Wed Jul 25 02:02:40 UTC 2012
patches/packages/libpng-1.2.50-i486-1_slack10.0.tgz:  Upgraded.
  Fixed incorrect type (int copy should be png_size_t copy) in png_inflate()
  (fixes CVE-2011-3045).
  Revised png_set_text_2() to avoid potential memory corruption (fixes
  CVE-2011-3048).
  Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
  (* Security fix *)
+--------------------------+
Thu Jun 14 05:02:39 UTC 2012
####################################################################
# NOTICE OF IMPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
#                                                                  #
# Effective August 1, 2012, security patches will no longer be     #
# provided for the following versions of Slackware (which will all #
# be more than 5 years old at that time):                          #
# Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0.           #
# If you are still running these versions you should consider      #
# migrating to a newer version (preferably as recent as possible). #
# Alternately, you may make arrangements to handle your own        #
# security patches.  If for some reason you are unable to upgrade  #
# or handle your own security patches, limited security support    #
# may be available for a fee.  Inquire at security@slackware.com.  #
####################################################################
patches/packages/bind-9.7.6_P1-i486-1_slack10.0.tgz:  Upgraded.
  This release fixes an issue that could crash BIND, leading to a denial of
  service.  It also fixes the so-called "ghost names attack" whereby a
  remote attacker may trigger continued resolvability of revoked domain names.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
  IMPORTANT NOTE:  This is an upgraded version of BIND, _not_ a patched one.
  It is likely to be more strict about the correctness of configuration files.
  Care should be taken about deploying this upgrade on production servers to
  avoid an unintended interruption of service.
  (* Security fix *)
+--------------------------+
Wed May 23 00:14:52 UTC 2012
patches/packages/libxml2-2.6.32-i486-2_slack10.0.tgz:  Upgraded.
  Patched an off-by-one error in XPointer that could lead to a crash or
  possibly the execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
  (* Security fix *)
+--------------------------+
Wed Apr 11 17:16:32 UTC 2012
patches/packages/samba-3.0.37-i486-5_slack10.0.tgz:  Rebuilt.
  This is a security release in order to address a vulnerability that allows
  remote code execution as the "root" user.  All sites running a Samba
  server should update to the new Samba package and restart Samba.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
  (* Security fix *)
+--------------------------+
Sat Apr 7 21:48:42 UTC 2012
patches/packages/libtiff-3.8.2-i486-4_slack10.0.tgz:  Rebuilt.
  Patched overflows that could lead to arbitrary code execution when parsing
  a malformed image file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
  (* Security fix *)
+--------------------------+
Wed Feb 22 18:14:58 UTC 2012
patches/packages/libpng-1.2.47-i486-1_slack10.0.tgz:  Upgraded.
  All branches of libpng prior to versions 1.5.9, 1.4.9, 1.2.47, and 1.0.57,
  respectively, fail to correctly validate a heap allocation in
  png_decompress_chunk(), which can lead to a buffer-overrun and the
  possibility of execution of hostile code on 32-bit systems.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
  (* Security fix *)
+--------------------------+
Thu Nov 17 02:09:25 UTC 2011
patches/packages/bind-9.4_ESV_R5_P1-i486-1_slack10.0.tgz:  Upgraded.
  --- 9.4-ESV-R5-P1 released ---
  3218.
  [security] Cache lookup could return RRSIG data associated with
  nonexistent records, leading to an assertion failure. [RT #26590]
  (* Security fix *)
+--------------------------+
Fri Aug 12 23:20:00 UTC 2011
patches/packages/bind-9.4_ESV_R5-i486-1_slack10.0.tgz:  Upgraded.
  This BIND update addresses a couple of security issues:
  * named, set up to be a caching resolver, is vulnerable to a user
    querying a domain with very large resource record sets (RRSets)
    when trying to negatively cache the response.  Due to an off-by-one
    error, caching the response could cause named to crash.
    [RT #24650] [CVE-2011-1910]
  * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
    processing code that could allow certain UPDATE requests to crash
    named. [RT #24777] [CVE-2011-2464]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
  (* Security fix *)
+--------------------------+
Fri Jul 29 18:22:40 UTC 2011
patches/packages/libpng-1.2.46-i486-1_slack10.0.tgz:  Upgraded.
  Fixed uninitialized memory read in png_format_buffer()
  (Bug report by Frank Busse, related to CVE-2004-0421).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
  (* Security fix *)
+--------------------------+
Mon Jun 20 00:49:34 UTC 2011
patches/packages/fetchmail-6.3.20-i486-1_slack10.0.tgz:  Upgraded.
  This release fixes a denial of service in STARTTLS protocol phases.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947
    http://www.fetchmail.info/fetchmail-SA-2011-01.txt
  (* Security fix *)
+--------------------------+
Fri May 27 22:56:00 UTC 2011
patches/packages/bind-9.4_ESV_R4_P1-i486-1_slack10.0.tgz:  Upgraded.
  This release fixes security issues:
  * A large RRSET from a remote authoritative server that results in
    the recursive resolver trying to negatively cache the response can
    hit an off by one code error in named, resulting in named crashing.
    [RT #24650] [CVE-2011-1910]
  * Zones that have a DS record in the parent zone but are also listed in
    a DLV and won't validate without DLV could fail to validate. [RT #24631]
  For more information, see:
    http://www.isc.org/software/bind/advisories/cve-2011-1910
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
  (* Security fix *)
+--------------------------+
Fri Apr 8 06:58:48 UTC 2011
patches/packages/libtiff-3.8.2-i486-3_slack10.0.tgz:  Rebuilt.
  Patched overflows that could lead to arbitrary code execution when parsing
  a malformed image file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0192
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
  (* Security fix *)
+--------------------------+
Thu Apr 7 04:07:29 UTC 2011
patches/packages/dhcp-3.1_ESV_R1-i486-1_slack10.0.tgz:  Upgraded.
  In dhclient, check the data for some string options for reasonableness
  before passing it along to the script that interfaces with the OS.
  This prevents some possible attacks by a hostile DHCP server.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
  (* Security fix *)
+--------------------------+
Mon Feb 28 22:19:08 UTC 2011
patches/packages/samba-3.0.37-i486-4_slack10.0.tgz:  Rebuilt.
  Fix memory corruption denial of service issue.
  For more information, see:
    http://www.samba.org/samba/security/CVE-2011-0719
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719
  (* Security fix *)
+--------------------------+
Thu Feb 10 21:19:38 UTC 2011
patches/packages/sudo-1.7.4p6-i486-1_slack10.0.tgz:  Upgraded.
  Fix Runas group password checking.
  For more information, see the included CHANGES and NEWS files, and:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0010
  (* Security fix *)
+--------------------------+
Thu Dec 16 18:57:05 UTC 2010
patches/packages/bind-9.4_ESV_R4-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes some security issues.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
  (* Security fix *)
+--------------------------+
Sat Nov 20 21:20:27 UTC 2010
patches/packages/xpdf-3.02pl5-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes security issues that could lead to an
  application crash, or execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704
  (* Security fix *)
+--------------------------+
Mon Sep 20 18:39:57 UTC 2010
patches/packages/bzip2-1.0.6-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes an integer overflow that could allow a specially
  crafted bzip2 archive to cause a crash (denial of service), or execute
  arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
  (* Security fix *)
+--------------------------+
Wed Sep 15 18:51:21 UTC 2010
patches/packages/sudo-1.7.4p4-i486-3_slack10.0.tgz:  Rebuilt.
  Hi folks, since the patches for old systems (8.1 - 10.2) were briefly
  available containing a /var/lib with incorrect permissions, I'm issuing
  these again just to be 100% sure that no systems out there will be left
  with problems due to that.  This should do it (third time's the charm).
+--------------------------+
Wed Sep 15 05:58:55 UTC 2010
patches/packages/sudo-1.7.4p4-i486-2_slack10.0.tgz:  Rebuilt.
  The last sudo packages accidentally changed the permissions on /var from
  755 to 700.  This build restores the proper permissions.
  Thanks to Petri Kaukasoina for pointing this out.
+--------------------------+
Wed Sep 15 00:41:13 UTC 2010
patches/packages/samba-3.0.37-i486-3_slack10.0.tgz:  Upgraded.
  This upgrade fixes a buffer overflow in the sid_parse() function.
  For more information, see:
    http://www.samba.org/samba/security/CVE-2010-3069
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069
  (* Security fix *)
patches/packages/sudo-1.7.4p4-i486-1_slack10.0.tgz:  Upgraded.
  This fixes a flaw that could lead to privilege escalation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
  (* Security fix *)
+--------------------------+
Wed Jun 30 04:51:49 UTC 2010
patches/packages/libtiff-3.8.2-i486-2_slack10.0.tgz:  Rebuilt.
  This fixes image structure handling bugs that could lead to crashes or
  execution of arbitrary code if a specially-crafted TIFF image is loaded.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
  (* Security fix *)
patches/packages/libpng-1.2.44-i486-1_slack10.0.tgz:  Upgraded.
  This fixes out-of-bounds memory write bugs that could lead to crashes
  or the execution of arbitrary code, and a memory leak bug which could
  lead to application crashes.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
  (* Security fix *)
+--------------------------+
Sun Jun 27 04:02:55 UTC 2010
patches/packages/bind-9.4.3_P5-i486-2_slack10.0.tgz:  Rebuilt.
  At least some of these updates for 2.4.x systems were built under a 2.6.x
  kernel, and didn't work.  Sorry, I think I've fixed the issue on this end
  this time.  If the previous update did not work for you, try this one.
+--------------------------+
Fri Jun 25 05:28:02 UTC 2010
patches/packages/bind-9.4.3_P5-i486-1_slack10.0.tgz:  Upgraded.
  This fixes possible DNS cache poisoning attacks when DNSSEC is enabled
  and checking is disabled (CD).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
  (* Security fix *)
+--------------------------+
Fri Jun 18 18:09:28 UTC 2010
patches/packages/samba-3.0.37-i486-2_slack10.0.tgz:  Rebuilt.
  Patched a buffer overflow in smbd that allows remote attackers to cause
  a denial of service (memory corruption and daemon crash) or possibly
  execute arbitrary code via a crafted field in a packet.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2063
  (* Security fix *)
+--------------------------+
Sun May 16 20:01:28 UTC 2010
patches/packages/fetchmail-6.3.17-i486-1_slack10.0.tgz:  Upgraded.
  A crafted header or POP3 UIDL list could cause a memory leak and crash
  leading to a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1167
  (* Security fix *)
+--------------------------+
Tue Apr 20 14:45:24 UTC 2010
patches/packages/sudo-1.7.2p6-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes security issues that may give a user with permission
  to run sudoedit the ability to run arbitrary commands.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0426
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
    http://www.gratisoft.us/sudo/alerts/sudoedit_escalate.html
    http://www.gratisoft.us/sudo/alerts/sudoedit_escalate2.html
  (* Security fix *)
+--------------------------+
Thu Dec 10 00:12:58 UTC 2009
patches/packages/ntp-4.2.2p3-i486-2_slack10.0.tgz:  Rebuilt.
  Prevent a denial-of-service attack involving spoofed mode 7 packets.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
  (* Security fix *)
+--------------------------+
Wed Dec 2 20:51:55 UTC 2009
patches/packages/bind-9.4.3_P4-i486-1_slack10.0.tgz:  Upgraded.
  BIND 9.4.3-P4 is a SECURITY PATCH for BIND 9.4.3-P3.
  It addresses a potential cache poisoning vulnerability, in which data in
  the additional section of a response could be cached without proper
  DNSSEC validation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
    http://www.kb.cert.org/vuls/id/418861
  (* Security fix *)
+--------------------------+
Wed Oct 28 01:23:19 UTC 2009
patches/packages/xpdf-3.02pl4-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes several security issues that could lead to an
  application crash, or execution of arbitrary code.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
  (* Security fix *)
+--------------------------+
Sat Oct 3 18:19:00 CDT 2009
patches/packages/samba-3.0.37-i486-1_slack10.0.tgz:
  This update fixes the following security issues.
  A misconfigured /etc/passwd with no defined home directory could allow
  security restrictions to be bypassed.
  mount.cifs could allow a local user to read the first line of an arbitrary
  file if installed setuid.  (On Slackware, it was not installed setuid)
  Specially crafted SMB requests could cause a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2948
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906
  (* Security fix *)
+--------------------------+
Fri Aug 14 13:42:26 CDT 2009
patches/packages/curl-7.12.2-i486-4_slack10.0.tgz:
  This update fixes a security issue where a zero byte embedded in an SSL
  or TLS certificate could fool cURL into validating the security of a
  connection to a system that the certificate was not issued for.
  It has been reported that at least one Certificate Authority allowed such
  certificates to be issued.
  For more information, see:
    http://curl.haxx.se/docs/security.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417
  (* Security fix *)
+--------------------------+
Fri Aug 7 14:25:03 CDT 2009
patches/packages/samba-3.0.36-i486-1_slack10.0.tgz:  Upgraded.
  This is a bugfix release.
+--------------------------+
Thu Aug 6 00:48:30 CDT 2009
patches/packages/fetchmail-6.3.11-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes an SSL NUL prefix impersonation attack through NULs in
  a part of an X.509 certificate's CommonName and subjectAltName fields.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
  (* Security fix *)
+--------------------------+
Wed Jul 29 23:10:01 CDT 2009
patches/packages/bind-9.4.3_P3-i486-1_slack10.0.tgz:  Upgraded.
  This BIND update fixes a security problem where a specially crafted
  dynamic update message packet will cause named to exit resulting in
  a denial of service.
  An active remote exploit is in wide circulation at this time.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696
    https://www.isc.org/node/479
  (* Security fix *)
+--------------------------+
Tue Jul 14 18:07:41 CDT 2009
patches/packages/dhcp-3.1.2p1-i486-1_slack10.0.tgz:  Upgraded.
  A stack overflow vulnerability was fixed in dhclient that could allow
  remote attackers to execute arbitrary commands as root on the system,
  or simply terminate the client, by providing an over-long subnet-mask
  option.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
  (* Security fix *)
+--------------------------+
Fri Jun 26 22:05:35 CDT 2009
patches/packages/samba-3.0.35-i486-1_slack10.0.tgz:
  This upgrade fixes the following security issue:
  o CVE-2009-1888:
    In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
    data value can potentially affect access control when "dos filemode"
    is set to "yes".
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
  (* Security fix *)
+--------------------------+
Fri Jun 19 18:22:20 CDT 2009
patches/packages/libpng-1.2.37-i486-1_slack10.0.tgz:  Upgraded.
  This update fixes a possible security issue.  Jeff Phillips discovered an
  uninitialized-memory-read bug affecting interlaced images that may have
  security implications.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
  (* Security fix *)
+--------------------------+
Wed Jun 3 18:09:52 CDT 2009
patches/packages/ntp-4.2.2p3-i486-1_slack10.0.tgz:
  Patched a stack-based buffer overflow in the cookedprint function in
  ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 that allows arbitrary code
  execution by a malicious remote NTP server.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
  (* Security fix *)
+--------------------------+
Sat May 9 18:03:41 CDT 2009
patches/packages/xpdf-3.02pl3-i486-1_slack10.0.tgz:
  Upgraded to xpdf-3.02pl3.
  This update fixes several overflows that may result in crashes or the
  execution of arbitrary code as the xpdf user.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0165
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
  (* Security fix *)
+--------------------------+
Tue Mar 24 01:56:10 CDT 2009
patches/packages/lcms-1.18-i486-1_slack10.0.tgz:  Upgraded to lcms-1.18.
  This update fixes security issues discovered in LittleCMS by Chris Evans.
  These flaws could cause program crashes (denial of service) or the execution
  of arbitrary code as the user of the lcms-linked program.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
  (* Security fix *)
+--------------------------+
Mon Mar 9 00:04:05 CDT 2009
patches/packages/curl-7.12.2-i486-3_slack10.0.tgz:  Patched curl-7.12.2.
  This fixes a security issue where automatic redirection could be made to
  follow file:// URLs, reading or writing a local instead of remote file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
  (* Security fix *)
+--------------------------+
Fri Feb 20 17:20:49 CST 2009
patches/packages/libpng-1.2.35-i486-1_slack10.0.tgz:
  Upgraded to libpng-1.2.35.
  This fixes multiple memory-corruption vulnerabilities due to a failure to
  properly initialize data structures.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
    ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt
  (* Security fix *)
+--------------------------+
Wed Jan 14 20:37:39 CST 2009
patches/packages/bind-9.3.6_P1-i486-1_slack10.0.tgz:
  Upgraded to bind-9.3.6-P1.
  Fixed checking on return values from OpenSSL's EVP_VerifyFinal and
  DSA_do_verify functions to prevent spoofing answers returned from zones
  using the DNSKEY algorithms DSA and NSEC3DSA.
  For more information, see:
    https://www.isc.org/node/373
    http://www.ocert.org/advisories/ocert-2008-016.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
  (* Security fix *)
patches/packages/ntp-4.2.4p6-i486-1_slack10.0.tgz:
  [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
  For more information, see:
    https://lists.ntp.org/pipermail/announce/2009-January/000055.html
    http://www.ocert.org/advisories/ocert-2008-016.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
  (* Security fix *)
+--------------------------+
Fri Nov 28 16:27:52 CST 2008
patches/packages/samba-3.0.33-i486-1_slack10.0.tgz:
  Upgraded to samba-3.0.33.
  This package fixes an important barrier against rogue clients reading from
  uninitialized memory (though no proof-of-concept is known to exist).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314
  (* Security fix *)
+--------------------------+
Wed Nov 19 19:13:12 CST 2008
patches/packages/libxml2-2.6.32-i486-1_slack10.0.tgz:
  Upgraded to libxml2-2.6.32 and patched.
  This fixes vulnerabilities including denial of service, or possibly the
  execution of arbitrary code as the user running a libxml2 linked application
  if untrusted XML content is parsed.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226
  (* Security fix *)
+--------------------------+
Mon Oct 13 13:58:21 CDT 2008
patches/packages/glibc-zoneinfo-2.3.2-noarch-11_slack10.0.tgz:
  Upgraded to tzdata2008h for the latest world timezone changes.
+--------------------------+
Wed Sep 17 02:28:20 CDT 2008
patches/packages/bind-9.3.5_P2-i486-1_slack10.0.tgz:
  Upgraded to bind-9.3.5-P2.
  This version has performance gains over bind-9.3.5-P1.
+--------------------------+
Mon Sep 1 21:56:29 CDT 2008
patches/packages/samba-3.0.32-i486-1_slack10.0.tgz:
  Upgraded to samba-3.0.32.
  This is a bugfix release.  See the WHATSNEW.txt file in the Samba docs
  for details on what has changed.
+--------------------------+
Mon Jul 28 22:05:06 CDT 2008
patches/packages/fetchmail-6.3.8-i486-1_slack10.0.tgz:
  Patched to fix a possible denial of service when "-v -v" options are used.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711
  (* Security fix *)
+--------------------------+
Wed Jul 23 16:27:21 CDT 2008
patches/packages/dnsmasq-2.45-i486-1_slack10.0.tgz:
  Upgraded to dnsmasq-2.45.
  It was discovered that earlier versions of dnsmasq have DNS cache
  weaknesses that are similar to the ones recently discovered in BIND.
  This new release minimizes the risk of cache poisoning.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  (* Security fix *)
+--------------------------+
Wed Jul 9 20:03:57 CDT 2008
patches/packages/bind-9.3.5_P1-i486-1_slack10.0.tgz:
  Upgraded to bind-9.3.5-P1.
  This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache
  Poisoning Issue.  This is the summary of the problem from the BIND site:
    "A weakness in the DNS protocol may enable the poisoning of caching
     recursive resolvers with spoofed data.  DNSSEC is the only full solution.
     New versions of BIND provide increased resilience to the attack."
  It is suggested that sites that run BIND upgrade to one of the new packages
  in order to reduce their exposure to DNS cache poisoning attacks.
  For more information, see:
    http://www.isc.org/sw/bind/bind-security.php
    http://www.kb.cert.org/vuls/id/800113
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
  (* Security fix *)
+--------------------------+
Wed May 28 19:46:22 CDT 2008
patches/packages/samba-3.0.30-i486-1_slack10.0.tgz:
  Upgraded to samba-3.0.30.
  This is a security release in order to address CVE-2008-1105 ("Boundary
  failure when parsing SMB responses can result in a buffer overrun").
  For more information on the security issue, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
  (* Security fix *)
+--------------------------+
Mon Apr 28 23:46:17 CDT 2008
patches/packages/libpng-1.2.27-i486-1_slack10.0.tgz:
  Upgraded to libpng-1.2.27.
  This fixes various bugs, the most important of which have to do with the
  handling of unknown chunks containing zero-length data.  Processing a PNG
  image that contains these could cause the application using libpng to crash
  (possibly resulting in a denial of service), could potentially expose the
  contents of uninitialized memory, or could cause the execution of arbitrary
  code as the user running libpng (though it would probably be quite difficult
  to cause the execution of attacker-chosen code).  We recommend upgrading the
  package as soon as possible.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382
    ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng-1.2.27-README.txt
  (* Security fix *)
+--------------------------+
Sat Apr 19 23:49:25 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-3_slack10.0.tgz:
  Recompiled, with --without-speex (we didn't ship the speex library in
  Slackware anyway, but for reference this issue would be CVE-2008-1686),
  and with --disable-nosefart (the recently reported as insecurely
  demuxed NSF format).
  As before in -2, this package fixes the two
  regressions mentioned in the release notes for xine-lib-1.1.12:
    http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655
  (* Security fix *)
+--------------------------+
Tue Apr 8 00:17:36 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-2_slack10.0.tgz:
  Patched to fix playback failure affecting several media formats
  accidentally broken in the xine-lib-1.1.11.1 release.
  Thanks to Diogo Sousa for pointing me to the new release notes on xinehq.de.
+--------------------------+
Mon Apr 7 02:04:58 CDT 2008
patches/packages/bzip2-1.0.5-i486-1_slack10.0.tgz:  Upgraded to bzip2-1.0.5.
  Previous versions of bzip2 contained a buffer overread error that could cause
  applications linked to libbz2 to crash, resulting in a denial of service.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
  (* Security fix *)
patches/packages/m4-1.4.11-i486-1_slack10.0.tgz:  Upgraded to m4-1.4.11.
  In addition to bugfixes and enhancements, this version of m4 also fixes two
  issues with possible security implications.  A minor security fix with the
  use of "maketemp" and "mkstemp" -- these are now quoted to prevent the
  (rather unlikely) possibility that an unquoted string could match an
  existing macro causing operations to be done on the wrong file.  Also,
  a problem with the '-F' option (introduced with version 1.4) could cause a
  core dump or possibly (with certain file names) the execution of arbitrary
  code.
  For more information on these issues, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
  (* Security fix *)
+--------------------------+
Fri Apr 4 12:36:37 CDT 2008
patches/packages/openssh-5.0p1-i486-1_slack10.0.tgz:
  Upgraded to openssh-5.0p1.
  This version fixes a security issue where local users could hijack forwarded
  X connections.  Upgrading to the new package is highly recommended.
  For more information on this security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
  (* Security fix *)
+--------------------------+
Mon Mar 31 23:33:58 CDT 2008
patches/packages/xine-lib-1.1.11.1-i686-1_slack10.0.tgz:
  Upgraded to xine-lib-1.1.11.1.
  Earlier versions of xine-lib suffer from an integer overflow which may lead
  to a buffer overflow that could potentially be used to gain unauthorized
  access to the machine if a malicious media file is played back.  File types
  affected this time include .flv, .mov, .rm, .mve, .mkv, and .cak.
  For more information on this security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
  (* Security fix *)
+--------------------------+
Sat Mar 29 03:09:17 CDT 2008
patches/packages/xine-lib-1.1.11-i686-1_slack10.0.tgz:
  Earlier versions of xine-lib suffer from an array index bug that may have
  security implications if a malicious RTSP stream is played.  Playback of
  other media formats is not affected.
  If you use RTSP, you should probably upgrade xine-lib.
  For more information on the security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
  (* Security fix *)
+--------------------------+
Thu Feb 14 17:05:55 CST 2008
patches/packages/apache-1.3.41-i486-1_slack10.0.tgz:
  Upgraded to apache-1.3.41, the last regular release of the
  Apache 1.3.x series, and a security bugfix-only release.
  For more information about the security issues fixed, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
  (* Security fix *)
patches/packages/mod_ssl-2.8.31_1.3.41-i486-1_slack10.0.tgz:
  Upgraded to mod_ssl-2.8.31-1.3.41 to work with apache_1.3.41.
+--------------------------+
Mon Dec 31 18:49:52 CST 2007
patches/packages/glibc-zoneinfo-2.3.2-noarch-10_slack10.0.tgz:
  Some deja vu.  ;-)
  Upgraded to tzdata2007k.
  A new year should be started with the latest timezone data, so here it is.
  Happy holidays, and a happy new year to all!  :-)
+--------------------------+
Mon Dec 24 15:54:26 CST 2007
patches/packages/glibc-zoneinfo-2.3.2-noarch-9_slack10.0.tgz:
  Upgraded to tzdata2007j.  A new year should be started with the latest
  timezone data, so here it is.
  Happy holidays, and a happy new year to all!  :-)
+--------------------------+
Mon Dec 10 12:45:35 CST 2007
patches/packages/samba-3.0.28-i486-1_slack10.0.tgz:
  Upgraded to samba-3.0.28.
  Samba 3.0.28 is a security release in order to address a boundary failure
  in GETDC mailslot processing that can result in a buffer overrun leading
  to possible code execution.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6015
    http://www.samba.org/samba/history/samba-3.0.28.html
    http://secunia.com/secunia_research/2007-99/advisory/
  (* Security fix *)
+--------------------------+
Mon Dec 3 19:58:51 CST 2007
patches/packages/samba-3.0.27a-i486-1_slack10.0.tgz:
  Upgraded to samba-3.0.27a.
  This update fixes a crash bug regression experienced by smbfs clients caused
  by the fix for CVE-2007-4572.
+--------------------------+
Sat Dec 1 16:57:18 CST 2007
patches/packages/rsync-2.6.9-i486-1_slack10.0.tgz:
  Patched some security bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091
    http://lists.samba.org/archive/rsync-announce/2007/000050.html
  (* Security fix *)
+--------------------------+
Wed Nov 21 00:55:51 CST 2007
patches/packages/libpng-1.2.23-i486-1_slack10.0.tgz:
  Upgraded to libpng-1.2.23.
  Previous libpng versions may crash when loading malformed PNG files.
  It is not currently known if this vulnerability can be exploited to
  execute malicious code.
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5268 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269 (* Security fix *) +--------------------------+ Fri Nov 16 17:22:18 CST 2007 patches/packages/samba-3.0.27-i486-1_slack10.0.tgz: Upgraded to samba-3.0.27. Samba 3.0.27 is a security release in order to address a stack buffer overflow in nmbd's logon request processing, and remote code execution in Samba's WINS server daemon (nmbd) when processing name registration followed by name query requests. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398 (* Security fix *) +--------------------------+ Mon Nov 12 01:25:34 CST 2007 patches/packages/xpdf-3.02pl2-i486-1_slack10.0.tgz: Upgraded to xpdf-3.02pl2. The pl2 patch fixes a crash in xpdf. Some theorize that this could be used to execute arbitrary code if an untrusted PDF file is opened, but no real-world examples are known (yet). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393 (* Security fix *) +--------------------------+ Thu Nov 1 22:03:53 CDT 2007 patches/packages/cups-1.1.21-i486-2_slack10.0.tgz: Patched cups-1.1.21. Errors in ipp.c may allow a remote attacker to crash CUPS resulting in a denial of service. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4351 (* Security fix *) +--------------------------+ Wed Oct 10 11:50:50 CDT 2007 patches/packages/glibc-zoneinfo-2.3.2-noarch-8_slack10.0.tgz: Upgraded to timezone data from tzcode2007h and tzdata2007h.
This contains the latest timezone data from NIST, including some important changes to daylight savings time in Brasil and New Zealand. +--------------------------+ Wed Sep 12 15:20:06 CDT 2007 patches/packages/openssh-4.7p1-i486-1_slack10.0.tgz: Upgraded to openssh-4.7p1. From the OpenSSH release notes: "Security bugs resolved in this release: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec." While it's fair to say that we here at Slackware don't see how this could be leveraged to compromise a system, a) the OpenSSH people (who presumably understand the code better) characterize this as a security bug, b) it has been assigned a CVE entry, and c) OpenSSH is one of the most commonly used network daemons. Better safe than sorry. More information should appear here eventually: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752 (* Security fix *) patches/packages/samba-3.0.26a-i486-1_slack10.0.tgz: Upgraded to samba-3.0.26a. This fixes a security issue in all Samba 3.0.25 versions: "Incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin." For more information, see: http://www.samba.org/samba/security/CVE-2007-4138.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4138 (* Security fix *) +--------------------------+ Sat Aug 18 15:00:32 CDT 2007 patches/packages/tcpdump-3.9.7-i486-1_slack10.0.tgz: Upgraded to libpcap-0.9.7, tcpdump-3.9.7. This new version fixes an integer overflow in the BGP dissector which could possibly allow remote attackers to crash tcpdump or to execute arbitrary code. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798 (* Security fix *) +--------------------------+ Fri Aug 10 22:39:13 CDT 2007 patches/packages/xpdf-3.02pl1-i486-1_slack10.0.tgz: Upgraded to xpdf-3.02pl1. 
This fixes an integer overflow that could possibly be leveraged to run arbitrary code if a malicious PDF file is processed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387 (* Security fix *) +--------------------------+ Thu Jul 26 15:51:42 CDT 2007 patches/packages/bind-9.2.8_P1-i486-1_slack10.0.tgz: Upgraded to bind-9.2.8_P1 to fix a security issue. The query IDs in BIND9 prior to BIND 9.2.8-P1 are cryptographically weak. For more information on this issue, see: http://www.isc.org/index.pl?/sw/bind/bind-security.php http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926 (* Security fix *) +--------------------------+ Fri May 25 11:27:02 CDT 2007 patches/packages/samba-3.0.25a-i486-1_slack10.0.tgz: Upgraded to samba-3.0.25a. This fixes some major (non-security) bugs in samba-3.0.25. See the WHATSNEW.txt for details. +--------------------------+ Wed May 16 16:16:59 CDT 2007 patches/packages/libpng-1.2.18-i486-1_slack10.0.tgz: Upgraded to libpng-1.2.18. A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications. This vulnerability has been assigned the identifiers CVE-2007-2445 and CERT VU#684664. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2445 (* Security fix *) +--------------------------+ Mon May 14 18:22:43 CDT 2007 patches/packages/samba-3.0.25-i486-1_slack10.0.tgz: Upgraded to samba-3.0.25. 
Security Fixes included in the Samba 3.0.25 release are: o CVE-2007-2444 Versions: Samba 3.0.23d - 3.0.25pre2 Local SID/Name translation bug can result in user privilege elevation o CVE-2007-2446 Versions: Samba 3.0.0 - 3.0.24 Multiple heap overflows allow remote code execution o CVE-2007-2447 Versions: Samba 3.0.0 - 3.0.24 Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447 (* Security fix *) +--------------------------+ Thu Apr 19 18:53:08 CDT 2007 patches/packages/xine-lib-1.1.6-i686-1_slack10.0.tgz: Upgraded to xine-lib-1.1.6. This fixes overflows in xine-lib in some little-used media formats in xine-lib < 1.1.5 and other bugs in xine-lib < 1.1.6. The overflows in xine-lib < 1.1.5 could definitely cause an application using xine-lib to crash, and it is theorized that a malicious media file could be made to run arbitrary code in the context of the user running the application. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 (* Security fix *) +--------------------------+ Tue Apr 3 15:13:56 CDT 2007 patches/packages/file-4.20-i486-1_slack10.0.tgz: Upgraded to file-4.20. This fixes a heap overflow that could allow code to be executed as the user running file (note that there are many scenarios where file might be used automatically, such as in virus scanners or spam filters). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536 (* Security fix *) +--------------------------+ Wed Mar 7 18:02:55 CST 2007 patches/packages/gnupg-1.4.7-i486-1_slack10.0.tgz: Upgraded to gnupg-1.4.7. This fixes a security problem that can occur when GnuPG is used incorrectly. Newer versions attempt to prevent such misuse. 
For more information, see: http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html (* Security fix *) +--------------------------+ Sun Feb 18 15:20:36 CST 2007 patches/packages/glibc-zoneinfo-2.3.2-noarch-7_slack10.0.tgz: Updated with tzdata2007b for impending Daylight Savings Time changes in the US. +--------------------------+ Wed Feb 7 12:29:05 CST 2007 patches/packages/samba-3.0.24-i486-1_slack10.0.tgz: Upgraded to samba-3.0.24. From the WHATSNEW.txt file: "Important issues addressed in 3.0.24 include: o Fixes for the following security advisories: - CVE-2007-0452 (Potential Denial of Service bug in smbd) - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind NSS library on Solaris) - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)" Samba in Slackware is vulnerable to the first issue, which can cause smbd to enter into an infinite loop, disrupting Samba services. Linux is not vulnerable to the second issue, and Slackware does not ship the afsacl.so VFS plugin (but it's something to be aware of if you build Samba with custom options). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454 (* Security fix *) +--------------------------+ Fri Jan 26 22:46:30 CST 2007 patches/packages/bind-9.2.8-i486-1_slack10.0.tgz: Upgraded to bind-9.2.8. This update fixes two denial of service vulnerabilities where an attacker could crash the name server with specially crafted malformed data. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494 (* Security fix *) +--------------------------+ Wed Jan 24 14:15:07 CST 2007 patches/packages/fetchmail-6.3.6-i486-1_slack10.0.tgz: Upgraded to fetchmail-6.3.6. This fixes two security issues. First, a bug introduced in fetchmail-6.3.5 could cause fetchmail to crash.
However, no stable version of Slackware ever shipped fetchmail-6.3.5. Second, a long standing bug (reported by Isaac Wilcox) could cause fetchmail to send a password in clear text or omit using TLS even when configured otherwise. All fetchmail users are encouraged to consider using getmail, or to upgrade to the new fetchmail packages. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867 (* Security fix *) +--------------------------+ Sat Dec 23 16:40:57 CST 2006 patches/packages/xine-lib-1.1.3-i686-1_slack10.0.tgz: Upgraded to xine-lib-1.1.3 which fixes possible security problems such as a heap overflow in libmms and a buffer overflow in the Real Media input plugin. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200 (* Security fix *) +--------------------------+ Wed Dec 6 15:16:06 CST 2006 patches/packages/gnupg-1.4.6-i486-1_slack10.0.tgz: Upgraded to gnupg-1.4.6. This release fixes a severe and exploitable bug in earlier versions of gnupg. All gnupg users should update to the new packages as soon as possible. For details, see the information concerning CVE-2006-6235 posted on lists.gnupg.org: http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000491.html The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235 This update also addresses a more minor security issue possibly exploitable when GnuPG is used in interactive mode. For more information about that issue, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169 (* Security fix *) +--------------------------+ Fri Dec 1 15:03:20 CST 2006 patches/packages/libpng-1.2.14-i486-1_slack10.0.tgz: Upgraded to libpng-1.2.14. This fixes a bug where a specially crafted PNG file could crash applications that use libpng. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 (* Security fix *) patches/packages/proftpd-1.3.0a-i486-1_slack10.0.tgz: Upgraded to proftpd-1.3.0a plus an additional security patch. Several security issues were found in proftpd that could lead to the execution of arbitrary code by a remote attacker, including one in mod_tls that does not require the attacker to be authenticated first. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171 (* Security fix *) patches/packages/tar-1.16-i486-1_slack10.0.tgz: Upgraded to tar-1.16. This fixes an issue where files may be extracted outside of the current directory, possibly allowing a malicious tar archive, when extracted, to overwrite any of the user's files (in the case of root, any file on the system). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097 (* Security fix *) +--------------------------+ Mon Nov 6 21:29:24 CST 2006 patches/packages/bind-9.2.6_P2-i486-1_slack10.0.tgz: Upgraded to bind-9.2.6-P2. This fixes some security issues related to previous fixes in OpenSSL. The minimum OpenSSL version was raised to OpenSSL 0.9.7l and OpenSSL 0.9.8d to avoid exposure to known security flaws in older versions (these patches were already issued for Slackware). If you have not upgraded yet, get those as well to prevent a potentially exploitable security problem in named. In addition, the default RSA exponent was changed from 3 to 65537. RSA keys using exponent 3 (which was previously BIND's default) will need to be regenerated to protect against the forging of RRSIGs. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 (* Security fix *) +--------------------------+ Fri Nov 3 23:19:57 CST 2006 patches/packages/screen-4.0.3-i486-1_slack10.0.tgz: Upgraded to screen-4.0.3. This addresses an issue with the way screen handles UTF-8 character encoding that could allow screen to be crashed (or possibly code to be executed in the context of the screen user) if a specially crafted sequence of pseudo-UTF-8 characters is displayed within a screen session. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573 (* Security fix *) +--------------------------+ Wed Oct 25 15:45:46 CDT 2006 patches/packages/qt-3.3.3-i486-2_slack10.0.tgz: Patched. This fixes an issue with Qt's handling of pixmap images that causes Qt linked applications to crash if a specially crafted malicious image is loaded. Inspection of the code in question makes it seem unlikely that this could lead to more serious implications (such as arbitrary code execution), but it is recommended that users upgrade to the new Qt package. For more information, see: http://www.trolltech.com/company/newsroom/announcements/press.2006-10-19.5434451733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4811 (* Security fix *) +--------------------------+ Fri Sep 29 00:21:27 CDT 2006 patches/packages/openssl-0.9.7l-i486-1_slack10.0.tgz: Upgraded to shared libraries from openssl-0.9.7l. See openssl package update below. (* Security fix *) patches/packages/openssh-4.4p1-i486-1_slack10.0.tgz: Upgraded to openssh-4.4p1. This fixes a few security related issues. From the release notes found at http://www.openssh.com/txt/release-4.4: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal handler reported by Mark Dowd.
The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. Links to the CVE entries will be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5052 After this upgrade, make sure the permissions on /etc/rc.d/rc.sshd are set the way you want them. Future upgrades will respect the existing permissions settings. Thanks to Manuel Reimer for pointing out that upgrading openssh would enable a previously disabled sshd daemon. Do better checking of passwd, shadow, and group to avoid adding redundant entries to these files. Thanks to Menno Duursma. (* Security fix *) patches/packages/openssl-0.9.7l-i486-1_slack10.0.tgz: Upgraded to openssl-0.9.7l. This fixes a few security related issues: During the parsing of certain invalid ASN.1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory (CVE-2006-2937). (This issue did not affect OpenSSL versions prior to 0.9.7) Thanks to Dr S. N. Henson of Open Network Security and NISCC. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack (CVE-2006-2940). Thanks to Dr S. N. Henson of Open Network Security and NISCC. A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer. 
(CVE-2006-3738) Thanks to Tavis Ormandy and Will Drewry of the Google Security Team. A flaw in the SSLv2 client code was discovered. When a client application used OpenSSL to create an SSLv2 connection to a malicious server, that server could cause the client to crash (CVE-2006-4343). Thanks to Tavis Ormandy and Will Drewry of the Google Security Team. Links to the CVE entries will be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 (* Security fix *) +--------------------------+ Tue Sep 19 14:07:49 CDT 2006 patches/packages/gzip-1.3.5-i486-1_slack10.0.tgz: Upgraded to gzip-1.3.5, and fixed a variety of bugs. Some of the bugs have possible security implications if gzip or its tools are fed a carefully constructed malicious archive. Most of these issues were recently discovered by Tavis Ormandy and the Google Security Team. Thanks to them, and also to the ALT and Owl developers for cleaning up the patch. For further details about the issues fixed, please see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338 (* Security fix *) +--------------------------+ Thu Sep 14 05:30:50 CDT 2006 patches/packages/openssl-0.9.7d-i486-3_slack10.0.tgz: Patched an issue where it is possible to forge certain kinds of RSA signatures. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 patches/packages/openssl-solibs-0.9.7d-i486-3_slack10.0.tgz: Patched an issue where it is possible to forge certain kinds of RSA signatures. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 (* Security fix *) +--------------------------+ Thu Sep 7 23:41:37 CDT 2006 patches/packages/bind-9.2.6_P1-i486-1_slack10.0.tgz Upgraded to bind-9.2.6_P1. This update addresses a denial of service vulnerability. BIND's CHANGES file says this: 2066. [security] Handle SIG queries gracefully. [RT #16300] The best discussion I've found is in FreeBSD's advisory, so here's a link: http://security.FreeBSD.org/advisories/FreeBSD-SA-06:20.bind.asc Also, fixed some missing man pages. (noticed by Xavier Thomassin -- thanks) (* Security fix *) +--------------------------+ Fri Aug 18 00:27:05 CDT 2006 patches/packages/libtiff-3.8.2-i486-1_slack10.0.tgz: Patched vulnerabilities in libtiff which were found by Tavis Ormandy of the Google Security Team. These issues could be used to crash programs linked to libtiff or possibly to execute code as the program's user. A low risk command-line overflow in tiffsplit was also patched. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465 (* Security fix *) +--------------------------+ Wed Aug 2 22:03:08 CDT 2006 patches/packages/gnupg-1.4.5-i486-1_slack10.0.tgz: Upgraded to gnupg-1.4.5. From the gnupg-1.4.5 NEWS file: * Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. 
This bug can easily be exploited for a DoS; remote code execution is not entirely impossible. (* Security fix *) +--------------------------+ Fri Jul 28 17:37:42 CDT 2006 patches/packages/apache-1.3.37-i486-1_slack10.0.tgz: Upgraded to apache-1.3.37. From the announcement on httpd.apache.org: This version of Apache is security fix release only. An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. The Slackware Security Team feels that the vast majority of installations will not be configured in a vulnerable way but still suggests upgrading to the new apache and mod_ssl packages for maximum security. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747 And see Apache's announcement here: http://www.apache.org/dist/httpd/Announcement1.3.html (* Security fix *) patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.0.tgz: Upgraded to mod_ssl-2.8.28-1.3.37. +--------------------------+ Wed Jul 26 23:18:13 CDT 2006 patches/packages/tcpip-0.17-i486-29c_slack10.0.tgz: Repatched the telnet client with the official OpenBSD patch that had already replaced the original security fix in Slackware 9.1, 10.2 and -current. Thanks to Dragan Simic for reporting the issue, and my apologies for taking so long to address the insufficiencies of the original patch in Slackware 10.0 and 10.1. +--------------------------+ Mon Jul 24 15:44:39 CDT 2006 patches/packages/mutt-1.4.2.2i-i486-1_slack10.0.tgz: Upgraded to mutt-1.4.2.2i. This release fixes CVE-2006-3242, a buffer overflow that could be triggered by a malicious IMAP server. [Connecting to malicious IMAP servers must be common, right? -- Ed.]
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242 (* Security fix *) +--------------------------+ Tue Jul 18 22:44:53 CDT 2006 patches/packages/samba-3.0.23-i486-2_slack10.0.tgz: Patched a problem in nsswitch/wins.c that caused crashes in the wins and/or winbind libraries. Thanks to Mikhail Kshevetskiy for pointing out the issue and offering a reference to the patch in Samba's source repository. Also, this version of Samba evidently created a new dependency on libdm.so (found in the xfsprogs package in non -current Slackware versions). This additional dependency was not intentional, and has been corrected. +--------------------------+ Fri Jul 14 17:17:17 CDT 2006 patches/packages/samba-3.0.23-i486-1_slack10.0.tgz: Upgraded to samba-3.0.23. This fixes a minor memory exhaustion DoS in smbd. The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403 (* Security fix *) +--------------------------+ Tue Jun 27 18:48:22 CDT 2006 patches/packages/arts-1.2.3-i486-2_slack10.0.tgz: Patched to fix a possible exploit if artswrapper is setuid root (which, by default, it is not) and the system is running a 2.6 kernel. Systems running 2.4 kernels are not affected. The official KDE security advisory may be found here: http://www.kde.org/info/security/advisory-20060614-2.txt The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916 (* Security fix *) patches/packages/gnupg-1.4.4-i486-1_slack10.0.tgz: This version fixes a memory allocation issue that could allow an attacker to crash GnuPG creating a denial-of-service. The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082 patches/packages/kdebase-3.2.3-i486-4_slack10.0.tgz: Patched a problem with kdm where it could be abused to read any file on the system. 
The official KDE security advisory may be found here: http://www.kde.org/info/security/advisory-20060614-1.txt The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2449 (* Security fix *) +--------------------------+ Thu Jun 15 02:03:05 CDT 2006 patches/packages/sendmail-8.13.7-i486-1_slack10.0.tgz: Upgraded to sendmail-8.13.7. Fixes a potential denial of service problem caused by excessive recursion leading to stack exhaustion when attempting delivery of a malformed MIME message. This crashes sendmail's queue processing daemon, which in turn can lead to two problems: depending on the settings, these crashed processes may create coredumps which could fill a drive partition; and such a malformed message in the queue will cause queue processing to cease when the message is reached, causing messages that are later in the queue to not be processed. Sendmail's complete advisory may be found here: http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc Sendmail has also provided an FAQ about this issue: http://www.sendmail.com/security/advisories/SA-200605-01/faq.shtml The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173 (* Security fix *) patches/packages/sendmail-cf-8.13.7-noarch-1_slack10.0.tgz: Upgraded to sendmail-8.13.7 configs. +--------------------------+ Sat Jun 3 17:19:45 CDT 2006 patches/packages/mysql-4.0.27-i486-1_slack10.0.tgz: Upgraded to mysql-4.0.27. This fixes some minor security issues with possible information leakage. Note that the information leakage bugs require that the attacker have access to an account on the database. Also note that by default, Slackware's rc.mysqld script does *not* allow access to the database through the outside network (it uses the --skip-networking option). If you've enabled network access to MySQL, it is a good idea to filter the port (3306) to prevent access from unauthorized machines. 
For more details, see the MySQL 4.0.27 release announcement here: http://lists.mysql.com/announce/359 For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517 (* Security fix *) +--------------------------+ Wed May 10 15:07:18 CDT 2006 patches/packages/apache-1.3.35-i486-2_slack10.0.tgz: Patched to fix totally broken Include behavior. Thanks to Francesco Gringoli for reporting this bug. +--------------------------+ Tue May 9 00:50:56 CDT 2006 patches/packages/apache-1.3.35-i486-1_slack10.0.tgz: Upgraded to apache-1.3.35. From the official announcement: Of particular note is that 1.3.35 addresses and fixes 1 potential security issue: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352 (* Security fix *) patches/packages/mod_ssl-2.8.26_1.3.35-i486-1_slack10.0.tgz: Upgraded to mod_ssl-2.8.26-1.3.35. This is an updated version designed for Apache 1.3.35. +--------------------------+ Mon Apr 24 14:36:46 CDT 2006 patches/packages/mozilla-1.7.13-i486-1.tgz: Upgraded to mozilla-1.7.13. This upgrade fixes several possible security bugs. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla This release marks the end-of-life of the Mozilla 1.7.x series: http://developer.mozilla.org/devnews/index.php/2006/04/12/sunset-announcement-for-fxtb-10x-and-mozilla-suite-17x/ Mozilla Corporation is recommending that users think about migrating to Firefox and Thunderbird. (* Security fix *) patches/packages/mozilla-plugins-1.7.13-noarch-1.tgz: Updated for mozilla-1.7.13. +--------------------------+ Wed Mar 22 13:01:23 CST 2006 patches/packages/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6. 
This new version of sendmail contains a fix for a security problem discovered by Mark Dowd of ISS X-Force. From sendmail's advisory: Sendmail was notified by security researchers at ISS that, under some specific timing conditions, this vulnerability may permit a specifically crafted attack to take over the sendmail MTA process, allowing remote attackers to execute commands and run arbitrary programs on the system running the MTA, affecting email delivery, or tampering with other programs and data on this system. Sendmail is not aware of any public exploit code for this vulnerability. This connection-oriented vulnerability does not occur in the normal course of sending and receiving email. It is only triggered when specific conditions are created through SMTP connection layer commands. Sendmail's complete advisory may be found here: http://www.sendmail.com/company/advisory/index.shtml The CVE entry for this issue may be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058 (* Security fix *) patches/packages/sendmail-cf-8.13.6-noarch-1.tgz: Upgraded to sendmail-8.13.6 configuration files. +--------------------------+ Mon Mar 13 20:42:48 CST 2006 patches/packages/gnupg-1.4.2.2-i486-1.tgz: Upgraded to gnupg-1.4.2.2. There have been two security related issues reported recently with GnuPG. From the GnuPG 1.4.2.1 and 1.4.2.2 NEWS files: Noteworthy changes in version 1.4.2.2 (2006-03-08) * Files containing several signed messages are not allowed any longer as there is no clean way to report the status of such files back to the caller. To partly revert to the old behaviour the new option --allow-multisig-verification may be used. Noteworthy changes in version 1.4.2.1 (2006-02-14) * Security fix for a verification weakness in gpgv. Some input could lead to gpgv exiting with 0 even if the detached signature file did not carry any signature. 
This is not as fatal as it might seem because the suggestion has always been not to rely on the exit code but to parse the --status-fd messages. However it is likely that gpgv is used in that simplified way and thus we do this release. Same problem with "gpg --verify" but nobody should have used this for signature verification without checking the status codes anyway. Thanks to the taviso from Gentoo for reporting this problem. (* Security fix *) +--------------------------+ Thu Feb 9 15:09:26 CST 2006 patches/packages/fetchmail-6.3.2-i486-1.tgz: Upgraded to fetchmail-6.3.2. Presumably this replaces all the known security problems with a batch of new unknown ones. (fetchmail is improving, really ;-) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321 (* Security fix *) patches/packages/kdegraphics-3.2.3-i486-2.tgz: Patched integer and heap overflows in kpdf to fix possible security bugs with malformed PDF files. For more information, see: http://www.kde.org/info/security/advisory-20051207-2.txt http://www.kde.org/info/security/advisory-20060202-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 (* Security fix *) patches/packages/kdelibs-3.2.3-i486-3.tgz: Patched a heap overflow vulnerability in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE.
For more information, see: http://www.kde.org/info/security/advisory-20060119-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019 (* Security fix *) patches/packages/openssh-4.3p1-i486-1.tgz: Upgraded to openssh-4.3p1. This fixes a security issue when using scp to copy files that could cause commands embedded in filenames to be executed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225 (* Security fix *) patches/packages/sudo-1.6.8p12-i486-1.tgz: Upgraded to sudo-1.6.8p12. This fixes an issue where a user able to run a Python script through sudo may be able to gain root access. IMHO, running any kind of scripting language from sudo is still not safe... For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0151 (* Security fix *) patches/packages/xpdf-3.01-i486-3.tgz: Recompiled with xpdf-3.01pl2.patch to fix integer and heap overflows in xpdf triggered by malformed PDF files. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 (* Security fix *) +--------------------------+ Mon Nov 7 19:54:57 CST 2005 patches/packages/elm-2.5.8-i486-1.tgz: Upgraded to elm2.5.8. This fixes a buffer overflow in the parsing of the Expires header that could be used to execute arbitrary code as the user running Elm. Thanks to Ulf Harnhammar for finding the bug and reminding me to get out updated packages to address the issue. 
A reference to the original advisory: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html +--------------------------+ Sat Nov 5 22:15:34 CST 2005 patches/packages/apache-1.3.34-i486-1.tgz: Upgraded to apache-1.3.34. Fixes this minor security bug: "If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks." (* Security fix *) patches/packages/curl-7.12.2-i486-2.tgz: Patched. This addresses a buffer overflow in libcurl's NTLM function that could have possible security implications. For more details, see: http://curl.haxx.se/docs/security.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185 (* Security fix *) patches/packages/imapd-4.64-i486-1.tgz: Upgraded to imapd-4.64. A buffer overflow was reported in the mail_valid_net_parse_work function. However, this function in the c-client library does not appear to be called from anywhere in imapd. iDefense states that the issue is of LOW risk to sites that allow users shell access, and LOW-MODERATE risk to other servers. I believe it's possible that it is of NIL risk if the function is indeed dead code to imapd, but draw your own conclusions... (* Security fix *) patches/packages/koffice-1.3.1-i486-4.tgz: Patched. Fixes a buffer overflow in KWord's RTF import discovered by Chris Evans. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2971 (* Security fix *) patches/packages/lynx-2.8.5rel.5-i486-1.tgz: Upgraded to lynx-2.8.5rel.5. Fixes an issue where the handling of Asian characters when using lynx to connect to an NNTP server (is this a common use?) could result in a buffer overflow causing the execution of arbitrary code. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120 (* Security fix *) patches/packages/mod_ssl-2.8.25_1.3.34-i486-1.tgz: Upgraded to mod_ssl-2.8.25-1.3.34. 
patches/packages/pine-4.64-i486-1.tgz: Upgraded to pine-4.64. patches/packages/wget-1.10.2-i486-1.tgz: Upgraded to wget-1.10.2. This addresses a buffer overflow in wget's NTLM handling function that could have possible security implications. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185 (* Security fix *) +--------------------------+ Thu Oct 13 13:57:25 PDT 2005 patches/packages/openssl-0.9.7d-i486-2.tgz: Patched. Fixed a vulnerability that could, in rare circumstances, allow an attacker acting as a "man in the middle" to force a client and a server to negotiate the SSL 2.0 protocol (which is known to be weak) even if these parties both support SSL 3.0 or TLS 1.0. For more details, see: http://www.openssl.org/news/secadv_20051011.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969 (* Security fix *) patches/packages/openssl-solibs-0.9.7d-i486-2.tgz: Patched. (* Security fix *) +--------------------------+ Mon Oct 10 15:14:22 PDT 2005 patches/packages/xine-lib-1.0.3a-i686-1.tgz: Upgraded to xine-lib-1.0.3a. This fixes a format string bug where an attacker, if able to upload malicious information to a CDDB server and then get a local user to play a certain audio CD, may be able to run arbitrary code on the machine as the user running the xine-lib linked application. For more information, see: http://xinehq.de/index.php/security/XSA-2005-1 (* Security fix *) +--------------------------+ Sun Sep 25 22:11:57 PDT 2005 patches/packages/x11-6.7.0-i486-5.tgz: Patched a pixmap overflow issue. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495 (* Security fix *) patches/packages/x11-xdmx-6.7.0-i486-5.tgz: Patched and rebuilt. patches/packages/x11-xnest-6.7.0-i486-5.tgz: Patched and rebuilt. patches/packages/x11-xvfb-6.7.0-i486-5.tgz: Patched and rebuilt. patches/packages/mozilla-1.7.12-i486-1.tgz: Upgraded to mozilla-1.7.12. This fixes several security issues. 
For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla (* Security fix *) patches/packages/mozilla-firefox-1.0.7-i686-1.tgz: Upgraded to firefox-1.0.7. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox (* Security fix *) +--------------------------+ Mon Sep 12 23:38:33 PDT 2005 patches/packages/util-linux-2.12a-i486-2.tgz: Patched an issue with umount where if the umount failed when the '-r' option was used, the filesystem would be remounted read-only but without any extra flags specified in /etc/fstab. This could allow an ordinary user able to mount a floppy or CD (but with nosuid, noexec, nodev, etc in /etc/fstab) to run a setuid binary from removable media and gain root privileges. Reported to BugTraq by David Watson: http://www.securityfocus.com/archive/1/410333 (* Security fix *) +--------------------------+ Mon Sep 12 12:49:39 PDT 2005 patches/packages/dhcpcd-1.3.22pl4-i486-2.tgz: Patched an issue where a remote attacker can cause dhcpcd to crash. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1848 (* Security fix *) +--------------------------+ Wed Sep 7 13:33:05 PDT 2005 patches/packages/kdebase-3.2.3-i486-3.tgz: Patched a security bug in kcheckpass that could allow a local user to gain root privileges. For more information, see: http://www.kde.org/info/security/advisory-20050905-1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2494 (* Security fix *) patches/packages/mod_ssl-2.8.24_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.24-1.3.33. From the CHANGES file: Fix a security issue (CAN-2005-2700) where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700 (* Security fix *) +--------------------------+ Tue Aug 30 12:58:36 PDT 2005 patches/packages/gaim-1.5.0-i486-1.tgz: Upgraded to gaim-1.5.0. This fixes some more security issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2370 (* Security fix *) patches/packages/pcre-6.3-i486-1.tgz: Upgraded to pcre-6.3. This fixes a buffer overflow that could be triggered by the processing of a specially crafted regular expression. Theoretically this could be a security issue if regular expressions are accepted from untrusted users to be processed by a user with greater privileges, but this doesn't seem like a common scenario (or, for that matter, a good idea). However, if you are using an application that links to the shared PCRE library and accepts outside input in such a manner, you will want to update to this new package. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) patches/packages/php-4.3.11-i486-3.tgz: Relinked with the system PCRE library, as the builtin library has a buffer overflow that could be triggered by the processing of a specially crafted regular expression. Note that this change requires the pcre package to be installed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491 (* Security fix *) Upgraded PEAR::XMLRPC to version 1.4.0, which eliminates the use of the insecure eval() function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (* Security fix *) +--------------------------+ Fri Jul 29 11:41:50 PDT 2005 patches/packages/tcpip-0.17-i486-29b.tgz: Patched two overflows in the telnet client that could allow the execution of arbitrary code when connected to a malicious telnet server. 
For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 (* Security fix *) +--------------------------+ Tue Jul 26 23:37:15 PDT 2005 patches/packages/mozilla-1.7.10-i486-2.tgz: Fixed a folder switching bug. Thanks to Peter Santoro for pointing out the patch. +--------------------------+ Fri Jul 22 13:50:25 PDT 2005 patches/packages/fetchmail-6.2.5.2-i486-1.tgz: Upgraded to fetchmail-6.2.5.2. This fixes an overflow by which malicious or compromised POP3 servers may overflow fetchmail's stack. For more information, see: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt (* Security fix *) patches/packages/gxine-0.4.6-i486-1.tgz: Upgraded to gxine-0.4.6. This fixes a format string vulnerability that allows remote attackers to execute arbitrary code via a ram file with a URL whose hostname contains format string specifiers. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692 (* Security fix *) patches/packages/zlib-1.2.3-i486-1.tgz: Upgraded to zlib-1.2.3. This fixes an additional crash not fixed by the patch to zlib-1.2.2. (* Security fix *) +--------------------------+ Fri Jul 22 10:33:15 PDT 2005 patches/packages/kdenetwork-3.2.3-i486-2.tgz: Patched overflows in libgadu (used by kopete) that can cause a denial of service or arbitrary code execution. For more information, see: http://www.kde.org/info/security/advisory-20050721-1.txt (* Security fix *) patches/packages/mozilla-1.7.10-i486-1.tgz: Upgraded to mozilla-1.7.10. This fixes several security issues. For more information, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla (* Security fix *) patches/packages/mozilla-plugins-1.7.10-noarch-1.tgz: Upgraded Java(TM) symlink for Mozilla. +--------------------------+ Tue Jul 19 20:16:16 PDT 2005 patches/packages/dnsmasq-2.22-i486-1.tgz: Upgraded to dnsmasq-2.22. 
This fixes an off-by-one overflow vulnerability that may allow a DHCP client to create a denial of service condition. Additional code was also added to detect and defeat attempts to poison the DNS cache. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877 (* Security fix *) +--------------------------+ Thu Jul 14 15:22:27 PDT 2005 patches/packages/tcpdump-3.9.3-i486-1.tgz: Upgraded to libpcap-0.9.3 and tcpdump-3.9.3. This fixes an issue where an invalid BGP packet can cause tcpdump to go into an infinite loop, effectively disabling network monitoring. (* Security fix *) patches/packages/xv-3.10a-i486-4.tgz: Upgraded to the latest XV jumbo patches, xv-3.10a-jumbo-fix-patch-20050410 and xv-3.10a-jumbo-enh-patch-20050501. These fix a number of format string and other possible security issues in addition to providing many other bugfixes and enhancements. (Thanks to Greg Roelofs) (* Security fix *) +--------------------------+ Mon Jul 11 15:02:11 PDT 2005 patches/packages/php-4.3.11-i486-2.tgz: Upgraded PEAR XML_RPC class. This new PHP package fixes a PEAR XML_RPC vulnerability. Sites that use this PEAR class should upgrade to the new PHP package, or as a minimal fix may instead upgrade the XML_RPC PEAR class with the following command: pear upgrade XML_RPC (* Security fix *) +--------------------------+ Fri Jul 8 12:05:43 PDT 2005 patches/packages/zlib-1.2.2-i486-2.tgz: Patched an overflow in zlib that could cause applications using zlib to crash. The overflow does not involve user supplied data, and therefore does not allow the execution of arbitrary code. However, it could still be used by a remote attacker to create a denial of service. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096 (* Security fix *) +--------------------------+ Tue Jun 21 22:32:29 PDT 2005 patches/packages/sudo-1.6.8p9-i486-1.tgz: Upgraded to sudo-1.6.8p9. 
This new version of Sudo fixes a race condition in command pathname handling that could allow a user with Sudo privileges to run arbitrary commands. For full details, see the Sudo site: http://www.courtesan.com/sudo/alerts/path_race.html (* Security fix *) +--------------------------+ Sat Jun 11 22:03:00 PDT 2005 patches/packages/gaim-1.3.1-i486-1.tgz: Upgraded to gaim-1.3.1 and gaim-encryption-2.38. This fixes a couple of remote crash bugs, so users of the MSN and Yahoo! chat protocols should upgrade to gaim-1.3.1. (* Security fix *) +--------------------------+ Sun May 15 20:29:09 PDT 2005 patches/packages/ncftp-3.1.9-i486-1.tgz: Upgraded to ncftp-3.1.9. This corrects a vulnerability where a download from a hostile FTP server might be written to an unintended location potentially compromising system security or causing a denial of service. For more details, see: http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5 (* Security fix *) patches/packages/mozilla-plugins-1.7.8-noarch-1.tgz: Upgraded Java(TM) symlink for Mozilla. patches/packages/mozilla-1.7.8-i486-1.tgz: Upgraded to mozilla-1.7.8. Two vulnerabilities found in Mozilla Firefox 1.0.3 when combined allow an attacker to run arbitrary code. The Mozilla Suite version 1.7.7 is only partially vulnerable. For more details, see: http://www.mozilla.org/security/announce/mfsa2005-42.html (* Security fix *) +--------------------------+ Fri May 13 12:48:53 PDT 2005 patches/packages/gaim-1.3.0-i486-1.tgz: Upgraded to gaim-1.3.0. This fixes a few bugs which could be used by a remote attacker to annoy a GAIM user by crashing GAIM and creating a denial of service. (* Security fix *) +--------------------------+ Sun May 1 22:04:43 PDT 2005 patches/packages/infozip-5.52-i486-1.tgz: Upgraded to unzip552.tar.gz and zip231.tar.gz. These fix some buffer overruns if deep directory paths are packed into a Zip archive which could be a security vulnerability (for example, in a case of automated archiving or backups that use Zip). 
However, it also appears that these now use certain assembly instructions that might not be available on older CPUs, so if you have an older machine you may wish to take this into account before deciding whether you should upgrade. (* Security fix *) patches/packages/gxine-0.4.4-i486-1.tgz: Upgraded to gxine-0.4.4. patches/packages/xine-lib-1.0.1-i686-1.tgz: Upgraded to xine-lib-1.0.1. This fixes some bugs in the MMS and Real RTSP streaming client code. While the odds of this vulnerability being usable to a remote attacker are low (but see the xine advisory), if you stream media from sites using these protocols (and you think the sites might be "hostile" and will try to hack into your xine client), then you might want to upgrade to this new version of xine-lib. Probably the other fixes and enhancements in xine-lib-1.0.1 are a better rationale to do so, though. For more details on the xine-lib security issues, see: http://xinehq.de/index.php/security/XSA-2004-8 (* Security fix *) patches/packages/xine-ui-0.99.3-i686-1.tgz: Upgraded to xine-ui-0.99.3. +--------------------------+ Thu Apr 21 14:19:49 PDT 2005 patches/packages/cvs-1.11.20-i486-1.tgz: Upgraded to cvs-1.11.20. From cvshome.org: "This version fixes many minor security issues in the CVS server executable including a potentially serious buffer overflow vulnerability with no known exploit. We recommend this upgrade for all CVS servers!" For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753 (* Security fix *) patches/packages/gaim-1.2.1-i486-1.tgz: Upgraded to gaim-1.2.1. According to gaim.sf.net, this fixes a few denial-of-service flaws. (* Security fix *) patches/packages/mozilla-1.7.7-i486-1.tgz: Upgraded to mozilla-1.7.7. This fixes some security issues. For complete details, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html (* Security fix *) patches/packages/mozilla-plugins-1.7.7-noarch-1.tgz: Upgraded Java(TM) symlink for Mozilla. 
patches/packages/python-2.3.5-i486-1.tgz: Upgraded to python-2.3.5. From the python.org site: "The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected." For more details, see: http://python.org/security/PSF-2005-001/ (* Security fix *) patches/packages/python-demo-2.3.5-noarch-1.tgz: Upgraded to python-2.3.5 demos. patches/packages/python-tools-2.3.5-noarch-1.tgz: Upgraded to python-2.3.5 tools. +--------------------------+ Sun Apr 3 21:20:07 PDT 2005 patches/packages/php-4.3.11-i486-1.tgz: Upgraded to php-4.3.11. "This is a maintenance release that in addition to over 70 non-critical bug fixes addresses several security issues inside the exif and fbsql extensions as well as the unserialize(), swf_definepoly() and getimagesize() functions." (* Security fix *) +--------------------------+ Sat Mar 26 15:04:15 PST 2005 patches/packages/gaim-1.2.0-i486-1.tgz: Upgraded to gaim-1.2.0 and gaim-encryption-2.36 (compiled against mozilla-1.7.6). patches/packages/mozilla-1.7.6-i486-1.tgz: Upgraded to mozilla-1.7.6. Fixes some security issues. Please see mozilla.org for a complete list. (* Security fix *) patches/packages/mozilla-plugins-1.7.6-noarch-1.tgz: Adjusted plugin symlinks for Mozilla 1.7.6. +--------------------------+ Sun Oct 31 19:20:49 PST 2004 patches/packages/apache-1.3.33-i486-1.tgz: Upgraded to apache-1.3.33. This fixes one new security issue (the first issue, CAN-2004-0492, was fixed in apache-1.3.32). The second bug fixed in 1.3.3 (CAN-2004-0940) allows a local user who can create SSI documents to become "nobody". 
The amount of mischief they could cause as nobody seems low at first glance, but it might allow them to use kill or killall as nobody to try to create a DoS. Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski). (* Security fix *) patches/packages/libtiff-3.7.0-i486-1.tgz: Upgraded to libtiff-3.7.0. This fixes several bugs that could lead to crashes, or could possibly allow arbitrary code to be executed. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886 (* Security fix *) patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.22_1.3.33. +--------------------------+ Mon Oct 25 16:36:28 PDT 2004 patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32. This addresses a heap-based buffer overflow in mod_proxy by rejecting responses from a remote server with a negative Content-Length. The flaw could crash the Apache child process, or possibly allow code to be executed as the Apache user (but only if mod_proxy is actually in use on the server). For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492 (* Security fix *) patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz: Upgraded to mod_ssl-2.8.21-1.3.32. Don't allow clients to bypass cipher requirements, possibly negotiating a connection that the server does not consider secure enough. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 (* Security fix *) patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9. +--------------------------+ Fri Oct 22 16:26:38 PDT 2004 patches/packages/gaim-1.0.2-i486-1.tgz: Upgraded to gaim-1.0.2 and gaim-encryption-2.32. A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and may allow the execution of arbitrary code. 
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891 (* Security fix *) +--------------------------+ Mon Oct 11 19:32:39 PDT 2004 patches/packages/rsync-2.6.3-i486-1.tgz: Upgraded to rsync-2.6.3. From the rsync NEWS file: A bug in the sanitize_path routine (which affects a non-chrooted rsync daemon) could allow a user to craft a pathname that would get transformed into an absolute path for certain options (but not for file-transfer names). If you're running an rsync daemon with chroot disabled, *please upgrade*, ESPECIALLY if the user privs you run rsync under is anything above "nobody". Note that rsync, in daemon mode, sets the "use chroot" to true by default, and (in this default mode) is not vulnerable to this issue. I would strongly recommend against setting "use chroot" to false even if you've upgraded to this new package. (* Security fix *) +--------------------------+ Mon Oct 4 11:54:19 PDT 2004 patches/packages/getmail-4.2.0-noarch-1.tgz: Upgraded to getmail-4.2.0. Earlier versions contained a local security flaw when used in an insecure fashion (surprise, running something as root that writes to user-controlled files or directories could allow the old symlink attack to clobber system files! :-) From the getmail CHANGELOG: This vulnerability is not exploitable if the administrator does not deliver mail to the maildirs/mbox files of untrusted local users, or if getmail is configured to use an external unprivileged MDA. This vulnerability is not remotely exploitable. Most users would not use getmail in such a way as to be vulnerable to this flaw, but if your site does this package closes the hole. I'd also recommend not using getmail like this. Either run it as the user that owns the target mailbox, or deliver through an external MDA. (* Security fix *) patches/packages/zlib-1.2.2-i486-1.tgz: Upgraded to zlib-1.2.2. This fixes a possible DoS in earlier versions of zlib-1.2.x. 
(* Security fix *) +--------------------------+ Sun Sep 19 18:28:24 PDT 2004 patches/packages/cups-1.1.21-i486-1.tgz: Upgraded to cups-1.1.21. This fixes a flaw where a remote attacker can crash the CUPS server causing a denial of service. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558 (* Security fix *) patches/packages/gtk+2-2.4.10-i486-1.tgz: Upgraded to gtk+-2.4.10. This fixes security issues in the image loader routines that can crash applications. (* Security fix *) patches/packages/mozilla-1.7.3-i486-1.tgz: Upgraded to mozilla-1.7.3. The Mozilla page says this fixes some "minor security holes". It also breaks Galeon and Epiphany, and new versions of these have still not appeared. In light of this, I think it's time to remove these Gecko-based browsers. The future is going to be Firefox and Thunderbird anyway, and I don't believe Galeon and Epiphany can be compiled against Firefox's libraries. (* Security fix *) patches/packages/mozilla-plugins-1.7.3-noarch-1.tgz: Changed plugin symlinks for Mozilla 1.7.3. patches/packages/xine-lib-1rc6a-i686-1.tgz: Upgraded to xine-lib-1-rc6a. This release fixes a few overflows that could have security implications. (* Security fix *) +--------------------------+ Mon Sep 13 17:07:20 PDT 2004 patches/packages/samba-3.0.5-i486-3.tgz: Patched two Denial of Service vulnerabilities in samba-3.0.5. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808 (* Security fix *) +--------------------------+ Fri Sep 10 15:33:55 PDT 2004 patches/packages/proftpd-1.2.10-i486-1.tgz: Upgraded to proftpd-1.2.10. +--------------------------+ Fri Sep 3 13:13:09 PDT 2004 patches/packages/glibc-2.3.2-i486-7.tgz: Recompiled using 'strip -g' rather than 'strip --strip-unneeded' to avoid stripping symbols that are needed for debugging threads. 
Thanks to those who reported this bug, especially Ricardo Nabinger Sanchez who sent in a sample thread program that made it easy to test for the problem (and confirm the fix worked). patches/packages/glibc-solibs-2.3.2-i486-7.tgz: Recompiled using 'strip -g'. patches/packages/kdebase-3.2.3-i486-2.tgz: Patched frame injection vulnerability in Konqueror. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 (* Security fix *) patches/packages/kdelibs-3.2.3-i486-2.tgz: Patched unsafe temporary directory usage, cross-domain cookie injection vulnerability for certain country specific domains, and frame injection vulnerability in Konqueror. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746 (* Security fix *) +--------------------------+ Fri Aug 27 14:25:53 PDT 2004 patches/packages/gaim-0.82.1-i486-1.tgz: Upgraded to gaim-0.82.1 to fix a couple of bugs in the gaim-0.82 release. Also, gaim-encryption-2.29 did not work with gaim-0.82 (or 0.82.1), so that has been upgraded to gaim-encryption-2.30. +--------------------------+ Thu Aug 26 17:14:09 PDT 2004 patches/packages/gaim-0.82-i486-1.tgz: Upgraded to gaim-0.82 and gaim-encryption-2.29. 
Fixes several security issues: Content-length DOS (malloc error) (no CAN ID on this one) MSN strncpy buffer overflow (CAN-2004-0500) Groupware message receive integer overflow (CAN-2004-0754) Smiley theme installation lack of escaping (CAN-2004-0784) RTF message buffer overflow, Local hostname resolution buffer overflow, URL decode buffer overflow (these 3 are CAN-2004-0785) For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785 (* Security fix *) +--------------------------+ Mon Aug 23 12:12:58 PDT 2004 patches/packages/qt-3.3.3-i486-1.tgz: Upgraded to qt-3.3.3. This fixes bugs in the image loading routines which could be used by an attacker to run unauthorized code or create a denial-of-service. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693 (* Security fix *) +--------------------------+ Mon Aug 9 01:56:43 PDT 2004 patches/packages/epiphany-1.2.7-i486-1.tgz: Upgraded to epiphany-1.2.7. (compiled against Mozilla 1.7.2) patches/packages/gaim-0.81-i486-1.tgz: Upgraded to gaim-0.81. (compiled against Mozilla 1.7.2) patches/packages/galeon-1.3.17-i486-1.tgz: Upgraded to galeon-1.3.17. (compiled against Mozilla 1.7.2) patches/packages/mozilla-1.7.2-i486-1.tgz: Upgraded to Mozilla 1.7.2. This fixes three security vulnerabilities. For details, see: http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2 (* Security fix *) patches/packages/mozilla-plugins-1.7.2-noarch-1.tgz: Changed plugin symlinks for Mozilla 1.7.2. 
+--------------------------+ Sat Aug 7 17:17:20 AKDT 2004 patches/packages/sox-12.17.4-i486-3.tgz: Patched buffer overflows that could allow a malicious WAV file to execute arbitrary code. (* Security fix *) patches/packages/imagemagick-6.0.4_3-i486-1.tgz: Upgraded to ImageMagick-6.0.4-3. Fixes PNG security issues. (* Security fix *) patches/packages/libpng-1.2.5-i486-3.tgz: Patched possible security issues including buffer and integer overflows and null pointer references. These issues could cause program crashes, or possibly allow arbitrary code embedded in a malicious PNG image to execute. The PNG library is widely used within the system, so all sites should upgrade to the new libpng package. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599 (* Security fix *) +--------------------------+ Mon Jul 26 14:10:01 PDT 2004 patches/packages/samba-3.0.5-i486-2.tgz: Rebuilt using --with-acl-support=no to avoid a dependency on libattr (found in the xfsprogs package). Thanks to Fredrik, Naresh Donti, and Dimitar Katerinski for pointing this out. It wasn't intentional (only the version number changed in the build script). +--------------------------+ Sun Jul 25 14:17:29 PDT 2004 patches/packages/mod_ssl-2.8.19_1.3.31-i486-1.tgz: Upgraded to mod_ssl-2.8.19-1.3.31. This fixes a security hole (ssl_log() related format string vulnerability in mod_proxy hook functions), so sites using mod_ssl should upgrade to the new version. Be sure to back up your existing key files first. (* Security fix *) patches/packages/samba-3.0.5-i486-1.tgz: Upgraded to samba-3.0.5. This fixes a buffer overflow in SWAT and another in the code supporting the 'mangling method = hash' smb.conf option (which is not the default). 
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686 (* Security fix *) +--------------------------+ Tue Jul 20 19:35:16 PDT 2004 patches/packages/php-4.3.8-i486-1.tgz: Upgraded to php-4.3.8. This release fixes two security problems in PHP (memory_limit handling and a problem in the strip_tags function). Sites using PHP should upgrade. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595 (* Security fix *) +--------------------------+ Sat Jun 26 16:05:36 PDT 2004 patches/packages/vim-6.3.007-i486-1.tgz: Upgraded to patchlevel 007, fixed missing vim.mo files (sorry about that!!). patches/packages/gaim-0.79-i486-1.tgz: Upgraded to gaim-0.79 and gaim-encryption-2.27. patches/packages/gnuchess-4.0.pl80-i486-4.tgz: Fixed missing files. (thanks to grk) patches/packages/xvim-6.3.007-i486-1.tgz: Upgraded to patchlevel 007, fixed missing vim.mo files. +--------------------------+ Tue Jun 22 01:34:56 PDT 2004 Slackware 10.0 is released. Thanks to everyone who helped out! +--------------------------+ Tue Jun 22 00:08:40 PDT 2004 a/shadow-4.0.3-i486-11.tgz: Updated adduser (thanks to Stuart Winter). a/sysvinit-2.84-i486-50.tgz: In rc.d, fix the test for a running pppd. (Thanks to Richard Hoyle) In rc.6, fix test for quota. (Thanks to Bruno Henrique Collovini) d/doxygen-1.3.7-i486-1.tgz: Upgraded to doxygen-1.3.7. gnome/totem-0.99.12-i486-2.tgz: Removed bogus /usr/lib/mozilla/plugins dir. n/tcpip-0.17-i486-29.tgz: Don't biff terminals if the user listed in utmp doesn't match the term's current owner. (thanks to Tom Crane) extra/slackpkg/slackpkg-1.2.2-noarch-4.tgz: Upgraded to slackpkg-1.2.2-noarch-4 (thanks to Piter PUNK). 
+--------------------------+ Sun Jun 20 22:22:54 PDT 2004 a/hotplug-2004_01_05-noarch-3.tgz: Added aic79xx and some other SCSI/SATA modules to /etc/hotplug/blacklist since they interfere with using an initrd. Thanks to Robert Upshall for the bug report. a/mkinitrd-1.0.1-i486-2.tgz: Fixed a typo, and added an ext3 example to README.initrd. Thanks to Piter PUNK. d/gdb-6.1.1-i486-1.tgz: Upgraded to gdb-6.1.1. Thanks to David for the heads-up. extra/ham/libgeotiff-1.2.2-i486-1.tgz: Upgraded to libgeotiff-1.2.2 since the last TIFF upgrade broke the previous package. Thanks to Uno Staver for the bug report. +--------------------------+ Sun Jun 20 02:07:22 PDT 2004 This is Slackware 10.0 release candidate 2. a/etc-5.1-noarch-9.tgz: Make sure audio/video/cdrom groups are installed. (Thanks to Piter PUNK) a/kernel-modules-2.4.26-i486-3.tgz: Load quota_v2 from rc.modules if quota options are seen in /etc/fstab. a/mkinitrd-1.0.1-i486-1.tgz: Upgraded to mkinitrd-1.0.1. a/syslinux-2.10-i486-1.tgz: Upgraded to syslinux-2.10. a/sysvinit-2.84-i486-49.tgz: Try to shut down pppd in rc.6. (Suggested by Luigi Genoni) Fixed quota examples in rc.M (thanks to Jakub Jankowski). Free initrd buffers in rc.S (thanks to Lucas Santos). ap/quota-3.12-i486-1.tgz: Upgraded to quota-3.12. Thanks to Sander de Leeuw for pointing out the new version. d/gcc-gnat-3.3.4-i486-2.tgz: Removed incorrect symlinks from adalib. gnome/epiphany-1.2.6-i486-1.tgz: Upgraded to epiphany-1.2.6. gnome/epiphany-extensions-0.9.1-i486-1.tgz: Upgraded to epiphany-extensions-0.9.1. gnome/gail-1.6.6-i486-1.tgz: Upgraded to gail-1.6.6. gnome/galeon-1.3.15-i486-2.tgz: Patched and recompiled for Mozilla 1.7. Thanks very much to Philip Langdale for the patch (which made it possible to squeeze Mozilla 1.7 into this Slackware release at the last minute). gnome/gconf-2.6.2-i486-1.tgz: Upgraded to GConf-2.6.2. gnome/gconf-editor-2.6.2-i486-1.tgz: Upgraded to gconf-editor-2.6.2. gnome/gdm-2.6.0.3-i486-1.tgz: Upgraded to gdm-2.6.0.3. 
gnome/gnome-desktop-2.6.2-i486-1.tgz: Upgraded to gnome-desktop-2.6.2.
gnome/gnome-panel-2.6.2-i486-1.tgz: Upgraded to gnome-panel-2.6.2.
gnome/gnome-session-2.6.2-i486-1.tgz: Upgraded to gnome-session-2.6.2.
gnome/gnome-speech-0.3.3-i486-1.tgz: Upgraded to gnome-speech-0.3.3.
gnome/gnome-themes-2.6.2-i486-1.tgz: Upgraded to gnome-themes-2.6.2.
gnome/gnopernicus-0.9.5-i486-1.tgz: Upgraded to gnopernicus-0.9.5.
gnome/gpdf-0.132-i486-1.tgz: Upgraded to gpdf-0.132.
gnome/gstreamer-0.8.3-i486-1.tgz: Upgraded to gstreamer-0.8.3.
gnome/libgtkhtml-2.6.2-i486-1.tgz: Upgraded to libgtkhtml-2.6.2.
gnome/libwnck-2.6.2-i486-1.tgz: Upgraded to libwnck-2.6.2.
gnome/nautilus-2.6.3-i486-1.tgz: Upgraded to nautilus-2.6.3.
l/sdl-1.2.7-i486-2.tgz: Added SDL_net-1.2.5 and SDL_ttf-2.0.6. (Suggested by Jesper Juhl)
n/iproute2-2.6.7_ss040608-i486-2.tgz: Added missing /var/lib/arpd.
n/iptables-1.2.10-i486-1.tgz: Upgraded to iptables-1.2.10. (thanks to Sorin Mitrica)
xap/gaim-0.78-i486-2.tgz: Recompiled against Mozilla 1.7 libraries. Added gaim-encryption plugin (suggested by Chris Lumens and Eric Hameleers).
xap/gnuchess-4.0.pl80-i486-3.tgz: Upgraded to xboard-4.2.7. (suggested by Bradley Reed)
xap/mozilla-1.7-i486-1.tgz: Upgraded to mozilla-1.7.
xap/mozilla-plugins-1.7-noarch-1.tgz: Upgraded to mozilla-plugins-1.7.
bootdisks/*: Rebuilt using syslinux-2.10.
extra/kfiresaver3d/kfiresaver3d-0.6-i486-2.tgz: Patched a memory leak. Thanks to Adrien Beau for pointing out the patch.
extra/slacktrack/slacktrack-1.21-i486-1.tgz: Upgraded to slacktrack-1.21_1.
isolinux/initrd.img, rootdisks/install.*: Allow bypassing multi LUNS scan with 'noscanluns' as a kernel boot option.
testing/packages/linux-2.6.7/kernel-modules-2.6.7-i486-2.tgz: Load quota_v2 from rc.modules if quota options are seen in /etc/fstab.
Finally, thanks to Adrien Beau for helping clean up some Slackware docs.
+--------------------------+
Wed Jun 16 22:34:59 PDT 2004
a/sysvinit-2.84-i486-48.tgz: In rc.S, run isapnp before rc.modules. In rc.6, deactivate LVM before remounting / read-only so that metadata backups can be made. (thanks to Luigi Genoni)
xap/imagemagick-6.0.2_7-i486-1.tgz: Upgraded to ImageMagick-6.0.2-7.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre21_2.6.7-i486-1.tgz: Recompiled for Linux 2.6.7.
testing/packages/linux-2.6.7/alsa-driver-1.0.5a_2.6.7-i486-1.tgz: Recompiled for Linux 2.6.7.
testing/packages/linux-2.6.7/kernel-generic-2.6.7-i486-1.tgz: Upgraded to Linux 2.6.7.
testing/packages/linux-2.6.7/kernel-headers-2.6.7-i386-1.tgz: Upgraded to 2.6.7 kernel headers.
testing/packages/linux-2.6.7/kernel-modules-2.6.7-i486-1.tgz: Upgraded to Linux 2.6.7 kernel modules.
testing/packages/linux-2.6.7/kernel-source-2.6.7-noarch-1.tgz: Upgraded to Linux 2.6.7 kernel source.
+--------------------------+
Tue Jun 15 18:30:11 PDT 2004
This is Slackware 10.0 release candidate 1.
xap/gimp-2.0.2-i486-1.tgz: Upgraded to gimp-2.0.2.
extra/bash-completion/bash-completion-20040526-noarch-1.tgz: Upgraded to bash-completion-20040526.
extra/k3b/k3b-0.11.11-i486-1.tgz: Added k3b-0.11.11.
extra/slackpkg/slackpkg-1.2.2-noarch-2.tgz: Upgraded to slackpkg-1.2.2-noarch-2.
zipslack/*: Rebuilt ZipSlack for the upcoming release.
+--------------------------+
Mon Jun 14 21:51:44 PDT 2004
a/bin-9.2.0-i486-2.tgz: Moved "which" from /usr/bin to /bin.
a/hotplug-2004_01_05-noarch-2.tgz: Blacklisted evbug. Added /usr/lib/hotplug/firmware directory. Quieted some of the error logging about modules that couldn't be loaded, though modprobe still produces a few of these even with -q.
a/kernel-ide-2.4.26-i486-4.tgz: Patched local DoS (CAN-2004-0554). Without this patch to asm-i386/i387.h a local user can crash the kernel. (* Security fix *)
d/kernel-headers-2.4.26-i386-3.tgz: Patched asm-i386/i387.h.
k/kernel-source-2.4.26-noarch-4.tgz: Patched local DoS (CAN-2004-0554).
  (* Security fix *)
bootdisks/*: Rebuilt from patched kernels. (* Security fix *)
kernels/*: Patched local DoS (CAN-2004-0554). (* Security fix *)
testing/packages/linux-2.6.6/kernel-generic-2.6.6-i486-5.tgz: Patched local DoS (CAN-2004-0554). (* Security fix *)
testing/packages/linux-2.6.6/kernel-headers-2.6.6-i386-3.tgz: Patched asm-i386/i387.h.
testing/packages/linux-2.6.6/kernel-source-2.6.6-noarch-3.tgz: Patched local DoS (CAN-2004-0554). (* Security fix *)
+--------------------------+
Mon Jun 14 00:39:32 PDT 2004
a/aaa_base-10.0.0-noarch-1.tgz: Updated.
a/aaa_elflibs-9.2.0-i486-1.tgz: Updated package of ELF libraries. Note that this package shouldn't be upgraded... it's only meant for the initial installation. Reinstalling it can overwrite newer libraries.
a/bin-9.2.0-i486-1.tgz: Added /sbin/rescan-scsi-bus, useful for activating USB storage devices. (thanks to Lincoln Stein) Made rpm2tgz more portable, more secure on machines without mcookie (all Slackware boxes should have this), and able to handle RPM files that use bzip2 compression without requiring rpm2cpio. Thanks to q# for the patch. Also made rpm2tgz less verbose (except for errors).
a/cxxlibs-5.0.6-i486-1.tgz: Upgraded to libstdc++.so.5.0.6 from gcc-3.3.4. No longer includes libstdc++.so.6 from gcc-3.4.0 -- this is pointless since it won't work without the libgcc_s.so.1 from that version of gcc, and we can't include that (the version in the gcc package would copy over it if we tried). A possible solution would be for gcc to use unique library versions for libgcc_s.so instead of making them all .so.1.
a/kernel-ide-2.4.26-i486-3.tgz: Recompiled with gcc-3.3.4.
a/kernel-modules-2.4.26-i486-2.tgz: Recompiled with gcc-3.3.4.
a/udev-026-i486-1.tgz: Upgraded to udev-026. Added a few more VMware devices (thanks to Abby Ricart).
a/utempter-1.1.1-i486-1.tgz: Moved from the L series.
ap/vim-6.3.004-i486-1.tgz: Upgraded to vim-6.3.004.
ap/most-4.9.5-i486-1.tgz: Upgraded to most-4.9.5.
  (suggested by Gerardo Exequiel Pozzi)
d/gcc-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/gcc-g++-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/gcc-g77-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/gcc-gnat-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/gcc-java-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/gcc-objc-3.3.4-i486-1.tgz: Upgraded to gcc-3.3.4.
d/m4-1.4.1-i486-1.tgz: Upgraded to m4-1.4.1.
l/alsa-driver-1.0.5a-i486-2.tgz: Recompiled with gcc-3.3.4.
l/libtiff-3.6.1-i486-2.tgz: Fixed perms on libtiff.so.3.6.1.
n/bitchx-1.1-i486-1.tgz: Upgraded to BitchX 1.1 (ircii-pana-1.1-final).
n/inetd-1.79s-i486-6.tgz: Start pidentd as root and allow it to drop privs so that it can write to /var/run/identd.pid.
n/iproute2-2.6.7_ss040608-i486-1.tgz: Upgraded to iproute2-2.6.7-ss040608. Moved from /extra. (now that it finally contains man pages...) Thanks to Tomasz Torcz for letting me know that OSDL is maintaining this now.
n/lftp-3.0.6-i486-1.tgz: Upgraded to lftp-3.0.6.
n/pidentd-3.0.18-i486-1.tgz: Upgraded to pidentd-3.0.18.
n/tcpip-0.17-i486-28.tgz: Removed whois. Patched mii-tool for 2.6 kernels. Thanks to Gil Disatnik for the patch.
n/whois-4.6.16-i486-1.tgz: Upgraded to whois-4.6.16, which was split out of the tcpip package for easier maintenance (suggested by Stuart Winter).
xap/gkrellm-2.2.1-i486-1.tgz: Upgraded to gkrellm-2.2.1. Added gkrellm-countdown-0.1.1 plugin.
xap/imagemagick-6.0.2_6-i486-1.tgz: Upgraded to imagemagick-6.0.2-6.
xap/xvim-6.3.004-i486-1.tgz: Upgraded to vim-6.3.004 for X/GTK+.
bootdisks/*: Rebuilt from new kernels.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre21-i486-1.tgz: Added linux-wlan-ng-0.2.1pre21 (Prism 802.11 drivers).
kernels/*: Recompiled with gcc-3.3.4.
testing/packages/linux-2.6.6/alsa-driver-1.0.5a-i486-2.tgz: Recompiled with gcc-3.3.4.
testing/packages/linux-2.6.6/kernel-headers-2.6.6-i386-2.tgz: Fixed missing headers in /usr/include/asm-generic/.
testing/packages/linux-2.6.6/kernel-modules-2.6.6-i486-3.tgz: Recompiled with gcc-3.3.4, made /etc/rc.d/rc.modules a symlink to rc.modules-2.6.6.
testing/packages/linux-2.6.6/kernel-source-2.6.6-noarch-2.tgz: Retain a few compiled utilities in scripts/ since some external driver sources need them.
testing/packages/linux-2.6.6/linux-wlan-ng-0.2.1pre21_2.6.6-i486-1.tgz: Added linux-wlan-ng-0.2.1pre21 for Linux 2.6.6.
+--------------------------+
Fri Jun 11 14:24:11 PDT 2004
l/gtk+2-2.4.3-i486-1.tgz: Upgraded to gtk+-2.4.3.
+--------------------------+
Thu Jun 10 21:04:13 PDT 2004
gnome/nautilus-2.6.2-i486-2.tgz: Patched a bug when dragging icons with a zoom level other than 100%. Thanks to Miguel Manuel Melendez Gomez for the patch.
l/arts-1.2.3-i486-1.tgz: Upgraded to arts-1.2.3.
l/zlib-1.2.1.1-i486-1.tgz: Upgraded to zlib-1.2.1.1.
kde/kdeaccessibility-3.2.3-i486-1.tgz: Upgraded to kdeaccessibility-3.2.3.
kde/kdeaddons-3.2.3-i486-1.tgz: Upgraded to kdeaddons-3.2.3.
kde/kdeadmin-3.2.3-i486-1.tgz: Upgraded to kdeadmin-3.2.3.
kde/kdeartwork-3.2.3-i486-1.tgz: Upgraded to kdeartwork-3.2.3.
kde/kdebase-3.2.3-i486-1.tgz: Upgraded to kdebase-3.2.3.
kde/kdebindings-3.2.3-i486-1.tgz: Upgraded to kdebindings-3.2.3.
kde/kdeedu-3.2.3-i486-1.tgz: Upgraded to kdeedu-3.2.3.
kde/kdegames-3.2.3-i486-1.tgz: Upgraded to kdegames-3.2.3.
kde/kdegraphics-3.2.3-i486-1.tgz: Upgraded to kdegraphics-3.2.3.
kde/kdelibs-3.2.3-i486-1.tgz: Upgraded to kdelibs-3.2.3.
kde/kdelinks-1.3-noarch-1.tgz: Added GKrellM to KDE menu.
kde/kdemultimedia-3.2.3-i486-1.tgz: Upgraded to kdemultimedia-3.2.3.
kde/kdenetwork-3.2.3-i486-1.tgz: Upgraded to kdenetwork-3.2.3.
kde/kdepim-3.2.3-i486-1.tgz: Upgraded to kdepim-3.2.3.
kde/kdesdk-3.2.3-i486-1.tgz: Upgraded to kdesdk-3.2.3.
kde/kdetoys-3.2.3-i486-1.tgz: Upgraded to kdetoys-3.2.3.
kde/kdeutils-3.2.3-i486-1.tgz: Upgraded to kdeutils-3.2.3.
kde/kdevelop-3.0.4-i486-1.tgz: Upgraded to kdevelop-3.0.4.
kde/koffice-1.3.1-i486-3.tgz: Recompiled.
kde/qt-3.3.2-i486-2.tgz: Recompiled.
kde/quanta-3.2.3-i486-1.tgz: Upgraded to quanta-3.2.3.
kdei/kde-i18n-*-3.2.3.tgz: Upgraded to kde-i18n-3.2.3 packages.
+--------------------------+
Wed Jun 9 12:12:41 PDT 2004
d/cvs-1.11.17-i486-1.tgz: Upgraded to cvs-1.11.17. From the cvs NEWS file:
  * Thanks to Stefan Esser & Sebastian Krahmer, several potential security problems have been fixed. The ones which were considered dangerous enough to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, & CAN-2004-0418 by the Common Vulnerabilities and Exposures Project. Please see for more information.
  * A potential buffer overflow vulnerability in the server has been fixed. This addresses the Common Vulnerabilities and Exposures Project's issue CAN-2004-0414. Please see for more information.
  (* Security fix *)
l/alsa-driver-1.0.5a-i486-1.tgz: Upgraded to alsa-driver-1.0.5a.
testing/packages/linux-2.6.6/alsa-driver-1.0.5a-i486-1.tgz: Upgraded to alsa-driver-1.0.5a for Linux 2.6.6.
+--------------------------+
Tue Jun 8 23:08:33 PDT 2004
a/sysvinit-2.84-i486-47.tgz: Fixed rc.S test for root filesystem read-write status (thanks to Vidar Madsen).
ap/cdrdao-1.1.9-i486-1.tgz: Upgraded to cdrdao-1.1.9.
ap/vim-6.3.0-i486-1.tgz: Upgraded to vim-6.3.0.
d/strace-4.5.4-i486-1.tgz: Upgraded to strace-4.5.4.
k/kernel-source-2.4.26-noarch-3.tgz: Updated speakup patch from CVS.
xap/xchat-2.0.9-i486-1.tgz: Upgraded to xchat-2.0.9.
xap/xvim-6.3.0-i486-1.tgz: Upgraded to vim-6.3.0 for X/GTK+.
bootdisks/speakup.s: Updated speakup from CVS.
kernels/speakup.s/bzImage: Updated speakup from CVS.
testing/packages/linux-2.6.6/kernel-headers-2.6.6-i386-1.tgz: Added a Linux 2.6.6 kernel-headers package by popular request. This should only be used if you need to compile a driver that needs it. For general compiling the 2.4.26 kernel-headers package is a better match with glibc.
testing/packages/linux-2.6.6/kernel-source-2.6.6-noarch-1.tgz: Added a Linux 2.6.6 source package.
+--------------------------+
Mon Jun 7 20:59:24 PDT 2004
gnome/gcalctool-4.4.8-i486-1.tgz: Upgraded to gcalctool-4.4.8.
gnome/gnome-icon-theme-1.2.3-noarch-1.tgz: Upgraded to gnome-icon-theme-1.2.3.
gnome/totem-0.99.12-i486-1.tgz: Upgraded to totem-0.99.12.
n/elm-2.5.7-i486-1.tgz: Upgraded to elm2.5.7.
n/proftpd-1.2.9-i486-3.tgz: Patched to fix broken ACL implementation. Without this patch the ACLs with CIDR entries will not work. See http://bugs.proftpd.org/show_bug.cgi?id=2267 for details. Because this bug is relatively low-risk and because it has only existed in Slackware in the unstable -current tree, this ChangeLog entry will be the only security advisory issued for this flaw. (* Security fix *)
xap/imagemagick-6.0.2_2-i486-1.tgz: Upgraded to ImageMagick-6.0.2-2.
xap/xine-lib-1rc4a-i686-1.tgz: Upgraded to xine-lib-1-rc4a.
extra/parted/parted-1.6.11-i486-1.tgz: Upgraded to parted-1.6.11.
+--------------------------+
Mon Jun 7 00:56:25 PDT 2004
a/bin-9.0.0-i486-4.tgz: Patched splitvt to use devpts (thanks to Nate Rodriguez for the patch). Removed bpe. Added file magic for rzip archives (thanks to Erik Jan Tromp).
a/pkgtools-10.0.0-i486-1.tgz: Removed soon-to-be-obsolete "head -1" syntax from pkgtool (thanks to Stuart Winter).
a/sysvinit-2.84-i486-46.tgz: In rc.S, improved ro filesystem check. (thanks to =?ISO-8859-2?Q?Grzegorz_B=B3ach?= :-) In rc.6, don't use soon-to-be-obsolete "head -1" syntax. (thanks to Stuart Winter)
a/tar-1.14-i486-4.tgz: Fixed "lone zero block" errors when archives do not strictly adhere to POSIX specs.
ap/bpe-2.01.00-i486-1.tgz: Upgraded to bpe-2.01.00 (previously included in the bin package).
ap/vorbis-tools-1.0.1-i486-2.tgz: Recompiled against libcurl.so.3.
gnome/eel-2.6.2-i486-1.tgz: Upgraded to eel-2.6.2.
gnome/galeon-1.3.15-i486-1.tgz: Upgraded to galeon-1.3.15.
gnome/gstreamer-0.8.2-i486-1.tgz: Upgraded to gstreamer-0.8.2.
gnome/nautilus-2.6.2-i486-1.tgz: Upgraded to nautilus-2.6.2.
l/glib2-2.4.2-i486-1.tgz: Upgraded to glib-2.4.2.
l/gtk+2-2.4.2-i486-1.tgz: Upgraded to gtk+-2.4.2.
n/curl-7.12.0-i486-1.tgz: Upgraded to curl-7.12.0. This uses a new major shared library version number (.so.3), so all libcurl linked programs will need to be recompiled.
n/inetd-1.79s-i486-5.tgz: Recompiled, fixed tftpd example in inetd.conf.
n/nfs-utils-1.0.6-i486-2.tgz: rc.nfsd: when checking for NFS shares in /etc/exports, skip lines that are commented out.
n/tcpip-0.17-i486-27.tgz: Merged in changes to rc.inet1 to add wireless support and per-interface start/stop/restart (thanks to Eric Hameleers). In rc.inet2, filter out lines starting with '#' when checking /etc/fstab for nfs and smbfs partitions (thanks to Stuart Winter). Added nameif (thanks to Tomas Szepe for pointing out its absence). Upgraded to whois_4.6.14. Removed pcnfsd and bwnfsd.
n/wireless-tools-26-i486-3.tgz: Moved wireless tools into /sbin. Added /etc/rc.d/rc.wireless and /etc/rc.d/rc.wireless.conf for setting up non-PCMCIA wireless interfaces (thanks to Eric Hameleers).
xap/imagemagick-6.0.2-i486-1.tgz: Upgraded to ImageMagick-6.0.2, which builds shared libraries _just fine_. The problem I was having with this before was likely caused by Slackware using newer autoconf/automake/libtool versions than were used in the ImageMagick sources. ImageMagick-6.0.2 uses the latest versions of these, *and* has a lot of other improvements over the 5.5.x series. Thanks to ImageMagick's John Cristy for cluing me in.
xap/xine-ui-0.99.1-i686-2.tgz: Recompiled against libcurl.so.3.
pasture/pcnfsd-93.02.16-i486-1.tgz: Removed pcnfsd from the tcpip package, and recompiled it using a fixed diff from Mark Post.
+--------------------------+
Sat Jun 5 22:12:30 PDT 2004
n/yptools-2.8-i486-6.tgz: Fixed missing ypserv tools in /usr/lib/yp. Thanks to Dominik L. Borkowski for the bug report.
x/x11-6.7.0-i486-4.tgz: Patched X -configure to not comment out monitor frequencies.
x/x11-devel-6.7.0-i486-4.tgz: Patched freetype.h to remove the forced error that breaks a great deal of existing code.
xap/imagemagick-5.5.7_17-i486-3.tgz: Recompiled to link with freetype now that freetype.h works again. The recompile also fixes some PerlMagick crashes (reported by bren). Oh, and if you're wondering why I'm not using a newer ImageMagick it's because newer ones don't generate properly named shared libraries on Linux. Anyone got a patch?
+--------------------------+
Sat Jun 5 00:21:39 PDT 2004
ap/mdadm-1.6.0-i486-1.tgz: Upgraded to mdadm-1.6.0.
ap/rzip-2.0-i486-2.tgz: Fixed slack-desc typo, stripped binary.
d/clisp-2.33.2-i486-1.tgz: Upgraded to clisp-2.33.2.
n/php-4.3.7-i486-1.tgz: Upgraded to php-4.3.7. Thanks to DaMouse for the nifty trick to get INSTALL_ROOT working.
+--------------------------+
Wed Jun 2 11:29:58 PDT 2004
a/lilo-22.5.9-i486-2.tgz: Patched liloconfig to label any detected FAT or NTFS partitions "Windows", not "DOS". This is a better guess in 2004.
a/pkgtools-9.2.0-i486-2.tgz: Removed sample XF86Config files and xfree86setup script. Fixed root:bin owner on xorgsetup script.
ap/man-pages-1.64-noarch-1.tgz: Upgraded to man-pages-1.64.
ap/rzip-2.0-i486-1.tgz: Added rzip-2.0 (suggested by Daniel de Kok).
n/apache-1.3.31-i486-2.tgz: Recompiled with EAPI patch from new mod_ssl. If /usr/sbin/apachectl is a link to mod_ssl's apachectl, do not replace it.
n/mod_ssl-2.8.18_1.3.31-i486-1.tgz: Upgraded to mod_ssl-2.8.18-1.3.31. This fixes a buffer overflow that may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA:
  *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length.
  For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
  (* Security fix *)
  Other changes: Make the sample keys .new so as not to overwrite existing server keys.
  However, any existing mod_ssl package will have these listed as non-config files, and will still remove and replace these upon upgrade. You'll have to save your config files one more time... sorry).
n/php-4.3.6-i486-4.tgz: Recompiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in previous php packages where linking against the library in a path under /tmp caused an ELF rpath to this location to be built into the PHP binaries. A local attacker could (by placing shared libraries in this location) either crash PHP or cause arbitrary code to be executed as the PHP user (typically "nobody"). Thanks to Bryce Nichols for discovering this issue and bringing it to my attention. (* Security fix *) Added --enable-wddx option (suggested by Lorenzo Tomei). Linked with the system libexpat rather than the internal one. Added --enable-pcntl --enable-sigchild for the CLI version of PHP. (suggested by Tobias Poschwatta and Aron Rosenberg)
x/x11-6.7.0-i486-3.tgz: Patched xorgconfig to contain a correct path to the XKB rules files, include the glx module, and add the TTF and cyrillic font directories to the default font path. Thanks to Darth Apocalypsis for reporting the problems.
xap/gaim-0.78-i486-1.tgz: Upgraded to gaim-0.78.
+--------------------------+
Mon May 31 17:49:49 PDT 2004
a/kernel-ide-2.4.26-i486-2.tgz: Recompiled without LDM partition support.
ap/mc-4.6.0-i486-4.tgz: Fixed broken php syntax file. Thanks to Firman Pribadi and Georgi Chorbadzhiyski for reporting the bug.
d/kernel-headers-2.4.26-i386-2.tgz: These have been updated to reflect the changed LDM partition support config option.
k/kernel-source-2.4.26-noarch-2.tgz: Removed experimental LDM support from .config since it doesn't seem useful to most people yet (searching online isn't turning up much use), and simply to get rid of all the "disk read failed" messages it was emitting.
n/lftp-3.0.5-i486-1.tgz: Upgraded to lftp-3.0.5.
bootdisks/*: Rebuilt from new kernels.
extra/slacktrack/slacktrack-1.20-i486-1.tgz: Upgraded to slacktrack-1.20_1.
isolinux/initrd.img, rootdisks/install.*: Detect NTFS partitions properly (I think it's safe to say at this point that NTFS has beaten HPFS over ownership of the 07 partition id). Set $HOME in /etc/profile where it will actually stick.
kernels/*: Recompiled without LDM.
testing/packages/linux-2.6.6/kernel-generic-2.6.6-i486-3.tgz: No LDM.
+--------------------------+
Sun May 30 14:29:48 PDT 2004
ap/joe-3.1-i486-1.tgz: Upgraded to joe-3.1. Now with Klingon support! ;-)
isolinux/initrd.img, rootdisks/install.*: Move LUN scan down a little farther in rc.S where we've got a better grep. This should fix installing from a USB or IEEE1394 device when the LUN != 0.
+--------------------------+
Sun May 30 01:06:39 PDT 2004
a/bin-9.0.0-i486-3.tgz: Don't link fsck.reiserfs to /bin/true.
a/infozip-5.51-i486-1.tgz: Upgraded unzip to version 5.51.
a/kbd-1.12-i486-2.tgz: Added support for euro character to nl.map. (thanks to Eric Hameleers for the patch)
a/lprng-3.8.27-i486-1.tgz: Upgraded to LPRng-3.8.27.
a/pcmcia-cs-3.2.7-i486-3.tgz: Fixed perms (chown -R root:bin /usr/bin).
a/pkgtools-9.2.0-i486-1.tgz: Set umask in *pkg tools so there are no surprises. Use $ROOT for $TMP in upgradepkg. Fix path to preserved packages in the removepkg manpage. Fix "comtains" typo in makepkg. Fix "mkdir: cannot create directory `./install': File exists" error message from makepkg.
a/reiserfsprogs-3.6.17-i486-1.tgz: Upgraded to reiserfsprogs-3.6.17. Make fsck.reiserfs and mkfs.reiserfs symlinks in /sbin.
a/slocate-2.7-i486-3.tgz: Prune /dev, /proc, and /sys.
a/tar-1.14-i486-3.tgz: Fixed perms (chown -R root:bin /usr/sbin).
a/tcsh-6.13.00-i486-1.tgz: Upgraded to tcsh-6.13.00. Thanks to Dale Eaton (and his friends on OFTC #slackware) for letting me know this was out.
a/xfsprogs-2.6.13-i486-1.tgz: Upgraded to attr-2.4.16, dmapi-2.2.0, xfsdump-2.2.21, xfsprogs-2.6.13. Libs/headers are now installed.
ap/alsa-utils-1.0.5-i486-1.tgz: Upgraded to alsa-utils-1.0.5.
d/python-2.3.4-i486-1.tgz: Upgraded to Python-2.3.4.
d/python-demo-2.3.4-noarch-1.tgz: Upgraded to Python-2.3.4 demos.
d/python-tools-2.3.4-noarch-1.tgz: Upgraded to Python-2.3.4 tools.
gnome/gthumb-2.4.0-i486-1.tgz: Upgraded to gthumb-2.4.0.
gnome/libbonobo-2.6.2-i486-1.tgz: Upgraded to libbonobo-2.6.2.
l/alsa-driver-1.0.5-i486-1.tgz: Upgraded to alsa-driver-1.0.5.
l/alsa-lib-1.0.5-i486-1.tgz: Upgraded to alsa-lib-1.0.5.
l/alsa-oss-1.0.5-i486-1.tgz: Upgraded to alsa-oss-1.0.5.
l/db4-4.2.52-i486-2.tgz: Added libdb4.{a,so} to fix building Subversion. (thanks to Patrik Rådman)
l/mhash-0.9.1-i486-1.tgz: Added mhash-0.9.1.
l/taglib-1.1-i486-2.tgz: Fixed perms (chown -R root:bin /usr/bin).
n/php-4.3.6-i486-3.tgz: Recompiled using --with-mhash and linked with the new mhash package. (Suggested by Eric Hameleers)
n/sendmail-cf-8.12.11-noarch-3.tgz: Fixed the Build script (for building .cf files from .mc files). Thanks to Jonathan Mohr for pointing out the problem.
n/yptools-2.8-i486-5.tgz: Upgraded to ypbind-mt-1.17.3 and ypserv-2.13. Removed unmaintained yps and ypmake.
x/: Switched to X11R6.7.0 from X.Org. Thanks to those who sent comments to x@slackware.com. Seems the community has spoken, because the opinions were more than 4 to 1 in favor of using the X.Org release as the default version of X. I think I've heard just about every side to this issue now, and it was only after careful consideration and testing that this decision was made. It's primarily (as is usual around here) a technical decision. Nearly everyone else is going with X.Org and it seems to me that sticking with XFree86 in spite of this would be asking for compatibility trouble (indeed, we saw some issues between X.Org and XFree86 4.4.0 until a few things in XFree86 were patched). I also noticed that the ATI Radeon binary drivers designed for XFree86 4.3.0 do not work with XFree86 4.4.0, but do work with the X.Org release.
  Something I'm *not* in favor of is dragging around two nearly identical projects, so XFree86 4.4.0 has been moved to the /pub/slackware/unsupported/ directory on the FTP site. I'd like to take this moment to thank the XFree86 Project for all the truly amazing work they've done all these years, and to wish the project the best of luck. Slackware owes the XFree86 Project a debt of gratitude and will always include the XFree86 acknowledgement, even if we are no longer shipping XFree86.
xap/sane-1.0.14-i486-2.tgz: Installed hotplug scripts. (thanks to Helmut Schmid :-)
isolinux/initrd.img, rootdisks/install.*: Added support for installing from USB or IEEE1394 CD/DVD drives. Fixed full installation size estimate (thanks to Karl Magnus and Erik Jan Tromp). Set HOME=/root for install. Fixed install support for bareacpi.i. (thanks to Miha Verlic)
testing/packages/linux-2.6.6/alsa-driver-1.0.5-i486-1.tgz: Upgraded to alsa-driver-1.0.5, compiled for a kernel using 8K stacks.
testing/packages/linux-2.6.6/kernel-generic-2.6.6-i486-2.tgz: Removed 4KSTACKS option and recompiled. The rationale is that for now we need to be compatible with things like the nVidia binary driver that will be broken with 4KSTACKS until they are fixed, so we should stick with 8K stacks for a while longer. It appears that the de facto standard options for production kernels in other distributions will be 4KSTACKS and no preempt, and that's what Slackware should eventually use too if we want compatibility with binary modules that are compiled for those systems.
testing/packages/linux-2.6.6/kernel-modules-2.6.6-i486-2.tgz: Recompiled. Note that these modules are binary incompatible with the last set, so if you're using an initrd you'll have to rebuild it. Make sure you load the loop module before installing this package, or you might find yourself unable to rebuild the initrd...
+--------------------------+
Thu May 27 16:09:36 PDT 2004
a/procps-3.2.1-i486-1.tgz: Upgraded to procps-3.2.1.
a/util-linux-2.12a-i486-1.tgz: Upgraded to util-linux-2.12a. Patched adjtimex for gcc-3.3.3. (thanks to *dEiMoS*)
ap/mc-4.6.0-i486-3.tgz: Fixed broken hotkeys (reported by c0ldbyte).
ap/mdadm-1.5.0-i486-1.tgz: Added mdadm-1.5.0.
d/clisp-2.33.1-i486-1.tgz: Upgraded to clisp-2.33.1.
gnome/ghex-2.6.1-i486-1.tgz: Upgraded to ghex-2.6.1.
gnome/gnopernicus-0.9.4-i486-1.tgz: Upgraded to gnopernicus-0.9.4.
gnome/libbonobo-2.6.1-i486-1.tgz: Upgraded to libbonobo-2.6.1.
+--------------------------+
Wed May 26 20:26:45 PDT 2004
ap/vim-6.2.532-i486-1.tgz: Upgraded to vim-6.2.532. Thanks to Alvaro Figueroa Cabezas for reminding me to update vim.
d/perl-5.8.4-i486-3.tgz: Fixed -Dinc_version_list (thanks to Mark Post).
gnome/gail-1.6.5-i486-1.tgz: Upgraded to gail-1.6.5.
gnome/gnopernicus-0.9.3-i486-1.tgz: Upgraded to gnopernicus-0.9.3.
gnome/libgnome-2.6.1.1-i486-2.tgz: Patched broken sound events. (thanks to Chuck R. Bell for forwarding the patch)
xap/xvim-6.2.532-i486-1.tgz: Upgraded to vim-6.2.532 for GTK/X11.
+--------------------------+
Tue May 25 21:20:48 PDT 2004
a/sysvinit-2.84-i486-45.tgz: The clock should be set before running rc.modules, otherwise it's hard to know if we need to run depmod on recently installed modules.
a/udev-025-i486-6.tgz: Added /dev/fd[0-3].
n/lftp-3.0.4-i486-1.tgz: Upgraded to lftp-3.0.4.
Here is some work in progress. :-) It might be good for it to stay out of the installer until after the next release, actually. By then any drive geometry or other issues will be worked out... It's working great here, though, and is now very well supported in the init scripts (and I've even run / on LVM).
testing/packages/linux-2.6.6/alsa-driver-1.0.4-i486-2.tgz: Added ALSA driver package compiled for Linux 2.6.6.
testing/packages/linux-2.6.6/kernel-generic-2.6.6-i486-1.tgz: Added a generic Linux 2.6.6 kernel. Generic means that it supports almost everything through modules, but a lot less than usual is built in.
  For example, the only built-in filesystem is ext2. If you want something better for your root filesystem, or you need to load SCSI or other drivers before mounting root, then you'll need to build an initrd (see the new mkinitrd package). You'll also need to add a line to your lilo.conf to load the initrd along with the kernel:
    initrd=/boot/initrd.gz
testing/packages/linux-2.6.6/kernel-modules-2.6.6-i486-1.tgz: Added kernel modules for Linux 2.6.6.
testing/packages/linux-2.6.6/mkinitrd-1.0.0-i486-1.tgz: Added a mkinitrd package (this was added for 2.6.x but should work with any kernel).
+--------------------------+
Mon May 24 22:18:50 PDT 2004
a/glibc-solibs-2.3.2-i486-6.tgz: Recompiled against 2.4.26 kernel headers.
a/glibc-zoneinfo-2.3.2-noarch-6.tgz: Rebuilt. Patched /usr/sbin/timeconfig to copy the timezone file to /etc/localtime instead of making that a link. This prevents problems caused by trying to set the clock when /usr is not yet mounted, as well as other problems caused by waiting until after /usr is mounted to set the clock. Set a /etc/localtime-copied-from symlink to show where the file is coming from.
a/sysvinit-2.84-i486-44.tgz: Detect LVM2 by looking for /etc/lvm/backup/. (one more reason not to turn off metadata backups :-), also on shutdown don't try to use --ignorelockingfailure with LVM1. Support swap on LVM (thanks to Lucas Santos). Test for nohotplug before starting udev (thanks to Piter Punk).
a/udev-025-i486-5.tgz: unset math function, not unalias (thanks LukenShiro). Check for existing devices or links before trying to make them. Add a couple of vmnet devices (suggested by Gerardo Exequiel Pozzi).
ap/normalize-0.7.6-i486-1.tgz: Added normalize-0.7.6.
l/glibc-2.3.2-i486-6.tgz: Recompiled.
l/glibc-i18n-2.3.2-noarch-6.tgz: Rebuilt.
xap/gnuplot-4.0.0-i486-1.tgz: Upgraded to gnuplot-4.0.0. (thanks to Dominik L.
  Borkowski for the reminder)
xap/xv-3.10a-i486-3.tgz: Updated the XV jumbo patches to fix things for registered users (who have to recompile xv themselves to register anyway :).
extra/brltty/brltty-3.4.1-i486-1.tgz: Upgraded to brltty-3.4.1.
extra/emacspeak/emacspeak-20.0-i486-1.tgz: Upgraded to emacspeak-20.0.
extra/fluxbox-0.9.9/fluxbox-beta-0.9.9-i486-1.tgz: Upgraded to fluxbox-0.9.9.
extra/glibc-extra-packages/glibc-debug-2.3.2-i486-6.tgz: Recompiled.
extra/glibc-extra-packages/glibc-profile-2.3.2-i486-6.tgz: Recompiled.
extra/isdn4k-utils/isdn4k-utils-CVS-2004-05-02.tar.bz2: Updated.
pasture/db4-4.1.25-i386-1.tgz: Moved from /extra.
testing/packages/lvm2/device-mapper-1.00.17-i486-2.tgz: Provide a static version of dmsetup.
testing/packages/lvm2/lvm2-2.00.15-i486-2.tgz: Provide a static version of lvm (perhaps useful with an initrd for placing / on a LV). Build in support for lvm1 metadata (I wasn't able to migrate from lvm1 using vgconvert until this was built in, but possibly a setting in lvm.conf would also have worked).
+--------------------------+
Sat May 22 23:27:56 PDT 2004
a/sysvinit-2.84-i486-43.tgz: Fix adding proc and sysfs to /etc/mtab.
+--------------------------+
Sat May 22 22:46:49 PDT 2004
a/sysvinit-2.84-i486-42.tgz: Use /proc/mounts to detect a mounted sysfs. Move some things around in rc.S. Debugged LVM2 in rc.S and rc.6 (thanks to Luigi Genoni for the LVM help!)
a/udev-025-i486-4.tgz: Create /dev/ppp so that the ppp modules can autoload. Fix perms on misc/* devices (thanks to Stefano Vesa and /ismail). Add nVidia devices. Add /dev/loop0. Don't use expr in make_extra_nodes.sh (thanks to LukenShiro). Symlink v4l devices in /dev (thanks to Michele Mariottini).
testing/packages/lvm2/device-mapper-1.00.17-i486-1.tgz: Added device-mapper-1.00.17.
testing/packages/lvm2/lvm2-2.00.15-i486-1.tgz: Added LVM2.2.00.15.
+--------------------------+
Fri May 21 01:39:02 PDT 2004
a/devs-2.3.1-noarch-21.tgz: Chgrp some devices to audio, video, or cdrom.
a/etc-5.1-noarch-8.tgz: Add to /etc/group: audio(17), video(18), cdrom(19). Don't leave $file set after running scripts in /etc/profile.d/.
a/lilo-22.5.9-i486-1.tgz: Upgraded to lilo-22.5.9. Patched liloconfig to only suggest using ide-scsi for 2.4.x kernels.
a/shadow-4.0.3-i486-10.tgz: In /etc/login.defs, allow console users access to the audio, video, and cdrom groups.
a/sysvinit-2.84-i486-41.tgz: Various updates in /etc/rc.d/. In rc.S: Mount /proc before doing anything else. Remove SGIVWS hwclock cruft. Use /proc/sys/kernel/random/poolsize for random_seed (Daniel de Kok). In rc.M: Power down monitor after one hour (Gerardo Exequiel Pozzi). Increase supported dmesg buffer size to 64K (Lech Szychowski). Support an /etc/rc.d/rc.hpoj if found (Marc A. Mironescu). In rc.6: Remove SGIVWS hwclock cruft. Use /proc/sys/kernel/random/poolsize for random_seed (Daniel de Kok).
a/udev-025-i486-3.tgz: Moved make_extra_nodes into a separate script. Fixed detection/perms on IDE cdrom devices. Use new cdrom/audio/video groups.
d/automake-1.8.5-noarch-1.tgz: Upgraded to automake-1.8.5.
d/perl-5.8.4-i486-2.tgz: Support modules compiled for older perl versions.
n/curl-7.11.2-i486-1.tgz: Upgraded to curl-7.11.2.
xap/xpdf-3.00-i486-2.tgz: Fixed Cyrillic support in xpdfrc. Thanks to Alexey Remizov for the bug report and patch.
xap/xv-3.10a-i486-2.tgz: Applied Greg Roelofs' "jumbo" fix and enhancement patches (thanks, Greg!).
pasture/devfsd-1.3.25-i486-4.tgz: On systems that support both devfs and udev, do not use devfs unless /etc/rc.d/rc.udev is non-executable.
+--------------------------+
Wed May 19 18:08:33 PDT 2004
a/shadow-4.0.3-i486-9.tgz: Upgraded /usr/sbin/adduser. (Thanks to Stuart Winter for the update)
a/tar-1.14-i486-2.tgz: Restore bzip2 support in tar-1.13.
ap/mysql-4.0.20-i486-1.tgz: Upgraded to mysql-4.0.20.
ap/sgml-tools-1.0.9-i486-12.tgz: Put docbook-utils-0.6.14 docs in the right directory (/usr/doc). Fix directory perms in /usr/doc/gtk-doc-1.2/doc/.
d/cvs-1.11.16-i486-1.tgz: Upgraded to cvs-1.11.16. From the NEWS file: A potential buffer overflow vulnerability in the server has been fixed. Prior to this patch, a malicious client could potentially use carefully crafted server requests to run arbitrary programs on the CVS server machine. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396 (* Security fix *) gnome/eel-2.6.1-i486-2.tgz: Fixed documentation perms (no, the GPL should not be executable). Thanks to mRgOBLIN. gnome/epiphany-1.2.5-i486-2.tgz: Fix doc perms (thanks to mRgOBLIN). gnome/epiphany-extensions-0.9.0-i486-2.tgz: Fix doc perms (thanks to mRgOBLIN). extra/slackpkg/slackpkg-1.2.1-noarch-6.tgz: Upgraded to slackpkg-1.2.1-noarch-6. +--------------------------+ Tue May 18 14:01:11 PDT 2004 a/sysvinit-2.84-i486-40.tgz: In rc.S, fix syntax for mounting /proc (it really did work most of the time before ;-). I considered checking it again later when the /etc/mtab entries are created, but we'll see if this does the trick first. Also, fix a typo where sysctl is checked for in /bin rather than /sbin (thanks to Tomasz Torcz for pointing that out). a/udev-025-i486-2.tgz: After refining and re-rerefining a rules file for Slackware, I completely forgot to install it! Sorry about it -- it's there now. Oh, and I know that udev overwrites existing config files. If you think there are user serviceable parts in there, save backup copies. Fixed /dev/tty* perms. Thanks to Markus Stauffer and the folks on alt.os.linux.slackware for the heads-up. gnome/gnome-games-2.6.1-i486-3.tgz: Fix /usr/bin directory ownership. l/pcre-4.5-i486-2.tgz: --enable-utf8 (thanks to Tomas Szepe). l/libglade-2.4.0-i486-1.tgz: Upgraded to libglade-2.4.0. +--------------------------+ Mon May 17 19:33:11 PDT 2004 kde/kdelibs-3.2.2-i486-2.tgz: Patched URI security issues. 
According to www.kde.org: The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411 (* Security fix *) +--------------------------+ Mon May 17 02:04:08 PDT 2004 a/sysvinit-2.84-i486-39.tgz: In rc.S, support udev in 2.6 kernels. In rc.M, save the contents of 'dmesg' in /var/log/dmesg. a/tar-1.14-i486-1.tgz: Upgraded to tar-1.14. a/udev-025-i486-1.tgz: Added udev-0.25, and for now at least this will be used by default if a 2.6 kernel with hotplug and sysfs support is detected. ap/mc-4.6.0-i486-2.tgz: Patched to fix buffer overflow, format string, and temporary file creation vulnerabilities found by Andrew V. Samoilov and Pavel Roskin. These could lead to a denial of service or the execution of arbitrary code as the user running mc. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0232 (* Security fix *) gnome/at-spi-1.4.2-i486-1.tgz: Upgraded to at-spi-1.4.2. gnome/epiphany-extensions-0.9.0-i486-1.tgz: Upgraded to epiphany-extensions-0.9.0. gnome/gail-1.6.4-i486-1.tgz: Upgraded to gail-1.6.4. gnome/gnome-games-2.6.1-i486-2.tgz: Change the perms on /var/lib/games to 0775, since the gnome-games don't like 2775 now (it causes the "Scores" menu choice to be greyed out). Reported by Eugenia Loli-Queru. gnome/gok-0.11.3-i486-1.tgz: Upgraded to gok-0.11.3. gnome/libbonoboui-2.6.1-i486-1.tgz: Upgraded to libbonoboui-2.6.1. l/libgsf-1.9.1-i486-1.tgz: Upgraded to libgsf-1.9.1. l/wv2-0.2.2-i486-1.tgz: Upgraded to wv2-0.2.2. n/dnsmasq-2.8-i486-1.tgz: Upgraded to dnsmasq-2.8. n/getmail-3.2.4-noarch-1.tgz: Upgraded to getmail-3.2.4. extra/bittorrent/bittorrent-3.4.2-noarch-1.tgz: Upgraded to BitTorrent-3.4.2. 
pasture/devfsd-1.3.25-i486-3.tgz: Obsolete, and retired to /pasture. +--------------------------+ Thu May 13 18:45:15 PDT 2004 gnome/gnome-applets-2.6.1-i486-1.tgz: Upgraded to gnome-applets-2.6.1. gnome/gnome-media-2.6.2-i486-1.tgz: Upgraded to gnome-media-2.6.2. gnome/gnopernicus-0.9.2-i486-1.tgz: Upgraded to gnopernicus-0.9.2. gnome/gok-0.11.2-i486-1.tgz: Upgraded to gok-0.11.2. xap/xchat-2.0.8-i486-2.tgz: Recompiled against perl-5.8.4. Thanks to Sorin Mitrica for the bug report. +--------------------------+ Wed May 12 23:49:40 PDT 2004 d/perl-5.8.4-i486-1.tgz: Upgraded to perl-5.8.4. Upgraded DBI module to DBI-1.42. d/python-2.3.3-i486-2.tgz: Recompiled to use libgdbm.so.3. gnome/gnomeicu-0.99.5-i486-2.tgz: Recompiled to use libgdbm.so.3. l/gdbm-1.8.3-i486-3.tgz: Removed compat library, which isn't used by anything (but sure does break stuff!). Just having that version of ndbm.h around causes more problems than you can shake a stick at. n/irssi-0.8.9-i486-3.tgz: Recompiled against perl-5.8.4. xap/gaim-0.77-i486-2.tgz: Recompiled against perl-5.8.4. xap/imagemagick-5.5.7_17-i486-2.tgz: Recompiled against perl-5.8.4. xap/xscreensaver-4.16-i486-1.tgz: Upgraded to xscreensaver-4.16. +--------------------------+ Wed May 12 15:56:45 PDT 2004 n/apache-1.3.31-i486-1.tgz: Note that apache-1.3.31 contains some security fixes. According to http://httpd.apache.org, we have: In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest. (CAN-2003-0987) Escape arbitrary data before writing into the errorlog. (CAN-2003-0020) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. 
(CAN-2004-0174) Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue is only known to affect big-endian 64-bit platforms (CAN-2003-0993) For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993 (* Security fix *) n/imapd-4.60-i486-1.tgz: Upgraded to IMAP4rev1 2004.350 from pine4.60. n/mod_ssl-2.8.17_1.3.31-i486-2.tgz: Recompiled to fix a symbol conflict with mod_auth_dbm. Thanks to Joshua Rubin for pointing out the problem. n/php-4.3.6-i486-2.tgz: Recompiled to use libgdbm.so.3. n/pine-4.60-i486-1.tgz: Upgraded to pine4.60. +--------------------------+ Wed May 12 00:47:13 PDT 2004 a/aaa_base-9.1.0-noarch-2.tgz: Added /sys directory. a/jfsutils-1.1.6-i486-1.tgz: Upgraded to jfsutils-1.1.6. a/sysvinit-2.84-i486-38.tgz: In rc.S, run sysctl to load any values present in /etc/sysctl.conf (thanks to Piter Punk). Mount sysfs on /sys if the directory exists, support for the filesystem exists in the kernel, and it is not mounted already. Umount and clean up after an initrd. In rc.6, create the /initrd directory if needed. ap/hpijs-1.6-i486-1.tgz: Upgraded to hpijs-1.6. d/binutils-2.15.90.0.3-i486-1.tgz: Upgraded to binutils-2.15.90.0.3. d/oprofile-0.8-i486-1.tgz: Upgraded to oprofile-0.8. f/linux-howtos-20040511-noarch-1.tgz: Upgraded to Linux-HOWTOs-20040511. gnome/libbonobo-2.6.0-i486-2.tgz: Fixed /usr/sbin perms (thanks Mark Post). gnome/libgtop-2.6.0-i486-2.tgz: Compressed info file (thanks Mark Post). gnome/libwnck-2.6.1-i486-2.tgz: Fixed /usr/doc/ files ownership. l/db1-1.85-i386-1.tgz: Removed. (off to /pasture) l/db2-2.4.14-i386-1.tgz: Removed. (off to /pasture) l/db3-3.3.11-i486-4.tgz: Recompiled. Remains the version used by default when compiling (for now) if the application links with a generic -ldb. 
l/db31-3.1.17-i486-1.tgz: This version, which is specifically required by certain programs, returns to -current. l/db4-4.2.52-i486-1.tgz: Added db-4.2.52. l/gdbm-1.8.3-i486-2.tgz: Recompiled to add compat library and {dbm,ndbm}.h. l/gmp-4.1.3-i486-2.tgz: Recompiled to add libgmpxx library (thanks Mark Post). n/apache-1.3.31-i486-1.tgz: Upgraded to apache-1.3.31. n/mod_ssl-2.8.17_1.3.31-i486-1.tgz: Upgraded to mod_ssl-2.8.17-1.3.31. n/samba-3.0.4-i486-1.tgz: Upgraded to samba-3.0.4. tcl/expect-5.41.0-i486-1.tgz: Upgraded to expect-5.41.0. tcl/tcl-8.4.6-i486-1.tgz: Upgraded to tcl-8.4.6. tcl/tk-8.4.6-i486-1.tgz: Upgraded to tk-8.4.6. xap/sane-1.0.14-i486-1.tgz: Upgraded to sane-backends-1.0.14. xap/xpdf-3.00-i486-1.tgz: Upgraded to xpdf-3.00. xap/xsane-0.93-i486-1.tgz: Upgraded to xsane-0.93. +--------------------------+ Mon May 10 18:57:20 PDT 2004 gnome/gnome-vfs-2.6.1.1-i486-2.tgz: Rebuilt to fix missing url-handlers files, which fixes the GNOME help system. Thanks to Rodney Cobb for the help! :-) l/gmp-4.1.3-i486-1.tgz: Upgraded to gmp-4.1.3. testing/source/linux-2.6.x/linux-2.6.6.tar.bz2: Added linux-2.6.6 source. +--------------------------+ Sat May 8 13:28:59 PDT 2004 gnome/gpdf-0.131-i486-1.tgz: Added gpdf-0.131. ;-) (anything else missing?) Thanks to Bradley Reed for pointing out the omission. +--------------------------+ Fri May 7 22:46:17 PDT 2004 a/devs-2.3.1-noarch-20.tgz: Fixed ALSA sound output for non-root users. ap/sgml-tools-1.0.9-i486-11.tgz: Added docbook-utils-0.6.14. Upgraded to GNOME 2.6! :-) gnome/acme-2.4.2-i486-1.tgz: Removed. gnome/gal2-2.1.4-i486-1.tgz: Removed. gnome/gnome-extra-themes-1.0.1-noarch-1.tgz: Removed (no need for theme bloat). gnome/linc-1.0.3-i486-1.tgz: Removed. gnome/abiword-2.0.6-i486-1.tgz: Upgraded to abiword-2.0.6. gnome/at-spi-1.4.0-i486-1.tgz: Upgraded to at-spi-1.4.0 and gnome-mag-0.11.1. gnome/bug-buddy-2.6.1-i486-1.tgz: Upgraded to bug-buddy-2.6.1. 
gnome/control-center-2.6.1-i486-1.tgz: Upgraded to control-center-2.6.1. gnome/eel-2.6.1-i486-1.tgz: Upgraded to eel-2.6.1. gnome/eog-2.6.1-i486-1.tgz: Upgraded to eog-2.6.1. gnome/epiphany-1.2.5-i486-1.tgz: Upgraded to epiphany-1.2.5. gnome/epiphany-extensions-0.8.2-i486-1.tgz: Added epiphany-extensions-0.8.2. gnome/file-roller-2.6.1-i486-1.tgz: Upgraded to file-roller-2.6.1. gnome/gail-1.6.3-i486-1.tgz: Upgraded to gail-1.6.3. gnome/galeon-1.3.14a-i486-1.tgz: Upgraded to galeon-1.3.14a. gnome/gcalctool-4.3.51-i486-1.tgz: Upgraded to gcalctool-4.3.51. gnome/gconf-2.6.1-i486-1.tgz: Upgraded to GConf-2.6.1. gnome/gconf-editor-2.6.1-i486-1.tgz: Upgraded to gconf-editor-2.6.1. gnome/gdm-2.6.0.2-i486-1.tgz: Upgraded to gdm-2.6.0.2. gnome/gedit-2.6.1-i486-1.tgz: Upgraded to gedit-2.6.1 and gtksourceview-1.0.1. gnome/gftp-2.0.17-i486-1.tgz: Upgraded to gftp-2.0.17. gnome/ggv-2.6.1-i486-1.tgz: Upgraded to ggv-2.6.1. gnome/ghex-2.6.0-i486-1.tgz: Upgraded to ghex-2.6.0. gnome/glade-2.6.0-i486-1.tgz: Upgraded to glade-2.6.0. gnome/gnome-applets-2.6.0-i486-1.tgz: Upgraded to gnome-applets-2.6.0. gnome/gnome-desktop-2.6.1-i486-1.tgz: Upgraded to gnome-desktop-2.6.1. gnome/gnome-games-2.6.1-i486-1.tgz: Upgraded to gnome-games-2.6.1. gnome/gnome-icon-theme-1.2.1-noarch-1.tgz: Upgraded to gnome-icon-theme-1.2.1. gnome/gnome-keyring-0.2.1-i486-1.tgz: Added gnome-keyring-0.2.1. gnome/gnome-media-2.6.1-i486-1.tgz: Upgraded to gnome-media-2.6.1. gnome/gnome-netstatus-2.6.1-i486-1.tgz: Added gnome-netstatus-2.6.1. gnome/gnome-panel-2.6.1-i486-1.tgz: Upgraded to gnome-panel-2.6.1. gnome/gnome-session-2.6.1-i486-1.tgz: Upgraded to gnome-session-2.6.1. gnome/gnome-speech-0.3.2-i486-1.tgz: Upgraded to gnome-speech-0.3.2. gnome/gnome-system-monitor-2.6.0-i486-1.tgz: Upgraded to gnome-system-monitor-2.6.0. gnome/gnome-terminal-2.6.1-i486-1.tgz: Upgraded to gnome-terminal-2.6.1. gnome/gnome-themes-2.6.1-i486-1.tgz: Upgraded to gnome-themes-2.6.1. 
gnome/gnome-themes-extras-0.7-i486-1.tgz: Added gnome-themes-extras-0.7. gnome/gnome-utils-2.6.2-i486-1.tgz: Upgraded to gnome-utils-2.6.2. gnome/gnome-vfs-2.6.1.1-i486-1.tgz: Upgraded to gnome-vfs-2.6.1.1. gnome/gnome2-user-docs-2.6.0.1-i486-1.tgz: Upgraded to gnome2-user-docs-2.6.0.1. gnome/gnomeicu-0.99.5-i486-1.tgz: Upgraded to gnomeicu-0.99.5. gnome/gnopernicus-0.9.1-i486-1.tgz: Upgraded to gnopernicus-0.9.1. gnome/gnumeric-1.2.12-i486-1.tgz: Upgraded to gnumeric-1.2.12. gnome/gok-0.10.2-i486-1.tgz: Added gok-0.10.2. gnome/gstreamer-0.8.1-i486-1.tgz: Upgraded to gstreamer-0.8.1. gnome/gst-plugins-0.8.1-i486-1.tgz: Upgraded to gst-plugins-0.8.1. gnome/gthumb-2.3.3-i486-1.tgz: Upgraded to gthumb-2.3.3. gnome/gtk-engines-2.2.0-i486-5.tgz: Recompiled. gnome/gucharmap-1.4.1-i486-1.tgz: Upgraded to gucharmap-1.4.1. gnome/hicolor-icon-theme-0.5-noarch-1.tgz: Added hicolor-icon-theme-0.5. gnome/intltool-0.30-noarch-1.tgz: Upgraded to intltool-0.30. gnome/libbonobo-2.6.0-i486-1.tgz: Upgraded to libbonobo-2.6.0. gnome/libbonoboui-2.6.0-i486-1.tgz: Upgraded to libbonoboui-2.6.0. gnome/libcroco-0.5.1-i486-1.tgz: Added libcroco-0.5.1. gnome/libgail-gnome-1.0.4-i486-1.tgz: Upgraded to libgail-gnome-1.0.4. gnome/libgnome-2.6.1.1-i486-1.tgz: Upgraded to libgnome-2.6.1.1. gnome/libgnomeprint-2.6.1-i486-1.tgz: Upgraded to libgnomeprint-2.6.1. gnome/libgnomeprintui-2.6.1-i486-1.tgz: Upgraded to libgnomeprintui-2.6.1. gnome/libgnomeui-2.6.1.1-i486-1.tgz: Upgraded to libgnomeui-2.6.1.1. gnome/libgnomecanvas-2.6.1.1-i486-1.tgz: Upgraded to libgnomecanvas-2.6.1.1. gnome/libgtkhtml-2.6.1-i486-1.tgz: Upgraded to libgtkhtml-2.6.1. gnome/libgtop-2.6.0-i486-1.tgz: Upgraded to libgtop-2.6.0. gnome/libidl-0.8.3-i486-1.tgz: Upgraded to libIDL-0.8.3. gnome/librsvg-2.6.5-i486-1.tgz: Upgraded to librsvg-2.6.5. gnome/libwnck-2.6.1-i486-1.tgz: Upgraded to libwnck-2.6.1. gnome/libxklavier-1.02-i486-1.tgz: Added libxklavier-1.02. gnome/metacity-2.8.1-i486-1.tgz: Added metacity-2.8.1. 
gnome/mpeg2dec-0.4.0b-i486-1.tgz: Upgraded to mpeg2dec-0.4.0b. gnome/nautilus-2.6.1-i486-1.tgz: Upgraded to nautilus-2.6.1. gnome/nautilus-cd-burner-2.6.1-i486-1.tgz: Upgraded to nautilus-cd-burner-2.6.1. gnome/nautilus-media-0.8.0-i486-1.tgz: Upgraded to nautilus-media-0.8.0. gnome/orbit2-2.10.2-i486-1.tgz: Upgraded to orbit2-2.10.2. gnome/shared-mime-info-0.14-i486-1.tgz: Added shared-mime-info-0.14. gnome/totem-0.99.11-i486-1.tgz: Added totem-0.99.11. gnome/vte-0.11.11-i486-1.tgz: Upgraded to vte-0.11.11. gnome/yelp-2.6.1-i486-1.tgz: Upgraded to yelp-2.6.1. Known bug (yelp? elsewhere?) on most GNOME apps: the 'Help -> Contents' menu choice does nothing. Anyone know why? kde/koffice-1.3.1-i486-2.tgz: Rebuilt to fix some missing input filters. Thanks to Mark Post and Andrey V. Panov for pointing out the problems. +--------------------------+ Wed May 5 18:01:27 PDT 2004 kde/koffice-1.3.1-i486-1.tgz: Upgraded to koffice-1.3.1. kde/qt-3.3.2-i486-1.tgz: Upgraded to qt-3.3.2 (from testing/). kdei/koffice-i18n-*-1.3.1-noarch-1.tgz: Upgraded to koffice-i18n-1.3.1. l/libgsf-1.9.0-i486-1.tgz: Upgraded to libgsf-1.9.0. +--------------------------+ Tue May 4 12:10:52 PDT 2004 a/bin-9.0.0-i486-2.tgz: Fixed buffer overflows and directory traversal vulnerabilities in the 'lha' archive utility. Sites using 'lha' should upgrade to the new bin package right away. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0234 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0235 (* Security fix *) +--------------------------+ Sun May 2 19:06:45 PDT 2004 a/sysklogd-1.4.1-i486-9.tgz: Patched a bug which could allow a user to cause syslogd to write to unallocated memory and crash. Thanks to Steve Grubb for finding the bug, and Solar Designer for refining the patch. (* Security fix *) ap/sgml-tools-1.0.9-i486-10.tgz: Added gtk-doc-1.2. d/distcc-2.14-i486-1.tgz: Upgraded to distcc-2.14. 
d/j2sdk-1_4_2_04-i586-3.tgz: Fixed permissions that the Java installer didn't set properly. (Thanks to mRgOBLIN) l/atk-1.6.1-i486-1.tgz: Upgraded to atk-1.6.1. l/audiofile-0.2.6-i486-1.tgz: Upgraded to audiofile-0.2.6. l/gdbm-1.8.3-i486-1.tgz: Upgraded to gdbm-1.8.3. This changes the major number of the shared library, so we'll be recompiling things to use the new library (and you may need to, as well). l/glib2-2.4.1-i486-1.tgz: Upgraded to glib-2.4.1. l/gtk+2-2.4.1-i486-1.tgz: Upgraded to gtk+-2.4.1. l/libpng-1.2.5-i486-2.tgz: Patched a problem where libpng may access memory that is out of bounds when creating an error message, possibly crashing libpng and creating a denial of service. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421 (* Security fix *) l/libxml2-2.6.9-i486-1.tgz: Upgraded to libxml2-2.6.9. l/libxslt-1.1.6-i486-1.tgz: Upgraded to libxslt-1.1.6. n/links-2.1pre15-i486-1.tgz: Upgraded to links-2.1pre15. n/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, allowing remote attackers to write files outside of the module's path. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 (* Security fix *) n/samba-3.0.3-i486-1.tgz: Upgraded to samba-3.0.3. Note that some other distributions are issuing security advisories that have to do with smbmount, and with an insecure use of /tmp in smbprint. Slackware is not vulnerable to either of these issues by default, since neither smbmnt nor smbmount are installed setuid root, and because smbprint is not installed in the $PATH as a standard utility (though it is present in the documentation area as an example file). If you've installed smbprint on your own (or if you were crazy enough to make smbmount or smbmnt setuid root), you should be aware of these problems which are fixed in samba-3.0.3. 
Apparently it's now "safe" to make smbmnt setuid root, but I still don't recommend it. xap/gkrellm-2.2.0test1-i486-1.tgz: Added gkrellm-2.2.0-test1. xap/xine-lib-1rc4-i686-1.tgz: Upgraded to xine-lib-1-rc4. This fixes an exploit possible when playing Real RTSP streams. For more details, see: http://www.xinehq.de/index.php/security/XSA-2004-3 (* Security fix *) +--------------------------+ Wed Apr 28 19:36:48 PDT 2004 n/php-4.3.6-i486-1.tgz: Upgraded to php-4.3.6. x/xfree86-4.4.0-i486-3.tgz: Upgraded Xrender to 0.8.4 and Xcursor to 1.1.2, which should fix some mouse incompatibilities between XFree86 and X.Org (such as the KDE mouse setup menu). x/xfree86-devel-4.4.0-i486-3.tgz: Upgraded Xrender and Xcursor. x/xfree86-xnest-4.4.0-i486-3.tgz: Recompiled. x/xfree86-xprt-4.4.0-i486-3.tgz: Recompiled. x/xfree86-xvfb-4.4.0-i486-3.tgz: Recompiled. testing/packages/qt-3.3.2/qt-3.3.2-i486-1.tgz: Added qt-x11-free-3.3.2. testing/packages/x11/x11-6.7.0-i486-2.tgz: Removed extra fontconfig manpages. (Thanks to Mark Post) testing/packages/x11/x11-devel-6.7.0-i486-2.tgz: Recompiled. +--------------------------+ Tue Apr 27 22:19:52 PDT 2004 a/syslinux-2.09-i486-1.tgz: Upgraded to syslinux-2.09. ap/dvd+rw-tools-5.19_1.4.9.7-i486-1.tgz: Upgraded to dvd+rw-tools-5.19-1.4.9.7. d/automake-1.8.4-noarch-1.tgz: Upgraded to automake-1.8.4. kde/kdebase-3.2.2-i486-2.tgz: Fixed missing KDM config files. l/libtiff-3.6.1-i486-1.tgz: Upgraded to tiff-v3.6.1. n/lftp-3.0.3-i486-1.tgz: Upgraded to lftp-3.0.3. xap/sane-1.0.13-i486-2.tgz: Upgraded to sane-frontends-1.0.12. xap/xsane-0.92-i486-2.tgz: Patched and recompiled for GIMP 2.0.x. Thanks to Sebastian Stein for pointing me to the patch. 
Also note that the recent 2.4.26 kernel upgrades fix some security issues: an overflow in ip_setsockopt() [CAN-2004-0424]; a flaw in do_fork() that could lead to a DoS; an (unexploitable) overflow in panic() [CAN-2004-0394]. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424 (* Security fix *) +--------------------------+ Sun Apr 25 00:14:04 PDT 2004 ap/joe-3.0-i486-1.tgz: Upgraded to joe-3.0. xap/gaim-0.77-i486-1.tgz: Upgraded to gaim-0.77. extra/slacktrack/slacktrack-1.19-i486-1.tgz: Upgraded to slacktrack-1.19_1. +--------------------------+ Fri Apr 23 15:12:16 PDT 2004 d/doxygen-1.3.6-i486-2.tgz: Patched to work with Qt styles that are compiled as plugins. Thanks to Pierre Doritch for pointing out the breakage. n/openssh-3.8.1p1-i486-1.tgz: Upgraded to openssh-3.8.1p1. extra/slackpkg/slackpkg-1.2-noarch-14.tgz: Upgraded to slackpkg-1.2-noarch-14. +--------------------------+ Thu Apr 22 21:05:30 PDT 2004 a/cxxlibs-6.0.0-i486-1.tgz: Added libstdc++.so.6.0.0 from gcc-3.4.0. kde/kdeaccessibility-3.2.2-i486-1.tgz: Upgraded to kdeaccessibility-3.2.2. kde/kdeaddons-3.2.2-i486-1.tgz: Upgraded to kdeaddons-3.2.2. kde/kdeadmin-3.2.2-i486-1.tgz: Upgraded to kdeadmin-3.2.2. kde/kdeartwork-3.2.2-i486-1.tgz: Upgraded to kdeartwork-3.2.2. kde/kdebase-3.2.2-i486-1.tgz: Upgraded to kdebase-3.2.2. kde/kdebindings-3.2.2-i486-1.tgz: Upgraded to kdebindings-3.2.2. kde/kdeedu-3.2.2-i486-1.tgz: Upgraded to kdeedu-3.2.2. kde/kdegames-3.2.2-i486-1.tgz: Upgraded to kdegames-3.2.2. kde/kdegraphics-3.2.2-i486-1.tgz: Upgraded to kdegraphics-3.2.2. kde/kdelibs-3.2.2-i486-1.tgz: Upgraded to kdelibs-3.2.2. kde/kdelinks-1.2-noarch-1.tgz: Updated. kde/kdemultimedia-3.2.2-i486-1.tgz: Upgraded to kdemultimedia-3.2.2. kde/kdenetwork-3.2.2-i486-1.tgz: Upgraded to kdenetwork-3.2.2. kde/kdepim-3.2.2-i486-1.tgz: Upgraded to kdepim-3.2.2. kde/kdesdk-3.2.2-i486-1.tgz: Upgraded to kdesdk-3.2.2. 
kde/kdetoys-3.2.2-i486-1.tgz: Upgraded to kdetoys-3.2.2. kde/kdeutils-3.2.2-i486-1.tgz: Upgraded to kdeutils-3.2.2. kde/kdevelop-3.0.3-i486-1.tgz: Upgraded to kdevelop-3.0.3. kde/quanta-3.2.2-i486-1.tgz: Upgraded to quanta-3.2.2. kdei/kde-i18n-*-3.2.2.tgz: Upgraded to kde-i18n-3.2.2 packages. l/arts-1.2.2-i486-1.tgz: Upgraded to arts-1.2.2. l/libcaca-0.9-i486-2.tgz: Fixed manpage symlinks. (Thanks to Adrien Beau) extra/xcdroast/xcdroast-0.98alpha15-i486-1.tgz: Upgraded to xcdroast-0.98alpha15. testing/packages/gcc-3.4.0/*.tgz: Added gcc-3.4.0. +--------------------------+ Tue Apr 20 17:40:12 PDT 2004 l/libcaca-0.9-i486-1.tgz: Added libcaca-0.9 (Colour AsCii Art library). xap/xine-lib-1rc3c-i686-2.tgz: Recompiled to add libcaca support. xine-lib-1-rc3c apparently fixes a security problem where opening a malicious MRL could write to system (or other) files. For detailed information, see: http://www.xinehq.de/index.php/security/XSA-2004-1 Thanks to Dario Nicodemi for the heads-up on this advisory. (* Security fix *) xap/xine-ui-0.99.1-i686-1.tgz: Upgraded to xine-ui-0.99.1, which fixes a similar MRL security issue. For details, see: http://www.xinehq.de/index.php/security/XSA-2004-2 Thanks again to Dario Nicodemi. (* Security fix *) bootdisks/*: Rebuilt with 2.4.26 kernels. +--------------------------+ Mon Apr 19 13:48:09 PDT 2004 l/utempter-1.1.1-i486-1.tgz: Upgraded to libutempter-1.1.1 (this is a new version written by Dmitry V. Levin of ALT Linux). This upgrade fixes a low-level security issue in utempter-0.5.2 where utempter could possibly be tricked into writing through a symlink, and is a cleaner implementation all-around. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233 (* Security fix *) +--------------------------+ Sat Apr 17 15:30:15 PDT 2004 a/kernel-ide-2.4.26-i486-1.tgz: Upgraded to Linux 2.4.26. a/kernel-modules-2.4.26-i486-1.tgz: Upgraded to Linux 2.4.26. a/sed-4.0.9-i486-2.tgz: Fixed two missing sed info files. 
Thanks much to Max for pointing out the problem. d/cvs-1.11.15-i486-1.tgz: Upgraded to cvs-1.11.15. Fixes two security problems (server creating arbitrary files on a client machine, and client viewing files outside of the CVS repository). For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405 (* Security fix *) d/kernel-headers-2.4.26-i386-1.tgz: Upgraded to Linux 2.4.26 headers. k/kernel-source-2.4.26-noarch-1.tgz: Upgraded to Linux 2.4.26. l/alsa-driver-1.0.4-i486-2.tgz: Recompiled for Linux 2.4.26. xap/gimp-2.0.1-i486-1.tgz: Upgraded to gimp-2.0.1. xap/xfce-4.0.5-i486-1.tgz: Upgraded to xfce-4.0.5. xap/xlockmore-5.11.1-i486-2.tgz: Removed KDE menu entries. The "clock" entry was causing a conflict with KDE such that the "Date & Time" settings on the taskbar wouldn't work, and this got me to thinking that these just aren't all that necessary. XLock can be a reward of the command line. :-) Thanks to Mike Rubin for the bug report. isolinux/initrd.img, rootdisks/install.*: Upgraded USB keyboard modules to Linux 2.4.26. kernels/*: Upgraded to Linux 2.4.26. rootdisks/network.dsk, pcmcia.dsk: Upgraded to Linux 2.4.26 modules. +--------------------------+ Tue Apr 13 20:13:15 PDT 2004 x/xfree86-4.4.0-i486-2.tgz: Upgraded to fontconfig-2.2.2, freetype-2.1.7, and Xft-2.1.5. x/xfree86-devel-4.4.0-i486-2.tgz: Upgraded to fontconfig-2.2.2, freetype-2.1.7, and Xft-2.1.5. x/xfree86-docs-4.4.0-noarch-2.tgz: Upgraded freetype2 docs to version 2.1.7. testing/packages/x11/*: Added X11R6.7.0 from X.Org. Got an opinion on what the future of X in Slackware should be? I'm curious about that myself, and welcome comments on the matter at x@slackware.com. +--------------------------+ Mon Apr 12 20:31:23 PDT 2004 a/pcmcia-cs-3.2.7-i486-2.tgz: Fixed missing '#' in config.opts.new. (Thanks to Lech Szychowski) d/bin86-0.16.15-i486-1.tgz: Upgraded to bin86-0.16.15. 
n/tin-1.6.2-i486-2.tgz: Fixed rtin.1.gz symlink. (Thanks to Mark Post) xap/x3270-3.3.2p1-i486-1.tgz: Upgraded to x3270-3.3.2p1. xap/xchat-2.0.8-i486-1.tgz: Upgraded to xchat-2.0.8. +--------------------------+ Sun Apr 11 21:49:24 PDT 2004 a/e2fsprogs-1.35-i486-1.tgz: Upgraded to e2fsprogs-1.35. a/hdparm-5.5-i486-1.tgz: Upgraded to hdparm-5.5. a/pcmcia-cs-3.2.7-i486-1.tgz: Upgraded to pcmcia-cs-3.2.7. a/smartmontools-5.30-i486-1.tgz: Upgraded to smartmontools-5.30. ap/dvd+rw-tools-5.19.4.9.7-i486-1.tgz: Upgraded to dvd+rw-tools-5.19.4.9.7. ap/texinfo-4.7-i486-1.tgz: Upgraded to texinfo-4.7. d/gdb-6.1-i486-1.tgz: Upgraded to gdb-6.1. d/libtool-1.5.6-i486-1.tgz: Upgraded to libtool-1.5.6. Set CC=gcc and LTCC=gcc when building to fix problems with xfsprogs. Thanks to Kostadin Karaivanov for the fix. l/audiofile-0.2.5-i486-1.tgz: Upgraded to audiofile-0.2.5. l/esound-0.2.34-i486-1.tgz: Upgraded to esound-0.2.34. l/libglade-2.3.6-i486-1.tgz: Upgraded to libglade-2.3.6. l/libxml2-2.6.8-i486-1.tgz: Upgraded to libxml2-2.6.8. l/libxslt-1.1.5-i486-1.tgz: Upgraded to libxslt-1.1.5. l/netpbm-10.18.12-i486-1.tgz: Added netpbm-10.18.12 (this replaces libgr). l/startup-notification-0.6-i486-1.tgz: Upgraded to startup-notification-0.6. n/sendmail-8.12.11-i486-2.tgz: Recompiled with milter support, and added libmilter (and header files) to the package. Thanks to Andrey V. Panov, Alan Fitton, and Joao Carvalho for build script help. n/sendmail-cf-8.12.11-noarch-2.tgz: Rebuilt. xap/imagemagick-5.5.7_17-i486-1.tgz: Upgraded to ImageMagick-5.5.7-17. xap/xine-lib-1rc3c-i686-1.tgz: Upgraded to xine-lib-1-rc3c. extra/parted/parted-1.6.9-i486-1.tgz: Upgraded to parted-1.6.9. +--------------------------+ Wed Apr 7 00:49:02 PDT 2004 a/xfsprogs-2.6.10-i486-1.tgz: Upgraded to xfsprogs-2.6.10. ap/mysql-4.0.18-i486-1.tgz: Upgraded to mysql-4.0.18. l/taglib-1.1-i486-1.tgz: Upgraded to taglib-1.1. n/lftp-3.0.1-i486-1.tgz: Upgraded to lftp-3.0.1. 
pasture/libtool-1.4.3/libtool-1.4.3-i486-2.tgz: There's plenty of source out there that's not yet updated to build with libtool-1.5.x (I just ran into this myself with xfsprogs), so it's probably a good idea to keep this version available in /pasture for now. +--------------------------+ Sun Apr 4 20:50:01 PDT 2004 ap/alsa-utils-1.0.4-i486-1.tgz: Upgraded to alsa-utils-1.0.4. ap/dvd+rw-tools-5.18.4.8.6-i486-1.tgz: Upgraded to dvd+rw-tools-5.18.4.8.6. ap/lvm-1.0.8-i486-1.tgz: Upgraded to lvm-1.0.8. d/libtool-1.5.4-i486-1.tgz: Upgraded to libtool-1.5.4. l/alsa-driver-1.0.4-i486-1.tgz: Upgraded to alsa-driver-1.0.4. l/alsa-lib-1.0.4-i486-1.tgz: Upgraded to alsa-lib-1.0.4. l/alsa-oss-1.0.4-i486-1.tgz: Upgraded to alsa-oss-1.0.4. n/dnsmasq-2.6-i486-1.tgz: Added dnsmasq-2.6. n/lftp-3.0.0-i486-1.tgz: Upgraded to lftp-3.0.0. xap/fvwm-2.4.18-i486-1.tgz: Upgraded to fvwm-2.4.18. testing/source/linux-2.6.x/linux-2.6.5.tar.bz2: Added linux-2.6.5 source. +--------------------------+ Sat Apr 3 11:09:50 PST 2004 n/tcpdump-3.8.3-i486-2.tgz: Change group ownership in /usr/sbin to "bin". xap/gaim-0.76-i486-1.tgz: Upgraded to gaim-0.76. :-) +--------------------------+ Wed Mar 31 19:44:58 PST 2004 a/jfsutils-1.1.5-i486-1.tgz: Upgraded to jfsutils-1.1.5. l/libieee1284-0.2.8-i486-1.tgz: Upgraded to libieee1284-0.2.8. l/libungif-4.1.2-i486-1.tgz: Upgraded to libungif-4.1.2. n/tcpdump-3.8.3-i486-1.tgz: Upgraded to tcpdump-3.8.3 and libpcap-0.8.3. This fixes a couple minor bugs that shouldn't affect 32-bit ix86 Slackware, but we might as well have the latest in -current. According to www.tcpdump.org: TCPDUMP version 3.8.3 has been released as of March 30, 2004. 3.8.3 is identical to 3.8.2, but the version number has been incremented to match libpcap. LIBPCAP version 0.8.3 has been released as of March 30, 2004. 0.8.3 fixes a minor problem with gencode.c on 64-bit architectures. It also carries the correct version numbers. 
extra/bash-completion/bash-completion-20040331-noarch-1.tgz: Upgraded to bash-completion-20040331. extra/parted/parted-1.6.8-i486-1.tgz: Upgraded to parted-1.6.8. +--------------------------+ Tue Mar 30 22:04:09 PST 2004 a/reiserfsprogs-3.6.14-i486-1.tgz: Upgraded to reiserfsprogs-3.6.14. a/xfsprogs-2.6.9-i486-1.tgz: Upgraded to acl-2.2.23, attr-2.4.15, dmapi-2.1.0, xfsdump-2.2.19, and xfsprogs-2.6.9. ap/madplay-0.15.2b-i486-1.tgz: Upgraded to madplay-0.15.2b. d/cvs-1.11.14-i486-1.tgz: Upgraded to cvs-1.11.14. d/strace-4.5.2-i486-1.tgz: Upgraded to strace-4.5.2. gnome/gnumeric-1.2.8-i486-1.tgz: Upgraded to gnumeric-1.2.8. kde/kdelibs-3.2.1-i486-2.tgz: Patched to fix broken nsplugins. Thanks to Chris Rainey for the bug report and link to a patch. kde/kdenetwork-3.2.1-i486-2.tgz: Recompiled to add additional wireless support. l/alsa-lib-1.0.3b-i486-1.tgz: Upgraded to alsa-lib-1.0.3b. l/alsa-oss-1.0.3a-i486-1.tgz: Upgraded to alsa-oss-1.0.3a. l/libid3tag-0.15.1b-i486-1.tgz: Upgraded to libid3tag-0.15.1b. l/libmad-0.15.1b-i486-1.tgz: Upgraded to libmad-0.15.1b. l/sdl-1.2.7-i486-1.tgz: Upgraded to SDL-1.2.7, and added SDL_image-1.2.3 and SDL_mixer-1.2.5 to the package. n/curl-7.11.1-i486-1.tgz: Upgraded to curl-7.11.1. n/getmail-3.2.2-noarch-1.tgz: Upgraded to getmail-3.2.2. n/gnupg-1.2.4-i486-1.tgz: Upgraded to gnupg-1.2.4. n/links-2.1pre14-i486-1.tgz: Upgraded to links-2.1pre14. n/netatalk-1.6.4-i486-1.tgz: Upgraded to netatalk-1.6.4. n/ntp-4.2.0-i486-1.tgz: Upgraded to ntp-4.2.0. n/stunnel-4.05-i486-1.tgz: Upgraded to stunnel-4.05. n/tcpdump-3.8.2-i486-1.tgz: Upgraded to tcpdump-3.8.2 and libpcap-0.8.2. Fixes denial-of-service security issues. For more details, see: http://www.rapid7.com/advisories/R7-0017.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0184 (* Security fix *) n/wireless-tools-26-i486-2.tgz: Added libiw.a and iwlib.h. 
(Thanks to Tomas Matejicek for pointing out that kdenetwork can use these to provide better wireless support). x/xfree86-fonts-scale-4.4.0-noarch-2.tgz: Fixed missing VeraIt.ttf. (Thanks to Stepan Roh for the bug report). extra/checkinstall/checkinstall-1.5.3-i486-2.tgz: Recompiled. extra/fluxbox-0.9.8/fluxbox-0.9.8-i486-1.tgz: Upgraded to fluxbox-0.9.8 (beta). +--------------------------+ Fri Mar 26 21:32:31 PST 2004 d/j2sdk-1_4_2_04-i586-2.tgz: Well, I hate to reroll the largest package for such a minor error, but the slack-desc still had the old version number in it... n/php-4.3.5-i486-1.tgz: Upgraded to php-4.3.5. +--------------------------+ Thu Mar 25 19:32:25 PST 2004 d/clisp-2.33-i486-1.tgz: Upgraded to clisp-2.33. d/distcc-2.13-i486-1.tgz: Upgraded to distcc-2.13. d/j2sdk-1_4_2_04-i586-1.tgz: Upgraded to j2sdk-1_4_2_04. kde/qt-3.3.1-i486-2.tgz: Fixed a missing '\' in the build script that prevented some plugins from building. (Thanks to Mark Post for noticing this bug) extra/slacktrack/slacktrack-1.18-i486-1.tgz: Upgraded to slacktrack-1.18_1. extra/slackpkg/slackpkg-1.1-noarch-6.tgz: Upgraded to slackpkg-1.1-noarch-6. +--------------------------+ Tue Mar 23 18:18:41 PST 2004 xap/gimp-2.0.0-i486-1.tgz: Upgraded to gimp-2.0.0. +--------------------------+ Tue Mar 23 13:07:20 PST 2004 a/aaa_elflibs-9.1.2-i486-2.tgz: Added /usr/lib/libusb-0.1.so.4.4.0. a/pciutils-2.1.11-i486-5.tgz: Recompiled, updated pci.ids. a/usbutils-0.11-i486-2.tgz: Added updates from CVS, new usb.ids, removed bogus libusb and linked against libusb-0.1.8. ap/alsa-utils-1.0.3-i486-1.tgz: Upgraded to alsa-utils-1.0.3. ap/hpijs-1.5-i486-2.tgz: Fixed docs location (thanks to Mark Post). ap/lsof-4.71-i486-1.tgz: Upgraded to lsof-4.71. ap/sgml-tools-1.0.9-i486-9.tgz: Added SGMLS-1.03ii. Moved EntityMap.pm under /usr/lib/perl5/site_perl/Text/. ap/vim-6.2.393-i486-1.tgz: Upgraded to vim-6.2.393. ap/zsh-4.2.0-i486-1.tgz: Upgraded to zsh-4.2.0. 
d/automake-1.8.3-noarch-1.tgz: Upgraded to automake-1.8.3. d/binutils-2.15.90.0.1.1-i486-1.tgz: Upgraded to binutils-2.15.90.0.1.1. d/oprofile-0.7.1-i486-2.tgz: Recompiled against libbfd-2.15.90.0.1.1.so from binutils-2.15.90.0.1.1. gnome/gdm-2.4.4.7-i486-2.tgz: Recompiled against gtk+-2.4.0. gnome/gnome-themes-2.4.1-i486-2.tgz: Recompiled against gtk+-2.4.0. gnome/gtk-engines-2.2.0-i486-4.tgz: Recompiled against gtk+-2.4.0. gnome/gucharmap-1.2.0-i486-2.tgz: Recompiled against gtk+-2.4.0. gnome/librsvg-2.4.0-i486-2.tgz: Recompiled against librsvg-2.4.0. kde/kdeaccessibility-3.2.1-i486-1.tgz: Upgraded to kdeaccessibility-3.2.1. kde/kdeaddons-3.2.1-i486-1.tgz: Upgraded to kdeaddons-3.2.1. kde/kdeadmin-3.2.1-i486-1.tgz: Upgraded to kdeadmin-3.2.1. kde/kdeartwork-3.2.1-i486-1.tgz: Upgraded to kdeartwork-3.2.1. kde/kdebase-3.2.1-i486-1.tgz: Upgraded to kdebase-3.2.1. kde/kdebindings-3.2.1-i486-1.tgz: Upgraded to kdebindings-3.2.1. kde/kdeedu-3.2.1-i486-1.tgz: Upgraded to kdeedu-3.2.1. kde/kdegames-3.2.1-i486-1.tgz: Upgraded to kdegames-3.2.1. kde/kdegraphics-3.2.1-i486-1.tgz: Upgraded to kdegraphics-3.2.1. kde/kdelibs-3.2.1-i486-1.tgz: Upgraded to kdelibs-3.2.1. kde/kdemultimedia-3.2.1-i486-1.tgz: Upgraded to kdemultimedia-3.2.1. kde/kdenetwork-3.2.1-i486-1.tgz: Upgraded to kdenetwork-3.2.1. kde/kdepim-3.2.1-i486-1.tgz: Upgraded to kdepim-3.2.1. kde/kdesdk-3.2.1-i486-1.tgz: Upgraded to kdesdk-3.2.1. kde/kdetoys-3.2.1-i486-1.tgz: Upgraded to kdetoys-3.2.1. kde/kdeutils-3.2.1-i486-1.tgz: Upgraded to kdeutils-3.2.1. kde/kdevelop-3.0.2-i486-1.tgz: Upgraded to kdevelop-3.0.2. kde/koffice-1.3-i486-3.tgz: Recompiled. kde/qt-3.3.1-i486-1.tgz: Upgraded to qt-3.3.1. kde/quanta-3.2.1-i486-1.tgz: Upgraded to quanta-3.2.1. kdei/kde-i18n-*-3.2.1.tgz: Upgraded to kde-i18n-3.2.1 packages. l/arts-1.2.1-i486-1.tgz: Upgraded to arts-1.2.1. l/alsa-driver-1.0.3-i486-1.tgz: Upgraded to alsa-driver-1.0.3. l/alsa-lib-1.0.3-i486-1.tgz: Upgraded to alsa-lib-1.0.3. 
l/alsa-oss-1.0.3-i486-1.tgz: Upgraded to alsa-oss-1.0.3. l/expat-1.95.7-i486-1.tgz: Upgraded to expat-1.95.7. l/gtk+2-2.4.0-i486-2.tgz: Recompiled with --with-xinput=yes. l/libusb-0.1.8-i486-1.tgz: Upgraded to libusb-0.1.8. l/libwmf-0.2.8.2-i486-2.tgz: Recompiled against gtk+-2.4.0. l/libwmf-docs-0.2.8.2-noarch-2.tgz: Rebuilt. n/nail-10.7-i486-1.tgz: Upgraded to nail-10.7. Restored /bin/mail and /bin/Mail symlinks. x/xfree86-4.4.0-i486-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-devel-4.4.0-i486-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-docs-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-docs-html-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-fonts-100dpi-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-fonts-cyrillic-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-fonts-misc-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-fonts-scale-4.4.0-noarch-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-xnest-4.4.0-i486-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-xprt-4.4.0-i486-1.tgz: Upgraded to XFree86 4.4.0. x/xfree86-xvfb-4.4.0-i486-1.tgz: Upgraded to XFree86 4.4.0. xap/gimp-2.0rc1-i486-1.tgz: Upgraded to gimp-2.0rc1. xap/xfce-4.0.4-i486-1.tgz: Upgraded to xfce-4.0.4. xap/xine-lib-1rc3b-i686-1.tgz: Upgraded to xine-lib-1-rc3b. xap/xvim-6.2.393-i486-1.tgz: Upgraded to vim-6.2.393. Removed bad symlinks (thanks to Mark Post). extra/bittorrent/bittorrent-3.4.1a-noarch-1.tgz: Upgraded to bittorrent-3.4.1a. (Thanks to Erik Jan Tromp for the "install --root=$PKG" hint! :-) +--------------------------+ Wed Mar 17 14:23:52 PST 2004 Happy St. Patrick's Day! :-) a/coreutils-5.2.1-i486-1.tgz: Upgraded to coreutils-5.2.1. a/openssl-solibs-0.9.7d-i486-1.tgz: Upgraded to openssl-0.9.7d. (* Security fix *) l/atk-1.6.0-i486-1.tgz: Upgraded to atk-1.6.0. l/glib2-2.4.0-i486-1.tgz: Upgraded to glib-2.4.0. l/gtk+2-2.4.0-i486-1.tgz: Upgraded to gtk+-2.4.0. l/pango-1.4.0-i486-1.tgz: Upgraded to pango-1.4.0. 
n/openssl-0.9.7d-i486-1.tgz: Upgraded to openssl-0.9.7d. This fixes two potential denial-of-service issues in earlier versions of OpenSSL. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 (* Security fix *) xap/gimp-2.0pre4-i486-1.tgz: Upgraded to gimp-2.0pre4. testing/source/linux-2.6.x/linux-2.6.4.tar.bz2: Added linux-2.6.4 source. +--------------------------+ Tue Mar 2 16:47:17 PST 2004 l/esound-0.2.33-i486-1.tgz: Upgraded to esound-0.2.33. +--------------------------+ Tue Mar 2 10:42:08 PST 2004 a/kernel-ide-2.4.25-i486-2.tgz: Recompiled to enable QoS/CLS modules. a/kernel-modules-2.4.25-i486-2.tgz: Added several modules. a/module-init-tools-3.0-i486-1.tgz: Upgraded to module-init-tools-3.0. ap/hpijs-1.5-i486-1.tgz: Upgraded to hpijs-1.5. d/kernel-headers-2.4.25-i386-2.tgz: Regenerated to reflect QoS/CLS changes. k/kernel-source-2.4.25-noarch-2.tgz: Added QoS/CLS network features to the default .config. n/iptables-1.2.9-i486-1.tgz: Upgraded to iptables-1.2.9. bootdisks/*: Regenerated from new kernels. isolinux/initrd.img, rootdisks/install.*: Fixed loading of compiled keyboard maps. Thanks to Olivier Jannot for the bug report. kernels/: Recompiled to enable QoS/CLS modules. +--------------------------+ Fri Feb 27 15:45:48 PST 2004 xap/xscreensaver-4.15-i486-1.tgz: Upgraded to xscreensaver-4.15. +--------------------------+ Thu Feb 26 13:39:48 PST 2004 n/ppp-2.4.2-i486-2.tgz: Fixed infinite loop on adsl-stop with a patch from Paul Mackerras. Thanks to stefano and Markus for the bug report. +--------------------------+ Wed Feb 25 21:33:14 PST 2004 a/acpid-1.0.3-i486-1.tgz: Upgraded to acpid-1.0.3. a/bin-9.0.0-i486-1.tgz: Upgraded to debianutils_2.7, dosfstools-2.10, eject-2.0.13, file-4.07, and which-2.16. Patched rpm2tgz to stop outputting a blank line after each package is converted. Patched zoo to compile with gcc-3.3.3. Rewrote bin.SlackBuild to be less x86 centric. 
a/kbd-1.12-i486-1.tgz: Upgraded to kbd-1.12. ap/man-1.5m2-i486-1.tgz: Upgraded to man-1.5m2. isolinux/initrd.img, rootdisks/install.*: Upgraded keyboard maps. +--------------------------+ Tue Feb 24 23:31:25 PST 2004 n/mutt-1.4.2.1i-i486-1.tgz: Upgraded to mutt-1.4.2.1i. (Thanks to Chip Cuccio for the heads-up on this one) n/openssh-3.8p1-i486-1.tgz: Upgraded to openssh-3.8p1. n/tin-1.6.2-i486-1.tgz: Upgraded to tin-1.6.2. xap/xmms-1.2.10-i486-1.tgz: Upgraded to xmms-1.2.10. Removed broken xmmsarts plugin. +--------------------------+ Mon Feb 23 16:36:41 PST 2004 a/coreutils-5.2.0-i486-2.tgz: Fixed [, which the build script had improperly linked to test (that's how it worked with previous fileutils/coreutils). Thanks to Angelo Brigante, Jr. for the bug report. n/mutt-1.4.2i-i486-2.tgz: Recompiled to pick up support for libncursesw. This was on the todo list, but thanks to Tomas Szepe for the reminder. :-) +--------------------------+ Sun Feb 22 23:44:31 PST 2004 a/aaa_elflibs-9.1.2-i486-1.tgz: Updated ncurses shared libraries. a/bzip2-1.0.2-i486-5.tgz: Added bzless symlink (pointed out by Faux_Pseudo). Fixed library soname (should still be compatible). a/cxxlibs-5.1.1-i486-1.tgz: Upgraded to libstdc++.so.5.0.5. a/elvis-2.2_0-i486-2.tgz: Fixed elvis.clr and bad --docdir path. (Thanks to Angelo Brigante, Jr. for the bug report and fixes) a/coreutils-5.2.0-i486-1.tgz: Upgraded to coreutils-5.2.0. This includes various updates to /etc/DIR_COLORS (thanks to Patrik Rådman and Alak Trakru for the suggestions) a/etc-5.1-noarch-7.tgz: Save incoming /etc/profile.d/lang.{csh|sh}.new even if the machine already has these scripts, as they contain some useful examples and info now. (reported by Giovanni Quadriglio and Gerardo Exequiel Pozzi) a/glibc-solibs-2.3.2-i486-5.tgz: Rebuilt using linux-2.4.25 kernel headers. a/glibc-zoneinfo-2.3.2-noarch-5.tgz: Rebuilt. a/hotplug-2004_01_05-noarch-1.tgz: Upgraded to hotplug-2004_01_05.
Added a patch to fix hotplugging in 2.6 from Daniel de Kok. a/kernel-ide-2.4.25-i486-1.tgz: Upgraded to linux-2.4.25. a/kernel-modules-2.4.25-i486-1.tgz: Upgraded to linux-2.4.25. a/pkgtools-9.1.3-i486-1.tgz: In setup.services, allow rc.syslog to be turned on or off (hey, if you want no system logger that's your call :-). There are a few other things that aren't listed here (such as rc.yp, rc.sysvinit, and rc.nfsd), but since these require other scripts or config files that aren't present after an installation, defaulting them to on and leaving them out of the menu seems better. If you set them up and then want to temporarily disable them at boot, use chmod. Also, rc.mysql *is* listed here, but there's no default database so until that's created it still will not start. That's an exception to the previous rule, as rc.mysqld defaults to off, and turning it on does get you one step closer to a working database. :-) a/sysvinit-2.84-i486-37.tgz: Support rc.sysvinit in rc.S (thanks to Jan Rafaj). Start syslogd/klogd earlier in rc.M, if possible (thanks to Tomas Matejicek). Support LVM2, fix genpowerd examples (thanks to Filip Rembiałkowski). ap/cdrdao-1.1.8-i486-1.tgz: Upgraded to cdrdao-1.1.8. d/cscope-15.5-i486-2.tgz: Fixed permissions on documentation files. (thanks to Szymczak Artur) d/kernel-headers-2.4.25-i386-1.tgz: Upgraded to linux-2.4.25. gnome/galeon-1.3.13a-i486-1.tgz: Upgraded to galeon-1.3.13a. k/kernel-source-2.4.25-noarch-1.tgz: Upgraded to linux-2.4.25. kde/kdegraphics-3.2.0-i486-2.tgz: Added ksvg (this needed lcms). kde/kdemultimedia-3.2.0-i486-2.tgz: Added juk (this needed taglib). l/alsa-driver-1.0.2c-i486-2.tgz: Recompiled for 2.4.25. l/glibc-2.3.2-i486-5.tgz: Rebuilt. l/glibc-i18n-2.3.2-noarch-5.tgz: Rebuilt. l/lcms-1.12-i486-1.tgz: Added lcms-1.12. l/taglib-1.0-i486-1.tgz: Added taglib-1.0. n/epic4-2.0-i486-1.tgz: Upgraded to epic4-2.0. n/inetd-1.79s-i486-4.tgz: Do not enable an FTP daemon, finger daemon, or talk daemon by default.
However, time seems harmless enough, comsat is needed to enable biff (and seems safe enough), and auth is needed to comply with RFCs for sending mail (some sites will reject mail if you don't provide an auth service), and auth also seems safe enough. These seem like reasonable defaults to ship with. If it all makes you paranoid, you can always remove (or not install) inetd. :-) n/nmap-3.50-i486-1.tgz: Upgraded to nmap-3.50. n/ppp-2.4.2-i486-1.tgz: Upgraded to ppp-2.4.2. n/popa3d-0.6.4-i486-1.tgz: Upgraded to popa3d-0.6.4. Fixed slack-desc typo (reported by David "Dave" Jez). n/tcpdump-3.8.1-i486-1.tgz: Upgraded to tcpdump-3.8.1 and libpcap-0.8.1. n/tcpip-0.17-i486-26.tgz: Upgraded to tftp-hpa-0.36 and whois_4.6.9. Added more logging to /etc/rc.d/rc.inet1. When configuring the gateway, use "0.0.0.0" rather than "default" to avoid delays if DNS is not available (suggested by Piter Punk and Sebastien Renard). Patched tcp_wrappers to remove setenv() function duplicated in glibc. n/yptools-2.8-i486-4.tgz: Upgraded to ypbind-mt-1.17.2 and ypserv-2.12.1. Removed obsolete ypbind-3.3 (this was replaced by ypbind-mt long ago). xap/xfce-4.0.3.1-i486-1.tgz: Fixed package version number. Fixed permissions on documentation files (thanks to Szymczak Artur). bootdisks/*: Upgraded bootdisks to Linux 2.4.25. extra/glibc-extra-packages/glibc-debug-2.3.2-i486-5.tgz: Rebuilt. extra/glibc-extra-packages/glibc-profile-2.3.2-i486-5.tgz: Rebuilt. extra/slackpkg/slackpkg-1.03-noarch-2.tgz: Upgraded to slackpkg-1.03-noarch-2. NOTE: slackpkg users must manually upgrade to the new slackpkg package, since the change to Slackware's default locale caused the formatting of the FILELIST.TXT file on the FTP site to be slightly different (and, unfortunately, incompatible with older versions of slackpkg). isolinux/initrd.img, rootdisks/install.*: Upgraded USB keyboard modules to Linux 2.4.25. kernels/: Upgraded to Linux 2.4.25. rootdisks/network.dsk, pcmcia.dsk: Upgraded to Linux 2.4.25 modules. 
testing/source/linux-2.6.x/linux-2.6.3.tar.bz2: Added linux-2.6.3 source. +--------------------------+ Wed Feb 18 03:07:58 PST 2004 kernels/*: Recompiled to fix another bounds-checking error in the kernel mremap() code. (this is not the same issue that was fixed on Jan 6) This bug could be used by a local attacker to gain root privileges. Sites should upgrade to a new kernel. After installing the new kernel, be sure to run 'lilo'. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077 Thanks to Paul Starzetz for finding and researching this issue. (* Security fix *) a/kernel-ide-2.4.24-i486-2.tgz: Patched, recompiled. (* Security fix *) d/oprofile-0.7.1-i486-1.tgz: Upgraded to oprofile-0.7.1. Thanks to Firman Pribadi for noticing this needed a recompile (which led me to find the new version :-) k/kernel-source-2.4.24-noarch-2.tgz: Patched the kernel source with a fix for the mremap() problem from Solar Designer, and updated the Speakup driver (not pre-applied). (* Security fix *) kde/kdepim-3.2.0-i486-2.tgz: Fixed problems with KMail, including a bug which could incorrectly cause IMAP mailboxes to be purged. l/libxslt-1.1.3-i486-1.tgz: Upgraded to libxslt-1.1.3. n/metamail-2.7-i486-2.tgz: Patched two format string bugs and two buffer overflows in metamail which could lead to unauthorized code execution. Thanks to Ulf Härnhammar for discovering these problems and providing a patch. (* Security fix *) +--------------------------+ Tue Feb 17 15:33:40 PST 2004 l/ncurses-5.4-i486-2.tgz: Fixed libcursesw.so symlink. (Reported by Luigi Genoni) pasture/: Purged some unsupported things that don't need to be carried along in -current, like freetype-1.3.1, gcl-2.4.4, libxml-1.8.17, and xview-3.2p1.4. They'll still be in the Slackware 9.1 (and older) /pasture directory if you really need them. 
+--------------------------+ Tue Feb 17 00:16:53 PST 2004 a/devs-2.3.1-noarch-19.tgz: Added /dev/ram8 - /dev/ram15 to avoid LILO warnings with newer 2.6 kernels (thanks to Gerardo Exequiel Pozzi). a/elvis-2.2_0-i486-1.tgz: Upgraded to elvis-2.2_0. ap/vim-6.2.263-i486-1.tgz: Upgraded to vim-6.2.263. ap/zsh-4.0.9-i486-1.tgz: Upgraded to zsh-4.0.9. d/doxygen-1.3.6-i486-1.tgz: Upgraded to doxygen-1.3.6. (Thanks to Mark Post for the build script improvements) kde/kdevelop-3.0.1-i486-1.tgz: Upgraded to kdevelop-3.0.1. xap/xvim-6.2.263-i486-1.tgz: Upgraded to vim-6.2.263 linked with GTK2. +--------------------------+ Mon Feb 16 11:14:34 PST 2004 d/gettext-tools-0.14.1-i486-2.tgz: Fixed the build script so that the binaries link against the gettext libraries in the build tree rather than whatever's installed on the machine. Thanks to Doug Asherman for the bug report. +--------------------------+ Sun Feb 15 22:51:12 PST 2004 a/etc-5.1-noarch-6.tgz: Rewrote /etc/profile.d/lang.{csh|sh}, changing the default locale from C to en_US, but retaining the traditional sort order (LC_COLLATE=C). Examples for using the en_US.ISO8859-1 and en_US.UTF-8 locales are also provided. Updated termcap data for Eterm in /etc/termcap-Linux. a/gettext-0.14.1-i486-1.tgz: Upgraded to gettext-0.14.1 (runtime). a/less-382-i486-1.tgz: Upgraded to less-382. a/pkgtools-9.1.2-i486-1.tgz: Upgraded to dialog-0.9b-20031207 and ncurses-5.4 terminfo files. ap/ksh93-20030724-i486-1.tgz: Upgraded to ast-ksh.2003-07-24. ap/rexima-1.4-i486-1.tgz: Upgraded to rexima-1.4. ap/texinfo-4.6-i486-1.tgz: Upgraded to texinfo-4.6. d/autoconf-2.59-noarch-1.tgz: Upgraded to autoconf-2.59. d/automake-1.8.2-noarch-1.tgz: Upgraded to automake-1.8.2. d/gcc-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. d/gcc-g++-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. d/gcc-g77-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. d/gcc-gnat-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. d/gcc-java-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. 
d/gcc-objc-3.3.3-i486-1.tgz: Upgraded to gcc-3.3.3. d/gettext-tools-0.14.1-i486-1.tgz: Upgraded to gettext-0.14.1 (tools). d/libtool-1.5.2-i486-1.tgz: Upgraded to libtool-1.5.2. l/aspell-0.50.5-i486-1.tgz: Upgraded to aspell-0.50.5. l/ncurses-5.4-i486-1.tgz: Upgraded to ncurses-5.4 with wide-char/UTF-8 support. n/ncftp-3.1.7-i486-1.tgz: Upgraded to ncftp-3.1.7. n/samba-3.0.2a-i486-1.tgz: Upgraded to samba-3.0.2a. Removed some obsolete ./configure options (thanks to David Lechnyr). extra/aspell-word-lists/aspell-is-0.50_4-noarch-1.tgz: Added Icelandic word list for aspell. extra/slacktrack/slacktrack-1.17-i486-1.tgz: Upgraded to slacktrack-1.17_1. +--------------------------+ Thu Feb 12 21:50:10 PST 2004 a/glibc-solibs-2.3.2-i486-4.tgz: Recompiled. a/glibc-zoneinfo-2.3.2-noarch-4.tgz: Rebuilt. l/glibc-2.3.2-i486-4.tgz: Recompiled with the 2.4.24 kernel headers. Patched to produce more UTF locales, and changed from a locale-archive to more traditional locale directories in /usr/lib/locale. l/glibc-i18n-2.3.2-noarch-4.tgz: Added many UTF-8 locales. l/libxml2-2.6.6-i486-1.tgz: Upgraded to libxml2-2.6.6. n/lftp-2.6.12-i486-1.tgz: Upgraded to lftp-2.6.12. n/lynx-2.8.5rel.1-i486-2.tgz: Enabled many new options, and fixed symlinks in /usr/lib/lynx/lynx_help. Thanks to Frédéric L. W. Meunier for the suggestions for additional options. tcl/tcl-8.4.5-i486-1.tgz: Upgraded to tcl-8.4.5. tcl/tk-8.4.5-i486-1.tgz: Upgraded to tk-8.4.5. extra/glibc-extra-packages/glibc-debug-2.3.2-i486-4.tgz: Recompiled. extra/glibc-extra-packages/glibc-profile-2.3.2-i486-4.tgz: Recompiled. +--------------------------+ Thu Feb 12 10:00:58 PST 2004 n/mutt-1.4.2i-i486-1.tgz: Upgraded to mutt-1.4.2i. This fixes an overflow that is a potential security hole. Here's the information from www.mutt.org: "Mutt 1.4.2 was released on February 11, 2004. This version fixes a buffer overflow that can be triggered by incoming messages. 
There are reports about spam that has actually triggered this problem and crashed mutt. It is recommended that users of mutt versions prior to 1.4.2 upgrade to this version, or apply the patch included below." (* Security fix *) x/xfree86-4.3.0-i486-6.tgz: Patched to fix buffer overflow problems with the parsing of 'font.alias' files that could allow unauthorized code execution. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106 (* Security fix *) +--------------------------+ Mon Feb 9 11:13:03 PST 2004 gnome/gnumeric-1.2.6-i486-1.tgz: Upgraded to gnumeric-1.2.6. xap/pan-0.14.2.91-i486-1.tgz: Upgraded to pan-0.14.2.91 (beta). +--------------------------+ Sun Feb 8 22:13:30 PST 2004 ap/dvd+rw-tools-5.17.4.8.6-i486-1.tgz: Upgraded to dvd+rw-tools-5.17.4.8.6. ap/gimp-print-4.2.6-i486-1.tgz: Upgraded to gimp-print-4.2.6. ap/screen-4.0.2-i486-1.tgz: Upgraded to screen-4.0.2. extra/swaret/swaret-1.6.1-noarch-2.tgz: Upgraded to swaret-1.6.1-noarch-2. +--------------------------+ Fri Feb 6 21:20:21 PST 2004 ap/alsa-utils-1.0.2-i486-1.tgz: Upgraded to alsa-utils-1.0.2. d/cscope-15.5-i486-1.tgz: Upgraded to cscope-15.5. gnome/gal2-2.1.4-i486-1.tgz: Upgraded to gal-2.1.4. Added back gal-1.99.10 until more things are updated to use the new shared library. l/alsa-driver-1.0.2c-i486-1.tgz: Upgraded to alsa-driver-1.0.2c. l/alsa-lib-1.0.2-i486-1.tgz: Upgraded to alsa-lib-1.0.2. l/alsa-oss-1.0.2-i486-1.tgz: Upgraded to alsa-oss-1.0.2. n/lynx-2.8.5rel.1-i486-1.tgz: Upgraded to lynx-2.8.5rel.1. +--------------------------+ Wed Feb 4 21:37:08 PST 2004 a/acpid-1.0.2-i486-2.tgz: Applied Dirk van Deun's acpi_handler.sh patch to fix ACPI with 2.6 kernels. gnome/acme-2.4.2-i486-1.tgz: Upgraded to acme-2.4.2. gnome/at-spi-1.3.9-i486-1.tgz: Upgraded to at-spi-1.3.9 and gnome-mag-0.10.4. 
gnome/bug-buddy-2.4.2-i486-1.tgz: Upgraded to bug-buddy-2.4.2. gnome/eel-2.4.2-i486-1.tgz: Upgraded to eel-2.4.2. gnome/file-roller-2.4.4-i486-1.tgz: Upgraded to file-roller-2.4.4. gnome/gail-1.4.1-i486-1.tgz: Upgraded to gail-1.4.1. gnome/gal2-2.1.3-i486-1.tgz: Upgraded to gal-2.1.3. This changes to a new major version number (2.2) in the shared library, but since I can't find anything using this in Slackware any longer it's probably not a huge issue. gnome/gcalctool-4.3.42-i486-1.tgz: Upgraded to gcalctool-4.3.42. gnome/gdm-2.4.4.7-i486-1.tgz: Upgraded to gdm-2.4.4.7. gnome/gftp-2.0.16-i486-1.tgz: Upgraded to gftp-2.0.16. gnome/ggv-2.4.1-i486-1.tgz: Upgraded to ggv-2.4.1. gnome/gnome-applets-2.4.2-i486-1.tgz: Upgraded to gnome-applets-2.4.2. gnome/gnome-games-2.4.2-i486-1.tgz: Upgraded to gnome-games-2.4.2. gnome/gnome-media-2.4.1.1-i486-1.tgz: Upgraded to gnome-media-2.4.1.1. gnome/gnome-mime-data-2.4.1-noarch-1.tgz: Upgraded to gnome-mime-data-2.4.1. gnome/gnome-panel-2.4.2-i486-1.tgz: Upgraded to gnome-panel-2.4.2. gnome/gnome-session-2.4.2-i486-1.tgz: Upgraded to gnome-session-2.4.2. gnome/gnome-speech-0.3.1-i486-1.tgz: Upgraded to gnome-speech-0.3.1. gnome/gnome-terminal-2.4.2-i486-1.tgz: Upgraded to gnome-terminal-2.4.2. gnome/gnome-themes-2.4.1-i486-1.tgz: Upgraded to gnome-themes-2.4.1. gnome/gnome-utils-2.4.1-i486-1.tgz: Upgraded to gnome-utils-2.4.1. gnome/gnome-vfs-2.4.2-i486-1.tgz: Upgraded to gnome-vfs-2.4.2. gnome/gnomeicu-cvs20040204-i486-1.tgz: Upgraded to gnomeicu-cvs20040204. gnome/gnome2-user-docs-2.4.1-noarch-1.tgz: Upgraded to gnome2-user-docs-2.4.1. gnome/gnopernicus-0.7.3-i486-1.tgz: Upgraded to gnopernicus-0.7.3. gnome/gucharmap-1.2.0-i486-1.tgz: Upgraded to gucharmap-1.2.0. gnome/libgtkhtml-2.4.1-i486-1.tgz: Upgraded to libgtkhtml-2.4.1. gnome/intltool-0.29-noarch-1.tgz: Upgraded to intltool-0.29. gnome/libbonobo-2.4.3-i486-1.tgz: Upgraded to libbonobo-2.4.3. gnome/libbonoboui-2.4.3-i486-1.tgz: Upgraded to libbonoboui-2.4.3. 
gnome/libgtop-2.0.8-i486-1.tgz: Upgraded to libgtop-2.0.8. gnome/metacity-2.6.3-i486-1.tgz: Upgraded to metacity-2.6.3. gnome/nautilus-2.4.2-i486-1.tgz: Upgraded to nautilus-2.4.2. gnome/orbit2-2.9.6-i486-1.tgz: Upgraded to ORBit-2.9.6. gnome/scrollkeeper-0.3.14-i486-1.tgz: Upgraded to scrollkeeper-0.3.14. gnome/yelp-2.4.2-i486-1.tgz: Upgraded to yelp-2.4.2. kde/kdeaccessibility-3.2.0-i486-1.tgz: Added kdeaccessibility-3.2.0. kde/kdeaddons-3.2.0-i486-1.tgz: Upgraded to kdeaddons-3.2.0. kde/kdeadmin-3.2.0-i486-1.tgz: Upgraded to kdeadmin-3.2.0. kde/kdeartwork-3.2.0-i486-1.tgz: Upgraded to kdeartwork-3.2.0. kde/kdebase-3.2.0-i486-1.tgz: Upgraded to kdebase-3.2.0. kde/kdebindings-3.2.0-i486-1.tgz: Upgraded to kdebindings-3.2.0. kde/kdeedu-3.2.0-i486-1.tgz: Upgraded to kdeedu-3.2.0. kde/kdegames-3.2.0-i486-1.tgz: Upgraded to kdegames-3.2.0. kde/kdegraphics-3.2.0-i486-1.tgz: Upgraded to kdegraphics-3.2.0. kde/kdelibs-3.2.0-i486-1.tgz: Upgraded to kdelibs-3.2.0. kde/kdemultimedia-3.2.0-i486-1.tgz: Upgraded to kdemultimedia-3.2.0. kde/kdenetwork-3.2.0-i486-1.tgz: Upgraded to kdenetwork-3.2.0. kde/kdepim-3.2.0-i486-1.tgz: Upgraded to kdepim-3.2.0. kde/kdesdk-3.2.0-i486-1.tgz: Upgraded to kdesdk-3.2.0. kde/kdetoys-3.2.0-i486-1.tgz: Upgraded to kdetoys-3.2.0. kde/kdeutils-3.2.0-i486-1.tgz: Upgraded to kdeutils-3.2.0. kde/kdevelop-3.0.0-i486-1.tgz: Upgraded to kdevelop-3.0.0. kde/koffice-1.3-i486-2.tgz: Recompiled against KDE 3.2.0. kde/quanta-3.2.0-i486-1.tgz: Upgraded to quanta-3.2.0. kdei/kde-i18n-*: Upgraded to KDE 3.2.0 i18n packages. l/arts-1.2.0-i486-1.tgz: Upgraded to arts-1.2.0. l/atk-1.5.2-i486-1.tgz: Upgraded to atk-1.5.2. l/libxml2-2.6.5-i486-1.tgz: Upgraded to libxml2-2.6.5. l/libxslt-1.1.2-i486-1.tgz: Upgraded to libxslt-1.1.2. xap/gimp-2.0pre3-i486-1.tgz: Upgraded to gimp-2.0pre3. extra/slackpkg/slackpkg-1.02.2-noarch-2.tgz: Upgraded to slackpkg-1.02.2-noarch-2. rootdisks/network.dsk, pcmcia.dsk: Upgraded to Linux 2.4.24 modules. 
testing/packages/qt-3.3.0/qt-3.3.0-i486-1.tgz: Added qt-x11-free-3.3.0. Like qt-3.2.3, this breaks support for the Linux font in Konsole. Until that can be addressed in either Qt or KDE (it's been broken and fixed a couple of times before, but nobody's told me what the fix was), we'll likely stick with qt-3.2.2. That version is working fine here. If you have a need for the new features in Qt 3.3, feel free to use it. Other than the Konsole problem, it works fine with KDE 3.2.0. testing/source/linux-2.6.x/linux-2.6.2.tar.bz: Added linux-2.6.2 source. +--------------------------+ Fri Jan 30 19:36:41 PST 2004 bootdisks/*: Upgraded bootdisks to Linux 2.4.24 isolinux/initrd.img, rootdisks/install.*: Upgraded USB keyboard modules to Linux 2.4.24. d/perl-5.8.3-i486-1.tgz: Upgraded to perl-5.8.3, DBI-1.40, and XML-Parser-2.34. kde/kdevelop-3.0.0r1-i486-1.tgz: Upgraded to kdevelop-3.0.0r1. (this version actually contains a kdevelop binary, too) n/irssi-0.8.9-i486-2.tgz: Recompiled against perl-5.8.3. xap/gaim-0.75-i486-2.tgz: Recompiled against perl-5.8.3 and used the updated patch from the GAIM site. xap/imagemagick-5.5.7_15-i486-1.tgz: Upgraded to ImageMagick-5.5.7-15. extra/slackpkg/slackpkg-1.02-noarch-6.tgz: Upgraded to slackpkg-1.02-noarch-6. +--------------------------+ Wed Jan 28 18:13:34 PST 2004 d/binutils-2.14.90.0.8-i486-1.tgz: Upgraded to binutils-2.14.90.0.8. d/clisp-2.32-i486-1.tgz: Upgraded to clisp-2.32. xap/xfce-4.0.3-i486-1.tgz: Upgraded to xfce-4.0.3. xap/xine-lib-1rc3a-i686-1.tgz: Upgraded to xine-lib-1-rc3a. xap/xine-ui-0.9.23-i686-1.tgz: Upgraded to xine-ui-0.9.23. xap/xlockmore-5.11.1-i486-1.tgz: Upgraded to xlockmore-5.11.1. xap/xmms-1.2.9-i486-1.tgz: Upgraded to xmms-1.2.9. xap/xscreensaver-4.14-i486-1.tgz: Upgraded to xscreensaver-4.14. +--------------------------+ Tue Jan 27 20:02:08 PST 2004 a/sed-4.0.9-i486-1.tgz: Upgraded to sed-4.0.9. 
It looks like the new regex matcher in this version finally passes the benchmark test from Haakon Riiser (this was a test sent in to me which ran in less than a second with sed-3.x versions, but took hours with sed-4.x versions). This is the first 4.0.x version to pass, and I *think* it's finally safe to upgrade this, but let me know if there are problems. d/distcc-2.12.1-i486-1.tgz: Upgraded to distcc-2.12.1. gnome/abiword-2.0.3-i486-1.tgz: Upgraded to abiword-2.0.3. gnome/eog-2.4.1-i486-1.tgz: Upgraded to eog-2.4.1. gnome/galeon-1.3.12-i486-1.tgz: Upgraded to galeon-1.3.12. gnome/gedit-2.4.1-i486-1.tgz: Upgraded to gedit-2.4.1. gnome/ghex-2.4.1-i486-1.tgz: Upgraded to ghex-2.4.1. gnome/gnumeric-1.2.5-i486-1.tgz: Upgraded to gnumeric-1.2.5. gnome/gthumb-2.3.0-i486-1.tgz: Upgraded to gthumb-2.3.0. gnome/libgnomeprint-2.4.2-i486-1.tgz: Upgraded to libgnomeprint-2.4.2. gnome/libgnomeprintui-2.4.2-i486-1.tgz: Upgraded to libgnomeprintui-2.4.2. kde/koffice-1.3-i486-1.tgz: Upgraded to koffice-1.3. kdei/koffice-*: Upgraded to koffice-i18n-*-1.3 packages. n/rsync-2.6.0-i486-1.tgz: Upgraded to rsync-2.6.0. n/samba-3.0.1-i486-1.tgz: Upgraded to samba-3.0.1. +--------------------------+ Mon Jan 26 15:14:12 PST 2004 xap/gaim-0.75-i486-1.tgz: Upgraded to gaim-0.75 and patched 12 overflows that can allow remote compromise. All GAIM users should upgrade. (* Security fix *) +--------------------------+ Tue Jan 20 14:42:23 PST 2004 d/python-2.3.3-i486-1.tgz: Upgraded to python-2.3.3. d/python-demo-2.3.3-noarch-1.tgz: Upgraded to python-2.3.3 demos. d/python-tools-2.3.3-noarch-1.tgz: Upgraded to tools for python-2.3.3. kde/kdemultimedia-3.1.5-i486-2.tgz: Recompiled without -ansi and -pedantic, using the 2.4.20 kernel includes, and with two other patches to make code compatible with GCC 3.3.x. This restores some missing programs. :-) n/sendmail-8.12.11-i486-1.tgz: Upgraded to sendmail-8.12.11. n/sendmail-cf-8.12.11-noarch-1.tgz: Upgraded to sendmail-cf-8.12.11. 
xap/gimp-2.0pre2-i486-1.tgz: Upgraded to gimp-2.0pre2. +--------------------------+ Sun Jan 18 18:06:08 PST 2004 ap/espgs-7.07.1-i486-2.tgz: Fixed symbolic links in /usr/doc/espgs-7.07.1/. gnome/epiphany-1.0.7-i486-1.tgz: Upgraded to epiphany-1.0.7. gnome/galeon-1.3.11a-i486-1.tgz: Upgraded to galeon-1.3.11a. xap/gimp-2.0pre1-i486-1.tgz: Upgraded to gimp-2.0pre1. xap/mozilla-1.6-i486-1.tgz: Upgraded to mozilla-1.6. xap/mozilla-plugins-1.6-noarch-1.tgz: Java/Flash symlinks for mozilla-1.6. +--------------------------+ Wed Jan 14 13:06:58 PST 2004 ap/alsa-utils-1.0.1-i486-1.tgz: Upgraded to alsa-utils-1.0.1. kde/kdeaddons-3.1.5-i486-1.tgz: Upgraded to kdeaddons-3.1.5. kde/kdeadmin-3.1.5-i486-1.tgz: Upgraded to kdeadmin-3.1.5. kde/kdeartwork-3.1.5-i486-1.tgz: Upgraded to kdeartwork-3.1.5. kde/kdebase-3.1.5-i486-1.tgz: Upgraded to kdebase-3.1.5. kde/kdebindings-3.1.5-i486-1.tgz: Upgraded to kdebindings-3.1.5. kde/kdeedu-3.1.5-i486-1.tgz: Upgraded to kdeedu-3.1.5. kde/kdegames-3.1.5-i486-1.tgz: Upgraded to kdegames-3.1.5. kde/kdegraphics-3.1.5-i486-1.tgz: Upgraded to kdegraphics-3.1.5. kde/kdelibs-3.1.5-i486-1.tgz: Upgraded to kdelibs-3.1.5. kde/kdemultimedia-3.1.5-i486-1.tgz: Upgraded to kdemultimedia-3.1.5. kde/kdenetwork-3.1.5-i486-1.tgz: Upgraded to kdenetwork-3.1.5. kde/kdepim-3.1.5-i486-1.tgz: Upgraded to kdepim-3.1.5. This fixes a security issue. From the KDE advisory: The KDE team has found a buffer overflow in the file information reader of VCF files. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. By default, file information reading is disabled for remote files. However, if previews are enabled for remote files, remote attackers may be able to compromise the victim's account. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0988 (* Security fix *) kde/kdesdk-3.1.5-i486-1.tgz: Upgraded to kdesdk-3.1.5. 
kde/kdetoys-3.1.5-i486-1.tgz: Upgraded to kdetoys-3.1.5. kde/kdeutils-3.1.5-i486-1.tgz: Upgraded to kdeutils-3.1.5. kde/kdevelop-3.0.0b2-i486-1.tgz: Upgraded to kdevelop-3.0.0b2. kde/quanta-3.1.5-i486-1.tgz: Upgraded to quanta-3.1.5. kdei/*: Upgraded to KDE 3.1.5 i18n packages. l/alsa-driver-1.0.1-i486-1.tgz: Upgraded to alsa-driver-1.0.1. l/alsa-lib-1.0.1-i486-1.tgz: Upgraded to alsa-lib-1.0.1. l/alsa-oss-1.0.1-i486-1.tgz: Upgraded to alsa-oss-1.0.1. l/arts-1.1.5-i486-1.tgz: Upgraded to arts-1.1.5. extra/inn/inn-2.4.1-i486-1.tgz: Upgraded to inn-2.4.1. From the inn-2.4.1 NEWS file: * SECURITY: Handle the special filing of control messages into per-type newsgroups more robust. This closes a potentially exploitable buffer overflow. Thanks to Dan Riley for his excellent bug report. (* Security fix *) testing/source/linux-2.6.x/linux-2.6.1.tar.bz: Added linux-2.6.1 source. +--------------------------+ Thu Jan 8 13:30:11 PST 2004 d/j2sdk-1_4_2_03-i586-1.tgz: Upgraded to Java(TM) 2 Software Development Kit Standard Edition, Version 1.4.2_03. Among other fixes, this updates the Verisign root certificates which expired yesterday in the version of Java shipped in Slackware 9.1. Thanks to Dominik L. Borkowski for the heads-up. +--------------------------+ Tue Jan 6 17:41:15 PST 2004 Happy new year everyone! :-) kernels/: Upgraded to Linux 2.4.24. This fixes a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. Sites should upgrade to the 2.4.24 kernel and kernel modules. After installing the new kernel, be sure to run 'lilo'. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985 Thanks to Paul Starzetz for finding and researching this issue. (* Security fix *) extra/kernel-modules-xfs/alsa-driver-xfs-1.0.0rc2-i486-2.tgz: Recompiled against Linux 2.4.24-xfs. extra/kernel-modules-xfs/kernel-modules-xfs-2.4.24-i486-1.tgz: Kernel modules upgraded to 2.4.24-xfs.
extra/slacktrack/slacktrack-1.16-i486-1.tgz: Upgraded to slacktrack-1.16_1. a/procps-2.0.18-i486-1.tgz: Upgraded to procps-2.0.18 and psmisc-21.4. a/kernel-ide-2.4.24-i486-1.tgz: Upgraded to Linux 2.4.24. a/kernel-modules-2.4.24-i486-1.tgz: Upgraded to Linux 2.4.24 kernel modules. d/cvs-1.11.11-i486-1.tgz: Upgraded to cvs-1.11.11. This version enforces greater security. Changes include pserver refusing to run as root, and logging attempts to exploit the security hole fixed in 1.11.10 in the syslog. d/kernel-headers-2.4.24-i386-1.tgz: Upgraded to kernel-headers-2.4.24. BTW, every time I do this (upgrade kernel-headers without a glibc recompile) I hear from many well-intentioned people who must think I don't know the "rules" about that, but I do (honest!). Slackware was one of the first to create a kernel-headers package that wasn't just a couple of symlinks into /usr/src. However, in this case (and in the case of the last upgrade), the kernel isn't different enough to require (or justify) pushing a recompiled glibc. If this were a major kernel upgrade (like 2.4 -> 2.6), that would be a whole different story... k/kernel-source-2.4.24-noarch-1.tgz: Upgraded to Linux 2.4.24 kernel source, with XFS and Speakup patches included (but not pre-applied). This uses the XFS and Speakup patches for 2.4.23, which should be fine since 2.4.24 didn't change much code. Proper XFS patches for 2.4.24 will probably be out soon to fix the one Makefile rejection for EXTRAVERSION = -xfs, but likely little else will be different since XFS development has already gone ahead to what is now the 2.4.25-pre kernel series. l/alsa-driver-1.0.0rc2-i486-2.tgz: Recompiled against Linux 2.4.24. +--------------------------+ Thu Dec 18 22:05:40 PST 2003 ap/dvd+rw-tools-5.14.4.7.4-i486-1.tgz: Upgraded to dvd+rw-tools-5.14.4.7.4. ap/mysql-4.0.17-i486-1.tgz: Upgraded to mysql-4.0.17. ap/oggutils-1.0-i386-3.tgz: Removed. This is replaced by separate libao, libogg, libvorbis, and vorbis-tools packages.
ap/vorbis-tools-1.0.1-i486-1.tgz: Upgraded to vorbis-tools-1.0.1.
kde/koffice-1.2.95-i486-1.tgz: Upgraded to koffice-1.2.95.
kdei/koffice-i18n-*.tgz: Upgraded to koffice-i18n-1.2.95.
l/libao-0.8.4-i486-1.tgz: Upgraded to libao-0.8.4.
l/libogg-1.1-i486-1.tgz: Upgraded to libogg-1.1.
l/libvorbis-1.0.1-i486-1.tgz: Upgraded to libvorbis-1.0.1.
testing/source/linux-2.6.x/linux-2.6.0.tar.bz: Added linux-2.6.0 source.
+--------------------------+
Tue Dec 16 22:23:07 PST 2003
xap/gimp-1.3.23-i486-1.tgz: Upgraded to gimp-1.3.23.
+--------------------------+
Mon Dec 15 17:49:23 PST 2003
a/aaa_elflibs-9.1.1-i486-1.tgz: Renamed from 'elflibs' so that it comes
  before any other library-containing packages in the A series. This reduces
  potential problems if it contains a few obsolete libraries (as occasionally
  happens in -current). Also, updated the asound, cups, and pcre libraries.
a/cups-1.1.20-i486-1.tgz: Upgraded to cups-1.1.20. Also, added an smb backend
  symlink to smbspool (thanks to Boris Kurktchiev for the suggestion. :-)
a/syslinux-2.08-i486-1.tgz: Upgraded to syslinux-2.08.
ap/espgs-7.07.1-i486-1.tgz: Upgraded to espgs-7.07.1.
d/perl-5.8.2-i486-1.tgz: Upgraded to perl-5.8.2.
gnome/abiword-2.0.2-i486-1.tgz: Upgraded to abiword-2.0.2.
l/libwmf-0.2.8.2-i486-1.tgz: Added libwmf-0.2.8.2.
l/libwmf-docs-0.2.8.2-noarch-1.tgz: Added docs package for libwmf-0.2.8.2.
l/pcre-4.5-i486-1.tgz: Upgraded to pcre-4.5.
l/wv2-0.2.1-i486-2.tgz: Moved from kde/, recompiled with /usr prefix.
n/irssi-0.8.9-i486-1.tgz: Added irssi-0.8.9.
xap/gaim-0.74-i486-2.tgz: Recompiled against perl-5.8.2.
xap/imagemagick-5.5.7_14-i486-1.tgz: Upgraded to imagemagick-5.5.7-14.
  Switched to --prefix=/usr, since some sources can't find it otherwise.
xap/xchat-2.0.6-i486-2.tgz: Patched remote crash in dcc.c.
  Recompiled against perl-5.8.2.
+--------------------------+
Fri Dec 12 11:01:02 PST 2003
l/lftp-2.6.10-i486-1.tgz: Upgraded to lftp-2.6.10.
  According to the NEWS file, this includes "security fixes in html parsing
  code" which could cause a compromise when using lftp to access an untrusted
  site.
  (* Security fix *)
+--------------------------+
Thu Dec 11 12:38:41 PST 2003
d/cvs-1.11.10-i486-1.tgz: Upgraded to cvs-1.11.10.
  From the NEWS file:
    SERVER SECURITY ISSUES
    * Malformed module requests could cause the CVS server to attempt to
      create directories and possibly files at the root of the filesystem
      holding the CVS repository. Filesystem permissions usually prevent the
      creation of these misplaced directories, but nevertheless, the CVS
      server now rejects the malformed requests.
  (* Security fix *)
l/lesstif-0.93.94-i486-1.tgz: Upgraded to lesstif-0.93.94. This should be a
  more stable version (thanks to Andrea Comerlati, who reported a crash with
  xmgrace compiled against lesstif-0.93.91).
+--------------------------+
Tue Dec 9 23:09:53 PST 2003
ap/alsa-utils-1.0.0rc2-i486-1.tgz: Upgraded to alsa-utils-1.0.0rc2.
l/alsa-driver-1.0.0rc2-i486-1.tgz: Upgraded to alsa-driver-1.0.0rc2.
l/alsa-lib-1.0.0rc2-i486-1.tgz: Upgraded to alsa-lib-1.0.0rc2.
l/alsa-oss-1.0.0rc2-i486-1.tgz: Upgraded to alsa-oss-1.0.0rc2.
extra/kernel-modules-xfs/alsa-driver-xfs-1.0.0rc2-i486-1.tgz: Upgraded to
  alsa-driver-1.0.0rc2 compiled for linux-2.4.23-xfs.
+--------------------------+
Thu Dec 4 19:53:16 PST 2003
xap/xfce-4.0.1-i486-1.tgz: Upgraded to xfce-4.0.1.
+--------------------------+
Wed Dec 3 22:09:27 PST 2003
n/rsync-2.5.7-i486-1.tgz: Upgraded to rsync-2.5.7.
  From the rsync-2.5.7-NEWS file:
    SECURITY:
    * Fix buffer handling bugs. (Andrew Tridgell, Martin Pool, Paul
      Russell, Andrea Barisani)
  The vulnerability affects sites running rsync in daemon mode (rsync
  servers). These sites should be upgraded immediately.
  (* Security fix *)
+--------------------------+
Mon Dec 1 16:07:32 PST 2003
k/kernel-source-2.4.23-noarch-2.tgz: Added XFS and Speakup patches.
  (not applied by default)
xap/xchat-2.0.6-i486-1.tgz: Upgraded to xchat-2.0.6.
bootdisks/: Added 2.4.23 speakup.s and xfs.s bootdisks.
extra/kernel-modules-xfs/alsa-driver-xfs-0.9.8-i486-1.tgz: Added
  alsa-driver-0.9.8 kernel modules for 2.4.23-xfs.
extra/kernel-modules-xfs/kernel-modules-xfs-2.4.23-i486-1.tgz: Added
  XFS-patched 2.4.23 kernel modules.
kernels/: Added 2.4.23 speakup.s and xfs.s kernels.
+--------------------------+
Sun Nov 30 23:26:17 PST 2003
a/kernel-ide-2.4.23-i486-1.tgz: Upgraded to Linux 2.4.23.
a/kernel-modules-2.4.23-i486-1.tgz: Upgraded to Linux 2.4.23 modules.
ap/alsa-utils-0.9.8-i486-1.tgz: Upgraded to alsa-utils-0.9.8.
d/kernel-headers-2.4.23-i386-1.tgz: Upgraded to Linux 2.4.23 kernel headers.
k/kernel-source-2.4.23-noarch-1.tgz: Upgraded to Linux 2.4.23.
l/alsa-driver-0.9.8-i486-1.tgz: Upgraded to alsa-driver-0.9.8.
l/alsa-lib-0.9.8-i486-1.tgz: Upgraded to alsa-lib-0.9.8.
l/alsa-oss-0.9.8-i486-1.tgz: Upgraded to alsa-oss-0.9.8.
xap/xchat-2.0.5-i486-2.tgz: Rebuilt against new perl. Thanks to Boris
  Kurktchiev for reminding me this needed to be done.
bootdisks/*: Upgraded to Linux 2.4.23.
isolinux/initrd.img, rootdisks/install.*: Upgraded USB keyboard modules to
  2.4.23.
kernels/*: Upgraded to Linux 2.4.23 kernels.
extra/slacktrack/slacktrack-1.15-i486-4.tgz: Upgraded to
  slacktrack-1.15-i486-4.
+--------------------------+
Fri Nov 28 15:10:26 PST 2003
d/distcc-2.11.2-i486-1.tgz: Upgraded to distcc-2.11.2.
d/nasm-0.98.38-i486-1.tgz: Upgraded to nasm-0.98.38.
l/aspell-0.50.4.1-i486-1.tgz: Upgraded to aspell-0.50.4.1.
n/bind-9.2.3-i486-1.tgz: Upgraded to bind-9.2.3. Be sure to remove any old
  bind-9 package, because for some crazy reason they've changed the library
  version of libisccfg from 1.0.0 to 0.0.7.
n/gnupg-1.2.3-i486-2.tgz: Removed support for ElGamal keys, since an
  implementation error has caused many of these to be easily compromised.
  Any existing sign+encrypt ElGamal keys should be revoked (and you'll need
  to use your existing gpg to do that).
  Fortunately, ElGamal is not used by default in GnuPG, is not widely used,
  and was never a popular choice because it produced larger signatures and
  was more costly to encrypt/decrypt than other choices. If you've been using
  ElGamal, you will need to select a new key cipher type for your replacement
  key (my suggestion would be to go with the GnuPG default).
  (* Security fix *)
n/wget-1.9.1-i486-1.tgz: Upgraded to wget-1.9.1.
xap/gaim-0.74-i486-1.tgz: Upgraded to gaim-0.74.
extra/bash-completion/bash-completion-20031125-noarch-1.tgz: Upgraded to
  bash-completion-20031125.
extra/swaret/swaret-1.6.0-noarch-5.tgz: Upgraded to swaret-1.6.0-noarch-5.
+--------------------------+
Mon Nov 24 18:18:42 PST 2003
a/syslinux-2.07-i486-1.tgz: Upgraded to syslinux-2.07.
ap/at-3.1.8-i486-2.tgz: Patched to fix parsing of timespec formats such as
  TIME DATE INCREMENT (for example, 'at 00:00 today + 1 week').
  Thanks to Haakon Riiser for the bug report.
d/doxygen-1.3.5-i486-1.tgz: Upgraded to doxygen-1.3.5.
n/lftp-2.6.9-i486-1.tgz: Upgraded to lftp-2.6.9.
xap/gaim-0.73-i486-1.tgz: Upgraded to gaim-0.73.
xap/sane-1.0.13-i486-1.tgz: Upgraded to sane-backends-1.0.13.
+--------------------------+
Fri Nov 21 16:07:06 PST 2003
ap/mysql-4.0.16-i486-1.tgz: Upgraded to mysql-4.0.16.
d/doxygen-1.3.4-i486-1.tgz: Added doxygen-1.3.4 (used by KDevelop).
d/python-2.3.2-i486-2.tgz: Rebuilt with --enable-shared.
  (Suggested by Andrey V. Panov)
kde/kdelinks-1.1-noarch-2.tgz: Fixed incorrect perms on some .desktop files.
  (Thanks to Murphy for the bug report)
kde/kdevelop-3.0.0b1-i486-1.tgz: Upgraded to kdevelop-3.0.0b1.
kde/qt-3.2.2-i486-2.tgz: Reverted to Qt-3.2.2. I noticed (and it was also
  reported by Peter Christy) that upgrading to Qt-3.2.3 breaks konsole's font
  handling in exactly the same way as happened over the summer. I never did
  find out how that was fixed (and couldn't find it myself last time) or I'd
  see if I could fix it again.
  In any case, Qt is probably OK, but until KDE syncs up to it we should
  probably use version 3.2.2. Most of the bugfixes in Qt-3.2.3 were for other
  platforms, and AFAIK Qt 3.2.2 was working and finally fixed some keyboard
  problems people were having.
  IMPORTANT NOTE: If you're using an auto-update utility to keep your
  Slackware system up to date, there's a chance it might take the opinion
  that a larger version number is always better and will fail to revert to
  qt-3.2.2-i486-2.tgz automatically. If you run into this, IMHO it should be
  reported as a bug. Such an algorithm would make it impossible to ever
  revert from a buggy upstream release to the previous one. Depending on the
  reason for the package retraction (and there always is one on the rare
  occasions it happens), leaving the package in place could be a security
  issue as well as failing to address the problems leading to the package
  retraction. The default behavior for such utilities should always be to
  keep in sync with the online package set.
n/nail-10.6-i486-1.tgz: Upgraded to nail-10.6.
n/php-4.3.4-i486-1.tgz: Upgraded to php-4.3.4.
n/proftpd-1.2.9-i486-2.tgz: Added mod_wrap (suggested by Jesse McCormick).
extra/swaret/swaret-1.4.0-noarch-3.tgz: Upgraded to swaret-1.4.0-noarch-3.
testing/packages/qt-3.2.3/qt-3.2.3-i486-1.tgz: Removed from mainstream and
  placed in testing/ until konsole problems are addressed.
+--------------------------+
Mon Nov 17 09:23:02 PST 2003
a/glibc-solibs-2.3.2-i486-3.tgz: Recompiled with gcc-3.3.2.
a/glibc-zoneinfo-2.3.2-noarch-3.tgz: Rebuilt, updated Brazil timezone.
d/binutils-2.14.90.0.7-i486-1.tgz: Upgraded to binutils-2.14.90.0.7.
d/gcc-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
d/gcc-g++-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
d/gcc-g77-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
d/gcc-gnat-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
d/gcc-java-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
d/gcc-objc-3.3.2-i486-1.tgz: Moved to slackware/d/ from testing/packages/.
kde/koffice-1.2.94-i486-1.tgz: Upgraded to koffice-1.2.94.
kde/qt-3.2.3-i486-1.tgz: Upgraded to qt-x11-free-3.2.3.
kde/wv2-0.2.1-i486-1.tgz: Added wv2-0.2.1 (used by KWord to import various MS
  document formats).
kdei/koffice-i18n-*-1.2.94-noarch-1.tgz: Upgraded to koffice-i18n-1.2.94.
l/glibc-2.3.2-i486-3.tgz: Recompiled with gcc-3.3.2 after applying a small
  patch to fix some old-style C syntax that won't compile with the new gcc.
  Thanks to Tomasz Torcz for pointing me to the patch on the glibc bug list.
  Updated timezone information for Brazil.
l/glibc-i18n-2.3.2-noarch-3.tgz: Rebuilt.
l/libgsf-1.8.2-i486-2.tgz: Recompiled, fixed placement of HTML docs, and
  moved this package to l/ from gnome/ since this library is needed by wv2,
  which is used by KWord (part of KDE's KOffice suite).
n/php-4.3.3-i486-5.tgz: Recompiled, fixed PHP ini files to load gettext by
  adding the following line:
    extension=gettext.so
  Thanks to christian laubscher for reporting the gettext problem.
  Fixed the CLI version of PHP to add '-r' and other options that were not
  provided in previous Slackware builds.
extra/glibc-extra-packages/glibc-debug-2.3.2-i486-3.tgz: Recompiled with
  gcc-3.3.2.
extra/glibc-extra-packages/glibc-profile-2.3.2-i486-3.tgz: Recompiled with
  gcc-3.3.2.
+--------------------------+
Thu Nov 13 19:45:54 PST 2003
isolinux/initrd.img, rootdisks/install.*: Fixed custom tagfile extensions.
  Thanks to Andrew Donkin for the patch, and to Martin van Nijnatten for
  making sure I got it. :-)
a/pkgtools-9.1.1-i486-2.tgz: Fixed makepkg $PREPEND bug.
  Thanks to Luca C.M. Girardi "CAT" for the bug report/patch.
d/python-2.3.2-i486-1.tgz: Upgraded to python-2.3.2.
d/python-demo-2.3.2-noarch-1.tgz: Upgraded to python-2.3.2 demos.
d/python-tools-2.3.2-noarch-1.tgz: Upgraded to tools for python-2.3.2.
l/startup-notification-0.5-i486-2.tgz: Moved here from gnome/ since this
  library is needed by gaim in xap/.
n/mod_ssl-2.8.16_1.3.29-i486-2.tgz: Modified the conf file to load the module
  correctly from the new /usr/libexec/apache location. Eliminated unnecessary
  'AddModule' directive in mod_ssl.conf.
n/php-4.3.3-i486-4.tgz: Modified the conf file to load the module correctly
  from the new /usr/libexec/apache location. Eliminated unnecessary
  'AddModule' directive in mod_php.conf.
xap/gaim-0.72-i486-1.tgz: Upgraded to gaim-0.72.
xap/gimp-1.3.22-i486-1.tgz: Upgraded to gimp-1.3.22.
extra/slackpkg/slackpkg-1.00-noarch-2.tgz: Upgraded to
  slackpkg-1.00-noarch-2. (thanks to Piter PUNK aka Roberto F Batista)
extra/slacktrack/slacktrack-1.15-i486-3.tgz: Upgraded to
  slacktrack-1.15-i486-3. (thanks to Stuart Winter)
+--------------------------+
Mon Nov 3 19:30:57 PST 2003
gnome/abiword-2.0.1-i486-1.tgz: Upgraded to abiword-2.0.1.
kde/qt-3.2.2-i486-2.tgz: Fixed incorrect QTDIR in /etc/profile.d/ scripts.
  Thanks to Damjan for the bug report.
n/apache-1.3.29-i486-1.tgz: Upgraded to apache-1.3.29.
  This fixes the following local security issue:
    o CAN-2003-0542 (cve.mitre.org)
      Fix buffer overflows in mod_alias and mod_rewrite which occurred if
      one configured a regular expression with more than 9 captures.
  This vulnerability requires the attacker to create or modify certain
  Apache configuration files, and is not a remote hole. However, it could
  possibly be used to gain additional privileges if access to the Apache
  administrator account can be gained through some other means. All sites
  running Apache should upgrade.
  NOTE: This package also changes the libexecdir (the location for Apache
  modules) from /usr/libexec to /usr/libexec/apache.
  (* Security fix *)
n/links-2.1pre13-i486-1.tgz: Upgraded to links-2.1pre13.
n/mod_ssl-2.8.16_1.3.29-i486-1.tgz: Upgraded to mod_ssl-2.8.16_1.3.29.
  Moved Apache module libssl.so into /usr/libexec/apache.
n/php-4.3.3-i486-3.tgz: Recompiled, moved Apache module libphp4.so into
  /usr/libexec/apache.
n/proftpd-1.2.9-i486-1.tgz: Upgraded to proftpd-1.2.9.
extra/slacktrack/slacktrack-1.15-i486-2.tgz: Upgraded to
  slacktrack/slacktrack-1.15-i486-2.tgz.
+--------------------------+
Thu Oct 30 15:08:57 PST 2003
extra/swaret/swaret-1.3.4-noarch-7.tgz: Upgraded to swaret-1.3.4-noarch-7.
+--------------------------+
Wed Oct 29 23:05:49 PST 2003
gnome/epiphany-1.0.4-i486-1.tgz: Upgraded to epiphany-1.0.4.
gnome/galeon-1.3.10-i486-1.tgz: Upgraded to galeon-1.3.10.
kde/qt-3.2.2-i486-1.tgz: Upgraded to qt-3.2.2.
xap/gaim-0.71-i486-1.tgz: Upgraded to gaim-0.71, and linked with the NSS
  libraries from Mozilla 1.4.1.
xap/mozilla-1.4.1-i486-1.tgz: Upgraded to mozilla-1.4.1.
  Added --enable-calendar (suggested by Dirk van Deun).
xap/mozilla-plugins-1.4.1-noarch-1.tgz: Adjusted symlinks for mozilla-1.4.1.
+--------------------------+
Tue Oct 28 23:09:35 PST 2003
ap/rpm-4.2.1-i486-3.tgz: Fixed /usr/lib/rpmpopt symlink.
  (Reported by Matthew Fischer and Luigi Genoni)
gnome/abiword-2.0.0-i486-2.tgz: Added libwpd to enable support for
  WordPerfect document formats. Thanks to Jonathan Mohr for the suggestion.
extra/swaret/swaret-1.3.4-noarch-6.tgz: Upgraded to swaret-1.3.4-noarch-6.
+--------------------------+
Wed Oct 22 23:15:01 PDT 2003
a/glibc-solibs-2.3.2-i486-2.tgz: Recompiled.
a/glibc-zoneinfo-2.3.2-noarch-2.tgz: Rebuilt.
d/automake-1.7.8-noarch-1.tgz: Upgraded to automake-1.7.8.
d/gdb-6.0-i486-1.tgz: Upgraded to gdb-6.0.
gnome/gdm-2.4.4.5-i486-1.tgz: Upgraded to gdm-2.4.4.5.
  This fixes a bug which can allow a local user to crash gdm, preventing
  access until the machine is rebooted.
  (* Security fix *)
gnome/gst-plugins-0.6.4-i486-1.tgz: Upgraded to gst-plugins-0.6.4.
gnome/gstreamer-0.6.4-i486-1.tgz: Upgraded to gstreamer-0.6.4.
l/aspell-0.50.4-i486-1.tgz: Upgraded to aspell-0.50.4.
l/glibc-2.3.2-i486-2.tgz: Recompiled, fixed /usr/lib/libpthread.so which
  should be a linker script but was replaced by a symlink in doinst.sh.
  Thanks to Mark Post for reporting the problem with libpthread.so.
l/glibc-i18n-2.3.2-noarch-2.tgz: Rebuilt.
n/fetchmail-6.2.5-i486-1.tgz: Upgraded to fetchmail-6.2.5.
  This fixes a security issue where a specially crafted message could cause
  fetchmail to crash, preventing the user from retrieving email.
  (* Security fix *)
xap/xsane-0.92-i486-1.tgz: Upgraded to xsane-0.92. Thanks to Florent Aide for
  reporting that xsane wouldn't start without gimp-1.2. For now xsane has
  been compiled without the gimp plugin since it doesn't seem to be
  compatible with gimp-1.3.
extra/glibc-extra-packages/glibc-debug-2.3.2-i486-2.tgz: Recompiled.
extra/glibc-extra-packages/glibc-profile-2.3.2-i486-2.tgz: Recompiled.
extra/slacktrack/slacktrack-1.13-i486-4.tgz: Upgraded to slacktrack-1.13.
extra/swaret/swaret-1.3.3-noarch-6.tgz: Upgraded to
  swaret-1.3.3-noarch-6.tgz.
testing/packages/gcc-3.3.2/gcc-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
testing/packages/gcc-3.3.2/gcc-g++-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
testing/packages/gcc-3.3.2/gcc-g77-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
testing/packages/gcc-3.3.2/gcc-gnat-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
testing/packages/gcc-3.3.2/gcc-java-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
testing/packages/gcc-3.3.2/gcc-objc-3.3.2-i486-1.tgz: Upgraded to gcc-3.3.2.
+--------------------------+
Sun Oct 12 13:01:53 PDT 2003
ap/rpm-4.2.1-i486-2.tgz: Fixed /var/tmp with wrong (only writable by root)
  permissions. RPM really shouldn't have installed its own /var/tmp anyway,
  but now it needs to be corrected before it can be removed. Thanks to
  Denis A. Kaledin for reporting this permissions bug.
+--------------------------+
Mon Oct 6 22:19:00 PDT 2003
a/hdparm-5.4-i486-1.tgz: Upgraded to hdparm-5.4.
a/pkgtools-9.1.1-i486-1.tgz: Add --prepend option to makepkg to add symlinks
  before existing lines in install/doinst.sh.
  Thanks to Tomas Szepe for the patch.
ap/rpm-4.2.1-i486-1.tgz: Upgraded to rpm-4.2.1 (fixes segfaults).
d/ccache-2.3-i486-1.tgz: Upgraded to ccache-2.3.
d/distcc-2.11-i486-1.tgz: Upgraded to distcc-2.11.
gnome/epiphany-1.0.1-i486-1.tgz: Upgraded to epiphany-1.0.1.
gnome/abiword-2.0.0-i486-1.tgz: Moved from XAP since version 2.0.0 now
  depends on several GNOME libraries.
gnome/gst-plugins-0.6.3-i486-3.tgz: Run gst-register from install script.
gnome/gstreamer-0.6.3-i486-3.tgz: Added scripts to run gst-register.
kde/koffice-1.2.93-i486-1.tgz: Upgraded to koffice-1.2.93.
kdei/koffice-i18n-*-noarch-1.tgz: Upgraded to koffice-i18n-1.2.93.
n/samba-3.0.0-i486-3.tgz: Fixed two broken symlinks in the docs.
n/tcpip-0.17-i486-25.tgz: Upgraded to tcp_wrappers_7.6-ipv6.2.
  Upgraded to whois-4.6.7.
xap/gaim-0.70-i486-1.tgz: Upgraded to gaim-0.70.
xap/gimp-1.3.21-i486-1.tgz: Upgraded to gimp-1.3.21.
+--------------------------+
Wed Oct 1 16:53:11 PDT 2003
a/openssl-solibs-0.9.7c-i486-2.tgz: Rebuilt.
n/openssl-0.9.7c-i486-2.tgz: Some minor bugs in the 0.9.7c release caused a
  few manpages to be incorrectly installed, as well as /usr/lib/pkgconfig to
  be chmoded 644 (which will lead to problems compiling things). These
  problems are fixed in our -2 build. Thanks to Frédéric L. W. Meunier and
  Mark Post for the bug reports.
n/samba-3.0.0-i486-2.tgz: Fixed missing swat files (thanks to Alan Fitton).
  Removed some duplicated documentation.
+--------------------------+
Tue Sep 30 21:15:32 PDT 2003
a/openssl-solibs-0.9.7c-i486-1.tgz: Upgraded to OpenSSL 0.9.7c.
d/perl-5.8.1-i486-1.tgz: Upgraded to perl-5.8.1.
n/openssl-0.9.7c-i486-1.tgz: Upgraded to OpenSSL 0.9.7c.
  This update fixes problems with OpenSSL's ASN.1 parsing which could lead to
  a denial of service.
  It is not known whether the problems could lead to the running of malicious
  code on the server, but it has not been ruled out.
  For detailed information, see OpenSSL's security advisory:
    http://www.openssl.org/news/secadv_20030930.txt
  We recommend sites that use OpenSSL upgrade to the fixed packages right
  away.
  (* Security fix *)
n/samba-3.0.0-i486-1.tgz: Upgraded to samba-3.0.0.
xap/xfce-4.0.0-i486-1.tgz: Upgraded to xfce-4.0.0.
extra/slackpkg/slackpkg-0.99.1-noarch-7.tgz: Upgraded.
+--------------------------+
Thu Sep 25 07:00:08 PDT 2003
Slackware 9.1 is released. Enjoy!