Re: Security Patches for Slackware 7.0 Available (fwd)

From: Andrew_Kunzat_private
Date: Wed Dec 01 1999 - 12:26:28 PST


    I did notice ..  and intended to mention...
    
    when logging in over telnet and presenting a userid not registered on the
    system the connection will be dropped after a password attempt. Different
    from past distributions where you would simply be re-prompted.
    
    makes it a bit easier to locate valid user accounts.
    
    also noticed  (off subject) the /dev entries are missing for the compaq
    smart array controller
    
    Andrew
    
    
    
    
    
    
    Rafael Rodrigues Obelheiro <obelixat_private> on 11/30/99 08:39:44 PM
    
    Please respond to Rafael Rodrigues Obelheiro <obelixat_private>
    
    To:   BUGTRAQat_private
    cc:    (bcc: Andrew Kunz/GROUPSVC/USERS/TDGROUP)
    
    Subject:  Security Patches for Slackware 7.0 Available (fwd)
    
    
    
    
    ---------- Forwarded message ----------
    Date: Tue, 30 Nov 1999 12:14:09 -0800 (PST)
    From: David Cantrell <davidat_private>
    To: slackware-securityat_private
    Subject: Security Patches for Slackware 7.0 Available
    
    There are several security updates available for Slackware 7.0.  We will
    always post bug fixes and security fixes to the /patches subdirectory on
    the ftp site:
    
       ftp.cdrom.com:/pub/linux/slackware-7.0/patches
    
    The ChangeLog.txt file in that directory will show what has been patched
    and why.  Here is a short overview of the current patches available:
    
    
    
       =======================
       BIND-8.2.2-P5 available
       =======================
    
       CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND:
    
            http://www.cert.org/advisories/CA-99-14-bind.html
    
       Six vulnerabilities have been found in BIND, the popular domain name
       server from the Internet Software Consortium (ISC).  One of these
       vulnerabilities may allow remote intruders to gain privileged access
       to name servers.
    
       It is recommended that all systems running the BIND package that
       shipped with Slackware 7.0 upgrade to this one.  Here is the ChangeLog
       description:
    
       bind.tgz       Upgraded to bind-8.2.2-P5.  This fixes a vulnerability
                      in the processing of NXT records that can be used in a
                      DoS attack or (theoretically) be exploited to gain access
                      to the server.  It is suggested that everyone running
                      bind upgrade to this package as soon as possible.
    
    
    
       ==============================
       nfs-server-2.2beta47 available
       ==============================
    
       It is recommended that all Slackware 7.0 systems using NFS upgrade to
       nfs-server 2.2beta47 to patch a possible exploit.  Here is the
       ChangeLog description:
    
       nfs-server.tgz Upgraded to nfs-server-2.2beta47, to fix a security
                      problem with the version that shipped with Slackware 7.0
                      (nfs-server-2.2beta46).  By using a long pathname on a
                      directory NFS mounted read-write, it may be possible for
                      an attacker to execute arbitrary code on the server.  It
                      is recommended that everyone running an NFS server
                      upgrade to this package immediately.
    
    
    
    These packages are designed to be installed on top of an existing Slackware
    7.0 installation.  In the case where a package already exists (such as
    bind.tgz), it is advisable to use upgradepkg.  For other fixes (such as
    the nfs-server.tgz one), you can just use installpkg to install the fix.
    
    NOTE:  For packages that replace daemons on the system (such as bind), you
    need to make sure that you stop the daemon before installing the package.
    Otherwise the file may not be updated properly because it is in use.  You
    can either stop the daemon manually or go into single user mode and then
    go back to multiuser mode.  Example:
    
            # telinit 1             Go into single user mode
            # upgradepkg bind       Perform the upgrade
            # telinit 3             Go back to multiuser mode
    
    Remember to back up configuration files before performing upgrades.
    
    - The Slackware Linux Project
      http://www.slackware.com
    


