Tue Dec 14 02:34:09 BRST 2004
a/kernel-ide-2.4.28-i486-1.tgz: Upgraded to Linux 2.4.28 kernel.
a/kernel-modules-2.4.28-i486-1.tgz: Upgraded to Linux 2.4.28 kernel modules.
bootdisks/*: Upgraded to Linux 2.4.28 bootdisks.
d/kernel-headers-2.4.28-i386-1.tgz: Upgraded to Linux 2.4.28 kernel headers.
k/kernel-source-2.4.28-i486-noarch-2.tgz: Upgraded to Linux 2.4.28 kernel
  source.
kernels/*: Upgraded to Linux 2.4.28 kernels.
  Many security fixes, including smbfs, USB, ext3 and ELF problems.
  You can see the full description in:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0685
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1068
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1070
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1071
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1072
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1073
  (* Security fix *)
+------------------------+
Sun Dec 12 13:26:03 BRST 2004
ap/a2ps-4.13b-i486-1.tgz: Rebuilt.
  The GNU a2ps utility fails to properly sanitize filenames, which can be
  abused by a malicious user to execute arbitrary commands with the
  privileges of the user running the vulnerable application.
    http://www.securityfocus.com/bid/11025
  (* Security fix *)
+------------------------+
Sun Dec 12 03:49:29 BRST 2004
n/nfs-utils-1.0.6-i486-3.tgz: Rebuilt.
  Statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signal,
  which allows remote attackers to cause a denial of service (server process
  crash) via a TCP connection that is prematurely terminated.
  More information:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1014
  (* Security fix *)
+------------------------+
Mon Nov 29 09:55:43 BRST 2004
n/samba-3.0.9-i486-2.tgz: Upgrade to samba-3.0.9-i486-2.
  Fixed the current package.
  The first package was built with ldap support. Thanks Andrea Dieni!
  It was upgraded on Nov 25, but I forgot to put the information in
  ChangeLog.txt.
l/imlib-1.9.15-i486-1.tgz: Upgraded to imlib-1.9.15.
  Multiple heap-based buffer overflows in the imlib BMP image handler allow
  remote attackers to execute arbitrary code via a crafted BMP file.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817
  (* Security fix *)
+------------------------+
Fri Nov 26 14:41:32 BRST 2004
ap/lvm-1.0.8-i486-2.tgz: Rebuilt.
  A bug in lvm (1.5 through 2.1) allows local users to overwrite files via
  a symlink attack on temporary files.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972
  (* Security fix *)
+------------------------+
Wed Nov 24 15:41:34 BRST 2004
ap/sudo-1.6.8p4-i486-1.tgz: Upgraded to sudo-1.6.8p4.
  This fixes a bug that could permit malicious users with permission to run
  a shell script that uses the bash shell to run arbitrary commands.
  For more details, see:
    http://www.sudo.ws/sudo/alerts/bash_functions.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051
  (* Security fix *)
n/samba-3.0.9-i486-1.tgz: Upgrade to samba-3.0.9-i486-1.
  A possible buffer overrun in smbd could lead to code execution by a remote
  user.
  For more details, see:
    http://samba.cdpa.nsysu.edu.tw/samba/news/#can-2004-0882
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
  (* Security fix *)
x/x11-6.8.1-i486-3.tgz: Rebuilt.
  libXpm stack and integer overflow issues. The XPM library which is part of
  the XFree86/XOrg project is used by several GUI applications to process
  XPM image files, so it seemed like a good idea to rebuild.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0914
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
  (* Security fix *)
+------------------------+
Thu Nov 18 19:04:09 BRST 2004
The community recently learned that Patrick will be absent to take care of
his health.
Bruno Henrique Collovini (aka Buick Sk), Ernani Azevedo (aka Azevedo, Man
Slackpacks), and Roberto Freire Batista (aka Piter Punk) from GUS-BR
Community will be keeping this fork ONLY with bugfixes for Slackware while
Patrick is out.
Patrick had problems accessing slackware.com, and agreed to use
slackware.org.br as a Security Fixes repository for Slackware Stable and
Current as well.
More information and Patrick Volkerding's trust about this can be found
here:
  (http://www.slackware.org.br/patrick-17-nov-2004-email.txt)
The GUS-BR Security Team GPG key can be found here:
  (http://www.slackware.org.br/gus-br-key)
or
  (ftp://ftp.slackware.org.br/pub/slackware/slackware-current-mr/GUS-BR_GPG-KEY)
We really enjoy help from everyone!!
Patrick! We are going to keep Slackware going until you come back from your
vacation. ;)
+------------------------+
Tue Nov 16 08:50:51 PST 2004
Hi folks, sorry about the lack of updates for a while. I've been pretty
sick. If you want the full details (especially if you are in a position to
help me), please see the file PAT-NEEDS-YOUR-HELP.txt.
  ftp://ftp.slackware.com/pub/slackware/slackware-current/PAT-NEEDS-YOUR-HELP.txt
Thanks. :-)
a/acpid-1.0.4-i486-2.tgz: Fixed perms of /usr/doc/acpid-1.0.4/samples/
  directory. (thanks to Piotr Simon)
+--------------------------+
Wed Nov 3 22:48:47 PST 2004
a/bash-3.0-i486-2.tgz: Applied official bash-3.0 patches 1-15.
a/hotplug-2004_09_23-noarch-1.tgz: Upgraded to hotplug-2004_09_23.
a/pkgtools-10.1.0-i486-1.tgz: Patched pkgtools to dramatically improve the
  speed of the "View" option.
  The patch was written by Jim Hawkins and forwarded to me by Stuart Winter.
  Thanks much!
  Fixed a typo in pkgtool.8. (thanks to "ldconfig")
a/util-linux-2.12h-i486-1.tgz: Upgraded to util-linux-2.12h.
ap/mdadm-1.8.0-i486-1.tgz: Upgraded to mdadm-1.8.0.
l/libexif-0.6.11-i486-1.tgz: Upgraded to libexif-0.6.11 (but retained
  libexif.so.9.1.2 from libexif-0.5.12 to give third party packages a chance
  to be recompiled).
n/lftp-3.0.11-i486-1.tgz: Upgraded to lftp-3.0.11.
n/samba-3.0.7-i486-2.tgz: Applied a patch from Samba CVS needed to fix
  smbtree on systems using a recent glibc (such as the one here in Slackware
  -current). Thanks to Arthur Huillet for referring me to the patch and
  online discussion.
n/tcpip-0.17-i486-30.tgz: Upgraded to ethtool-2 and tftp-hpa-0.40.
  Fixed a DoS bug in ntalkd. Thanks to Mauro Persano who discovered the bug
  and sent in a patch, and Dmitry V. Levin who refined it.
xap/gimp-2.0.6-i486-1.tgz: Upgraded to gimp-2.0.6.
extra/slackpkg/slackpkg-1.3-noarch-4.tgz: Upgraded to
  slackpkg-1.3-noarch-4.
+--------------------------+
Sun Oct 31 22:03:05 PST 2004
a/cups-1.1.22-i486-1.tgz: Upgraded to cups-1.1.22.
a/pcmcia-cs-3.2.8-i486-1.tgz: Upgraded to pcmcia-cs-3.2.8.
a/udev-042-i486-1.tgz: Upgraded to udev-042.
ap/mysql-4.0.22-i486-1.tgz: Upgraded to mysql-4.0.22.
d/binutils-2.15.92.0.2-i486-1.tgz: Upgraded to binutils-2.15.92.0.2.
d/oprofile-0.8.1-i486-2.tgz: Recompiled against libbfd from
  binutils-2.15.92.0.2.
kde/kdegraphics-3.3.1-i486-2.tgz: Patched a crash bug in kpdf.
kde/koffice-1.3.4-i486-2.tgz: Updated to koffice-1.3.4 and patched a bug in
  xpdf-based code that could cause a crash.
l/libtiff-3.7.0-i486-1.tgz: Upgraded to libtiff-3.7.0.
  This fixes several bugs that could lead to crashes, or could possibly
  allow arbitrary code to be executed.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
  (* Security fix *)
l/libxml2-2.6.15-i486-1.tgz: Upgraded to libxml2-2.6.15.
n/apache-1.3.33-i486-1.tgz: Upgraded to apache-1.3.33.
  This fixes one new security issue (the first issue, CAN-2004-0492, was
  fixed in apache-1.3.32). The second bug fixed in 1.3.3 (CAN-2004-0940)
  allows a local user who can create SSI documents to become "nobody".
  The amount of mischief they could cause as nobody seems low at first
  glance, but it might allow them to use kill or killall as nobody to try to
  create a DoS.
  Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski).
  (* Security fix *)
n/mod_ssl-2.8.22_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.22_1.3.33.
n/nail-11.13-i486-1.tgz: Upgraded to nail-11.13.
n/netatalk-2.0.1-i486-1.tgz: Upgraded to netatalk-2.0.1.
xap/gnuchess-5.07-i486-1.tgz: Upgraded to gnuchess-5.07.
  This package also contains Sjeng-Free-11.2, eboard-0.9.5, and
  xboard-4.2.7.
xap/imagemagick-6.1.2_4-i486-1.tgz: Upgraded to ImageMagick-6.1.2-4.
xap/windowmaker-0.91.0-i486-1.tgz: Upgraded to WindowMaker-0.91.0.
pasture/pasture/ifhp-3.5.18-i486-1.tgz: Upgraded to ifhp-3.5.18.
pasture/lprng-3.8.28-i486-1.tgz: Upgraded to LPRng-3.8.28.
testing/packages/linux-2.6.9/alsa-driver-1.0.6a_2.6.9-i486-1.tgz:
  Upgraded to ALSA kernel modules for Linux 2.6.9.
testing/packages/linux-2.6.9/kernel-generic-2.6.9-i486-1.tgz:
  Upgraded to Linux 2.6.9 kernel.
testing/packages/linux-2.6.9/kernel-headers-2.6.9-i386-1.tgz:
  Upgraded to Linux 2.6.9 kernel headers.
testing/packages/linux-2.6.9/kernel-modules-2.6.9-i486-1.tgz:
  Upgraded to Linux 2.6.9 kernel modules.
testing/packages/linux-2.6.9/kernel-source-2.6.9-noarch-1.tgz:
  Upgraded to Linux 2.6.9 kernel source.
+--------------------------+
Mon Oct 25 16:35:04 PDT 2004
n/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32.
  This addresses a heap-based buffer overflow in mod_proxy by rejecting
  responses from a remote server with a negative Content-Length. The flaw
  could crash the Apache child process, or possibly allow code to be
  executed as the Apache user (but only if mod_proxy is actually in use on
  the server).
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
  (* Security fix *)
n/mod_ssl-2.8.21_1.3.32-i486-1.tgz: Upgraded to mod_ssl-2.8.21-1.3.32.
  Don't allow clients to bypass cipher requirements, possibly negotiating a
  connection that the server does not consider secure enough.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
  (* Security fix *)
+--------------------------+
Fri Oct 22 15:28:06 PDT 2004
xap/gaim-1.0.2-i486-1.tgz: Upgraded to gaim-1.0.2 and gaim-encryption-2.32.
  A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1
  allows remote attackers to cause a denial of service (application crash)
  and may allow the execution of arbitrary code.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
  (* Security fix *)
+--------------------------+
Mon Oct 18 23:48:13 PDT 2004
a/acpid-1.0.4-i486-1.tgz: Upgraded to acpid-1.0.4.
a/sysvinit-2.84-i486-51.tgz: In rc.S, make sure /tmp/.ICE-unix and
  /tmp/.X11-unix exist and have proper permissions. X.Org no longer creates
  these if they are missing which is a problem for users who are using a
  tmpfs on /tmp. Reported by Alexandre Pinaffii Andrucioli, Stefano
  Mangione, and Luigi Genoni.
  In rc.S and rc.6, check /proc/ioports to make sure that the RTC lists
  ports, and if so use a workaround to prevent hwclock from hanging.
  Thanks to Piter PUNK for the bug report and patch.
  In rc.M, don't start acpid if apmd is already running regardless of the
  perms on rc.acpid (thanks again to Piter PUNK).
n/curl-7.12.2-i486-1.tgz: Upgraded to curl-7.12.2.
n/nmap-3.75-i486-1.tgz: Upgraded to nmap-3.75.
  Fixed nmapfe.desktop to follow freedesktop.org specs and moved it to
  /usr/share/applications.
x/x11-6.8.1-i486-2.tgz: Rebuilt. X.Org made a few minor silent fixes to the
  X11R6.8.1 (like the version number), so it seemed like a good idea to
  rebuild. Thanks to Sergei Mutovkin for reporting this situation.
x/x11-devel-6.8.1-i486-2.tgz: Rebuilt.
x/x11-docs-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-docs-html-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-100dpi-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-cyrillic-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-misc-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-fonts-scale-6.8.1-noarch-2.tgz: Rebuilt.
x/x11-xdmx-6.8.1-i486-2.tgz: Rebuilt.
x/x11-xnest-6.8.1-i486-2.tgz: Patched to prevent an xnest crash.
  Thanks to Mariusz 'mj' Jedrzejewski for reporting this problem and
  providing a patch from the X.Org CVS.
x/x11-xvfb-6.8.1-i486-2.tgz: Rebuilt.
xap/abiword-2.0.12-i486-1.tgz: Upgraded to abiword-2.0.12.
  Moved from /gnome and compiled without GNOME dependencies.
xap/gftp-2.0.17-i486-2.tgz: Build with .SlackBuild, not .build.
  Fixed gftp.desktop.
xap/gucharmap-1.4.1-i486-2.tgz: Moved from /gnome.
  Build with .SlackBuild, not .build. Fixed gucharmap.desktop.
xap/sane-1.0.14-i486-3.tgz: Upgraded to sane-frontends-1.0.13.
  Build with .SlackBuild, not .build.
xap/xine-ui-0.99.2-i686-2.tgz: Fixed xine.desktop.
+--------------------------+
Thu Oct 14 22:56:20 PDT 2004
ap/hpijs-1.7-i486-1.tgz: Upgraded to hpijs-1.7.
ap/lsof-4.72-i486-1.tgz: Upgraded to lsof-4.72.
ap/sox-12.17.6-i486-1.tgz: Upgraded to sox-12.17.6.
kde/kdeaccessibility-3.3.1-i486-1.tgz: Upgraded to kdeaccessibility-3.3.1.
kde/kdeaddons-3.3.1-i486-1.tgz: Upgraded to kdeaddons-3.3.1.
kde/kdeadmin-3.3.1-i486-1.tgz: Upgraded to kdeadmin-3.3.1.
kde/kdeartwork-3.3.1-i486-1.tgz: Upgraded to kdeartwork-3.3.1.
kde/kdebase-3.3.1-i486-1.tgz: Upgraded to kdebase-3.3.1.
kde/kdebindings-3.3.1-i486-1.tgz: Upgraded to kdebindings-3.3.1.
kde/kdeedu-3.3.1-i486-1.tgz: Upgraded to kdeedu-3.3.1.
kde/kdegames-3.3.1-i486-1.tgz: Upgraded to kdegames-3.3.1.
kde/kdegraphics-3.3.1-i486-1.tgz: Upgraded to kdegraphics-3.3.1.
kde/kdelibs-3.3.1-i486-1.tgz: Upgraded to kdelibs-3.3.1.
kde/kdemultimedia-3.3.1-i486-1.tgz: Upgraded to kdemultimedia-3.3.1.
kde/kdenetwork-3.3.1-i486-1.tgz: Upgraded to kdenetwork-3.3.1.
kde/kdepim-3.3.1-i486-1.tgz: Upgraded to kdepim-3.3.1.
kde/kdesdk-3.3.1-i486-1.tgz: Upgraded to kdesdk-3.3.1.
kde/kdetoys-3.3.1-i486-1.tgz: Upgraded to kdetoys-3.3.1.
kde/kdeutils-3.3.1-i486-1.tgz: Upgraded to kdeutils-3.3.1.
kde/kdevelop-3.1.1-i486-1.tgz: Upgraded to kdevelop-3.1.1.
kde/kdewebdev-3.3.1-i486-1.tgz: Upgraded to kdewebdev-3.3.1.
kde/koffice-1.3.4-i486-1.tgz: Upgraded to koffice-1.3.4.
kde/qt-3.3.3-i486-3.tgz: Recompiled. Note that this includes the change
  previously in /testing where the libqt.so -> libqt-mt.so symlinks have
  been removed. (this shouldn't affect any recent binaries, but might break
  some old ones)
kdei/*.tgz: Upgraded to kde-i18n-3.3.1 and koffice-i18n-1.3.4.
l/arts-1.3.1-i486-1.tgz: Upgraded to arts-1.3.1.
l/glib2-2.4.7-i486-1.tgz: Upgraded to glib-2.4.7.
l/gtk+2-2.4.13-i486-1.tgz: Upgraded to gtk+-2.4.13.
l/libao-0.8.5-i486-1.tgz: Upgraded to libao-0.8.5.
l/libidn-0.5.8-i486-1.tgz: Added libidn-0.5.8.
l/libxml2-2.6.14-i486-1.tgz: Upgraded to libxml2-2.6.14.
l/libxslt-1.1.11-i486-1.tgz: Upgraded to libxslt-1.1.11.
l/pcre-5.0-i486-1.tgz: Upgraded to pcre-5.0.
n/dnsmasq-2.15-i486-1.tgz: Upgraded to dnsmasq-2.15.
xap/fvwm-2.4.19-i486-2.tgz: Fixed fvwm-root manpage symlink.
  (thanks to Mark Post)
testing/{packages,source}/kde-3.3/: Removed.
+--------------------------+
Mon Oct 11 23:41:16 PDT 2004
a/glibc-solibs-2.3.3-i486-2.tgz: Updated from CVS.
  Added the files in /usr/lib/gconv to glibc-solibs.
  (thanks to Tomas Matejicek)
a/glibc-zoneinfo-2.3.3-noarch-2.tgz: Updated from CVS.
a/udev-035-i486-1.tgz: Upgraded to udev-035.
  Thanks to ismail donmez and Jakub Jankowski for pointing out some problems
  with pty handling in the previous udev.rules config file.
a/util-linux-2.12g-i486-2.tgz: Put the adjtimex docs in the proper directory
  (thanks to Stuart Winter).
d/doxygen-1.3.9.1-i486-1.tgz: Upgraded to doxygen-1.3.9.1.
l/glibc-2.3.3-i486-2.tgz: Updated from CVS.
l/glibc-i18n-2.3.3-noarch-2.tgz: Updated from CVS.
l/glibc-profile-2.3.3-i486-2.tgz: Updated from CVS.
n/getmail-4.2.2-noarch-1.tgz: Upgraded to getmail-4.2.2.
n/netatalk-2.0.0-i486-1.tgz: Upgraded to netatalk-2.0.0.
n/rsync-2.6.3-i486-1.tgz: Upgraded to rsync-2.6.3.
  From the rsync NEWS file:
    A bug in the sanitize_path routine (which affects a non-chrooted rsync
    daemon) could allow a user to craft a pathname that would get
    transformed into an absolute path for certain options (but not for
    file-transfer names). If you're running an rsync daemon with chroot
    disabled, *please upgrade*, ESPECIALLY if the user privs you run rsync
    under is anything above "nobody".
  Note that rsync, in daemon mode, sets the "use chroot" to true by default,
  and (in this default mode) is not vulnerable to this issue. I would
  strongly recommend against setting "use chroot" to false even if you've
  upgraded to this new package.
  (* Security fix *)
n/sendmail-8.13.1-i486-2.tgz: Recompiled with -DSOCKETMAP.
  Recommended by Catalin(ux aka Dino) BOIE.
n/sendmail-cf-8.13.1-noarch-2.tgz: Rebuilt.
xap/fvwm-2.4.19-i486-1.tgz: Upgraded to fvwm-2.4.19.
xap/gaim-1.0.1-i486-1.tgz: Upgraded to gaim-1.0.1.
xap/gftp-2.0.17-i486-1.tgz: Moved from /gnome. Apparently gftp doesn't
  require any of the GNOME libraries. I've heard that AbiWord can also be
  built so that it does not require GNOME libraries but haven't had much
  luck getting it to work that way. Does anyone know how to do that? How
  about a GNOMEless gnumeric (I suspect that's not possible, but...)?
extra/bison-1.875d/bison-1.875d-i486-1.tgz: Upgraded to bison-1.875d.
pasture/fvwm95-2.0.43ba-i386-2.tgz: Moved to /pasture.
+--------------------------+
Thu Oct 7 19:03:18 PDT 2004
a/util-linux-2.12g-i486-1.tgz: Upgraded to util-linux-2.12g, adjtimex-1.20,
  and ziptool-1.4.0.
d/doxygen-1.3.9-i486-1.tgz: Upgraded to doxygen-1.3.9.
d/guile-1.6.5-i486-1.tgz: Upgraded to guile-1.6.5.
gnome/gst-plugins-0.8.5-i486-1.tgz: Upgraded to gst-plugins-0.8.5.
gnome/gstreamer-0.8.7-i486-1.tgz: Upgraded to gstreamer-0.8.7.
n/slrn-0.9.8.1-i486-1.tgz: Upgraded to slrn-0.9.8.1.
xap/imagemagick-6.1.0_5-i486-1.tgz: Upgraded to ImageMagick-6.1.0-5.
+--------------------------+
Mon Oct 4 11:57:38 PDT 2004
ap/flac-1.1.1-i486-1.tgz: Upgraded to flac-1.1.1.
ap/vorbis-tools-1.0.1-i486-3.tgz: Recompiled against new libFLAC.
d/j2sdk-1_5_0-i586-1.tgz: Upgraded to Java(TM) 2 Software Development Kit
  Standard Edition, Version 1.5.0.
gnome/gst-plugins-0.8.1-i486-2.tgz: Recompiled against new libFLAC.
l/zlib-1.2.2-i486-1.tgz: Upgraded to zlib-1.2.2.
  This fixes a possible DoS in earlier versions of zlib-1.2.x.
  (* Security fix *)
n/dhcp-3.0.1-i486-1.tgz: Upgraded to dhcp-3.0.1.
n/getmail-4.2.0-noarch-1.tgz: Upgraded to getmail-4.2.0.
  Earlier versions contained a local security flaw when used in an insecure
  fashion (surprise, running something as root that writes to
  user-controlled files or directories could allow the old symlink attack to
  clobber system files! :-)
  From the getmail CHANGELOG:
    This vulnerability is not exploitable if the administrator does not
    deliver mail to the maildirs/mbox files of untrusted local users, or if
    getmail is configured to use an external unprivileged MDA. This
    vulnerability is not remotely exploitable.
  Most users would not use getmail in such a way as to be vulnerable to this
  flaw, but if your site does this package closes the hole. I'd also
  recommend not using getmail like this. Either run it as the user that
  owns the target mailbox, or deliver through an external MDA.
  (* Security fix *)
n/sendmail-8.13.1-i486-1.tgz: Upgraded to sendmail-8.13.1.
n/sendmail-cf-8.13.1-noarch-1.tgz: Upgraded to sendmail-8.13.1 configs.
xap/mozilla-plugins-1.7.3-noarch-2.tgz: Point the libjavaplugin_oji.so
  symlink at the new Java plugin.
xap/xine-lib-1rc6a-i686-2.tgz: Recompiled against new libFLAC.
xap/xmms-1.2.10-i486-2.tgz: Added arts_output-0.7.1 aRts output plugin.
+--------------------------+
Tue Sep 28 13:58:36 PDT 2004
a/gawk-3.1.4-i486-1.tgz: Upgraded to GNU gawk-3.1.4.
ap/mdadm-1.7.0-i486-1.tgz: Upgraded to mdadm-1.7.0.
xap/gkrellm-2.2.4-i486-1.tgz: Upgraded to gkrellm-2.2.4.
+--------------------------+
Sun Sep 26 21:28:28 PDT 2004
l/lesstif-0.93.96-i486-1.tgz: Upgraded to lesstif-0.93.96.
xap/gaim-1.0.0-i486-2.tgz: Fixed the gaim-encryption plugin by upgrading to
  gaim-encryption-2.31.
xap/gimp-2.0.5-i486-1.tgz: Upgraded to gimp-2.0.5.
+--------------------------+
Fri Sep 24 11:39:24 PDT 2004
n/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.
testing/packages/php-5.0.2/php-5.0.2-i486-1.tgz: Upgraded to php-5.0.2.
+--------------------------+
Fri Sep 24 00:43:51 PDT 2004
n/bind-9.3.0-i486-2.tgz: Fixed missing libbind9.so.0.0.4.
  Thanks to Alan Brantley and Catalin(ux aka Dino) BOIE for the quick
  heads-up!
+--------------------------+
Thu Sep 23 18:11:17 PDT 2004
d/automake-1.9.2-noarch-1.tgz: Upgraded to GNU automake-1.9.2.
d/libtool-1.5.10-i486-1.tgz: Upgraded to GNU libtool-1.5.10.
d/oprofile-0.8.1-i486-1.tgz: Upgraded to oprofile-0.8.1.
  (Suggested by Michael Iatrou)
l/gmp-4.1.4-i486-1.tgz: Upgraded to GNU gmp-4.1.4.
n/bind-9.3.0-i486-1.tgz: Upgraded to bind-9.3.0.
xap/xsane-0.96-i486-1.tgz: Upgraded to xsane-0.96.
bootdisks/sata.i: Rebuilt (see below).
bootdisks/speakup.s: Rebuilt (fixed missing speakup support).
extra/k3b/k3b-0.11.17-i486-1.tgz: Upgraded to k3b-0.11.17.
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre22_2.4.27-i486-1.tgz:
  Upgraded to linux-wlan-ng-0.2.1pre22 (compiled for Linux 2.4.27).
extra/linux-wlan-ng/linux-wlan-ng-0.2.1pre22_2.6.8.1-i486-1.tgz:
  Upgraded to linux-wlan-ng-0.2.1pre22 (compiled for Linux 2.6.8.1).
  Thanks to Leopold Midha for suggesting these upgrades.
extra/parted/parted-1.6.15-i486-1.tgz: Upgraded to GNU parted-1.6.15.
kernels/sata.i/: Removed Silicon Image ATA support since it interferes with
  the libata SATA driver. This also removes support for the PATA CMD640
  chipset, since that's part of the old Silicon Image ATA driver. Thanks to
  Miha Verlic for pointing out this incompatibility.
kernels/speakup.s/: Fixed missing speakup support.
isolinux/initrd.img, isolinux/network.dsk, isolinux/pcmcia.dsk,
rootdisks/install.*, rootdisks/network.dsk, rootdisks/pcmcia.dsk:
  Updated kernel modules to 2.4.27. Allow the location of network.dsk to be
  provided on the network script command line (suggested by Daniel de Kok).
+--------------------------+
Sun Sep 19 16:33:44 PDT 2004
a/cups-1.1.21-i486-1.tgz: Upgraded to cups-1.1.21.
  This fixes a flaw where a remote attacker can crash the CUPS server
  causing a denial of service.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558
  (* Security fix *)
a/glibc-solibs-2.3.3-i486-1.tgz: Upgraded to glibc-2.3.3.
  This is from a CVS snapshot taken in early August. The official
  glibc-2.3.3 tarball was released in such an obsolete condition (a snapshot
  from 8 months ago) that I'd be surprised if any Linux distributions
  actually package it.
a/glibc-zoneinfo-2.3.3-noarch-1.tgz: Upgraded to glibc-2.3.3.
a/minicom-2.1-i486-2.tgz: Fixed install script to install the config files
  in /etc properly. (thanks to Piter PUNK)
a/pkgtools-10.0.0-i486-2.tgz: Changed the keyboard driver in the sample
  /etc/X11/xorg.conf files from "Keyboard" to "kbd".
a/kernel-ide-2.4.27-i486-1.tgz: Upgraded to Linux 2.4.27 kernel.
a/kernel-modules-2.4.27-i486-1.tgz: Upgraded to Linux 2.4.27 kernel modules.
ap/sudo-1.6.8p1-i486-1.tgz: Upgraded to sudo-1.6.8p1.
d/kernel-headers-2.4.27-i386-1.tgz: Upgraded to Linux 2.4.27 kernel headers.
gnome/epiphany-1.2.7-i486-1.tgz: Removed. (see Mozilla below)
gnome/epiphany-extensions-0.9.1-i486-1.tgz: Removed. (see Mozilla below)
gnome/galeon-1.3.17-i486-1.tgz: Removed. (see Mozilla below)
k/kernel-source-2.4.27-noarch-1.tgz: Upgraded to Linux 2.4.27 kernel source.
kde/koffice-1.3.3-i486-1.tgz: Upgraded to koffice-1.3.3.
kdei/koffice-i18n-*.tgz: Upgraded to koffice-i18n-1.3.3.
l/alsa-driver-1.0.6a_2.4.27-i486-1.tgz: Recompiled alsa-driver-1.0.6a for
  Linux 2.4.27.
l/glibc-2.3.3-i486-1.tgz: Upgraded to glibc-2.3.3.
l/glibc-i18n-2.3.3-noarch-1.tgz: Upgraded to glibc-2.3.3 i18n files.
l/glibc-profile-2.3.3-i486-1.tgz: Upgraded to glibc-2.3.3 profile libs.
l/gtk+2-2.4.10-i486-1.tgz: Upgraded to gtk+-2.4.10.
  This fixes security issues in the image loader routines that can crash
  applications.
  (* Security fix *)
l/pango-1.6.0-i486-1.tgz: Upgraded to pango-1.6.0.
n/iproute2-2.6.9_ss040831-i486-1.tgz: Upgraded to iproute2-2.6.9-ss040831.
n/nail-11.7-i486-1.tgz: Upgraded to nail-11.7.
n/nmap-3.70-i486-2.tgz: Fixed missing docs translations. (thanks to Alex)
n/php-4.3.8-i486-2.tgz: Recompiled using --enable-exif in addition to
  --with-exif. Thanks to Niels Heinis for the tip.
n/proftpd-1.2.10-i486-2.tgz: Fixed slack-desc (thanks to Stuart Winter).
x/x11*6.8.1-i486-1.tgz: Upgraded to X.Org's X11R6.8.1 release.
  Note that the name of the keyboard driver in the xorg.conf file has
  changed from "Keyboard" to "kbd". You'll need to make this change in
  order to start X.
xap/gaim-1.0.0-i486-1.tgz: Upgraded to gaim-1.0.0.
xap/imagemagick-6.0.8_1-i486-1.tgz: Upgraded to ImageMagick-6.0.8-1.
  Removed spurious libtool library (thanks to Mark Post).
xap/mozilla-1.7.3-i486-1.tgz: Upgraded to mozilla-1.7.3.
  The Mozilla page says this fixes some "minor security holes". It also
  breaks Galeon and Epiphany, and new versions of these have still not
  appeared.
  In light of this, I think it's time to remove these Gecko-based browsers.
  The future is going to be Firefox and Thunderbird anyway, and I don't
  believe Galeon and Epiphany can be compiled against Firefox's libraries.
  (* Security fix *)
xap/mozilla-plugins-1.7.3-noarch-1.tgz: Changed plugin symlinks for
  Mozilla 1.7.3.
xap/xine-lib-1rc6a-i686-1.tgz: Upgraded to xine-lib-1-rc6a.
  This release fixes a few overflows that could have security implications.
  (* Security fix *)
xap/xlockmore-5.13-i486-1.tgz: Upgraded to xlockmore-5.13.
xap/xscreensaver-4.18-i486-1.tgz: Upgraded to xscreensaver-4.18.
bootdisks/*: Upgraded to Linux 2.4.27 bootdisks (and added sata.i).
extra/bittornado/bittornado-0.3.7-noarch-1.tgz: Added BitTornado 0.3.7, an
  alternate BitTorrent client based on Bram's mainline BitTorrent code.
extra/k3b/k3b-0.11.15-i486-1.tgz: Upgraded to k3b-0.11.15.
extra/slacktrack/slacktrack-1.21-i486-2.tgz: Upgraded to slacktrack-1.21_2.
kernels/*: Upgraded to Linux 2.4.27 kernels (and added sata.i).
pasture/apsfilter-7.2.5-i386-2.tgz: The apsfilter print configuration tool
  has been moved to /pasture.
pasture/ifhp-3.5.11-i486-1.tgz: Moved ifhp to /pasture. This is a print
  filter for LPRng (see below).
pasture/libxml-1.8.17-i486-3.tgz: Added a static libxml1, needed to compile
  some ham software.
pasture/lprng-3.8.27-i486-1.tgz: Moved LPRng to /pasture. These days most
  people want to run CUPS which has more or less taken over the printing
  scene as the de facto standard print system. LPRng will continue to be
  maintained here, but getting it out of the main installation will end the
  annoying problem of it overwriting the symlinks for CUPS and breaking it.
testing/packages/linux-2.6.8.1/alsa-driver-1.0.6a_2.6.8.1-i486-1.tgz:
  Compiled alsa-driver package for Linux 2.6.8.1.
testing/packages/linux-2.6.8.1/kernel-generic-2.6.8.1-i486-1.tgz:
  Upgraded to Linux 2.6.8.1 kernel.
testing/packages/linux-2.6.8.1/kernel-headers-2.6.8.1-i386-1.tgz:
  Upgraded to Linux 2.6.8.1 kernel headers.
testing/packages/linux-2.6.8.1/kernel-modules-2.6.8.1-i486-1.tgz:
  Upgraded to Linux 2.6.8.1 kernel modules.
testing/packages/linux-2.6.8.1/kernel-source-2.6.8.1-noarch-1.tgz:
  Upgraded to Linux 2.6.8.1 kernel source.
testing/packages/php-5.0.1/php-5.0.1-i486-1.tgz: Upgraded to php-5.0.1.
+--------------------------+
Mon Sep 13 22:22:59 PDT 2004
a/reiserfsprogs-3.6.18-i486-1.tgz: Upgraded to reiserfsprogs-3.6.18.
d/ccache-2.4-i486-1.tgz: Upgraded to ccache-2.4.
d/gdb-6.2.1-i486-1.tgz: Upgraded to gdb-6.2.1.
gnome/gnumeric-1.2.13-i486-1.tgz: Upgraded to gnumeric-1.2.13.
l/libpng-1.2.7-i486-1.tgz: Upgraded to libpng-1.2.7.
l/taglib-1.3-i486-1.tgz: Upgraded to taglib-1.3.
n/dnsmasq-2.14-i486-1.tgz: Upgraded to dnsmasq-2.14.
n/getmail-4.1.5-noarch-1.tgz: Upgraded to getmail-4.1.5.
n/proftpd-1.2.10-i486-1.tgz: Maybe I was a little too harsh on this project
  (especially as they've now addressed all the known problems with the
  latest release). I don't think it deserved to be /pasture-ized after all,
  and have moved it back to the N series. Vsftpd will also remain in N, so
  you can take your pick...
n/samba-3.0.7-i486-1.tgz: Upgraded to samba-3.0.7.
  This fixes two Denial of Service vulnerabilities.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0807
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0808
  (* Security fix *)
xap/imagemagick-6.0.7_3-i486-1.tgz: Upgraded to ImageMagick-6.0.7-3.
testing/packages/kde-3.3/kde/*.tgz: Rebuilt all KDE packages, and fixed a
  couple build problems with kdemultimedia and kdebindings.
testing/packages/kde-3.3/kde/qt-3.3.3-i486-2.tgz: Removed the
  libqt.so -> libqt-mt.so symlinks. These were a kludge added to help run
  third party binaries that link with libqt rather than libqt-mt, but now
  it's breaking things like the kdebindings build. The symlinks were meant
  to allow some time to transition to the threaded Qt without breaking
  existing apps. Hopefully not many broken apps are still left.
testing/packages/gcc-3.4.2/gcc*-3.4.2-i486-1.tgz: Upgraded to gcc-3.4.2.
+--------------------------+
Fri Sep 10 15:32:58 PDT 2004
ap/mysql-4.0.21-i486-1.tgz: Upgraded to mysql-4.0.21.
pasture/proftpd-1.2.10-i486-1.tgz: Upgraded to proftpd-1.2.10.
+--------------------------+
Thu Sep 9 20:04:47 PDT 2004
ap/cdrtools-2.01-i486-1.tgz: Upgraded to cdrtools-2.01 and
  zisofs-tools-1.0.6.
ap/dvd+rw-tools-5.21.4.10.8-i486-1.tgz: Upgraded to
  dvd+rw-tools-5.21.4.10.8.
+--------------------------+
Tue Sep 7 18:38:29 PDT 2004
xap/fluxbox-0.9.10-i486-1.tgz: Upgraded to fluxbox-0.9.10.
  This is the development version, but they say it's stable, so I'll defer
  to upstream judgement.
pasture/fluxbox-0.1.14-i386-1.tgz: Moved to /pasture.
  This is still officially the current stable version, but the developers
  say it's old and unmaintained, so off to /pasture it goes.
+--------------------------+
Mon Sep 6 20:39:43 PDT 2004
l/aspell-0.60-i486-2.tgz: Fixed missing pre* tools.
l/aspell-en-6.0_0-noarch-2.tgz: Upgraded to aspell6-en-6.0-0.
  (Since all the word list packages needed to be rebuilt, but not all had
  upgraded versions, they were all given a build of '2')
extra/aspell-word-lists/: Rebuilt all word lists, and added many new ones.
extra/bash-completion/bash-completion-20040711-noarch-1.tgz: Upgraded to
  bash-completion-20040711, and fixed the profile.d script to work with
  bash-3.0.
+--------------------------+
Sat Sep 4 20:03:26 PDT 2004
a/bash-3.0-i486-1.tgz: Upgraded to GNU bash-3.0.
a/minicom-2.1-i486-1.tgz: Upgraded to minicom-2.1.
l/aspell-0.60-i486-1.tgz: Upgraded to GNU aspell-0.60 (forgot this in
  yesterday's ChangeLog... sorry).
n/openssh-3.9p1-i486-1.tgz: Upgraded to openssh-3.9p1.
+--------------------------+
Fri Sep 3 18:40:57 PDT 2004
a/glibc-solibs-2.3.2-i486-7.tgz: Recompiled using 'strip -g' rather than
  'strip --strip-unneeded' to avoid stripping symbols that are needed for
  debugging threads.
  Thanks to those who reported this bug, especially Ricardo Nabinger Sanchez
  who sent in a sample thread program that made it easy to test for the
  problem (and confirm the fix worked).
a/glibc-zoneinfo-2.3.2-noarch-7.tgz: Rebuilt.
a/hdparm-5.7-i486-1.tgz: Upgraded to hdparm-5.7.
ap/zsh-4.2.1-i486-1.tgz: Upgraded to zsh-4.2.1.
d/m4-1.4.2-i486-1.tgz: Upgraded to GNU m4-1.4.2.
kde/kdebase-3.2.3-i486-2.tgz: Patched frame injection vulnerability in
  Konqueror.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
  (* Security fix *)
kde/kdelibs-3.2.3-i486-2.tgz: Patched unsafe temporary directory usage,
  cross-domain cookie injection vulnerability for certain country specific
  domains, and frame injection vulnerability in Konqueror.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746
  (* Security fix *)
l/glib2-2.4.6-i486-1.tgz: Upgraded to glib-2.4.6.
l/glibc-2.3.2-i486-7.tgz: Recompiled using 'strip -g'.
l/glibc-i18n-2.3.2-noarch-7.tgz: Recompiled.
l/gtk+2-2.4.9-i486-1.tgz: Upgraded to gtk+-2.4.9.
n/gnupg-1.2.6-i486-1.tgz: Upgraded to gnupg-1.2.6.
n/inetd-1.79s-i486-7.tgz: Added a vsftpd example to /etc/inetd.conf.
n/lftp-3.0.7-i486-1.tgz: Upgraded to lftp-3.0.7.
n/nmap-3.70-i486-1.tgz: Upgraded to nmap-3.70.
n/vsftpd-2.0.1-i486-1.tgz: Added vsftpd as Slackware's new default ftpd.
  This may not have the rich feature set of ProFTPD, but simple is probably
  more secure. Thanks to Laurens Vets for getting me to take another look
  at this.
xap/imagemagick-6.0.6_2-i486-1.tgz: Upgraded to ImageMagick-6.0.6-2.
extra/glibc-extra-packages/glibc-debug-2.3.2-i486-7.tgz: Recompiled.
extra/glibc-extra-packages/glibc-profile-2.3.2-i486-7.tgz: Recompiled.
extra/grub/grub-0.95-i486-2.tgz: Upgraded to version 1.24 of Kent Robotti's
  grubconfig setup tool.
extra/k3b/k3b-i18n-0.11-noarch-2.tgz: Fixed path for locale files.
pasture/proftpd-1.2.9-i486-3.tgz: Sent to /pasture.
  This has been allowed to slide way too much for a network service. A
  security issue was discovered in April (and was patched in Slackware and
  elsewhere shortly thereafter). It took a couple of weeks for any warning
  to appear on the ProFTPD site (with no official fix, just a suggestion to
  avoid the vulnerable feature). Since then it's been fixed in CVS but
  there is still no official stable release that fixes the issue. I liked
  ProFTPD, but won't put up with security negligence that goes on for
  months. Clearly ProFTPD's time is up, and it belongs here in /pasture.
  If there's any problem with vsftpd (and I don't expect there will be),
  you can bet that Chris Evans won't take 4 months to do something about
  it.
testing/packages/kde-3.3/: Added KDE 3.3.
  This is in testing/ because of a few problems I've had with it (like
  crashes on logout, and no anti-aliased fonts no matter what kpersonalizer
  settings are chosen). I think it's a good idea to test it for a while
  and wait for patches (or for kde-3.3.1). Oh, I'm also getting requests
  to add libidn, which kde-3.3 apparently can use for jabber support, but
  libidn contains the following warning in README-alpha:
    "LIBIDN IS MOST LIKELY INSECURE. DO NOT USE IN A PRODUCTION ENVIRONMENT!"
  As a result, I haven't added libidn yet. I haven't ruled it out entirely
  either, but it's hard to get past a warning like that...
+--------------------------+
Fri Aug 27 13:17:35 PDT 2004
n/getmail-4.1.1-noarch-1.tgz: Upgraded to getmail-4.1.1.
xap/gaim-0.82.1-i486-1.tgz: Upgraded to gaim-0.82.1 to fix a couple of bugs
  in the gaim-0.82 release. Also, gaim-encryption-2.29 did not work with
  gaim-0.82 (or 0.82.1), so that has been upgraded to gaim-encryption-2.30.
+--------------------------+
Thu Aug 26 18:28:53 PDT 2004
a/syslinux-2.11-i486-1.tgz: Upgraded to syslinux-2.11.
ap/alsa-utils-1.0.6-i486-1.tgz: Upgraded to alsa-utils-1.0.6.
d/distcc-2.17.1-i486-1.tgz: Upgraded to distcc-2.17.1.
l/alsa-driver-1.0.6a_2.4.26-i486-1.tgz: Upgraded to alsa-driver-1.0.6a.
l/alsa-lib-1.0.6-i486-1.tgz: Upgraded to alsa-lib-1.0.6.
l/alsa-oss-1.0.6-i486-1.tgz: Upgraded to alsa-oss-1.0.6.
l/libpng-1.2.6-i486-1.tgz: Upgraded to libpng-1.2.6.
n/iptables-1.2.11-i486-1.tgz: Upgraded to iptables-1.2.11.
n/samba-3.0.6-i486-1.tgz: Upgraded to samba-3.0.6.
xap/gaim-0.82-i486-1.tgz: Upgraded to gaim-0.82 and gaim-encryption-2.29.
  Fixes several security issues:
    Content-length DOS (malloc error) (no CAN ID on this one)
    MSN strncpy buffer overflow (CAN-2004-0500)
    Groupware message receive integer overflow (CAN-2004-0754)
    Smiley theme installation lack of escaping (CAN-2004-0784)
    RTF message buffer overflow, Local hostname resolution buffer overflow,
    URL decode buffer overflow (these 3 are CAN-2004-0785)
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785
  (* Security fix *)
+--------------------------+
Mon Aug 23 14:06:50 PDT 2004
a/hdparm-5.6-i486-1.tgz: Upgraded to hdparm-5.6.
a/procps-3.2.3-i486-1.tgz: Upgraded to procps-3.2.3.
d/automake-1.9.1-noarch-1.tgz: Upgraded to automake-1.9.1.
kde/qt-3.3.3-i486-1.tgz: Upgraded to qt-3.3.3.
  This fixes bugs in the image loading routines which could be used by an
  attacker to run unauthorized code or create a denial-of-service.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693
  (* Security fix *)
l/glib2-2.4.5-i486-1.tgz: Upgraded to glib-2.4.5.
n/curl-7.12.1-i486-1.tgz: Upgraded to curl-7.12.1.
n/getmail-4.0.13-noarch-1.tgz: Upgraded to getmail-4.0.13.
n/nail-11.3-i486-1.tgz: Upgraded to nail-11.3.
xap/netscape-7.2-i686-1.tgz: Upgraded to netscape-7.2.
  (Is it time yet to move this to /pasture?)
extra/grub/grub-0.95-i486-1.tgz: Added GNU grub-0.95.
  Thanks to Kent Robotti for the grubconfig setup tool. :-)
  I did some cleanup on grubconfig, but it's going to need more work. For
  example, it's unable to properly determine the mappings for my two hard
  drives /dev/hde and /dev/hdg... it's a start, though.
extra/k3b/k3b-0.11.14-i486-1.tgz: Upgraded to k3b-0.11.14.
extra/k3b/k3b-i18n-0.11-noarch-1.tgz: Added k3b-i18n-0.11.
extra/parted/parted-1.6.12-i486-1.tgz: Upgraded to parted-1.6.12.
+--------------------------+
Mon Aug 9 01:57:10 PDT 2004
d/binutils-2.15.90.0.3-i486-1.tgz: Reverted to binutils-2.15.90.0.3 since
  Mozilla isn't compiling with binutils-2.15.91.0.2.
d/oprofile-0.8-i486-1.tgz: Reverted to previous oprofile build linked with
  libbfd from binutils-2.15.90.0.3.
gnome/epiphany-1.2.7-i486-1.tgz: Upgraded to epiphany-1.2.7.
  (compiled against Mozilla 1.7.2)
gnome/galeon-1.3.17-i486-1.tgz: Upgraded to galeon-1.3.17.
  (compiled against Mozilla 1.7.2)
xap/gaim-0.81-i486-1.tgz: Upgraded to gaim-0.81.
  (compiled against Mozilla 1.7.2)
xap/mozilla-1.7.2-i486-1.tgz: Upgraded to Mozilla 1.7.2.
  This fixes three security vulnerabilities. For details, see:
    http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2
  (* Security fix *)
xap/mozilla-plugins-1.7.2-noarch-1.tgz: Changed plugin symlinks for
  Mozilla 1.7.2.
+--------------------------+
Sat Aug 7 17:17:40 AKDT 2004
ap/sox-12.17.4-i486-3.tgz: Patched buffer overflows that could allow a
  malicious WAV file to execute arbitrary code.
  (* Security fix *)
d/libtool-1.5.8-i486-1.tgz: Upgraded to libtool-1.5.8.
d/perl-5.8.5-i486-2.tgz: Updated -Dinc_version_list to include 5.8.4.
  Thanks to Luca Cavalli for pointing out the omission.
l/libpng-1.2.5-i486-3.tgz: Patched possible security issues including
  buffer and integer overflows and null pointer references.
  These issues could cause program crashes, or possibly allow arbitrary
  code embedded in a malicious PNG image to execute. The PNG library is
  widely used within the system, so all sites should upgrade to the new
  libpng package.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
  (* Security fix *)
l/pango-1.4.1-i486-1.tgz: Upgraded to pango-1.4.1.
xap/gimp-2.0.4-i486-1.tgz: Upgraded to gimp-2.0.4.
xap/imagemagick-6.0.4_3-i486-1.tgz: Upgraded to ImageMagick-6.0.4-3.
  Fixes PNG security issues.
  (* Security fix *)
+--------------------------+
Sun Aug 1 20:27:33 PDT 2004
d/automake-1.9-noarch-1.tgz: Upgraded to automake-1.9.
d/binutils-2.15.91.0.2-i486-1.tgz: Upgraded to binutils-2.15.91.0.2.
d/gdb-6.2-i486-1.tgz: Upgraded to gdb-6.2.
d/oprofile-0.8-i486-2.tgz: Recompiled against libbfd from
  binutils-2.15.91.0.2.
+--------------------------+
Tue Jul 27 22:27:56 PDT 2004
d/perl-5.8.5-i486-1.tgz: Upgraded to perl-5.8.5, DBD-mysql-2.9004, and
  DBI-1.43.
gnome/galeon-1.3.16-i486-1.tgz: Upgraded to galeon-1.3.16.
kde/kdebindings-3.2.3-i486-2.tgz: Recompiled for perl-5.8.5.
n/dnsmasq-2.10-i486-1.tgz: Upgraded to dnsmasq-2.10.
n/getmail-4.0.1-noarch-1.tgz: Upgraded to getmail-4.0.1.
n/irssi-0.8.9-i486-4.tgz: Recompiled for perl-5.8.5.
n/ncftp-3.1.8-i486-1.tgz: Upgraded to ncftp-3.1.8.
xap/gaim-0.80-i486-2.tgz: Recompiled for perl-5.8.5.
xap/imagemagick-6.0.3_5-i486-1.tgz: Upgraded to ImageMagick-6.0.3-5.
xap/xchat-2.0.10-i486-1.tgz: Upgraded to xchat-2.0.10.
+--------------------------+
Mon Jul 26 22:46:37 PDT 2004
gnome/totem-0.99.15.1-i686-1.tgz: Upgraded to totem-0.99.15.1.
xap/xfce-4.0.6-i486-1.tgz: Upgraded to xfce-4.0.6.
xap/xine-lib-1rc5-i686-1.tgz: Upgraded to xine-lib-1-rc5.
xap/xine-ui-0.99.2-i686-1.tgz: Upgraded to xine-ui-0.99.2.
+--------------------------+
Mon Jul 26 14:09:31 PDT 2004
n/samba-3.0.5-i486-2.tgz: Rebuilt using --with-acl-support=no to avoid a
  dependency on libattr (found in the xfsprogs package). Thanks to
  Fredrik, Naresh Donti, and Dimitar Katerinski for pointing this out. It
  wasn't intentional (only the version number changed in the build script).
+--------------------------+
Sun Jul 25 15:55:05 PDT 2004
ap/gimp-print-4.2.7-i486-1.tgz: Upgraded to gimp-print-4.2.7.
d/distcc-2.16-i486-1.tgz: Upgraded to distcc-2.16.
d/doxygen-1.3.8-i486-1.tgz: Upgraded to doxygen-1.3.8.
l/glib2-2.4.4-i486-1.tgz: Upgraded to glib-2.4.4.
l/gtk+2-2.4.4-i486-1.tgz: Upgraded to gtk+-2.4.4.
n/getmail-4.0.0-noarch-1.tgz: Upgraded to getmail-4.0.0.
n/mod_ssl-2.8.19_1.3.31-i486-1.tgz: Upgraded to mod_ssl-2.8.19-1.3.31.
  This fixes a security hole (ssl_log() related format string vulnerability
  in mod_proxy hook functions), so sites using mod_ssl should upgrade to
  the new version. Be sure to back up your existing key files first.
  (* Security fix *)
n/samba-3.0.5-i486-1.tgz: Upgraded to samba-3.0.5.
  This fixes a buffer overflow in SWAT and another in the code supporting
  the 'mangling method = hash' smb.conf option (which is not the default).
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
  (* Security fix *)
xap/gimp-2.0.3-i486-1.tgz: Upgraded to gimp-2.0.3.
xap/xsane-0.94-i486-1.tgz: Upgraded to xsane-0.94.
testing/packages/gcc-3.4.1/gcc*-3.4.1-i486-1.tgz: Upgraded to gcc-3.4.1.
testing/packages/php-5.0.0/php-5.0.0-i486-2.tgz: Changed references in
  mod_php.conf from php4 to php5 (thanks to Foti Trendafilov and Marek
  Januszewski for the bug reports).
+--------------------------+
Wed Jul 21 13:50:18 PDT 2004
kde/koffice-1.3.2-i486-1.tgz: Upgraded to koffice-1.3.2.
kdei/koffice-i18n-*.tgz: Upgraded to koffice-i18n-1.3.2.
+--------------------------+
Tue Jul 20 22:05:23 PDT 2004
n/imapd-4.61-i486-1.tgz: Upgraded to IMAP4rev1 2004.352 from pine4.61.
n/php-4.3.8-i486-1.tgz: Upgraded to php-4.3.8.
  This release fixes two security problems in PHP (memory_limit handling
  and a problem in the strip_tags function). Sites using PHP should
  upgrade.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
  (* Security fix *)
n/pine-4.61-i486-1.tgz: Upgraded to pine4.61.
xap/gaim-0.80-i486-1.tgz: Upgraded to gaim-0.80 and gaim-encryption-2.28.
testing/packages/php-5.0.0/php-5.0.0-i486-1.tgz: Added php-5.0.0.
+--------------------------+
Sat Jun 26 16:02:45 PDT 2004
ap/vim-6.3.007-i486-1.tgz: Upgraded to patchlevel 007, fixed missing vim.mo
  files (sorry about that!!).
xap/gaim-0.79-i486-1.tgz: Upgraded to gaim-0.79 and gaim-encryption-2.27.
xap/gnuchess-4.0.pl80-i486-4.tgz: Fixed missing files. (thanks to grk)
xap/xvim-6.3.007-i486-1.tgz: Upgraded to patchlevel 007, fixed missing
  vim.mo files.
+--------------------------+
Tue Jun 22 01:34:56 PDT 2004
Slackware 10.0 is released. Thanks to everyone who helped out!