Wed Oct 3 10:30:08 CEST 2007
patches/packages/pidgin-2.2.1-x86_64-1_sflack12.0.tgz:
Upgraded to pidgin-2.2.1.
This fixes a crash that can be triggered remotely on MSN in 2.2.0.
For more information, see:
http://www.pidgin.im/news/security/?id=23
(* Security fix *)
+--------------------------+
Fri Sep 28 09:23:30 CEST 2007
patches/packages/autofs-3.1.7-x86_64-2.tgz
Patched for some shared libraries missing /usr/lib/autofs/*.so.
Thanks to Daisuke Nishikawa for suggesting this problem.
+--------------------------+
Sat Sep 22 11:47:25 CEST 2007
patches/packages/kdebase-3.5.7-x86_64-3_sflack12.0.tgz:
Patched Konqueror to prevent "spoofing" the URL
(i.e. displaying a URL other than the one associated with the page displayed)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
Patched KDM issue: "KDM can be tricked into performing a password-less
login even for accounts with a password set under certain circumstances,
namely autologin to be configured and "shutdown with password" enabled."
For more information, see:
http://www.kde.org/info/security/advisory-20070919-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
(* Security fix *)
patches/packages/kdelibs-3.5.7-x86_64-3_sflack12.0.tgz:
Patched Konqueror's supporting libraries to prevent addressbar spoofing.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
(* Security fix *)
+--------------------------+
Thu Sep 13 12:22:20 CEST 2007
patches/packages/openssh-4.7p1-x86_64-1_sflack12.0.tgz:
Upgraded to openssh-4.7p1.
From the OpenSSH release notes:
"Security bugs resolved in this release: Prevent ssh(1) from using a
trusted X11 cookie if creation of an untrusted cookie fails; found and
fixed by Jan Pechanec."
While it's fair to say that we here at Sflack don't see how this could
be leveraged to compromise a system, a) the OpenSSH people (who presumably
understand the code better) characterize this as a security bug, b) it has
been assigned a CVE entry, and c) OpenSSH is one of the most commonly used
network daemons. Better safe than sorry.
More information should appear here eventually:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
(* Security fix *)
patches/packages/php-5.2.4-x86_64-1_sflack12.0.tgz:
Upgraded to php-5.2.4. The PHP announcement says this version fixes over
120 bugs as well as "several low priority security bugs."
Read more about it here:
http://www.php.net/releases/5_2_4.php
(* Security fix *)
patches/packages/samba-3.0.26a-x86_64-1_sflack12.0.tgz:
Upgraded to samba-3.0.26a.
This fixes a security issue in all Samba 3.0.25 versions:
"Incorrect primary group assignment for domain users using the rfc2307
or sfu winbind nss info plugin."
For more information, see:
http://www.samba.org/samba/security/CVE-2007-4138.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4138
(* Security fix *)
+--------------------------+
Sun Sep 2 10:51:33 CEST 2007
extra/jdk-6/jdk-6u2-x86_64-2.tgz: Fixed a bug in the improvement to the
/etc/profile.d/ scripts where it would mess up the $MANPATH. Sorry
about that, folks. The JRE package was not affected.
+--------------------------+
Sat Sep 1 11:00:55 CEST 2007
patches/packages/jre-6u2-x86_64-1.tgz:
Upgraded to Java(TM) 2 Platform Standard Edition Runtime Environment
Version 6.0 update 2.
This update addresses code errors which could possibly be leveraged to
compromise system security, though we know of no existing exploits.
This update consists of the official Java(TM) sources build and
repackaged in Sflack's package format, and may be used on any version
of Sflack that is based on glibc.
For more information, see:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1
(* Security fix *)
An additional change was made to the script that Sflack uses to
set environment variables for Java(TM). Now, after the $JAVA_HOME
variable is set, the next variable settings make use of it, rather
than hard-coding the path to $JAVA_HOME. This does not fix a bug,
but is certainly better scripting style. Thanks to Jason Byrne and
Jean-Christophe Fargette for suggesting this change.
extra/jdk-6/jdk-6u2-x86_64-1.tgz: Upgraded to Java(TM) 2 Platform
Standard Edition Development Kit Version 6.0 update 2.
This update addresses code errors which could possibly be leveraged to
compromise system security, though we know of no existing exploits.
This update consists of the official Java(TM) sources build and
repackaged in Sflack's package format, and may be used on any version
of Sflack that is based on glibc.
For more information, see:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1
(* Security fix *)
An additional change was made to the script that Sflack uses to
set environment variables for Java(TM). Now, after the $JAVA_HOME
variable is set, the next variable settings make use of it, rather
than hard-coding the path to $JAVA_HOME. This does not fix a bug,
but is certainly better scripting style. Thanks to Jason Byrne and
Jean-Christophe Fargette for suggesting this change.
+--------------------------+
Mon Aug 27 14:12:37 CEST 2007
patches/packages/tcpdump-3.9.7-x86_64-1_sflack12.0.tgz:
Upgraded to libpcap-0.9.7, tcpdump-3.9.7.
This new version fixes an integer overflow in the BGP dissector which
could possibly allow remote attackers to crash tcpdump or to execute
arbitrary code.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
(* Security fix *)
+--------------------------+
Sat Aug 11 12:20:26 CEST 2007
patches/packages/gimp-2.2.17-x86_64-1_sflack12.0.tgz:
Upgraded to gimp-2.2.17, which fixes buffer overflows when decoding
certain image types.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2949
(* Security fix *)
patches/packages/poppler-0.5.4-x86_64-2_sflack12.0.tgz:
Patched to fix an integer overflow in code borrowed from xpdf.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
(* Security fix *)
patches/packages/qt-3.3.8-x86_64-5_sflack12.0.tgz:
Patched to fix several format string bugs.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
(* Security fix *)
patches/packages/seamonkey-1.1.4-x86_64-1_sflack12.tgz:
Upgraded to seamonkey-1.1.4.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey
(* Security fix *)
patches/packages/xpdf-3.02pl1-x86_64-1_sflack12.0.tgz:
Upgraded to xpdf-3.02pl1. This fixes an integer overflow that could possibly
be leveraged to run arbitrary code if a malicious PDF file is processed.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
(* Security fix *)
+--------------------------+
Sat Aug 4 12:03:51 CEST 2007
patches/packages/mozilla-thunderbird-2.0.0.6-x86_64-1.tgz:
Upgraded to thunderbird-2.0.0.6.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
(* Security fix *)
+--------------------------+
Thu Aug 2 11:04:23 CEST 2007
patches/packages/mozilla-firefox-2.0.0.6-x86_64-1.tgz:
Upgraded to firefox-2.0.0.6.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
(* Security fix *)
+--------------------------+
Fri Jul 27 08:24:24 CEST 2007
patches/packages/bind-9.4.1_P1-x86_64-1_sflack12.0.tgz:
Upgraded to bind-9.4.1_P1 to fix security issues.
The default access control lists allow remote attackers to make recursive
queries in BIND9 versions 9.4.0 through 9.4.1.
The query IDs in BIND9 prior to BIND 9.4.1-P1 are cryptographically weak.
For more information on these issues, see:
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
(* Security fix *)
+--------------------------+
Wed Jul 25 16:28:42 CEST 2007
patches/packages/mozilla-thunderbird-2.0.0.5-x86_64-1.tgz:
Upgraded to thunderbird-2.0.0.5. Since Thunderbird shares the browser engine
with Firefox it is susceptible to similar vulnerabilities. This update fixes
the same issues fixed in the recent Firefox patch.
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
(* Security fix *)
patches/packages/seamonkey-1.1.3-x86_64-1_sflack12.tgz:
Upgraded to seamonkey-1.1.3. This is presumably a security update, but the
details on the net have been sparse. So far nothing has appeared at the
usual URL, but I would treat this as a security update unless it is announced
as otherwise.
For more information (if/when it appears), see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey
(* Security fix *)
+--------------------------+
Tue Jul 24 09:05:41 CEST 2007
patches/packages/mkinitrd-1.1.3-x86_64-1.tgz: Fixed a minor bug in mkinitrd
where devices such as /dev/cciss/c0d0p2 (DL360 RAID) were not properly copied
to the initramfs. "Normal" (two level) boot devices such as /dev/sda1 were
not affected by this bug, so most people won't run into it (which is probably
why it wasn't spotted in development here).
Thanks to Eric Hameleers for the patch.
patches/packages/mozilla-firefox-2.0.0.5-x86_64-1.tgz:
Upgraded to firefox-2.0.0.5.
This upgrade fixes a couple of minor security bugs. Nobody here is launching
Firefox from Internet Explorer, right? :-)
For more information, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
(* Security fix *)
patches/packages/xf86-video-intel-2.1.0-x86_64-1.tgz: Added additional chipsets.
patches/packages/xf86-video-nv-2.1.2-x86_64-1.tgz: Added additional chipsets.
+--------------------------+
Tue Jul 3 00:12:19 CEST 2007
Released as Sflack 12.0 with no changes since the last batch.
I hope it shows in project output that you'll enjoy.
Thanks for Slackware Linux to Patrick J. Volkerding. Without Slackware,
Sflack would not exist.
For more detailed information about what all has changed since Sflack
11.0, start with CHANGES_AND_HINTS.TXT, and maybe read my RELEASE_NOTES.
Have fun!
Vin
