Wed Jul 25 02:02:40 UTC 2012
patches/packages/libpng-1.2.50-i486-1_slack10.2.tgz: Upgraded.
  Fixed incorrect type (int copy should be png_size_t copy) in png_inflate()
  (fixes CVE-2011-3045).
  Revised png_set_text_2() to avoid potential memory corruption
  (fixes CVE-2011-3048).
  Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
  (* Security fix *)
+--------------------------+
Thu Jun 14 05:02:39 UTC 2012
####################################################################
# NOTICE OF IMPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
#                                                                  #
# Effective August 1, 2012, security patches will no longer be     #
# provided for the following versions of Slackware (which will all #
# be more than 5 years old at that time):                          #
# Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0.           #
# If you are still running these versions you should consider      #
# migrating to a newer version (preferably as recent as possible). #
# Alternately, you may make arrangements to handle your own        #
# security patches.  If for some reason you are unable to upgrade  #
# or handle your own security patches, limited security support    #
# may be available for a fee.  Inquire at security@slackware.com.  #
####################################################################
patches/packages/bind-9.7.6_P1-i486-1_slack10.2.tgz: Upgraded.
  This release fixes an issue that could crash BIND, leading to a denial of
  service. It also fixes the so-called "ghost names attack" whereby a remote
  attacker may trigger continued resolvability of revoked domain names.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
  IMPORTANT NOTE: This is an upgraded version of BIND, _not_ a patched one.
  It is likely to be more strict about the correctness of configuration files.
  Care should be taken about deploying this upgrade on production servers to
  avoid an unintended interruption of service.
  (* Security fix *)
+--------------------------+
Wed May 23 00:14:52 UTC 2012
patches/packages/libxml2-2.6.32-i486-2_slack10.2.tgz: Upgraded.
  Patched an off-by-one error in XPointer that could lead to a crash or
  possibly the execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
  (* Security fix *)
+--------------------------+
Wed Apr 11 17:16:32 UTC 2012
patches/packages/samba-3.0.37-i486-5_slack10.2.tgz: Rebuilt.
  This is a security release in order to address a vulnerability that allows
  remote code execution as the "root" user. All sites running a Samba server
  should update to the new Samba package and restart Samba.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
  (* Security fix *)
+--------------------------+
Sat Apr 7 21:48:42 UTC 2012
patches/packages/libtiff-3.8.2-i486-4_slack10.2.tgz: Rebuilt.
  Patched overflows that could lead to arbitrary code execution when parsing
  a malformed image file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
  (* Security fix *)
+--------------------------+
Wed Feb 22 18:14:58 UTC 2012
patches/packages/libpng-1.2.47-i486-1_slack10.2.tgz: Upgraded.
  All branches of libpng prior to versions 1.5.9, 1.4.9, 1.2.47, and 1.0.57,
  respectively, fail to correctly validate a heap allocation in
  png_decompress_chunk(), which can lead to a buffer-overrun and the
  possibility of execution of hostile code on 32-bit systems.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
  (* Security fix *)
+--------------------------+
Thu Nov 17 02:09:25 UTC 2011
patches/packages/bind-9.4_ESV_R5_P1-i486-1_slack10.2.tgz: Upgraded.
  --- 9.4-ESV-R5-P1 released ---
  3218. [security] Cache lookup could return RRSIG data associated with
        nonexistent records, leading to an assertion failure. [RT #26590]
  (* Security fix *)
+--------------------------+
Fri Aug 12 23:20:00 UTC 2011
patches/packages/bind-9.4_ESV_R5-i486-1_slack10.2.tgz: Upgraded.
  This BIND update addresses a couple of security issues:
  * named, set up to be a caching resolver, is vulnerable to a user
    querying a domain with very large resource record sets (RRSets)
    when trying to negatively cache the response. Due to an off-by-one
    error, caching the response could cause named to crash.
    [RT #24650] [CVE-2011-1910]
  * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
    processing code that could allow certain UPDATE requests to crash
    named. [RT #24777] [CVE-2011-2464]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
  (* Security fix *)
+--------------------------+
Fri Jul 29 18:22:40 UTC 2011
patches/packages/libpng-1.2.46-i486-1_slack10.2.tgz: Upgraded.
  Fixed uninitialized memory read in png_format_buffer()
  (Bug report by Frank Busse, related to CVE-2004-0421).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
  (* Security fix *)
+--------------------------+
Mon Jun 20 00:49:34 UTC 2011
patches/packages/fetchmail-6.3.20-i486-1_slack10.2.tgz: Upgraded.
  This release fixes a denial of service in STARTTLS protocol phases.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947
    http://www.fetchmail.info/fetchmail-SA-2011-01.txt
  (* Security fix *)
+--------------------------+
Fri May 27 22:56:00 UTC 2011
patches/packages/bind-9.4_ESV_R4_P1-i486-1_slack10.2.tgz: Upgraded.
  This release fixes security issues:
  * A large RRSET from a remote authoritative server that results in the
    recursive resolver trying to negatively cache the response can hit an
    off by one code error in named, resulting in named crashing.
    [RT #24650] [CVE-2011-1910]
  * Zones that have a DS record in the parent zone but are also listed in
    a DLV and won't validate without DLV could fail to validate.
    [RT #24631]
  For more information, see:
    http://www.isc.org/software/bind/advisories/cve-2011-1910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
  (* Security fix *)
+--------------------------+
Fri Apr 8 06:58:48 UTC 2011
patches/packages/libtiff-3.8.2-i486-3_slack10.2.tgz: Rebuilt.
  Patched overflows that could lead to arbitrary code execution when parsing
  a malformed image file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0192
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
  (* Security fix *)
+--------------------------+
Thu Apr 7 04:07:29 UTC 2011
patches/packages/dhcp-3.1_ESV_R1-i486-1_slack10.2.tgz: Upgraded.
  In dhclient, check the data for some string options for reasonableness
  before passing it along to the script that interfaces with the OS.
  This prevents some possible attacks by a hostile DHCP server.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
  (* Security fix *)
+--------------------------+
Mon Feb 28 22:19:08 UTC 2011
patches/packages/samba-3.0.37-i486-4_slack10.2.tgz: Rebuilt.
  Fix memory corruption denial of service issue.
  For more information, see:
    http://www.samba.org/samba/security/CVE-2011-0719
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719
  (* Security fix *)
+--------------------------+
Thu Feb 10 21:19:38 UTC 2011
patches/packages/sudo-1.7.4p6-i486-1_slack10.2.tgz: Upgraded.
  Fix Runas group password checking.
  For more information, see the included CHANGES and NEWS files, and:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0010
  (* Security fix *)
+--------------------------+
Thu Dec 16 18:57:05 UTC 2010
patches/packages/bind-9.4_ESV_R4-i486-1_slack10.2.tgz: Upgraded.
  This update fixes some security issues.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
  (* Security fix *)
+--------------------------+
Sat Nov 20 21:20:27 UTC 2010
patches/packages/xpdf-3.02pl5-i486-1_slack10.2.tgz: Upgraded.
  This update fixes security issues that could lead to an application crash,
  or execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704
  (* Security fix *)
+--------------------------+
Mon Sep 20 18:39:57 UTC 2010
patches/packages/bzip2-1.0.6-i486-1_slack10.2.tgz: Upgraded.
  This update fixes an integer overflow that could allow a specially crafted
  bzip2 archive to cause a crash (denial of service), or execute arbitrary
  code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
  (* Security fix *)
+--------------------------+
Wed Sep 15 18:51:21 UTC 2010
patches/packages/sudo-1.7.4p4-i486-3_slack10.2.tgz: Rebuilt.
  Hi folks, since the patches for old systems (8.1 - 10.2) were briefly
  available containing a /var/lib with incorrect permissions, I'm issuing
  these again just to be 100% sure that no systems out there will be left
  with problems due to that. This should do it (third time's the charm).
+--------------------------+
Wed Sep 15 05:58:55 UTC 2010
patches/packages/sudo-1.7.4p4-i486-2_slack10.2.tgz: Rebuilt.
  The last sudo packages accidentally changed the permissions on /var from
  755 to 700. This build restores the proper permissions.
  Thanks to Petri Kaukasoina for pointing this out.
+--------------------------+
Wed Sep 15 00:41:13 UTC 2010
patches/packages/samba-3.0.37-i486-3_slack10.2.tgz: Upgraded.
  This upgrade fixes a buffer overflow in the sid_parse() function.
  For more information, see:
    http://www.samba.org/samba/security/CVE-2010-3069
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069
  (* Security fix *)
patches/packages/sudo-1.7.4p4-i486-1_slack10.2.tgz: Upgraded.
  This fixes a flaw that could lead to privilege escalation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
  (* Security fix *)
+--------------------------+
Wed Jun 30 04:51:49 UTC 2010
patches/packages/libtiff-3.8.2-i486-2_slack10.2.tgz: Rebuilt.
  This fixes image structure handling bugs that could lead to crashes or
  execution of arbitrary code if a specially-crafted TIFF image is loaded.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
  (* Security fix *)
patches/packages/libpng-1.2.44-i486-1_slack10.2.tgz: Upgraded.
  This fixes out-of-bounds memory write bugs that could lead to crashes
  or the execution of arbitrary code, and a memory leak bug which could
  lead to application crashes.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
  (* Security fix *)
+--------------------------+
Sun Jun 27 04:02:55 UTC 2010
patches/packages/bind-9.4.3_P5-i486-2_slack10.2.tgz: Rebuilt.
  At least some of these updates for 2.4.x systems were built under a 2.6.x
  kernel, and didn't work. Sorry, I think I've fixed the issue on this end
  this time. If the previous update did not work for you, try this one.
+--------------------------+
Fri Jun 25 05:28:02 UTC 2010
patches/packages/bind-9.4.3_P5-i486-1_slack10.2.tgz: Upgraded.
  This fixes possible DNS cache poisoning attacks when DNSSEC is enabled
  and checking is disabled (CD).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
  (* Security fix *)
+--------------------------+
Fri Jun 18 18:09:28 UTC 2010
patches/packages/samba-3.0.37-i486-2_slack10.2.tgz: Rebuilt.
  Patched a buffer overflow in smbd that allows remote attackers to cause
  a denial of service (memory corruption and daemon crash) or possibly
  execute arbitrary code via a crafted field in a packet.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2063
  (* Security fix *)
+--------------------------+
Sun May 16 20:01:28 UTC 2010
patches/packages/fetchmail-6.3.17-i486-1_slack10.2.tgz: Upgraded.
  A crafted header or POP3 UIDL list could cause a memory leak and crash
  leading to a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1167
  (* Security fix *)
+--------------------------+
Fri Apr 30 01:07:12 UTC 2010
patches/packages/irssi-0.8.15-i486-2_slack10.2.tgz: Rebuilt.
  Sorry, the perl modules were a mess in that last build on systems that
  don't use a vendor_perl dir. This should work better.
+--------------------------+
Thu Apr 22 19:13:54 UTC 2010
patches/packages/irssi-0.8.15-i486-1_slack10.2.tgz: Upgraded.
  From the NEWS file:
  - Check if an SSL certificate matches the hostname of the server we are
    connecting to.
  - Fix crash when checking for fuzzy nick match when not on the channel.
    Reported by Aurelien Delaitre (SATE 2009).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1155
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1156
  (* Security fix *)
+--------------------------+
Tue Apr 20 14:45:24 UTC 2010
patches/packages/sudo-1.7.2p6-i486-1_slack10.2.tgz: Upgraded.
  This update fixes security issues that may give a user with permission
  to run sudoedit the ability to run arbitrary commands.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
    http://www.gratisoft.us/sudo/alerts/sudoedit_escalate.html
    http://www.gratisoft.us/sudo/alerts/sudoedit_escalate2.html
  (* Security fix *)
+--------------------------+
Mon Apr 5 03:06:19 UTC 2010
patches/packages/mozilla-thunderbird-2.0.0.24-i686-1.tgz: Upgraded.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Thu Dec 10 00:12:58 UTC 2009
patches/packages/ntp-4.2.2p3-i486-2_slack10.2.tgz: Rebuilt.
  Prevent a denial-of-service attack involving spoofed mode 7 packets.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
  (* Security fix *)
+--------------------------+
Wed Dec 2 20:51:55 UTC 2009
patches/packages/bind-9.4.3_P4-i486-1_slack10.2.tgz: Upgraded.
  BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3-P3. It addresses a
  potential cache poisoning vulnerability, in which data in the additional
  section of a response could be cached without proper DNSSEC validation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
    http://www.kb.cert.org/vuls/id/418861
  (* Security fix *)
+--------------------------+
Wed Oct 28 01:23:19 UTC 2009
patches/packages/xpdf-3.02pl4-i486-1_slack10.2.tgz: Upgraded.
  This update fixes several security issues that could lead to an
  application crash, or execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
  (* Security fix *)
+--------------------------+
Sat Oct 3 18:19:00 CDT 2009
patches/packages/samba-3.0.37-i486-1_slack10.2.tgz:
  This update fixes the following security issues.
  A misconfigured /etc/passwd with no defined home directory could allow
  security restrictions to be bypassed.
  mount.cifs could allow a local user to read the first line of an arbitrary
  file if installed setuid. (On Slackware, it was not installed setuid)
  Specially crafted SMB requests could cause a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2948
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906
  (* Security fix *)
+--------------------------+
Thu Aug 20 22:12:00 CDT 2009
patches/packages/mozilla-thunderbird-2.0.0.23-i686-1.tgz:
  This upgrade fixes a security bug.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Fri Aug 14 13:42:26 CDT 2009
patches/packages/curl-7.12.2-i486-4_slack10.2.tgz:
  This update fixes a security issue where a zero byte embedded in an SSL
  or TLS certificate could fool cURL into validating the security of a
  connection to a system that the certificate was not issued for. It has
  been reported that at least one Certificate Authority allowed such
  certificates to be issued.
  For more information, see:
    http://curl.haxx.se/docs/security.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
  (* Security fix *)
+--------------------------+
Fri Aug 7 14:25:03 CDT 2009
patches/packages/samba-3.0.36-i486-1_slack10.2.tgz: Upgraded.
  This is a bugfix release.
+--------------------------+
Thu Aug 6 00:48:30 CDT 2009
patches/packages/fetchmail-6.3.11-i486-1_slack10.2.tgz: Upgraded.
  This update fixes an SSL NUL prefix impersonation attack through NULs in
  a part of an X.509 certificate's CommonName and subjectAltName fields.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
  (* Security fix *)
+--------------------------+
Wed Jul 29 23:10:01 CDT 2009
patches/packages/bind-9.4.3_P3-i486-1_slack10.2.tgz: Upgraded.
  This BIND update fixes a security problem where a specially crafted
  dynamic update message packet will cause named to exit resulting in
  a denial of service.
  An active remote exploit is in wide circulation at this time.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
    https://www.isc.org/node/479
  (* Security fix *)
+--------------------------+
Tue Jul 14 18:07:41 CDT 2009
patches/packages/dhcp-3.1.2p1-i486-1_slack10.2.tgz: Upgraded.
  A stack overflow vulnerability was fixed in dhclient that could allow
  remote attackers to execute arbitrary commands as root on the system,
  or simply terminate the client, by providing an over-long subnet-mask
  option.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
  (* Security fix *)
+--------------------------+
Sat Jun 27 18:54:07 CDT 2009
patches/packages/mozilla-thunderbird-2.0.0.22-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.22.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Fri Jun 26 22:05:35 CDT 2009
patches/packages/samba-3.0.35-i486-1_slack10.2.tgz:
  This upgrade fixes the following security issue:
  o CVE-2009-1888:
    In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
    data value can potentially affect access control when "dos filemode"
    is set to "yes".
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
  (* Security fix *)
+--------------------------+
Fri Jun 19 18:22:20 CDT 2009
patches/packages/libpng-1.2.37-i486-1_slack10.2.tgz: Upgraded.
  This update fixes a possible security issue. Jeff Phillips discovered an
  uninitialized-memory-read bug affecting interlaced images that may have
  security implications.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
  (* Security fix *)
+--------------------------+
Wed Jun 3 18:09:52 CDT 2009
patches/packages/ntp-4.2.2p3-i486-1_slack10.2.tgz:
  Patched a stack-based buffer overflow in the cookedprint function in
  ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 that allows arbitrary code
  execution by a malicious remote NTP server.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
  (* Security fix *)
+--------------------------+
Thu May 14 18:09:26 CDT 2009
patches/packages/cyrus-sasl-2.1.23-i486-1_slack10.2.tgz:
  Upgraded to cyrus-sasl-2.1.23.
  This fixes a buffer overflow in the sasl_encode64() function that could
  lead to crashes or the execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0688
  (* Security fix *)
+--------------------------+
Sat May 9 18:03:41 CDT 2009
patches/packages/xpdf-3.02pl3-i486-1_slack10.2.tgz:
  Upgraded to xpdf-3.02pl3.
  This update fixes several overflows that may result in crashes or the
  execution of arbitrary code as the xpdf user.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
  (* Security fix *)
+--------------------------+
Mon Apr 20 23:27:45 CDT 2009
patches/packages/udev-064-i486-4_slack10.2.tgz:
  This package has been patched to fix a local root hole.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
  (* Security fix *)
+--------------------------+
Tue Mar 24 01:56:10 CDT 2009
patches/packages/lcms-1.18-i486-1_slack10.2.tgz:
  Upgraded to lcms-1.18.
  This update fixes security issues discovered in LittleCMS by Chris Evans.
  These flaws could cause program crashes (denial of service) or the
  execution of arbitrary code as the user of the lcms-linked program.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
  (* Security fix *)
patches/packages/mozilla-thunderbird-2.0.0.21-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.21.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Mon Mar 9 00:04:05 CDT 2009
patches/packages/curl-7.12.2-i486-3_slack10.2.tgz:
  Patched curl-7.12.2.
  This fixes a security issue where automatic redirection could be made to
  follow file:// URLs, reading or writing a local instead of remote file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
  (* Security fix *)
+--------------------------+
Fri Feb 20 17:20:49 CST 2009
patches/packages/libpng-1.2.35-i486-1_slack10.2.tgz:
  Upgraded to libpng-1.2.35.
  This fixes multiple memory-corruption vulnerabilities due to a failure to
  properly initialize data structures.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
    ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt
  (* Security fix *)
+--------------------------+
Mon Jan 19 12:59:20 CST 2009
patches/packages/bind-9.3.6_P1-i486-3_slack10.2.tgz:
  It appears there was a newer libdns.so installed on the Slackware 10.2
  build box which caused the bind update for Slackware 10.2 to fail once
  again, but I'm fairly sure that the third time is the charm. If not, let
  me know and I'll build that box up again from a clean install.
  My apologies for any inconvenience.
+--------------------------+
Thu Jan 15 16:48:00 CST 2009
patches/packages/bind-9.3.6_P1-i486-2_slack10.2.tgz: Recompiled.
  The -1_slack10.2 package was compiled on a Slackware 10.2 system running
  a 2.6.x kernel, and this caused problems for machines running the default
  2.4.31 kernel. This package should run correctly.
+--------------------------+
Wed Jan 14 20:37:39 CST 2009
patches/packages/bind-9.3.6_P1-i486-1_slack10.2.tgz:
  Upgraded to bind-9.3.6-P1.
  Fixed checking on return values from OpenSSL's EVP_VerifyFinal and
  DSA_do_verify functions to prevent spoofing answers returned from zones
  using the DNSKEY algorithms DSA and NSEC3DSA.
  For more information, see:
    https://www.isc.org/node/373
    http://www.ocert.org/advisories/ocert-2008-016.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
  (* Security fix *)
patches/packages/ntp-4.2.4p6-i486-1_slack10.2.tgz:
  [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
  For more information, see:
    https://lists.ntp.org/pipermail/announce/2009-January/000055.html
    http://www.ocert.org/advisories/ocert-2008-016.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
  (* Security fix *)
+--------------------------+
Wed Dec 31 11:35:43 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.19-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.19.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Thu Dec 18 12:44:59 CST 2008
patches/packages/mozilla-firefox-2.0.0.20-i686-1.tgz:
  Upgraded to firefox-2.0.0.20.
  This fixes some security issues:
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
  (* Security fix *)
+--------------------------+
Fri Nov 28 16:27:52 CST 2008
patches/packages/samba-3.0.33-i486-1_slack10.2.tgz:
  Upgraded to samba-3.0.33.
  This package fixes an important barrier against rogue clients reading from
  uninitialized memory (though no proof-of-concept is known to exist).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314
  (* Security fix *)
+--------------------------+
Thu Nov 20 18:14:27 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.18-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.18.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Wed Nov 19 19:13:12 CST 2008
patches/packages/libxml2-2.6.32-i486-1_slack10.2.tgz:
  Upgraded to libxml2-2.6.32 and patched.
  This fixes vulnerabilities including denial of service, or possibly the
  execution of arbitrary code as the user running a libxml2 linked
  application if untrusted XML content is parsed.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
  (* Security fix *)
+--------------------------+
Sat Nov 15 19:22:43 CST 2008
patches/packages/mozilla-firefox-2.0.0.18-i686-1.tgz:
  Upgraded to firefox-2.0.0.18.
  This fixes some security issues:
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
  (* Security fix *)
+--------------------------+
Mon Oct 13 13:58:21 CDT 2008
patches/packages/glibc-zoneinfo-2.3.5-noarch-11_slack10.2.tgz:
  Upgraded to tzdata2008h for the latest world timezone changes.
+--------------------------+
Fri Sep 26 22:38:32 CDT 2008
patches/packages/mozilla-thunderbird-2.0.0.17-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.17.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Thu Sep 25 23:24:07 CDT 2008
patches/packages/mozilla-firefox-2.0.0.17-i686-1.tgz:
  Upgraded to firefox-2.0.0.17.
  This release fixes some more security vulnerabilities.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
  (* Security fix *)
+--------------------------+
Wed Sep 17 02:28:20 CDT 2008
patches/packages/bind-9.3.5_P2-i486-1_slack10.2.tgz:
  Upgraded to bind-9.3.5-P2.
  This version has performance gains over bind-9.3.5-P1.
+--------------------------+
Wed Sep 3 19:51:43 CDT 2008
patches/packages/php-4.4.9-i486-1_slack10.2.tgz:
  Upgraded to php-4.4.9.
  This upgrades the bundled PCRE library to fix security issues, as well as
  fixing a few other security related bugs.
  See the PHP4 ChangeLog for more details:
    http://www.php.net/ChangeLog-4.php#4.4.9
  Please note: PHP4 has been officially discontinued since last year, and
  reached the announced EOL on 2008-08-08. Sites should consider migrating
  to a supported release.
  (* Security fix *)
+--------------------------+
Mon Sep 1 21:56:29 CDT 2008
patches/packages/samba-3.0.32-i486-1_slack10.2.tgz:
  Upgraded to samba-3.0.32.
  This is a bugfix release. See the WHATSNEW.txt file in the Samba docs for
  details on what has changed.
+--------------------------+
Mon Aug 4 14:03:01 CDT 2008
patches/packages/python-2.4.5-i486-1_slack10.2.tgz:
  Upgraded to 2.4.5 and patched overflows and other security problems.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144
  (* Security fix *)
patches/packages/python-demo-2.4.5-i486-1_slack10.2.tgz: Upgraded.
patches/packages/python-tools-2.4.5-i486-1_slack10.2.tgz: Upgraded.
+--------------------------+
Mon Jul 28 22:05:06 CDT 2008
patches/packages/fetchmail-6.3.8-i486-1_slack10.2.tgz:
  Patched to fix a possible denial of service when "-v -v" options are used.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
  (* Security fix *)
patches/packages/mozilla-thunderbird-2.0.0.16-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.16.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
  (* Security fix *)
+--------------------------+
Wed Jul 23 16:27:21 CDT 2008
patches/packages/dnsmasq-2.45-i486-1_slack10.2.tgz:
  Upgraded to dnsmasq-2.45.
  It was discovered that earlier versions of dnsmasq have DNS cache
  weaknesses that are similar to the ones recently discovered in BIND.
  This new release minimizes the risk of cache poisoning.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  (* Security fix *)
+--------------------------+
Wed Jul 16 17:14:13 CDT 2008
patches/packages/mozilla-firefox-2.0.0.16-i686-1.tgz:
  Upgraded to firefox-2.0.0.16.
  This release fixes some more security vulnerabilities.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
  (* Security fix *)
+--------------------------+
Wed Jul 9 20:03:57 CDT 2008
patches/packages/bind-9.3.5_P1-i486-1_slack10.2.tgz:
  Upgraded to bind-9.3.5-P1.
  This upgrade addresses a security flaw known as the CERT VU#800113 DNS
  Cache Poisoning Issue. This is the summary of the problem from the BIND
  site:
    "A weakness in the DNS protocol may enable the poisoning of caching
    recursive resolvers with spoofed data. DNSSEC is the only full solution.
    New versions of BIND provide increased resilience to the attack."
  It is suggested that sites that run BIND upgrade to one of the new
  packages in order to reduce their exposure to DNS cache poisoning attacks.
  For more information, see:
    http://www.isc.org/sw/bind/bind-security.php
    http://www.kb.cert.org/vuls/id/800113
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  (* Security fix *)
patches/packages/mozilla-firefox-2.0.0.15-i686-1.tgz:
  Upgraded to firefox-2.0.0.15.
  This release closes several possible security vulnerabilities and bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
+--------------------------+
Wed May 28 19:46:22 CDT 2008
patches/packages/samba-3.0.30-i486-1_slack10.2.tgz:
  Upgraded to samba-3.0.30.
  This is a security release in order to address CVE-2008-1105 ("Boundary
  failure when parsing SMB responses can result in a buffer overrun").
  For more information on the security issue, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
  (* Security fix *)
+--------------------------+
Wed May 7 16:54:39 CDT 2008
patches/packages/mozilla-thunderbird-2.0.0.14-i686-1.tgz:
  Upgraded to thunderbird-2.0.0.14.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
  (* Security fix *)
testing/packages/php5/php-5.2.6-i486-1_slack10.2.tgz:
  Upgraded to php-5.2.6.
  PHP4 was standard in Slackware 10.2, which is why this package is provided
  "in place" under /testing rather than under /patches (where upgrade tools
  might mistakenly grab and install it where it would not be desirable.)
  PHP5 has never been officially supported in Slackware 10.2, but we upgrade
  it anyway... :-)
  This version of PHP contains many fixes and enhancements. Some of the fixes
  are security related, and the PHP release announcement provides this list:
  * Fixed possible stack buffer overflow in the FastCGI SAPI identified by
    Andrei Nigmatulin.
  * Fixed integer overflow in printf() identified by Maksymilian Arciemowicz.
  * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
  * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
  * Properly address incomplete multibyte chars inside escapeshellcmd()
    identified by Stefan Esser.
  * Upgraded bundled PCRE to version 7.6
  When last checked, CVE-2008-0599 was not yet open.
  However, additional information should become available at this URL:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
  The list reproduced above, as well as additional information about other fixes in PHP 5.2.6 may be found in the PHP release announcement here:
    http://www.php.net/releases/5_2_6.php
  (* Security fix *)
+--------------------------+
Mon Apr 28 23:46:17 CDT 2008
patches/packages/libpng-1.2.27-i486-1_slack10.2.tgz: Upgraded to libpng-1.2.27.
  This fixes various bugs, the most important of which have to do with the handling of unknown chunks containing zero-length data. Processing a PNG image that contains these could cause the application using libpng to crash (possibly resulting in a denial of service), could potentially expose the contents of uninitialized memory, or could cause the execution of arbitrary code as the user running libpng (though it would probably be quite difficult to cause the execution of attacker-chosen code). We recommend upgrading the package as soon as possible.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
    ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.27-README.txt
  (* Security fix *)
+--------------------------+
Sat Apr 19 23:49:25 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-3_slack10.2.tgz: Recompiled, with --without-speex (we didn't ship the speex library in Slackware anyway, but for reference this issue would be CVE-2008-1686), and with --disable-nosefart (the recently reported as insecurely demuxed NSF format).
  As before in -2, this package fixes the two regressions mentioned in the release notes for xine-lib-1.1.12:
    http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655
  (* Security fix *)
+--------------------------+
Thu Apr 17 16:25:55 CDT 2008
patches/packages/mozilla-firefox-2.0.0.14-i686-1.tgz: Upgraded to firefox-2.0.0.14.
  This upgrade fixes a potential security bug.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
+--------------------------+
Tue Apr 8 00:17:36 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-2_slack10.2.tgz: Patched to fix playback failure affecting several media formats accidentally broken in the xine-lib-1.1.11.1 release.
  Thanks to Diogo Sousa for pointing me to the new release notes on xinehq.de.
+--------------------------+
Mon Apr 7 02:04:58 CDT 2008
patches/packages/bzip2-1.0.5-i486-1_slack10.2.tgz: Upgraded to bzip2-1.0.5.
  Previous versions of bzip2 contained a buffer overread error that could cause applications linked to libbz2 to crash, resulting in a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
  (* Security fix *)
patches/packages/m4-1.4.11-i486-1_slack10.2.tgz: Upgraded to m4-1.4.11.
  In addition to bugfixes and enhancements, this version of m4 also fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code.
  For more information on these issues, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
  (* Security fix *)
+--------------------------+
Fri Apr 4 12:36:37 CDT 2008
patches/packages/openssh-5.0p1-i486-1_slack10.2.tgz: Upgraded to openssh-5.0p1.
  This version fixes a security issue where local users could hijack forwarded X connections. Upgrading to the new package is highly recommended.
  For more information on this security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
  (* Security fix *)
+--------------------------+
Mon Mar 31 23:33:58 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-1_slack10.2.tgz: Upgraded to xine-lib-1.1.11.1.
  Earlier versions of xine-lib suffer from an integer overflow which may lead to a buffer overflow that could potentially be used to gain unauthorized access to the machine if a malicious media file is played back. File types affected this time include .flv, .mov, .rm, .mve, .mkv, and .cak.
  For more information on this security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
  (* Security fix *)
+--------------------------+
Sat Mar 29 03:09:17 CDT 2008
patches/packages/mozilla-firefox-2.0.0.13-i686-1.tgz: Upgraded to firefox-2.0.0.13.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
patches/packages/xine-lib-1.1.11-i686-1_slack10.2.tgz: Earlier versions of xine-lib suffer from an array index bug that may have security implications if a malicious RTSP stream is played.
  Playback of other media formats is not affected. If you use RTSP, you should probably upgrade xine-lib.
  For more information on the security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
  (* Security fix *)
+--------------------------+
Sat Mar 1 15:55:28 CST 2008
patches/packages/mozilla-thunderbird-2.0.0.12-i686-1.tgz: Upgraded to thunderbird-2.0.0.12.
  This update fixes the following security related issues:
    MFSA 2008-12: Heap buffer overflow in external MIME bodies
    MFSA 2008-05: Directory traversal via chrome: URI
    MFSA 2008-03: Privilege escalation, XSS, Remote Code Execution
    MFSA 2008-01: Crashes with evidence of memory corruption (rv:1.8.1.12)
  For more information, see:
    http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-05.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-03.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-01.html
  These are the related CVE entries:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
  (* Security fix *)
+--------------------------+
Thu Feb 14 17:37:11 CST 2008
patches/packages/apache-1.3.41-i486-1_slack10.2.tgz: Upgraded to apache-1.3.41, the last regular release of the Apache 1.3.x series, and a security bugfix-only release.
  For more information about the security issues fixed, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
  (* Security fix *)
patches/packages/mod_ssl-2.8.31_1.3.41-i486-1_slack10.2.tgz: Upgraded to mod_ssl-2.8.31-1.3.41 to work with apache_1.3.41.
patches/packages/php-4.4.8-i486-1_slack10.2.tgz: Upgraded to php-4.4.8.
  This is a security and bugfix release. More information may be found here:
    http://bugs.php.net/43010
  This is the last regular release of PHP-4.4.x. The EOL is scheduled for 2008-08-08.
  (* Security fix *)
+--------------------------+
Tue Feb 12 23:07:34 CST 2008
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz: Upgraded to firefox-2.0.0.12.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
+--------------------------+
Mon Dec 31 18:49:52 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-10_slack10.2.tgz: Some deja vu. ;-)
  Upgraded to tzdata2007k. A new year should be started with the latest timezone data, so here it is. Happy holidays, and a happy new year to all! :-)
+--------------------------+
Mon Dec 24 15:54:26 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-9_slack10.2.tgz: Upgraded to tzdata2007j.
  A new year should be started with the latest timezone data, so here it is. Happy holidays, and a happy new year to all! :-)
+--------------------------+
Mon Dec 10 12:45:35 CST 2007
patches/packages/samba-3.0.28-i486-1_slack10.2.tgz: Upgraded to samba-3.0.28.
  Samba 3.0.28 is a security release in order to address a boundary failure in GETDC mailslot processing that can result in a buffer overrun leading to possible code execution.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6015
    http://www.samba.org/samba/history/samba-3.0.28.html
    http://secunia.com/secunia_research/2007-99/advisory/
  (* Security fix *)
+--------------------------+
Mon Dec 3 19:58:51 CST 2007
patches/packages/samba-3.0.27a-i486-1_slack10.2.tgz: Upgraded to samba-3.0.27a.
  This update fixes a crash bug regression experienced by smbfs clients caused by the fix for CVE-2007-4572.
+--------------------------+
Sat Dec 1 16:57:18 CST 2007
patches/packages/rsync-2.6.9-i486-1_slack10.2.tgz: Patched some security bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
    http://lists.samba.org/archive/rsync-announce/2007/000050.html
  (* Security fix *)
patches/packages/mozilla-firefox-2.0.0.11-i686-1.tgz: Upgraded to Firefox 2.0.0.11, which fixed a bug introduced by the 2.0.0.10 update in the feature that affected some web pages and extensions.
+--------------------------+
Tue Nov 27 16:23:07 CST 2007
patches/packages/mozilla-firefox-2.0.0.10-i686-1.tgz: Upgraded to firefox-2.0.0.10.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
+--------------------------+
Wed Nov 21 00:55:51 CST 2007
patches/packages/libpng-1.2.23-i486-1_slack10.2.tgz: Upgraded to libpng-1.2.23.
  Previous libpng versions may crash when loading malformed PNG files. It is not currently known if this vulnerability can be exploited to execute malicious code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
  (* Security fix *)
+--------------------------+
Tue Nov 20 16:49:58 CST 2007
patches/packages/mozilla-thunderbird-2.0.0.9-i686-1.tgz: Upgraded to thunderbird-2.0.0.9.
  This update fixes the following security related issues:
    URIs with invalid %-encoding mishandled by Windows (MFSA 2007-36).
    Crashes with evidence of memory corruption (MFSA 2007-29).
  OK, so the first one obviously does not affect us. :-) The second fix has to do with the same JavaScript handling problem fixed before in Firefox. JavaScript is not enabled by default in Thunderbird, and the developers (at least in MFSA 2007-36) do not recommend turning it on.
  For more information, see:
    http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4841
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
  (* Security fix *)
+--------------------------+
Fri Nov 16 17:22:18 CST 2007
patches/packages/samba-3.0.27-i486-1_slack10.2.tgz: Upgraded to samba-3.0.27.
  Samba 3.0.27 is a security release in order to address a stack buffer overflow in nmbd's logon request processing, and remote code execution in Samba's WINS server daemon (nmbd) when processing name registration followed by name query requests.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
  (* Security fix *)
+--------------------------+
Mon Nov 12 01:25:34 CST 2007
patches/packages/kdegraphics-3.4.2-i486-3_slack10.2.tgz: Patched xpdf related bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
  (* Security fix *)
patches/packages/xpdf-3.02pl2-i486-1_slack10.2.tgz: Upgraded to xpdf-3.02pl2.
  The pl2 patch fixes a crash in xpdf. Some theorize that this could be used to execute arbitrary code if an untrusted PDF file is opened, but no real-world examples are known (yet).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
  (* Security fix *)
+--------------------------+
Sat Nov 10 15:36:59 CST 2007
patches/packages/mozilla-firefox-2.0.0.9-i686-1.tgz: Upgraded to firefox-2.0.0.9.
  This upgrade improves the stability of Firefox.
  For more information, see:
    http://developer.mozilla.org/devnews/index.php/2007/11/01/firefox-2009-stability-update-now-available-for-download/
testing/packages/php5/php-5.2.5-i486-1_slack10.2.tgz: Upgraded to php-5.2.5.
  This fixes bugs and security issues.
  For more information, see:
    http://www.php.net/releases/5_2_5.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
  (* Security fix *)
+--------------------------+
Thu Nov 1 22:03:53 CDT 2007
patches/packages/cups-1.1.23-i486-2_slack10.2.tgz: Patched cups-1.1.23.
  Errors in ipp.c may allow a remote attacker to crash CUPS resulting in a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
  (* Security fix *)
+--------------------------+
Wed Oct 24 22:51:37 CDT 2007
patches/packages/mozilla-firefox-2.0.0.8-i686-1.tgz: Upgraded to firefox-2.0.0.8.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
  The ancient Firefox in slackware/xap will be left there, as we no longer change the main tree after a release. It's strongly suggested that you consider upgrading to a newer version, though.
+--------------------------+
Wed Oct 10 11:50:50 CDT 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-8_slack10.2.tgz: Upgraded to timezone data from tzcode2007h and tzdata2007h.
  This contains the latest timezone data from NIST, including some important changes to daylight savings time in Brasil and New Zealand.
+--------------------------+
Wed Sep 12 15:20:06 CDT 2007
patches/packages/openssh-4.7p1-i486-1_slack10.2.tgz: Upgraded to openssh-4.7p1.
  From the OpenSSH release notes:
    "Security bugs resolved in this release: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec."
  While it's fair to say that we here at Slackware don't see how this could be leveraged to compromise a system, a) the OpenSSH people (who presumably understand the code better) characterize this as a security bug, b) it has been assigned a CVE entry, and c) OpenSSH is one of the most commonly used network daemons. Better safe than sorry.
  More information should appear here eventually:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
  (* Security fix *)
patches/packages/samba-3.0.26a-i486-1_slack10.2.tgz: Upgraded to samba-3.0.26a.
  This fixes a security issue in all Samba 3.0.25 versions:
    "Incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin."
  For more information, see:
    http://www.samba.org/samba/security/CVE-2007-4138.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4138
  (* Security fix *)
testing/packages/php5/php-5.2.4-i486-1_slack10.2.tgz: Upgraded to php-5.2.4.
  The PHP announcement says this version fixes over 120 bugs as well as "several low priority security bugs."
  Read more about it here:
    http://www.php.net/releases/5_2_4.php
  (* Security fix *)
+--------------------------+
Sat Aug 18 15:00:32 CDT 2007
patches/packages/tcpdump-3.9.7-i486-1_slack10.2.tgz: Upgraded to libpcap-0.9.7, tcpdump-3.9.7.
  This new version fixes an integer overflow in the BGP dissector which could possibly allow remote attackers to crash tcpdump or to execute arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
  (* Security fix *)
+--------------------------+
Fri Aug 10 22:39:13 CDT 2007
patches/packages/gimp-2.2.17-i486-1_slack10.2.tgz: Upgraded to gimp-2.2.17, which fixes buffer overflows when decoding certain image types.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2949
  (* Security fix *)
patches/packages/qt-3.3.4-i486-5_slack10.2.tgz: Patched to fix several format string bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3388
  (* Security fix *)
patches/packages/xpdf-3.02pl1-i486-1_slack10.2.tgz: Upgraded to xpdf-3.02pl1.
  This fixes an integer overflow that could possibly be leveraged to run arbitrary code if a malicious PDF file is processed.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
  (* Security fix *)
+--------------------------+
Thu Jul 26 15:51:42 CDT 2007
patches/packages/bind-9.3.4_P1-i486-1_slack10.2.tgz: Upgraded to bind-9.3.4_P1 to fix a security issue.
  The query IDs in BIND9 prior to BIND 9.3.4-P1 are cryptographically weak.
  For more information on this issue, see:
    http://www.isc.org/index.pl?/sw/bind/bind-security.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
  (* Security fix *)
+--------------------------+
Wed Jun 13 22:08:36 CDT 2007
patches/packages/libexif-0.6.16-i486-1_slack10.2.tgz: Upgraded to libexif-0.6.16.
  An integer overflow in libexif can crash applications that use the library on malformed images. The upstream advisory indicates that this flaw could also be used to execute arbitrary code in the context of the user, but no exploit is known (by us) to exist among iDefense's researchers or in the wild. But, as a crash bug and heap overflow one must suppose that the possibility exists.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4168
  (* Security fix *)
+--------------------------+
Fri Jun 1 19:54:09 CDT 2007
patches/packages/mozilla-firefox-1.5.0.12-i686-1.tgz: Upgraded to firefox-1.5.0.12.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.12-i686-1.tgz: Upgraded to thunderbird-1.5.0.12.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
  (* Security fix *)
+--------------------------+
Fri Jun 1 14:54:59 CDT 2007
testing/packages/php5/php-5.2.3-i486-1_slack10.2.tgz: Upgraded to php-5.2.3.
  Here's some basic information about the release from php.net:
    "This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release."
  For more complete information, see:
    http://www.php.net/releases/5_2_3.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872
  (* Security fix *)
+--------------------------+
Fri May 25 11:27:02 CDT 2007
patches/packages/samba-3.0.25a-i486-1_slack10.2.tgz: Upgraded to samba-3.0.25a.
  This fixes some major (non-security) bugs in samba-3.0.25. See the WHATSNEW.txt for details.
+--------------------------+
Wed May 16 16:16:59 CDT 2007
patches/packages/libpng-1.2.18-i486-1_slack10.2.tgz: Upgraded to libpng-1.2.18.
  A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications. This vulnerability has been assigned the identifiers CVE-2007-2445 and CERT VU#684664.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445
  (* Security fix *)
+--------------------------+
Mon May 14 18:22:43 CDT 2007
patches/packages/samba-3.0.25-i486-1_slack10.2.tgz: Upgraded to samba-3.0.25.
  Security Fixes included in the Samba 3.0.25 release are:
    o CVE-2007-2444
      Versions: Samba 3.0.23d - 3.0.25pre2
      Local SID/Name translation bug can result in user privilege elevation
    o CVE-2007-2446
      Versions: Samba 3.0.0 - 3.0.24
      Multiple heap overflows allow remote code execution
    o CVE-2007-2447
      Versions: Samba 3.0.0 - 3.0.24
      Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447
  (* Security fix *)
+--------------------------+
Mon May 7 21:56:52 CDT 2007
patches/packages/php-4.4.7-i486-1_slack10.2.tgz: Upgraded to php-4.4.7.
  This fixes bugs and improves security.
  For more details, see:
    http://www.php.net/releases/4_4_7.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
  (* Security fix *)
testing/packages/php5/php-5.2.2-i486-1_slack10.2.tgz: Upgraded to php-5.2.2.
  This fixes bugs and improves security.
  For more details, see:
    http://www.php.net/releases/5_2_2.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
  (* Security fix *)
+--------------------------+
Thu Apr 26 12:39:47 CDT 2007
patches/packages/x11-6.8.2-i486-10_slack10.2.tgz: Fixed some bugs in the fontconfig upgrade...
  Put cache files in /var/cache/fontconfig, not /var/X11R6/var/cache/fontconfig.
  Properly locate and compress fontconfig man pages.
  Thanks to Eef Hartman for pointing these out.
patches/packages/x11-devel-6.8.2-i486-10_slack10.2.tgz: Recompiled.
patches/packages/x11-xdmx-6.8.2-i486-10_slack10.2.tgz: Recompiled.
patches/packages/x11-xnest-6.8.2-i486-10_slack10.2.tgz: Recompiled.
patches/packages/x11-xvfb-6.8.2-i486-10_slack10.2.tgz: Recompiled.
+--------------------------+
Thu Apr 19 18:53:08 CDT 2007
patches/packages/x11-6.8.2-i486-9_slack10.2.tgz: Replaced freetype library with freetype-2.3.4.
  This fixes an overflow parsing BDF fonts.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
  (* Security fix *)
  Upgraded to fontconfig-2.4.2.
patches/packages/x11-devel-6.8.2-i486-9_slack10.2.tgz: Replaced freetype library with freetype-2.3.4.
  This fixes an overflow parsing BDF fonts.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
  (* Security fix *)
  Upgraded to fontconfig-2.4.2.
patches/packages/x11-xnest-6.8.2-i486-9_slack10.2.tgz: Recompiled.
patches/packages/x11-xvfb-6.8.2-i486-9_slack10.2.tgz: Recompiled.
patches/packages/x11-xdmx-6.8.2-i486-9_slack10.2.tgz: Recompiled.
patches/packages/xine-lib-1.1.6-i686-1_slack10.2.tgz: Upgraded to xine-lib-1.1.6.
  This fixes overflows in xine-lib in some little-used media formats in xine-lib < 1.1.5 and other bugs in xine-lib < 1.1.6. The overflows in xine-lib < 1.1.5 could definitely cause an application using xine-lib to crash, and it is theorized that a malicious media file could be made to run arbitrary code in the context of the user running the application.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
  (* Security fix *)
+--------------------------+
Tue Apr 3 15:01:57 CDT 2007
patches/packages/file-4.20-i486-1_slack10.2.tgz: Upgraded to file-4.20.
  This fixes a heap overflow that could allow code to be executed as the user running file (note that there are many scenarios where file might be used automatically, such as in virus scanners or spam filters).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
  (* Security fix *)
patches/packages/qt-3.3.4-i486-4_slack10.2.tgz: Patched an issue where the Qt UTF 8 decoder may in some instances fail to reject overlong sequences, possibly allowing "/../" path injection or XSS errors.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
  (* Security fix *)
+--------------------------+
Mon Mar 26 20:54:55 CDT 2007
patches/packages/libwpd-0.8.9-i486-1_slack10.2.tgz: Upgraded to libwpd-0.8.9.
  Various overflows may lead to application crashes upon opening a specially crafted WordPerfect file. This vulnerability could also conceivably be used by an attacker to execute arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-002
  (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.11-i686-1.tgz: Upgraded to mozilla-firefox-1.5.0.11.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
+--------------------------+
Tue Mar 13 18:22:59 CDT 2007
patches/packages/php-4.4.6-i486-1_slack10.2.tgz: Upgraded to php-4.4.6.
  This version of PHP fixes a problem introduced with the last PHP release where certain applications using "register_globals" may crash.
+--------------------------+
Wed Mar 7 18:01:55 CST 2007
patches/packages/gnupg-1.4.7-i486-1_slack10.2.tgz: Upgraded to gnupg-1.4.7.
  This fixes a security problem that can occur when GnuPG is used incorrectly. Newer versions attempt to prevent such misuse.
  For more information, see:
    http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html
  (* Security fix *)
patches/packages/x11-6.8.2-i486-8_slack10.2.tgz: Patched.
  This update fixes overflows in the dbe and render extensions. This could possibly be exploited to overwrite parts of memory, possibly allowing malicious code to execute, or (more likely) causing X to crash.
  For information about some of the security fixes, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103
  (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.10-i686-1.tgz: Upgraded to firefox-1.5.0.10.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.10-i686-1.tgz: Upgraded to thunderbird-1.5.0.10.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
  (* Security fix *)
+--------------------------+
Thu Feb 22 21:13:04 CST 2007
patches/packages/php-4.4.5-i486-1_slack10.2.tgz: Upgraded to php-4.4.5 which improves stability and security.
  For complete details, see http://www.php.net.
  For information about some of the security fixes, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
  (* Security fix *)
testing/packages/php-5.2.1/php-5.2.1-i486-1_slack10.2.tgz: Upgraded to php-5.2.1 which improves stability and security.
  For information about some of the security fixes, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
  (* Security fix *)
+--------------------------+
Sun Feb 18 15:20:36 CST 2007
patches/packages/glibc-zoneinfo-2.3.5-noarch-7_slack10.2.tgz: Updated with tzdata2007b for impending Daylight Savings Time changes in the US.
+--------------------------+
Wed Feb 7 12:29:05 CST 2007
patches/packages/samba-3.0.24-i486-1_slack10.2.tgz: Upgraded to samba-3.0.24.
  From the WHATSNEW.txt file:
    "Important issues addressed in 3.0.24 include:
     o Fixes for the following security advisories:
       - CVE-2007-0452 (Potential Denial of Service bug in smbd)
       - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind NSS library on Solaris)
       - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)"
  Samba in Slackware is vulnerable to the first issue, which can cause smbd to enter into an infinite loop, disrupting Samba services. Linux is not vulnerable to the second issue, and Slackware does not ship the afsacl.so VFS plugin (but it's something to be aware of if you build Samba with custom options).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454
  (* Security fix *)
+--------------------------+
Fri Jan 26 22:46:30 CST 2007
patches/packages/bind-9.3.4-i486-1_slack10.2.tgz: Upgraded to bind-9.3.4.
  This update fixes two denial of service vulnerabilities where an attacker could crash the name server with specially crafted malformed data.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494
  (* Security fix *)
+--------------------------+
Wed Jan 24 14:15:07 CST 2007
patches/packages/fetchmail-6.3.6-i486-1_slack10.2.tgz: Upgraded to fetchmail-6.3.6.
  This fixes two security issues. First, a bug introduced in fetchmail-6.3.5 could cause fetchmail to crash. However, no stable version of Slackware ever shipped fetchmail-6.3.5. Second, a long standing bug (reported by Isaac Wilcox) could cause fetchmail to send a password in clear text or omit using TLS even when configured otherwise. All fetchmail users are encouraged to consider using getmail, or to upgrade to the new fetchmail packages.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867
  (* Security fix *)
+--------------------------+
Sat Dec 23 16:39:20 CST 2006
patches/packages/koffice-1.4.1-i486-3_slack10.2.tgz: Patched to fix a security problem with KOffice's PPT file parsing.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6120
  (* Security fix *)
patches/packages/mozilla-firefox-1.5.0.9-i686-1.tgz: Upgraded to firefox-1.5.0.9.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox
  (* Security fix *)
patches/packages/mozilla-thunderbird-1.5.0.9-i686-1.tgz: Upgraded to thunderbird-1.5.0.9.
  This upgrade fixes several possible security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
  (* Security fix *)
patches/packages/xine-lib-1.1.3-i686-1_slack10.2.tgz: Upgraded to xine-lib-1.1.3 which fixes possible security problems such as a heap overflow in libmms and a buffer overflow in the Real Media input plugin.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
  (* Security fix *)
+--------------------------+
Wed Dec 6 15:16:06 CST 2006
patches/packages/gnupg-1.4.6-i486-1_slack10.2.tgz: Upgraded to gnupg-1.4.6.
  This release fixes a severe and exploitable bug in earlier versions of gnupg. All gnupg users should update to the new packages as soon as possible.
  For details, see the information concerning CVE-2006-6235 posted on lists.gnupg.org:
    http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html
  The CVE entry for this issue may be found here:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
  This update also addresses a more minor security issue possibly exploitable when GnuPG is used in interactive mode.
  For more information about that issue, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169
  (* Security fix *)
+--------------------------+
Fri Dec 1 15:03:20 CST 2006
patches/packages/libpng-1.2.14-i486-1_slack10.2.tgz: Upgraded to libpng-1.2.14.
  This fixes a bug where a specially crafted PNG file could crash applications that use libpng.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793
  (* Security fix *)
patches/packages/proftpd-1.3.0a-i486-1_slack10.2.tgz: Upgraded to proftpd-1.3.0a plus an additional security patch.
  Several security issues were found in proftpd that could lead to the execution of arbitrary code by a remote attacker, including one in mod_tls that does not require the attacker to be authenticated first.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
  (* Security fix *)
patches/packages/tar-1.16-i486-1_slack10.2.tgz: Upgraded to tar-1.16.
This fixes an issue where files may be extracted outside of the current directory, possibly allowing a malicious tar archive, when extracted, to overwrite any of the user's files (in the case of root, any file on the system). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097 (* Security fix *) +--------------------------+ Thu Nov 9 18:04:51 CST 2006 patches/packages/mozilla-firefox-1.5.0.8-i686-1.tgz: Upgraded to firefox-1.5.0.8. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) patches/packages/mozilla-thunderbird-1.5.0.8-i686-1.tgz: Upgraded to thunderbird-1.5.0.8. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird (* Security fix *) +--------------------------+ Mon Nov 6 21:29:24 CST 2006 patches/packages/bind-9.3.2_P2-i486-1_slack10.2.tgz: Upgraded to bind-9.3.2-P2. This fixes some security issues related to previous fixes in OpenSSL. The minimum OpenSSL version was raised to OpenSSL 0.9.7l and OpenSSL 0.9.8d to avoid exposure to known security flaws in older versions (these patches were already issued for Slackware). If you have not upgraded yet, get those as well to prevent a potentially exploitable security problem in named. In addition, the default RSA exponent was changed from 3 to 65537. RSA keys using exponent 3 (which was previously BIND's default) will need to be regenerated to protect against the forging of RRSIGs. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 (* Security fix *) +--------------------------+ Fri Nov 3 23:19:57 CST 2006 patches/packages/php-4.4.4-i486-2_slack10.2.tgz: Patched the UTF-8 overflow. 
More details about the vulnerability may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465 (* Security fix *) patches/packages/screen-4.0.3-i486-1_slack10.2.tgz: Upgraded to screen-4.0.3. This addresses an issue with the way screen handles UTF-8 character encoding that could allow screen to be crashed (or possibly code to be executed in the context of the screen user) if a specially crafted sequence of pseudo-UTF-8 characters is displayed within a screen session. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573 (* Security fix *) +--------------------------+ Wed Oct 25 15:45:46 CDT 2006 patches/packages/qt-3.3.4-i486-3_slack10.2.tgz: Patched. This fixes an issue with Qt's handling of pixmap images that causes Qt linked applications to crash if a specially crafted malicious image is loaded. Inspection of the code in question makes it seem unlikely that this could lead to more serious implications (such as arbitrary code execution), but it is recommended that users upgrade to the new Qt package. For more information, see: http://www.trolltech.com/company/newsroom/announcements/press.2006-10-19.5434451733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811 (* Security fix *) +--------------------------+ Fri Sep 29 00:21:27 CDT 2006 patches/packages/openssl-0.9.7l-i486-1_slack10.2.tgz: Upgraded to shared libraries from openssl-0.9.7l. See openssl package update below. (* Security fix *) patches/packages/openssh-4.4p1-i486-1_slack10.2.tgz: Upgraded to openssh-4.4p1. This fixes a few security related issues. From the release notes found at http://www.openssh.com/txt/release-4.4: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service.
On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. Links to the CVE entries will be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052 After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set the way you want them. Future upgrades will respect the existing permissions settings. Thanks to Manuel Reimer for pointing out that upgrading openssh would enable a previously disabled sshd daemon. Do better checking of passwd, shadow, and group to avoid adding redundant entries to these files. Thanks to Menno Duursma. (* Security fix *) patches/packages/openssl-0.9.7l-i486-1_slack10.2.tgz: Upgraded to openssl-0.9.7l. This fixes a few security related issues: During the parsing of certain invalid ASN.1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory (CVE-2006-2937). (This issue did not affect OpenSSL versions prior to 0.9.7) Thanks to Dr S. N. Henson of Open Network Security and NISCC. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack (CVE-2006-2940). Thanks to Dr S. N. Henson of Open Network Security and NISCC. A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer. (CVE-2006-3738) Thanks to Tavis Ormandy and Will Drewry of the Google Security Team. A flaw in the SSLv2 client code was discovered. 
When a client application used OpenSSL to create an SSLv2 connection to a malicious server, that server could cause the client to crash (CVE-2006-4343). Thanks to Tavis Ormandy and Will Drewry of the Google Security Team. Links to the CVE entries will be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 (* Security fix *) +--------------------------+ Tue Sep 19 14:07:49 CDT 2006 patches/packages/gzip-1.3.5-i486-1_slack10.2.tgz: Upgraded to gzip-1.3.5, and fixed a variety of bugs. Some of the bugs have possible security implications if gzip or its tools are fed a carefully constructed malicious archive. Most of these issues were recently discovered by Tavis Ormandy and the Google Security Team. Thanks to them, and also to the ALT and Owl developers for cleaning up the patch. For further details about the issues fixed, please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338 (* Security fix *) +--------------------------+ Sat Sep 16 23:12:59 CDT 2006 patches/packages/x11-6.8.2-i486-7_slack10.2.tgz: Fixed an overflow in CID encoded Type1 font parsing.
For further reference, see: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740 (* Security fix *) patches/packages/x11-devel-6.8.2-i486-7_slack10.2.tgz: Recompiled. patches/packages/x11-xdmx-6.8.2-i486-7_slack10.2.tgz: Recompiled. patches/packages/x11-xnest-6.8.2-i486-7_slack10.2.tgz: Recompiled. patches/packages/x11-xvfb-6.8.2-i486-7_slack10.2.tgz: Recompiled. +--------------------------+ Thu Sep 14 19:44:27 CDT 2006 patches/packages/mozilla-firefox-1.5.0.7-i686-1.tgz: Upgraded to firefox-1.5.0.7. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) patches/packages/mozilla-thunderbird-1.5.0.7-i686-1.tgz: Upgraded to thunderbird-1.5.0.7. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird (* Security fix *) +--------------------------+ Thu Sep 14 05:30:50 CDT 2006 patches/packages/openssl-0.9.7g-i486-3_slack10.2.tgz: Patched an issue where it is possible to forge certain kinds of RSA signatures. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 patches/packages/openssl-solibs-0.9.7g-i486-3_slack10.2.tgz: Patched an issue where it is possible to forge certain kinds of RSA signatures. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 (* Security fix *) +--------------------------+ Thu Sep 7 23:41:37 CDT 2006 patches/packages/bind-9.3.2_P1-i486-1_slack10.2.tgz: Upgraded to bind-9.3.2_P1. This update addresses a denial of service vulnerability. BIND's CHANGES file says this: 2066. [security] Handle SIG queries gracefully. 
[RT #16300] The best discussion I've found is in FreeBSD's advisory, so here's a link: http://security.FreeBSD.org/advisories/FreeBSD-SA-06:20.bind.asc Also, fixed some missing man pages. (noticed by Xavier Thomassin -- thanks) (* Security fix *) +--------------------------+ Tue Aug 22 15:20:32 CDT 2006 patches/packages/glibc-2.3.5-i486-6_slack10.2.tgz: Patched an issue with kernel version parsing in ld-2.3.5.so that was leading glibc to treat 2.4 kernels with 4 version parts (such as 2.4.33.1) as if they supported NPTL, leading to a crash at boot. Added ru_RU.CP1251 locale support. Updated timezone information from tzdata2006j. Updated timezone utilities from tzcode2006j. patches/packages/glibc-i18n-2.3.5-noarch-6_slack10.2.tgz: Rebuilt. Added ru_RU.CP1251 locale support. patches/packages/glibc-profile-2.3.5-i486-6_slack10.2.tgz: Recompiled. patches/packages/glibc-solibs-2.3.5-i486-6_slack10.2.tgz: Patched an issue with kernel version parsing in ld-2.3.5.so that was leading glibc to treat 2.4 kernels with 4 version parts (such as 2.4.33.1) as if they supported NPTL, leading to a crash at boot. patches/packages/glibc-zoneinfo-2.3.5-noarch-6_slack10.2.tgz: Updated timezone information from tzdata2006j. +--------------------------+ Fri Aug 18 00:27:05 CDT 2006 patches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz: Patched vulnerabilities in libtiff which were found by Tavis Ormandy of the Google Security Team. These issues could be used to crash programs linked to libtiff or possibly to execute code as the program's user. A low risk command-line overflow in tiffsplit was also patched. 
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465 (* Security fix *) patches/packages/php-4.4.4-i486-1_slack10.2.tgz: Upgraded to php-4.4.4. Some of the security issues fixed in this release include: * Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. * Fixed possible open_basedir/safe_mode bypass in cURL extension. * Fixed a buffer overflow inside sscanf() function. (* Security fix *) testing/packages/php-5.1.5/php-5.1.5-i486-1_slack10.2.tgz: Usually packages in /testing aren't patched or upgraded after a release, but since quite a few people have probably deployed this one, and it is a network service, an upgraded package is being provided. Upgraded to php-5.1.5. Some of the security issues fixed in this release include: * Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions. * Fixed possible open_basedir/safe_mode bypass in cURL extension and on PHP 5 with realpath cache. * Fixed a buffer overflow inside sscanf() function. (* Security fix *) +--------------------------+ Sat Aug 5 01:23:15 CDT 2006 patches/packages/php-4.4.3-i486-1_slack10.2.tgz: Upgraded to php-4.4.3. From the announcement of the release: The security issues resolved include the following: * Disallow certain characters in session names. * Fixed a buffer overflow inside the wordwrap() function. * Prevent jumps to parent directory via the 2nd parameter of the tempnam() function. * Improved safe_mode check for the error_log() function. 
* Fixed cross-site scripting inside the phpinfo() function. The PHP 4.4.3 release announcement may be found on their web site: http://www.php.net (* Security fix *) +--------------------------+ Wed Aug 2 22:03:08 CDT 2006 patches/packages/gnupg-1.4.5-i486-1_slack10.2.tgz: Upgraded to gnupg-1.4.5. From the gnupg-1.4.5 NEWS file: * Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. This bug can easily be exploited for a DoS; remote code execution is not entirely impossible. (* Security fix *) +--------------------------+ Sun Jul 30 21:30:17 CDT 2006 patches/packages/mysql-4.1.21-i486-1_slack10.2.tgz: Upgraded to mysql-4.1.21. This is a bugfix and security release. For more details, see MySQL's news page about MySQL 4.1.21: http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html The CVE entry may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469 Thanks to Nino Petkov for pointing out this MySQL release to me. :-) (* Security fix *) +--------------------------+ Fri Jul 28 17:37:42 CDT 2006 patches/packages/apache-1.3.37-i486-1_slack10.2.tgz: Upgraded to apache-1.3.37. From the announcement on httpd.apache.org: This version of Apache is security fix release only. An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. The Slackware Security Team feels that the vast majority of installations will not be configured in a vulnerable way but still suggests upgrading to the new apache and mod_ssl packages for maximum security. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747 And see Apache's announcement here: http://www.apache.org/dist/httpd/Announcement1.3.html (* Security fix *) patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz: Upgraded to mod_ssl-2.8.28-1.3.37.
+--------------------------+ Thu Jul 27 16:27:14 CDT 2006 patches/packages/mozilla-firefox-1.5.0.5-i686-1.tgz: Upgraded to firefox-1.5.0.5. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) patches/packages/mozilla-thunderbird-1.5.0.5-i686-1.tgz: Upgraded to thunderbird-1.5.0.5. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird (* Security fix *) +--------------------------+ Wed Jul 26 15:51:51 CDT 2006 patches/packages/xine-lib-1.1.2-i686-1.tgz: Upgraded to xine-lib-1.1.2. According to xinehq.de's announcement: There are three security fixes: - CVE-2005-4048: possible buffer overflow in libavcodec (crafted PNGs); - CVE-2006-2802: possible buffer overflow in the HTTP plugin; - possible buffer overflow via bad indexes in specially-crafted AVI files. (* Security fix *) +--------------------------+ Tue Jul 25 14:19:42 CDT 2006 patches/packages/gimp-2.2.12-i486-1.tgz: Upgraded to gimp-2.2.12. This release fixes a security hole in the XCF parser. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404 (* Security fix *) patches/packages/mutt-1.4.2.2i-i486-1_slack10.2.tgz: Upgraded to mutt-1.4.2.2i. This release fixes CVE-2006-3242, a buffer overflow that could be triggered by a malicious IMAP server. [Connecting to malicious IMAP servers must be common, right? -- Ed.] For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242 (* Security fix *) patches/packages/x11-6.8.2-i486-6_slack10.2.tgz: Patched some more possible linux 2.6.x setuid() related bugs: http://lists.freedesktop.org/archives/xorg-announce/2006-June/000100.html Patched CVE-2006-1861 linux 2.6.x setuid() related bugs in freetype2. (* Security fix *) patches/packages/x11-devel-6.8.2-i486-6_slack10.2.tgz: Patched as above. 
(* Security fix *) patches/packages/x11-xdmx-6.8.2-i486-6_slack10.2.tgz: Rebuilt. patches/packages/x11-xnest-6.8.2-i486-6_slack10.2.tgz: Rebuilt. patches/packages/x11-xvfb-6.8.2-i486-6_slack10.2.tgz: Rebuilt. +--------------------------+ Tue Jul 18 22:44:53 CDT 2006 patches/packages/samba-3.0.23-i486-2_slack10.2.tgz: Patched a problem in nsswitch/wins.c that caused crashes in the wins and/or winbind libraries. Thanks to Mikhail Kshevetskiy for pointing out the issue and offering a reference to the patch in Samba's source repository. Also, this version of Samba evidently created a new dependency on libdm.so (found in the xfsprogs package in non -current Slackware versions). This additional dependency was not intentional, and has been corrected. +--------------------------+ Fri Jul 14 17:17:17 CDT 2006 patches/packages/samba-3.0.23-i486-1_slack10.2.tgz: Upgraded to samba-3.0.23. This fixes a minor memory exhaustion DoS in smbd. The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403 (* Security fix *) +--------------------------+ Tue Jun 27 18:48:22 CDT 2006 patches/packages/arts-1.4.2-i486-2_slack10.2.tgz: Patched to fix a possible exploit if artswrapper is setuid root (which, by default, it is not) and the system is running a 2.6 kernel. Systems running 2.4 kernels are not affected. The official KDE security advisory may be found here: http://www.kde.org/info/security/advisory-20060614-2.txt The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916 (* Security fix *) patches/packages/gnupg-1.4.4-i486-1_slack10.2.tgz: This version fixes a memory allocation issue that could allow an attacker to crash GnuPG creating a denial-of-service. 
The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082 patches/packages/kdebase-3.4.2-i486-3_slack10.2.tgz: Patched a problem with kdm where it could be abused to read any file on the system. The official KDE security advisory may be found here: http://www.kde.org/info/security/advisory-20060614-1.txt The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2449 (* Security fix *) +--------------------------+ Thu Jun 15 02:06:03 CDT 2006 patches/packages/sendmail-8.13.7-i486-1_slack10.2.tgz: Upgraded to sendmail-8.13.7. Fixes a potential denial of service problem caused by excessive recursion leading to stack exhaustion when attempting delivery of a malformed MIME message. This crashes sendmail's queue processing daemon, which in turn can lead to two problems: depending on the settings, these crashed processes may create coredumps which could fill a drive partition; and such a malformed message in the queue will cause queue processing to cease when the message is reached, causing messages that are later in the queue to not be processed. Sendmail's complete advisory may be found here: http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc Sendmail has also provided an FAQ about this issue: http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173 (* Security fix *) patches/packages/sendmail-cf-8.13.7-noarch-1_slack10.2.tgz: Upgraded to sendmail-8.13.7 configs. +--------------------------+ Sat Jun 3 16:53:29 CDT 2006 patches/packages/mozilla-firefox-1.5.0.4-i686-1.tgz: Upgraded to firefox-1.5.0.4. This upgrade fixes several possible security bugs. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) patches/packages/mozilla-thunderbird-1.5.0.4-i686-1.tgz: Upgraded to thunderbird-1.5.0.4. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird (* Security fix *) patches/packages/mysql-4.1.20-i486-1_slack10.2.tgz: Upgraded to mysql-4.1.20. This fixes an SQL injection vulnerability. For more details, see the MySQL 4.1.20 release announcement here: http://lists.mysql.com/announce/364 The CVE entry for this issue will be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753 +--------------------------+ Mon May 22 10:44:28 CDT 2006 patches/packages/bin-10.2-i486-2_10.2.tgz: Upgraded to eject-2.1.4 to fix problems with 2.6 kernels (bugfix). Patched a security problem in zoo's fullpath() function that was reported by Jean-Sebastien Guay-Leroux. At first this didn't seem like much as zoo is old and hardly used, but there are virus scanning programs that scan zoo archives. It is a possible problem on any system running zoo like this in an automated way, and (of course) could also cause problems if a user were to open a malicious zoo archive manually. (though I'd be pretty suspicious if someone were to mail me anything using "zoo" in 2006...) (* Security fix *) patches/packages/tetex-3.0-i486-2_10.2.tgz: Regenerated the etex.fmt files with etex, not pdfetex. This is more appropriate since etex is a binary, not a link to pdfetex. Thanks to John Breckenridge for reporting the issue. Added --disable-a4, and fixed the texconfig for US paper default in the build script. Thanks to Marc Benstein and Jingmin Zhou for reporting this. Improved /tmp use security. Patched a possible security issue in library code borrowed from xpdf that's used in pdfetex. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 (* Security fix *) +--------------------------+ Wed May 10 15:07:18 CDT 2006 patches/packages/apache-1.3.35-i486-2_slack10.2.tgz: Patched to fix totally broken Include behavior. Thanks to Francesco Gringoli for reporting this bug. +--------------------------+ Tue May 9 00:48:46 CDT 2006 patches/packages/apache-1.3.35-i486-1_slack10.2.tgz: Upgraded to apache-1.3.35. From the official announcement: Of particular note is that 1.3.35 addresses and fixes 1 potential security issue: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352 (* Security fix *) patches/packages/mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz: Upgraded to mod_ssl-2.8.26-1.3.35. This is an updated version designed for Apache 1.3.35. patches/packages/mysql-4.1.19-i486-1.tgz: Upgraded to mysql-4.1.19. This fixes some minor security issues with possible information leakage. Note that the information leakage bugs require that the attacker have access to an account on the database. Also note that by default, Slackware's rc.mysqld script does *not* allow access to the database through the outside network (it uses the --skip-networking option). If you've enabled network access to MySQL, it is a good idea to filter the port (3306) to prevent access from unauthorized machines. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517 (* Security fix *) +--------------------------+ Wed May 3 21:55:38 CDT 2006 patches/packages/mozilla-firefox-1.5.0.3-i686-1.tgz: Upgraded to firefox-1.5.0.3. This upgrade fixes a crash bug that could possibly be used to execute code as the Firefox user. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) +--------------------------+ Wed May 3 00:04:31 CDT 2006 patches/packages/x11-6.8.2-i486-5.tgz: Patched with x11r6.9.0-mitri.diff and recompiled. A typo in the X render extension allows an X client to crash the server and possibly to execute arbitrary code as the X server user (typically this is "root".) The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526 The advisory from X.Org may be found here: http://lists.freedesktop.org/archives/xorg/2006-May/015136.html (* Security fix *) patches/packages/x11-devel-6.8.2-i486-5.tgz: Patched and recompiled libXrender. (* Security fix *) +--------------------------+ Sun Apr 30 17:38:15 CDT 2006 patches/packages/mozilla-thunderbird-1.5.0.2-i686-1.tgz: Upgraded to thunderbird-1.5.0.2. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird (* Security fix *) +--------------------------+ Mon Apr 24 14:36:46 CDT 2006 patches/packages/mozilla-1.7.13-i486-1.tgz: Upgraded to mozilla-1.7.13. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla This release marks the end-of-life of the Mozilla 1.7.x series: http://developer.mozilla.org/devnews/index.php/2006/04/12/sunset-announcement-for-fxtb-10x-and-mozilla-suite-17x/ Mozilla Corporation is recommending that users think about migrating to Firefox and Thunderbird. (* Security fix *) +--------------------------+ Mon Apr 17 01:31:07 CDT 2006 patches/packages/mozilla-firefox-1.5.0.2-i686-1.tgz: Upgraded to firefox-1.5.0.2. This upgrade fixes several possible security bugs. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox (* Security fix *) +--------------------------+ Wed Mar 22 13:01:23 CST 2006 patches/packages/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6. This new version of sendmail contains a fix for a security problem discovered by Mark Dowd of ISS X-Force. From sendmail's advisory: Sendmail was notified by security researchers at ISS that, under some specific timing conditions, this vulnerability may permit a specifically crafted attack to take over the sendmail MTA process, allowing remote attackers to execute commands and run arbitrary programs on the system running the MTA, affecting email delivery, or tampering with other programs and data on this system. Sendmail is not aware of any public exploit code for this vulnerability. This connection-oriented vulnerability does not occur in the normal course of sending and receiving email. It is only triggered when specific conditions are created through SMTP connection layer commands. Sendmail's complete advisory may be found here: http://www.sendmail.com/company/advisory/index.shtml The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058 (* Security fix *) patches/packages/sendmail-cf-8.13.6-noarch-1.tgz: Upgraded to sendmail-8.13.6 configuration files. +--------------------------+ Mon Mar 13 20:42:48 CST 2006 patches/packages/gnupg-1.4.2.2-i486-1.tgz: Upgraded to gnupg-1.4.2.2. There have been two security related issues reported recently with GnuPG. From the GnuPG 1.4.2.1 and 1.4.2.2 NEWS files: Noteworthy changes in version 1.4.2.2 (2006-03-08) * Files containing several signed messages are not allowed any longer as there is no clean way to report the status of such files back to the caller. To partly revert to the old behaviour the new option --allow-multisig-verification may be used. 
Noteworthy changes in version 1.4.2.1 (2006-02-14) * Security fix for a verification weakness in gpgv. Some input could lead to gpgv exiting with 0 even if the detached signature file did not carry any signature. This is not as fatal as it might seem because the suggestion has always been not to rely on the exit code but to parse the --status-fd messages. However it is likely that gpgv is used in that simplified way and thus we do this release. Same problem with "gpg --verify" but nobody should have used this for signature verification without checking the status codes anyway. Thanks to the taviso from Gentoo for reporting this problem. (* Security fix *) +--------------------------+ Tue Feb 14 16:08:52 CST 2006 patches/packages/php-4.4.2-i486-3.tgz: Fixed some more bugs from the 4.4.2 release... hopefully the third time is the charm. Replaced PEAR packages for which the 4.4.2 release contained incorrect md5sums: Archive_Tar-1.3.1, Console_Getopt-1.2, and HTML_Template_IT-1.1.3. (this last one was also not upgraded to the stable version that was released on 2005-11-01) Sorry to have delayed the advisories, but these bugs had to be fixed first. IMHO, the security issues are of dubious severity anyway, or a more aggressive approach would have been taken (though this would likely have caused a lot of people to upgrade to the broken -1 or -2 package revisions, so anyone who didn't know about this until now was probably saved a hassle.) Upgraded other PEAR modules to HTTP-1.4.0, Net_SMTP-1.2.8, and XML_RPC-1.4.5. Thanks again to Krzysztof Oledzki for the bug report. +--------------------------+ Fri Feb 10 17:32:28 CST 2006 patches/packages/php-4.4.2-i486-2.tgz: Rebuilt the package to clean up some junk dotfiles that were installed in the / directory. Harmless, but sloppy... Thanks to Krzysztof Oledzki for pointing this out. +--------------------------+ Thu Feb 9 15:09:26 CST 2006 patches/packages/fetchmail-6.3.2-i486-1.tgz: Upgraded to fetchmail-6.3.2.
Presumably this replaces all the known security problems with a batch of new unknown ones. (fetchmail is improving, really ;-) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321 (* Security fix *) patches/packages/imagemagick-6.2.3_3-i486-2.tgz: Patched and recompiled. Several security issues have been backported to this release. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082 (* Security fix *) patches/packages/kdegraphics-3.4.2-i486-2.tgz: Patched integer and heap overflows in kpdf to fix possible security bugs with malformed PDF files. For more information, see: http://www.kde.org/info/security/advisory-20051207-2.txt http://www.kde.org/info/security/advisory-20060202-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 (* Security fix *) patches/packages/kdelibs-3.4.2-i486-2.tgz: Patched a heap overflow vulnerability in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. For more information, see: http://www.kde.org/info/security/advisory-20060119-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019 (* Security fix *) patches/packages/mozilla-firefox-1.5.0.1-i686-1.tgz: Upgraded to firefox-1.5.0.1. This fixes a DoS issue and some other security bugs. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.1 (* Security fix *) patches/packages/openssh-4.3p1-i486-1.tgz: Upgraded to openssh-4.3p1. This fixes a security issue when using scp to copy files that could cause commands embedded in filenames to be executed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225 (* Security fix *) patches/packages/php-4.4.2-i486-1.tgz: Upgraded to php-4.4.2. Claims to fix "a few small security issues". For more information, see: http://www.php.net/release_4_4_2.php (* Security fix *) patches/packages/sudo-1.6.8p12-i486-1.tgz: Upgraded to sudo-1.6.8p12. This fixes an issue where a user able to run a Python script through sudo may be able to gain root access. IMHO, running any kind of scripting language from sudo is still not safe... For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0151 (* Security fix *) patches/packages/xpdf-3.01-i486-3.tgz: Recompiled with xpdf-3.01pl2.patch to fix integer and heap overflows in xpdf triggered by malformed PDF files. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 (* Security fix *) +--------------------------+ Fri Dec 9 20:19:31 CST 2005 patches/packages/bash-3.0-i486-4.tgz: Fixed an obscure bug where suspending the first process started in a new shell would cause the shell to hang. Thanks to Grant Coady for discovering and fixing this bug. 
patches/packages/bzip2-1.0.3-i486-2.tgz: Patched a minor bug in the libbz2 shared library Makefile to enable support for large files. Thanks to Timothy C. McGrath and Manuel Jose Blanca Molinos both of whom pointed out this problem and provided fixes. patches/packages/php-4.4.1-i486-2.tgz: Recompiled with a patch from PHP CVS that fixes issues with SquirrelMail and possibly other PHP applications. I'd hoped there would be a new PHP out quickly to address this but since there isn't I'm making an exception to the usual policy here on merging patches from CVS as a fair number of users seem to be affected by this issue. Let me know if this doesn't help or if any undesired side effects are noticed. This problem was first reported here by Gerardo Exequiel Pozzi, but was later reported by too many people to list. Thanks, everyone! :-) +--------------------------+ Mon Nov 7 19:54:57 CST 2005 patches/packages/elm-2.5.8-i486-1.tgz: Upgraded to elm2.5.8. This fixes a buffer overflow in the parsing of the Expires header that could be used to execute arbitrary code as the user running Elm. Thanks to Ulf Harnhammar for finding the bug and reminding me to get out updated packages to address the issue. A reference to the original advisory: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html +--------------------------+ Sat Nov 5 22:05:29 CST 2005 patches/packages/apache-1.3.34-i486-1.tgz: Upgraded to apache-1.3.34. Fixes this minor security bug: "If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks." (* Security fix *) patches/packages/curl-7.12.2-i486-2.tgz: Patched. This addresses a buffer overflow in libcurl's NTLM function that could have possible security implications. 
For more details, see: http://curl.haxx.se/docs/security.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185 (* Security fix *) patches/packages/imapd-4.64-i486-1.tgz: Upgraded to imapd-4.64. A buffer overflow was reported in the mail_valid_net_parse_work function. However, this function in the c-client library does not appear to be called from anywhere in imapd. iDefense states that the issue is of LOW risk to sites that allow users shell access, and LOW-MODERATE risk to other servers. I believe it's possible that it is of NIL risk if the function is indeed dead code to imapd, but draw your own conclusions... (* Security fix *) patches/packages/koffice-1.4.1-i486-2.tgz: Patched. Fixes a buffer overflow in KWord's RTF import discovered by Chris Evans. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971 (* Security fix *) patches/packages/libxml2-2.6.22-i486-1.tgz: Upgraded to libxml2-2.6.22. This fixes an issue where libxml2 had declared a variable XML_FEATURE_UNICODE that was already used by the expat headers, causing PHP to fail to compile when using Slackware's combination of ./configure options. patches/packages/lynx-2.8.5rel.5-i486-1.tgz: Upgraded to lynx-2.8.5rel.5. Fixes an issue where the handling of Asian characters when using lynx to connect to an NNTP server (is this a common use?) could result in a buffer overflow causing the execution of arbitrary code. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120 (* Security fix *) patches/packages/mod_ssl-2.8.25_1.3.34-i486-1.tgz: Upgraded to mod_ssl-2.8.25-1.3.34. patches/packages/php-4.4.1-i486-1.tgz: Upgraded to php-4.4.1. Fixes a number of bugs, including several minor security fixes relating to the overwriting of the GLOBALS array. (* Security fix *) patches/packages/pine-4.64-i486-1.tgz: Upgraded to pine-4.64. patches/packages/samba-3.0.20b-i486-1.tgz: Upgraded to samba-3.0.20b. This includes various bugfixes. 
Thanks to Christopher Linnet for reporting that this fixes a problem with printing to a printer on an XP machine from CUPS. If you use such a configuration, you'll want this upgrade for sure. patches/packages/wget-1.10.2-i486-1.tgz: Upgraded to wget-1.10.2. This addresses a buffer overflow in wget's NTLM handling function that could have possible security implications. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185 (* Security fix *) +--------------------------+ Thu Oct 13 13:57:25 PDT 2005 patches/packages/openssl-0.9.7g-i486-2.tgz: Patched. Fixed a vulnerability that could, in rare circumstances, allow an attacker acting as a "man in the middle" to force a client and a server to negotiate the SSL 2.0 protocol (which is known to be weak) even if these parties both support SSL 3.0 or TLS 1.0. For more details, see: http://www.openssl.org/news/secadv_20051011.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969 (* Security fix *) patches/packages/openssl-solibs-0.9.7g-i486-2.tgz: Patched. (* Security fix *) +--------------------------+ Mon Oct 10 15:15:24 PDT 2005 patches/packages/xine-lib-1.0.3a-i686-1.tgz: Upgraded to xine-lib-1.0.3a. This fixes a format string bug where an attacker, if able to upload malicious information to a CDDB server and then get a local user to play a certain audio CD, may be able to run arbitrary code on the machine as the user running the xine-lib linked application. For more information, see: http://xinehq.de/index.php/security/XSA-2005-1 (* Security fix *) +--------------------------+ Wed Oct 5 13:05:39 PDT 2005 patches/packages/mozilla-thunderbird-1.0.7-i686-1.tgz: Upgraded to thunderbird-1.0.7. This fixes a security issue where URLs passed on the command line to the thunderbird shell script were not correctly protected against interpretation by the shell. As a result, a malicious URL could contain embedded shell commands which would then be executed as the user running Thunderbird. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird (* Security fix *) +--------------------------+ Sun Sep 25 22:03:45 PDT 2005 patches/packages/x11-6.8.2-i486-4.tgz: Rebuilt with a modified patch for an earlier pixmap overflow issue. The patch released by X.Org was slightly different than the one that was circulated previously, and is an improved version. There have been reports that the earlier patch broke WINE and possibly some other programs. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495 (* Security fix *) patches/packages/x11-xdmx-6.8.2-i486-4.tgz: Patched and rebuilt. patches/packages/x11-xnest-6.8.2-i486-4.tgz: Patched and rebuilt. patches/packages/x11-xvfb-6.8.2-i486-4.tgz: Patched and rebuilt. patches/packages/mozilla-1.7.12-i486-1.tgz: Upgraded to mozilla-1.7.12. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla (* Security fix *) patches/packages/mozilla-firefox-1.0.7-i686-1.tgz: Upgraded to firefox-1.0.7. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox (* Security fix *) +--------------------------+ Tue Sep 13 12:24:53 PDT 2005 Slackware 10.2 is released. Thanks to everyone who helped make it possible. Enjoy! :-) +--------------------------+ Tue Sep 13 10:54:29 PDT 2005 xap/gxine-0.4.8-i486-2.tgz: Fixed gxine.desktop icon path. (Thanks to Peter Eszlari) extra/isdn4k-utils/isdn4k-utils-CVS-2005-08-21.tar.bz2: Upgraded to a recent snapshot of isdn4k-utils. +--------------------------+ Tue Sep 13 02:15:06 PDT 2005 x/x11-6.8.2-i486-3.tgz: Patched an integer overflow in the X server pixmap memory allocation that could potentially allow any X user to execute arbitrary code with root privileges.
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495 (* Security fix *) x/x11-devel-6.8.2-i486-3.tgz: Recompiled. x/x11-docs-6.8.2-noarch-3.tgz: Rebuilt. x/x11-docs-html-6.8.2-noarch-3.tgz: Rebuilt. x/x11-fonts-100dpi-6.8.2-noarch-3.tgz: Rebuilt. x/x11-fonts-cyrillic-6.8.2-noarch-3.tgz: Rebuilt. x/x11-fonts-misc-6.8.2-noarch-3.tgz: Rebuilt. x/x11-fonts-scale-6.8.2-noarch-3.tgz: Rebuilt. x/x11-xdmx-6.8.2-i486-3.tgz: Recompiled. x/x11-xnest-6.8.2-i486-3.tgz: Recompiled. x/x11-xvfb-6.8.2-i486-3.tgz: Recompiled. +--------------------------+ Mon Sep 12 22:48:09 PDT 2005 a/util-linux-2.12p-i486-2.tgz: Patched an issue with umount where if the umount failed when the '-r' option was used, the filesystem would be remounted read-only but without any extra flags specified in /etc/fstab. This could allow an ordinary user able to mount a floppy or CD (but with nosuid, noexec, nodev, etc in /etc/fstab) to run a setuid binary from removable media and gain root privileges. Reported to BugTraq by David Watson: http://www.securityfocus.com/archive/1/410333 (* Security fix *) ap/mdadm-2.1-i486-1.tgz: Upgraded to mdadm-2.1. n/dnsmasq-2.23-i486-1.tgz: Upgraded to dnsmasq-2.23. n/nmap-3.93-i486-1.tgz: Upgraded to nmap-3.93. extra/k3b/k3b-0.12.4a-i486-1.tgz: Upgraded to k3b-0.12.4a. extra/k3b/k3b-i18n-0.12.4-noarch-1.tgz: Upgraded to k3b-i18n-0.12.4. +--------------------------+ Mon Sep 12 19:02:13 PDT 2005 a/aaa_elflibs-10.2.0-i486-3.tgz: Upgraded PCRE library. a/dcron-2.3.3-i486-5.tgz: Added a patch to keep dcron from improperly forking extra copies of itself in some circumstances. (Thanks to Henrik Carlqvist) a/mkinitrd-1.0.1-i486-3.tgz: Added tftp support to busybox, updated README.initrd examples to refer to the 2.6.13 kernel. ap/sox-12.17.8-i486-1.tgz: Upgraded to sox-12.17.8. (Thanks to Peter Eszlari) ap/vorbis-tools-1.1.1-i486-1.tgz: Upgraded to vorbis-tools-1.1.1. 
(Thanks to Peter Eszlari) l/libvorbis-1.1.1-i486-1.tgz: Upgraded to libvorbis-1.1.1. (Thanks to Peter Eszlari) l/libxml2-2.6.21-i486-1.tgz: Upgraded to libxml2-2.6.21. l/libxslt-1.1.15-i486-1.tgz: Upgraded to libxslt-1.1.15. l/pcre-6.4-i486-1.tgz: Upgraded to pcre-6.4. n/dhcpcd-1.3.22pl4-i486-2.tgz: Patched an issue where a remote attacker can cause dhcpcd to crash. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1848 (* Security fix *) n/wget-1.10.1-i486-3.tgz: Install /etc/wgetrc properly. (Thanks to Fred Emmott) xap/gftp-2.0.18-i486-1.tgz: Upgraded to gftp-2.0.18. (Thanks to Peter Eszlari) xap/gxine-0.4.7-i486-1.tgz: Upgraded to gxine-0.4.8. xap/sane-1.0.16-i486-1.tgz: Upgraded to sane-backends-1.0.16. xap/xchat-2.4.5-i486-1.tgz: Upgraded to xchat-2.4.5. xap/xpdf-3.01-i486-2.tgz: Added missing Bulgarian.nameToUnicode. (Thanks to Dimitar Zhekov) xap/xsane-0.97-i486-1.tgz: Upgraded to xsane-0.97. extra/slackpkg/slackpkg-1.5.2-noarch-2.tgz: Upgraded to slackpkg-1.5.2-noarch-2. (Thanks to Piter Punk) +--------------------------+ Sat Sep 10 22:21:22 PDT 2005 OK, everything was set in stone except for these things. ;-) There may still be a couple more changes (maybe), but this is pretty close. a/aaa_base-10.2.0-noarch-2.tgz: Fixed rp-pppoe version number in email to root. (thanks to Piter Punk) a/aaa_elflibs-10.2.0-i486-2.tgz: Upgraded glib libraries to 2.6.6. a/bash-3.0-i486-3.tgz: Added bash patch bash30-016. (suggested by Fredrik Rinnestam and Xavier Thomassin) Added a patch to prevent an issue with newer glibc versions and 2.4.x kernels that leads to a bash hang if bash is recompiled on such a system. (Thanks to Fredrik Rinnestam) a/glibc-solibs-2.3.5-i486-5.tgz: Recompiled against header files from linux 2.4.31 (linuxthreads version) and linux 2.6.13 (NPTL version). a/glibc-zoneinfo-2.3.5-noarch-5.tgz: Rebuilt. ap/vim-6.3.086-i486-1.tgz: Upgraded vim to patchlevel 86, and upgraded to ctags-5.5.4. 
l/esound-0.2.36-i486-1.tgz: Upgraded to esound-0.2.36. l/glib2-2.6.6-i486-1.tgz: Upgraded to glib-2.6.6. l/glibc-2.3.5-i486-5.tgz: Recompiled. l/glibc-i18n-2.3.5-noarch-5.tgz: Rebuilt. l/glibc-profile-2.3.5-i486-5.tgz: Recompiled. l/gtk+2-2.6.10-i486-1.tgz: Upgraded to gtk+-2.6.10. l/pango-1.8.2-i486-1.tgz: Upgraded to pango-1.8.2. Thanks to Giacomo Lozito for pointing the bugfix releases of glib, gtk+, and pango out. The 2.8 series still needs time to stabilize and may present some compatibility issues (just a guess), and the version bump on atk-1.10.1 makes me want to play it safe on that one as well. We'll get to those in the next -current. l/sdl-1.2.9-i486-1.tgz: Upgraded to SDL-1.2.9, SDL_image-1.2.4, SDL_mixer-1.2.6, and SDL_ttf-2.0.7. n/nmap-3.90-i486-1.tgz: Upgraded to nmap-3.90. (suggested by many :-) n/wget-1.10.1-i486-2.tgz: Change /etc/wgetrc to /etc/wgetrc.new so that it'll be protected from replacement the next time this package is upgraded. Suggested by Luigi Genoni. xap/xvim-6.3.086-i486-1.tgz: Upgraded X version of vim to patchlevel 86, and upgraded to ctags-5.5.4. +--------------------------+ Thu Sep 8 17:48:59 PDT 2005 extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.13-i486-1.tgz: Recompiled for 2.6.13. Thanks to xgizzmo for catching the omission. +--------------------------+ Thu Sep 8 13:24:58 PDT 2005 OK folks, this is just about ready to go. Consider nearly everything to be set in stone at this point, especially the kernels. Zipslack has yet to be built, and some of the documentation needs minor updating, but for the most part this is how Slackware 10.2 is going to look. Expect a release to happen sometime within the next week or so. Also, a bit of advance warning: I'm going to be removing most of the ISO images for old Slackware releases from ftp.slackware.com in order to make room for the new release, so if you're running a mirror site and want to save those, move them elsewhere now before they go. 
The ISO images at slackware.osuosl.org in /pub/slackware-iso/ will remain, but the ones at ftp.slackware.com and other sites under /pub/slackware are all potentially on the chopping block. a/aaa_base-10.2.0-noarch-1.tgz: Bumped version number to 10.2. Edited initial email. a/aaa_elflibs-10.2.0-i486-1.tgz: Updated initial library collection. a/bin-10.2-i486-1.tgz: Upgraded to file-4.15. a/cxxlibs-5.0.7-i486-1.tgz: Upgraded to libstdc++.so.5.0.7 from gcc-3.3.6. a/gawk-3.1.5-i486-1.tgz: Upgraded to gawk-3.1.5. a/hotplug-2004_09_23-noarch-5.tgz: Fix a minor syntax error in rc.hotplug. (the logging test was always true even if syslogd was not running) Thanks to Luis Castilho. Blacklisted a new framebuffer module (arcfb.ko) in 2.6.13. a/pkgtools-10.2.0-i486-5.tgz: Upgraded to dialog-1.0-20050306, which fixes a bug that prevented the install-packages scripts from working. Thanks to Krzysztof Oledzki for pointing out this bug. a/reiserfsprogs-3.6.19-i486-1.tgz: Upgraded to reiserfsprogs-3.6.19. a/usbutils-0.11-i486-3.tgz: Upgraded to latest usb.ids. Note that newer versions of usbutils no longer include the usbmodules utility, which breaks hotplugging of USB devices on 2.4.x kernels, so until the default kernel is a 2.6.x version, this is the best version of usbutils to include. a/utempter-1.1.3-i486-1.tgz: Upgraded to libutempter-1.1.3. ap/groff-1.19.1-i486-3.tgz: Fixed a /tmp bug in groffer. Groffer is a script to display formatted output on the console or X, and is not normally used in other scripts (for printers, etc) like most groff components are. The risk from this bug is probably quite low. The fix was pulled from the just-released groff-1.19.2. With Slackware 10.2 just around the corner it didn't seem prudent to upgrade to that -- the diff from 1.19.1 to 1.19.2 is over a megabyte compressed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0969 (* Security fix *) ap/zsh-4.2.5-i486-1.tgz: Upgraded to zsh-4.2.5. 
d/clisp-2.35-i486-1.tgz: Upgraded to clisp-2.35. d/libtool-1.5.20-i486-1.tgz: Upgraded to libtool-1.5.20. d/subversion-1.2.3-i486-1.tgz: Added subversion-1.2.3. This will be the last last-minute addition in this release cycle. Suggested by many. :-) kde/kdebase-3.4.2-i486-2.tgz: Patched a bug in Konqueror's handling of characters such as '*', '[', and '?'. Generated new kdm config files. Added /opt/kde/man to $MANPATH. Patched a security bug in kcheckpass that could allow a local user to gain root privileges. For more information, see: http://www.kde.org/info/security/advisory-20050905-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494 (* Security fix *) l/jre-1_5_0_04-i586-2.tgz: Added /usr/lib/mozilla/plugins directory with a link to the Java plugin. l/t1lib-5.1.0-i486-1.tgz: Upgraded to t1lib-5.1.0. n/dhcp-3.0.3-i486-1.tgz: Upgraded to dhcp-3.0.3. n/iproute2-2.6.11_050330-i486-2.tgz: Fixed symlinks in /sbin. Thanks to Krzysztof Oledzki for the Makefile patch. n/mod_ssl-2.8.24_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.24-1.3.33. From the CHANGES file: Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700 (* Security fix *) n/openssh-4.2p1-i486-1.tgz: Upgraded to openssh-4.2p1. From the OpenSSH 4.2 release announcement: SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic ("-D") port forwardings when no listen address was explicitly specified. (* Security fix *) n/php-4.4.0-i486-4.tgz: Added --with-dom. Suggested by Joao Carvalho. n/ppp-2.4.4b1-i486-1.tgz: Upgraded to ppp-2.4.4b1. This should fix the issues people were having with demand dialing and persistent connections. n/rp-pppoe-3.6-i486-1.tgz: Upgraded to rp-pppoe-3.6.
Thanks to Erik Jan Tromp for the build script improvements. n/samba-3.0.20-i486-2.tgz: Fixed /usr/doc/samba-3.0.20/docs/using_samba symlink. Thanks to Valentin Avram for the bug report. n/tcpip-0.17-i486-35.tgz: Changed to a cleaner telnet patch borrowed from OpenBSD. Two people, both using Slackware 9.1, informed me that the previous patch for telnet was causing a segfault when used with short hostnames from /etc/hosts (such as localhost). If anyone is having a similar problem with other versions of Slackware, let me know. Thanks to Dragan Simic for telling me about the improved patch. Fixed a minor syntax error in rc.inet1 in the test for syslogd.pid. (Thanks to Luis Castilho) Added brctl and vconfig. (suggested by Jan Rafaj) Increased timeout for dhcpcd. Fixed a bit of bad grammar in rc.inet1.conf. ("appending" -> "prepending") Added a new option "DHCP_IPADDR" to rc.inet1.conf to ask the DHCP server for a specific IP address. (Thanks to James Michael Fultz for these last two) n/wget-1.10.1-i486-1.tgz: Upgraded to wget-1.10.1. xap/jre-symlink-1.0.6-noarch-2: Removed. This is obsolete now that the Java packages contain symlinks in /usr/lib/mozilla/plugins and Mozilla and Firefox have been patched to search for plugins in that directory. xap/mozilla-1.7.11-i486-2.tgz: Patched mozilla startup script to search for plugins in /usr/lib/mozilla/plugins after searching in /usr/lib/mozilla-1.7.11/plugins. xap/mozilla-firefox-1.0.6-i686-2.tgz: Patched firefox startup script to search for plugins in /usr/lib/mozilla/plugins after searching in /usr/lib/firefox-1.0.6/plugins. xap/xpdf-3.01-i486-1.tgz: Upgraded to xpdf-3.01. extra/bash-completion/bash-completion-20050721-noarch-1.tgz: Upgraded to bash-completion-20050721. extra/brltty/brltty-3.6.1-i486-1.tgz: Upgraded to brltty-3.6.1. extra/grub/grub-0.97-i486-1.tgz: Upgraded to grub-0.97. Thanks to Kent Robotti for the new version of grubconfig. 
extra/jdk-1.5.0_04/jdk-1_5_0_04-i586-2.tgz: Added /usr/lib/mozilla/plugins directory with a link to the Java plugin. extra/slackpkg/slackpkg-1.5.1-noarch-2.tgz: Upgraded to slackpkg-1.5.1-noarch-2. (Thanks to Piter Punk) extra/slacktrack/slacktrack-1.26-i486-1.tgz: Upgraded to slacktrack-1.26_1. (Thanks to Stuart Winter) extra/slacktrack/slacktrack-examples-v1.01.tar.gz: Upgraded slacktrack build script examples. kernels/test26.s/: Added a 2.6.13 install kernel. rootdisks/install.*, isolinux/initrd.img: Fixed install size estimate. testing/packages/gnupg-1.4.2-i486-1.tgz: Upgraded to gnupg-1.4.2. testing/packages/linux-2.6.13/alsa-driver-1.0.9b_2.6.13-i486-1.tgz: Recompiled against Linux 2.6.13. testing/packages/linux-2.6.13/kernel-generic-2.6.13-i486-1.tgz: Upgraded to Linux 2.6.13 generic kernel. testing/packages/linux-2.6.13/kernel-headers-2.6.13-i386-1.tgz: Upgraded to Linux 2.6.13 kernel headers for x86. testing/packages/linux-2.6.13/kernel-modules-2.6.13-i486-1.tgz: Upgraded to Linux 2.6.13 kernel modules. testing/packages/linux-2.6.13/kernel-source-2.6.13-noarch-1.tgz: Upgraded to Linux 2.6.13 kernel source. testing/packages/lvm2/device-mapper-1.01.04-i486-1.tgz: Upgraded to device-mapper.1.01.04. testing/packages/lvm2/lvm2-2.01.09-i486-1.tgz: Upgraded to LVM2.2.01.09. testing/packages/php-5.0.5/php-5.0.5-i486-4.tgz: Upgraded to php-5.0.5 with --with-dom and --with-curl options. +--------------------------+ Tue Aug 30 13:01:43 PDT 2005 a/jfsutils-1.1.8-i486-1.tgz: Upgraded to jfsutils-1.1.8. a/pciutils-2.1.11-i486-6.tgz: Updated pci.ids. a/procps-3.2.5-i486-1.tgz: Upgraded to procps-3.2.5. Thanks to Stuart Winter for informing me that newer 2.6 kernels needed this. ap/espgs-8.15rc4-i486-1.tgz: Upgraded to espgs-8.15rc4. ap/mysql-4.1.14-i486-1.tgz: Upgraded to mysql-4.1.14. kde/kdeedu-3.4.2-i486-2.tgz: Fixed a minor /tmp bug in kvoctrain. (* Security fix *) l/pcre-6.3-i486-1.tgz: Upgraded to pcre-6.3. 
This fixes a buffer overflow that could be triggered by the processing of a specially crafted regular expression. Theoretically this could be a security issue if regular expressions are accepted from untrusted users to be processed by a user with greater privileges, but this doesn't seem like a common scenario (or, for that matter, a good idea). However, if you are using an application that links to the shared PCRE library and accepts outside input in such a manner, you will want to update to this new package. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) n/php-4.4.0-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) Recompiled with support for mbstring and cURL. Thanks to Gerardo Exequiel Pozzi for pointing out that the new MySQL uses UTF-8, which in turn requires that PHP support multibyte strings. Also, thanks to Amrit for mentioning that the PHP cURL extensions are useful and should be included. n/samba-3.0.20-i486-1.tgz: Upgraded samba-3.0.20. xap/gaim-1.5.0-i486-1.tgz: Upgraded to gaim-1.5.0. This fixes some more security issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370 (* Security fix *) testing/packages/linux-2.6.12.5/alsa-driver-1.0.9b_2.6.12.5-i486-1.tgz Recompiled against Linux 2.6.12.5. testing/packages/linux-2.6.12.5/kernel-generic-2.6.12.5-i486-1.tgz Upgraded to Linux 2.6.12.5 generic kernel.
testing/packages/linux-2.6.12.5/kernel-headers-2.6.12.5-i386-1.tgz Upgraded to Linux 2.6.12.5 kernel headers for x86. testing/packages/linux-2.6.12.5/kernel-modules-2.6.12.5-i486-1.tgz Upgraded to Linux 2.6.12.5 kernel modules. testing/packages/linux-2.6.12.5/kernel-source-2.6.12.5-noarch-1.tgz Upgraded to Linux 2.6.12.5 kernel source. testing/packages/php-5.0.4/php-5.0.4-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) Recompiled with support for mbstring, cURL, and XSLT. Thanks to Den (aka Diesel) for suggesting XSLT. +--------------------------+ Thu Aug 4 22:33:48 PDT 2005 a/e2fsprogs-1.38-i486-2.tgz: Make sure pkgconfig files go to the right place (/usr/lib/pkgconfig). Thanks to Chad Corkrum. n/links-2.1pre18-i486-1.tgz: Upgraded to links-2.1pre18, which fixes some bugs in Javascript handling. Suggested by Roberto Leandrini. extra/bittornado/bittornado-0.3.12-noarch-1.tgz: Upgraded to bittornado-0.3.12. Suggested by Adam Young. +--------------------------+ Thu Aug 4 13:35:29 PDT 2005 a/sysvinit-2.84-i486-56.tgz: Enable swapping again in rc.S after all local filesystems are mounted read-write. This makes sure that swapfiles get activated with 2.6 kernels. Thanks to Jingmin (Jimmy) Zhou. a/e2fsprogs-1.38-i486-1.tgz: Upgraded to e2fsprogs-1.38, needed for new ext2fs boot label support. Thanks to Jerome Pinot for the heads-up. l/taglib-1.4-i486-1.tgz: Upgraded to taglib-1.4, which will be needed by various projects soon. Thanks to Sergei Mutovkin. xap/xmms-1.2.10-i486-3.tgz: Patched a pause bug in XMMS. 
Thanks to Erik Jan Tromp for the bug report and patch. extra/ham/gmfsk-0.6-i486-2.tgz: Rebuilt to work with hamlib-1.2.4. extra/ham/hamlib-1.2.4-i486-1.tgz: Upgraded to hamlib-1.2.4. extra/ham/proj-4.4.9-i486-1.tgz: Upgraded to proj-4.4.9. extra/ham/tlf-0.9.23-i486-1.tgz: Upgraded to tlf-0.9.23. extra/ham/xastir-1.6.0-i486-1.tgz: Upgraded to xastir-1.6.0. extra/ham/xconvers-0.8.3-i486-1.tgz: Upgraded to xconvers-0.8.3. extra/ham/xlog-1.2.2-i486-1.tgz: xlog-1.2.2. Thanks to Arno Verhoeven for all the ham radio package updates! +--------------------------+ Tue Aug 2 22:34:49 PDT 2005 n/proftpd-1.2.10-i486-4.tgz: Added mod_ctrls_admin module, which is needed to make use of --enable-ctrls. Thanks again to Roberto Leandrini. +--------------------------+ Tue Aug 2 15:34:18 PDT 2005 Hi folks, I think it's time to consider this to be mostly frozen and concentrate on beta testing in preparation for the Slackware 10.2 release, so there won't be too many more upgrades and additions. Things are going to be pretty busy for me over the next couple of weeks besides working on getting 10.2 finalized, but let me know about any issues that need fixing before the release and I'll get to them just as soon as I can. Have fun! kde/kdepim-3.4.2-i486-2.tgz: Patched a bug in KMail. n/proftpd-1.2.10-i486-3.tgz: Recompiled with --enable-ctrls and --enable-ipv6. Suggested by Roberto Leandrini. xap/xine-lib-1.0.2-i686-1.tgz: Upgraded to xine-lib-1.0.2. xap/xine-ui-0.99.4-i686-1.tgz: Upgraded to xine-ui-0.99.4. extra/blackbox-0.70.0/blackbox-0.70.0-i486-1.tgz: Added blackbox-0.70.0. This isn't in slackware/xap because there were some things about it that struck me as not quite right, like the removal of i18n support, and that the themes didn't seem to work any more (or at least weren't included). If it's something I'm doing wrong, let me know, otherwise this can stay here for now... extra/slackpkg/slackpkg-1.5.0-noarch-3.tgz: Upgraded to slackpkg-1.5.0-noarch-3 (fixed a mirror URL).
+--------------------------+ Mon Aug 1 11:25:46 PDT 2005 a/sysvinit-2.84-i486-55.tgz: In rc.6, try to use 'rc.inet1 stop' to bring the network down. Thanks to Eric Hameleers for reminding me that this sort of thing works now. :-) extra/k3b/k3b-0.12.3-i486-2.tgz: Rebuilt to fix missing binaries. I built this on the same machine, no changes to the build script other than bumping the build number to 2... strange, but I'll take it. extra/slackpkg/slackpkg-1.5.0-noarch-2.tgz: Upgraded to slackpkg-1.5.0-noarch-2. Thanks to Piter Punk. +--------------------------+ Sun Jul 31 17:08:43 PDT 2005 a/sysvinit-2.84-i486-54.tgz: In rc.6, try to use 'dhcpcd -k' to kill dhcpcd, otherwise a cache file is left behind which may cause problems. Thanks to Giacomo Rizzo for the bug report. d/clisp-2.34-i486-1.tgz: Upgraded to clisp-2.34. d/doxygen-1.4.4-i486-1.tgz: Upgraded to doxygen-1.4.4. d/oprofile-0.9.1-i486-1.tgz: Upgraded to oprofile-0.9.1. n/iptables-1.3.3-i486-1.tgz: Upgraded to iptables-1.3.3. n/rsync-2.6.6-i486-1.tgz: Upgraded to rsync-2.6.6. n/tcpip-0.17-i486-34.tgz: Upgraded ethtool to ethtool-3. n/yptools-2.9-i486-1.tgz: Upgraded to yp-tools-2.9, ypbind-mt-1.19.1, and ypserv-2.18. xap/jre-symlink-1.0.6-noarch-2.tgz: Upgraded symlink for Mozilla 1.7.11. xap/mozilla-1.7.11-i486-1.tgz: Upgraded to mozilla-1.7.11. extra/k3b/k3b-0.12.3-i486-1.tgz: Upgraded to k3b-0.12.3. extra/k3b/k3b-i18n-0.12.3-noarch-1.tgz: Upgraded to k3b-i18n-0.12.3. +--------------------------+ Sat Jul 30 13:01:25 PDT 2005 a/smartmontools-5.33-i486-1.tgz: Upgraded to smartmontools-5.33. a/udev-064-i486-2.tgz: Commented out the new lines in udev.rules. It seems like these aren't really needed now that the symlink in /etc/hotplug.d/default/ was restored, and having them there causes a race condition that can cause things like wireless adaptors that need to load firmware to fail to initialize. Thanks to Andreas Liebschner and Philip Langdale for helping debug this.
ap/espgs-8.15rc3-i486-2.tgz: Removed libtool file that wasn't supposed to be in the package. Thanks to Mark Post. Also, I had a report that espgs was not printing margins properly with the Epson C64 printer. If you notice issues like that it is best to send the reports directly to the espgs maintainers, as without the hardware in question (or even with, really) there's little that I can do to fix bugs such as that here. ap/joe-3.3-i486-1.tgz: Upgraded to joe-3.3. ap/mc-4.6.1-i486-1.tgz: Upgraded to mc-4.6.1. e/emacs-21.4a-i486-2.tgz: Patched emacs to change the order some X headers are included, which fixes a keyboard problem with some non-US keyboards when running under X.Org. Thanks to Emanuele Vicentini for pointing out the issue and a patch. e/emacs-nox-21.4a-i486-2.tgz: Recompiled. +--------------------------+ Fri Jul 29 10:33:59 PDT 2005 a/etc-5.1-noarch-10.tgz: Added scanner group. a/getty-ps-2.1.0b-i486-1.tgz: Upgraded to getty-ps-2.1.0b. Thanks to Jan Rafaj for providing additional bugfixes for this package. a/hotplug-2004_09_23-noarch-4.tgz: Changed firmware directory from /usr/lib/hotplug/firmware to /lib/firmware. Thanks to Lior Kadosh, Steve Caster, Lawrence Teo, Piter Punk, and Vidar Madsen, all of whom reported this. a/pkgtools-10.2.0-i486-4.tgz: Fixed toggling rc.dnsmasq and rc.saslauthd in setup.services. Thanks to Eric Hameleers. kde/koffice-1.4.1-i486-1.tgz: Upgraded to koffice-1.4.1. kde/kdeaccessibility-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdeaddons-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdeadmin-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdeartwork-3.4.2-i486-2.tgz: Upgraded to KDE 3.4.2. kde/kdebase-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdebindings-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdeedu-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdegames-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdegraphics-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdelibs-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. 
kde/kdemultimedia-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdenetwork-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdepim-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdesdk-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdetoys-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdeutils-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdevelop-3.2.2-i486-1.tgz: Upgraded to KDE 3.4.2. kde/kdewebdev-3.4.2-i486-1.tgz: Upgraded to KDE 3.4.2. kdei/kde-i18n-*.tgz: Upgraded to KDE 3.4.2 i18n packages. kdei/koffice-l10n-*.tgz: Upgraded to KOffice 1.4.1 l10n packages. l/arts-1.4.2-i486-1.tgz: Upgraded to arts-1.4.2. l/fribidi-0.10.5-i486-1.tgz: Added fribidi-0.10.5, needed by AbiWord and KDE. l/jre-1_5_0_04-i586-1.tgz: Upgraded to Java(TM) 2 Platform Standard Edition Runtime Environment Version 5.0, Release 4. n/links-2.1pre17-i486-2.tgz: Recompiled without SDL, which was causing X libraries to be indirectly linked. Thanks to Kirils Solovjovs. n/tcpip-0.17-i486-33.tgz: Patched rc.inet1 to make sure that an attempt is made to bring up the gateway whenever a new interface is loaded by hotplug. Added support to bring up/down ethernet aliases, like: IFNAME[2]="eth0:1" (Thanks to Andrey V. Panov for the aliases patch) Patched two overflows in the telnet client that could allow the execution of arbitrary code when connected to a malicious telnet server. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 (* Security fix *) xap/abiword-2.2.9-i486-1.tgz: Upgraded to abiword-2.2.9, which now links with the new fribidi package. Thanks to Ryan Pavlik for telling me about the new release, and to the AbiWord team for all the great work. extra/j2sdk-1.5.0_04/j2sdk-1_5_0_04-i586-1.tgz: Upgraded to Java(TM) 2 Platform Standard Edition Development Kit Version 5.0, Release 4. +--------------------------+ Tue Jul 26 23:35:18 PDT 2005 ap/vim-6.3.085-i486-1.tgz: Upgraded to patchlevel 85. 
d/distcc-2.18.3-i486-2.tgz: Recompiled distccmon-gnome to use only GTK+ libraries and not GNOME ones. Thanks to Lasse Collin for suggesting --without-gnome --with-gtk. d/guile-1.6.7-i486-1.tgz: Upgraded to guile-1.6.7. n/links-2.1pre17-i486-1.tgz: Upgraded to links-2.1pre17. n/imapd-4.63-i486-1.tgz: Upgraded to imapd from pine-4.63. n/netatalk-2.0.3-i486-1.tgz: Upgraded to netatalk-2.0.3. n/pine-4.63-i486-1.tgz: Upgraded to pine-4.63. xap/mozilla-1.7.10-i486-2.tgz: Fixed a folder switching bug. Thanks to Peter Santoro for pointing out the patch. xap/xvim-6.3.085-i486-1.tgz: Upgraded to patchlevel 85. +--------------------------+ Mon Jul 25 00:21:30 PDT 2005 n/wireless-tools-27-i486-2.tgz: Build against static libiw. (Thanks to Lech Szychowski) +--------------------------+ Sun Jul 24 22:57:27 PDT 2005 n/nail-11.24-i486-1.tgz: Upgraded to nail-11.24. n/ppp-2.4.3-i486-1.tgz: Upgraded to ppp-2.4.3 and radiusclient-0.3.2. +--------------------------+ Sun Jul 24 17:50:37 PDT 2005 a/hotplug-2004_09_23-noarch-3.tgz: Modified net.agent to use the new rc.inet1 syntax (thanks to Eric Hameleers), and added several new framebuffer modules and the eth1394 module to the blacklist. a/pkgtools-10.2.0-i486-3.tgz: Added saslauthd and dnsmasq to the services setup menu. a/sysvinit-2.84-i486-53.tgz: Added support in /etc/rc.d/rc.M for starting /etc/rc.d/rc.dnsmasq and /etc/rc.d/rc.saslauthd. a/udev-064-i486-1.tgz: Upgraded to udev-064. With the help of two new lines in udev.rules, and a symlink added in /etc/hotplug.d/default that used to be added by earlier versions of hotplug, udev-064 appears to be working! Thanks to Piter Punk for the rules and Kris Karas for the link. l/libxml2-2.6.20-i486-1.tgz: Upgraded to libxml-2.6.20. n/cyrus-sasl-2.1.21-i486-1.tgz: Upgraded to cyrus-sasl-2.1.21, added missing /var/state/saslauthd directory and /etc/rc.d/rc.saslauthd startup script. Thanks to Piter Punk for the help. n/iproute2-2.6.11_050330-i486-1.tgz: Upgraded to iproute2-2.6.11-050330. 
n/lftp-3.2.1-i486-1.tgz: Upgraded to lftp-3.2.1. n/sendmail-8.13.4-i486-1.tgz: Upgraded to sendmail-8.13.4 compiled with SASL support. Added a new cf file that supports SASL (this is not the one installed by default): /usr/share/sendmail/sendmail-slackware-tls-sasl.cf Thanks to Joshua Rubin and Piter Punk for the help with SASL support. n/sendmail-cf-8.13.4-noarch-1.tgz: Upgraded to sendmail-8.13.4, and added a new sendmail-slackware-tls-sasl.mc config file. n/tcpip-0.17-i486-32.tgz: Merged in many improvements to rc.inet1 scripts to allow alternate interface names and better networking support. Thanks to Eric Hameleers for the really great job on this! When starting rc.portmap for NFS clients, also start rpc.lockd and rpc.statd, otherwise some Java applications may have problems due to a lack of locking. Thanks to Dominik L. Borkowski and Piter Punk for pointing out this issue. n/wireless-tools-27-i486-1.tgz: Upgraded to wireless_tools.27. Thanks to Eric Hameleers for the improved rc.wireless scripts. rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk: Fix /dev/urandom device (thanks to Daniel de Kok). Bumped version number to 10.2. +--------------------------+ Fri Jul 22 13:54:50 PDT 2005 ap/alsa-utils-1.0.9a-i486-2.tgz: Patched rc.alsa to try to load the OSS compatibility modules with both 2.4 and 2.6 kernels. Thanks to Cal Peake for the bug report. ap/mysql-4.1.13-i486-1.tgz: Upgraded to mysql-4.1.13. l/zlib-1.2.3-i486-1.tgz: Upgraded to zlib-1.2.3. This fixes an additional crash not fixed by the patch to zlib-1.2.2. (* Security fix *) n/fetchmail-6.2.5.2-i486-1.tgz: Upgraded to fetchmail-6.2.5.2. This fixes an overflow by which malicious or compromised POP3 servers may overflow fetchmail's stack. For more information, see: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt (* Security fix *) xap/gxine-0.4.6-i486-1.tgz: Upgraded to gxine-0.4.6. 
This fixes a format string vulnerability that allows remote attackers to execute arbitrary code via a ram file with a URL whose hostname contains format string specifiers. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692 (* Security fix *) xap/xlockmore-5.18-i486-1.tgz: Upgraded to xlockmore-5.18. +--------------------------+ Fri Jul 22 10:33:41 PDT 2005 a/udev-058-i486-2.tgz: Added a line to udev.rules to (hopefully) help with the ALSA issues: KERNEL="controlC[0-9]", NAME="snd/%k", MODE="0666" Now, it would seem to me that the already-existing line: KERNEL="controlC[0-9]*", NAME="snd/%k", MODE="0666" ...should have already covered this. It works with previous versions of udev just fine, and this seems to me to be a udev bug. Oh well, give it a test and let me know if it's still causing any problems, in which case I'll probably go back to 054 for the Slackware 10.2 release. I'd rather not spend the next couple of months dorking around with udev problems and not getting a Slackware release out because of it. Thanks to Andris Pavenis for the one line udev.rules fix. ap/groff-1.19.1-i486-2.tgz: Fixed missing gxditview man page. Thanks to Stuart Winter. kde/kdenetwork-3.4.1-i486-2.tgz: Patched overflows in libgadu (used by kopete) that can cause a denial of service or arbitrary code execution. For more information, see: http://www.kde.org/info/security/advisory-20050721-1.txt (* Security fix *) xap/abiword-2.2.8-i486-1.tgz: Upgraded to abiword-2.2.8. xap/fluxbox-0.9.13-i486-1.tgz: Upgraded to fluxbox-0.9.13. xap/jre-symlink-1.0.6-noarch-1.tgz: Upgraded for firefox-1.0.6 and Mozilla 1.7.10. xap/mozilla-firefox-1.0.6-i686-1.tgz: Upgraded to firefox-1.0.6. xap/mozilla-1.7.10-i486-1.tgz: Upgraded to mozilla-1.7.10. This fixes several security issues. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla (* Security fix *) xap/mozilla-thunderbird-1.0.6-i686-1.tgz: Upgraded to thunderbird-1.0.6. xap/windowmaker-0.92.0-i486-1.tgz: Upgraded to WindowMaker-0.92.0. testing/packages/php-5.0.4/php-5.0.4-i486-2.tgz: Recompiled against mysql-4.1.12. Thanks to Tyler McGrath for pointing out this needed to be done. +--------------------------+ Wed Jul 20 16:17:08 PDT 2005 a/glibc-solibs-2.3.5-i486-4.tgz: Recompiled, as I forgot that with both linuxthreads and NPTL versions of glibc that the patch would have to be applied twice. Thanks again to Dirk van Deun for pointing out my error. a/glibc-zoneinfo-2.3.5-noarch-4.tgz: Rebuilt. l/glibc-2.3.5-i486-4.tgz: Recompiled. l/glibc-i18n-2.3.5-noarch-4.tgz: Rebuilt. l/glibc-profile-2.3.5-i486-4.tgz: Recompiled. +--------------------------+ Wed Jul 20 09:59:03 PDT 2005 a/glibc-solibs-2.3.5-i486-3.tgz: Recompiled with a patch to fix logging in using NIS netgroups. Thanks to Dirk van Deun for the bug report and patch. a/glibc-zoneinfo-2.3.5-noarch-3.tgz: Rebuilt. a/sysvinit-2.84-i486-52.tgz: In /etc/rc.d/rc.S, try to umount /initrd/proc/ before umounting /initrd/. a/udev-058-i486-1.tgz: Switched to udev-058, as newer versions still have problems (these are probably caused by the elimination of the /etc/hotplug.d/ directory, as this used to contain a link to udevstart). It was pointed out that udev-062 and udev-063 do create the missing devices if you run udevstart after boot (and possibly after plugging in new devices), but udev-058 is working fine without any kludges and seems to be the most stable version to use with 2.6.12.* kernels. Also, made a fix in /etc/udev/scripts/make_extra_nodes to set a default LANG before calling /bin/ls to look for cdrom and dvd devices (not all LANG settings will produce the same number of fields with ls, which can break cd/dvd symlinks). Thanks to Lukasz Stelmach for pointing out this bug. 
e/emacs-21.4a-i486-1.tgz: Upgraded to emacs-21.4a. This fixes a vulnerability in the movemail utility when connecting to a malicious POP server that may allow the execution of arbitrary code as the user running emacs. (* Security fix *) e/emacs-info-21.4a-noarch-1.tgz: Upgraded to emacs-21.4a. e/emacs-leim-21.4-noarch-1.tgz: Upgraded to leim-21.4. e/emacs-lisp-21.4a-noarch-1.tgz: Upgraded to emacs-21.4a. e/emacs-misc-21.4a-noarch-1.tgz: Upgraded to emacs-21.4a. e/emacs-nox-21.4a-i486-1.tgz: Upgraded to emacs-21.4a. f/linux-howtos-20050718-noarch-1.tgz: Upgraded to Linux-HOWTOs-20050718. l/glibc-2.3.5-i486-3.tgz: Recompiled with NIS netgroups patch. l/glibc-i18n-2.3.5-noarch-3.tgz: Rebuilt. l/glibc-profile-2.3.5-i486-3.tgz Recompiled with NIS netgroups patch. n/dnsmasq-2.22-i486-1.tgz: Upgraded to dnsmasq-2.22. This fixes an off-by-one overflow vulnerability that may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877 (* Security fix *) n/getmail-4.3.11-noarch-1.tgz: Upgraded to getmail-4.3.11. kde/koffice-1.4.0b-i486-1.tgz: Upgraded to koffice-1.4.0b. tcl/expect-5.43.0-i486-1.tgz: Upgraded to expect-5.43.0. tcl/tcl-8.4.11-i486-1.tgz: Upgraded to tcl-8.4.11. tcl/tclx-8.3.5-i486-2.tgz: Recompiled. tcl/tix-8.1.4-i486-2.tgz: Recompiled. tcl/tk-8.4.11-i486-1.tgz: Upgraded to tk-8.4.11. xap/xchat-2.4.4-i486-1.tgz: Upgraded to xchat-2.4.4 (and compiled against the new version of perl. Thanks to Steven E. Woolard for pointing out that the old xchat package was still depending on the old perl. I've been known to forget about that one since it doesn't put anything under /usr/lib/perl/...) testing/packages/linux-2.6.12.3/alsa-driver-1.0.9b_2.6.12.3-i486-1.tgz: Recompiled against Linux 2.6.12.3.
testing/packages/linux-2.6.12.3/kernel-generic-2.6.12.3-i486-1.tgz: Upgraded to Linux 2.6.12.3 generic kernel. testing/packages/linux-2.6.12.3/kernel-headers-2.6.12.3-i386-1.tgz Upgraded to Linux 2.6.12.3 kernel headers for x86. testing/packages/linux-2.6.12.3/kernel-modules-2.6.12.3-i486-1.tgz Upgraded to Linux 2.6.12.3 kernel modules. testing/packages/linux-2.6.12.3/kernel-source-2.6.12.3-noarch-1.tgz Upgraded to Linux 2.6.12.3 kernel source. +--------------------------+ Fri Jul 15 00:31:30 PDT 2005 testing/packages/gcc-3.4.4/gcc-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. testing/packages/gcc-3.4.4/gcc-g++-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. testing/packages/gcc-3.4.4/gcc-g77-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. testing/packages/gcc-3.4.4/gcc-gnat-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. testing/packages/gcc-3.4.4/gcc-java-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. testing/packages/gcc-3.4.4/gcc-objc-3.4.4-i486-1.tgz: Upgraded to gcc-3.4.4. +--------------------------+ Thu Jul 14 16:02:40 PDT 2005 a/devs-2.3.1-noarch-22.tgz: Added /dev/ACM* devices. (Thanks to Manolis Tzanidakis) a/pkgtools-10.2.0-i486-2.tgz: Merged in Jim Hawkins' fixed speed optimizations for pkgtool. a/udev-062-i486-1.tgz: Upgraded to udev-062. This seems to be broken with regard to ALSA devices... I'd suggest anyone using a 2.6 kernel "chmod 644 /etc/rc.d/rc.udev" unless you want to help locate and report bugs. It's also possible that this has something to do with the ever-changing syntax used in the udev.rules config file. If you find any problems that can be attributed to that, fixes would be appreciated. For now, rc.udev will be off by default. ap/mysql-4.1.12-i486-1.tgz: Upgraded to mysql-4.1.12. ap/texinfo-4.8-i486-1.tgz: Upgraded to texinfo-4.8. d/perl-5.8.7-i486-1.tgz: Upgraded to perl-5.8.7, DBD-mysql-3.0002, and DBI-1.48. kde/kdebindings-3.4.1-i486-2.tgz: Recompiled against perl-5.8.7 and j2sdk-1_5_0_03. kde/koffice-1.4.0a-i486-2.tgz: Recompiled against mysql-4.1.12. 
kde/qt-3.3.4-i486-2.tgz: Recompiled against mysql-4.1.12. n/bitchx-1.1-i486-2.tgz: Recompiled against mysql-4.1.12. n/irssi-0.8.9-i486-7.tgz: Recompiled against perl-5.8.7. n/php-4.4.0-i486-2.tgz: Recompiled against mysql-4.1.12. n/popa3d-1.0-i486-1.tgz: Upgraded to popa3d-1.0. n/tcpdump-3.9.3-i486-1.tgz: Upgraded to libpcap-0.9.3 and tcpdump-3.9.3. This fixes an issue where an invalid BGP packet can cause tcpdump to go into an infinite loop, effectively disabling network monitoring. (* Security fix *) n/vsftpd-2.0.3-i486-1.tgz: Upgraded to vsftpd-2.0.3. x/x11-6.8.2-i486-2.tgz: Reverted to the 6.8.1 version of the ATI Rage128 DRI module, as there's an undefined symbol in the newer version that prevents it from loading and breaks direct rendering for these cards. This bug has been reported on the freedesktop.org site but appears to have been closed without a fix... To observe the problem, on a system with a Rage128 card and DRI configured, use this command: LIBGL_DEBUG=verbose glxinfo (Thanks to Andrey V. Panov for the bug report) xap/gaim-1.4.0-i486-1.tgz: Upgraded to gaim-1.4.0. xap/imagemagick-6.2.3_3-i486-1.tgz: Upgraded to ImageMagick-6.2.3-3. xap/jre-symlink-1.0.5-noarch-1.tgz: Upgraded for firefox-1.0.5. xap/mozilla-firefox-1.0.5-i686-1.tgz: Upgraded to mozilla-firefox-1.0.5. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox (* Security fix *) xap/mozilla-thunderbird-1.0.5-i686-1.tgz: Upgraded to thunderbird-1.0.5. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird1.0.5 (* Security fix *) xap/xscreensaver-4.22-i486-2.tgz: Fixed location of man pages. (Thanks to Alak Trakru) xap/xv-3.10a-i486-4.tgz: Upgraded to the latest XV jumbo patches, xv-3.10a-jumbo-fix-patch-20050410 and xv-3.10a-jumbo-enh-patch-20050501.
These fix a number of format string and other possible security issues in addition to providing many other bugfixes and enhancements. (Thanks to Greg Roelofs) (* Security fix *) testing/packages/linux-2.6.12.2/alsa-driver-1.0.9b_2.6.12.2-i486-1.tgz: Recompiled for Linux 2.6.12.2. testing/packages/linux-2.6.12.2/kernel-generic-2.6.12.2-i486-1.tgz Upgraded to Linux 2.6.12.2 generic kernel (added loopback). testing/packages/linux-2.6.12.2/kernel-headers-2.6.12.2-i386-1.tgz Upgraded to Linux 2.6.12.2 kernel headers. testing/packages/linux-2.6.12.2/kernel-modules-2.6.12.2-i486-1.tgz Upgraded to Linux 2.6.12.2 kernel modules. testing/packages/linux-2.6.12.2/kernel-source-2.6.12.2-noarch-1.tgz Upgraded to Linux 2.6.12.2 kernel sources. bootdisks/*: Regenerated bootdisks with "Slackware 10.2" label. extra/bittorrent/bittorrent-4.1.3-noarch-1.tgz: Upgraded to bittorrent-4.1.3. extra/slackpkg/slackpkg-1.4.1-noarch-5.tgz: Upgraded to slackpkg-1.4.1-noarch-5. (Thanks to Piter Punk) extra/slacktrack/slacktrack-1.25-i486-1.tgz: Upgraded to slacktrack-1.25_1. (Thanks to Stuart Winter) +--------------------------+ Mon Jul 11 15:06:22 PDT 2005 n/php-4.4.0-i486-1.tgz: Upgraded to php-4.4.0. This new PHP package fixes a PEAR XML_RPC vulnerability. Sites that use this PEAR class should upgrade to the new PHP package, or as a minimal fix may instead upgrade the XML_RPC PEAR class with the following command: pear upgrade XML_RPC (* Security fix *) +--------------------------+ Sun Jul 10 22:33:04 PDT 2005 a/pkgtools-10.2.0-i486-1.tgz: In xorgsetup, don't load the freetype module twice in the outputted xorg.conf file. Also, fix the formatting of the xorg.conf file. Thanks to Jonathan Woithe for the fixes! d/gcc-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. d/gcc-g++-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. d/gcc-g77-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. d/gcc-gnat-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. d/gcc-java-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. 
d/gcc-objc-3.3.6-i486-1.tgz: Upgraded to gcc-3.3.6. kde/kdeartwork-3.4.1-i486-2.tgz: Patched to fix using screensavers from xscreensaver >= 4.21. Thanks to Chris Linnet for the fix! l/libtiff-3.7.3-i486-1.tgz: Upgraded to libtiff-3.7.3. n/iptables-1.3.2-i486-1.tgz: Upgraded to iptables-1.3.2. n/rsync-2.6.5-i486-1.tgz: Upgraded to rsync-2.6.5. tcl/hfsutils-3.2.6-i486-3.tgz: Patched to include , and recompiled to fix problems on systems using NPTL. Thanks to Dominik L. Borkowski for pointing out the issue. xap/gkrellm-2.2.7-i486-1.tgz: Upgraded to gkrellm-2.2.7. xap/xscreensaver-4.22-i486-1.tgz: Upgraded to xscreensaver-4.22. +--------------------------+ Fri Jul 8 13:44:53 PDT 2005 l/gnet-2.0.7-i486-3.tgz: Fixed a missing '\' in the ./configure part of the build that was causing the --prefix to be ignored (and which I'd formulated an unnecessary patch to work around). Thanks to orlan. l/libexif-0.6.12-i486-2.tgz: Included a patch from CVS to fix loading of JPEGs from certain digital cameras in GIMP. This fix has been in CVS for months, and many people have pointed it out here. Sorry about the delay in fixing it, but I thought for sure upstream would have issued a new release by now (long ago, really.) l/zlib-1.2.2-i486-2.tgz: Patched an overflow in zlib that could cause applications using zlib to crash. The overflow does not involve user supplied data, and therefore does not allow the execution of arbitrary code. However, it could still be used by a remote attacker to create a denial of service. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096 (* Security fix *) xap/gimp-2.2.8-i486-1.tgz: Upgraded to gimp-2.2.8. +--------------------------+ Thu Jun 23 16:06:53 PDT 2005 ap/groff-1.19.1-i486-1.tgz: Upgraded to groff-1.19.1. 
I'd been putting this upgrade off because of problems caused by newer groff versions defaulting to ANSI color output, but found a patch for man.local and mdoc.local that makes man pages render without color by default. Hopefully this new groff version won't contain any other surprises, but I think that was the big one... ap/man-1.5p-i486-1.tgz: Upgraded to man-1.5p. ap/vim-6.3.078-i486-1.tgz: Upgraded to patchlevel 78. kde/koffice-1.4.0a-i486-1.tgz: Upgraded to koffice-1.4.0a. (This requires the new libgsf and libwpd packages) kdei/koffice-l10n-*.tgz: Upgraded to new KOffice translation packages. l/libgsf-1.12.1-i486-1.tgz: Upgraded to libgsf-1.12.1. l/libwpd-0.8.2-i486-1.tgz: Added libwpd-0.8.2 (needed by KWord). n/wget-1.10-i486-1.tgz: Upgraded to wget-1.10. xap/xvim-6.3.078-i486-1.tgz: Upgraded to patchlevel 78. +--------------------------+ Tue Jun 21 21:56:16 PDT 2005 ap/sudo-1.6.8p9-i486-1.tgz: Upgraded to sudo-1.6.8p9. This new version of Sudo fixes a race condition in command pathname handling that could allow a user with Sudo privileges to run arbitrary commands. For full details, see the Sudo site: http://www.courtesan.com/sudo/alerts/path_race.html (* Security fix *) l/gtk+2-2.6.8-i486-1.tgz: Upgraded to gtk+-2.6.8. Fixed /etc/gtk-2.0/gdk-pixbuf.loaders to list the SVG loader (svg_loader.so). (Thanks very much to Alastair Poole for noticing that XFCE was not loading SVG icons correctly, figuring out the problem, and sending in a fix) +--------------------------+ Sun Jun 19 21:45:07 PDT 2005 l/jre-1_5_0_03-i586-1.tgz: This already-issued package fixes some recently announced security issues that could allow applets to read or write to local files. See: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1 (* Security fix *) extra/j2sdk-1.5.0_03/j2sdk-1_5_0_03-i586-1.tgz: Fixed the slack-desc to not include the release version to prevent future mishaps.
:-) This already-issued package fixes some recently announced security issues that could allow applets to read or write to local files. See: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1 (* Security fix *) +--------------------------+ Tue Jun 14 18:40:39 PDT 2005 ap/flac-1.1.2-i486-2.tgz: Patched the XMMS plugin. (thanks to Wim Speekenbrink for the patch) l/glib2-2.6.5-i486-1.tgz: Upgraded to glib-2.6.5. extra/k3b/k3b-0.12-i486-1.tgz: Upgraded to k3b-0.12. extra/k3b/k3b-i18n-0.12-noarch-1.tgz: Upgraded to k3b-i18n-0.12. +--------------------------+ Sun Jun 12 21:48:25 PDT 2005 a/bzip2-1.0.3-i486-1.tgz: Upgraded to bzip2-1.0.3. a/openssl-solibs-0.9.7g-i486-1.tgz: Upgraded to openssl-0.9.7g libraries. a/tcsh-6.14.00-i486-1.tgz: Upgraded to tcsh-6.14.00. ap/espgs-8.15rc3-i486-1.tgz: Upgraded to espgs-8.15rc3, which should fix problems with PNG and PDF while we wait for a final release on this one. ap/flac-1.1.2-i486-1.tgz: Upgraded to flac-1.1.2. Note that the library versions for FLAC have changed, so anything using the FLAC libraries will need to be recompiled. If I've missed anything, let me know. ap/vorbis-tools-1.0.1-i486-4.tgz: Recompiled against new Ogg/FLAC libraries. d/doxygen-1.4.3-i486-1.tgz: Upgraded to doxygen-1.4.3. kde/kdeaccessibility-3.4.1-i486-1.tgz: Upgraded to kdeaccessibility-3.4.1. kde/kdeaddons-3.4.1-i486-1.tgz: Upgraded to kdeaddons-3.4.1. kde/kdeadmin-3.4.1-i486-1.tgz: Upgraded to kdeadmin-3.4.1. kde/kdeartwork-3.4.1-i486-1.tgz: Upgraded to kdeartwork-3.4.1. kde/kdebase-3.4.1-i486-1.tgz: Upgraded to kdebase-3.4.1. kde/kdebindings-3.4.1-i486-1.tgz: Upgraded to kdebindings-3.4.1. kde/kdeedu-3.4.1-i486-1.tgz: Upgraded to kdeedu-3.4.1. kde/kdegames-3.4.1-i486-1.tgz: Upgraded to kdegames-3.4.1. kde/kdegraphics-3.4.1-i486-1.tgz: Upgraded to kdegraphics-3.4.1. kde/kdelibs-3.4.1-i486-1.tgz: Upgraded to kdelibs-3.4.1. 
kde/kdemultimedia-3.4.1-i486-1.tgz: Upgraded to kdemultimedia-3.4.1. kde/kdenetwork-3.4.1-i486-1.tgz: Upgraded to kdenetwork-3.4.1. kde/kdepim-3.4.1-i486-1.tgz: Upgraded to kdepim-3.4.1. kde/kdesdk-3.4.1-i486-1.tgz: Upgraded to kdesdk-3.4.1. kde/kdetoys-3.4.1-i486-1.tgz: Upgraded to kdetoys-3.4.1. kde/kdeutils-3.4.1-i486-1.tgz: Upgraded to kdeutils-3.4.1. kde/kdevelop-3.2.1-i486-1.tgz: Upgraded to kdevelop-3.2.1. kde/kdewebdev-3.4.1-i486-1.tgz: Upgraded to kdewebdev-3.4.1. kdei/kde-i18n-*-3.4.1-noarch-1.tgz: Upgraded to KDE 3.4.1 i18n packages. l/arts-1.4.1-i486-1.tgz: Upgraded to arts-1.4.1. l/aspell-0.60.2-i486-1.tgz: Upgraded to aspell-0.60.2. Moved aspell data files into /usr/lib/aspell where most things look for them rather than the default of /usr/lib/aspell-. l/aspell-en-6.0_0-noarch-3.tgz: Moved data files into /usr/lib/aspell. l/gnet-2.0.7-i486-2.tgz: Patched ./configure to not put the package into /usr/local. Thanks to orlan for pointing out the problem. l/jre-1_5_0_03-i586-1.tgz: Upgraded to Java(TM) 2 Platform Standard Edition Runtime Environment Version 5.0, Release 3. l/libao-0.8.6-i486-1.tgz: Upgraded to libao-0.8.6. l/libogg-1.1.2-i486-1.tgz: Upgraded to libogg-1.1.2. l/libvorbis-1.1.0-i486-1.tgz: Upgraded to libvorbis-1.1.0. n/openssh-4.1p1-i486-1.tgz: Upgraded to openssh-4.1p1. n/openssl-0.9.7g-i486-1.tgz: Upgraded to openssl-0.9.7g. xap/gaim-1.3.1-i486-1.tgz: Upgraded to gaim-1.3.1 and gaim-encryption-2.38. This fixes a couple of remote crash bugs, so users of the MSN and Yahoo! chat protocols should upgrade to gaim-1.3.1. (* Security fix *) xap/gimp-2.2.7-i486-1.tgz: Upgraded to gimp-2.2.7. xap/gimp-help-2-0.8-noarch-1.tgz: Upgraded to gimp-help-2-0.8. xap/imagemagick-6.2.3_0-i486-1.tgz: Upgraded to ImageMagick-6.2.3-0. xap/xine-lib-1.0.1-i686-2.tgz: Recompiled against new Ogg/FLAC libraries. extra/aspell-word-lists: Updated and added several dictionaries, and moved all data files from /usr/lib/aspell-0.60 to /usr/lib/aspell. 
extra/j2sdk-1.5.0_03/j2sdk-1_5_0_03-i586-1.tgz: Upgraded to Java(TM) 2 Platform Standard Edition Development Kit Version 5.0, Release 3. +--------------------------+ Wed Jun 8 22:25:08 PDT 2005 ap/alsa-utils-1.0.9a-i486-1.tgz: Upgraded to alsa-utils-1.0.9a. l/alsa-driver-1.0.9b_2.4.31-i486-1.tgz: Upgraded to alsa-driver-1.0.9b, which works great with both 2.4 and 2.6 kernels. Big thanks to the ALSA developers for the quick fix! :-) l/alsa-lib-1.0.9-i486-1.tgz: Upgraded to alsa-lib-1.0.9. l/alsa-oss-1.0.9-i486-1.tgz: Upgraded to alsa-oss-1.0.9. l/gnet-2.0.7-i486-1.tgz: Upgraded to gnet-2.0.7. l/lcms-1.14-i486-1.tgz: Upgraded to lcms-1.14. l/lesstif-0.94.4-i486-1.tgz: Upgraded to lesstif-0.94.4. l/libexif-0.6.12-i486-1.tgz: Upgraded to libexif-0.6.12. l/libgsf-1.12.0-i486-1.tgz: Upgraded to libgsf-1.12.0. l/libidn-0.5.17-i486-1.tgz: Upgraded to libidn-0.5.17. l/libieee1284-0.2.10-i486-1.tgz: Upgraded to libieee1284-0.2.10. l/libtiff-3.7.2-i486-1.tgz: Upgraded to tiff-3.7.2. l/libungif-4.1.3-i486-1.tgz: Upgraded to libungif-4.1.3. l/libwmf-0.2.8.3-i486-1.tgz: Upgraded to libwmf-0.2.8.3. l/libwmf-docs-0.2.8.3-noarch-1.tgz: Upgraded to libwmf-0.2.8.3 docs. l/mhash-0.9.2-i486-1.tgz: Upgraded to mhash-0.9.2. n/samba-3.0.14a-i486-1.tgz: Upgraded to samba-3.0.14a. extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.4.31-i486-1.tgz: Recompiled for Linux 2.4.31. extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.11.11-i486-1.tgz Recompiled for Linux 2.6.11.11. testing/packages/linux-2.6.11.11/alsa-driver-1.0.9b_2.6.11.11-i486-1.tgz: Upgraded to alsa-driver-1.0.9b (compiled for Linux 2.6.11.11). +--------------------------+ Mon Jun 6 20:23:40 PDT 2005 a/kernel-ide-2.4.31-i486-1.tgz: Upgraded to Linux 2.4.31. a/kernel-modules-2.4.31-i486-1.tgz: Upgraded to Linux 2.4.31 kernel modules. d/kernel-headers-2.4.31-i386-1.tgz: Upgraded to kernel headers from Linux 2.4.31. k/kernel-source-2.4.31-noarch-1.tgz: Upgraded to Linux 2.4.31. 
l/alsa-driver-1.0.8_2.4.31-i486-1.tgz: Recompiled for Linux 2.4.31. alsa-driver-1.0.9a was tested, but attempting to load snd.o produces some unresolved symbol errors (class_device_destroy and class_device_create). Seems that the new version of ALSA requires some new features of the 2.6.x kernel series. ALSA 1.0.8 works with both 2.4.x and 2.6.x kernels, so for the time being ALSA will stay at 1.0.8. It would be nice to see these features backported in an official 2.4.32 kernel, or an alsa-driver-1.0.9b release that can work with either kernel branch... bootdisks/*: Upgraded to Linux 2.4.31 bootdisks. kernels/*: Upgraded to Linux 2.4.31 kernels. isolinux/initrd.img, isolinux/network.dsk, isolinux/pcmcia.dsk, rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk: Updated kernel modules to 2.4.31. testing/packages/linux-2.6.11.11/alsa-driver-1.0.8_2.6.11.11-i486-1.tgz: Recompiled for Linux 2.6.11.11. testing/packages/linux-2.6.11.11/kernel-generic-2.6.11.11-i486-1.tgz Upgraded to Linux 2.6.11.11. testing/packages/linux-2.6.11.11/kernel-headers-2.6.11.11-i386-1.tgz Upgraded to kernel headers from Linux 2.6.11.11. testing/packages/linux-2.6.11.11/kernel-modules-2.6.11.11-i486-1.tgz Upgraded to kernel modules for Linux 2.6.11.11. testing/packages/linux-2.6.11.11/kernel-source-2.6.11.11-noarch-1.tgz Upgraded to kernel source for Linux 2.6.11.11. +--------------------------+ Tue May 17 17:51:29 PDT 2005 xap/xfce-4.2.2-i486-1.tgz: Upgraded to xfce-4.2.2. +--------------------------+ Mon May 16 15:27:24 PDT 2005 a/glibc-solibs-2.3.5-i486-2.tgz: Recompiled including a patch found in Debian's glibc sources that fixes an issue with TLS that breaks X and XMMS on machines that use nVidia's X drivers. This might also be found in glibc CVS by now, but I'm not sure about that. In any case, if you had problems before and you're using nVidia's drivers, this should fix it. 
Also, I heard a few reports of trouble with Firefox not working with NPTL -- maybe this will also fix that? a/glibc-zoneinfo-2.3.5-noarch-2.tgz: Rebuilt. l/glibc-2.3.5-i486-2.tgz: Recompiled with TLS fix. l/glibc-i18n-2.3.5-noarch-2.tgz: Rebuilt. l/glibc-profile-2.3.5-i486-2.tgz: Recompiled with TLS fix. +--------------------------+ Sun May 15 20:12:03 PDT 2005 n/ncftp-3.1.9-i486-1.tgz: Upgraded to ncftp-3.1.9. This corrects a vulnerability where a download from a hostile FTP server might be written to an unintended location potentially compromising system security or causing a denial of service. For more details, see: http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5 (* Security fix *) xap/jre-symlink-1.0.4-noarch-1.tgz: Upgraded Java(TM) symlink for new versions of Mozilla Firefox and the Mozilla Suite. xap/mozilla-1.7.8-i486-1.tgz: Upgraded to mozilla-1.7.8. Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable. For more details, see: http://www.mozilla.org/security/announce/mfsa2005-42.html (* Security fix *) xap/mozilla-firefox-1.0.4-i686-1.tgz: Upgraded to firefox-1.0.4. Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code. For more details, see: http://www.mozilla.org/security/announce/mfsa2005-42.html (* Security fix *) +--------------------------+ Fri May 13 12:51:03 PDT 2005 Here's the (I'm sure) long awaited upgrade to Slackware's glibc to include support for NPTL (the Native POSIX Thread Library). NPTL works with newer kernels (meaning 2.6.x, or a 2.4 kernel that is patched to support NPTL, but not an unmodified "vanilla" 2.4 kernel such as Slackware uses) to provide improved performance for threads. This difference can be quite dramatic in some situations. For example, a benchmark test mentioned on Wikipedia started 100,000 threads simultaneously in about 2 seconds on a system using NPTL. 
The same test using the old Linuxthreads glibc thread support took around 15 minutes to run! For most applications that do not start large numbers of threads the difference will not be so large, but for high traffic servers, databases, or anything that runs large numbers of threads, NPTL should bring big improvements in scalability and performance. For compatibility, the regular (linuxthreads) libraries are installed in /lib, and the new NPTL versions are installed in /lib/tls. Which versions are used depends on the kernel you're using. If it's newer than 2.6.4, then the NPTL libraries in /lib/tls will be used. TLS stands for "thread-local storage", and the directory name /lib/tls is a little bit misleading since now both the linuxthreads and NPTL versions of glibc are compiled with TLS support included (this is needed to produce versions of tools such as ldconfig that can run under either kind of system). Getting all the kinks out of the build script to be able to get this to work with either 2.4 or 2.6 kernels and be able to switch back and forth without issues was quite a challenge, to say the least, and would have been much harder without all the good advice and help folks sent in to help me along and give me important hints. A special thanks goes to Chad Corkrum for sending in some ./configure options that really helped get the ball rolling here. Here's some information about compiling things using these libraries -- by default, if you compile something the headers and shared libraries used to compile and link the binary will be the linuxthreads versions, but when you go to run the binary it will link to the NPTL library versions (and you'll get the NPTL speed improvements) if you are running an NPTL capable kernel. 
In rare cases you may find that an old binary doesn't work right when run against the NPTL libs, and in this case you can force it to run against the linuxthreads versions by setting the LD_ASSUME_KERNEL variable to assume the use of a 2.4.x (non-NPTL) kernel so that NPTL will not be used. An easy way to see the effect of this is to try something like the following while using an NPTL enabled kernel:

volkerdi@tree:~$ ldd /bin/bash
        linux-gate.so.1 => (0xffffe000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0xb7fcb000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7eaf000)
        /lib/ld-linux.so.2 (0xb7feb000)

Note that in the example above, the binary is running against the NPTL libraries in /lib/tls. Now, let's try setting LD_ASSUME_KERNEL:

volkerdi@tree:~$ LD_ASSUME_KERNEL=2.4.30 ldd /bin/bash
        linux-gate.so.1 => (0xffffe000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7fcb000)
        libc.so.6 => /lib/libc.so.6 (0xb7eb2000)
        /lib/ld-linux.so.2 (0xb7feb000)

As you can see, now the binary is running against the linuxthreads version of glibc in /lib. If you find old things that won't work with NPTL (which should be rare), this is the method you'll want to use to work around it.
Now for a little note about compiling things. In most cases it will be just fine to compile against linuxthreads and run against NPTL, and this approach will produce the most flexible binaries (ones that will run against either linuxthreads or NPTL.) However, in some cases you might want to use some of the new functions that are only available in NPTL, and to do that you'll need to use the NPTL versions of pthread.h and other headers that are different and link against the NPTL versions of the glibc libraries. To do this you'll need to add these compile flags to your build in an appropriate spot:

        -I/usr/include/nptl -L/usr/lib/nptl
        (and link with -lpthread, of course)

Have fun, and report any problems to volkerdi@slackware.com.
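Added example (not part of the original ChangeLog): a shell helper that reads ldd output in the format shown above and reports whether the glibc components resolve to the NPTL copies in /lib/tls or the linuxthreads copies in /lib. The function names, the list of glibc library names checked, and the embedded sample text (constructed from the two ldd runs above) are assumptions of this example.

```shell
#!/bin/sh
# Classify ldd output as nptl / linuxthreads / mixed / unknown, based on
# where the glibc components resolve (/lib/tls vs. /lib), as described in
# the ChangeLog entry above.

# Constructed sample input: the two ldd listings from the entry above.
SAMPLE_NPTL='  linux-gate.so.1 => (0xffffe000)
  libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
  libdl.so.2 => /lib/tls/libdl.so.2 (0xb7fcb000)
  libc.so.6 => /lib/tls/libc.so.6 (0xb7eaf000)
  /lib/ld-linux.so.2 (0xb7feb000)'

SAMPLE_LINUXTHREADS='  linux-gate.so.1 => (0xffffe000)
  libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7fcf000)
  libdl.so.2 => /lib/libdl.so.2 (0xb7fcb000)
  libc.so.6 => /lib/libc.so.6 (0xb7eb2000)
  /lib/ld-linux.so.2 (0xb7feb000)'

# thread_flavor: read ldd output on stdin, print one word on stdout.
thread_flavor() {
    awk '
        # Only "name => /path (addr)" lines carry a resolved path in field 3;
        # linux-gate.so.1 and the bare loader line are skipped.
        $2 == "=>" && $3 ~ /^\// {
            # Assumed list of glibc components installed in both directories.
            # Other libraries (libtermcap, ...) live only in /lib and say
            # nothing about the thread implementation.
            if ($1 ~ /^lib(c|dl|m|pthread|rt)\.so\./) {
                if ($3 ~ /^\/lib\/tls\//)   tls++
                else if ($3 ~ /^\/lib\//)   plain++
            }
        }
        END {
            if (tls && plain) print "mixed"
            else if (tls)     print "nptl"
            else if (plain)   print "linuxthreads"
            else              print "unknown"
        }'
}

# binary_flavor: run ldd on a real file and classify the result.
# ldd can execute code from the file it inspects, so point this only at
# binaries you already trust.
binary_flavor() {
    ldd "$1" 2>/dev/null | thread_flavor
}

# Stand-alone demonstration on the constructed samples.
echo "plain ldd run:           $(printf '%s\n' "$SAMPLE_NPTL" | thread_flavor)"
echo "LD_ASSUME_KERNEL=2.4.30: $(printf '%s\n' "$SAMPLE_LINUXTHREADS" | thread_flavor)"
```

A "mixed" result means some glibc components came from /lib/tls and others from /lib, which is worth investigating before trusting the LD_ASSUME_KERNEL workaround for that binary.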
a/glibc-solibs-2.3.5-i486-1.tgz: Upgraded to glibc-2.3.5 shared libs.
a/glibc-zoneinfo-2.3.5-noarch-1.tgz: Upgraded to time zone files from glibc-2.3.5.
l/glibc-2.3.5-i486-1.tgz: Upgraded to glibc-2.3.5.
l/glibc-i18n-2.3.5-noarch-1.tgz: Upgraded to glibc-2.3.5 i18n files.
l/glibc-profile-2.3.5-i486-1.tgz: Upgraded to glibc-2.3.5 profile libs.
xap/gaim-1.3.0-i486-1.tgz: Upgraded to gaim-1.3.0. This fixes a few bugs which could be used by a remote attacker to annoy a GAIM user by crashing GAIM and creating a denial of service. (* Security fix *)
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.6.11.9-i486-1.tgz: Recompiled linux-wlan-ng-0.2.1pre25 for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/alsa-driver-1.0.8_2.6.11.9-i486-1.tgz: Recompiled for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-generic-2.6.11.9-i486-1.tgz: Upgraded to Linux 2.6.11.9. Note that as far as these so-called "sucker" kernels go, I won't be intending to follow every one that's released, but I figure I might as well upgrade _occasionally_, as there's no reason to be testing for bugs that are already well-known. Anyway, I guess my point here is that when 2.6.11.10 comes out (if it's not out already ;-), I won't need everyone to be sending me email saying "new kernel! new kernel!". If, on the other hand, you are personally affected by a kernel bug that's fixed by a new kernel in this series feel free to let me know about it. Thanks! :-)
testing/packages/linux-2.6.11.9/kernel-headers-2.6.11.9-i386-1.tgz: Upgraded to kernel headers from Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-modules-2.6.11.9-i486-1.tgz: Upgraded to kernel modules for Linux 2.6.11.9.
testing/packages/linux-2.6.11.9/kernel-source-2.6.11.9-noarch-1.tgz: Upgraded to kernel source for Linux 2.6.11.9.
+--------------------------+
Sun May 1 22:10:17 PDT 2005
a/hdparm-6.1-i486-1.tgz: Upgraded to hdparm-6.1.
a/kernel-ide-2.4.30-i486-1.tgz: Upgraded to Linux 2.4.30.
a/kernel-modules-2.4.30-i486-1.tgz: Upgraded to Linux 2.4.30 kernel modules.
d/kernel-headers-2.4.30-i386-1.tgz: Upgraded kernel headers from 2.4.30 kernel.
k/kernel-source-2.4.30-noarch-1.tgz: Upgraded to Linux 2.4.30 kernel source.
l/alsa-driver-1.0.8_2.4.30-i486-1.tgz: Recompiled for Linux 2.4.30.
l/gmp-4.1.4-i486-2.tgz: Recompiled with --enable-mpfr.
l/libgtkhtml-2.6.3-i486-1.tgz: Added libgtkhtml-2.6.3 (needed for GIMP's help browser plugin).
l/librsvg-2.8.1-i486-1.tgz: Added librsvg-2.8.1 (needed for GIMP's SVG support plugin).
n/bind-9.3.1-i486-1.tgz: Upgraded to bind-9.3.1.
n/getmail-4.3.7-noarch-1.tgz: Upgraded to getmail-4.3.7.
xap/gimp-2.2.6-i486-2.tgz: Rebuilt to include SVG and help browser plugins.
xap/gimp-help-2-0.7-noarch-1.tgz: Added help files for the GIMP image editor.
xap/gxine-0.4.4-i486-1.tgz: Upgraded to gxine-0.4.4.
xap/jre-symlink-1.0.3-noarch-2.tgz: Make sure the directories for the symlinks are there. (thanks to Eric Le Bras for the bug report)
xap/xine-lib-1.0.1-i686-1.tgz: Upgraded to xine-lib-1.0.1. This fixes some bugs in the MMS and Real RTSP streaming client code. While the odds of this vulnerability being usable to a remote attacker are low (but see the xine advisory), if you stream media from sites using these protocols (and you think the sites might be "hostile" and will try to hack into your xine client), then you might want to upgrade to this new version of xine-lib. Probably the other fixes and enhancements in xine-lib-1.0.1 are a better rationale to do so, though. For more details on the xine-lib security issues, see: http://xinehq.de/index.php/security/XSA-2004-8 (* Security fix *)
bootdisks/*: Upgraded to Linux 2.4.30 bootdisks.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre25_2.4.30-i486-1.tgz: Recompiled linux-wlan-ng-0.2.1pre25 for Linux 2.4.30.
kernels/*: Upgraded to Linux 2.4.30 kernels.
isolinux/initrd.img, isolinux/network.dsk, isolinux/pcmcia.dsk, rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk: Updated kernel modules to 2.4.30.
+--------------------------+
Thu Apr 21 14:26:29 PDT 2005
d/binutils-2.15.92.0.2-i486-3.tgz: Upgraded to ksymoops-2.4.11.
d/cvs-1.11.20-i486-1.tgz: Upgraded to cvs-1.11.20. From cvshome.org: "This version fixes many minor security issues in the CVS server executable including a potentially serious buffer overflow vulnerability with no known exploit. We recommend this upgrade for all CVS servers!" For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753 (* Security fix *)
d/python-2.4.1-i486-1.tgz: Upgraded to python-2.4.1. From the python.org site: "The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected." For more details, see: http://python.org/security/PSF-2005-001/ (* Security fix *)
d/python-demo-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1 demos.
d/python-tools-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1 tools.
kde/kdebase-3.4.0-i486-2.tgz: Recompiled to link with Cyrus SASL.
kde/kdepim-3.4.0-i486-2.tgz: Recompiled to link with Cyrus SASL.
l/glib2-2.6.4-i486-1.tgz: Upgraded to glib-2.6.4.
l/gtk+2-2.6.7-i486-1.tgz: Upgraded to gtk+-2.6.7.
l/libxml2-2.6.19-i486-1.tgz: Upgraded to libxml2-2.6.19.
l/libxslt-1.1.14-i486-1.tgz: Upgraded to libxslt-1.1.14.
n/cyrus-sasl-2.1.20-i486-1.tgz: Added Cyrus SASL library (for Kmail).
xap/gaim-1.2.1-i486-1.tgz: Upgraded to gaim-1.2.1. According to gaim.sf.net, this fixes a few denial-of-service flaws. (* Security fix *)
xap/gimp-2.2.6-i486-1.tgz: Upgraded to gimp-2.2.6.
xap/jre-symlink-1.0.3-noarch-1.tgz: Upgraded Java(TM) symlink for Mozilla Firefox and added an additional link for the Mozilla Suite.
xap/mozilla-1.7.7-i486-1.tgz: Upgraded to mozilla-1.7.7. This fixes some security issues. For complete details, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html (* Security fix *)
xap/mozilla-firefox-1.0.3-i686-1.tgz: Upgraded to firefox-1.0.3. From the mozilla.org site: "Firefox 1.0.3 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version." For complete details, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html (* Security fix *)
xap/xscreensaver-4.21-i486-2.tgz: Patched to fix setgid shadow.
+--------------------------+
Tue Apr 5 12:52:00 PDT 2005
n/php-4.3.11-i486-1.tgz: Upgraded to php-4.3.11. "This is a maintenance release that in addition to over 70 non-critical bug fixes addresses several security issues inside the exif and fbsql extensions as well as the unserialize(), swf_definepoly() and getimagesize() functions." (* Security fix *)
testing/packages/php-5.0.4/php-5.0.4-i486-1.tgz: Upgraded to php-5.0.4. Fixes various bugs (and security issues.) (* Security fix *)
+--------------------------+
Sat Mar 26 23:04:41 PST 2005
a/hotplug-2004_09_23-noarch-2.tgz: Blacklisted a few more modules: snd-atiixp-modem, snd-intel8x0m, snd-via82xx-modem, and intelfb. Thanks to Tomas Matejicek, Piter PUNK, and Tobias Svensson for reporting the problems with hotplug auto-loading these (in the rare event that your machine actually needs them, they can be manually loaded somewhere else in the boot scripts, such as rc.modules.)
a/infozip-5.52-i486-1.tgz: Upgraded to unzip-5.52 and zip-2.31.
a/gettext-0.14.3-i486-1.tgz: Upgraded to gettext-0.14.3.
ap/mysql-4.0.24-i486-1.tgz: Upgraded to mysql-4.0.24.
d/automake-1.9.5-noarch-1.tgz: Upgraded to automake-1.9.5.
d/gettext-tools-0.14.3-i486-1.tgz: Upgraded to gettext-0.14.3.
d/libtool-1.5.14-i486-1.tgz: Upgraded to libtool-1.5.14.
gnome/*: Removed from -current, and turned over to community support and distribution. I'm not going to rehash all the reasons behind this, but it's been under consideration for more than four years. There are already good projects in place to provide Slackware GNOME for those who want it, and these are more complete than what Slackware has shipped in the past. So, if you're looking for GNOME for Slackware -current, I would recommend looking at these two projects for well-built packages that follow a policy of minimal interference with the base Slackware system:
        http://gsb.sf.net
        http://gware.sf.net
There is also Dropline, of course, which is quite popular. However, due to their policy of adding PAM and replacing large system packages (like the entire X11 system) with their own versions, I can't give quite the same sort of nod to Dropline. Nevertheless, it remains another choice, and it's _your_ system, so I will also mention their project:
        http://www.dropline.net/gnome/
Please do not incorrectly interpret any of this as a slight against GNOME itself, which (although it does usually need to be fixed and polished beyond the way it ships from upstream more so than, say, KDE or XFce) is a decent desktop choice. So are a lot of others, but Slackware does not need to ship every choice. GNOME is and always has been a moving target (even the "stable" releases usually aren't quite ready yet) that really does demand a team to keep up on all the changes (many of which are not always well documented). I fully expect that this move will improve the quality of both Slackware itself, and the quality (and quantity) of the GNOME options available for it. Folks, this is how open source is supposed to work. Enjoy. :-)
kde/kdeaccessibility-3.4.0-i486-1.tgz: Upgraded to kdeaccessibility-3.4.0.
kde/kdeaddons-3.4.0-i486-1.tgz: Upgraded to kdeaddons-3.4.0.
kde/kdeadmin-3.4.0-i486-1.tgz: Upgraded to kdeadmin-3.4.0.
kde/kdeartwork-3.4.0-i486-1.tgz: Upgraded to kdeartwork-3.4.0.
kde/kdebase-3.4.0-i486-1.tgz: Upgraded to kdebase-3.4.0.
kde/kdebindings-3.4.0-i486-1.tgz: Upgraded to kdebindings-3.4.0.
kde/kdeedu-3.4.0-i486-1.tgz: Upgraded to kdeedu-3.4.0.
kde/kdegames-3.4.0-i486-1.tgz: Upgraded to kdegames-3.4.0.
kde/kdegraphics-3.4.0-i486-1.tgz: Upgraded to kdegraphics-3.4.0.
kde/kdelibs-3.4.0-i486-1.tgz: Upgraded to kdelibs-3.4.0.
kde/kdemultimedia-3.4.0-i486-1.tgz: Upgraded to kdemultimedia-3.4.0.
kde/kdenetwork-3.4.0-i486-1.tgz: Upgraded to kdenetwork-3.4.0.
kde/kdepim-3.4.0-i486-1.tgz: Upgraded to kdepim-3.4.0.
kde/kdesdk-3.4.0-i486-1.tgz: Upgraded to kdesdk-3.4.0.
kde/kdetoys-3.4.0-i486-1.tgz: Upgraded to kdetoys-3.4.0.
kde/kdeutils-3.4.0-i486-1.tgz: Upgraded to kdeutils-3.4.0.
kde/kdevelop-3.2.0-i486-1.tgz: Upgraded to kdevelop-3.2.0.
kde/kdewebdev-3.4.0-i486-1.tgz: Upgraded to kdewebdev-3.4.0.
kde/koffice-1.3.5-i486-3.tgz: Recompiled.
kde/qt-3.3.4-i486-1.tgz: Upgraded to qt-3.3.4 (with -stl).
l/atk-1.9.1-i486-1.tgz: Upgraded to atk-1.9.1.
l/arts-1.4.0-i486-1.tgz: Upgraded to arts-1.4.0.
l/expat-1.95.8-i486-1.tgz: Upgraded to expat-1.95.8. (thanks to Alak Trakru for updating the DESTDIR patch)
l/gtk+2-2.6.4-i486-1.tgz: Upgraded to gtk+-2.6.4.
l/libart_lgpl-2.3.17-i486-1.tgz: Upgraded to libart_lgpl-2.3.17.
l/libglade-2.4.2-i486-1.tgz: Upgraded to libglade-2.4.2.
l/libgsf-1.11.1-i486-1.tgz: Upgraded to libgsf-1.11.1.
l/libidl-0.8.5-i486-1.tgz: Upgraded to libidl-0.8.5, moved from /gnome. (this is used by Mozilla)
l/libmikmod-3.1.11a-i486-1.tgz: Upgraded to libmikmod-3.1.11a, moved from /gnome. (this is used by XMMS)
l/libxml2-2.6.18-i486-1.tgz: Upgraded to libxml2-2.6.18.
l/libxslt-1.1.13-i486-1.tgz: Upgraded to libxslt-1.1.13.
l/orbit-0.5.17-i386-1.tgz: Removed obsolete ORBit.
l/pango-1.8.1-i486-1.tgz: Upgraded to pango-1.8.1.
l/shared-mime-info-0.16-i486-1.tgz: Upgraded to shared-mime-info-0.16, moved from /gnome.
l/startup-notification-0.8-i486-1.tgz: Upgraded to startup-notification-0.8.
n/nail-11.22-i486-1.tgz: Upgraded to nail-11.22.
n/samba-3.0.13-i486-1.tgz: Upgraded to samba-3.0.13.
xap/gaim-1.2.0-i486-1.tgz: Upgraded to gaim-1.2.0 and gaim-encryption-2.36. (compiled against mozilla-1.7.6)
xap/gimp-2.2.4-i486-1.tgz: Upgraded to gimp-2.2.4.
xap/jre-symlink-1.0.2-noarch-1.tgz: Upgraded Java link for Firefox 1.0.2.
xap/mozilla-1.7.6-i486-1.tgz: Replaced Mozilla, upgraded to 1.7.6. While I got surprisingly few negative comments about Mozilla's previous removal from -current, I have decided to put it back. Why? Well, it is a good piece of software with a long and respected history. So, why then, would I have removed it before? Did I lose my mind? ;-) My answer at the time was that once the Mozilla Foundation indicated that the primary future direction would be with Firefox and Thunderbird, and that active development on the traditional Mozilla suite would end, then the writing was already on the wall. Slackware does not aim to be a Home for Orphaned Software, and if upstream ceases to support something, then I'll usually follow that lead in fairly short order. However, Mozilla is being restored for now since I know it has a strong following, but also because it provides some features (like the composer) that FF/TB do not, and because the libraries are used in GAIM to provide support for MSN. I am aware that GNUTLS can also be used for this purpose, but after looking that (and its dependencies) over, I'd prefer to not see that enter Slackware at this time. OpenSSL could also be used for this support in GAIM, but unfortunately there is an incompatibility between GAIM's GPL license and OpenSSL's BSD-with-advertising-clause license. This resulting snafu reminds me of a short article by Grigor Gatchev that I recently read on NewsForge, called "Metalicensing".
It's still online, and I'd suggest it (and the author's site) for a little additional reading on the topic of free license incompatibilities, and how we might avoid unintentionally setting these kinds of traps for ourselves. I look forward to a world with the least possible restrictions on software development, and I think that step one is to be on guard against accidentally tying our own hands behind our backs. Having a redundant (but differently free) version of every component and needing them _all_ to create a complete system does not strike me as the optimal solution.
/* end "pseudo blog" :-) I hope I didn't offend anybody affiliated with any of these fine projects, as that is definitely not my intent... */
Back to the topic of _this package_, this Mozilla release fixes more than a dozen security issues (many of which are probably minor and unlikely to occur in real life, but you be the judge.) Please see mozilla.org for a complete list. (* Security fix *)
xap/mozilla-firefox-1.0.2-i686-1.tgz: Upgraded to firefox-1.0.2. Fixes a GIF heap overflow and some other security issues. Please see mozilla.org for a complete list. (* Security fix *)
xap/mozilla-thunderbird-1.0.2-i686-1.tgz: Upgraded to thunderbird-1.0.2. Fixes a GIF heap overflow and some other security issues. Please see mozilla.org for a complete list. (* Security fix *)
xap/xfce-4.2.1.1-i486-1.tgz: Upgraded to xfce-4.2.1.1.
xap/xscreensaver-4.21-i486-1.tgz: Upgraded to xscreensaver-4.21.
extra/k3b/k3b-0.11.23-i486-1.tgz: Upgraded to k3b-0.11.23.
extra/parted/parted-1.6.22-i486-1.tgz: Upgraded to parted-1.6.22.
testing/packages/gnupg-1.4.1-i486-1.tgz: Upgraded to gnupg-1.4.1.
+--------------------------+
Wed Mar 9 21:15:23 PST 2005
a/udev-054-i486-3.tgz: Fixed make_extra_nodes.sh to not require expr, which is under /usr and might not be available. (thanks to Daniel de Kok)
n/nmap-3.81-i486-1.tgz: Upgraded to nmap-3.81.
n/openssh-4.0p1-i486-1.tgz: Upgraded to OpenSSH 4.0p1.
n/samba-3.0.11-i486-1.tgz: Upgraded to samba-3.0.11.
extra/bittornado/bittornado-0.3.10-noarch-1.tgz: Upgraded to BitTornado-0.3.10.
extra/bittorrent/bittorrent-4.0.0-noarch-1.tgz: Upgraded to BitTorrent-4.0.0.
+--------------------------+
Tue Mar 8 14:23:58 PST 2005
xap/mozilla-firefox-1.0.1-i686-2.tgz: Fixed default mailto: pref to use Thunderbird. (thanks to Steven E. Woolard)
xap/mozilla-thunderbird-1.0-i686-2.tgz: Fixed default URL handler to use Firefox for https:// as well as http://. (thanks to Steven E. Woolard) Fixed background transparency of icon used by the thunderbird.desktop file. (thanks to Jason Edson)
+--------------------------+
Mon Mar 7 22:16:12 PST 2005
a/udev-054-i486-2.tgz: Removed udev.permissions file and merged the permissions configuration into the udev.rules file. Also, added support for numbering multiple cdrom and dvd devices at boot time (thanks to Michal Kosmulski for sending in the starting diff). Let me know if any permissions bugs remain... sorry about that last batch 'o bugs -- my fault for not reading the instructions carefully.
xap/jre-symlink-1.0.1-noarch-1.tgz: Adds a symlink to the Java(TM) plugin.
xap/mozilla-firefox-1.0.1-i686-1.tgz: Added Mozilla Firefox (from the official binary distribution.) Thanks to the Mozilla Foundation! :-)
xap/mozilla-thunderbird-1.0-i686-1.tgz: Added Mozilla Thunderbird (also from the official binary distribution.)
xap/mozilla-1.7.5-i486-1.tgz: Removed.
xap/mozilla-plugins-1.7.5-noarch-2.tgz: Removed.
xap/netscape-7.2-i686-1.tgz: Removed.
testing/packages/linux-2.6.11/alsa-driver-1.0.8_2.6.11-i486-1.tgz: Upgraded to ALSA 1.0.8 for Linux 2.6.11.
testing/packages/linux-2.6.11/kernel-generic-2.6.11-i486-1.tgz: Upgraded to Linux 2.6.11 generic x86 kernel.
testing/packages/linux-2.6.11/kernel-headers-2.6.11-i386-1.tgz: Upgraded to Linux 2.6.11 kernel headers.
testing/packages/linux-2.6.11/kernel-modules-2.6.11-i486-1.tgz: Upgraded to Linux 2.6.11 kernel modules.
testing/packages/linux-2.6.11/kernel-source-2.6.11-noarch-1.tgz: Upgraded to Linux 2.6.11 kernel source.
+--------------------------+
Mon Feb 28 20:56:58 PST 2005
a/udev-054-i486-1.tgz: Upgraded to udev-054.
ap/espgs-8.15rc2-i486-1.tgz: Upgraded to espgs-8.15rc2.
d/flex-2.5.4a-i486-3.tgz: Replaced old "lex" script with a symlink. (Thanks to Mike Sullivan)
d/gcc-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
d/gcc-g++-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
d/gcc-g77-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
d/gcc-gnat-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
d/gcc-java-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
d/gcc-objc-3.3.5-i486-1.tgz: Upgraded to gcc-3.3.5.
l/glib2-2.6.3-i486-1.tgz: Upgraded to glib-2.6.3.
l/gtk+2-2.6.3-i486-1.tgz: Upgraded to gtk+-2.6.3.
t/tetex-3.0-i486-1.tgz: Upgraded to teTeX 3.0.
t/tetex-doc-3.0-noarch-1.tgz: Upgraded to teTeX 3.0 documentation.
xap/gaim-1.1.4-i486-1.tgz: Upgraded to gaim-1.1.4 and gaim-encryption-2.35.
+--------------------------+
Mon Feb 14 10:31:43 PST 2005
Upgraded to X11R6.8.2 (these new -current X11 packages will also work just fine on Slackware 10.1 since no libraries have changed since the 10.1 release)
x/x11-6.8.2-i486-1.tgz: Upgraded to X11R6.8.2.
x/x11-devel-6.8.2-i486-1.tgz: Upgraded to X11R6.8.2.
x/x11-docs-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-docs-html-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-fonts-100dpi-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-fonts-cyrillic-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-fonts-misc-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-fonts-scale-6.8.2-noarch-1.tgz: Upgraded to X11R6.8.2.
x/x11-xdmx-6.8.2-i486-1.tgz: Upgraded to X11R6.8.2.
x/x11-xnest-6.8.2-i486-1.tgz: Upgraded to X11R6.8.2.
x/x11-xvfb-6.8.2-i486-1.tgz: Upgraded to X11R6.8.2.
+--------------------------+
Wed Feb 2 18:22:01 PST 2005
Released Slackware 10.1 stable.
Thanks to everyone who helped out with this release, and especially to the folks at GUS-BR and SlackSec who helped (and continue to help) with handling security issues for the last few months, to Andreas Liebschner for keeping the website updated and running smoothly, to Theresa Elam for all her hard work running store.slackware.com, to the folks on alt.os.linux.slackware for pointing out bugs and offering suggestions, to the people on ##slackware that I met on IRC (and some again in later emails), to Justin, Kyle, and Dean from the Linux User Group of Rochester, MN who I got to hang out with while "vacationing" at the Mayo Clinic, to everyone who signed my online Christmas card (one of the nicest things I ever got), and to all the kind and patient members of the Slackware community. I hope all of you will enjoy this new Slackware release.
Have fun! :-)
Your Slackware Maintainer,
Pat
PS I'm looking forward to working with all of you towards the next one, too.
PPS Sorry if that was too much like an Academy Award speech. I could almost hear that music shoving me off the stage. ;-)