Curl i ntp sigurnosne nadogradnje za Slackware 13.0, 13.1, 13.37, 14.0, 14.1 i -current:
Code: Select all
patches/packages/curl-7.35.0-i486-1_slack14.1.txz: Upgraded.
This update fixes a flaw where libcurl could, in some circumstances, reuse
the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS
request.
For more information, see:
http://curl.haxx.se/docs/adv_20140129.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
(* Security fix *)
patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz: Rebuilt.
All stable versions of NTP remain vulnerable to a remote attack where the
"ntpdc -c monlist" command can be used to amplify network traffic as part
of a denial of service attack. By default, Slackware is not vulnerable
since it includes "noquery" as a default restriction. However, it is
vulnerable if this restriction is removed. To help mitigate this flaw,
"disable monitor" has been added to the default ntp.conf (which will disable
the monlist command even if other queries are allowed), and the default
restrictions have been extended to IPv6 as well.
All users of the NTP daemon should make sure that their ntp.conf contains
"disable monitor" to prevent misuse of the NTP service. The new ntp.conf
file will be installed as /etc/ntp.conf.new with a package upgrade, but the
changes will need to be merged into any existing ntp.conf file by the admin.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
http://www.kb.cert.org/vuls/id/348126
(* Security fix *)