Unix Technical Forum

SlackSec Packages Available for Download

#1
02-19-2008, 05:34 PM
+Alan Hicks+
SlackSec Packages Available for Download

Thought I'd post a little update here since our mailing list is still so
small. We've updated most of the vulnerabilities for Slackware-10.0 at
this time. I know of only two programs that are not yet updated, zip
and libxpm. A list of updates follows.

Kernel
======
Updated the kernel to 2.4.28 for various issues.

lvm
===
Patched LVM to fix an exploit that let a user overwrite files by
mounting a symlink attack on temporary files.

zlib
====
New version remedies a potential DOS attack.

dhcp
====
Upgraded to 3.0.1 to fix a buffer overflow.

shadow
======
This was a _tough_ one. There's a lot of differences between 10.0's
4.0.3 and 4.0.6 and backporting wasn't an easy option either. This
fixes a security bug in pwdcheck.c

samba
=====
Upgraded to 3.0.8 to fix numerous issues. No we have the plans to
upgrade to 3.0.9 at this time.

sudo
====
Fixes an issue that could allow privilege escalation.

You can find all these packages and source code at our primary mirror:
ftp://ftp.scarlet.be/pub/slacksec

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

#2
02-19-2008, 05:34 PM
Realto Margarino
Re: SlackSec Packages Available for Download

+Alan Hicks+ <alan@lizella.network> trolled:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Thought I'd post a little update here since our mailing list is
> still so small.


Your mailing list is small because nobody gives a fuck. You have
no credibility. So why are you posting this shit here? Why are
you posting this shit here when you know that nobody cares about
it?

You're trash. Stop posting to this group. Only a complete
imbecile would use software you've handled.

cordially, as always,

rm


#3
02-19-2008, 05:34 PM
Frederick Emmott
Re: SlackSec Packages Available for Download

Nicer links:

Samba: http://slacksec.info/update_1
PHP/gd: http://slacksec.info/update_2
Shadow: http://slacksec.info/update_3
Sudo: http://slacksec.info/update_5
Imagemagick: http://slacksec.info/update_7
LVM: http://slacksec.info/update_8
Apache: http://slacksec.info/update_9

#4
02-19-2008, 05:34 PM
Frederick Emmott
Re: SlackSec Packages Available for Download

> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Thought I'd post a little update here since our mailing list is
> > still so small.

>
> Your mailing list is small because nobody gives a fuck. You have
> no credibility. So why are you posting this shit here? Why are
> you posting this shit here when you know that nobody cares about
> it?
>
> You're trash. Stop posting to this group. Only a complete
> imbecile would use software you've handled.
>
> cordially, as always,
>
> rm
>


For the truly paranoid, there is still the option of downloading the
source dirs for our packages, running a diff between pat's last source
dir, and building your own package, which is still more convenient than
finding the patches and updates. We also offer RSS feeds and mailing
lists of alerts without any packages, just containing information on
security vulnerabilities and which slackware versions are affected by
them.

By the way, "small" does not mean "nobody". To be precise, 25.
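
The source-directory comparison described in the post above, sketched as an added example (not part of the original thread and not SlackSec's own tooling). The `stock` and `rebuilt` directory names, file names and file contents are constructed samples.

```shell
#!/bin/sh
# Added example. Directory names and file contents are constructed samples.

# One line per difference: "ADDED path", "REMOVED path" or "CHANGED path".
srcdir_changes() {
    old=$1 new=$2
    { (cd "$old" && find . -type f); (cd "$new" && find . -type f); } |
    LC_ALL=C sort -u | while IFS= read -r f; do
        f=${f#./}
        if [ ! -e "$old/$f" ]; then echo "ADDED $f"
        elif [ ! -e "$new/$f" ]; then echo "REMOVED $f"
        elif ! cmp -s "$old/$f" "$new/$f"; then echo "CHANGED $f"
        fi
    done
}

# Expand each difference into something a reviewer can read before building.
srcdir_review() {
    old=$1 new=$2
    srcdir_changes "$old" "$new" | while read -r kind f; do
        echo "== $kind $f"
        case $kind in
        CHANGED)
            # Text (build scripts, patches): unified diff. Binary: both hashes.
            if grep -Iq . "$old/$f" && grep -Iq . "$new/$f"; then
                diff -u "$old/$f" "$new/$f" || true  # exit 1 only means "differs"
            else
                sha256sum "$old/$f" "$new/$f"
            fi ;;
        ADDED)
            # Hash new files so they can be checked against an independent copy.
            sha256sum "$new/$f" ;;
        esac
    done
}

# Constructed sample trees standing in for the stock and rebuilt source dirs.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/stock" "$d/rebuilt"
    printf 'VERSION=4.0.3\n./configure && make\n' > "$d/stock/shadow.SlackBuild"
    printf 'VERSION=4.0.6\n./configure && make\n' > "$d/rebuilt/shadow.SlackBuild"
    echo 'shadow: password tools' | tee "$d/stock/slack-desc" > "$d/rebuilt/slack-desc"
    echo 'stand-in for the 4.0.3 tarball' > "$d/stock/shadow-4.0.3.tar.gz"
    echo 'stand-in for the 4.0.6 tarball' > "$d/rebuilt/shadow-4.0.6.tar.gz"
    echo "$d"
}

sample=$(make_sample)
srcdir_review "$sample/stock" "$sample/rebuilt"
rm -rf "$sample"
```

Every `CHANGED` build script or patch is small enough to read in full; an `ADDED` upstream tarball is the part that still has to be checked against a copy obtained some other way.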

#5
02-19-2008, 05:34 PM
jab3
Re: SlackSec Packages Available for Download

+Alan Hicks+ finally wrote on Saturday 20 November 2004 06:14 pm:

> shadow
> ======
> This was a _tough_ one. There's a lot of differences between 10.0's
> 4.0.3 and 4.0.6 and backporting wasn't an easy option either. This
> fixes a security bug in pwdcheck.c


About this one. I probably did something wrong, but I downloaded this (and
the others) from slacksec.info (or maybe from your link; I went to both)
and ran upgradepkg on it. I also upgraded the other packages. Then I just
happened to be looking at my downloads directory and saw chkrootkit. So I
installed it and ran it (v0.44). It said that /bin/login was *infected*.
I'm not sure what chkrootkit checks for, so perhaps the newer version threw
it for a loop, but I reinstalled the original shadow*.tgz from the CD and
re-ran chkrootkit and there were no complaints.

Any ideas?


Thanks,
jab3

> It is better to hear the rebuke of the wise,
> Than for a man to hear the song of fools.
> Ecclesiastes 7:5


The way of a fool is right in his own eyes,
but a wise man listens to advice.
Proverbs 12:15

#6
02-19-2008, 05:34 PM
+Alan Hicks+
Re: SlackSec Packages Available for Download

In alt.os.linux.slackware, jab3 dared to utter,
>> shadow

>
> About this one. I probably did something wrong, but I downloaded this (and
> the others) from slacksec.info (or maybe from your link; I went to both)
> and ran upgradepkg on it. I also upgraded the other packages. Then I just
> happened to be looking at my downloads directory and saw chkrootkit. So I
> installed it and ran it (v0.44). It said that /bin/login was *infected*.


Not sure, but it's worth asking the people who put together chkrootkit.
It may be a simple false positive (these things do happen after all).
Thanks for clueing me in. I'll check this out myself Real Soon Now(TM).
The shadow source code doesn't come with gpg sigs or md5s so it's even
possible that the source code on their ftp site was trojaned, but
there's no need to jump to conclusions. At the worst I'll email the
shadow maintainer and ask him.

>> It is better to hear the rebuke of the wise,
>> Than for a man to hear the song of fools.
>> Ecclesiastes 7:5

>
> The way of a fool is right in his own eyes,
> but a wise man listens to advice.
> Proverbs 12:15


Now that is what I'm talking about. :^)

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

#7
02-19-2008, 05:34 PM
Realto Margarino
Re: SlackSec Packages Available for Download

+Alan Hicks+ <alan@lizella.network> trolled:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In alt.os.linux.slackware, jab3 dared to utter,
>>> shadow

>>
>> About this one. I probably did something wrong, but I
>> downloaded this (and the others) from slacksec.info (or maybe
>> from your link; I went to both) and ran upgradepkg on it. I
>> also upgraded the other packages. Then I just happened to be
>> looking at my downloads directory and saw chkrootkit. So I
>> installed it and ran it (v0.44). It said that /bin/login was
>> *infected*.

>
> Not sure, but it's worth asking the people who put together
> chkrootkit. It may be a simple false positive (these things do
> happen after all).


Yes, these things do happen, especially when you're involved.
You're just a chickenshit little vulture, circling Volkerding's
bed.

Bugger off.

cordially, as always,

rm

#8
02-19-2008, 05:34 PM
chud
Re: SlackSec Packages Available for Download

On Sat, 20 Nov 2004 21:22:53 -0500, jab3 wrote:

>
> About this one. I probably did something wrong, but I downloaded this (and
> the others) from slacksec.info (or maybe from your link; I went to both)
> and ran upgradepkg on it. I also upgraded the other packages. Then I just
> happened to be looking at my downloads directory and saw chkrootkit. So I
> installed it and ran it (v0.44). It said that /bin/login was *infected*.
> I'm not sure what chkrootkit checks for, so perhaps the newer version threw
> it for a loop, but I reinstalled the original shadow*.tgz from the CD and
> re-ran chkrootkit and there were no complaints.
>
> Any ideas?
>
>
> Thanks,
> jab3
>


Had the same thing happen on my system.
I reinstalled 4.0.3 and chkrootkit was happy again.

btw, when you uninstall the shadow package, you lose login and su. Makes
it tough to do much of anything useful afterwards. Just a heads up to the
clueless (like me, duh).


#9
02-19-2008, 05:34 PM
Matt Darby
Viso and CUPS

When printing to either a printer shared via CUPS or a virtual PDF
printer (hosted also via CUPS), all text is replaced with crushed
together gibberish.

I've seen this happen via Slackware and Debian with the newest version
of CUPS. CUPS printers also have issues printing from MS Project.

I've searched the net with no luck; Has anyone experienced this problem?

Matt Darby

#10
02-19-2008, 05:34 PM
Kai Brust
Re: SlackSec Packages Available for Download

+Alan Hicks+ <alan@lizella.netWORK> writes:

> Thought I'd post a little update here since our mailing list is still so
> small. We've updated most of the vulnerabilities for Slackware-10.0 at
> this time. I know of only two programs that are not yet updated, zip
> and libxpm. A list of updates follows.
>
> Kernel
> ======
> Updated the kernel to 2.4.28 for various issues.


Hmmmm. A new kernel... Where are the ALSA drivers for this one?

All times are GMT.