
Security Fix: m4 and bzip2

Two security updates have been released along with another batch of updates in the Slackware-Current tree. Nothing major happened in this batch, except for iptables, which gets a significant upgrade, and an improvement to the installer to support installation from an HTTP source with a port number, such as http://somehost:8080.

Here's the latest -Current changelog:

Mon Apr 7 12:25:10 CDT 2008
a/aaa_elflibs-12.1.0-i486-1.tgz: Added libfuse. Updated libbz2 (which still has the shared library name "libbz2.so.1.0.4").

a/bzip2-1.0.5-i486-1.tgz: Upgraded to bzip2-1.0.5.
Previous versions of bzip2 contained a buffer overread error that could cause applications linked to libbz2 to crash, resulting in a denial of service.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
(* Security fix *)

a/cryptsetup-1.0.5-i486-3.tgz: Make cryptsetup in /sbin and /usr/sbin both symlinks to /sbin/cryptsetup.static. This prevents "cryptsetup" failure if someone installs only the A package series. Thanks to Piter Punk.

ap/cdrtools-2.01.01a38-i486-1.tgz: Upgraded to cdrtools-2.01.01a38.

ap/dvd+rw-tools-7.1-i486-1.tgz: Upgraded to dvd+rw-tools-7.1.

ap/ghostscript-8.62-i486-4.tgz: Fixed cidfmap for printing with the wqy-zenhei.ttf font. Thanks to ABE Shin-ichi.

d/m4-1.4.11-i486-1.tgz: Upgraded to m4-1.4.11.
In addition to bugfixes and enhancements, this version of m4 also fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code.
For more information on these issues, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
(* Security fix *)

n/iptables-1.4.0-i486-1.tgz: Upgraded to iptables-1.4.0. Thanks to giovanni for testing this version and suggesting it as a safe upgrade.
On x86, explicitly set i486 compile flags (though this is the compiler's default anyway). Thanks to kanedaaa.

n/network-scripts-12.1-noarch-1.tgz: Fixed WLAN_IWPRIV[4] example generated by netconfig. Thanks to Eric Hameleers for pointing it out.

n/whois-4.7.26-i486-1.tgz: Upgraded to whois-4.7.26.

xap/xfce-4.4.2-i486-4.tgz: Fixed the build script to apply a couple of bugfix patches correctly. Thanks to Carlos Corbacho for the bug report.
Fixed xfcalendar.desktop (orage) to only show in the Xfce menus.
Thanks to Frank Duignan for prompting me to take a closer look.

isolinux/initrd.img: Patched to fix expert mode FTP/HTTP installation, and to allow installation from HTTP source with port number, such as: http://somehost:8080
Thanks to Dario Nicodemi for the bug report and patches, and to Eric Hameleers for making some adjustments to the HTTP port patch.

usb-and-pxe-installers/: Patched to fix expert mode FTP/HTTP installation, and to allow installation from HTTP source with port number, such as: http://somehost:8080
Thanks to Dario Nicodemi for the bug report and patches, and to Eric Hameleers for making some adjustments to the HTTP port patch.
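
A quick way to check whether a machine already has the two security fixes, as an added example (not part of the original post or of Slackware's tools). It assumes the package database in /var/log/packages holds one file per package named name-version-arch-build. aaa_elflibs is included because the changelog says it ships an updated libbz2 whose shared library name is still "libbz2.so.1.0.4", so the library file name alone does not show whether the fix is present; treating 12.1.0 as its minimum version is an assumption drawn from that entry.

```shell
# Added example: audit a Slackware package database for the fixes listed above.
# Assumption: entries are files named name-version-arch-build.

# version_ge A B: succeed when dotted version A >= B (numeric per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {      # a missing component counts as 0
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# pkg_version DIR NAME: print the version of installed package NAME, if any.
pkg_version() {
    for f in "$1"/"$2"-*; do
        [ -e "$f" ] || continue
        p=${f##*/}; p=${p%.tgz}
        rest=${p%-*}; rest=${rest%-*}        # drop build, then arch
        [ "${rest%-*}" = "$2" ] || continue  # names may contain hyphens
        printf '%s\n' "${rest##*-}"
        return 0
    done
    return 1
}

# pkg_status DIR NAME MINVER: print fixed, outdated or absent.
pkg_status() {
    v=$(pkg_version "$1" "$2") || { echo absent; return 0; }
    if version_ge "$v" "$3"; then echo fixed; else echo outdated; fi
}

# audit [DIR]: minimum versions are the ones named in the changelog above.
audit() {
    dir=${1:-/var/log/packages}
    for want in bzip2:1.0.5 m4:1.4.11 aaa_elflibs:12.1.0; do
        printf '%s %s\n' "${want%%:*}" "$(pkg_status "$dir" "${want%%:*}" "${want##*:}")"
    done
}

# demo: audit a constructed database (not a real system; bzip2-devel is made up).
demo() {
    d=$(mktemp -d)
    touch "$d/bzip2-1.0.4-i486-1" "$d/bzip2-devel-9.9-i486-1" "$d/m4-1.4.11-i486-1"
    audit "$d"; rm -rf "$d"
}
```

On a Slackware system, `audit` with no argument reads /var/log/packages; `demo` shows the output for the constructed entries.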
