Sat Mar 29 14:16:19 PST 2003
patches/packages/sendmail.tgz: Patched sendmail 8.11.6 using the official
  security patches from sendmail (sendmail.8.11.6.security.cr.patch as used
  before, and prescan.8.11.6.patch to fix a new vulnerability). This update
  will also change the reported version string to "8.11.6p2".
  (* Security fix *)
patches/packages/smailcfg.tgz: Regenerated config files.
+--------------------------+
Tue Mar 4 14:22:38 PST 2003
patches/packages/sendmail.tgz: Patched sendmail 8.11.6 using the official
  security patch from sendmail (sendmail.8.11.6.security.cr.patch). Fixes a
  remote buffer overflow in header parsing by dropping sender and recipient
  header comments if the comments are too long. Problem noted by Mark Dowd
  of ISS X-Force.
  (* Security fix *)
patches/packages/smailcfg.tgz: Regenerated config files.
----------------------------
Wed Sep 18 13:26:52 PDT 2002
patches/packages/openssh.tgz: Recompiled against openssl-0.9.6e. This update
  fixes a problem where sshd fails to run that was introduced with the last
  openssl update.
----------------------------
Wed Jul 31 13:31:35 PDT 2002
patches/packages/openssl.tgz: Upgraded to openssl-0.9.6e, which fixes 4
  potentially remotely exploitable bugs. For details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
  (* Security fix *)
patches/packages/ossllibs.tgz: Upgraded to openssl-0.9.6e, which fixes 4
  potentially remotely exploitable bugs. For details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
  (* Security fix *)
----------------------------
Wed Jun 26 12:09:16 PDT 2002
patches/packages/openssh.tgz: Upgraded to openssh-3.4p1. This version enables
  privilege separation by default. The README.privsep file says this about
  it:

    Privilege separation, or privsep, is a method in OpenSSH by which
    operations that require root privilege are performed by a separate
    privileged monitor process. Its purpose is to prevent privilege
    escalation by containing corruption to an unprivileged process.
    More information is available at:
      http://www.citi.umich.edu/u/provos/ssh/privsep.html

  Note that ISS has released an advisory on OpenSSH (OpenSSH Remote
  Challenge Vulnerability). Slackware is not affected by this issue, as we
  have never included AUTH_BSD, S/KEY, or PAM. Unless at least one of these
  options is compiled into sshd, it is not vulnerable. Further note that
  none of these options are turned on in a default build from source code,
  so if you have built sshd yourself you should not be vulnerable unless
  you've enabled one of these options.

  Regardless, the security provided by privsep is unquestionably better.
  This time we (Slackware) were lucky, but next time we might not be.
  Therefore we recommend that all sites running the OpenSSH daemon (sshd,
  enabled by default in Slackware 8.0) upgrade to this new openssh package.
  After upgrading the package, restart the daemon like this:

    /etc/rc.d/rc.sshd restart

  We would like to thank Theo and the rest of the OpenSSH team for their
  quick handling of this issue, Niels Provos and Markus Friedl for
  implementing privsep, and Solar Designer for working out issues with
  privsep on 2.2 Linux kernels.
----------------------------
Wed Jun 19 19:48:30 PDT 2002
patches/packages/apache.tgz: Upgraded to apache-1.3.26. This fixes the issue
  described in:
    "CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability"
  (* Security fix *)
patches/packages/mod_ssl.tgz: Upgraded to mod_ssl-2.8.9_1.3.26.
----------------------------
Fri May 3 12:17:25 PDT 2002
patches/packages/nautilus.tgz: Patched to fix metadata security problems.
  Nautilus was patched and recompiled to fix a problem which would allow a
  malicious user to mount a symlink attack to overwrite another user's
  files. Thanks to Joe Testa and Rapid 7, Inc. for finding this problem, and
  to Havoc Pennington for sharing Red Hat's backport of the CVS fixes with
  us.
  (* Security fix *)
----------------------------
Thu Apr 25 12:00:50 PDT 2002
patches/packages/sudo.tgz: Upgraded to sudo-1.6.6. This version of sudo fixes
  a security problem whereby a local user may gain root access through
  corruption of the heap (Off-By-Five). This issue was discovered by Global
  InterSec LLC, and more information may be found on their web site:
    http://www.globalintersec.com/adv/sudo-2002041701.txt
  The discussion on the site indicates that this problem may only be
  exploitable on systems that use PAM, which Slackware does not use.
  However, in the absence of proof, it still seems prudent to upgrade sudo
  immediately.
  (* Security fix *)
----------------------------
Thu Mar 14 17:35:52 PST 2002
patches/packages/mod_php.tgz: Rebuilt using a --with-png-dir= flag to build in
  PNG support. (thanks to christian laubscher for noticing it was missing)
  Added standalone PHP binary.
----------------------------
Wed Mar 13 11:56:05 PST 2002
patches/packages/cvs.tgz: Fix dir perms: chmod 755 /usr/share/cvs/contrib/.
patches/packages/rsync.tgz: Upgraded to rsync-2.5.4 (fixes broken -z option).
----------------------------
Tue Mar 12 00:12:57 PST 2002
patches/packages/cvs.tgz: Gzipped the tmp diff so that it applies correctly.
  Thanks to George Georgakis for pointing out the mistake.
  (* Security fix *)
----------------------------
Mon Mar 11 17:54:12 PST 2002
patches/packages/cvs.tgz: Patched to link to the shared zlib on the system
  instead of statically linking to the included zlib source. Also, use
  mktemp to create files in /tmp more safely.
  (* Security fix *)
----------------------------
Mon Mar 11 15:09:26 PST 2002
patches/packages/rsync.tgz: Upgraded to rsync-2.5.3. This fixes two security
  problems:
    * Make sure that supplementary groups are removed from a server
      process after changing uid and gid. (Ethan Benson)
      (Debian bug #132272, CVE CAN-2002-0080)
    * Fix zlib double-free bug. (Owen Taylor, Mark J Cox)
      (CVE CAN-2002-0059)
  (* Security fix *)
----------------------------
Mon Mar 11 13:32:40 PST 2002
patches/packages/zlib.tgz: Upgraded to zlib-1.1.4. This fixes a security
  problem which may introduce vulnerabilities into any program that links
  with zlib. Quoting the advisory on zlib.org:

    "Depending upon how and where the zlib routines are called from the
    given program, the resulting vulnerability may have one or more of the
    following impacts: denial of service, information leakage, or execution
    of arbitrary code."

  Sites are urged to upgrade the zlib package immediately. The complete
  advisory may be found here:
    http://www.zlib.org/advisory-2002-03-11.txt
  (* Security fix *)
----------------------------
Thu Mar 7 12:00:18 PST 2002
patches/packages/openssh.tgz: Upgraded to openssh-3.1p1. This fixes a security
  problem in the openssh package. All sites running OpenSSH should upgrade
  immediately.

  All versions of OpenSSH between 2.0 and 3.0.2 contain an off-by-one error
  in the channel code. OpenSSH 3.1 and later are not affected. This bug can
  be exploited locally by an authenticated user logging into a vulnerable
  OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH
  client. This bug was discovered by Joost Pol.
  (* Security fix *)
----------------------------
Sat Mar 2 22:45:25 PST 2002
patches/packages/mod_php.tgz: Upgraded to PHP 4.1.2. This fixes several
  security problems in the POST handling code used for uploading files
  through forms. All sites using PHP are urged to upgrade as soon as
  possible. A workaround for securing systems running PHP 4.0.3 or above
  (which includes Slackware 8.0) is to add this directive to the php.ini:

    file_uploads = Off

  (* Security fix *)
----------------------------
Fri Jan 25 14:25:51 PST 2002
patches/packages/rsync.tgz: Fixed a security hole by upgrading to
  rsync-2.4.8pre1. This is the relevant information from the rsync NEWS
  file:

    SECURITY FIXES:
      * Signedness security patch from Sebastian Krahmer -- in some cases
        we were not sufficiently careful about reading integers from the
        network.

  (* Security fix *)
----------------------------
Mon Jan 21 13:21:07 PST 2002
patches/packages/at.tgz: Fixed a buffer overflow.
  (* Security fix *)
patches/packages/sudo.tgz: Upgraded to sudo-1.6.5p1. This fixes a
  vulnerability where the mail system could be exploited. So far, the only
  working examples of this problem require Postfix to be installed, but it's
  possible that exploits involving other mailers could emerge.
  (* Security fix *)
patches/packages/xchat.tgz: Upgraded to xchat-1.8.7. This fixes a problem
  where an attacker could execute IRC server commands as the user running
  xchat.
  (* Security fix *)
----------------------------
Sat Jan 12 13:05:33 PST 2002
patches/packages/pine.tgz: Fix a security problem with pine by upgrading to
  pine4.44. More details from the Pine Announcement List:

    This note is to announce the availability of the Pine Message System
    version 4.44. The purpose of this release is to fix a security bug with
    the treatment of quotes in the URL-handling code. The bug allows a
    malicious sender to embed commands in a URL. This bug is present in all
    versions of UNIX Pine.

  (* Security fix *)
patches/packages/imapd.tgz: This comes with Pine, so here's the new version of
  this as well. Just an upgrade, not a security fix.
----------------------------
Fri Jan 11 14:07:07 PST 2002
patches/packages/glibc.tgz, patches/packages/glibcso.tgz: Fixed a buffer
  overflow in the glob(3) function. This bug may be exploited through
  external services that might make use of it, like the port of OpenBSD's
  FTP server (not included in Slackware, but an example that's known to be
  affected). It's highly recommended that internet-connected machines or
  machines with local users who might try to exploit setuid root binaries be
  upgraded as soon as possible. Thanks to Flávio Veloso and Jakub Jelinek
  for finding this problem and working out a patch.
  (* Security fix *)
----------------------------
Mon Jan 7 12:43:31 PST 2002
patches/packages/mutt.tgz: Upgraded to mutt-1.2.5.1 to fix a security problem
  in the address handling code. Mutt users are urged to upgrade as soon as
  possible.
  (* Security fix *)
----------------------------
Sun Dec 9 14:31:52 PST 2001
patches/packages/wuftpd.tgz: This is a wu-ftpd-2.6.2 package to replace the
  one shipped in /pasture, which has a security hole. WU-FTPD is not
  installed on Slackware by default, and unless you have some specific
  reason to need WU-FTPD, we suggest using the default ProFTPD server.
  (* Security fix *)
----------------------------
Sun Aug 26 16:06:55 PDT 2001
An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus. This problem can be exploited by local users to gain root
access. It is not exploitable by remote attackers without shell access. It
is recommended that all multiuser sites running sendmail upgrade to these
new packages:

packages/procmail.tgz: Upgraded to procmail-3.21. The ChangeLog mentions these
  problems, but it's not known how serious they really are:
    - SECURITY: don't do unsafe things from signal handlers:
      - ignore TRAP when terminating because of a signal
      - resolve the host and protocol of COMSAT when it is set
      - save the absolute path form of $LASTFOLDER for the comsat
        message when it is set
      - only use the log buffer if it's safe
packages/sendmail.tgz: Upgraded to sendmail.8.11.6. Removed setup for MAPS,
  since it's no longer a free service.
packages/smailcfg.tgz: Upgraded to sendmail.8.11.6 config files.

Detailed information about this security problem may be found here:
  http://www.securityfocus.com/bid/3163
(* Security fix *)
----------------------------
Thu Aug 9 13:29:49 PDT 2001
An advisory from zen-parse on BugTraq today describes a hole in the
netkit-0.17 telnetd daemon which is used in Slackware. All sites running
telnet service are advised to upgrade using one of these updated packages as
soon as possible.

packages/tcpip1.tgz: New version of the tcpip1 package containing a fixed
  /usr/sbin/in.telnetd.
patches/telnetd.tgz: A patch-package containing just the fixed in.telnetd
  binary (for faster download).
(* Security fix *)