Slackware Security Advisories (sigurnosne nadogradnje)

Novosti u vezi Slackware Linuxa

Moderator: Urednik

Locked

Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 14 Feb 2014, 10:09


13.02.2014.

Curl i ntp sigurnosne nadogradnje za Slackware 13.0, 13.1, 13.37, 14.0, 14.1 i -current:

Code: Select all

patches/packages/curl-7.35.0-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a flaw where libcurl could, in some circumstances, reuse
  the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS
  request.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140129.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
  (* Security fix *)

patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz:  Rebuilt.
  All stable versions of NTP remain vulnerable to a remote attack where the
  "ntpdc -c monlist" command can be used to amplify network traffic as part
  of a denial of service attack.  By default, Slackware is not vulnerable
  since it includes "noquery" as a default restriction.  However, it is
  vulnerable if this restriction is removed.  To help mitigate this flaw,
  "disable monitor" has been added to the default ntp.conf (which will disable
  the monlist command even if other queries are allowed), and the default
  restrictions have been extended to IPv6 as well.
  All users of the NTP daemon should make sure that their ntp.conf contains
  "disable monitor" to prevent misuse of the NTP service.  The new ntp.conf
  file will be installed as /etc/ntp.conf.new with a package upgrade, but the
  changes will need to be merged into any existing ntp.conf file by the admin.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
    http://www.kb.cert.org/vuls/id/348126
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 20 Feb 2014, 17:06


19.02.2014.

Ovaj put u sigurnosnim nadogradnjama imamo gnutls, mariadb i kernel.

Gnutls za Slackware 14.0, 14.1 i -current:

Code: Select all

patches/packages/gnutls-3.1.21-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a flaw where a version 1 intermediate certificate would be
  considered as a CA certificate by GnuTLS by default.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
  (* Security fix *)
Mariadb, mysql za Slackware 13.0, 13.1, 13.37, 14.0, 14.1 i -current:

Code: Select all

patches/packages/mariadb-5.5.35-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a buffer overflow in the mysql command line client which
  may allow malicious or compromised database servers to cause a denial of
  service (crash) and possibly execute arbitrary code via a long server
  version string.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
  (* Security fix *)
Kernel nadogradnja se odnosi samo na Slackware 14.1 64bitni:

Code: Select all

patches/packages/linux-3.10.17-2/*:
  These are new kernels that fix CVE-2014-0038, a bug that can allow local
  users to gain a root shell.
  Be sure to reinstall LILO (run "lilo" as root) after upgrading the kernel
  packages, or on UEFI systems, copy the appropriate kernel to
  /boot/efi/EFI/Slackware/vmlinuz).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 28 Feb 2014, 01:06


27.02.2014.

Subversion nadogradnja za Slackware 14.0, 14.1 i -current:

Code: Select all

patches/packages/subversion-1.7.16-i486-1_slack14.1.txz:  Upgraded.
  Fix denial of service bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 04 Mar 2014, 15:16


03.03.2014.

Sveži gnutls paketi za Slackware 13.0, 13.1, 13.37, 14.0, 14.1 i -current su dostupni:

Code: Select all

patches/packages/gnutls-3.1.22-i486-1_slack14.1.txz:  Upgraded.
  Fixed a security issue where a specially crafted certificate could
  bypass certificate validation checks.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 06 Mar 2014, 18:20


05.03.2014.

Sveža nadogradnja sudo paketa za Slackware 13.0, 13.1 i 13.37:

Code: Select all

patches/packages/sudo-1.7.10p8-i486-1_slack13.37.txz:  Upgraded.
  This update fixes a security issue where if the env_reset option is disabled
  in the sudoers file, a malicious user with sudo permissions may be able to
  run arbitrary commands with elevated privileges by manipulating the
  environment of a command the user is legitimately allowed to run.
  For more information, see:
    http://www.sudo.ws/sudo/alerts/env_add.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0106
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 11 Mar 2014, 15:00


11.03.2014.

Novi i nadograđeni paketi udisks i udisks2 za Slackware 14.0, 14.1 i -current:

Code: Select all

patches/packages/udisks-1.0.5-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a stack-based buffer overflow when handling long path
  names.  A malicious, local user could use this flaw to create a
  specially-crafted directory structure that could lead to arbitrary code
  execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
patches/packages/udisks2-2.1.3-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a stack-based buffer overflow when handling long path
  names.  A malicious, local user could use this flaw to create a
  specially-crafted directory structure that could lead to arbitrary code
  execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 13 Mar 2014, 09:03


12.03.2014.

Novi paketi za mutt email klijent za Slackware 13.37, 14.0, 14.1 i -current

Code: Select all

patches/packages/mutt-1.5.23-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a buffer overflow where malformed RFC2047 header
  lines could result in denial of service or potentially the execution
  of arbitrary code as the user running mutt.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 14 Mar 2014, 09:30


13.03.2014.

Ovaj put dobijamu sveže samba pakete za Slackware 14.0, 14.1 i -current:

Code: Select all

patches/packages/samba-4.1.6-i486-1_slack14.1.txz:  Upgraded.
  This update fixes two security issues:
  CVE-2013-4496:
  Samba versions 3.4.0 and above allow the administrator to implement
  locking out Samba accounts after a number of bad password attempts.
  However, all released versions of Samba did not implement this check for
  password changes, such as are available over multiple SAMR and RAP
  interfaces, allowing password guessing attacks.
  CVE-2013-6442:
  Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
  smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
  command options it will remove the existing ACL on the object being
  modified, leaving the file or directory unprotected.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 16 Mar 2014, 11:07


15.03.2014.

Nadogradnja php za Slackware 14.1:

Code: Select all

patches/packages/php-5.4.26-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a flaw where a specially crafted data file may cause a
  segfault or 100% CPU consumption when a web page uses fileinfo() on it.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator
Administrator
offline
User avatar

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Post Napisano: 29 Mar 2014, 10:46


28.03.2014.

Nadogradnje za Slackware 13.0, 13.1, 13.37, 14.0, 14.1 i -current:

Code: Select all

patches/packages/openssh-6.6p1-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a security issue when using environment passing with
  a sshd_config(5) AcceptEnv pattern with a wildcard.  OpenSSH could be
  tricked into accepting any environment variable that contains the
  characters before the wildcard character.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
  (* Security fix *)

patches/packages/curl-7.36.0-i486-1_slack14.1.txz:  Upgraded.
  This update fixes four security issues.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140326A.html
    http://curl.haxx.se/docs/adv_20140326B.html
    http://curl.haxx.se/docs/adv_20140326C.html
    http://curl.haxx.se/docs/adv_20140326D.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1263
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2522
  (* Security fix *)
Za Slackware 14.0, 14.1 i -current:

Code: Select all

patches/packages/httpd-2.4.9-i486-1_slack14.1.txz:  Upgraded.
  This update addresses two security issues.
  Segfaults with truncated cookie logging. mod_log_config:  Prevent segfaults
    when logging truncated cookies.  Clean up the cookie logging parser to
    recognize only the cookie=value pairs, not valueless cookies.
  mod_dav:  Keep track of length of cdata properly when removing leading
    spaces. Eliminates a potential denial of service from specifically crafted
    DAV WRITE requests.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
  (* Security fix *)

patches/packages/mozilla-nss-3.16-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a security issue:
  The cert_TestHostName function in lib/certdb/certdb.c in the
  certificate-checking implementation in Mozilla Network Security Services
  (NSS) before 3.16 accepts a wildcard character that is embedded in an
  internationalized domain name's U-label, which might allow man-in-the-middle
  attackers to spoof SSL servers via a crafted certificate.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
  (* Security fix *)

patches/packages/seamonkey-2.25-i486-1_slack14.1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
patches/packages/seamonkey-solibs-2.25-i486-1_slack14.1.txz:  Upgraded.
Za Slackware 14.1 i -current:

Code: Select all

patches/packages/mozilla-firefox-24.4.0esr-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)

patches/packages/mozilla-thunderbird-24.4.0-i486-1_slack14.1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
Use the source, Luke
SSZ irc kanal
Spread the Word, “CHOOSE SLACK! and Don’t look back.”


Locked

Who is online

Users browsing this forum: No registered users and 43 guests