Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0373 -- [UNIX/Linux] New m4 packages are available 10 April 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: m4 Publisher: Slackware Operating System: UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Access: Existing Account CVE Names: CVE-2008-1688 CVE-2008-1687 Original Bulletin: http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.510612 Comment: This advisory references vulnerabilties in products which run on platforms other than Slackware. It is recommended that administrators running m4 check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] m4 (SSA:2008-098-01) New m4 packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues. More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688 Here are the details from the Slackware 12.0 ChangeLog: +--------------------------+ patches/packages/m4-1.4.11-i486-1_slack12.0.tgz: Upgraded to m4-1.4.11. In addition to bugfixes and enhancements, this version of m4 also fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code. For more information on these issues, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ HINT: Getting slow download speeds from ftp.slackware.com? Give slackware.osuosl.org a try. This is another primary FTP site for Slackware that can be considerably faster than downloading directly from ftp.slackware.com. Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating additional FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/m4-1.4.11-i386-1_slack8.1.tgz Updated package for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/m4-1.4.11-i386-1_slack9.0.tgz Updated package for Slackware 9.1: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/m4-1.4.11-i486-1_slack9.1.tgz Updated package for Slackware 10.0: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/m4-1.4.11-i486-1_slack10.0.tgz Updated package for Slackware 10.1: ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/m4-1.4.11-i486-1_slack10.1.tgz Updated package for Slackware 10.2: ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/m4-1.4.11-i486-1_slack10.2.tgz Updated package for Slackware 11.0: ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/m4-1.4.11-i486-1_slack11.0.tgz Updated package for Slackware 12.0: ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/m4-1.4.11-i486-1_slack12.0.tgz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/m4-1.4.11-i486-1.tgz MD5 signatures: +-------------+ Slackware 8.1 package: 1179fae2c4429945c3e6441fed82709d m4-1.4.11-i386-1_slack8.1.tgz Slackware 9.0 package: d9e5769918dc1741db6bb2619f060995 m4-1.4.11-i386-1_slack9.0.tgz Slackware 9.1 package: 796f62a0d275b1e9bc4bad8d40595a4e m4-1.4.11-i486-1_slack9.1.tgz Slackware 10.0 package: 032835fa9f150839ca0dfac4c73a5498 m4-1.4.11-i486-1_slack10.0.tgz Slackware 10.1 package: e0dd3949d996a8fa12bc480fe2d4eda5 m4-1.4.11-i486-1_slack10.1.tgz Slackware 10.2 package: 690aa0ae07fcb68096b7122f304a9ea1 m4-1.4.11-i486-1_slack10.2.tgz Slackware 11.0 package: c48865785be7e2ea5357a43bd625a17f m4-1.4.11-i486-1_slack11.0.tgz Slackware 12.0 package: 6655deb1e644f356b2ccf74edd3c9d4e m4-1.4.11-i486-1_slack12.0.tgz Slackware -current package: b56a401503f4285ff0f660bc6da769b8 m4-1.4.11-i486-1.tgz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg m4-1.4.11-i486-1_slack12.0.tgz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkf5yf0ACgkQakRjwEAQIjNNvgCfeufBwAekfHgHEokUxPc65bDd +mIAnjc7Ouf+IjiSmT9LypKqdm+UXPRU =XJwz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR/1vByh9+71yA2DNAQLg/AP+KIYjtN2CzPgpr+HqtqpF0KEXl4vVk5sz glbxmO6AK5Neb0Qgss0bhbazc0l3QFvtzYF9Pxz2q6F147pavYEKdjk414qnrAnf HM8m5n4HaOspgBDKcwppxlyKPg7NiXUGU9Adqo765AMsUKEWY6QRrHHulQj7nKk8 GB7ZwAToyYY= =69ba -----END PGP SIGNATURE-----