News
Seamonkey, GnuTLS and Ruby upgrades.
Seamonkey-1.1.10
Incognu has packaged seamonkey-1.1.10 for VL5.8 and VL5.9. This is a security fix release. You can read the release notes here, and the security fixes here. This also includes updated window icons by jtek.
Package: seamonkey-1.1.10-i586-2vl59.tlz
MD5: f53f0ad5c500a19e9b6a3873f909073a
Package Size: 18,152 KiB (17.73 MB)
Installed size: 73,650 KiB (71.92 MB)
The above information is not available for the VL5.8 package.
SeaMonkey (an open-source web browser suite)
The SeaMonkey browser suite. SeaMonkey features a state-of-the-art
web browser and powerful email client, as well as a WYSIWYG web page
composer and a feature-rich IRC chat client. For web developers,
mozilla.org's DOM inspector and JavaScript debugger tools are included
as well.
Visit the SeaMonkey project at this URL:
http://www.mozilla.org/projects/seamonkey/
Ruby 1.8.6_p230
Ruby-1.8.6_p230 is available for VectorLinux-5.9 to fix security issues reported here:
http://www.slackware.com/security/viewer.php?l=slackware-security
Ruby (Interpreted object-oriented scripting language)
Ruby is an interpreted scripting language for quick and easy
object-oriented programming. It has many features to process text
files and to do system management tasks (as in Perl). It is simple,
straight-forward, and extensible.
Visit the Ruby project online at http://www.ruby-lang.org/
GnuTLS 1.6.3
GnuTLS-1.6.3 is available for download from the VectorLinux repository.
This is a security fix:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
Package: gnutls-1.6.3-i486-1_slack12.0.tlz
MD5: 06af4e1a0b8e26aab07052508300c790
Package Size: 827 KiB (0.81 MB)
Installed size: 2,270 KiB (2.22 MB)
gnutls (GNU TLS library)
This is a TLS (Transport Layer Security) 1.0 and SSL (Secure Sockets
Layer) 3.0 implementation. In brief, GnuTLS can be described as a
library which offers an API to access secure communication protocols.
These protocols provide privacy over insecure lines, and were designed
to prevent eavesdropping, tampering, or message forgery.
Homepage: http://www.gnu.org/software/gnutls/
These packages are available from the testing repository. You can read about the VectorLinux packaging system here. If you find any problem, please ask for assistance at the VectorLinux Forum.
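The package entries above publish an MD5 for each .tlz file. As an added example (not part of the VectorLinux announcement or its tooling), the script below parses those "Package:" / "MD5:" pairs and checks downloaded files against them before installation; the advisory text embedded in it is copied from this page, and the directory argument is an assumption.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Constructed sample: the Package/MD5 pairs exactly as printed in the advisory above.
ADVISORY_TEXT = """
Package: seamonkey-1.1.10-i586-2vl59.tlz
MD5: f53f0ad5c500a19e9b6a3873f909073a
Package Size: 18,152 KiB (17.73 MB)
Package: gnutls-1.6.3-i486-1_slack12.0.tlz
MD5: 06af4e1a0b8e26aab07052508300c790
"""

def parse_advisory(text):
    """Return {package_filename: md5_hex} from consecutive 'Package:' / 'MD5:' lines."""
    expected, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Package:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:") and current:
            digest = line.split(":", 1)[1].strip().lower()
            if re.fullmatch(r"[0-9a-f]{32}", digest):   # ignore malformed digests
                expected[current] = digest
            current = None
    return expected

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def md5_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_bytes(data: bytes, expected_md5: str) -> bool:
    # Case-insensitive, constant-time compare. A match shows the file is the one
    # the advisory lists (not truncated or swapped); MD5 is not a signature.
    return hmac.compare_digest(md5_hex(data), expected_md5.strip().lower())

def verify_downloads(directory, expected):
    """Return {package: 'ok' | 'MISMATCH' | 'missing'} for every listed package."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if hmac.compare_digest(md5_file(path), digest) else "MISMATCH"
    return results

if __name__ == "__main__":
    where = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed download directory
    for pkg, status in verify_downloads(where, parse_advisory(ADVISORY_TEXT)).items():
        print(f"{status:8} {pkg}")
```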
Samba security update
New samba packages are available for Vector Linux 5.9 to fix a security issue:
"Specifically crafted SMB responses can result in a heap overflow in the Samba client code. Because the server process, smbd, can itself act as a client during operations such as printer notification and domain authentication, this issue affects both Samba client and server installations." This flaw affects Samba versions from 3.0.0 through 3.0.29.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
Rdesktop security update
A new rdesktop package is available for Vector Linux 5.9 in the testing repository. This fixes a security issue triggered by using rdesktop to connect to a malicious or compromised RDP server.
More details about this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801
http://slackware.com/security/
Mozilla Thunderbird
Mozilla-thunderbird 2.0.0.14 is available for 5.8 and 5.9 to fix security issues, including crashes that can corrupt memory, as well as a JavaScript privilege escalation and arbitrary code execution flaw. More details about these issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237
Xine-lib
An overflow was found in the Speex decoder that could lead to a crash or possible execution of arbitrary code. Xine-lib <= 1.1.12 was also found to be vulnerable to a stack-based buffer overflow in the NES demuxer (thanks to milw0rm.com).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
Xine-lib 1.1.12 is now available from the testing repository.
Bzip2
bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
A new bzip2 package is available for Vector Linux 5.9.
m4 security advisory
The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename. Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688
A new m4 package is available in the testing repository.
OpenSSH 5.0p1
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
OpenSSH 5.0p1 is now available in the testing repository.
Cups 1.3.7
New cups packages are available for Vector Linux 5.9 to fix security issues. If you're on a completely secured internal network, these issues may be less of a risk than upgrading. If your IPP port is open to the internet, you'd be advised to upgrade as soon as possible (or firewall the port at the gateway if you don't need print jobs coming in from the internet).
espgs/ghostscript
Description
Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a PostScript (.ps) file containing a long Range array in a .seticcspace operator.
A new package is available for VectorLinux 5.9; we recommend upgrading the espgs package to the latest version in the testing repository.
Firefox 2.0.0.14
Firefox security update
Seamonkey security update
Incognu has packaged seamonkey-1.1.9 for VL5.8 and VL5.9.
A SeaMonkey security update.
Please let us know if this package works or not in this thread.
SeaMonkey (an open-source web browser suite)
The SeaMonkey browser suite. SeaMonkey features a state-of-the-art
web browser and powerful email client, as well as a WYSIWYG web page
composer and a feature-rich IRC chat client. For web
developers, mozilla.org's DOM inspector and JavaScript debugger tools
are included as well.
Visit the SeaMonkey project at this URL:
http://www.mozilla.org/projects/seamonkey/