Tuesday, July 29, 2008

Pile of Security Updates

WOW!!!! surprise Bunch of security updates just come out of -Current and also -Stable tree. I was suprised to see lots of incoming email messages with slackware-security on the subject. Here they are:
Mon Jul 28 22:45:58 CDT 2008
a/openssl-solibs-0.9.8h-i486-1.tgz:
Upgraded to OpenSSL 0.9.8h shared libraries (see below).
(* Security fix *)

a/sysvinit-scripts-1.2-noarch-21.tgz: For now, quiet error output from update-mime-database, since KDE4 causes some "noise".

ap/vim-7.1.330-i486-1.tgz:
Upgraded to vim-7.1.330. This fixes several security issues related to the automatic processing of untrusted files.
For more information, see:
http://www.rdancer.org/vulnerablevim.html
(* Security fix *)

l/libxml2-2.6.32-i486-1.tgz: Upgraded to libxml2-2.6.32.

l/libxslt-1.1.24-i486-1.tgz: Upgraded to libxslt-1.1.24.
A buffer overflow when processing XSL stylesheets could result in the execution of arbitrary code.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767
(* Security fix *)

l/pcre-7.7-i486-1.tgz: Upgraded to pcre-7.7.
Tavis Ormandy of the Google Security Team found a buffer overflow triggered when handling certain regular expressions. This could lead to a crash or possible execution of code as the user of the PCRE-linked application.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
(* Security fix *)

n/fetchmail-6.3.8-i486-3.tgz: Patched to fix a possible denial of service when "-v -v" options are used.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
(* Security fix *)

n/httpd-2.2.9-i486-1.tgz: Upgraded to httpd-2.2.9.
This release fixes flaws which could allow XSS attacks.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
(* Security fix *)

n/links-2.1-i486-1.tgz: Upgraded to links-2.1.
Unspecified vulnerability in Links before 2.1, when "only proxies" is enabled, has unknown impact and attack vectors related to providing "URLs to external programs."
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3329
(* Security fix *)

n/mtr-0.73-i486-1.tgz: Upgraded to mtr-0.73.
This fixes a minor security bug where a very long hostname in the trace path could lead to an overflow (and most likely just a crash).
(* Security fix *)

n/net-snmp-5.4.1.2-i486-1.tgz: Upgraded to net-snmp-5.4.1.2.
A vulnerability was discovered where an attacked could spoof an authenticated SNMPv3 packet due to incorrect HMAC checking. Also, a buffer overflow was found that could be exploited if an application using the net-snmp perl modules connects to a malicious server.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292
(* Security fix *)

n/openldap-client-2.3.43-i486-1.tgz: Upgraded to openldap-2.3.43.
This release fixes a security issue in slapd (our package does not ship it.)

n/openssh-5.1p1-i486-1.tgz: Upgraded to openssh-5.1p1.
When upgrading OpenSSH, it is VERY IMPORTANT to also upgrade OpenSSL, or it is possible to be unable to log back into sshd!

n/openssl-0.9.8h-i486-1.tgz: Upgraded to OpenSSL 0.9.8h.
The Codenomicon TLS test suite uncovered security bugs in OpenSSL.
If OpenSSL was compiled using non-default options (Slackware's package is not), then a malicious packet could cause a crash. Also, a malformed TLS handshake could also lead to a crash.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672
When upgrading OpenSSL, it is VERY IMPORTANT to also upgrade OpenSSH, or it is possible to be unable to log back into sshd!
(* Security fix *)

xap/gimp-2.4.6-i486-1.tgz: Upgraded to gimp-2.4.6.

xap/mozilla-thunderbird-2.0.0.16-i686-1.tgz: Upgraded to thunderbird-2.0.0.16.
This upgrade fixes some more security bugs.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
(* Security fix *)

xap/vim-gvim-7.1.330-i486-1.tgz: Upgraded to vim-gvim-7.1.330.
See "vim" above for details.
(* Security fix *)
xap/xscreensaver-5.06-i486-1.tgz: Upgraded to xscreensaver-5.06.