Fw: [slackware-security] Security updates for Slackware 8.1

From: Adam Young (adamat_private)
Date: Thu Aug 01 2002 - 19:50:00 PDT


    	Figured this would be of importance to bugtraq.
    
    Begin forwarded message:
    
    Date: Wed, 31 Jul 2002 13:11:28 -0700 (PDT)
    From: Slackware Security Team <securityat_private>
    To: slackware-securityat_private
    Subject: [slackware-security] Security updates for Slackware 8.1
    
    
    From: Slackware Security Team <securityat_private>
    To: slackware-securityat_private
    Reply-To: Slackware Security Team <securityat_private>
    Subject: [slackware-security] Security updates for Slackware 8.1
    Date: Wed, 31 Jul 2002 13:11:28 -0700 (PDT)
    Sender: owner-slackware-securityat_private
    
    
    Several security updates are now available for Slackware 8.1, including
    updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.
    
    Here are the details from the Slackware 8.1 ChangeLog:
    
    ----------------------------
    Tue Jul 30 19:45:52 PDT 2002
    patches/packages/apache-1.3.26-i386-2.tgz:  Upgraded the included libmm
      to version 1.2.1.  Versions of libmm earlier than 1.2.0 contain a tmp file
      vulnerability which may allow the local Apache user to gain privileges via
      temporary files or symlinks.  For details, see:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
      This was also recompiled using EAPI patch from mod_ssl-2.8.10_1.3.26.
      (* Security fix *)
    patches/packages/glibc-2.2.5-i386-3.tgz:  Patched to fix a buffer overflow
      in glibc's DNS resolver functions that look up network addresses.
      Another workaround for this problem is to edit /etc/nsswitch.conf changing:
        networks:       files dns
      to:
        networks:       files
      (* Security fix *)
    patches/packages/glibc-solibs-2.2.5-i386-3.tgz:  Patched to fix a buffer
      overflow in glibc's DNS resolver functions that look up network addresses.
      (* Security fix *)
    patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz:  This update fixes an
      off-by-one error in earlier versions of mod_ssl that may allow local users to
      execute code as the Apache user.  For more information, see:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
      (* Security fix *)
    patches/packages/openssh-3.4p1-i386-2.tgz:  Recompiled against openssl-0.9.6e.
      This update also contains a fix to the installation script to ensure that the
      sshd privsep user is correctly created.
    patches/packages/openssl-0.9.6e-i386-1.tgz:  Upgraded to openssl-0.9.6e, which
      fixes 4 potentially remotely exploitable bugs.  For details, see:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
      (* Security fix *)
    patches/packages/openssl-solibs-0.9.6e-i386-1.tgz:  Upgraded to openssl-0.9.6e,
      which fixes 4 potentially remotely exploitable bugs.  For details, see:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
      (* Security fix *)
    patches/packages/php-4.2.2-i386-1.tgz:  Upgraded to php-4.2.2.  Earlier versions
      of PHP 4.2.x contain a security vulnerability, which although not currently
      considered exploitable on the x86 architecture is probably still a good idea to
      patch.  For details, see:
        http://www.cert.org/advisories/CA-2002-21.html
      (* Security fix *)
    ----------------------------
    
    
    WHERE TO FIND THE NEW PACKAGES:
    -------------------------------
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.26-i386-2.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-2.2.5-i386-3.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-solibs-2.2.5-i386-3.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-2.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-0.9.6e-i386-1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-solibs-0.9.6e-i386-1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.2.2-i386-1.tgz
    
    
    MD5 SIGNATURES:
    ---------------
    
    Here are the md5sums for the packages:
    
    
    INSTALLATION INSTRUCTIONS:
    --------------------------
    
    Upgrade existing packages using the upgradepkg command:
    
       # upgradepkg apache-1.3.26-i386-2.tgz glibc-2.2.5-i386-3.tgz \
         glibc-solibs-2.2.5-i386-3.tgz mod_ssl-2.8.10_1.3.26-i386-1.tgz \
         openssh-3.4p1-i386-2.tgz openssl-0.9.6e-i386-1.tgz \
         openssl-solibs-0.9.6e-i386-1.tgz php-4.2.2-i386-1.tgz
    
    If the packages have not been previously installed, either use the
    installpkg command, or the --install-new option with upgradepkg.
    
    Finally, if your site runs Apache it will need to be restarted:
    
       # apachectl restart
    
    
    - Slackware Linux Security Team
      http://www.slackware.com
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 19:59:45 PDT
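
The /etc/nsswitch.conf workaround given in the glibc entry above can be audited with a short script. This is an added example, not part of the Slackware advisory; the function name `networks_lookup_status` and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the "networks:" entry of an
# nsswitch.conf supplied on stdin. Prints one of:
#   dns     the networks database still consults DNS (workaround not applied)
#   no-dns  a networks line exists and does not list dns
#   absent  no active networks line (the library's built-in default applies)
networks_lookup_status() {
    awk '
        { sub(/#.*/, "") }                      # strip comments first
        /^[ \t]*networks[ \t]*:/ {
            found = 1
            sub(/^[ \t]*networks[ \t]*:/, "")   # keep only the service list
            gsub(/\[[^]]*\]/, " ")              # drop actions like [NOTFOUND=return]
            n = split($0, svc, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (svc[i] == "dns") uses_dns = 1
            # If several networks lines exist, any one listing dns is reported.
        }
        END {
            if (!found)        print "absent"
            else if (uses_dns) print "dns"
            else               print "no-dns"
        }
    '
}

# Constructed sample input, not taken from a real host.
sample='# /etc/nsswitch.conf
hosts:      files dns
networks:   files dns   # lookup path named in the advisory is still enabled
'
printf '%s' "$sample" | networks_lookup_status
```

On a live system the same check is `networks_lookup_status < /etc/nsswitch.conf`; a result of `absent` needs a manual look, since no explicit setting is in force.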