[bglug] Fwd: [slackware-security] Security updates for Slackware 8.1
|k|b|s|
bglug@lists.linux.it
Fri, 2 Aug 2002 17:22:27 +0000
For those who want to stay up to date, here is what to do and where to download the
packages for your 8.1.
Bye.
---------- Forwarded Message ----------
Subject: [slackware-security] Security updates for Slackware 8.1
Date: Wed, 31 Jul 2002 13:11:28 -0700 (PDT)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Several security updates are now available for Slackware 8.1, including
updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.
Here are the details from the Slackware 8.1 ChangeLog:
----------------------------
Tue Jul 30 19:45:52 PDT 2002
patches/packages/apache-1.3.26-i386-2.tgz: Upgraded the included libmm
to version 1.2.1. Versions of libmm earlier than 1.2.0 contain a tmp file
vulnerability which may allow the local Apache user to gain privileges via
temporary files or symlinks. For details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
This was also recompiled using EAPI patch from mod_ssl-2.8.10_1.3.26.
(* Security fix *)
patches/packages/glibc-2.2.5-i386-3.tgz: Patched to fix a buffer overflow
in glibc's DNS resolver functions that look up network addresses.
Another workaround for this problem is to edit /etc/nsswitch.conf changing:
networks: files dns
to:
networks: files
(* Security fix *)
patches/packages/glibc-solibs-2.2.5-i386-3.tgz: Patched to fix a buffer
overflow in glibc's DNS resolver functions that look up network addresses.
(* Security fix *)
patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz: This update fixes an
off-by-one error in earlier versions of mod_ssl that may allow local users
to execute code as the Apache user. For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
(* Security fix *)
patches/packages/openssh-3.4p1-i386-2.tgz: Recompiled against
openssl-0.9.6e. This update also contains a fix to the installation script
to ensure that the sshd privsep user is correctly created.
patches/packages/openssl-0.9.6e-i386-1.tgz: Upgraded to openssl-0.9.6e,
which fixes 4 potentially remotely exploitable bugs. For details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
(* Security fix *)
patches/packages/openssl-solibs-0.9.6e-i386-1.tgz: Upgraded to
openssl-0.9.6e, which fixes 4 potentially remotely exploitable bugs. For
details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
(* Security fix *)
patches/packages/php-4.2.2-i386-1.tgz: Upgraded to php-4.2.2. Earlier
versions of PHP 4.2.x contain a security vulnerability, which although not
currently considered exploitable on the x86 architecture is probably still a
good idea to patch. For details, see:
http://www.cert.org/advisories/CA-2002-21.html
(* Security fix *)
----------------------------
WHERE TO FIND THE NEW PACKAGES:
-------------------------------
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.26-i386-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-2.2.5-i386-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-solibs-2.2.5-i386-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-0.9.6e-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-solibs-0.9.6e-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.2.2-i386-1.tgz
MD5 SIGNATURES:
---------------
Here are the md5sums for the packages:
9af3e989fb581fbb29cf6b2d91b1a921 apache-1.3.26-i386-2.tgz
d159bf51306def68f9d28ef5bed06e52 glibc-2.2.5-i386-3.tgz
0b5414fbecbb7aace3593cdfeecba907 glibc-solibs-2.2.5-i386-3.tgz
aaa5a61ff4600d415cf583dab9fbd0a0 mod_ssl-2.8.10_1.3.26-i386-1.tgz
ea0ee4aac4b28ab3f8ed2190e7b3a7d8 openssh-3.4p1-i386-2.tgz
88f32f01ce855d4363bc71899404e2db openssl-0.9.6e-i386-1.tgz
c20073efd9e3847bfa28da9d614e1dcd openssl-solibs-0.9.6e-i386-1.tgz
032bc53692b721ecec80d69944112ea1 php-4.2.2-i386-1.tgz
INSTALLATION INSTRUCTIONS:
--------------------------
Upgrade existing packages using the upgradepkg command:
# upgradepkg apache-1.3.26-i386-2.tgz glibc-2.2.5-i386-3.tgz \
glibc-solibs-2.2.5-i386-3.tgz mod_ssl-2.8.10_1.3.26-i386-1.tgz \
openssh-3.4p1-i386-2.tgz openssl-0.9.6e-i386-1.tgz \
openssl-solibs-0.9.6e-i386-1.tgz php-4.2.2-i386-1.tgz
If the packages have not been previously installed, either use the
installpkg command, or the --install-new option with upgradepkg.
Finally, if your site runs Apache it will need to be restarted:
# apachectl restart
- Slackware Linux Security Team
http://www.slackware.com
-------------------------------------------------------
--
Summary of above: head -c 78 /dev/urandom
| k | b | s | <kbs (at) bglug.it>
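The advisory lists md5sums and then the upgradepkg command; the check that belongs between the two is sketched here as an added example, not part of the original message or of Slackware's tooling. The names `verify_manifest`, `demo` and `MD5SUMS` are assumptions, and the demo files are constructed stand-ins rather than real packages.

```sh
#!/bin/sh
# Added example, not part of the advisory: check downloaded packages against
# the advisory's md5sums before handing them to upgradepkg.
#
# verify_manifest MANIFEST DIR
#   MANIFEST: "<md5> <filename>" lines, as under "MD5 SIGNATURES" above.
#   Prints one status line per package; returns 0 only if every listed
#   file exists in DIR and its MD5 matches.
verify_manifest() {
    manifest=$1; dir=$2; bad=0
    while read -r want name; do
        [ -n "$want" ] || continue          # skip blank lines
        name=${name#\*}                     # md5sum binary-mode marker
        case $name in
            */*) echo "REJECT  $name"; bad=1; continue ;;  # no paths allowed
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "BAD     $name"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: stand-in files, not real Slackware packages.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed package A\n' > "$d/a-1.0-i386-1.tgz"
    printf 'constructed package B\n' > "$d/b-1.0-i386-1.tgz"
    ( cd "$d" && md5sum a-1.0-i386-1.tgz b-1.0-i386-1.tgz ) > "$d/MANIFEST"
    if verify_manifest "$d/MANIFEST" "$d"; then clean=0; else clean=1; fi
    printf 'tampered\n' >> "$d/b-1.0-i386-1.tgz"   # simulate a corrupted download
    if verify_manifest "$d/MANIFEST" "$d"; then tampered=0; else tampered=1; fi
    rm -rf "$d"
    echo "clean=$clean tampered=$tampered"
}
demo

# Real use (as root, in the download directory; MD5SUMS is a hypothetical
# file holding the eight lines from the advisory):
#   verify_manifest MD5SUMS . && upgradepkg *.tgz
```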