Wed Jun 26 12:26:20 PDT 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.4p1.
 This version enables privilege separation by default.  The README.privsep file
 says this about it:

    Privilege separation, or privsep, is a method in OpenSSH by which operations
    that require root privilege are performed by a separate privileged monitor
    process.  Its purpose is to prevent privilege escalation by containing
    corruption to an unprivileged process.  More information is available at:
      http://www.citi.umich.edu/u/provos/ssh/privsep.html

 Note that ISS has released an advisory on OpenSSH (OpenSSH Remote Challenge
 Vulnerability).  Slackware is not affected by this issue, as we have never
 included AUTH_BSD, S/KEY, or PAM.  Unless at least one of these options is
 compiled into sshd, it is not vulnerable.  Further note that none of these
 options are turned on in a default build from source code, so if you have
 built sshd yourself you should not be vulnerable unless you've enabled one
 of these options.

 Regardless, the security provided by privsep is unquestionably better.
 This time we (Slackware) were lucky, but next time we might not be.
 Therefore we recommend that all sites running the OpenSSH daemon upgrade to
 this new openssh package.  After upgrading the package, restart the daemon
 like this:

 /etc/rc.d/rc.sshd restart

 We would like to thank Theo and the rest of the OpenSSH team for
 their quick handling of this issue, Niels Provos and Markus Friedl for
 implementing privsep, and Solar Designer for working out issues with
 privsep on 2.2 Linux kernels.
----------------------------
Sat Jun 22 12:16:12 PDT 2002
libsafe.tgz:  Added libsafe, a library that intercepts and prevents buffer
 overflow attacks such as the Apache chunking issue.  If you are
 continuing to run a Slackware 7.1 machine that is exposed to the
 Internet, you would be well advised to install this.
------------------------------
Thu Apr 25 12:00:50 PDT 2002
patches/packages/sudo.tgz:  Upgraded to sudo-1.6.6.
 This version of sudo fixes a security problem whereby a local user may gain
 root access through corruption of the heap (Off-By-Five).
 This issue was discovered by Global InterSec LLC, and more information may
 be found on their web site:
 http://www.globalintersec.com/adv/sudo-2002041701.txt
 The discussion on the site indicates that this problem may only be exploitable
 on systems that use PAM, which Slackware does not use.  However, in the
 absence of proof, it still seems prudent to upgrade sudo immediately.
 (* Security fix *)
----------------------------
Wed Mar 13 11:56:05 PST 2002
patches/packages/cvs.tgz:  Fix dir perms: chmod 755 /usr/share/cvs/contrib/.
patches/packages/rsync.tgz:  Upgraded to rsync-2.5.4 (fixes broken -z option).
----------------------------
Tue Mar 12 00:12:57 PST 2002
patches/packages/cvs.tgz:  Gzipped the tmp diff so that it applies correctly.
 Thanks to George Georgakis for pointing out the mistake.
 (* Security fix *)
----------------------------
Mon Mar 11 18:05:52 PST 2002
patches/packages/cvs.tgz:  Patched to link to the shared zlib on the system
 instead of statically linking to the included zlib source.  Also, use mktemp
 to create files in /tmp more safely.
 (* Security fix *)
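
The difference between a predictable temp file name and one created by mktemp, as an added example (not part of the original changelog or of the cvs patch). The function names, the file name job.tmp and all paths are constructed, and everything runs inside a private scratch directory rather than the real /tmp:

```shell
#!/bin/sh
# Added example: fixed temp file name vs. mktemp, run in a private sandbox.

# Unsafe pattern: a fixed, guessable name. The shell's ">" follows symlinks,
# so whatever already exists at that name decides where the data lands.
write_unsafe() {    # $1 = temp dir, $2 = data
    printf '%s\n' "$2" > "$1/job.tmp"
}

# Safer pattern: mktemp chooses an unpredictable name and creates the file
# exclusively, failing instead of reusing a path that already exists.
write_safe() {      # $1 = temp dir, $2 = data; prints the file it created
    f=$(mktemp "$1/job.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

# Simulates a shared temp dir in which a symlink already sits at the
# predictable name, then reports whether the file it points to survived
# each pattern. Prints "<unsafe result> <safe result>".
demo_tmpfile() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    result=""
    for mode in unsafe safe; do
        echo "important" > "$box/protected"
        rm -f "$box/tmp/job.tmp"
        ln -s "$box/protected" "$box/tmp/job.tmp"   # constructed scenario
        if [ "$mode" = unsafe ]; then
            write_unsafe "$box/tmp" "scratch data"
        else
            write_safe "$box/tmp" "scratch data" > /dev/null
        fi
        if [ "$(cat "$box/protected")" = "important" ]; then
            result="$result intact"
        else
            result="$result clobbered"
        fi
    done
    rm -rf "$box"
    echo "${result# }"
}

demo_tmpfile
```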
----------------------------
Mon Mar 11 15:09:26 PST 2002
patches/packages/rsync.tgz:  Upgraded to rsync-2.5.3.  This fixes two security
 problems:

 * Make sure that supplementary groups are removed from a server
   process after changing uid and gid. (Ethan Benson) (Debian bug
   #132272, CVE CAN-2002-0080)

 * Fix zlib double-free bug.  (Owen Taylor, Mark J Cox) (CVE CAN-2002-0059)

(* Security fix *)
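
One way to check a running server process for the first problem above, as an added example (not code from rsync or from this changelog). It reads the Gid: and Groups: lines of a Linux /proc/<pid>/status file; the function names and both sample status files are constructed:

```shell
#!/bin/sh
# Added example: list supplementary groups a process still holds beyond its
# own real/effective/saved/fs gids, from a /proc/<pid>/status file.
leftover_groups() {    # $1 = status file, e.g. /proc/1234/status
    awk '
        $1 == "Gid:"    { for (i = 2; i <= NF; i++) own[$i] = 1 }
        $1 == "Groups:" {
            for (i = 2; i <= NF; i++)
                if (!($i in own))
                    out = out (out == "" ? "" : " ") $i
        }
        END { print out }
    ' "$1"
}

# Runs the check over two constructed samples and prints both results.
demo_groups() {
    d=$(mktemp -d) || return 1
    # Constructed: process changed uid/gid to 65534 but kept its old group list.
    printf 'Name:\tdaemon\nUid:\t65534\t65534\t65534\t65534\n' > "$d/before"
    printf 'Gid:\t65534\t65534\t65534\t65534\n' >> "$d/before"
    printf 'Groups:\t0 1 2 3 4 6 10 \n' >> "$d/before"
    # Constructed: same process after the supplementary groups were removed.
    printf 'Name:\tdaemon\nUid:\t65534\t65534\t65534\t65534\n' > "$d/after"
    printf 'Gid:\t65534\t65534\t65534\t65534\n' >> "$d/after"
    printf 'Groups:\t65534 \n' >> "$d/after"
    before=$(leftover_groups "$d/before")
    after=$(leftover_groups "$d/after")
    rm -rf "$d"
    echo "before=[$before] after=[$after]"
}

demo_groups
```

An empty result means the process holds no group memberships other than its own gid.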
----------------------------
Mon Mar 11 13:38:37 PST 2002
patches/packages/zlib.tgz:  Upgraded to zlib-1.1.4.  This fixes a security
 problem which may introduce vulnerabilities into any program that links with
 zlib.  Quoting the advisory on zlib.org:

 "Depending upon how and where the zlib routines are called from the given
  program, the resulting vulnerability may have one or more of the following
  impacts: denial of service, information leakage, or execution of arbitrary
  code."

Sites are urged to upgrade the zlib package immediately.

The complete advisory may be found here:
  http://www.zlib.org/advisory-2002-03-11.txt

(* Security fix *)
----------------------------
Mon Mar 11 10:57:50 PST 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.1p1.  When preparing the
 update on Saturday evening, I neglected to copy the new openssh.tgz package
 out of the source directory and into the packages directory.  If you
 downloaded it since then, check to see if you have a /usr/doc/openssh-3.1p1/
 directory -- if not, you'll need to grab the new package and install it.
 Sorry about that...
----------------------------
Sat Mar  9 19:38:19 PST 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.1p1.

 This fixes a security problem in the openssh package.  All sites running
 OpenSSH should upgrade immediately.

 All versions of OpenSSH between 2.0 and 3.0.2 contain an off-by-one error
 in the channel code.  OpenSSH 3.1 and later are not affected.  This bug can
 be exploited locally by an authenticated user logging into a vulnerable
 OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH
 client.  This bug was discovered by Joost Pol.

(* Security fix *)
----------------------------
Fri Jan 25 14:25:51 PST 2002
patches/packages/rsync.tgz:  Fixed a security hole by upgrading to
 rsync-2.4.8pre1.  This is the relevant information from the rsync NEWS file:

 SECURITY FIXES:

   * Signedness security patch from Sebastian Krahmer -- in some cases
     we were not sufficiently careful about reading integers from the
     network.

(* Security fix *)
----------------------------
Tue Jan 15 15:04:14 PST 2002
packages/glibc.tgz, glibcso.tgz:  Patched glibc-2.1.3.
 Fixed a buffer overflow in the glob(3) function.  This bug may be
 exploited through external services that might make use of it, like the
 port of OpenBSD's FTP server (not included in Slackware, but an example
 that's known to be affected).  It's highly recommended that internet-
 connected machines or machines with local users who might try to exploit
 setuid root binaries be upgraded as soon as possible.
 Added glibc-crypt-2.1.
(* Security fix *)
packages/openssh.tgz:  Added openssh-3.0.2p1.
packages/openssl.tgz:  Added openssl-0.9.6c.
packages/ossllibs.tgz:  Added openssl-0.9.6c shared libraries.
----------------------------
Sun Dec  9 13:21:41 PST 2001
packages/wuftpd.tgz:  This package overwrites the wu-ftpd-2.6.1 installed
 by Slackware 7.1 (which has a nasty security hole), with wu-ftpd-2.6.2,
 recently released to fix the problem.  But for how long?
 Don't install this package -- install the one below.
packages/proftpd.tgz:  This is proftpd-1.2.4.  Slackware switched to
 proftpd because of repeated security problems with wu-ftpd.  You can too. :)
(* Security fix *)
----------------------------
Sun Aug 26 16:06:55 PDT 2001
An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus.  This problem can be exploited by local users to gain root
access.  It is not exploitable by remote attackers without shell access.

It is recommended that all multiuser sites running sendmail upgrade to these
new packages:

packages/procmail.tgz:  Upgraded to procmail-3.21.  The ChangeLog mentions
  these problems, but it's not known how serious they really are:
              - SECURITY: don't do unsafe things from signal handlers:
                 - ignore TRAP when terminating because of a signal
                 - resolve the host and protocol of COMSAT when it is set
                 - save the absolute path form of $LASTFOLDER for the comsat
                   message when it is set
                 - only use the log buffer if it's safe
packages/sendmail.tgz:  Upgraded to sendmail.8.11.6.  Removed setup for MAPS,
  since it's no longer a free service.
packages/smailcfg.tgz:  Upgraded to sendmail.8.11.6 config files.

Detailed information about this security problem may be found here:
  http://www.securityfocus.com/bid/3163
(* Security fix *)
----------------------------
Thu Aug  9 20:56:55 PDT 2001
An advisory from zen-parse on BugTraq today describes a hole in the netkit-0.17
telnetd daemon which is used in Slackware.  All sites running telnet service are
advised to upgrade using one of these updated packages as soon as possible.
packages/tcpip1.tgz:  New version of the tcpip1 package containing a
  fixed /usr/sbin/in.telnetd.
packages/telnetd.tgz:  A patch-package containing just the fixed
  in.telnetd binary (for faster download).
(* Security fix *)
----------------------------
Wed May 16 12:36:56 PDT 2001
packages/samba.tgz:  Upgraded to samba-2.0.9.  This is a bug fix
  release that fixes the security problem that samba-2.0.8 meant
  to address.
----------------------------
Mon Apr 23 23:39:07 PDT 2001
packages/samba.tgz:  Upgraded to samba-2.0.8.  Earlier versions have
  a temp file handling problem that could allow a local attacker to
  write to arbitrary devices, possibly destroying data.
----------------------------
Sun Apr  8 12:37:44 PDT 2001
packages/xntp.tgz:  Patched xntp3-5.93e against recently reported buffer
  overflow problem.  All sites running xntp from Slackware 7.1 should
  either upgrade to this package or ensure that their /etc/ntp.conf does
  not allow connections from untrusted hosts.  To deny people access to
  your time daemon (not a bad idea anyway if you're only running ntp to
  keep your own clock updated) use this in /etc/ntp.conf:

#  Don't serve time or stats to anyone else
restrict default ignore

----------------------------
Sat Mar 10 19:58:47 PST 2001
packages/gmc.tgz, mc.tgz:  Upgraded to mc-4.5.51, patched to prevent
  input validation error on directory names.  More information can be found
  here:  http://www.securityfocus.com/vdb/?id=2016
  Security Focus states, "Currently the SecurityFocus staff are not aware
  of any exploits for this issue."
----------------------------
Mon Feb 26 22:30:38 PST 2001
packages/imapd.tgz:  Upgraded to IMAP4rev1 2000.287 from pine4.33.
  A remote exploit exists for the previously included version
  of imapd, so all sites running imapd are urged to upgrade
  to the new version immediately.
packages/pine.tgz:  Upgraded to pine4.33.
----------------------------
Sat Feb 24 23:05:03 PST 2001
packages/sudo.tgz:  Upgraded to sudo-1.6.3p6.
----------------------------
Sun Jan 28 17:43:29 PST 2001
packages/bind.tgz:  Upgraded to bind-8.2.3.
----------------------------
Mon Nov 20 22:59:00 PST 2000
packages/ncurses.tgz:  Upgraded to ncurses-5.2.
----------------------------
Fri Nov 10 20:24:04 PST 2000
packages/bind.tgz:  Upgraded to bind-8.2.2-P7.
  A bug in code intended to provide support for the transfer of compressed
  zone files can crash the name server, resulting in denial of service.
  More BIND security information can be found at:
  http://www.isc.org/products/BIND/bind8.html
----------------------------
Wed Nov  1 12:35:58 PST 2000
packages/imapd.tgz:  Upgraded to IMAP4rev1 2000.283 from pine-4.30.
packages/pine.tgz:  Upgraded to pine-4.30.
  Pine (versions 4.21 and before) contains a buffer overflow vulnerability
  which allows a remote user to execute arbitrary code on the local client
  by sending a specially crafted email message.  The overflow occurs
  during the periodic "new mail" checking of an open folder.
----------------------------
Mon Oct 23 14:09:22 PDT 2000
packages/xlock.tgz:  Upgraded to xlockmore-4.17.2.
  By providing a carefully crafted display variable to xlock, it is
  possible for a local attacker to gain root access.  Anyone running
  xlock on a public machine should upgrade to this version of xlock
  (or disable xlock) immediately.
----------------------------
Fri Oct 20 18:55:01 PDT 2000
packages/ppp.tgz:  Fixed stupid /tmp bug in ppp-off.  This could allow a
  local user to corrupt system files.
----------------------------
Sat Oct 14 20:03:51 PDT 2000
packages/apache.tgz:  Upgraded to apache_1.3.14.
  It is recommended that sites using Apache upgrade to this
  version of the apache package as soon as possible.
  The following security problems are fixed with this version
  of Apache (from the Apache announcement):
    * A problem with the Rewrite module, mod_rewrite, allowed
      access to any file on the web server under certain
      circumstances
    * The handling of Host: headers in mass virtual hosting
      configurations, mod_vhost_alias, could allow access to
      any file on the server
    * If a cgi-bin directory is under the document root, the
      source to the scripts inside it could be sent if using
      mass virtual hosting
----------------------------
Thu Sep 28 19:45:07 PDT 2000
packages/tcpip1.tgz:  Upgraded to wu-ftpd-2.6.1.
  This fixes a possible format string hole reported on BugTraq.
----------------------------
Mon Sep 18 11:13:56 PDT 2000
packages/sysklogd.tgz:  Upgraded to sysklogd-1.4.  This fixes the
  "klogd format bug" announced this morning on BugTraq.
----------------------------
Tue Sep 12 20:12:08 PDT 2000
packages/xchat.tgz:  Upgraded to xchat-1.5.7.
    This fixes the "X-Chat Command Execution Via URLs Vulnerability"
    described on BugTraq.
    A console version of X-Chat (xchat-text) has also been added to
    this updated package.
----------------------------
Mon Sep  4 22:48:59 PDT 2000
This update fixes the three known locale-related vulnerabilities in glibc-2.1.3
recently reported on BugTraq that allow local users to gain root access.  Thanks
to Solar Designer for putting together a set of patches from the current glibc
CVS version.
packages/glibcso.tgz:  Recompiled with security patch for glibc-2.1.3.
packages/glibc.tgz:  Recompiled with security patch for glibc-2.1.3.
packages/descrypt.tgz:  Recompiled with security patch for glibc-2.1.3.
    Note that if you don't reinstall this package after installing glibcso.tgz
    and/or glibc.tgz, the C library will be limited to using MD5 crypt().
----------------------------
Sat Sep  2 01:26:24 PDT 2000
packages/perl.tgz:  Patched suidperl to report hack attempts through syslog,
  not /bin/mail.  This patch closes a security hole through which local
  users can gain root access using /usr/bin/suidperl5.6.0.