11.1.
l/libidl-0.8.5-i486-1.tgz:  Upgraded to libidl-0.8.5, moved from /gnome.
 (this is used by Mozilla)
l/libmikmod-3.1.11a-i486-1.tgz:  Upgraded to libmikmod-3.1.11a, moved from
 /gnome.  (this is used by XMMS)
l/libxml2-2.6.18-i486-1.tgz:  Upgraded to libxml2-2.6.18.
l/libxslt-1.1.13-i486-1.tgz:  Upgraded to libxslt-1.1.13.
l/orbit-0.5.17-i386-1.tgz:  Removed obsolete ORBit.
l/pango-1.8.1-i486-1.tgz:  Upgraded to pango-1.8.1.
l/shared-mime-info-0.16-i486-1.tgz:  Upgraded to shared-mime-info-0.16, moved
 from /gnome.
l/startup-notification-0.8-i486-1.tgz:  Upgraded to startup-notification-0.8.
n/nail-11.22-i486-1.tgz:  Upgraded to nail-11.22.
n/samba-3.0.13-i486-1.tgz:  Upgraded to samba-3.0.13.
xap/gaim-1.2.0-i486-1.tgz:  Upgraded to gaim-1.2.0 and gaim-encryption-2.36.
 (compiled against mozilla-1.7.6)
xap/gimp-2.2.4-i486-1.tgz:  Upgraded to gimp-2.2.4.
xap/jre-symlink-1.0.2-noarch-1.tgz:  Upgraded Java link for Firefox 1.0.2.
xap/mozilla-1.7.6-i486-1.tgz:  Replaced Mozilla, upgraded to 1.7.6.
 While I got surprisingly few negative comments about Mozilla's previous
 removal from -current, I have decided to put it back.  Why?  Well, it is a good
 piece of software with a long and respected history.  So, why then, would I
 have removed it before?  Did I lose my mind?  ;-)  My answer at the time was
 that once the Mozilla Foundation indicated that the primary future direction
 would be with Firefox and Thunderbird, and that active development on the
 traditional Mozilla suite would end, then the writing was already on the
 wall.  Slackware does not aim to be a Home for Orphaned Software, and if
 upstream ceases to support something, then I'll usually follow that lead in
 fairly short order.  However, Mozilla is being restored for now since I know
 it has a strong following, but also because it provides some features (like
 the composer) that FF/TB do not, and because the libraries are used in GAIM
 to provide support for MSN.  I am aware that GNUTLS can also be used for this
 purpose, but after looking that (and its dependencies) over, I'd prefer to
 not see that enter Slackware at this time.  OpenSSL could also be used for
 this support in GAIM, but unfortunately there is an incompatibility between
 GAIM's GPL license and OpenSSL's BSD-with-advertising-clause license.  This
 resulting snafu reminds me of a short article by Grigor Gatchev that I
 recently read on NewsForge, called "Metalicensing".  It's still online, and
 I'd suggest it (and the author's site) for a little additional reading on
 the topic of free license incompatibilities, and how we might avoid
 unintentionally setting these kinds of traps for ourselves.  I look forward
 to a world with the least possible restrictions on software development, and
 I think that step one is to be on guard against accidentally tying our own
 hands behind our backs.  Having a redundant (but differently free) version
 of every component and needing them _all_ to create a complete system does
 not strike me as the optimal solution.
   /* end "pseudo blog"  :-)  I hope I didn't offend anybody affiliated with
   any of these fine projects, as that is definitely not my intent... */
 Back to the topic of _this package_, this Mozilla release fixes more than a
 dozen security issues (many of which are probably minor and unlikely to
 occur in real life, but you be the judge.)
 Please see mozilla.org for a complete list.
 (* Security fix *)
xap/mozilla-firefox-1.0.2-i686-1.tgz:  Upgraded to firefox-1.0.2.
 Fixes a GIF heap overflow and some other security issues.
 Please see mozilla.org for a complete list.
 (* Security fix *)
xap/mozilla-thunderbird-1.0.2-i686-1.tgz:  Upgraded to thunderbird-1.0.2.
 Fixes a GIF heap overflow and some other security issues.
 Please see mozilla.org for a complete list.
 (* Security fix *)
xap/xfce-4.2.1.1-i486-1.tgz:  Upgraded to xfce-4.2.1.1.
xap/xscreensaver-4.21-i486-1.tgz:  Upgraded to xscreensaver-4.21.
extra/k3b/k3b-0.11.23-i486-1.tgz:  Upgraded to k3b-0.11.23.
extra/parted/parted-1.6.22-i486-1.tgz:  Upgraded to parted-1.6.22.
testing/packages/gnupg-1.4.1-i486-1.tgz:  Upgraded to gnupg-1.4.1.
+--------------------------+
Wed Mar  9 21:15:23 PST 2005
a/udev-054-i486-3.tgz:  Fixed make_extra_nodes.sh to not require expr, which is
 under /usr and might not be available.  (thanks to Daniel de Kok)
n/nmap-3.81-i486-1.tgz:  Upgraded to nmap-3.81.
n/openssh-4.0p1-i486-1.tgz:  Upgraded to OpenSSH 4.0p1.
n/samba-3.0.11-i486-1.tgz:  Upgraded to samba-3.0.11.
extra/bittornado/bittornado-0.3.10-noarch-1.tgz:  Upgraded to BitTornado-0.3.10.
extra/bittorrent/bittorrent-4.0.0-noarch-1.tgz:  Upgraded to BitTorrent-4.0.0.
+--------------------------+
Tue Mar  8 14:23:58 PST 2005
xap/mozilla-firefox-1.0.1-i686-2.tgz:  Fixed default mailto: pref to use
 Thunderbird.  (thanks to Steven E. Woolard)
xap/mozilla-thunderbird-1.0-i686-2.tgz:  Fixed default URL handler to use
 Firefox for https:// as well as http://.  (thanks to Steven E. Woolard)
 Fixed background transparency of icon used by the thunderbird.desktop
 file.  (thanks to Jason Edson)
+--------------------------+
Mon Mar  7 22:16:12 PST 2005
a/udev-054-i486-2.tgz:  Removed udev.permissions file and merged the
 permissions configuration into the udev.rules file.  Also, added support
 for numbering multiple cdrom and dvd devices at boot time (thanks to
 Michal Kosmulski for sending in the starting diff).  Let me know if any
 permissions bugs remain...  sorry about that last batch 'o bugs -- my
 fault for not reading the instructions carefully.
xap/jre-symlink-1.0.1-noarch-1.tgz:  Adds a symlink to the Java(TM) plugin.
xap/mozilla-firefox-1.0.1-i686-1.tgz:  Added Mozilla Firefox (from the
 official binary distribution.)  Thanks to the Mozilla Foundation!  :-)
xap/mozilla-thunderbird-1.0-i686-1.tgz:  Added Mozilla Thunderbird (also
 from the official binary distribution.)
xap/mozilla-1.7.5-i486-1.tgz:  Removed.
xap/mozilla-plugins-1.7.5-noarch-2.tgz:  Removed.
xap/netscape-7.2-i686-1.tgz:  Removed.
testing/packages/linux-2.6.11/alsa-driver-1.0.8_2.6.11-i486-1.tgz:
 Upgraded to ALSA 1.0.8 for Linux 2.6.11.
testing/packages/linux-2.6.11/kernel-generic-2.6.11-i486-1.tgz:
 Upgraded to Linux 2.6.11 generic x86 kernel.
testing/packages/linux-2.6.11/kernel-headers-2.6.11-i386-1.tgz:
 Upgraded to Linux 2.6.11 kernel headers.
testing/packages/linux-2.6.11/kernel-modules-2.6.11-i486-1.tgz:
 Upgraded to Linux 2.6.11 kernel modules.
testing/packages/linux-2.6.11/kernel-source-2.6.11-noarch-1.tgz:
 Upgraded to Linux 2.6.11 kernel source.
+--------------------------+
Mon Feb 28 20:56:58 PST 2005
a/udev-054-i486-1.tgz:  Upgraded to udev-054.
ap/espgs-8.15rc2-i486-1.tgz:  Upgraded to espgs-8.15rc2.
d/flex-2.5.4a-i486-3.tgz:  Replaced old "lex" script with a symlink.
 (Thanks to Mike Sullivan)
d/gcc-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
d/gcc-g++-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
d/gcc-g77-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
d/gcc-gnat-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
d/gcc-java-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
d/gcc-objc-3.3.5-i486-1.tgz:  Upgraded to gcc-3.3.5.
l/glib2-2.6.3-i486-1.tgz:  Upgraded to glib-2.6.3.
l/gtk+2-2.6.3-i486-1.tgz:  Upgraded to gtk+-2.6.3.
t/tetex-3.0-i486-1.tgz:  Upgraded to teTeX 3.0.
t/tetex-doc-3.0-noarch-1.tgz:  Upgraded to teTeX 3.0 documentation.
xap/gaim-1.1.4-i486-1.tgz:  Upgraded to gaim-1.1.4 and gaim-encryption-2.35.
+--------------------------+
Mon Feb 14 10:31:43 PST 2005
Upgraded to X11R6.8.2 (these new -current X11 packages will also work just fine
on Slackware 10.1 since no libraries have changed since the 10.1 release)
x/x11-6.8.2-i486-1.tgz:  Upgraded to X11R6.8.2.
x/x11-devel-6.8.2-i486-1.tgz:  Upgraded to X11R6.8.2.
x/x11-docs-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-docs-html-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-fonts-100dpi-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-fonts-cyrillic-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-fonts-misc-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-fonts-scale-6.8.2-noarch-1.tgz:  Upgraded to X11R6.8.2.
x/x11-xdmx-6.8.2-i486-1.tgz:  Upgraded to X11R6.8.2.
x/x11-xnest-6.8.2-i486-1.tgz:  Upgraded to X11R6.8.2.
x/x11-xvfb-6.8.2-i486-1.tgz:  Upgraded to X11R6.8.2.
+--------------------------+
Wed Feb  2 18:22:01 PST 2005

Released Slackware 10.1 stable.

 Thanks to everyone who helped out with this release, and especially to the
 folks at GUS-BR and SlackSec who helped (and continue to help) with handling
 security issues for the last few months, to Andreas Liebschner for keeping
 the website updated and running smoothly, to Theresa Elam for all her hard
 work running store.slackware.com, to the folks on alt.os.linux.slackware for
 pointing out bugs and offering suggestions, to the people on ##slackware
 that I met on IRC (and some again in later emails), to Justin, Kyle, and Dean
 from the Linux User Group of Rochester, MN who I got to hang out with while
 "vacationing" at the Mayo Clinic, to everyone who signed my online Christmas
 card (one of the nicest things I ever got), and to all the kind and patient
 members of the Slackware community.  I hope all of you will enjoy this new
 Slackware release.

Have fun!  :-)

Your Slackware Maintainer,

Pat

PS   I'm looking forward to working with all of you towards the next one, too.
PPS  Sorry if that was too much like an Academy Award speech.  I could almost
    hear that music shoving me off the stage.  ;-)