Monday, April 27, 2009

Security Updates: BitchX and CUPS

Two security updates were released today, and one of them is unusual: it is a package removal rather than a patch or version upgrade. BitchX has been dropped because there is no active upstream development, which would leave users exposed to known security vulnerabilities with no fixes in sight. People who have been using BitchX are advised to switch to irssi, or to X-Chat if they prefer a GUI application.

Besides these two updates there are several other updated packages, mostly in a/ and x/, where the scim-* packages account for a good share of them. Here is the latest -Current changelog:
Sun Apr 26 15:11:57 CDT 2009
a/cups-1.3.10-i486-1.tgz:
Upgraded to cups-1.3.10.
This fixes several security issues, including an integer overflow in the TIFF decoder, a failure to properly verify the Host HTTP header, and several problems with PDF handling (the new CUPS uses a wrapper rather than embedded code taken from xpdf). These issues could result in a denial of service or the execution of arbitrary code.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
(* Security fix *)

a/dialog-1.1_20080819-i486-2.tgz: Patched to make the minimum height of checkboxes and menuboxes 4. This fixes a bug where installer menus were taller than they needed to be, and in some cases filled the screen overwriting the information at the top.

a/pkgtools-12.34567890-noarch-4.tgz: Patched to fix failures when a valid package extension (.tgz, .tbz, .tlz, .txz) is embedded somewhere in the directory path, or the package's name, version, or build number.
Thanks to Erik Jan Tromp.

a/sysvinit-scripts-1.2-noarch-29.tgz: Patched rc.M to remove files of the form {a,}quota.{group,user}.new from the top of filesystems that use quota. These can be created if quota is interrupted by a reboot or power failure and cause quotacheck at boot time to fail.
Thanks to Erik Jan Tromp.

d/strace-4.5.18-i486-1.tgz: Upgraded to strace-4.5.18.

n/bitchx-1.1-i486-5.tgz: Removed.
BitchX has several known security flaws for which there are no known workarounds, and upstream progress seems to have stalled. Users should switch to a supported IRC client such as irssi.
(* Security fix *)

n/metamail-2.7-i486-3.tgz: Updated patch and recompiled.
Moved fonts for mailto-hebrew to /usr/share/metamail/fonts/.

n/wpa_supplicant-0.6.9-i486-1.tgz: Upgraded to wpa_supplicant-0.6.9.

x/m17n-lib-1.5.4-i486-1.tgz: Upgraded to m17n-lib-1.5.4.

x/scim-1.4.9-i486-1.tgz: Upgraded to scim-1.4.9.

x/scim-bridge-0.4.16-i486-1.tgz: Upgraded to scim-bridge-0.4.16.

x/scim-input-pad-0.1.2-i486-1.tgz: Added scim-input-pad-0.1.2.

x/scim-m17n-0.2.3-i486-1.tgz: Upgraded to scim-m17n-0.2.3.

x/scim-tables-0.5.9-i486-1.tgz: Upgraded to scim-tables-0.5.9.

x/wqy-zenhei-font-ttf-0.8.38_1-noarch-1.tgz: Upgraded to wqy-zenhei-0.8.38-1.

x/xaw3d-1.5E-i486-1.tgz: Upgraded to Xaw3d-1.5E.

xap/xfractint-20.04p09-i486-1.tgz: Upgraded to xfractint-20.04p09.

isolinux/initrd.img: Regenerated modules.dep to reflect the compressed kernel modules. Thanks to Piter Punk and Eric Hameleers.
When formatting an ext3 partition, don't use '-j' (using mkfs.ext3 already takes care of that).
Use the patched dialog to fix the formatting of the installer menus.

testing/packages/bash-4.0.017-i486-1.tgz: Updated with upstream patches.

usb-and-pxe-installers/usbboot.img: Same fixes as initrd.img.
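The two security items above boil down to one check an administrator wants to run on a box: is CUPS at or above 1.3.10, and is BitchX still installed at all? The script below is an added example written for this post; it is not Slackware's code and not part of the changelog. It assumes the standard Slackware package naming scheme name-version-arch-build as used for the entries in /var/log/packages, and it runs against a constructed sample list rather than a real system (point it at `ls /var/log/packages` to use it for real).

```shell
#!/bin/sh
# Added example (not from the post or from Slackware): decide whether a package
# entry, as listed in /var/log/packages, is covered by the CUPS upgrade or the
# BitchX removal in the changelog above.
#
# Assumption: entries look like "name-version-arch-build", e.g. cups-1.3.10-i486-1.
# The name may itself contain dashes, so name and version are taken by stripping
# the last three dash-separated fields.

# pkg_name cups-1.3.10-i486-1  -> cups
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*-[^-]*$//'
}

# pkg_version cups-1.3.10-i486-1  -> 1.3.10
pkg_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([^-]*\)-[^-]*-[^-]*$/\1/'
}

# version_ge A B: exit 0 when dotted version A >= B, comparing field by field
# numerically (so 1.3.10 > 1.3.9, which a plain string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# advisory_status ENTRY: print a verdict; exit 0 if no action is needed,
# exit 1 if the package must be upgraded or removed.
advisory_status() {
    name=$(pkg_name "$1")
    ver=$(pkg_version "$1")
    case "$name" in
        cups)
            if version_ge "$ver" "1.3.10"; then
                echo "cups $ver: fixed (>= 1.3.10)"
                return 0
            fi
            echo "cups $ver: VULNERABLE, upgrade to cups-1.3.10"
            return 1 ;;
        bitchx)
            echo "bitchx $ver: removed from -current with no fix available;" \
                 "remove it and switch to irssi (or X-Chat for a GUI)"
            return 1 ;;
        *)
            echo "$name $ver: not covered by this advisory"
            return 0 ;;
    esac
}

# Constructed sample of /var/log/packages entries (not taken from a real system).
SAMPLE_PACKAGES="cups-1.3.9-i486-1
bitchx-1.1-i486-5
strace-4.5.18-i486-1
wqy-zenhei-font-ttf-0.8.38_1-noarch-1"

# count_affected: print how many sample entries need action; always exits 0.
count_affected() {
    bad=0
    for p in $SAMPLE_PACKAGES; do
        advisory_status "$p" >/dev/null || bad=$((bad + 1))
    done
    echo "$bad"
}

for p in $SAMPLE_PACKAGES; do
    advisory_status "$p" || true
done
echo "entries needing action: $(count_affected)"
```

The version comparison is the part worth keeping: the changelog moves CUPS from 1.3.9 to 1.3.10, and a naive string compare would rank "1.3.9" above "1.3.10" and report a vulnerable box as fixed. For BitchX there is no version to compare, since the advisory's only remedy is removal, so any installed build is flagged.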