en-us shasta@slackware.pl (Slackware.PL staff) http://blogs.law.harvard.edu/tech/rss http://slackware.pl/ Changelog activity and resources for slackware-12.1 (detailed version) ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/libtiff-3.9.7-i486-1_slack12.1.tgz Upgraded. Patched overflows, crashes, and out of bounds writes. Thanks to mancha for the backported patches. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244 (* Security fix *) Fri, 18 Oct 2013 02:41:09 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/gnupg-1.4.15-i486-1_slack12.1.tgz Upgraded. Fixed possible infinite recursion in the compressed packet parser. [CVE-2013-4402] Protect against rogue keyservers sending secret keys. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402 (* Security fix *) Mon, 14 Oct 2013 22:09:17 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/gnutls-2.8.4-i486-2_slack12.1.tgz Rebuilt. [Updated to the correct version to fix fetching the "latest" from gnu.org] This update prevents a side-channel attack which may allow remote attackers to conduct distinguishing attacks and plaintext recovery attacks using statistical analysis of timing data for crafted packets. Other minor security issues are patched as well. Thanks to mancha for backporting these patches. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116 (* Security fix *) Mon, 14 Oct 2013 22:09:17 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/xorg-server-1.4.2-i486-3_slack12.1.tgz Rebuilt. Patched a use-after-free bug that can cause an X server crash or memory corruption. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396 (* Security fix *) Mon, 14 Oct 2013 22:09:17 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/xorg-server-xnest-1.4.2-i486-3_slack12.1.tgz Rebuilt. Mon, 14 Oct 2013 22:09:17 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/xorg-server-xvfb-1.4.2-i486-3_slack12.1.tgz Rebuilt. Mon, 14 Oct 2013 22:09:17 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/lm_sensors-2.10.8-i486-1_slack12.1.tgz Upgraded. This update fixes issues with sensors-detect that may cause serious trouble on recent hardware (most notably laptops.) The symptoms are that the display starts misbehaving (wrong resolution or wrong gamma factor.) The risk is mitigated in this package by changing the default behavior of sensors-detect to no longer touch EDID EEPROMs and then to no longer probe graphics adapters at all unless the user asks for it. Sun, 29 Sep 2013 02:39:29 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/xpdf-3.03-i486-2_slack12.1.tgz Rebuilt. Due to a bug in the libXt headers, the previous package build silently omitted the main xpdf binary. This has now been fixed. Fri, 23 Aug 2013 20:18:50 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/hplip-2.8.4-i486-2_slack12.1.tgz Rebuilt. This update fixes a stack-based buffer overflow in the hpmud_get_pml function that can allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted SNMP response with a large length value. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267 (* Security fix *) Wed, 21 Aug 2013 06:11:23 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/xpdf-3.03-i486-1_slack12.1.tgz Upgraded. Sanitize error messages to remove escape sequences that could be used to exploit vulnerable terminal emulators. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142 Thanks to mancha. (* Security fix *) Wed, 21 Aug 2013 06:11:23 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/bind-9.8.5_P2-i486-1_slack12.1.tgz Upgraded. This update fixes a security issue where a specially crafted query can cause BIND to terminate abnormally, resulting in a denial of service. For more information, see: https://kb.isc.org/article/AA-01015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854 (* Security fix *) Tue, 06 Aug 2013 05:23:34 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.25-i486-1_slack12.1.tgz Upgraded. This update addresses two security issues: * SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. * SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896 (* Security fix *) Tue, 06 Aug 2013 05:23:34 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/gnupg-1.4.14-i486-1_slack12.1.tgz Upgraded. Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys. For more information, see: http://eprint.iacr.org/2013/448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242 (* Security fix *) Sat, 03 Aug 2013 20:36:53 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/libgcrypt-1.5.3-i486-1_slack12.1.tgz Upgraded. Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys. For more information, see: http://eprint.iacr.org/2013/448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242 (* Security fix *) Sat, 03 Aug 2013 20:36:53 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/libgpg-error-1.11-i486-1_slack12.1.tgz Upgraded. This package upgrade was needed by the new version of libgcrypt. Sat, 03 Aug 2013 20:36:53 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/php-5.3.27-i486-1_slack12.1.tgz Upgraded. This update fixes an issue where XML in PHP does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113 (* Security fix *) Tue, 16 Jul 2013 21:18:56 +0200 ftp://ftp.slackware.pl/pub/slackware/slackware-12.1/patches/packages/curl-7.16.2-i486-4_slack12.1.tgz Rebuilt. This fixes a minor security issue where a decode buffer boundary flaw in libcurl could lead to heap corruption. For more information, see: http://curl.haxx.se/docs/adv_20130622.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174 (* Security fix *) Sun, 23 Jun 2013 21:00:00 +0200