4542820 1999-12-01 22:48 /127 lines/ Postmaster
Recipient: Bugtraq (import) <8745>
Subject: [david@slackware.com: New Patches for Slackware 7.0 Available]
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5 protocol="application/pgp-signature"; boundary="8MZM6zh5Bb05FW+3"
Message-ID: <19991130192435.O1265@seduction>
Date: Tue, 30 Nov 1999 19:24:35 -0800
Reply-To: bjr <bjr@PSYCHOHOLIC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: bjr <bjr@PSYCHOHOLIC.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

--8MZM6zh5Bb05FW+3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

----- Forwarded message from David Cantrell <david@slackware.com> -----

X-POP3-Rcpt: bjr@fscked.cx
Date: Tue, 30 Nov 1999 12:12:26 -0800 (PST)
From: David Cantrell <david@slackware.com>
To: slackware-announce@slackware.com
Subject: New Patches for Slackware 7.0 Available
Precedence: bulk
Reply-To: David Cantrell <david@slackware.com>

There are several bug fixes available for Slackware 7.0. We will always
post bug fixes and security fixes to the /patches subdirectory on the ftp
site:

   ftp.cdrom.com:/pub/linux/slackware-7.0/patches

The ChangeLog.txt file in that directory will show what has been patched
and why. Here is a short overview of the current patches available:

bind.tgz         Upgraded to bind-8.2.2-P5. This fixes a vulnerability
                 in the processing of NXT records that can be used in a
                 DoS attack or (theoretically) be exploited to gain access
                 to the server. It is suggested that everyone running
                 bind upgrade to this package as soon as possible.

nfs-server.tgz   Upgraded to nfs-server-2.2beta47, to fix a security
                 problem with the version that shipped with Slackware 7.0
                 (nfs-server-2.2beta46). By using a long pathname on a
                 directory NFS mounted read-write, it may be possible for
                 an attacker to execute arbitrary code on the server. It
                 is recommended that everyone running an NFS server
                 upgrade to this package immediately.

pine.tgz
imapd.tgz        Pine that shipped with 7.0 looked for pine.conf in
                 /usr/local/lib instead of /usr/lib/pine, which is where
                 we put the file. These packages fix that problem, as
                 well as upgrading to Pine 4.21, which fixes some minor
                 problems people were reporting with the IMAP server
                 (some messages would remain flagged as "N" even after
                 you read it).

raidtool.tgz     The package that shipped with 7.0 was missing the
                 symlinks for /sbin/mdrun and /sbin/mdstop, install this
                 package to address that problem.

sh_utils.tgz     Moved /usr/bin/sleep to /bin/sleep, symlinked to it in
                 /usr/bin. This addresses a problem with metamail's
                 autocompose.

sysvinit.tgz     Carry a 512 byte entropy pool between reboots in
                 /etc/random-seed. This improves the security of anything
                 using /dev/urandom as an entropy source. Also, try to
                 shut down RAID devices in /etc/rc.d/rc.6 if we see that
                 an /etc/mdtab exists on the system.

write.tgz        Fixes the broken /usr/bin/write command. The one that
                 shipped with 7.0 had trouble with the Unix98 PTYs.

wuftpd.tgz       wu-ftpd-2.6.0 as shipped in the tcpip1.tgz package with
                 7.0 has a broken version of /usr/bin/ftpwho that produces
                 invalid output. This package fixes ftpwho.

These packages are designed to be installed on top of an existing
Slackware 7.0 installation. In the case where a package already exists
(such as pine.tgz), it is advisable to use upgradepkg. For other fixes
(such as the write.tgz one), you can just use installpkg to install the
fix.

NOTE: For packages that replace daemons on the system (such as bind), you
need to make sure that you stop the daemon before installing the package.
Otherwise the file may not be updated properly because it is in use. You
can either stop the daemon manually or go into single user mode and then
go back to multiuser mode. Example:

   # telinit 1           Go into single user mode
   # upgradepkg bind     Perform the upgrade
   # telinit 3           Go back to multiuser mode

Remember to back up configuration files before performing upgrades.

- The Slackware Linux Project
  http://www.slackware.com

----- End forwarded message -----

-- 
$_='5O1v3v5y9)1b7u2q4x1i0e3u2"3S9n5w7s6&7o7h8k1l6k3u';s/(.)(.)/pack('C',ord($2)-$1)/eg;print;

--8MZM6zh5Bb05FW+3--
(4542820) -----------------------------------

4542848 1999-12-01 22:52 /92 lines/ Postmaster
Recipient: Bugtraq (import) <8746>
Subject: Security Patches for Slackware 7.0 Available (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.9911302339080.427-100000@jazz.lcmi.ufsc.br>
Date: Tue, 30 Nov 1999 23:39:44 -0200
Reply-To: Rafael Rodrigues Obelheiro <obelix@LCMI.UFSC.BR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Rafael Rodrigues Obelheiro <obelix@LCMI.UFSC.BR>
X-To: linux-security@redhat.com, BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

---------- Forwarded message ----------
Date: Tue, 30 Nov 1999 12:14:09 -0800 (PST)
From: David Cantrell <david@slackware.com>
To: slackware-security@slackware.com
Subject: Security Patches for Slackware 7.0 Available

There are several security updates available for Slackware 7.0.
We will always post bug fixes and security fixes to the /patches
subdirectory on the ftp site:

   ftp.cdrom.com:/pub/linux/slackware-7.0/patches

The ChangeLog.txt file in that directory will show what has been patched
and why. Here is a short overview of the current patches available:

=======================
BIND-8.2.2-P5 available
=======================

CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND:
http://www.cert.org/advisories/CA-99-14-bind.html

Six vulnerabilities have been found in BIND, the popular domain name
server from the Internet Software Consortium (ISC). One of these
vulnerabilities may allow remote intruders to gain privileged access to
name servers.

It is recommended that all systems running the BIND package that shipped
with Slackware 7.0 upgrade to this one. Here is the ChangeLog description:

bind.tgz         Upgraded to bind-8.2.2-P5. This fixes a vulnerability
                 in the processing of NXT records that can be used in a
                 DoS attack or (theoretically) be exploited to gain access
                 to the server. It is suggested that everyone running
                 bind upgrade to this package as soon as possible.

==============================
nfs-server-2.2beta47 available
==============================

It is recommended that all Slackware 7.0 systems using NFS upgrade to
nfs-server 2.2beta47 to patch a possible exploit. Here is the ChangeLog
description:

nfs-server.tgz   Upgraded to nfs-server-2.2beta47, to fix a security
                 problem with the version that shipped with Slackware 7.0
                 (nfs-server-2.2beta46). By using a long pathname on a
                 directory NFS mounted read-write, it may be possible for
                 an attacker to execute arbitrary code on the server. It
                 is recommended that everyone running an NFS server
                 upgrade to this package immediately.

These packages are designed to be installed on top of an existing
Slackware 7.0 installation. In the case where a package already exists
(such as bind.tgz), it is advisable to use upgradepkg. For other fixes
(such as the nfs-server.tgz one), you can just use installpkg to install
the fix.

NOTE: For packages that replace daemons on the system (such as bind), you
need to make sure that you stop the daemon before installing the package.
Otherwise the file may not be updated properly because it is in use. You
can either stop the daemon manually or go into single user mode and then
go back to multiuser mode. Example:

   # telinit 1           Go into single user mode
   # upgradepkg bind     Perform the upgrade
   # telinit 3           Go back to multiuser mode

Remember to back up configuration files before performing upgrades.

- The Slackware Linux Project
  http://www.slackware.com

(4542848) -----------------------------------
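
The sysvinit.tgz entry in the first announcement describes carrying a 512 byte pool in /etc/random-seed across reboots. A sketch of that save/restore logic follows, added here as an example and not taken from the Slackware rc scripts. The function names, the boot/halt dispatcher and the separate device arguments (so it can be exercised on scratch files) are assumptions.

```shell
#!/bin/sh
# Added example, not Slackware's own rc code: carry a 512 byte seed in a
# file across reboots. Function names and argument layout are hypothetical.

SEED_BYTES=512

# Shutdown side: save_seed SEED_FILE POOL_SOURCE
# Writes SEED_BYTES read from the pool to the seed file, owner-only.
save_seed() {
    tmp="$1.new.$$"
    # umask in a subshell so the file is never readable by other users.
    ( umask 077 && dd if="$2" of="$tmp" bs="$SEED_BYTES" count=1 2>/dev/null ) \
        || { rm -f "$tmp"; return 1; }
    # Reject a short read instead of keeping an undersized seed.
    size=$(wc -c < "$tmp")
    [ "$((size))" -eq "$SEED_BYTES" ] || { rm -f "$tmp"; return 1; }
    # Rename over the old seed so a crash never leaves a partial file.
    mv -f "$tmp" "$1"
}

# Boot side: restore_seed SEED_FILE POOL_SINK POOL_SOURCE
# Mixes the saved seed into the pool, then replaces the file at once so
# the same seed is never loaded on two consecutive boots.
restore_seed() {
    if [ -f "$1" ]; then
        # On Linux, writing to /dev/urandom mixes the bytes into the
        # kernel pool without crediting any entropy.
        cat "$1" > "$2" || return 1
    fi
    save_seed "$1" "$3"
}

# Paths from the announcement; only used when an action is requested.
case "${1:-}" in
    boot) restore_seed /etc/random-seed /dev/urandom /dev/urandom ;;
    halt) save_seed /etc/random-seed /dev/urandom ;;
esac
```

Replacing the seed immediately at boot matters as much as saving it at shutdown: after a crash or power loss the shutdown path never runs, and the next boot would otherwise reuse the same seed.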