4542527 1999-12-01 20:54 /112 lines/ Postmaster
Recipient: Bugtraq (import) <8734>
Marked by 1 person.
Subject: [david@slackware.com: New Patches for Slackware 4.0 Available]
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5
              protocol="application/pgp-signature"; boundary="EOHJn1TVIJfeVXv2"
Message-ID: <19991130192425.N1265@seduction>
Date: Tue, 30 Nov 1999 19:24:25 -0800
Reply-To: bjr <bjr@PSYCHOHOLIC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: bjr <bjr@PSYCHOHOLIC.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

----- Forwarded message from David Cantrell <david@slackware.com> -----

X-POP3-Rcpt: bjr@fscked.cx
Date: Tue, 30 Nov 1999 12:11:56 -0800 (PST)
From: David Cantrell <david@slackware.com>
To: slackware-announce@slackware.com
Subject: New Patches for Slackware 4.0 Available
Precedence: bulk
Reply-To: David Cantrell <david@slackware.com>

There are several bug fixes available for Slackware 4.0. Though they have
not been tested on all previous releases of Slackware, they should work for
any libc5 Slackware system (4.0 and previous).

The patches for Slackware 4.0 can be found in the /patches subdirectory on
the ftp site:

    ftp.cdrom.com:/pub/linux/slackware-4.0/patches

The ChangeLog.txt file in that directory will show what has been patched and
why. Here is a short overview of the current patches available:

bind.tgz        Upgraded to bind-8.2.2-P5. This fixes a vulnerability
                in the processing of NXT records that can be used in a
                DoS attack or (theoretically) be exploited to gain access
                to the server. It is suggested that everyone running
                bind upgrade to this package as soon as possible.

nfs-server.tgz  Upgraded to nfs-server-2.2beta47, to fix a security
                problem with the versions prior to 2.2beta47. By using a
                long pathname on a directory NFS mounted read-write, it
                may be possible for an attacker to execute arbitrary code
                on the server. It is recommended that everyone running an
                NFS server upgrade to this package immediately.

pine.tgz        Upgrades Pine to version 4.21. Versions prior to 4.0
                have a Y2K bug where the date sorting will not work
                properly when the new century begins.

imapd.tgz       Upgrades imapd to the version from Pine 4.21

sysklogd.tgz    It's possible to hang a machine and cause a denial of
                service by opening many connections to the syslogd
                shipped with Slackware 4.0 and earlier. This package
                upgrades to sysklogd-1.3-33, which fixes the problem.

wuftpd.tgz      Relinked against -lshadow, enabling MD5 shadow password
                support.

These packages are designed to be installed on top of an existing Slackware
4.0 system. In the case where a package already exists (such as the pine.tgz
one), you should use upgradepkg (if available) to install the patch. For
other fixes, you can just use installpkg to install the patch.

NOTE: For packages that replace daemons on the system (such as bind), you
need to make sure that you stop the daemon before installing the package.
Otherwise the file may not be updated properly because it is in use. You
can either stop the daemon manually or go into single user mode and then go
back to multiuser mode. Example:

    # telinit 1          Go into single user mode
    # upgradepkg bind    Perform the upgrade
    # telinit 3          Go back to multiuser mode

Remember to back up configuration files before performing upgrades.

- The Slackware Linux Project
  http://www.slackware.com

----- End forwarded message -----

-- 
Not only does God play dice, he sometimes throws them where they can't be seen.
 -- Hawkings

(4542527) -----------------------------------
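
The install procedure from the announcement above, as an added dry-run sketch (not part of the original message and not a Slackware tool): it prints the commands in order instead of running them. Assumptions: installed packages are recorded as files named after the package under /var/log/packages, the backup command and its target path are placeholders, and the list of daemon packages is supplied by the caller.

```shell
#!/bin/sh
# Dry-run planner: prints the commands for installing patch packages.
# Assumption: one file per installed package lives in $PKGDB.
PKGDB="${PKGDB:-/var/log/packages}"

# pkg_name FILE -> package name without directory and .tgz suffix
pkg_name() {
    basename "$1" .tgz
}

# pick_tool FILE -> upgradepkg if the package already exists and the
# upgradepkg tool is available, otherwise installpkg.
pick_tool() {
    name=$(pkg_name "$1")
    if [ -e "$PKGDB/$name" ] && command -v upgradepkg >/dev/null 2>&1; then
        echo upgradepkg
    else
        echo installpkg
    fi
}

# plan "DAEMON PACKAGES" FILE... -> ordered command list on stdout.
# If any FILE replaces a daemon, the installs are wrapped in telinit 1 / 3.
plan() {
    daemons=" $1 "
    shift
    need_single=no
    for f in "$@"; do
        case "$daemons" in
            *" $(pkg_name "$f") "*) need_single=yes ;;
        esac
    done
    # Placeholder backup step: configuration files are saved first.
    echo "tar czf /root/etc-backup.tar.gz /etc"
    if [ "$need_single" = yes ]; then echo "telinit 1"; fi
    for f in "$@"; do
        echo "$(pick_tool "$f") $f"
    done
    if [ "$need_single" = yes ]; then echo "telinit 3"; fi
}

# Usage: DAEMONS="bind nfs-server" sh plan.sh bind.tgz pine.tgz
if [ "$#" -gt 0 ]; then
    plan "${DAEMONS:-bind}" "$@"
fi
```

Review the printed plan before typing the commands as root; nothing is executed by the script itself.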