<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <language>en-us</language>
    <managingEditor>shasta@slackware.pl (Slackware.PL staff)</managingEditor>
    <atom:link href="http://slackware.pl/rss/slackware-12.2-full.xml" rel="self" type="application/rss+xml" />
    <docs>http://blogs.law.harvard.edu/tech/rss</docs> 
    <link>http://slackware.pl/</link>
    <title>Slackware-12.2 ChangeLog detailed RSS at Slackware.PL</title>
    <description>Changelog activity and resources for slackware-12.2 (detailed version)</description>
    <item>
      <title>patches/packages/wicd-1.7.2.4-i486-2_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/wicd-1.7.2.4-i486-2_slack12.2.tgz</link>
      <description>Rebuilt. Fixed an input sanitization bug that breaks accepting a passphrase for a new password-protected access point. Patch from upstream. Thanks to Willy Sudiarto Raharjo for the notice.</description>
      <pubDate>Wed, 09 May 2012 20:16:40 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/php-5.3.13-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/php-5.3.13-i486-1_slack12.2.tgz</link>
      <description>Upgraded. This release completes a fix for a vulnerability in CGI-based setups. Note: mod_php and php-fpm are not vulnerable to this attack. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 (* Security fix *)</description>
      <pubDate>Tue, 08 May 2012 21:21:10 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/pidgin-2.10.4-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/pidgin-2.10.4-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixed possible MSN remote crash. Fixed XMPP remote crash. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214 (* Security fix *)</description>
      <pubDate>Mon, 07 May 2012 18:54:03 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/wicd-1.7.2.4-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/wicd-1.7.2.4-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Correct the fix for CVE-2012-2095 (and fix other new bugs). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2095 (* Security fix *)</description>
      <pubDate>Mon, 30 Apr 2012 22:24:10 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-0.9.8w-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8w-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixes some potentially exploitable buffer overflows. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley &lt;agl@chromium.org&gt; for fixing it. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 (* Security fix *)</description>
      <pubDate>Fri, 27 Apr 2012 01:07:23 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-solibs-0.9.8w-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8w-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixes some potentially exploitable buffer overflows. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley &lt;agl@chromium.org&gt; for fixing it. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 (* Security fix *)</description>
      <pubDate>Fri, 27 Apr 2012 01:07:23 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-0.9.8v-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8v-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixes some potentially exploitable buffer overflows. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley &lt;agl@chromium.org&gt; for fixing it. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 (* Security fix *)</description>
      <pubDate>Mon, 23 Apr 2012 18:18:31 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-solibs-0.9.8v-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8v-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixes some potentially exploitable buffer overflows. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley &lt;agl@chromium.org&gt; for fixing it. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 (* Security fix *)</description>
      <pubDate>Mon, 23 Apr 2012 18:18:31 +0200</pubDate>
    </item>
    <item>
      <title>extra/wicd/wicd-1.7.2.1-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/extra/wicd/wicd-1.7.2.1-i486-1_slack12.2.tgz</link>
      <description>Upgraded. This fixes a local privilege escalation that allows a user to set arbitrary pre/post-connection scripts through D-Bus which are then executed as the wicd user (generally root). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2095 Thanks to dapal for the workaround allowing us to skip the pybabel requirement (for now), and to Robby Workman for the script update. (* Security fix *)</description>
      <pubDate>Mon, 23 Apr 2012 18:18:31 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/pidgin-2.10.3-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/pidgin-2.10.3-i486-1_slack12.2.tgz</link>
      <description>Upgraded. This update fixes several remotely triggerable crash bugs. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3594 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4601 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4602 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4603 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178 (* Security fix *)</description>
      <pubDate>Wed, 11 Apr 2012 17:16:32 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/samba-3.2.15-i486-5_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/samba-3.2.15-i486-5_slack12.2.tgz</link>
      <description>Rebuilt. This is a security release in order to address a vulnerability that allows remote code execution as the &quot;root&quot; user.  All sites running a Samba server should update to the new Samba package and restart Samba. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182 (* Security fix *)</description>
      <pubDate>Wed, 11 Apr 2012 17:16:32 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/libtiff-3.8.2-i486-6_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/libtiff-3.8.2-i486-6_slack12.2.tgz</link>
      <description>Rebuilt. Patched overflows that could lead to arbitrary code execution when parsing a malformed image file. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173 (* Security fix *)</description>
      <pubDate>Sat, 07 Apr 2012 21:48:42 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/libpng-1.2.47-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/libpng-1.2.47-i486-1_slack12.2.tgz</link>
      <description>Upgraded. All branches of libpng prior to versions 1.5.9, 1.4.9, 1.2.47, and 1.0.57, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026 (* Security fix *)</description>
      <pubDate>Wed, 22 Feb 2012 18:14:58 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/apr-util-1.4.1-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/apr-util-1.4.1-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Version bump for httpd upgrade.</description>
      <pubDate>Wed, 08 Feb 2012 01:21:42 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/httpd-2.2.22-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.22-i486-1_slack12.2.tgz</link>
      <description>Upgraded. *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. [Joe Orton] *) SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] *) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. [Joe Orton] *) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan &lt;rainer-apache 7val com&gt;] *) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly. [Joe Orton] *) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose &quot;httpOnly&quot; cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053 (* Security fix *)</description>
      <pubDate>Wed, 08 Feb 2012 01:21:42 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/php-5.3.10-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/php-5.3.10-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830. (Stas, Dmitry) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830 (* Security fix *)</description>
      <pubDate>Wed, 08 Feb 2012 01:21:42 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/proftpd-1.3.4a-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/proftpd-1.3.4a-i486-1_slack12.2.tgz</link>
      <description>Upgraded. This update fixes a use-after-free() memory corruption error, and possibly other unspecified issues. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130 (* Security fix *)</description>
      <pubDate>Wed, 08 Feb 2012 01:21:42 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/vsftpd-2.3.5-i486-1_slack12.2.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.2/patches/packages/vsftpd-2.3.5-i486-1_slack12.2.tgz</link>
      <description>Upgraded. Minor version bump, this also works around a hard to trigger heap overflow in glibc (glibc zoneinfo caching vuln).  For there to be any possibility to trigger the glibc bug within vsftpd, the non-default option &quot;chroot_local_user&quot; must be set in /etc/vsftpd.conf. Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-) Nevertheless: (* Security fix *)</description>
      <pubDate>Wed, 08 Feb 2012 01:21:42 +0100</pubDate>
    </item>
  </channel>
</rss>

