The Slackware Linux Project: Slackware Security Advisories

Slackware Security Advisories

News

Security Advisories

FAQ
Book
General Info
Get Slack
Install Help
Configuration
Packages
ChangeLogs
Propaganda
Ports
Other Sites
Support
Contact
Mailing Lists

About

From: David Cantrell <david@slackware.com>
To: slackware-security@slackware.com
Subject: Security Fixes for Slackware 4.0 Available
Date: Tue, 30 Nov 1999 12:13:36 -0800 (PST)

There are several security updates available for Slackware 4.0.  These
patches should work on any libc5 Slackware system, but we have not tested
them on each of the previous releases.  We will always post bug fixes and
security fixes to the /patches subdirectory on the ftp site:

   ftp.cdrom.com:/pub/linux/slackware-4.0/patches

The ChangeLog.txt file in that directory will show what has been patched and
why.  Here is a short overview of the current patches available:



   =======================
   BIND-8.2.2-P5 available
   =======================

   CERT Advisory CA-99-14 Multiple Vulnerabilities in BIND:

        http://www.cert.org/advisories/CA-99-14-bind.html

   Six vulnerabilities have been found in BIND, the popular domain name
   server from the Internet Software Consortium (ISC).  One of these
   vulnerabilities may allow remote intruders to gain priviledged access
   to name servers.

   It is recommended that all systems running the BIND package that
   shipped with Slackware 7.0 upgrade to this one.  Here is the ChangeLog
   description:

   bind.tgz       Upgraded to bind-8.2.2-P5.  This fixes a vulnerability
                  in the processing of NXT records that can be used in a
                  DoS attack or (theoretically) be exploited to gain access 
                  to the server.  It is suggested that everyone running 
                  bind upgrade to this package as soon as possible.



   ==============================
   nfs-server-2.2beta47 available
   ==============================

   It is recommended that all Slackware 4.0 systems using NFS upgrade to
   nfs-server 2.2beta47 to patch a possible exploit.  Here is the
   ChangeLog description:

   nfs-server.tgz Upgraded to nfs-server-2.2beta47, to fix a security problem 
                  found in nfs-server-2.2beta46 and earlier.  By using a long 
                  pathname on a directory NFS mounted read-write, it may be 
                  possible for an attacker to execute arbitrary code on the 
                  server.  It is recommended that everyone running an NFS 
                  server upgrade to this package immediately.


These packages are designed to be installed on top of an existing Slackware
4.0 installation.  In the case where a package already exists (such as
bind.tgz), it is adviseable to use upgradepkg.  For other fixes (such as the
nfs-server.tgz one), you can just use installpkg to install the fix.

NOTE:  For packages that replace daemons on the system (such as bind), you 
need to make sure that you stop the daemon before installing the package.  
Otherwise the file may not be updated properly because it is in use.  You 
can either stop the daemon manually or go into single user mode and then 
go back to multiuser mode.  Example:

        # telinit 1             Go into single user mode
        # upgradepkg bind       Perform the upgrade
        # telinit 3             Go back to multiuser mode

Remember to back up configuration files before performing upgrades.

- The Slackware Linux Project
  http://www.slackware.com

Slackware™ is a trademark of Patrick Volkerding.