Linux Today: Linux News On Internet Time.






Slackware Linux Advisories: BitchX, EPIC4, mod_ssl, sysvinit, glibc, GnuPG

May 22, 2003, 05:29

[slackware-security] BitchX security fixes (SSA:2003-141-02)

New BitchX packages are available to fix security problems found by Timo Sirainen. BitchX is an IRC (Internet Relay Chat) client. Under certain circumstances, a malicious IRC server could cause BitchX to crash, or possibly to run arbitrary code as the user running BitchX.

All sites running BitchX are advised to upgrade.

More information on the problem can be found here:

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/bitchx-1.0c19-i386-3.tgz: Patched several potential "evil server" security problems noted by Timo Sirainen. (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bitchx-1.0c19-i386-3.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bitchx-1.0c19-i386-3.tgz

MD5 SIGNATURES:

Slackware 8.1 package:
ed9affc29424472b5f442e6182be92ec bitchx-1.0c19-i386-3.tgz

Slackware 9.0 package:
2e2158987c031115a4b1d5cc9741e033 bitchx-1.0c19-i386-3.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

upgradepkg bitchx-1.0c19-i386-3.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
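
The download, MD5 check and upgradepkg steps above recur in every advisory on this page; the following is an added example of the MD5 step, not part of the Slackware advisory. It assumes the advisory has been saved as a text file with one "sum name" pair per line, and the function name and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: check downloaded packages against the MD5 lines of a saved
# advisory. One file name can be listed with a different sum per Slackware
# release, so a package passes if it matches any sum listed for its name.
# Usage: verify_advisory_md5 ADVISORY_FILE PACKAGE_DIR
# Returns 0 if all found packages match, 1 on a mismatch, 2 if none found.
verify_advisory_md5() {
    advisory=$1; dir=$2; rc=0; checked=0
    # Unique package names that appear as "<32 hex digits> <name>.tgz".
    names=$(awk 'length($1) == 32 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.tgz$/ { print $2 }' \
        "$advisory" | sort -u)
    for name in $names; do
        [ -f "$dir/$name" ] || continue     # not downloaded, nothing to check
        checked=$((checked + 1))
        sum=$(md5sum "$dir/$name" | awk '{ print $1 }')
        if awk -v s="$sum" -v n="$name" \
            '$1 == s && $2 == n { ok = 1 } END { exit !ok }' "$advisory"
        then echo "OK       $name"
        else echo "MISMATCH $name"; rc=1
        fi
    done
    [ "$checked" -gt 0 ] || { echo "no listed package found in $dir"; rc=2; }
    return $rc
}

# Constructed sample: one package name listed with two sums (two releases).
tmp=$(mktemp -d)
printf 'constructed package\n' > "$tmp/demo-1.0-i386-1.tgz"
good=$(md5sum "$tmp/demo-1.0-i386-1.tgz" | awk '{ print $1 }')
printf '%s\n' 'MD5 SIGNATURES:' \
    "00000000000000000000000000000000 demo-1.0-i386-1.tgz" \
    "$good demo-1.0-i386-1.tgz" > "$tmp/advisory.txt"
verify_advisory_md5 "$tmp/advisory.txt" "$tmp"
rm -rf "$tmp"
```

Run upgradepkg only when the function returns 0.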


[slackware-security] EPIC4 security fixes (SSA:2003-141-01)

New EPIC4 packages are available to fix security problems found by Timo Sirainen. EPIC4 is an IRC (Internet Relay Chat) client. Under certain circumstances, a malicious IRC server could cause EPIC4 to crash, or possibly to run arbitrary code as the user running EPIC4.

All sites running EPIC4 are advised to upgrade.

More information on the problem can be found here:

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/epic4-1.0.1-i386-3.tgz: Patched a buffer overflow in ctcp.c. (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/epic4-1.0.1-i386-3.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/epic4-1.0.1-i386-3.tgz

MD5 SIGNATURES:

Slackware 8.1 package:
4593af7c875770e1eadbb00b39b1de7a epic4-1.0.1-i386-3.tgz

Slackware 9.0 package:
9b3a389255484d9a2ff7ea0e8caacbc4 epic4-1.0.1-i386-3.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

upgradepkg epic4-1.0.1-i386-3.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


[slackware-security] mod_ssl RSA blinding fixes (SSA:2003-141-05)

An upgrade for mod_ssl to version 2.8.14_1.3.27 is now available. This version provides RSA blinding by default which prevents an extended timing analysis from revealing details of the secret key to an attacker. Note that this problem was already fixed within OpenSSL, so this is a "double fix". With this package, mod_ssl is secured even if OpenSSL is not.

We recommend sites using mod_ssl upgrade to this new package.

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/mod_ssl-2.8.14_1.3.27-i386-1.tgz: Upgraded to mod_ssl-2.8.14_1.3.27. Includes RSA blinding fixes. (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.14_1.3.27-i386-1.tgz

MD5 SIGNATURES:

Slackware 9.0 package:
2888ecec5e2116be81b5295fc477869b mod_ssl-2.8.14_1.3.27-i386-1.tgz

INSTALLATION INSTRUCTIONS:

First, shut down your web server:
# apachectl stop

Then upgrade using upgradepkg (as root):
# upgradepkg mod_ssl-2.8.14_1.3.27-i386-1.tgz

Finally, restart secure web services:
# apachectl startssl

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


[slackware-security] quotacheck security fix in rc.M (SSA:2003-141-06)

An upgraded sysvinit package is available which fixes a problem with the use of quotacheck in /etc/rc.d/rc.M. The original version of rc.M calls quotacheck like this:

echo "Checking filesystem quotas: /sbin/quotacheck -avugM"
/sbin/quotacheck -avugM

The 'M' option is wrong. This causes the filesystem to be remounted, and in the process any mount flags such as nosuid, nodev, noexec, and the like, will be reset. The correct option to use here is 'm', which does not attempt to remount the partition:

echo "Checking filesystem quotas: /sbin/quotacheck -avugm"
/sbin/quotacheck -avugm

We recommend sites using file system quotas upgrade to this new package, or edit /etc/rc.d/rc.M accordingly.

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/sysvinit-2.84-i386-26.tgz: Use option M, not m, for quotacheck. Otherwise, the partition might be remounted losing flags like nosuid,nodev, noexec. Thanks to Jem Berkes for pointing this out. (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sysvinit-2.84-i386-26.tgz

MD5 SIGNATURES:

Slackware 9.0 package:
966281dbd4e8cac23264021b9ad48f61 sysvinit-2.84-i386-26.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

upgradepkg sysvinit-2.84-i386-26.tgz

Then, you'll need to move the new version of rc.M into place, as rc.M is considered a config file and upgradepkg will not overwrite these by default:

mv /etc/rc.d/rc.M.new /etc/rc.d/rc.M

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
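
The sysvinit advisory above says a remount can reset flags such as nosuid, nodev and noexec. The following added example (not part of the Slackware advisory) checks a running system for that condition by comparing the options requested in fstab with the options actually in effect. The function name and the sample fstab and mounts contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: list mount points whose live options lack a restrictive flag
# (nosuid, nodev, noexec) that fstab requests for them.
# Usage: check_mount_flags [FSTAB] [MOUNTS]  (default /etc/fstab /proc/mounts)
check_mount_flags() {
    awk '
        # True when flag is one of the comma-separated options in opts.
        function has(opts, flag) { return index("," opts ",", "," flag ",") > 0 }
        src == "fstab" {
            if ($0 ~ /^[ \t]*#/ || NF < 4) next   # comment or short line
            want[$2] = $4
            next
        }
        { have[$2] = $4 }   # mounts: a later entry for a mount point wins
        END {
            n = split("nosuid nodev noexec", flags, " ")
            for (mp in want)
                if (mp in have)
                    for (i = 1; i <= n; i++)
                        if (has(want[mp], flags[i]) && !has(have[mp], flags[i]))
                            print mp " missing " flags[i]
        }
    ' src=fstab "${1:-/etc/fstab}" src=mounts "${2:-/proc/mounts}" | sort
}

# Constructed sample: /home was remounted and lost nosuid and nodev.
tmp=$(mktemp -d)
cat > "$tmp/fstab" <<'EOF'
/dev/hda1 /     ext3 defaults                       1 1
/dev/hda3 /home ext3 defaults,usrquota,nosuid,nodev 1 2
/dev/hda4 /tmp  ext3 nosuid,nodev,noexec            1 2
EOF
cat > "$tmp/mounts" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /home ext3 rw,usrquota 0 0
/dev/hda4 /tmp ext3 rw,nosuid,nodev,noexec 0 0
EOF
check_mount_flags "$tmp/fstab" "$tmp/mounts"
rm -rf "$tmp"
```

With no arguments the function reads /etc/fstab and /proc/mounts; empty output means no requested flag is missing.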


[slackware-security] glibc XDR overflow fix (SSA:2003-141-03)

An integer overflow in the xdrmem_getbytes() function found in the glibc library has been fixed. This could allow a remote attacker to execute arbitrary code by exploiting RPC services that use xdrmem_getbytes(). None of the default RPC services provided by Slackware appear to use this function, but third-party applications may make use of it.

We recommend upgrading to these new glibc packages.

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/glibc-2.3.1-i386-4.tgz: Patched, recompiled. (* Security fix *)
patches/packages/glibc-debug-2.3.1-i386-4.tgz: Patched, recompiled. (* Security fix *)
patches/packages/glibc-i18n-2.3.1-noarch-4.tgz: Rebuilt.
patches/packages/glibc-profile-2.3.1-i386-4.tgz: Patched, recompiled. (* Security fix *)
patches/packages/glibc-solibs-2.3.1-i386-4.tgz: Patched a buffer overflow in some dead code (xdrmem_getbytes(), which we couldn't find used by anything, but it doesn't hurt to patch it anyway) (* Security fix *)
patches/packages/glibc-zoneinfo-2.3.1-noarch-4.tgz: Rebuilt.
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-2.2.5-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-solibs-2.2.5-i386-4.tgz

Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-debug-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-i18n-2.3.1-noarch-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-profile-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-solibs-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-zoneinfo-2.3.1-noarch-4.tgz

MD5 SIGNATURES:

Slackware 8.1 packages:
ae235701abcccdc726789c9af5a0eb7b glibc-2.2.5-i386-4.tgz
83714476158d8f93a1f597bfdc6945e7 glibc-solibs-2.2.5-i386-4.tgz

Slackware 9.0 packages:
98fb90ce972b42bf5731bc71a722832a glibc-2.3.1-i386-4.tgz
9f2c944389f25dfe1c1dcb13210d9dc4 glibc-debug-2.3.1-i386-4.tgz
fa9fe934fe1dde4c134021e39aadaf7e glibc-i18n-2.3.1-noarch-4.tgz
1b264af8e047fa9378169bb4f8a9836f glibc-profile-2.3.1-i386-4.tgz
7c31f7602c54262c1e3ae16e59f8e0d6 glibc-solibs-2.3.1-i386-4.tgz
35b89aa808f4e7c8424f50eab73d824a glibc-zoneinfo-2.3.1-noarch-4.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

upgradepkg glibc-*.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


[slackware-security] GnuPG key validation fix (SSA:2003-141-04)

A key validation bug which results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key has been fixed with the release of GnuPG 1.2.2.

We recommend sites using GnuPG upgrade to this new package.

For detailed information about the problem, see this page: http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000268.html

Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/gnupg-1.2.2-i386-1.tgz: Upgraded to gnupg-1.2.2, which fixes a bug in key validation for keys with more than one user ID. The bug results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key.
(* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gnupg-1.2.2-i386-1.tgz

MD5 SIGNATURES:

Slackware 9.0 package:
1b2b07c29cbba7aacfb46635f11f2d76 gnupg-1.2.2-i386-1.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

upgradepkg gnupg-1.2.2-i386-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com