Slackware ChangeLog: September 29th

Here is the latest update to the Slackware-current changelog:

Fri Sep 29 02:10:15 CDT 2006
a/openssl-solibs-0.9.8d-i486-1.tgz: Upgraded to shared libraries from
openssl-0.9.8d. See openssl package update below.
(* Security fix *)
n/openssh-4.4p1-i486-1.tgz: Upgraded to openssh-4.4p1.
This fixes a few security related issues. From the release notes found at
http://www.openssh.com/txt/release-4.4:
* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
expired.
* Fix an unsafe signal hander reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.
* On portable OpenSSH, fix a GSSAPI authentication abort that could
be used to determine the validity of usernames on some platforms.
Links to the CVE entries will be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052
After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set
the way you want them. Future upgrades will respect the existing permissions
settings. Thanks to Manuel Reimer for pointing out that upgrading openssh
would enable a previously disabled sshd daemon.
Do better checking of passwd, shadow, and group to avoid adding
redundant entries to these files. Thanks to Menno Duursma.
(* Security fix *)
n/openssl-0.9.8d-i486-1.tgz: Upgraded to openssl-0.9.8d.
This fixes a few security related issues:
During the parsing of certain invalid ASN.1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory (CVE-2006-2937). (This issue did not affect
OpenSSL versions prior to 0.9.7)
Thanks to Dr S. N. Henson of Open Network Security and NISCC.
Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack (CVE-2006-2940).
Thanks to Dr S. N. Henson of Open Network Security and NISCC.
A buffer overflow was discovered in the SSL_get_shared_ciphers()
utility function. An attacker could send a list of ciphers to an
application that uses this function and overrun a buffer.
(CVE-2006-3738)
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
A flaw in the SSLv2 client code was discovered. When a client
application used OpenSSL to create an SSLv2 connection to a malicious
server, that server could cause the client to crash (CVE-2006-4343).
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team.
Links to the CVE entries will be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
(* Security fix *)
zipslack/zipslack.zip: Rebuilt ZipSlack with new openssl-solibs and
openssh packages.
+————————–+

Posted automagically by ChangeLog Update (A work in progress)

Technorati Tags: slackware,linux,slackware-current,slackware-11.0

Advertisements

About JamesB

I am a Infrastructure Engineer in Houston, TX. I am also a music lover and enjoying spinning on my turntables after a stressful day at the office. I also run another blog (personal) @ http://www.confiscatedthoughts.com. This blog has posts about my personal life and updates on videos I post to YouTube.
This entry was posted in Slackware. Bookmark the permalink.

One Response to Slackware ChangeLog: September 29th

  1. IndianSuperPower says:

    I am predicting the that new release will be released this weekend.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s