Thursday, September 13, 2007

Security Update: PHP, OpenSSH, Samba

The Slackware security team has released three packages containing security updates: PHP, OpenSSH, and Samba. Here's the latest changelog from the -stable tree:
Wed Sep 12 15:20:06 CDT 2007
Upgraded to openssh-4.7p1.
From the OpenSSH release notes:
"Security bugs resolved in this release: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec."
While it's fair to say that we here at Slackware don't see how this could be leveraged to compromise a system, a) the OpenSSH people (who presumably understand the code better) characterize this as a security bug, b) it has been assigned a CVE entry, and c) OpenSSH is one of the most commonly used network daemons. Better safe than sorry.
More information should appear here eventually:
(* Security fix *)

Upgraded to php-5.2.4. The PHP announcement says this version fixes over 120 bugs as well as "several low priority security bugs."
Read more about it here:
(* Security fix *)

Upgraded to samba-3.0.26a.
This fixes a security issue in all Samba 3.0.25 versions:
"Incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin."
For more information, see:
(* Security fix *)