Slackware Security Advisories (security updates)

News about Slackware Linux

Moderator: Urednik


Administrator

Posts: 3451
Joined: 01 Apr 2012, 13:50
Location: Mlečni put

Posted: 24 Dec 2016, 10:41


21.11.2016.

Fresh ntp packages for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2 and -current:

patches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz:  Upgraded.
  In addition to bug fixes and enhancements, this release fixes the
  following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and
  5 low-severity vulnerabilities, and provides 28 other non-security
  fixes and improvements.
  CVE-2016-9311: Trap crash
  CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector
  CVE-2016-7427: Broadcast Mode Replay Prevention DoS
  CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
  CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
  CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
  CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
  CVE-2016-7429: Interface selection attack
  CVE-2016-7426: Client rate limiting and server responses
  CVE-2016-7433: Reboot sync calculation problem
  For more information, see:
    https://www.kb.cert.org/vuls/id/633847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433
  (* Security fix *)
Use the source, Luke
SSZ IRC channel
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator

Posted: 24 Dec 2016, 10:42


01.12.2016.

Fresh mozilla-firefox and mozilla-thunderbird packages for Slackware 14.1, 14.2 and -current:

patches/packages/mozilla-firefox-45.5.1esr-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
  (* Security fix *)

patches/packages/mozilla-thunderbird-45.5.1-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
  (* Security fix *)



Administrator

Posted: 24 Dec 2016, 10:49


12.12.2016.

Fresh php and mcabber packages for Slackware 14.0, 14.1, 14.2 and -current:

patches/packages/loudmouth-1.5.3-i586-1_slack14.2.txz:  Upgraded.
  This update is needed for the mcabber security update.
patches/packages/mcabber-1.0.4-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue which can lead to a malicious actor
  MITMing a conversation, or adding themselves as an entity on a third
  party's roster (thereby granting themselves the associated privileges
  such as observing when the user is online).
  For more information, see:
    https://gultsch.de/gajim_roster_push_and_message_interception.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9928
  (* Security fix *)

patches/packages/php-5.6.29-i586-1_slack14.2.txz:  Upgraded.
  This release fixes bugs and security issues.
  For more information, see:
    https://php.net/ChangeLog-5.php#5.6.29
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935
  (* Security fix *)
Fresh kernel packages for Slackware 14.2 and -current:

patches/packages/linux-4.4.38/*:  Upgraded.
  This kernel fixes a security issue with a race condition in
  net/packet/af_packet.c that can be exploited to gain kernel code execution
  from unprivileged processes.
  Thanks to Philip Pettersson for discovering the bug and providing a patch.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655
  (* Security fix *)
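Every patch entry quoted in this thread names the package the way Slackware itself does, as NAME-VERSION-ARCH-BUILD (for example mcabber-1.0.4-i586-1_slack14.2), and on an installed system /var/log/packages holds one file per installed package with the same naming. The script below is an added example, not part of the post and not Slackware's own tooling: it pulls the package entries out of advisory text, compares them with an installed-package list, and reports every package that is installed but not at the advisory's version. The advisory lines in the sample are copied from the 12.12.2016 post above; the installed versions are constructed. The kernel entry (linux-4.4.38/*) is a directory rather than a single package file, so the parser deliberately skips it.

```python
"""Report Slackware packages that an advisory names but that are not installed
at the advisory's version.  Added example; not Slackware's own tooling."""
import os
import re
from typing import Dict, List, NamedTuple, Optional


class Pkg(NamedTuple):
    name: str
    version: str
    arch: str
    build: str


# A ChangeLog line that introduces a patched package, e.g.
# "patches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz:  Upgraded."
ADVISORY_RE = re.compile(r"^(patches/packages/\S+):\s+Upgraded\.")


def parse_pkg(filename: str) -> Optional[Pkg]:
    """Split a Slackware package file name into NAME, VERSION, ARCH, BUILD.

    NAME may itself contain dashes (mozilla-firefox, seamonkey-solibs), so the
    split is done from the right.  Returns None for anything that is not a
    single package file, such as the 'linux-4.4.38/*' kernel directory entry.
    """
    base = os.path.basename(filename)
    for ext in (".txz", ".tgz", ".tbz", ".tlz"):
        if base.endswith(ext):
            base = base[: -len(ext)]
            break
    parts = base.rsplit("-", 3)
    if len(parts) != 4 or not all(parts):
        return None
    return Pkg(*parts)


def advisory_packages(changelog: str) -> List[Pkg]:
    """Collect every patched package named in a block of ChangeLog text."""
    found = []
    for line in changelog.splitlines():
        m = ADVISORY_RE.match(line)
        if m:
            pkg = parse_pkg(m.group(1))
            if pkg is not None:
                found.append(pkg)
    return found


def installed_packages(pkg_dir: str = "/var/log/packages") -> Dict[str, Pkg]:
    """Read the installed-package database: one file per package, named
    NAME-VERSION-ARCH-BUILD with no extension."""
    installed = {}
    for entry in os.listdir(pkg_dir):
        pkg = parse_pkg(entry)
        if pkg is not None:
            installed[pkg.name] = pkg
    return installed


def missing_patches(advisory: List[Pkg], installed: Dict[str, Pkg]) -> List[str]:
    """One report line per advisory package that is installed at some other
    version-arch-build.  Packages that are not installed at all are skipped,
    since the advisory does not apply to them.  The comparison is exact rather
    than an ordering, so a locally rebuilt package is reported too, which is
    what an auditor wants to see."""
    report = []
    for want in advisory:
        have = installed.get(want.name)
        if have is not None and have != want:
            report.append(
                f"{want.name}: installed {have.version}-{have.arch}-{have.build}, "
                f"advisory {want.version}-{want.arch}-{want.build}"
            )
    return report


# Advisory lines copied from the 12.12.2016 post; the installed set is a
# constructed sample (a real check reads /var/log/packages via installed_packages()).
SAMPLE_CHANGELOG = """\
patches/packages/loudmouth-1.5.3-i586-1_slack14.2.txz:  Upgraded.
  This update is needed for the mcabber security update.
patches/packages/mcabber-1.0.4-i586-1_slack14.2.txz:  Upgraded.
patches/packages/php-5.6.29-i586-1_slack14.2.txz:  Upgraded.
patches/packages/linux-4.4.38/*:  Upgraded.
"""
SAMPLE_INSTALLED = {  # constructed, not a real system
    "loudmouth": Pkg("loudmouth", "1.5.3", "i586", "1_slack14.2"),  # already patched
    "mcabber": Pkg("mcabber", "1.0.3", "i586", "1_slack14.2"),      # behind
    "php": Pkg("php", "5.6.28", "i586", "1_slack14.2"),             # behind
}


def demo() -> List[str]:
    return missing_patches(advisory_packages(SAMPLE_CHANGELOG), SAMPLE_INSTALLED)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live system, replace SAMPLE_INSTALLED with installed_packages() and feed the advisory text from the ChangeLog; the kernel entry still has to be checked by hand, and, as the post says, the initrd and the lilo or elilo configuration must be updated after the kernel packages themselves.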



Administrator

Posted: 24 Dec 2016, 10:51


13.12.2016.

Fresh mozilla-firefox packages for Slackware 14.1, 14.2 and -current:

patches/packages/mozilla-firefox-45.6.0esr-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)



Administrator

Posted: 24 Dec 2016, 10:54


23.12.2016.

Fresh httpd packages for Slackware 14.0, 14.1, 14.2 and -current:

patches/packages/httpd-2.4.25-i586-1_slack14.2.txz:  Upgraded.
  This update fixes the following security issues:
  * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless
    CONTINUATION frames.
  * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry
    allocation when the shared memory space is exhausted.
  * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie
    with a MAC (SipHash) to prevent deciphering or tampering with a padding
    oracle attack.
  * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for
    request lines and request headers, to prevent response splitting and
    cache pollution by malicious clients or downstream proxies.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
  (* Security fix *)
Fresh openssh packages for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2 and -current:

patches/packages/openssh-7.4p1-i586-1_slack14.2.txz:  Upgraded.
  This is primarily a bugfix release, and also addresses security issues.
  ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside
    a trusted whitelist.
  sshd(8): When privilege separation is disabled, forwarded Unix-domain
    sockets would be created by sshd(8) with the privileges of 'root'.
  sshd(8): Avoid theoretical leak of host private key material to
    privilege-separated child processes via realloc().
  sshd(8): The shared memory manager used by pre-authentication compression
    support had a bounds check that could be elided by some optimising
    compilers to potentially allow attacks against the privileged monitor
    process from the sandboxed privilege-separation process.
  sshd(8): Validate address ranges for AllowUser and DenyUsers directives at
    configuration load time and refuse to accept invalid ones.  It was
    previously possible to specify invalid CIDR address ranges
    (e.g. user@127.1.2.3/55) and these would always match, possibly resulting
    in granting access where it was not intended.
  For more information, see:
    https://www.openssh.com/txt/release-7.4
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
  (* Security fix *)



Administrator

Posted: 22 Jan 2017, 17:24


24.12.2016.

New expat packages for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2 and -current:

patches/packages/expat-2.2.0-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues:
  Multiple integer overflows in XML_GetBuffer.
  Fix crash on malformed input.
  Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716.
  Use more entropy for hash initialization.
  Resolve troublesome internal call to srand.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
  (* Security fix *)



Administrator

Posted: 22 Jan 2017, 17:26


28.12.2016.

New python packages for Slackware 14.0, 14.1, 14.2 and -current:

patches/packages/python-2.7.13-i586-1_slack14.2.txz:  Upgraded.
  This release fixes security issues:
  Issue #27850: Remove 3DES from ssl module's default cipher list to counter
  measure sweet32 attack (CVE-2016-2183).
  Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
  that the script is in CGI mode.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110
  (* Security fix *)
New samba packages for Slackware 14.2 and -current:

patches/packages/samba-4.4.8-i586-1_slack14.2.txz:  Upgraded.
  This release fixes security issues:
  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
    Overflow Remote Code Execution Vulnerability).
  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers
    in trusted realms).
  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
    elevation).
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2123
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126
  (* Security fix *)
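The python fix for CVE-2016-1000110 quoted above comes down to one rule. A CGI server turns each request header into an environment variable named HTTP_<HEADER>, so a client header "Proxy:" arrives in the script as HTTP_PROXY, which is exactly the variable urllib reads to choose an HTTP proxy; once REQUEST_METHOD is present (CGI mode) that variable must not be trusted. The function below is an added example, not the post's content and not CPython's own code: it rebuilds that proxy lookup with urllib's case-insensitive, lowercase-wins behaviour plus the CGI guard, and keeps a flag so the pre-fix behaviour can be shown beside the fixed one. The environments are constructed.

```python
"""Proxy lookup from the environment with the HTTPoxy (CVE-2016-1000110) guard.
Added example: a reimplementation of the rule in the advisory, not CPython's code."""
from typing import Dict


def getproxies_from_env(env: Dict[str, str], cgi_guard: bool = True) -> Dict[str, str]:
    """Return {scheme: proxy_url} built from *_proxy variables in ``env``.

    First pass:  any capitalisation is accepted (HTTP_PROXY, http_proxy).
    CGI guard:   if REQUEST_METHOD is set the process is a CGI script and
                 HTTP_PROXY may have come from a client 'Proxy:' header, so
                 the http entry is discarded.
    Second pass: all-lowercase variables are re-applied, so a genuine
                 http_proxy set by the operator still wins (CGI servers derive
                 uppercase HTTP_* names from request headers, never lowercase).
    cgi_guard=False reproduces the pre-fix behaviour, for comparison only.
    """
    suffix = "_proxy"
    proxies: Dict[str, str] = {}
    for name, value in env.items():
        if value and name.lower().endswith(suffix):
            proxies[name.lower()[: -len(suffix)]] = value
    if cgi_guard and "REQUEST_METHOD" in env:
        proxies.pop("http", None)
    for name, value in env.items():
        if value and name.islower() and name.endswith(suffix):
            proxies[name[: -len(suffix)]] = value
    return proxies


# Constructed environments; no real server involved.
# A CGI request whose client sent a 'Proxy:' header, next to an
# operator-configured https_proxy:
CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_PROXY": "http://proxy.invalid:8080",        # derived from the request header
    "https_proxy": "http://corp-proxy.invalid:3128",  # set by the operator
}
# A normal shell session, where an uppercase HTTP_PROXY is legitimate:
SHELL_ENV = {"HTTP_PROXY": "http://corp-proxy.invalid:3128"}


def compare() -> Dict[str, Dict[str, str]]:
    """The same environments through the fixed and the pre-fix lookup."""
    return {
        "fixed": getproxies_from_env(CGI_ENV),
        "pre_fix": getproxies_from_env(CGI_ENV, cgi_guard=False),
        "shell": getproxies_from_env(SHELL_ENV),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label}: {result}")
```

With the guard in place the CGI environment yields only the operator's https proxy, while the pre-fix path would route plain-HTTP requests through whatever the client named. The httpd entry for CVE-2016-5387 in the 23.12.2016 post addresses the same "httpoxy" class from the server side.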



Administrator

Posted: 22 Jan 2017, 17:28


30.12.2016.

New libpng packages for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2 and -current:

patches/packages/libpng-1.6.27-i586-1_slack14.2.txz:  Upgraded.
  This release fixes an old NULL pointer dereference bug in png_set_text_2()
  discovered and patched by Patrick Keshishian.  The potential "NULL
  dereference" bug has existed in libpng since version 0.71 of June 26, 1995.
  To be vulnerable, an application has to load a text chunk into the png
  structure, then delete all text, then add another text chunk to the same
  png structure, which seems to be an unlikely sequence, but it has happened.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
  (* Security fix *)
New mozilla-thunderbird and seamonkey packages for Slackware 14.1, 14.2 and -current:

patches/packages/mozilla-thunderbird-45.6.0-i586-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
  (* Security fix *)

patches/packages/seamonkey-2.46-i586-1_slack14.2.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.seamonkey-project.org/releases/seamonkey2.46
  (* Security fix *)
patches/packages/seamonkey-solibs-2.46-i586-1_slack14.2.txz:  Upgraded.



Administrator

Posted: 22 Jan 2017, 17:31


11.01.2017.

New bind and irssi packages for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2 and -current:

patches/packages/bind-9.10.4_P5-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a denial-of-service vulnerability.  An error in handling
  certain queries can cause an assertion failure when a server is using the
  nxdomain-redirect feature to cover a zone for which it is also providing
  authoritative service.  A vulnerable server could be intentionally stopped
  by an attacker if it was using a configuration that met the criteria for
  the vulnerability and if the attacker could cause it to accept a query
  that possessed the required attributes.
  Please note: This vulnerability affects the "nxdomain-redirect" feature,
  which is one of two methods of handling NXDOMAIN redirection, and is only
  available in certain versions of BIND.  Redirection using zones of type
  "redirect" is not affected by this vulnerability.
  For more information, see:
    https://kb.isc.org/article/AA-01442
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9778
  (* Security fix *)

patches/packages/irssi-0.8.21-i586-1_slack14.2.txz:  Upgraded.
  Fixed security issues that may result in a denial of service.
  For more information, see:
    https://irssi.org/security/irssi_sa_2017_01.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
  (* Security fix *)
New gnutls packages for Slackware 14.0, 14.1, 14.2 and -current:

patches/packages/gnutls-3.5.8-i586-1_slack14.2.txz:  Upgraded.
  This update fixes some bugs and security issues.
  For more information, see:
    https://gnutls.org/security.html#GNUTLS-SA-2017-1
    https://gnutls.org/security.html#GNUTLS-SA-2017-2
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337
  (* Security fix *)



Administrator

Posted: 22 Jan 2017, 17:32


18.01.2017.

New mariadb packages for Slackware 14.1, 14.2 and -current:

patches/packages/mariadb-10.0.29-i586-1_slack14.2.txz:  Upgraded.
  This update fixes several security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318
  (* Security fix *)

