Date: Tue, 30 Nov 1999 12:11:56 -0800 (PST) From: David Cantrell <david@slackware.com> To: slackware-announce@slackware.com Subject: New Patches for Slackware 4.0 Available There are several bug fixes available for Slackware 4.0. Though they have not been tested on all previous releases of Slackware, they should work for any libc5 Slackware system (4.0 and previous). The patches for Slackware 4.0 can be found in the /patches subdirectory on the ftp site: ftp.cdrom.com:/pub/linux/slackware-4.0/patches The ChangeLog.txt file in that directory will show what has been patched and why. Here is a short overview of the current patches available: bind.tgz Upgraded to bind-8.2.2-P5. This fixes a vulnerability in the processing of NXT records that can be used in a DoS attack or (theoretically) be exploited to gain access to the server. It is suggested that everyone running bind upgrade to this package as soon as possible. nfs-server.tgz Upgraded to nfs-server-2.2beta47, to fix a security problem with the versions prior to 2.2beta47. By using a long pathname on a directory NFS mounted read-write, it may be possible for an attacker to execute arbitrary code on the server. It is recommended that everyone running an NFS server upgrade to this package immediately. pine.tgz Upgrades Pine to version 4.21. Versions prior to 4.0 have a Y2K bug where the date sorting will not work properly when the new century begins. imapd.tgz Upgrades imapd to the version from Pine 4.21 sysklogd.tgz It's possible to hang a machine and cause a denial of service by opening many connections to the syslogd shipped with Slackware 4.0 and earlier. This package upgrades to sysklogd-1.3-33, which fixes the problem. wuftpd.tgz Relinked against -lshadow, enabling MD5 shadow password support. These packages are designed to be installed on top of an existing Slackware 4.0 system. In the case where a package already exists (such as the pine.tgz one), you should use upgradepkg (if available) to install the patch. For other fixes, you can just use installpkg to install the patch. NOTE: For packages that replace daemons on the system (such as bind), you need to make sure that you stop the daemon before installing the package. Otherwise the file may not be updated properly because it is in use. You can either stop the daemon manually or go into single user mode and then go back to multiuser mode. Example: # telinit 1 Go into single user mode # upgradepkg bind Perform the upgrade # telinit 3 Go back to multiuser mode Remember to back up configuration files before performing upgrades. - The Slackware Linux Project http://www.slackware.com