April 2005
Four Slackware Security Advisories: 1. SSA:2005-111-01 - CVS 2. SSA:2005-111-03 - gaim 3. SSA:2005-111-04 - Mozilla/Firefox 4. SSA:2005-111-02 - Python SimpleXMLRPCServer module
ID: 00350
Ref: 324/2005
Date: 22 April 2005:15:26:59
Version: 1
Vendors affected: Slackware
Operating systems affected: Slackware
Applications affected: Slackware
Title
=====
Four Slackware Security Advisories:
1. SSA:2005-111-01 - CVS
2. SSA:2005-111-03 - gaim
3. SSA:2005-111-04 - Mozilla/Firefox
4. SSA:2005-111-02 - Python SimpleXMLRPCServer module
Detail
======
1. patches/packages/cvs-1.11.20-i486-1.tgz: Upgraded to cvs-1.11.20.
- From cvshome.org: "This version fixes many minor security issues in the
CVS server executable including a potentially serious buffer overflow
vulnerability with no known exploit. We recommend this upgrade for all CVS
servers!"
2. New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1,
and -current to fix several security issues. Sites that use GAIM
should upgrade to the new version.
3. New Mozilla packages are available for Slackware 10.0, 10.1, and -current
to fix various security issues and bugs. See the Mozilla site for a complete
list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
4. New Python packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
and -current to fix a security issue in the SimpleXMLRPCServer library
module.
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] CVS (SSA:2005-111-01)
New CVS packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
and -current to fix security issues.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/cvs-1.11.20-i486-1.tgz: Upgraded to cvs-1.11.20.
From cvshome.org: "This version fixes many minor security issues in the
CVS server executable including a potentially serious buffer overflow
vulnerability with no known exploit. We recommend this upgrade for all CVS
servers!"
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.20-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/cvs-1.11.20-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.20-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
c94fb036f87d31bb78cb70f97802ef4a cvs-1.11.20-i386-1.tgz
Slackware 9.0 package:
180fe0ba92cc5ee557f5468823c0e365 cvs-1.11.20-i386-1.tgz
Slackware 9.1 package:
11aec60a9dd42ed9b6cd5bd1e13f7f00 cvs-1.11.20-i486-1.tgz
Slackware 10.0 package:
ae181089d20698948d294facad010cbe cvs-1.11.20-i486-1.tgz
Slackware 10.1 package:
893c9053b6f38c429d386fb70bea19e0 cvs-1.11.20-i486-1.tgz
Slackware -current package:
4f6f74e6fdfe259a2c3f6088ee84d5c8 cvs-1.11.20-i486-1.tgz
Installation instructions:
+------------------------+
First, shut down the cvs server if you are running one.
Upgrade the packages as root:
# upgradepkg cvs-1.11.20-i486-1.tgz
Finally, restart the CVS server.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD4DBQFCaG6qakRjwEAQIjMRAnfPAJUWxqQ9/CEGClKcRJSDTVnpfGYCAJ9k+tFt
S1f+Hvp5VZRzrjO94OwUAQ==
=ROFJ
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] gaim (SSA:2005-111-03)
New gaim packages are available for Slackware 9.0, 9.1, 10.0, 10.1,
and -current to fix several security issues. Sites that use GAIM
should upgrade to the new version.
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/gaim-1.2.1-i486-1.tgz: Upgraded to gaim-1.2.1.
According to gaim.sf.net, this fixes a few denial-of-service flaws.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gaim-1.2.1-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-1.2.1-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 9.0 package:
630bced584023b81372126df5eb03eb5 gaim-1.2.1-i386-1.tgz
Slackware 9.1 package:
4c3f57658bf1371230b35e63967800d5 gaim-1.2.1-i486-1.tgz
Slackware 10.0 package:
b8a6585f6e3cd90d8324b49c8399d8dc gaim-1.2.1-i486-1.tgz
Slackware 10.1 package:
1d58b6f3e5b202152b0b7dc968b0c6f5 gaim-1.2.1-i486-1.tgz
Slackware -current package:
d4d07ba8e57b0fe2b45c8eb1109e9fbc gaim-1.2.1-i486-1.tgz
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg gaim-1.2.1-i486-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFCaG6uakRjwEAQIjMRAtdIAJ9R804r59FwLL3BJ9zvrG3EoVeTLACeOvO9
LrLKjLU2MoYjkPegcdsM5xw=
=ZiF4
- -----END PGP SIGNATURE-----
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] Mozilla/Firefox (SSA:2005-111-04)
New Mozilla packages are available for Slackware 10.0, 10.1, and -current
to fix various security issues and bugs. See the Mozilla site for a complete
list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are also out for
Slackware 10.0 and 10.1, and a new version of the jre-symlink package for
Slackware -current.
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-1.7.7-i486-1.tgz: Upgraded to mozilla-1.7.7.
This fixes some security issues. For complete details, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
(* Security fix *)
patches/packages/mozilla-plugins-1.7.7-noarch-1.tgz: Upgraded Java(TM)
symlink for Mozilla.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-1.7.7-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-plugins-1.7.7-noarch-1.tgz
Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/mozilla-1.7.7-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/mozilla-plugins-1.7.7-noarch-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/jre-symlink-1.0.3-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-1.7.7-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-1.0.3-i686-1.tgz
MD5 signatures:
+-------------+
Slackware 10.0 packages:
ce858e8818a5446f77a65eb3596f169e mozilla-1.7.7-i486-1.tgz
273a55ae2b6549a708d373ce41d22dcc mozilla-plugins-1.7.7-noarch-1.tgz
Slackware 10.1 packages:
88067d3dd9b05424993eeecf4ec439dd mozilla-1.7.7-i486-1.tgz
f1f2d581553911f219ee985a93b10b62 mozilla-plugins-1.7.7-noarch-1.tgz
Slackware -current packages:
200c44ab49c175cd45366e0faaf0979f jre-symlink-1.0.3-noarch-1.tgz
39b5dd6559802159cc6d8bbf6bdecbdc mozilla-1.7.7-i486-1.tgz
10abe6ae734d8ccaa2c77946df794b21 mozilla-firefox-1.0.3-i686-1.tgz
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg mozilla-1.7.7-i486-1.tgz mozilla-plugins-1.7.7-noarch-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFCaG6wakRjwEAQIjMRAmZcAJsHz+lCzcqfsYknyzl8xEMuZlqY9wCfVatq
gAO9qqo9QLRRN3KpW/J6Kps=
=mbnX
- -----END PGP SIGNATURE-----
4.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] Python SimpleXMLRPCServer module (SSA:2005-111-02)
New Python packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
and -current to fix a security issue in the SimpleXMLRPCServer library
module.
Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/python-2.4.1-i486-1.tgz: Upgraded to python-2.4.1.
From the python.org site: "The Python development team has discovered a flaw
in the SimpleXMLRPCServer library module which can give remote attackers
access to internals of the registered object or its module or possibly other
modules. The flaw only affects Python XML-RPC servers that use the
register_instance() method to register an object without a _dispatch()
method. Servers using only register_function() are not affected."
For more details, see:
http://python.org/security/PSF-2005-001/
(* Security fix *)
patches/packages/python-demo-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
demos.
patches/packages/python-tools-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
tools.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/python-2.2.3-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/python-2.2.3-i386-1.tgz
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-demo-2.3.5-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-tools-2.3.5-noarch-1.tgz
Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-demo-2.3.5-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-tools-2.3.5-noarch-1.tgz
Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-demo-2.4.1-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-tools-2.4.1-noarch-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-demo-2.4.1-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-tools-2.4.1-noarch-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
b90d20f1c90a39407fae3346e17befd0 python-2.2.3-i386-1.tgz
Slackware 9.0 package:
fb39a3367b130440b5f8a64c3468eec2 python-2.2.3-i386-1.tgz
Slackware 9.1 packages:
897fe07abe99fc1f1a4095cacecd697f python-2.3.5-i486-1.tgz
34a3cd2b3fe85810964a13fce7c5d9fc python-demo-2.3.5-noarch-1.tgz
c48b074dcf6a76818e181764ce7e41ee python-tools-2.3.5-noarch-1.tgz
Slackware 10.0 packages:
11c483e44089d7aae954c62eada1108c python-2.3.5-i486-1.tgz
b1dbd8eeca44c048dd83f505b2c69fdb python-demo-2.3.5-noarch-1.tgz
554e9cc2cb5c3f9d02cb57ee07025681 python-tools-2.3.5-noarch-1.tgz
Slackware 10.1 packages:
b78837244ef3c145cb9c354729d2954f python-2.4.1-i486-1.tgz
83b8a735c638a64f0f348a95fd58847a python-demo-2.4.1-noarch-1.tgz
83f0b4a65b44de14e475faa4087e5268 python-tools-2.4.1-noarch-1.tgz
Slackware -current packages:
7b2695497611d592ca756a074084bcbc python-2.4.1-i486-1.tgz
81f77f0063c79aa9cb78c7d03c2a762b python-demo-2.4.1-noarch-1.tgz
4008585cd345feb544de5ffae574a449 python-tools-2.4.1-noarch-1.tgz
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg python-2.4.1-i486-1.tgz python-demo-2.4.1-noarch-1.tgz python-tools-2.4.1-noarch-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFCaG6sakRjwEAQIjMRAgQUAJ9AP2+3/FIMWQ4P4NkGDUl9dw3YygCfZmiT
574knh55gFxmCnxjKr1CENs=
=KQDB
- -----END PGP SIGNATURE-----
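
An added example (not from the advisory or python.org) of the registration patterns the PSF text in item 4 contrasts, written against Python 3's `xmlrpc.server`, the current name of the SimpleXMLRPCServer module. `JobQueue`, `GuardedJobQueue` and the helper functions are hypothetical names; the example shows that a bare `register_instance()` answers for every public method, while a `_dispatch()` allowlist or `register_function()` answers only for what is named.

```python
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher

class JobQueue:
    """Hypothetical service object; only status() is meant to be remote."""
    def __init__(self):
        self.jobs = {"42": "running"}  # constructed sample data

    def status(self, job_id):
        return self.jobs.get(job_id, "unknown")

    def purge(self):  # administrative helper, not intended for remote callers
        self.jobs.clear()
        return True

class GuardedJobQueue(JobQueue):
    """Same object with a _dispatch() method that enforces an allowlist."""
    EXPOSED = frozenset({"status"})

    def _dispatch(self, method, params):
        if method not in self.EXPOSED:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)

def build(instance=None, functions=()):
    """Dispatcher with allow_dotted_names left at its default (False)."""
    dispatcher = SimpleXMLRPCDispatcher()
    if instance is not None:
        dispatcher.register_instance(instance)
    for name, func in functions:
        dispatcher.register_function(func, name)
    return dispatcher

def reachable(dispatcher, method, params=()):
    """Send a marshalled XML-RPC request; True if no Fault comes back."""
    request = dumps(tuple(params), method).encode()
    response = dispatcher._marshaled_dispatch(request)
    try:
        loads(response)
        return True
    except Fault:
        return False

def audit(dispatcher):
    """Report which of the two method names this registration answers."""
    return {"status": reachable(dispatcher, "status", ("42",)),
            "purge": reachable(dispatcher, "purge")}
```

Running `audit()` against each registration style of an existing server object is a quick way to confirm which method names it actually exposes after the upgrade.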