en-us shasta@slackware.pl (Slackware.PL staff) http://blogs.law.harvard.edu/tech/rss http://slackware.pl/ Changelog activity and resources for slackware-12.0 (detailed version) ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/bind-9.7.6_P2-i486-1_slack12.0.tgz Upgraded. Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [RT #30025] ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [RT #29539 & #30233] Under heavy incoming TCP query loads named could experience a memory leak which could lead to significant reductions in query response or cause the server to be terminated on systems with "out of memory" killers. [RT #29539] A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644] (* Security fix *) Fri, 27 Jul 2012 17:15:24 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/libpng-1.2.50-i486-1_slack12.0.tgz Upgraded. Fixed incorrect type (int copy should be png_size_t copy) in png_inflate() (fixes CVE-2011-3045). Revised png_set_text_2() to avoid potential memory corruption (fixes CVE-2011-3048). Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386 (* Security fix *) Wed, 25 Jul 2012 02:02:40 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/php-5.3.15-i486-1_slack12.0.tgz Upgraded. Fixed potential overflow in _php_stream_scandir (CVE-2012-2688). (Thanks to Jason Powell, Stas) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688 (* Security fix *) Sun, 22 Jul 2012 19:45:25 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/libexif-0.6.21-i486-1_slack12.0.tgz Upgraded. This update fixes a number of remotely exploitable issues in libexif with effects ranging from information leakage to potential remote code execution. For more information, see: http://sourceforge.net/mailarchive/message.php?msg_id=29534027 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2836 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2837 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2840 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2841 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2845 (* Security fix *) Wed, 18 Jul 2012 05:35:26 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/php-5.3.14-i486-1_slack12.0.tgz Upgraded. This release fixes a weakness in the DES implementation of crypt and a heap overflow issue in the phar extension. (* Security fix *) Fri, 13 Jul 2012 23:14:15 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/freetype-2.4.10-i486-1_slack12.0.tgz Upgraded. Since freetype-2.4.8 many fixes were made to better handle invalid fonts. Many of them are vulnerabilities (see CVE-2012-1126 up to CVE-2012-1144 and SA48320) so all users should upgrade. (* Security fix *) Mon, 25 Jun 2012 02:32:37 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/bind-9.7.6_P1-i486-1_slack12.0.tgz Upgraded. This release fixes an issue that could crash BIND, leading to a denial of service. It also fixes the so-called "ghost names attack" whereby a remote attacker may trigger continued resolvability of revoked domain names. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667 IMPORTANT NOTE: This is a upgraded version of BIND, _not_ a patched one. It is likely to be more strict about the correctness of configuration files. Care should be taken about deploying this upgrade on production servers to avoid an unintended interruption of service. (* Security fix *) Thu, 14 Jun 2012 05:02:39 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/libxml2-2.6.32-i486-2_slack12.0.tgz Upgraded. Patched an off-by-one error in XPointer that could lead to a crash or possibly the execution of arbitrary code. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102 (* Security fix *) Wed, 23 May 2012 00:14:52 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/openssl-0.9.8x-i486-1_slack12.0.tgz Upgraded. This is a very minor security fix: o Fix DTLS record length checking bug CVE-2012-2333 For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333 (* Security fix *) Sat, 19 May 2012 19:03:37 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/openssl-solibs-0.9.8x-i486-1_slack12.0.tgz Upgraded. This is a very minor security fix: o Fix DTLS record length checking bug CVE-2012-2333 For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333 (* Security fix *) Sat, 19 May 2012 19:03:37 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/php-5.3.13-i486-1_slack12.0.tgz Upgraded. This release completes a fix for a vulnerability in CGI-based setups. Note: mod_php and php-fpm are not vulnerable to this attack. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 (* Security fix *) Tue, 08 May 2012 21:21:10 +0200