Linux Today: Linux News On Internet Time.
Slackware Linux Advisories: mc, kdelibs

May 19, 2004, 18:58

[slackware-security] mc (SSA:2004-136-01)

New mc packages are available for Slackware 9.0, 9.1, and -current to fix security issues. These could lead to a denial of service or the execution of arbitrary code as the user running mc.

Sites that use mc should upgrade to the new mc package.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0232

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Fri May 14 15:11:37 PDT 2004
patches/packages/mc-4.6.0-i486-2.tgz: Patched to fix buffer overflow, format string, and temporary file creation vulnerabilities found by Andrew V. Samoilov and Pavel Roskin. These could lead to a denial of service or the execution of arbitrary code as the user running mc. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0232
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mc-4.6.0-i386-2.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mc-4.6.0-i486-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mc-4.6.0-i486-2.tgz

MD5 signatures:

Slackware 9.0 package:
e74a8dcdd90f2846e4bbac75a154ad39 mc-4.6.0-i386-2.tgz

Slackware 9.1 package:
ac580a4f3556aaae92be0fd754866a55 mc-4.6.0-i486-2.tgz

Slackware -current package:
ce9b9ab338ee114c5d9038e8420db1e7

Installation instructions:

Upgrade the mc package as root:
# upgradepkg mc-4.6.0-i486-2.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] kdelibs (SSA:2004-238-01)

New kdelibs packages are available for Slackware 9.0, 9.1 and -current to fix security issues with URI handling.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Mon May 17 19:31:12 PDT 2004
patches/packages/kdelibs-3.1.4-i486-2.tgz: Patched URI security issues. According to www.kde.org/:
The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/kdelibs-3.1.3a-i386-2.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kdelibs-3.1.4-i486-2.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/kde/kdelibs-3.2.2-i486-2.tgz

MD5 signatures:

Slackware 9.0 package:
554873b76b83e345c2c86a9785199fcf kdelibs-3.1.3a-i386-2.tgz

Slackware 9.1 package:
4be0192b1c0c246aa947b625eeb6dfd9 kdelibs-3.1.4-i486-2.tgz

Slackware -current package:
015a0efcd12fb61b6bf78a10e218c0cd kdelibs-3.2.2-i486-2.tgz

Installation instructions:

Upgrade the kdelibs package as root:
# upgradepkg kdelibs-3.1.4-i486-2.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
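
The missing check described in the kdelibs ChangeLog entry (a hostname beginning with '-' being treated as an option by the program the handler starts) can be sketched as follows. This is an added example, not code from KDE or Slackware; the CLIENTS mapping, the function names and the sample URIs are assumptions made for illustration, and only the host-based telnet, rlogin and ssh schemes are covered.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed scheme-to-program mapping; the advisory names the handlers, not how they are wired.
CLIENTS = {"telnet": "telnet", "rlogin": "rlogin", "ssh": "ssh"}

# DNS-style labels: each starts and ends with a letter or digit, so a leading '-' never matches.
# (IPv6 literals, ports and user names are out of scope for this sketch.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\Z")


def _host(uri):
    """Return (scheme, percent-decoded host) for a URI."""
    parts = urlsplit(uri)
    return parts.scheme, unquote(parts.hostname or "")


def naive_argv(uri):
    """Unchecked behaviour the advisory describes: the host goes straight into argv."""
    scheme, host = _host(uri)
    return [CLIENTS[scheme], host]


def safe_argv(uri):
    """Build argv only if the decoded host is a plain hostname."""
    scheme, host = _host(uri)
    if scheme not in CLIENTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # Validate after decoding, otherwise '%2D' would slip past a check for '-'.
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    return [CLIENTS[scheme], host]


def is_accepted(uri):
    """True if safe_argv() would hand this URI to a client program."""
    try:
        safe_argv(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URIs.
    for uri in ("ssh://host.example.org/", "telnet://-example/", "rlogin://%2Dexample/"):
        print(uri, "->", naive_argv(uri), "accepted" if is_accepted(uri) else "rejected")
```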