Wed Jun 26 12:26:20 PDT 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.4p1.
  This version enables privilege separation by default.  The README.privsep
  file says this about it:

    Privilege separation, or privsep, is a method in OpenSSH by which
    operations that require root privilege are performed by a separate
    privileged monitor process.  Its purpose is to prevent privilege
    escalation by containing corruption to an unprivileged process.
    More information is available at:
      http://www.citi.umich.edu/u/provos/ssh/privsep.html

  Note that ISS has released an advisory on OpenSSH (OpenSSH Remote Challenge
  Vulnerability).  Slackware is not affected by this issue, as we have never
  included AUTH_BSD, S/KEY, or PAM.  Unless at least one of these options is
  compiled into sshd, it is not vulnerable.  Further note that none of these
  options are turned on in a default build from source code, so if you have
  built sshd yourself you should not be vulnerable unless you've enabled one
  of these options.

  Regardless, the security provided by privsep is unquestionably better.
  This time we (Slackware) were lucky, but next time we might not be.
  Therefore we recommend that all sites running the OpenSSH daemon upgrade
  to this new openssh package.

  After upgrading the package, restart the daemon like this:

    /etc/rc.d/rc.sshd restart

  We would like to thank Theo and the rest of the OpenSSH team for their
  quick handling of this issue, Niels Provos and Markus Friedl for
  implementing privsep, and Solar Designer for working out issues with
  privsep on 2.2 Linux kernels.
----------------------------
Sat Jun 22 12:16:12 PDT 2002
libsafe.tgz:  Added libsafe, a library that intercepts and prevents buffer
  overflow attacks such as the Apache chunking issue.  If you are continuing
  to run a Slackware 7.1 machine that is exposed to the Internet, you would
  be well advised to install this.
----------------------------
Thu Apr 25 12:00:50 PDT 2002
patches/packages/sudo.tgz:  Upgraded to sudo-1.6.6.
  This version of sudo fixes a security problem whereby a local user may gain
  root access through corruption of the heap (Off-By-Five).  This issue was
  discovered by Global InterSec LLC, and more information may be found on
  their web site:
    http://www.globalintersec.com/adv/sudo-2002041701.txt
  The discussion on the site indicates that this problem may only be
  exploitable on systems that use PAM, which Slackware does not use.
  However, in the absence of proof, it still seems prudent to upgrade sudo
  immediately.
  (* Security fix *)
----------------------------
Wed Mar 13 11:56:05 PST 2002
patches/packages/cvs.tgz:  Fix dir perms:  chmod 755 /usr/share/cvs/contrib/.
patches/packages/rsync.tgz:  Upgraded to rsync-2.5.4 (fixes broken -z option).
----------------------------
Tue Mar 12 00:12:57 PST 2002
patches/packages/cvs.tgz:  Gzipped the tmp diff so that it applies correctly.
  Thanks to George Georgakis for pointing out the mistake.
  (* Security fix *)
----------------------------
Mon Mar 11 18:05:52 PST 2002
patches/packages/cvs.tgz:  Patched to link to the shared zlib on the system
  instead of statically linking to the included zlib source.  Also, use
  mktemp to create files in /tmp more safely.
  (* Security fix *)
----------------------------
Mon Mar 11 15:09:26 PST 2002
patches/packages/rsync.tgz:  Upgraded to rsync-2.5.3.  This fixes two
  security problems:
  * Make sure that supplementary groups are removed from a server process
    after changing uid and gid.  (Ethan Benson)
    (Debian bug #132272, CVE CAN-2002-0080)
  * Fix zlib double-free bug.  (Owen Taylor, Mark J Cox)  (CVE CAN-2002-0059)
  (* Security fix *)
----------------------------
Mon Mar 11 13:38:37 PST 2002
patches/packages/zlib.tgz:  Upgraded to zlib-1.1.4.  This fixes a security
  problem which may introduce vulnerabilities into any program that links
  with zlib.
  Quoting the advisory on zlib.org:  "Depending upon how and where the zlib
  routines are called from the given program, the resulting vulnerability
  may have one or more of the following impacts: denial of service,
  information leakage, or execution of arbitrary code."  Sites are urged to
  upgrade the zlib package immediately.  The complete advisory may be found
  here:
    http://www.zlib.org/advisory-2002-03-11.txt
  (* Security fix *)
----------------------------
Mon Mar 11 10:57:50 PST 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.1p1.  When preparing the
  update on Saturday evening, I neglected to copy the new openssh.tgz package
  out of the source directory and into the packages directory.  If you
  downloaded it since then, check to see if you have a
  /usr/doc/openssh-3.1p1/ directory -- if not, you'll need to grab the new
  package and install it.  Sorry about that...
----------------------------
Sat Mar 9 19:38:19 PST 2002
patches/packages/openssh.tgz:  Upgraded to openssh-3.1p1.  This fixes a
  security problem in the openssh package.  All sites running OpenSSH should
  upgrade immediately.  All versions of OpenSSH between 2.0 and 3.0.2 contain
  an off-by-one error in the channel code.  OpenSSH 3.1 and later are not
  affected.  This bug can be exploited locally by an authenticated user
  logging into a vulnerable OpenSSH server or by a malicious SSH server
  attacking a vulnerable OpenSSH client.  This bug was discovered by
  Joost Pol.
  (* Security fix *)
----------------------------
Fri Jan 25 14:25:51 PST 2002
patches/packages/rsync.tgz:  Fixed a security hole by upgrading to
  rsync-2.4.8pre1.  This is the relevant information from the rsync NEWS
  file:
    SECURITY FIXES:
    * Signedness security patch from Sebastian Krahmer -- in some cases we
      were not sufficiently careful about reading integers from the network.
  (* Security fix *)
----------------------------
Tue Jan 15 15:04:14 PST 2002
packages/glibc.tgz, glibcso.tgz:  Patched glibc-2.1.3.  Fixed a buffer
  overflow in the glob(3) function.
  This bug may be exploited through external services that might make use
  of it, like the port of OpenBSD's FTP server (not included in Slackware,
  but an example that's known to be affected).  It's highly recommended
  that internet-connected machines or machines with local users who might
  try to exploit setuid root binaries be upgraded as soon as possible.
  Added glibc-crypt-2.1.
  (* Security fix *)
packages/openssh.tgz:  Added openssh-3.0.2p1.
packages/openssl.tgz:  Added openssl-0.9.6c.
packages/ossllibs.tgz:  Added openssl-0.9.6c shared libraries.
----------------------------
Sun Dec 9 13:21:41 PST 2001
packages/wuftpd.tgz:  This package overwrites the wu-ftpd-2.6.1 installed by
  Slackware 7.1 (which has a nasty security hole), with wu-ftpd-2.6.2,
  recently released to fix the problem.  But for how long?  Don't install
  this package -- install the one below.
packages/proftpd.tgz:  This is proftpd-1.2.4.  Slackware switched to proftpd
  because of repeated security problems with wu-ftpd.  You can too. :)
  (* Security fix *)
----------------------------
Sun Aug 26 16:06:55 PDT 2001
An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus.  This problem can be exploited by local users to gain root
access.  It is not exploitable by remote attackers without shell access.
It is recommended that all multiuser sites running sendmail upgrade to these
new packages:
packages/procmail.tgz:  Upgraded to procmail-3.21.  The ChangeLog mentions
  these problems, but it's not known how serious they really are:
  - SECURITY: don't do unsafe things from signal handlers:
    - ignore TRAP when terminating because of a signal
    - resolve the host and protocol of COMSAT when it is set
    - save the absolute path form of $LASTFOLDER for the comsat message
      when it is set
    - only use the log buffer if it's safe
packages/sendmail.tgz:  Upgraded to sendmail.8.11.6.  Removed setup for MAPS,
  since it's no longer a free service.
packages/smailcfg.tgz:  Upgraded to sendmail.8.11.6 config files.
  Detailed information about this security problem may be found here:
    http://www.securityfocus.com/bid/3163
  (* Security fix *)
----------------------------
Thu Aug 9 20:56:55 PDT 2001
An advisory from zen-parse on BugTraq today describes a hole in the
netkit-0.17 telnetd daemon which is used in Slackware.  All sites running
telnet service are advised to upgrade using one of these updated packages as
soon as possible.
packages/tcpip1.tgz:  New version of the tcpip1 package containing a fixed
  /usr/sbin/in.telnetd.
packages/telnetd.tgz:  A patch-package containing just the fixed in.telnetd
  binary (for faster download).
  (* Security fix *)
----------------------------
Wed May 16 12:36:56 PDT 2001
packages/samba.tgz:  Upgraded to samba-2.0.9.  This is a bug fix release
  that fixes the security problem that samba-2.0.8 meant to address.
----------------------------
Mon Apr 23 23:39:07 PDT 2001
packages/samba.tgz:  Upgraded to samba-2.0.8.  Earlier versions have a temp
  file handling problem that could allow a local attacker to write to
  arbitrary devices, possibly destroying data.
----------------------------
Sun Apr 8 12:37:44 PDT 2001
packages/xntp.tgz:  Patched xntp3-5.93e against a recently reported buffer
  overflow problem.  All sites running xntp from Slackware 7.1 should either
  upgrade to this package or ensure that their /etc/ntp.conf does not allow
  connections from untrusted hosts.  To deny people access to your time
  daemon (not a bad idea anyway if you're only running ntp to keep your own
  clock updated) use this in /etc/ntp.conf:

    # Don't serve time or stats to anyone else
    restrict default ignore

----------------------------
Sat Mar 10 19:58:47 PST 2001
packages/gmc.tgz, mc.tgz:  Upgraded to mc-4.5.51, patched to prevent an
  input validation error on directory names.  More information can be found
  here:
    http://www.securityfocus.com/vdb/?id=2016
  Security Focus states, "Currently the SecurityFocus staff are not aware of
  any exploits for this issue."
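The rsync-2.4.8pre1 entry above (Fri Jan 25 2002) describes the fix only as being "not sufficiently careful about reading integers from the network". The following is an added example, not code from the ChangeLog or from the rsync project, showing the bug class in general form: a length field decoded from the wire into a signed int passes a "too large?" test when it is negative, and is then converted to an enormous size_t by the copy that follows. The wire format, the messages and every function name here are constructed for illustration.

```c
/* Added example: length-prefixed records from an untrusted peer, decoded
 * carelessly (signed length) and carefully (unsigned, bounded by both the
 * destination buffer and the bytes actually received).  The 4-byte
 * little-endian length prefix is a constructed format, not rsync's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Constructed sample messages (not captured traffic). */
static const unsigned char GOOD_MSG[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char EVIL_MSG[]  = { 0xff, 0xff, 0xff, 0xff, 'x' };   /* len = -1 as int */
static const unsigned char SHORT_MSG[] = { 5, 0, 0, 0, 'a', 'b', 'c' };     /* claims 5, sends 3 */

static uint32_t read_uint32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Careless pattern.  Returns 1 if the flawed check would accept the record.
 * It only reports the decision; it never performs the copy. */
int careless_accepts(const unsigned char *msg, size_t msglen)
{
    if (msglen < 4) return 0;
    int len = (int)read_uint32_le(msg);     /* 0xffffffff becomes -1 */
    if (len > MAX_PAYLOAD) return 0;        /* -1 > 64 is false: accepted */
    return 1;   /* memcpy(dst, msg + 4, len) would now copy ~4 GiB */
}

/* Careful pattern.  Returns the payload length copied, or -1 on rejection. */
int careful_read_payload(const unsigned char *msg, size_t msglen,
                         unsigned char out[MAX_PAYLOAD])
{
    if (msglen < 4) return -1;
    uint32_t len = read_uint32_le(msg);     /* stays unsigned */
    if (len > MAX_PAYLOAD) return -1;       /* 0xffffffff is simply too big */
    if (len > msglen - 4) return -1;        /* declared more than was received */
    memcpy(out, msg + 4, len);
    return (int)len;
}

/* Convenience checks on the three constructed messages. */
int good_payload_is_hello(void)
{
    unsigned char out[MAX_PAYLOAD];
    int n = careful_read_payload(GOOD_MSG, sizeof GOOD_MSG, out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int evil_rejected_by_careful(void)
{
    unsigned char out[MAX_PAYLOAD];
    return careful_read_payload(EVIL_MSG, sizeof EVIL_MSG, out) == -1;
}

int short_rejected_by_careful(void)
{
    unsigned char out[MAX_PAYLOAD];
    return careful_read_payload(SHORT_MSG, sizeof SHORT_MSG, out) == -1;
}

int main(void)
{
    printf("careless accepts EVIL_MSG:  %d (the bug)\n",
           careless_accepts(EVIL_MSG, sizeof EVIL_MSG));
    printf("careful rejects EVIL_MSG:   %d\n", evil_rejected_by_careful());
    printf("careful rejects SHORT_MSG:  %d\n", short_rejected_by_careful());
    printf("careful decodes GOOD_MSG:   %d\n", good_payload_is_hello());
    return 0;
}
```

The second bound in the careful version (length against bytes actually received) matters as much as the first: a peer that declares a plausible length and then sends fewer bytes makes the copy read past the received data.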
----------------------------
Mon Feb 26 22:30:38 PST 2001
packages/imapd.tgz:  Upgraded to IMAP4rev1 2000.287 from pine4.33.  A remote
  exploit exists for the previously included version of imapd, so all sites
  running imapd are urged to upgrade to the new version immediately.
packages/pine.tgz:  Upgraded to pine4.33.
----------------------------
Sat Feb 24 23:05:03 PST 2001
packages/sudo.tgz:  Upgraded to sudo-1.6.3p6.
----------------------------
Sun Jan 28 17:43:29 PST 2001
packages/bind.tgz:  Upgraded to bind-8.2.3.
----------------------------
Mon Nov 20 22:59:00 PST 2000
packages/ncurses.tgz:  Upgraded to ncurses-5.2.
----------------------------
Fri Nov 10 20:24:04 PST 2000
packages/bind.tgz:  Upgraded to bind-8.2.2-P7.  A bug in code intended to
  provide support for the transfer of compressed zone files can crash the
  name server, resulting in denial of service.  More BIND security
  information can be found at:
    http://www.isc.org/products/BIND/bind8.html
----------------------------
Wed Nov 1 12:35:58 PST 2000
packages/imapd.tgz:  Upgraded to IMAP4rev1 2000.283 from pine-4.30.
packages/pine.tgz:  Upgraded to pine-4.30.  Pine (versions 4.21 and before)
  contains a buffer overflow vulnerability which allows a remote user to
  execute arbitrary code on the local client by sending a specially-crafted
  email message.  The overflow occurs during the periodic "new mail"
  checking of an open folder.
----------------------------
Mon Oct 23 14:09:22 PDT 2000
packages/xlock.tgz:  Upgraded to xlockmore-4.17.2.  By providing a carefully
  crafted display variable to xlock, it is possible for a local attacker to
  gain root access.  Anyone running xlock on a public machine should upgrade
  to this version of xlock (or disable xlock) immediately.
----------------------------
Fri Oct 20 18:55:01 PDT 2000
packages/ppp.tgz:  Fixed stupid /tmp bug in ppp-off.  This could allow a
  local user to corrupt system files.
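The cvs entry (Mon Mar 11 2002, "use mktemp to create files in /tmp more safely"), the samba-2.0.8 entry (Mon Apr 23 2001) and the ppp-off entry just above all concern the same class of bug: a program creates a file in the shared /tmp directory under a name another local user can predict and pre-create, so the program ends up writing through a planted symlink to a file or device it never meant to touch. The following is an added example, not code from the ChangeLog or from the cvs, samba or ppp projects; it puts the predictable-name pattern beside the mkstemp(3) pattern that replaces it and verifies the result with fstat(2). In a shell script such as ppp-off the equivalent fix is mktemp(1). All function names are mine; the only side effect is a short-lived file under $TMPDIR or /tmp.

```c
/* Added example: unsafe vs. safe temporary file creation in C.
 * Only safe_open_tmp() is exercised; unsafe_open_tmp() is kept for contrast. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the entries above fixed: a guessable name, opened without
 * O_EXCL.  open(2) follows a symlink planted at that path, so whoever wins
 * the race chooses which file gets truncated and written.  Never called here. */
int unsafe_open_tmp(const char *name, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/%s.%ld", name, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* mkstemp(3) replaces the XXXXXX with a random suffix, creates the file
 * with O_CREAT|O_EXCL and mode 0600, and returns an already-open descriptor,
 * so a pre-existing file or symlink at the chosen name is never followed.
 * On success 'path' holds the name actually created.  Returns fd or -1. */
int safe_open_tmp(const char *name, char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    int n = snprintf(path, pathlen, "%s/%s.XXXXXX", dir, name);
    if (n < 0 || (size_t)n >= pathlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path);
}

/* Post-condition check on the descriptor (not the path, which could be
 * swapped underneath us): a regular file, owned by us, no group/other
 * permission bits, exactly one link.  Returns 1 if all hold. */
int tmpfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & 077) == 0 && st.st_nlink == 1;
}

/* Create, verify, write one byte, unlink.  Returns 1 on success. */
int demo_safe_roundtrip(void)
{
    char path[4096];
    int fd = safe_open_tmp("changelog-demo", path, sizeof path);
    if (fd < 0) return 0;
    int ok = tmpfile_is_private(fd) && write(fd, "x", 1) == 1;
    close(fd);
    unlink(path);           /* path was filled in by mkstemp */
    return ok;
}

/* Negative check: a character device is not a private regular file. */
int devnull_is_private(void)
{
    int fd = open("/dev/null", O_RDONLY);
    int r = fd >= 0 && tmpfile_is_private(fd);
    if (fd >= 0) close(fd);
    return r;
}

/* Negative check: a buffer too small for the template is refused. */
int tiny_buffer_is_refused(void)
{
    char path[4];
    return safe_open_tmp("x", path, sizeof path) == -1;
}

int main(void)
{
    printf("safe roundtrip ok:      %d\n", demo_safe_roundtrip());
    printf("/dev/null is private:   %d\n", devnull_is_private());
    printf("tiny buffer refused:    %d\n", tiny_buffer_is_refused());
    return 0;
}
```

The fstat(2) check runs on the descriptor rather than on the path on purpose: once the file is open, the name in /tmp can be renamed or replaced by anyone, but the open descriptor cannot.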
----------------------------
Sat Oct 14 20:03:51 PDT 2000
packages/apache.tgz:  Upgraded to apache_1.3.14.  It is recommended that
  sites using Apache upgrade to this version of the apache package as soon
  as possible.  The following security problems are fixed with this version
  of Apache (from the Apache announcement):
  * A problem with the Rewrite module, mod_rewrite, allowed access to any
    file on the web server under certain circumstances
  * The handling of Host: headers in mass virtual hosting configurations,
    mod_vhost_alias, could allow access to any file on the server
  * If a cgi-bin directory is under the document root, the source to the
    scripts inside it could be sent if using mass virtual hosting
----------------------------
Thu Sep 28 19:45:07 PDT 2000
packages/tcpip1.tgz:  Upgraded to wu-ftpd-2.6.1.  This fixes a possible
  format string hole reported on BugTraq.
----------------------------
Mon Sep 18 11:13:56 PDT 2000
packages/sysklogd.tgz:  Upgraded to sysklogd-1.4.  This fixes the "klogd
  format bug" announced this morning on BugTraq.
----------------------------
Tue Sep 12 20:12:08 PDT 2000
packages/xchat.tgz:  Upgraded to xchat-1.5.7.  This fixes the "X-Chat
  Command Execution Via URLs Vulnerability" described on BugTraq.  A console
  version of X-Chat (xchat-text) has also been added to this updated package.
----------------------------
Mon Sep 4 22:48:59 PDT 2000
This update fixes the three known locale-related vulnerabilities in
glibc-2.1.3 recently reported on BugTraq that allow local users to gain root
access.  Thanks to Solar Designer for putting together a set of patches from
the current glibc CVS version.
packages/glibcso.tgz:  Recompiled with security patch for glibc-2.1.3.
packages/glibc.tgz:  Recompiled with security patch for glibc-2.1.3.
packages/descrypt.tgz:  Recompiled with security patch for glibc-2.1.3.
  Note that if you don't reinstall this package after installing glibcso.tgz
  and/or glibc.tgz, the C library will be limited to using MD5 crypt().
----------------------------
Sat Sep 2 01:26:24 PDT 2000
packages/perl.tgz:  Patched suidperl to report hack attempts through syslog,
  not /bin/mail.  This patch closes a security hole through which local users
  can gain root access using /usr/bin/suidperl5.6.0.
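The openssh-3.4p1 entry at the top of this log quotes README.privsep: root-only operations are performed by a separate privileged monitor, so that memory corruption in the process handling network input is contained in an unprivileged process. The following is an added example, not OpenSSH code and not from the ChangeLog, showing that shape in miniature: a monitor keeps its privileges and answers a fixed allow-list of requests over a socketpair, while a forked worker does the risky parsing of a constructed "command" and can only ask the monitor for what the request protocol permits. The real privilege drop in the worker (setgroups/setgid/setuid to an unprivileged account, chroot to an empty directory) needs root and is only marked with a comment. Request types, message structs and function names are all mine.

```c
/* Added example: the monitor/worker shape of privilege separation.
 * Returns, from the monitor's point of view:
 *   1  the worker sent an allowed request and it was served
 *   0  the worker asked for something off the allow-list; refused
 *  -1  the worker gave up (bad input) before making a valid request
 *  -2  could not set up the socketpair or fork */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum req_type { REQ_GET_DATA = 1 };      /* the only request the monitor honours */

struct request { int type; };
struct reply   { int ok; char text[64]; };

/* Worker side: runs in the child with the untrusted input.  In a real
 * daemon the first thing here would be setgroups(0, NULL), setgid(),
 * setuid() to a dedicated account and chroot() to an empty directory;
 * that needs root, so this demo omits it.  Returns the exit status. */
static int worker(int fd, const char *untrusted)
{
    struct request req;
    if (strcmp(untrusted, "GETDATA") == 0)
        req.type = REQ_GET_DATA;
    else if (strcmp(untrusted, "SHUTDOWN") == 0)
        req.type = 99;                    /* not on the allow-list */
    else
        return 3;                         /* unparseable input: give up */

    if (write(fd, &req, sizeof req) != (ssize_t)sizeof req) return 4;
    struct reply rep;
    if (read(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) return 4;
    return rep.ok ? 0 : 2;
}

/* Monitor side: serves requests until the worker exits and its end of the
 * socketpair closes.  Every request is matched against the allow-list;
 * anything else is answered with ok=0 and counted. */
static void monitor_loop(int fd, int *served, int *refused)
{
    struct request req;
    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        struct reply rep;
        memset(&rep, 0, sizeof rep);
        if (req.type == REQ_GET_DATA) {
            /* stands in for an operation only the privileged side may do */
            snprintf(rep.text, sizeof rep.text, "%s", "monitor-only-data");
            rep.ok = 1;
            (*served)++;
        } else {
            (*refused)++;                 /* a real monitor would also log this */
        }
        if (write(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) break;
    }
}

int privsep_run(const char *untrusted)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -2; }
    if (pid == 0) {                       /* worker */
        close(sv[0]);
        _exit(worker(sv[1], untrusted));
    }
    close(sv[1]);                         /* monitor keeps only its own end */
    int served = 0, refused = 0;
    monitor_loop(sv[0], &served, &refused);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (served) return 1;
    if (refused) return 0;
    return -1;
}

int main(void)
{
    printf("GETDATA  -> %d (served)\n",  privsep_run("GETDATA"));
    printf("SHUTDOWN -> %d (refused)\n", privsep_run("SHUTDOWN"));
    printf("garbage  -> %d (worker gave up)\n", privsep_run("garbage"));
    return 0;
}
```

The point the README.privsep text makes is visible in the return codes: whatever the worker does with its input, the only thing it can obtain from the privileged side is what REQ_GET_DATA returns, and a worker that misbehaves or dies leaves the monitor running.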