Linux Today: Linux News On Internet Time.






Slackware Linux Advisories: Mozilla, GTK+, CUPS, xine-lib

Sep 23, 2004, 15:59

[slackware-security] Mozilla (SSA:2004-266-03)

New Mozilla 1.7.3 packages are available for Slackware 10.0 and -current to fix security issues.

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-1.7.3-i486-1.tgz: Upgraded to mozilla-1.7.3.
The Mozilla page says this fixes some "minor security holes". It also breaks Galeon and Epiphany, and new versions of these have still not appeared. In light of this, I think it's time to remove these Gecko-based browsers. The future is going to be Firefox and Thunderbird anyway, and I don't believe Galeon and Epiphany can be compiled against Firefox's libraries.
(* Security fix *)
+--------------------------+

[ Philip Langdale of the Galeon project was kind enough to write to tell me that Galeon can be compiled against Mozilla 1.7.3 if this option is used:
--with-mozilla-snapshot=1.7.2
The point about Firefox remains though. I don't intend to support the Mozilla suite, a number of browsers that depend on it, and Firefox and Thunderbird. While these are all great projects the goal will be to choose the best one and go with it. ]

Where to find the new packages:

Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-1.7.3-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-plugins-1.7.3-noarch-1.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-1.7.3-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-plugins-1.7.3-noarch-1.tgz

MD5 signatures:

Slackware 10.0 packages:
b94d6165e6412ce17113d57b8f4fa326 mozilla-1.7.3-i486-1.tgz
25f1b0a8b66dc21cff2ca8107184a33c mozilla-plugins-1.7.3-noarch-1.tgz

Slackware -current packages:
6e5a0460aa32b4d1014d068868cc616b mozilla-1.7.3-i486-1.tgz
d930901e1ab613f492349833a15934ff mozilla-plugins-1.7.3-noarch-1.tgz

Installation instructions:

Upgrade the packages as root:
# upgradepkg mozilla-1.7.3-i486-1.tgz mozilla-plugins-1.7.3-noarch-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] GTK+ image loading flaws (SSA:2004-266-02)

New GTK+ (version 2) packages are available for Slackware 10.0 and -current to fix issues in the image loader routines that can crash applications.

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
l/gtk+2-2.4.10-i486-1.tgz: Upgraded to gtk+-2.4.10. This fixes security issues in the image loader routines that can crash applications.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gtk+2-2.4.10-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/gtk+2-2.4.10-i486-1.tgz

MD5 signatures:

Slackware 10.0 package:
44546bc140e5ea47ca2e6d314169951c gtk+2-2.4.10-i486-1.tgz

Slackware -current package:
cada53174c06fc621713300a817ad76a gtk+2-2.4.10-i486-1.tgz

Installation instructions:

Upgrade the packages as root:
# upgradepkg gtk+2-2.4.10-i486-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] CUPS DoS (SSA:2004-266-01)

New CUPS packages are available for Slackware 9.1, 10.0, and -current to fix a denial of service issue where a malformed packet can crash the CUPS server.

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558

Here are the details from the Slackware 10.0 ChangeLog:

+--------------------------+
patches/packages/cups-1.1.21-i486-1.tgz: Upgraded to cups-1.1.21.
This fixes a flaw where a remote attacker can crash the CUPS server causing a denial of service.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cups-1.1.21-i486-1.tgz

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/cups-1.1.21-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/cups-1.1.21-i486-1.tgz

MD5 signatures:

Slackware 9.1 package:
b3f16be12546c626071281bc17e11739 cups-1.1.21-i486-1.tgz

Slackware 10.0 package:
6cca53545b2ea2d260a3ad4f55e22153 cups-1.1.21-i486-1.tgz

Slackware -current package:
01cc7de97fd7f6d51c3803b5c286dcff cups-1.1.21-i486-1.tgz

Installation instructions:

First, if the CUPS server (cupsd) is running, stop it:
. /etc/rc.d/rc.cups stop

Then upgrade using upgradepkg (as root):
upgradepkg cups-1.1.21-i486-1.tgz

Finally, restart cupsd (if needed):
. /etc/rc.d/rc.cups start

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] xine-lib (SSA:2004-266-04)

New xine-lib packages are available for Slackware 10.0 and -current to fix security issues.

For more details, see:
http://www.xinehq.de/index.php/security/XSA-2004-4
http://www.xinehq.de/index.php/security/XSA-2004-5

Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/xine-lib-1rc6a-i686-1.tgz: Upgraded to xine-lib-1-rc6a.
This release fixes a few overflows that could have security implications.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/xine-lib-1rc6a-i686-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/xine-lib-1rc6a-i686-1.tgz

MD5 signatures:

Slackware 10.0 package:
bd8222afaa5584ce86a602c3cac91a3f xine-lib-1rc6a-i686-1.tgz

Slackware -current package:
fcef31016022f4386cca0f6a064b21d4 xine-lib-1rc6a-i686-1.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg xine-lib-1rc6a-i686-1.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
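
Each advisory above lists per-release MD5 values and then an upgradepkg step. The following is an added example, not part of the advisories or of Slackware's tooling: a hypothetical helper, verify_pkgs, that checks downloaded packages against one release's list before the upgrade runs. The manifest file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: verify_pkgs is a hypothetical helper, not a Slackware tool.
# MANIFEST holds lines copied from ONE release's "MD5 signatures" list,
# "<md5> <file name>". The same file name carries a different MD5 for 10.0
# and for -current, so never mix the lists of two releases in one manifest.

# verify_pkgs MANIFEST DIR
# Returns 0 only when every listed package exists in DIR and matches its MD5.
verify_pkgs() {
    manifest=$1; dir=$2; rc=0; seen=0
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want name rest || [ -n "$want" ]; do
        [ -n "$want" ] || continue                  # blank line
        # Accept only "<32 lowercase hex> <plain file name>"; a name with a
        # slash could point the check at a file outside DIR.
        case $want in *[!0-9a-f]*) want= ;; esac
        case $name in ''|*/*) want= ;; esac
        if [ "${#want}" -ne 32 ] || [ -n "$rest" ]; then
            echo "BAD LINE: $name" >&2; rc=1; continue
        fi
        seen=$((seen + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:  $name" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK:       $name"
        else
            echo "MISMATCH: $name (got $got)" >&2; rc=1
        fi
    done < "$manifest"
    # An empty manifest verifies nothing, so treat it as a failure.
    [ "$seen" -gt 0 ] || rc=1
    return "$rc"
}

# On the Slackware host, as root, gate the upgrade on the check
# (mozilla-10.0.md5 is an assumed name for the saved 10.0 list):
#   verify_pkgs mozilla-10.0.md5 . &&
#       upgradepkg mozilla-1.7.3-i486-1.tgz mozilla-plugins-1.7.3-noarch-1.tgz
```

A matching MD5 shows the download agrees with the list in the advisory; it says nothing about where the list itself came from, which is what the GPG key referenced in each signature block is for.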