-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  slackware-current security updates (SSA:2005-251-03)

This advisory summarizes recent security fixes in Slackware -current.

Usually security advisories are not issued on problems that exist only
within the test version of Slackware (slackware-current), but since it's
so close to being released as Slackware 10.2, and since there have been
several -cuurent-only issues recently, it has been decided that it would
be a good idea to release a summary of all of the security fixes in
Slackware -current for the last 2 weeks.  Some of these are -current only,
and some affect other versions of Slackware (and advisories for these
have already been issued).


Here are the details from the Slackware -current ChangeLog:
+--------------------------+
ap/groff-1.19.1-i486-3.tgz:  Fixed a /tmp bug in groffer.  Groffer is a
  script to display formatted output on the console or X, and is not normally
  used in other scripts (for printers, etc) like most groff components are.
  The risk from this bug is probably quite low.  The fix was pulled from the
  just-released groff-1.19.2.  With Slackware 10.2 just around the corner it
  didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2
  is over a megabyte compressed.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969
  (* Security fix *)

kde/kdebase-3.4.2-i486-2.tgz:  Patched a bug in Konqueror's handling of
  characters such as '*', '[', and '?'.
  Generated new kdm config files.
  Added /opt/kde/man to $MANPATH.
  Patched a security bug in kcheckpass that could allow a local user to
  gain root privileges.
  For more information, see:
    https://kde.org/info/security/advisory-20050905-1.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494
  (* Security fix *)

n/mod_ssl-2.8.24_1.3.33-i486-1.tgz:  Upgraded to mod_ssl-2.8.24-1.3.33.
  From the CHANGES file:
    Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was
    not enforced in per-location context if "SSLVerifyClient optional" was
    configured in the global virtual host configuration.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
  (* Security fix *)

n/openssh-4.2p1-i486-1.tgz:  Upgraded to openssh-4.2p1.
  From the OpenSSH 4.2 release announcement:
     SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
     GatewayPorts to be incorrectly activated for dynamic ("-D") port
     forwardings when no listen address was explicitly specified.
  (* Security fix *)

kde/kdeedu-3.4.2-i486-2.tgz:  Fixed a minor /tmp bug in kvoctrain.
  (* Security fix *)

n/php-4.4.0-i486-3.tgz:  Relinked with the system PCRE library, as the builtin
  library has a buffer overflow that could be triggered by the processing of a
  specially crafted regular expression.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  (* Security fix *)
  Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
  insecure eval() function.
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
  (* Security fix *)

xap/gaim-1.5.0-i486-1.tgz:  Upgraded to gaim-1.5.0.
  This fixes some more security issues.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370
  (* Security fix *)

testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz:  Relinked with the
  system PCRE library, as the builtin library has a buffer overflow
  that could be triggered by the processing of a specially crafted
  regular expression.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  (* Security fix *)
  Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the
  insecure eval() function.
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
  (* Security fix *)
  Recompiled with support for mbstring, cURL, and XSLT.
  Thanks to Den (aka Diesel) for suggesting XSLT.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Add of these packages are available in the slackware-current directory
on ftp.slackware.com:


A .asc file is provided next to each package.  This can be used along
with 'gpg --verify' to verify the integrity of the packages.


+-----+

Slackware: 2005-251-03: slackware-current s Security Update

September 8, 2005
This advisory summarizes recent security fixes in Slackware -current

Summary

Here are the details from the Slackware -current ChangeLog: ap/groff-1.19.1-i486-3.tgz: Fixed a /tmp bug in groffer. Groffer is a script to display formatted output on the console or X, and is not normally used in other scripts (for printers, etc) like most groff components are. The risk from this bug is probably quite low. The fix was pulled from the just-released groff-1.19.2. With Slackware 10.2 just around the corner it didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2 is over a megabyte compressed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969 (* Security fix *) kde/kdebase-3.4.2-i486-2.tgz: Patched a bug in Konqueror's handling of characters such as '*', '[', and '?'. Generated new kdm config files. Added /opt/kde/man to $MANPATH. Patched a security bug in kcheckpass that could allow a local user to gain root privileges. For more information, see: https://kde.org/info/security/advisory-20050905-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494 (* Security fix *) n/mod_ssl-2.8.24_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.24-1.3.33. From the CHANGES file: Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700 (* Security fix *) n/openssh-4.2p1-i486-1.tgz: Upgraded to openssh-4.2p1. From the OpenSSH 4.2 release announcement: SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic ("-D") port forwardings when no listen address was explicitly specified. (* Security fix *) kde/kdeedu-3.4.2-i486-2.tgz: Fixed a minor /tmp bug in kvoctrain. (* Security fix *) n/php-4.4.0-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) xap/gaim-1.5.0-i486-1.tgz: Upgraded to gaim-1.5.0. This fixes some more security issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370 (* Security fix *) testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) Recompiled with support for mbstring, cURL, and XSLT. Thanks to Den (aka Diesel) for suggesting XSLT.

Where Find New Packages

Add of these packages are available in the slackware-current directory on ftp.slackware.com:

A .asc file is provided next to each package. This can be used along with 'gpg --verify' to verify the integrity of the packages.

MD5 Signatures

Severity
[slackware-security] slackware-current security updates (SSA:2005-251-03)
This advisory summarizes recent security fixes in Slackware -current.
Usually security advisories are not issued on problems that exist only within the test version of Slackware (slackware-current), but since it's so close to being released as Slackware 10.2, and since there have been several -cuurent-only issues recently, it has been decided that it would be a good idea to release a summary of all of the security fixes in Slackware -current for the last 2 weeks. Some of these are -current only, and some affect other versions of Slackware (and advisories for these have already been issued).

Installation Instructions

Related News

Google Releases Chrome 130 with Critical Security Fixes for 17 Flaws
3 - 5 min read
Google recently unveiled Chrome 130 , an update that addresses several security vulnerabilities to ensure the web browser's safety and reliability.
U.S. Investigation into China-Backed Telecom Companies Hack: The Role & Risks of Encryption Backdoors
3 - 5 min read
U.S. authorities are on high alert as they investigate an alleged Chinese state-sponsored hack targeting major U.S. telecommunications companies.
FASTCash Linux Malware: A New Cybercrime Menace Targeting Payment Switch Systems
3 - 5 min read
As malware threats evolve to increasingly target Linux systems, admins and organizations must stay up-to-date on the latest Linux malware variants
Optimizing CWPP on Linux Servers: Best Practices and Configurations
3 - 6 min read
Cloud Workload Protection Platforms are now essential for securing virtual environments. These provide a robust security layer vital for addressing
The Infiltration of Supply Chain Attacks in Open-Source Software Management
3 - 6 min read
Open-source projects are renowned for their collaborative nature and widespread adoption, yet more sophisticated supply chain attacks target them
Strengthen Your Linux Software Development Pipeline with Code Security Scanners
3 - 6 min read
Developers recognize the critical nature of protecting software systems as cyberattacks grow more sophisticated, thus necessitating robust security
Everything You Need to Know About Cloud Security Posture Management
3 - 5 min read
Many companies are transitioning from physical servers to cloud operations, but this transformation brings new challenges. Cloud Security Posture
Understanding the Critical Oath-Toolkit Vulnerability and Its Implications for Admins
3 - 5 min read
As Linux security threats advance and evolve, vulnerabilities often surface unexpectedly, exposing systems to potential exploitation. SUSE

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved