CPNI - Centre for the Protection of National Infrastructure

July 2005

Slackware - Two Security Announcements

ID: 00605
Ref: 562/05
Date: 21 July 2005:12:17:14
Version: 1

Title: Slackware - Two Security Announcements
Abstract: 1. dnsmasq (SSA:2005-201-01), 2. emacs movemail POP utility (SSA:2005-201-02)
Vendors affected: Slackware
Operating systems affected: Slackware
Applications affected: Slackware


Title
=====

Slackware - Two Security Announcements:
1. dnsmasq (SSA:2005-201-01)
2. emacs movemail POP utility (SSA:2005-201-02)


Detail
======

Security announcement summaries:

1. New dnsmasq packages are available for Slackware 10.0, 10.1, and -current
to fix security issues. An off-by-one overflow vulnerability may allow
a DHCP client to create a denial of service condition. Additional code
was also added to detect and defeat attempts to poison the DNS cache.

2. New emacs packages are available for Slackware 10.1 and -current to fix
a security issue with the movemail utility for retrieving mail from
a POP mail server. If used to connect to a malicious POP server, it
is possible for the server to cause the execution of arbitrary code as
the user running emacs.


Security announcement content follows:


1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] dnsmasq (SSA:2005-201-01)


New dnsmasq packages are available for Slackware 10.0, 10.1, and -current
to fix security issues. An off-by-one overflow vulnerability may allow
a DHCP client to create a denial of service condition. Additional code
was also added to detect and defeat attempts to poison the DNS cache.


More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877

Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/dnsmasq-2.22-i486-1.tgz: Upgraded to dnsmasq-2.22.
This fixes an off-by-one overflow vulnerability that may allow a DHCP
client to create a denial of service condition. Additional code was
also added to detect and defeat attempts to poison the DNS cache.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0877
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/dnsmasq-2.22-i486-1.tgz

Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/dnsmasq-2.22-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dnsmasq-2.22-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 10.0 package:
9716a39a464c0121b88a3a717a65b7a3 dnsmasq-2.22-i486-1.tgz

Slackware 10.1 package:
21f99c7ed9bbee044fb839f4a9214b8c dnsmasq-2.22-i486-1.tgz

Slackware -current package:
e37624bee39e7e5da2f8790973e89e07 dnsmasq-2.22-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg dnsmasq-2.22-i486-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFC3qVuakRjwEAQIjMRAugwAJwLKlNP8P+tMmOdVXY2q9JLVvfbrgCeOLdv
BOMNsQRNEBmko2P9llY8HPo=
=MfPW
- -----END PGP SIGNATURE-----




2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] emacs movemail POP utility (SSA:2005-201-02)


New emacs packages are available for Slackware 10.1 and -current to fix
a security issue with the movemail utility for retrieving mail from
a POP mail server. If used to connect to a malicious POP server, it
is possible for the server to cause the execution of arbitrary code as
the user running emacs.

Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/emacs-21.4a-i486-1.tgz: Upgraded to emacs-21.4a.
This fixes a vulnerability in the movemail utility when connecting to a
malicious POP server that may allow the execution of arbitrary code as
the user running emacs.
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-21.4a-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-info-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-leim-21.4-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-lisp-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-misc-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/emacs-nox-21.4a-i486-1.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-21.4a-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-info-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-leim-21.4-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-lisp-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-misc-21.4a-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/e/emacs-nox-21.4a-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 10.1 packages:
7bb30482651e5e4558eea0b66b55d1de emacs-21.4a-i486-1.tgz
45b0fb651c6c7b9deacb55efe582b4b5 emacs-info-21.4a-noarch-1.tgz
5d0152fa95027215b14ece0f8fbf8a37 emacs-leim-21.4-noarch-1.tgz
5bd976633a33dad36161eba7e92bec61 emacs-lisp-21.4a-noarch-1.tgz
2763fe68ed8c833ed95ec4c95aacc562 emacs-misc-21.4a-noarch-1.tgz
195df428e1a10c50da88129002c9e2f9 emacs-nox-21.4a-i486-1.tgz

Slackware -current packages:
44986e6ca1e02d971f43e3d0f118dde3 emacs-21.4a-i486-1.tgz
100643203d73d54df78c58eef8596e4b emacs-info-21.4a-noarch-1.tgz
70effd3b113d795d8532022139269f77 emacs-leim-21.4-noarch-1.tgz
2bcec4297285f30124e2a61f85a27440 emacs-lisp-21.4a-noarch-1.tgz
48ebc0d4e581d5deb15159a4d34c060d emacs-misc-21.4a-noarch-1.tgz
04fb5ed4b1da572063b2a991d8c54edf emacs-nox-21.4a-i486-1.tgz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg emacs-21.4a-i486-1.tgz \
    emacs-info-21.4a-noarch-1.tgz \
    emacs-leim-21.4-noarch-1.tgz \
    emacs-lisp-21.4a-noarch-1.tgz \
    emacs-misc-21.4a-noarch-1.tgz \
    emacs-nox-21.4a-i486-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFC3qbFakRjwEAQIjMRAgthAJsFFB9Z36TqtkNPM+tegL9KZS1zogCdHHcS
9X8hl9NzM70t4pPBPymgqe0=
=cd3U
- -----END PGP SIGNATURE-----
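
Both announcements list the same package file name with a different MD5 for each release, so a check before upgradepkg has to use the entry for the release being patched. The shell functions below are an added example, not part of the Slackware or CPNI text; the function names and the demo package are assumptions, and the demo data is constructed.

```shell
# Added example (not from the advisory): check a package against the MD5 listed
# for ONE release before upgradepkg. Advisory file and release are arguments.

# expected_md5 ADVISORY RELEASE PACKAGE -> checksum under the
# "Slackware RELEASE package(s):" heading of the "MD5 signatures:" section.
expected_md5() {
    awk -v rel="$2" -v pkg="$3" '
        /^MD5 signatures:/            { in_md5 = 1; next }
        /^Installation instructions:/ { in_md5 = 0 }
        in_md5 && /^Slackware .* packages?:$/ { cur = $2; next }
        in_md5 && (cur "") == (rel "") && NF == 2 && $2 == pkg &&
            length($1) == 32 && $1 ~ /^[0-9a-f]+$/ { print $1; exit }
    ' "$1"
}

# verify_pkg ADVISORY RELEASE FILE -> 0 match, 1 mismatch, 2 not listed.
verify_pkg() {
    want=$(expected_md5 "$1" "$2" "$(basename "$3")")
    [ -n "$want" ] || { echo "no MD5 for $3 under release $2" >&2; return 2; }
    have=$(md5sum "$3" | awk '{ print $1 }')
    [ "$want" = "$have" ] && return 0
    echo "MD5 mismatch for $3 ($2): expected $want, got $have" >&2
    return 1
}

# Demo on constructed data: a stand-in "package" plus an advisory excerpt whose
# 10.1 entry is the file's real MD5 and whose 10.0 entry is deliberately wrong.
demo() {
    d=$(mktemp -d) || return 3
    p="$d/demo-1.0-i486-1.tgz"
    printf 'constructed stand-in package\n' > "$p"
    sum=$(md5sum "$p" | awk '{ print $1 }')
    cat > "$d/advisory.txt" <<EOF
MD5 signatures:
Slackware 10.0 package:
00000000000000000000000000000000 demo-1.0-i486-1.tgz
Slackware 10.1 package:
$sum demo-1.0-i486-1.tgz
Installation instructions:
EOF
    ok=0;   verify_pkg "$d/advisory.txt" 10.1     "$p" 2>/dev/null || ok=$?
    bad=0;  verify_pkg "$d/advisory.txt" 10.0     "$p" 2>/dev/null || bad=$?
    none=0; verify_pkg "$d/advisory.txt" -current "$p" 2>/dev/null || none=$?
    rm -rf "$d"
    echo "$ok $bad $none"
}

demo   # prints: 0 1 2
```

With an announcement saved as advisory.txt (a hypothetical file name), `verify_pkg advisory.txt 10.1 dnsmasq-2.22-i486-1.tgz && upgradepkg dnsmasq-2.22-i486-1.tgz` upgrades only when the checksum for 10.1 matches. The listed checksum is only as trustworthy as the copy of the announcement it was read from, which is what the PGP signature is for.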


