Slackware Linux Advisories: sysklogd, libpng, xine-lib, rsync

May 03, 2004, 21:14 (0 Talkback[s])

[slackware-security] sysklogd update (SSA:2004-124-02)

New sysklogd packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue where a user could cause syslogd to crash. Thanks to Steve Grubb who researched the issue.

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/sysklogd-1.4.1-i486-9.tgz: Patched a bug which could allow a user to cause syslogd to write to unallocated memory and crash. Thanks to Steve Grubb for finding the bug, and Solar Designer for refining the patch.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sysklogd-1.4.1-i386-7.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sysklogd-1.4.1-i386-9.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/sysklogd-1.4.1-i486-9.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/sysklogd-1.4.1-i486-9.tgz

MD5 signatures:

Slackware 8.1 package:
4bcd73db9029567f73d7131f63421cdd sysklogd-1.4.1-i386-7.tgz

Slackware 9.0 package:
8e7563c3c060641acc2307b0ab8c1402 sysklogd-1.4.1-i386-9.tgz

Slackware 9.1 package:
f97b852f2202af2ed775a2e0c584bc26 sysklogd-1.4.1-i486-9.tgz

Slackware -current package:
5820b02d24994c1b5fff7a62b59dada0 sysklogd-1.4.1-i486-9.tgz

Installation instructions:

First, stop syslogd/klogd:
# . /etc/rc.d/rc.syslog stop

Next, upgrade the package as root:
# upgradepkg sysklogd-1.4.1-i486-9.tgz

Finally, restart the logging system:
# . /etc/rc.d/rc.syslog start

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] libpng update (SSA:2004-124-04)

New libpng packages are available for Slackware 9.0, 9.1, and -current to fix an issue where libpng could be caused to crash, perhaps creating a denial of service issue if network services are linked with it.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/libpng-1.2.5-i486-2.tgz: Patched a problem where libpng may access memory that is out of bounds when creating an error message, possibly crashing libpng and creating a denial of service. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libpng-1.2.5-i386-2.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libpng-1.2.5-i486-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libpng-1.2.5-i486-2.tgz

MD5 signatures:

Slackware 9.0 package:
6c68e6a65850e26b60651d65fd8c0a2f libpng-1.2.5-i386-2.tgz

Slackware 9.1 package:
781c7e61997c34c5c70855be40012bb9 libpng-1.2.5-i486-2.tgz

Slackware -current package:
476b916ded315a2eba0af3c6637d770b libpng-1.2.5-i486-2.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg libpng-1.2.5-i486-2.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] xine-lib update (SSA:2004-124-03)

New xine-lib packages are available for Slackware 9.1 and -current to fix a security issue where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream.

More details about this issue may be found in this advisory:

http://www.xinehq.de/index.php/security/XSA-2004-3

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/xine-lib-1rc4-i686-1.tgz: Upgraded to xine-lib-1-rc4. This fixes an exploit possible when playing Real RTSP streams. For more details, see:
http://www.xinehq.de/index.php/security/XSA-2004-3
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/xine-lib-1rc4-i686-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/xine-lib-1rc4-i686-1.tgz

MD5 signatures:

Slackware 9.1 package:
78f2924f19dda0399317fb0eb34dc4da xine-lib-1rc4-i686-1.tgz

Slackware -current package:
eef1fc39ce6d88cf3b46f57084eb3dc2 xine-lib-1rc4-i686-1.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg xine-lib-1rc4-i686-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] rsync update (SSA:2004-124-01)

New rsync packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. When running an rsync server without the chroot option, it is possible for an attacker to write outside of the allowed directory. Any sites running rsync in that mode should upgrade right away (and should probably look into using the chroot option as well).
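An added check for the chroot recommendation above (example code, not part of the Slackware advisory): a POSIX shell/awk audit of rsyncd.conf that lists every module whose effective "use chroot" setting is off, taking rsync's own default of yes into account. It assumes the usual rsyncd.conf layout of a global section followed by [module] sections, and option names that ignore case and internal whitespace as rsync's parser does.

```shell
# Audit an rsyncd.conf: print the name of every module whose effective
# "use chroot" setting is not enabled. rsync's built-in default is yes, so a
# module is only reported when the global section or the module itself turns
# chroot off. Argument: path to the config file.
rsyncd_modules_without_chroot() {
    awk '
        function report() {
            eff = (modval != "") ? modval : (globalval != "" ? globalval : "yes")
            if (eff != "yes" && eff != "true" && eff != "1") print mod
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }             # trim whitespace
        /^$/ { next }
        /^\[.*\]$/ {                                # start of a module section
            if (mod != "") report()
            mod = substr($0, 2, length($0) - 2); modval = ""; next
        }
        tolower($0) ~ /^use[ \t]*chroot[ \t]*=/ {   # option name: any case/spacing
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            if (mod == "") globalval = v; else modval = v
        }
        END { if (mod != "") report() }
    ' "$1"
}

# Exit non-zero (and list the offenders on stderr) when any module would be
# served without chroot, so the check can gate a configuration deployment.
check_rsyncd_chroot() {
    bad=$(rsyncd_modules_without_chroot "$1")
    if [ -n "$bad" ]; then
        echo "rsync modules served without chroot:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}
```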

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sun May 2 17:16:41 PDT 2004
patches/packages/rsync-2.6.2-i486-1.tgz: Upgraded to rsync-2.6.2. Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, allowing remote attackers to write files outside of the module's path. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/rsync-2.6.2-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/rsync-2.6.2-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/rsync-2.6.2-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/rsync-2.6.2-i486-1.tgz

MD5 signatures:

Slackware 8.1 package:
f7702e872e7816dcb6f9b0ba27c3fb61 rsync-2.6.2-i386-1.tgz

Slackware 9.0 package:
f6ec19791028f4b355bc16d454031204 rsync-2.6.2-i386-1.tgz

Slackware 9.1 package:
a42dc11056b37c7ddd94f71e4ce20c74 rsync-2.6.2-i486-1.tgz

Slackware -current package:
31eb4e17aea2a32a98d4576fab64ab8b rsync-2.6.2-i486-1.tgz

Installation instructions:

If rsync is running as a server, shut it down first.

Then, upgrade the packages as root:
# upgradepkg rsync-2.6.2-i486-1.tgz

Finally, restart the rsync server if needed.
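A wrapper for the installation steps above and the matching steps in the sysklogd, libpng and xine-lib advisories, added here as an example and not part of the Slackware advisories: it compares the downloaded package with the MD5 the advisory publishes before calling upgradepkg and installs nothing on a mismatch. It assumes upgradepkg and md5sum (or BSD md5) are on the path; the optional stop/start commands are the ones each advisory gives.

```shell
# Print the MD5 of a file; uses md5sum (coreutils) or falls back to BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare a downloaded package against the MD5 published in the advisory.
# Returns 0 on match, 1 when the file is unreadable or the digest differs.
verify_package() {
    pkg=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$pkg" ] || { echo "cannot read $pkg" >&2; return 1; }
    actual=$(file_md5 "$pkg")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $pkg: got $actual, advisory lists $expected" >&2
    return 1
}

# Verify, optionally stop a daemon, upgrade, optionally restart it. The
# sysklogd advisory stops syslogd/klogd around upgradepkg and the rsync
# advisory asks for the rsync server to be stopped first; pass those commands
# as the third and fourth arguments. A mismatch returns before upgradepkg.
safe_upgrade() {
    pkg=$1; expected=$2; stop_cmd=${3:-}; start_cmd=${4:-}
    verify_package "$pkg" "$expected" || return 1
    [ -n "$stop_cmd" ] && sh -c "$stop_cmd"
    upgradepkg "$pkg" || return 1
    [ -n "$start_cmd" ] && sh -c "$start_cmd"
    return 0
}

# Example (as root on a Slackware 9.1 box; the hash is the one the advisory lists):
#   safe_upgrade sysklogd-1.4.1-i486-9.tgz f97b852f2202af2ed775a2e0c584bc26 \
#       '. /etc/rc.d/rc.syslog stop' '. /etc/rc.d/rc.syslog start'
if [ $# -ge 2 ]; then
    safe_upgrade "$@"
fi
```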

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com