Slackware: 2005-251-03: slackware-current s Security Update
Summary
Here are the details from the Slackware -current ChangeLog: ap/groff-1.19.1-i486-3.tgz: Fixed a /tmp bug in groffer. Groffer is a script to display formatted output on the console or X, and is not normally used in other scripts (for printers, etc) like most groff components are. The risk from this bug is probably quite low. The fix was pulled from the just-released groff-1.19.2. With Slackware 10.2 just around the corner it didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2 is over a megabyte compressed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969 (* Security fix *) kde/kdebase-3.4.2-i486-2.tgz: Patched a bug in Konqueror's handling of characters such as '*', '[', and '?'. Generated new kdm config files. Added /opt/kde/man to $MANPATH. Patched a security bug in kcheckpass that could allow a local user to gain root privileges. For more information, see: https://kde.org/info/security/advisory-20050905-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494 (* Security fix *) n/mod_ssl-2.8.24_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.24-1.3.33. From the CHANGES file: Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700 (* Security fix *) n/openssh-4.2p1-i486-1.tgz: Upgraded to openssh-4.2p1. From the OpenSSH 4.2 release announcement: SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic ("-D") port forwardings when no listen address was explicitly specified. (* Security fix *) kde/kdeedu-3.4.2-i486-2.tgz: Fixed a minor /tmp bug in kvoctrain. (* Security fix *) n/php-4.4.0-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) xap/gaim-1.5.0-i486-1.tgz: Upgraded to gaim-1.5.0. This fixes some more security issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370 (* Security fix *) testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) Recompiled with support for mbstring, cURL, and XSLT. Thanks to Den (aka Diesel) for suggesting XSLT.
Where Find New Packages
Add of these packages are available in the slackware-current directory
on ftp.slackware.com:
A .asc file is provided next to each package. This can be used along
with 'gpg --verify' to verify the integrity of the packages.
MD5 Signatures
Installation Instructions