Slackware Blog

Entries from November 2007

Slackware 12.1 ChangeLog: Nov 20

November 20, 2007 · No Comments

Thunderbird security update


Tue Nov 20 16:49:58 CST 2007
xap/mozilla-thunderbird-2.0.0.9-i686-1.tgz:
Upgraded to thunderbird-2.0.0.9.
This update fixes the following security related issues:
URIs with invalid %-encoding mishandled by Windows (MFSA 2007-36).
Crashes with evidence of memory corruption (MFSA 2007-29).
OK, so the first one obviously does not affect us. :-) The second fix has
to do with the same JavaScript handling problem fixed before in Firefox.
JavaScript is not enabled by default in Thunderbird, and the developers
(at least in MFSA 2007-36) do not recommend turning it on.
For more information, see:
http://www.mozilla.org/security/announce/2007/mfsa2007-36.html
http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
(* Security fix *)
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Nov 16 - Nov 17

November 18, 2007 · No Comments

Samba security update, and some HAL/X11 fixes

Sat Nov 17 00:19:20 CST 2007
ap/cdparanoia-IIIalpha9.8-i486-3.tgz: Recompiled with SG_IO patch. This
didn’t seem to make a noticeable difference, but to someone it might.
x/xf86-video-intel-2.2.0-i486-1.tgz: Upgraded to xf86-video-intel-2.2.0.
x/xf86-video-sis-0.9.4-i486-1.tgz: Upgraded to xf86-video-sis-0.9.4.
OK, now that that Samba fix is done, we can give you a working X server. :-)
Evidently, the HAL/D-Bus enabled X server, xf86-input-evdev, and one of HAL’s
.fdi files aren’t playing well together. After considering three possible
workarounds, it was decided to disable D-Bus/HAL support in the X server for
now. If you really want to play with X input hotplugging, it’s easy enough to
modify the source/x/x11/configure xorg-server configure file to enable D-Bus
and HAL and run: ./x11.SlackBuild xserver xorg-server
Xdmx remains gone per X build recommendations.
x/xorg-server-1.4-i486-4.tgz: Recompiled without input hotplugging support.
x/xorg-server-xnest-1.4-i486-4.tgz: Rebuilt.
x/xorg-server-xvfb-1.4-i486-4.tgz: Rebuilt.
xap/xscreensaver-5.04-i486-1.tgz: Upgraded to xscreensaver-5.04.
+--------------------------+
Fri Nov 16 17:22:18 CST 2007
n/samba-3.0.27-i486-1.tgz:
Upgraded to samba-3.0.27.
Samba 3.0.27 is a security release in order to address a stack buffer
overflow in nmbd’s logon request processing, and remote code execution in
Samba’s WINS server daemon (nmbd) when processing name registration followed
by name query requests.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
(* Security fix *)
+--------------------------+

Categories: Slackware

Slackware 12.1 ChangeLog: Nov 14

November 14, 2007 · No Comments

X11 updates


Wed Nov 14 15:25:14 CST 2007
x/mesa-7.0.2-i486-1.tgz: Upgraded to mesa-7.0.2.
x/xf86-video-ati-6.7.196-i486-1.tgz: Upgraded to xf86-video-ati-6.7.196.
x/xf86-video-intel-2.1.99-i486-1.tgz: Upgraded to xf86-video-intel-2.1.99.
x/xorg-server-1.4-i486-3.tgz: Rebuilt against Mesa 7.0.2.
Removed support for XDMX, as the code is not maintained and interferes with
input hotplug support. Thanks to Carlos Corbacho for the help. :-)
x/xorg-server-xdmx-1.4-i486-2.tgz: Removed.
x/xorg-server-xnest-1.4-i486-3.tgz: Rebuilt.
x/xorg-server-xvfb-1.4-i486-3.tgz: Rebuilt.
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Nov 12

November 12, 2007 · No Comments

Xpdf security fixes


Mon Nov 12 01:25:34 CST 2007
kde/kdegraphics-3.5.8-i486-2.tgz:
Patched xpdf related bugs.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
(* Security fix *)
kde/koffice-1.6.3-i486-2.tgz:
Patched xpdf related bugs.
For more information, see:
http://www.kde.org/info/security/advisory-20071107-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
(* Security fix *)
l/pcre-7.4-i486-1.tgz: Upgraded to pcre-7.4.
l/poppler-0.6.2-i486-1.tgz: Upgraded to poppler-0.6.2.
This release fixes xpdf related bugs.
For more information, see:
http://poppler.freedesktop.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
(* Security fix *)
xap/xpdf-3.02pl2-i486-1.tgz: Upgraded to xpdf-3.02pl2.
The pl2 patch fixes a crash in xpdf.
Some theorize that this could be used to execute arbitrary code if an
untrusted PDF file is opened, but no real-world examples are known (yet).
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
(* Security fix *)
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Nov 10

November 11, 2007 · No Comments

PHP security update


Sat Nov 10 14:27:42 CST 2007
n/php-5.2.5-i486-1.tgz:
Upgraded to php-5.2.5.
This fixes bugs and security issues.
For more information, see:
http://www.php.net/releases/5_2_5.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
(* Security fix *)
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Nov 9

November 9, 2007 · No Comments

Firefox and Ghostscript updates


Fri Nov 9 16:07:43 CST 2007
ap/gnu-ghostscript-8.60.0-i486-2.tgz: ./configured with --disable-compile-inits
option, which disables a new default of compiling in various configuration
values (such as paper size) rather than reading them from the traditional
config file. Thanks to Jonathan Woithe for pointing this change out.
xap/mozilla-firefox-2.0.0.9-i686-1.tgz:
Upgraded to firefox-2.0.0.9.
This upgrade improves the stability of Firefox.
For more information, see:
http://developer.mozilla.org/devnews/index.php/2007/11/01/firefox-2009-stability-update-now-available-for-download/
xap/seamonkey-1.1.6-i486-1.tgz:
Upgraded to SeaMonkey 1.1.6.
This upgrade fixes SeaMonkey’s ability to display certain types of web pages.
That’s about all we could find about it here:
http://www.mozilla.org/projects/seamonkey/
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Nov 1 - Nov 3

November 4, 2007 · No Comments

Misc updates


Sat Nov 3 15:24:00 CDT 2007
x/libXft-2.1.12-i486-2.tgz: Recompiled to fix issues with bold font
rendering. Thanks to Bruce Hill and Eric Hameleers.
+--------------------------+
Fri Nov 2 17:37:13 CDT 2007
n/links-2.1pre31-i486-1.tgz: Upgraded to links-2.1pre31.
n/mcabber-0.9.4-i486-1.tgz: Upgraded to mcabber-0.9.4.
n/openldap-client-2.3.38-i486-1.tgz: Upgraded to openldap-client-2.3.38.
n/sendmail-8.14.2-i486-1.tgz: Upgraded to sendmail-8.14.2.
n/sendmail-cf-8.14.2-noarch-1.tgz: Upgraded to sendmail-8.14.2 config files.
x/dejavu-ttf-2.21-noarch-1.tgz: Upgraded to dejavu-ttf-2.21.
xap/gimp-2.4.1-i486-1.tgz: Upgraded to gimp-2.4.1.
xap/pan-0.132-i486-1.tgz: Upgraded to pan-0.132.
xap/pidgin-2.2.2-i486-1.tgz: Upgraded to pidgin-2.2.2.
+--------------------------+
Thu Nov 1 20:05:07 CDT 2007
a/cups-1.3.4-i486-1.tgz: Upgraded to cups-1.3.4.
An off-by-one error in ipp.c may allow a remote attacker to crash CUPS
resulting in a denial of service.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351
(* Security fix *)
+--------------------------+

Categories: ChangeLogs · Slackware

Slackware 12.1 ChangeLog: Oct 31

November 1, 2007 · No Comments

Here’s the latest from Patrick Volghoulding. (sorry, couldn’t resist :P) Mainly some glibc updates and bug fixes for pkgtools. Who knew pkgtools still had bugs!?!


Wed Oct 31 19:33:06 CDT 2007
a/pkgtools-12.1.0-noarch-1.tgz: Upgraded to pkgtools-12.1.0-noarch-1.
Fixed the following issues with removepkg:
Fix problem removing packages with a large number of fields. Thanks to
Niki Kovacs for noticing this, and to Piter Punk for the patch.
Use LC_ALL=C locale, which is much faster with “sort”. Thanks to Tsomi.
Don’t try to remove any package that starts with ‘-’. This is not a proper
package name (usually a typo), and results in the package database being
broken as the “package” beginning with ‘-’ is passed along as an option to
a command later in the script. Thanks to Jef Oliver.
Patched cat_except() to allow the last Slackware package on a partition to
be removed (using ROOT=, of course). Thanks to Selkfoster for the patch,
and to everyone else who proposed solutions before. This issue really
wasn’t given the highest priority before, but as long as I was here…
Fixed pkgtool to handle much larger numbers of installed packages.
Thanks to Gabriele Inghirami for the patch.
NOTE: If you upgrade to the glibc packages below, be sure you are really
wishing to test them, because reverting to the old version is not easy.
However, these packages have (so far) passed the tests done here.
testing/packages/glibc-2.7-i486-1.tgz: Added glibc-2.7.
testing/packages/glibc-i18n-2.7-noarch-1.tgz: Added glibc-i18n-2.7.
testing/packages/glibc-profile-2.7-i486-1.tgz: Added glibc-profile-2.7.
testing/packages/glibc-solibs-2.7-i486-1.tgz: Added glibc-solibs-2.7.
testing/packages/glibc-zoneinfo-2.7-noarch-1.tgz: Added glibc-zoneinfo-2.7.
+--------------------------+

Categories: ChangeLogs · Slackware
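
The removepkg note above describes a name beginning with ‘-’ being passed along as an option to a later command. The sketch below is an added example, not code from pkgtools: the function names, the one-name-per-line database file and the sample names are all assumptions made for illustration. It rejects such names up front and also keeps the remaining commands from parsing a name as an option.

```shell
#!/bin/sh
# Added illustration; NOT the pkgtools/removepkg source.
# Function names and the flat "one package name per line" database
# format are assumptions made for this example.

# Strip any directory part and a trailing .tgz using parameter expansion,
# so no external command ever sees the raw argument.
pkg_base() {
  name=${1##*/}
  printf '%s\n' "${name%.tgz}"
}

# Return 0 only for names that cannot be mistaken for an option.
valid_pkg_name() {
  case "$1" in
    ""|-*) return 1 ;;   # empty, or would be read as an option later
    *)     return 0 ;;
  esac
}

# Exact, literal lookup of a name in a database file.
# "-e" binds the name as the pattern even if it begins with "-",
# and "--" ends option parsing before the file operand.
pkg_listed() {
  grep -F -x -q -e "$1" -- "$2"
}

# Print the acceptable base names from a removal request, one per line;
# anything invalid is reported on stderr and skipped.
filter_removals() {
  for arg in "$@"; do
    base=$(pkg_base "$arg")
    if valid_pkg_name "$base"; then
      printf '%s\n' "$base"
    else
      printf 'skipping invalid package name: %s\n' "$arg" >&2
    fi
  done
}
```

The check runs on the base name, so a path such as `pkgs/-x.tgz` is rejected as well, even though the argument itself does not start with a dash.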