Slackers (Slackware current journal) - Slackware – GNU/Linux for SubGenii and Slackers

Archive for February 2009

21 Feb 2009

ChangeLog of 20 Feb 2009 23:20 UTC

Changes of 20/02/2009 in the Slackware -current changelog:

Fri Feb 20 17:20:49 CST 2009
a/cpio-2.9-i486-1.tgz: Upgraded to cpio-2.9.
ap/cdrtools-2.01.01a57-i486-2.tgz: Fixed build script to put the charset
conversion tables in /usr/lib/siconv. Hopefully this will work correctly
with k3b now. Thanks to Krasimir Kazakov for the bug report.
ap/sqlite-3.6.11-i486-1.tgz: Upgraded to sqlite-3.6.11.
d/git-1.6.1.3-i486-1.tgz: Upgraded to git-1.6.1.3.
This fixes a vulnerability where running git-diff or git-grep on a hostile
git repository would result in the execution of arbitrary code as the git user.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3546

(* Security fix *)
d/subversion-1.5.5-i486-1.tgz: Upgraded to subversion-1.5.5.
l/libpng-1.2.35-i486-1.tgz: Upgraded to libpng-1.2.35.
This fixes multiple memory-corruption vulnerabilities due to a failure to
properly initialize data structures.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040

ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt
(* Security fix *)
n/dnsmasq-2.47-i486-1.tgz: Upgraded to dnsmasq-2.47.
n/vsftpd-2.1.0-i486-1.tgz: Upgraded to vsftpd-2.1.0.
testing/packages/kde4/extragear/ktorrent-3.2-i486-1.tgz:
Upgraded to ktorrent-3.2.

12 Feb 2009

ChangeLog of 12 Feb 2009 01:23 UTC

Changes of 12/02/2009 in the Slackware -current changelog:

Wed Feb 11 19:23:47 CST 2009
testing/packages/kde4/kde/kdelibs-4.2.0-i486-3.tgz:
Reverted patch r918403 which broke ktorrent.

09 Feb 2009

ChangeLog of 09 Feb 2009 22:03 UTC

Changes of 09/02/2009 in the Slackware -current changelog:

Mon Feb 9 16:03:32 CST 2009
ap/cdrtools-2.01.01a57-i486-1.tgz: Upgraded to cdrtools-2.01.01a57.
Also, fixed a build script error so that the utilities look for locale files
in the correct directory. Thanks to Krasimir Kazakov for the bug report.
Anyone who had problems with k3b previously should upgrade this package.
extra/wicd/wicd-1.5.9-noarch-1.tgz: Upgraded to wicd-1.5.9.
This fixes a security problem with the D-Bus configuration file that allows
local users to intercept D-Bus messages, possibly including wireless network
credentials.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0489

(* Security fix *)
testing/packages/kde4/deps/eigen2-r922425-i486-1.tgz:
Upgraded to eigen2-r922425.
testing/packages/kde4/kde/kdelibs-4.2.0-i486-2.tgz: Added bugfix patches from
SVN: r917170, r918403, r918654, r918838.
testing/packages/kde4/kde/kdevelop-3.9.91-i486-1.tgz:
Upgraded to kdevelop-3.9.91.
testing/packages/kde4/kde/kdevplatform-0.9.91-i486-1.tgz:
Upgraded to kdevplatform-0.9.91.
testing/packages/kde4/kde/koffice-1.9.98.6-i486-1.tgz:
Upgraded to koffice-1.9.98.6.
testing/packages/kde4/kde-l10n/koffice-l10n-*-1.9.98.6-noarch-1.tgz:
Upgraded to koffice-1.9.98.6 l10n packages.

05 Feb 2009

ChangeLog of 05 Feb 2009 21:19 UTC

Changes of 05/02/2009 in the Slackware -current changelog:

Thu Feb 5 15:19:56 CST 2009
ap/ghostscript-8.64-i486-1.tgz: Upgraded to ghostscript-8.64.
Thanks to ABE Shin-ichi for updating the build script and testing CJK output.
xap/mozilla-firefox-3.0.6-i686-1.tgz:
Upgraded to firefox-3.0.6.
This fixes some security issues:
For more information, see:

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

(* Security fix *)

03 Feb 2009

ChangeLog of 02 Feb 2009 23:47 UTC

Changes of 02/02/2009 in the Slackware -current changelog:

Mon Feb 2 17:47:18 CST 2009
x/xdg-utils-1.0.2-noarch-3.tgz:
This update fixes two security issues. First, use of xdg-open in
/etc/mailcap was found to be unsafe — xdg-open passes along downloaded files
without indicating what mime type they initially presented themselves as,
leaving programs further down the processing chain to discover the file type
again. This makes it rather trivial to present a script (such as a .desktop
file) as a document type (like a PDF) so that it looks safe to click on in a
browser, but will result in the execution of an arbitrary script. It might
be safe to send files to trusted applications in /etc/mailcap, but it does
not seem to be safe to send files to xdg-open in /etc/mailcap.
This package will comment out calls to xdg-open in /etc/mailcap if they are
determined to have been added by a previous version of this package.
If you’ve made any local customizations to /etc/mailcap, be sure to check
that there are no uncommented calls to xdg-open after installing this update.
Thanks to Manuel Reimer for discovering this issue.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0068

Another bug in xdg-open fails to sanitize input properly allowing the
execution of arbitrary commands. This was fixed in the xdg-utils repository
quite some time ago (prior to the inclusion of xdg-utils in Slackware), but
was never fixed in the official release of xdg-utils. The sources for
xdg-utils in Slackware have now been updated from the repo to fix the problem.
For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0386

(* Security fix *)
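
The check the xdg-utils entry above asks for (no uncommented calls to xdg-open left in /etc/mailcap), written out as an added example that is not part of the Slackware ChangeLog or of the xdg-utils package. The function names and the sample mailcap are constructed for illustration, and the parsing is simplified: entries are split on ";" and joined across trailing-backslash continuations.

```shell
#!/bin/sh
# Added example (not from the ChangeLog): report active mailcap entries that
# call xdg-open. find_xdg_open_entries and sample_mailcap are hypothetical names.
# Output: one "<first line of entry>:<MIME type>" per offending entry.
find_xdg_open_entries() {
    awk '
    {
        line = $0
        if (!cont) {
            # Comments and blank lines only count outside a continuation.
            if (line ~ /^[ \t]*(#|$)/) next
            start = NR; buf = ""
        }
        # A trailing backslash continues the entry on the next line.
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; cont = 1; next }
        entry = buf line; cont = 0

        # Field 1 is the MIME type; every later field may carry a command
        # (view command, or named ones such as print=, compose=, edit=).
        n = split(entry, f, ";")
        type = f[1]; gsub(/^[ \t]+|[ \t]+$/, "", type)
        for (i = 2; i <= n; i++) {
            cmd = f[i]
            sub(/^[ \t]*[A-Za-z0-9-]+=/, "", cmd)   # drop a leading "key="
            # Match xdg-open as a whole word, with or without a path.
            if (cmd ~ /(^|[^A-Za-z0-9_-])xdg-open([^A-Za-z0-9_-]|$)/) {
                print start ":" type
                break
            }
        }
    }' "$@"
}

# Constructed sample input, not taken from a real system.
sample_mailcap() { cat <<'EOF'
# text/html; /usr/bin/xdg-open %s
application/pdf; /usr/bin/xdg-open %s
image/*; \
    xdg-open '%s'; test=test -n "$DISPLAY"
text/plain; less %s
audio/*; mpg123 %s; compose=xdg-open-helper %s
EOF
}

# Flags the entries starting on lines 2 and 3 of the sample.
sample_mailcap | find_xdg_open_entries
```

On a real system, call `find_xdg_open_entries /etc/mailcap` (and any per-user `~/.mailcap`); empty output means no active entry hands files to xdg-open.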
