Sat Mar 15 13:49:04 PST 2003
patches/packages/samba-2.2.8-i386-1.tgz:  Upgraded to Samba 2.2.8.
  From the Samba web site:
    * (14th Mar, 2003) Security Release - Samba 2.2.8
      A flaw has been detected in the Samba main smbd code which could allow
      an external attacker to remotely and anonymously gain Super User (root)
      privileges on a server running a Samba server.  This flaw exists in
      previous versions of Samba from 2.0.x to 2.2.7a inclusive.  This is a
      serious problem and all sites should either upgrade to Samba 2.2.8
      immediately or prohibit access to TCP ports 139 and 445.
  (* Security fix *)
+--------------------------+
Mon Mar  3 10:29:01 PST 2003
patches/packages/sendmail-8.12.8-i386-1.tgz:  Upgraded to sendmail-8.12.8.
  From sendmail's RELNOTES:
    SECURITY: Fix a remote buffer overflow in header parsing by dropping sender
    and recipient header comments if the comments are too long.  Problem noted
    by Mark Dowd of ISS X-Force.
  (* Security fix *)
patches/packages/sendmail-cf-8.12.8-noarch-1.tgz:  Updated config files for
  sendmail-8.12.8.
+--------------------------+
Tue Feb 18 20:52:43 PST 2003
patches/packages/php-4.3.1-i386-1.tgz:  Upgraded to php-4.3.1.
  This fixes a serious security vulnerability in CGI SAPI.  Most sites don't
  use this mode of operation, but if you do -- upgrade.
  (* Security fix *)
+--------------------------+
Tue Jan 21 13:12:20 PST 2003
patches/packages/cvs-1.11.5-i386-1.tgz:  Upgraded to cvs-1.11.5.
  This release fixes a major security vulnerability in the CVS server by which
  users with read only access could gain write access.
  Details should be available at this URL (but don't seem to be yet):
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
  (* Security fix *)
+--------------------------+
Sun Jan 19 11:18:33 PST 2003
patches/packages/dhcp-3.0pl2-i386-1.tgz:  Upgraded to dhcp-3.0pl2, which fixes
  several buffer overflow vulnerabilities, including some which may allow
  remote attackers to execute arbitrary code on affected systems, though no
  exploits are known yet.  For complete information, please see:
    http://www.cert.org/advisories/CA-2003-01.html
  (* Security fix *)
+--------------------------+
Mon Jan  6 19:31:37 PST 2003
patches/packages/php-4.3.0-i386-3.tgz:  Fixed files under /usr/lib/php/ which
  were accidentally left chmodded 666.
+--------------------------+
Mon Jan  6 16:27:28 PST 2003
patches/packages/mysql-3.23.54a-i386-1.tgz:  Upgraded to mysql-3.23.54a.
  According to www.mysql.com, this contains some security fixes.
  (* Security fix *)
patches/packages/php-4.3.0-i386-2.tgz:  Switched back to --mysql=/usr instead
  of --mysql=shared (which didn't work).
+--------------------------+
Sun Jan  5 15:56:56 PST 2003
patches/packages/apache-1.3.27-i386-1.tgz:  Upgraded to apache-1.3.27.
  This fixes a few security problems; please reference CAN-2002-0839,
  CAN-2002-0840, and CAN-2002-0843 on cve.mitre.org for complete details.
  (* Security fix *)
patches/packages/mod_ssl-2.8.12_1.3.27-i386-1.tgz:  Upgraded to
  mod_ssl-2.8.12-1.3.27.  This fixes a potential cross-site scripting bug.
  (* Security fix *)
patches/packages/php-4.3.0-i386-1.tgz:  Upgraded to php-4.3.0.
patches/packages/yptools-2.8-i386-1.tgz:  Upgraded to yp-tools-2.8.
  This fixes a bug where yppasswd fails to work.  Thanks to Dirk van Deun for
  suggesting the upgrade.
+--------------------------+
Wed Nov 20 16:51:23 PST 2002
patches/packages/samba-2.2.7-i386-1.tgz:  Upgraded to samba-2.2.7.
  Some details (based on the WHATSNEW.txt file included in samba-2.2.7):
    This fixes a security hole discovered in versions 2.2.2 through 2.2.6 of
    Samba that could potentially allow an attacker to gain root access on the
    target machine.  The word "potentially" is used because there is no known
    exploit of this bug, and the Samba Team has not been able to craft one
    ourselves.  However, the seriousness of the problem warrants this
    immediate 2.2.7 release.
    There was a bug in the length checking for encrypted password change
    requests from clients.  A client could potentially send an encrypted
    password, which, when decrypted with the old hashed password could be used
    as a buffer overrun attack on the stack of smbd.  The attack would have to
    be crafted such that converting a DOS codepage string to little endian
    UCS2 unicode would translate into an executable block of code.
    Thanks to Steve Langasek and Eloy Paris for bringing this vulnerability to
    our notice.
  (* Security fix *)
  An unrelated change to the Slackware package is the addition of
  libsmbclient.  Thanks to Marcelo Anton for the suggestion.
+--------------------------+
Mon Sep 16 13:43:11 PDT 2002
patches/packages/xfree86-4.2.1-i386-2.tgz:  Recompiled with
  4.2.1-mit-shm-security.patch.  This is an update to 4.2.1 that fixes the shm
  vulnerability for the case where the server is running from xdm.  Also fixed
  a problem with freetype2 where there were two versions of the shared library
  on the system.
  (* Security fix *)
patches/packages/xfree86-devel-4.2.1-i386-2.tgz:  Recompiled with
  4.2.1-mit-shm-security.patch.
  (* Security fix *)
+--------------------------+
Wed Sep  4 19:20:44 PDT 2002
patches/packages/kernel-modules-2.4.18-i386-5.tgz:  Updated XFree86 DRI modules
  in /lib/modules/2.4.18/kernel/drivers/char/drm/.
patches/packages/xfree86-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-devel-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-docs-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-docs-html-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xnest-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xprt-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
patches/packages/xfree86-xvfb-4.2.1-i386-1.tgz:  Upgraded to XFree86 4.2.1.
  These are new XFree86 4.2.1 packages for Slackware 8.1.  Note that among the
  changes are these security patches (from the RELNOTES):
    2.1 Security
      o Fix a zlib bug that may have security implications on some platforms.
      o MIT-SHM update to not access SHM segments that the client doesn't have
        sufficient privileges to access.
      o Fix an Xlib problem that made it possible to load (and execute)
        arbitrary code in privileged clients.
  The first issue (zlib) was already patched in Slackware prior to the release
  of 8.1, but these other two fixes are new.  The Xlib issue in particular can
  be locally exploited to gain root access through setuid root binaries linked
  with libX11.
  Note that there are no changes to the fonts packages (xfree86-fonts-*.tgz),
  and the xfree86-fonts packages released with Slackware 8.1 should continue
  to be used.
  (* Security fix *)
+--------------------------+
Tue Jul 30 19:45:52 PDT 2002
patches/packages/apache-1.3.26-i386-2.tgz:  Upgraded the included libmm to
  version 1.2.1.  Versions of libmm earlier than 1.2.0 contain a tmp file
  vulnerability which may allow the local Apache user to gain privileges via
  temporary files or symlinks.  For details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
  This was also recompiled using the EAPI patch from mod_ssl-2.8.10_1.3.26.
  (* Security fix *)
patches/packages/glibc-2.2.5-i386-3.tgz:  Patched to fix a buffer overflow in
  glibc's DNS resolver functions that look up network addresses.
  Another workaround for this problem is to edit /etc/nsswitch.conf changing:
    networks:  files dns
  to:
    networks:  files
  (* Security fix *)
patches/packages/glibc-solibs-2.2.5-i386-3.tgz:  Patched to fix a buffer
  overflow in glibc's DNS resolver functions that look up network addresses.
  (* Security fix *)
patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz:  This update fixes an
  off-by-one error in earlier versions of mod_ssl that may allow local users
  to execute code as the Apache user.  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
  (* Security fix *)
patches/packages/openssh-3.4p1-i386-2.tgz:  Recompiled against openssl-0.9.6e.
  This update also contains a fix to the installation script to ensure that
  the sshd privsep user is correctly created.
patches/packages/openssl-0.9.6e-i386-1.tgz:  Upgraded to openssl-0.9.6e, which
  fixes 4 potentially remotely exploitable bugs.  For details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
  (* Security fix *)
patches/packages/openssl-solibs-0.9.6e-i386-1.tgz:  Upgraded to openssl-0.9.6e,
  which fixes 4 potentially remotely exploitable bugs.  For details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
  (* Security fix *)
patches/packages/php-4.2.2-i386-1.tgz:  Upgraded to php-4.2.2.
  Earlier versions of PHP 4.2.x contain a security vulnerability which,
  although not currently considered exploitable on the x86 architecture, is
  probably still a good idea to patch.  For details, see:
    http://www.cert.org/advisories/CA-2002-21.html
  (* Security fix *)
+--------------------------+
Wed Jun 26 12:03:06 PDT 2002
patches/packages/openssh-3.4p1-i386-1.tgz:  Upgraded to openssh-3.4p1.
  This version enables privilege separation by default.  The README.privsep
  file says this about it:
    Privilege separation, or privsep, is a method in OpenSSH by which
    operations that require root privilege are performed by a separate
    privileged monitor process.  Its purpose is to prevent privilege
    escalation by containing corruption to an unprivileged process.
    More information is available at:
      http://www.citi.umich.edu/u/provos/ssh/privsep.html
  Note that ISS has released an advisory on OpenSSH (OpenSSH Remote Challenge
  Vulnerability).  Slackware is not affected by this issue, as we have never
  included AUTH_BSD, S/KEY, or PAM.  Unless at least one of these options is
  compiled into sshd, it is not vulnerable.  Further note that none of these
  options are turned on in a default build from source code, so if you have
  built sshd yourself you should not be vulnerable unless you've enabled one
  of these options.
  Regardless, the security provided by privsep is unquestionably better.  This
  time we (Slackware) were lucky, but next time we might not be.  Therefore we
  recommend that all sites running the OpenSSH daemon (sshd, enabled by default
  in Slackware 8.1) upgrade to this new openssh package.  After upgrading the
  package, restart the daemon like this:
    /etc/rc.d/rc.sshd restart
  We would like to thank Theo and the rest of the OpenSSH team for their quick
  handling of this issue, Niels Provos and Markus Friedl for implementing
  privsep, and Solar Designer for working out issues with privsep on 2.2 Linux
  kernels.
+--------------------------+
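A small post-patch audit helper, added here as an example and not part of the Slackware ChangeLog or of any Slackware package: it checks the /etc/nsswitch.conf workaround given in the glibc-2.2.5-i386-3 entry (the "networks:" line must no longer consult dns) and the sshd privsep user mentioned in the openssh-3.4p1-i386-2 entry. It assumes the privsep user is named sshd and runs against constructed sample files rather than the live /etc/nsswitch.conf and /etc/passwd.

```shell
#!/bin/sh
# Post-patch audit helper.  Added example, not part of the Slackware
# ChangeLog or of any Slackware package.  It checks:
#   1. the glibc resolver workaround: the "networks:" line of nsswitch.conf
#      must no longer list "dns" as a lookup source;
#   2. the openssh-3.4p1 note: the privsep user (assumed to be "sshd") exists.
# File paths are parameters so the checks can run against sample copies.

# Print the lookup sources on the "networks:" line of an nsswitch.conf file,
# with comments stripped and whitespace normalised (empty if no such line).
networks_sources() {
    sed 's/#.*//' "$1" | awk '$1 == "networks:" { $1 = ""; print }' \
        | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# Succeed (status 0) only if "dns" is absent from the networks sources,
# i.e. the edit described in the glibc-2.2.5-i386-3 entry is in place.
networks_dns_disabled() {
    for src in $(networks_sources "$1"); do
        [ "$src" = "dns" ] && return 1
    done
    return 0
}

# Succeed only if the privsep user (default "sshd") has a passwd entry.
privsep_user_exists() {
    grep -q "^${2:-sshd}:" "$1"
}

# Constructed sample files (not taken from any real host) so this runs offline.
vuln_nss=$(mktemp); fixed_nss=$(mktemp); passwd_file=$(mktemp)
trap 'rm -f "$vuln_nss" "$fixed_nss" "$passwd_file"' EXIT
printf 'passwd:   files\nnetworks: files dns   # still consults DNS\n' > "$vuln_nss"
printf 'passwd:   files\nnetworks: files\n' > "$fixed_nss"
printf 'root:x:0:0::/root:/bin/sh\nsshd:x:33:33:sshd privsep:/:/bin/false\n' > "$passwd_file"

for f in "$vuln_nss" "$fixed_nss"; do
    if networks_dns_disabled "$f"; then
        echo "OK:   $f networks line = '$(networks_sources "$f")'"
    else
        echo "WARN: $f still resolves networks via dns (edit it or upgrade glibc)"
    fi
done
privsep_user_exists "$passwd_file" && echo "OK:   sshd privsep user present" \
                                   || echo "WARN: sshd privsep user missing"
```

Point the functions at the real /etc/nsswitch.conf and /etc/passwd to audit a host after applying the packages.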