Sunday, May 10, 2009

Security Updates: GnuTLS and xpdf

Sorry for the long gap in updates; I was out of town for about four days without proper Internet access to update this blog with the latest news from Slackware development. Well, the good news is that I'm back at home with good Internet access and ready to tell you the updates. Two new security updates have been released in the last few days: GnuTLS and xpdf. Especially for GnuTLS, it will fix the problem I have been encountering for the last few weeks where I couldn't get my signature verified by GnuPG. I used the FireGPG extension for Firefox to add my digital signature, and when it was posted, I always got a wrong signature message. I hope this fixes the problem.

Other good news is that the next Slackware release will have a new package format, .txz. A package is still a standard tar archive; only the outer compression changes, from gzip to xz (which is based on the LZMA algorithm) and gives noticeably better compression while keeping decompression fast. As you can see, almost all of the packages in the /slackware tree of slackware-current have already been migrated to .txz, saving approximately 500 MB of disk space compared to the old .tgz format.
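To make the package-envelope point concrete, here is an added example (my own, not code from this post or from Slackware's pkgtools). Since the tools identify a package's wrapper by its extension, this script identifies the wrapper from the file's magic bytes instead, reports when the two disagree (a .txz that is really gzip, or the reverse), and refuses tar members whose paths or link targets would land outside the package root before anything is extracted. It handles all four wrappers the changelog below mentions (gzip, bzip2, the original lzma format and xz). The sample packages are constructed in memory; the layout (files under ./ plus install/slack-desc) is assumed from Slackware convention, and the package names are only borrowed from the changelog.

```python
"""Check a Slackware-style package envelope before trusting it.

Added example, not code from Slackware's pkgtools.  A package is a tar archive
whose envelope may be wrapped in gzip (.tgz), bzip2 (.tbz), lzma-alone (.tlz)
or xz (.txz).  The extension is the only label of the wrapper, so this module
identifies the wrapper from magic bytes, reports a mismatch with the extension,
and rejects members whose paths or link targets escape the package root.
"""
import bz2
import gzip
import io
import lzma
import posixpath
import tarfile

# Signatures of the four wrappers.  The lzma-alone header has no fixed magic:
# 0x5d is the properties byte for the default lc=3/lp=0/pb=2, followed by a
# little-endian dictionary size, so "5d 00 00" is a heuristic and checked last.
_MAGIC = [
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x1f\x8b", "gz"),
    (b"BZh", "bz2"),
    (b"\x5d\x00\x00", "lzma"),
]
_EXT = {"tgz": "gz", "tbz": "bz2", "tlz": "lzma", "txz": "xz"}
# LZMAFile auto-detects both the .xz and the legacy .lzma container.
_READ_MODE = {"gz": "r:gz", "bz2": "r:bz2", "lzma": "r:xz", "xz": "r:xz"}
_COMPRESS = {
    "gz": gzip.compress,
    "bz2": bz2.compress,
    "lzma": lambda raw: lzma.compress(raw, format=lzma.FORMAT_ALONE),
    "xz": lambda raw: lzma.compress(raw, format=lzma.FORMAT_XZ),
}


def detect_compression(data):
    """Return 'gz', 'bz2', 'lzma' or 'xz' from the leading bytes, else None."""
    for magic, name in _MAGIC:
        if data.startswith(magic):
            return name
    return None


def _escapes_root(path):
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def member_problem(m):
    """Reason a tar member must not be extracted under the package root, or None."""
    if _escapes_root(m.name):
        return "path escapes package root"
    if m.issym():  # symlink targets resolve relative to the link's directory
        if _escapes_root(posixpath.join(posixpath.dirname(m.name), m.linkname)):
            return "symlink target escapes package root"
    elif m.islnk() and _escapes_root(m.linkname):  # hard links are archive-relative
        return "hard link target escapes package root"
    return None


def inspect_package(filename, data):
    """Identify the wrapper, compare it with the extension, and audit members."""
    comp = detect_compression(data)
    if comp is None:
        raise ValueError("not a gzip/bzip2/lzma/xz envelope")
    ext = filename.rsplit(".", 1)[-1]
    members, unsafe = [], {}
    with tarfile.open(fileobj=io.BytesIO(data), mode=_READ_MODE[comp]) as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            members.append(name)
            problem = member_problem(m)
            if problem:
                unsafe[name] = problem
    return {
        "compression": comp,
        "extension_ok": _EXT.get(ext) == comp,
        "members": members,
        "has_slack_desc": "install/slack-desc" in members,
        "unsafe": unsafe,
    }


def build_package(files, compression, symlinks=None):
    """Constructed sample package: a tar in Slackware-style layout, then wrapped."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o755 if path.startswith("./usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(content))
        for path, target in (symlinks or {}).items():
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return _COMPRESS[compression](raw.getvalue())


# Constructed sample contents; "gv" is only borrowed from the changelog entry.
SAMPLE_FILES = {
    "./install/slack-desc": b"gv: gv (PostScript and PDF viewer)\n",
    "./usr/bin/gv": b"#!/bin/sh\necho 'constructed sample, not the real gv'\n",
}
# Constructed hostile package: a path with ../ and a symlink pointing above the root.
EVIL_FILES = {
    "./install/slack-desc": b"evil: evil (constructed hostile package)\n",
    "./usr/bin/../../../etc/cron.d/backdoor": b"* * * * * root /tmp/x\n",
}
EVIL_LINKS = {"./var/lib/evil": "../../../root"}

if __name__ == "__main__":
    for comp, ext in (("gz", "tgz"), ("xz", "txz")):
        pkg = build_package(SAMPLE_FILES, comp)
        print(f"gv-3.6.7-i486-1.{ext}:", inspect_package(f"gv-3.6.7-i486-1.{ext}", pkg))
    print("mislabelled:", inspect_package("gv-3.6.7-i486-1.tgz", build_package(SAMPLE_FILES, "xz")))
    hostile = build_package(EVIL_FILES, "gz", EVIL_LINKS)
    print("hostile:", inspect_package("evil-1.0-i486-1.tgz", hostile)["unsafe"])
```

Note that GNU tar's `-a`/auto-detection would happily unpack a mislabelled envelope either way, which is exactly why the extension check matters: a package whose label and contents disagree has been handled by something other than the normal tooling. The member audit only covers what is in the tarball; it says nothing about what an install script inside the package does once it runs.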

A new version of KDE, 4.2.3, has also been released in this batch; it continues the bug-fix line of the 4.2 series ahead of KDE 4.3, which is expected in the next quarter. OK, let's see our latest -current ChangeLog:
Sat May 9 18:13:36 CDT 2009
xap/gv-3.6.7-i486-1.txz: Upgraded to gv-3.6.7.

xap/pidgin-2.5.5-i486-3.txz: Fixed missing Pidgin.pod. Thanks to Mark Post.

Upgraded to xpdf-3.02pl3.
This update fixes several overflows that may result in crashes or the execution of arbitrary code as the xpdf user.
For more information, see:
(* Security fix *)
Fri May 8 18:49:03 CDT 2009
Hello folks! This batch of updates includes the newly released KDE 4.2.3, but more noticeably it marks the first departure from the use of gzip for compressing Slackware packages. Instead, we will be using xz, based on the LZMA compression algorithm. xz offers better compression than even bzip2, but still offers good extraction performance (about 3 times better than bzip2 and not much slower than gzip in our testing). Since support for bzip2 has long been requested, support for bzip2 and the original lzma format has also been added (why not?), but this is purely in the interest of completeness -- we think most people will probably want to use either the original .tgz or the new .txz compression wrappers. The actual Slackware package format (which consists of the layout within the package envelope) has not changed, but this is the first support within Slackware's package tools for using alternate compression algorithms.
Some people have asked why we don't pick a single extension, such as .slk. While there's certainly a case to be made for that idea, the tools would still need to support .tgz to handle older packages. Sticking with "tgz" for everything makes no sense. Using extensions that reflect the compression format used by the package envelope seems to be the most transparent approach, and the one that best follows tradition.
As an example of the compression improvement with .txz, have a look at the kernel-source package:
Before: kernel-source- (73808508 bytes)
After: kernel-source- (49150104 bytes)
The size of the main package tree in /slackware has been reduced from 1.9GB to 1.4GB by converting most packages to .txz.
Most of the packages have been converted from .tgz to .txz, but we will continue to make the gzip, pkgtools, slackpkg, tar, and xz packages in .tgz format for the foreseeable future.
Enjoy! And thanks to Lasse Collin for the great work on xz. :-)
a/coreutils-7.4-i486-1.txz: Upgraded to coreutils-7.4.

a/tar-1.22-i486-2.tgz: Added support for .txz. Thanks to Robby Workman.

ap/sqlite-3.6.13-i486-1.txz: Upgraded to sqlite-3.6.13.

d/gcc-4.3.3-i486-3.txz: Recompiled. Moved some files into the gcc-gfortran and gcc-java packages. Thanks to Frédéric L. W. Meunier.

d/gcc-g++-4.3.3-i486-3.txz: Recompiled.

d/gcc-gfortran-4.3.3-i486-3.txz: Recompiled.

d/gcc-gnat-4.3.3-i486-3.txz: Recompiled.

d/gcc-java-4.3.3-i486-3.txz: Added ecj-4.3.jar and fixed the build script to compile and install gcj. Thanks to Michael James.

d/gcc-objc-4.3.3-i486-3.txz: Recompiled.

kde/guidance-power-manager-4.2.3-i486-1.txz: Upgraded to guidance-power-manager-4.2.3.

kde/kaudiocreator-r964620-i486-1.txz: Upgraded to kaudiocreator-r964620.

kde/kdeaccessibility-4.2.3-i486-1.txz: Upgraded to kdeaccessibility-4.2.3.

kde/kdeadmin-4.2.3-i486-1.txz: Upgraded to kdeadmin-4.2.3.

kde/kdeartwork-4.2.3-i486-1.txz: Upgraded to kdeartwork-4.2.3.

kde/kdebase-4.2.3-i486-1.txz: Upgraded to kdebase-4.2.3.

kde/kdebase-runtime-4.2.3-i486-1.txz: Upgraded to kdebase-runtime-4.2.3.

kde/kdebase-workspace-4.2.3-i486-1.txz: Upgraded to kdebase-workspace-4.2.3.

kde/kdebindings-4.2.3-i486-1.txz: Upgraded to kdebindings-4.2.3.

kde/kdeedu-4.2.3-i486-1.txz: Upgraded to kdeedu-4.2.3.

kde/kdegames-4.2.3-i486-1.txz: Upgraded to kdegames-4.2.3.

kde/kdegraphics-4.2.3-i486-1.txz: Upgraded to kdegraphics-4.2.3.

kde/kdelibs-4.2.3-i486-1.txz: Upgraded to kdelibs-4.2.3.

kde/kdemultimedia-4.2.3-i486-1.txz: Upgraded to kdemultimedia-4.2.3.

kde/kdenetwork-4.2.3-i486-1.txz: Upgraded to kdenetwork-4.2.3.

kde/kdepim-4.2.3-i486-1.txz: Upgraded to kdepim-4.2.3.

kde/kdepimlibs-4.2.3-i486-1.txz: Upgraded to kdepimlibs-4.2.3.

kde/kdeplasma-addons-4.2.3-i486-1.txz: Upgraded to kdeplasma-addons-4.2.3.

kde/kdesdk-4.2.3-i486-1.txz: Upgraded to kdesdk-4.2.3.

kde/kdetoys-4.2.3-i486-1.txz: Upgraded to kdetoys-4.2.3.

kde/kdeutils-4.2.3-i486-1.txz: Upgraded to kdeutils-4.2.3.

kde/kdewebdev-4.2.3-i486-1.txz: Upgraded to kdewebdev-4.2.3.

kde/koffice- Upgraded to koffice-

kde/konq-plugins-4.2.3-i486-1.txz: Upgraded to konq-plugins-4.2.3.

kde/skanlite-0.3_kde4.2.3-i486-1.txz: Upgraded to skanlite-0.3-kde4.2.3.

kdei/kde-l10n-*-4.2.3-noarch-1.txz: Upgraded to KDE 4.2.3 l10n packages.

kdei/koffice-l10n-*- Upgraded to KOffice l10n packages.

l/dbus-qt3-0.70-i486-2.tgz: Removed.

l/qt-r964497-i486-1.txz: Upgraded to qt-copy-r964497.

n/gnutls-2.6.6-i486-1.txz: Upgraded to gnutls-2.6.6.
- Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil.
- Noticed when investigating the previous GNUTLS-SA-2009-1 problem.
All DSA keys generated using GnuTLS 2.6.x are corrupt.
For more information, see:
(* Security fix *)

xap/pidgin-2.5.5-i486-2.txz: Recompiled against gnutls-2.6.6.