changelog_14.2
Differences
This shows you the differences between two versions of the page.
changelog_14.2 [2022/05/03 14:39] – [2022-04-02] connie | changelog_14.2 [2023/12/13 23:08] – [2023-11-08] connie | ||
---|---|---|---|
Line 2: | Line 2: | ||
Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. | Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. | ||
+ | |||
+ | ==== 2023-12-13 ==== | ||
+ | |||
+ | **libxml2-2.12.3**: | ||
+ | This update addresses regressions when building against libxml2 that were | ||
+ | due to header file refactoring. | ||
+ | |||
+ | **libxml2-2.12.2**: | ||
+ | Add --sysconfdir=/ | ||
+ | Thanks to SpiderTux. | ||
+ | Fix the following security issues: | ||
+ | Fix integer overflows with XML_PARSE_HUGE. | ||
+ | Fix dict corruption caused by entity reference cycles. | ||
+ | Hashing of empty dict strings isn't deterministic. | ||
+ | Fix null deref in xmlSchemaFixupComplexType. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20231117**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **sudo-1.9.15p1**: | ||
+ | This is a bugfix release: | ||
+ | Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers | ||
+ | from being able to read the ldap.conf file. | ||
+ | |||
+ | ==== 2023-11-08 ==== | ||
+ | |||
+ | **sudo-1.9.15**: | ||
+ | The sudoers plugin has been modified to make it more resilient to ROWHAMMER | ||
+ | attacks on authentication and policy matching. | ||
+ | The sudoers plugin now constructs the user time stamp file path name using | ||
+ | the user-ID instead of the user name. This avoids a potential problem with | ||
+ | user names that contain a path separator ('/' | ||
+ | the path name. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2023-10-20 ==== | ||
+ | |||
+ | **httpd-2.4.58**: | ||
+ | This update fixes bugs and security issues: | ||
+ | moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed | ||
+ | right away on RST. | ||
+ | low: mod_macro buffer over-read. | ||
+ | low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-10-16 ==== | ||
+ | |||
+ | **curl-8.4.0**: | ||
+ | This update fixes security issues: | ||
+ | Cookie injection with none file. | ||
+ | SOCKS5 heap buffer overflow. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | < | ||
+ | Mon Oct 9 18:10:01 UTC 2023 | ||
+ | #################################################################### | ||
+ | # NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS # | ||
+ | # # | ||
+ | # Effective January 1, 2024, security patches will no longer be # | ||
+ | # provided for the following versions of Slackware (which will all # | ||
+ | # be more than 7 years old at that time): | ||
+ | # | ||
+ | # If you are still running these versions you should consider | ||
+ | # migrating to a newer version (preferably as recent as possible). # | ||
+ | # Alternately, | ||
+ | # security patches. | ||
+ | #################################################################### | ||
+ | </ | ||
+ | |||
+ | ==== 2023-10-04 ==== | ||
+ | |||
+ | **libX11-1.8.7**: | ||
+ | This update fixes security issues: | ||
+ | libX11: out-of-bounds memory access in _XkbReadKeySyms(). | ||
+ | libX11: stack exhaustion from infinite recursion in PutSubImage(). | ||
+ | libX11: integer overflow in XCreateImage() leading to a heap overflow. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libXpm-3.5.17**: | ||
+ | This update fixes security issues: | ||
+ | libXpm: out of bounds read in XpmCreateXpmImageFromBuffer(). | ||
+ | libXpm: out of bounds read on XPM with corrupted colormap. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | This update fixes bugs and a security issue: | ||
+ | Fixed Heap-based buffer overflow when reading Postscript in PPD files. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **netatalk-3.1.17**: | ||
+ | This update fixes bugs and a security issue: | ||
+ | Validate data type in dalloc_value_for_key(). This flaw could allow a | ||
+ | malicious actor to cause Netatalk' | ||
+ | execute arbitrary code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.3.0**: | ||
+ | This update fixes a security issue: | ||
+ | HTTP headers eat all memory. | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libarchive-3.7.2**: | ||
+ | This update fixes multiple security vulnerabilities in the PAX writer: | ||
+ | Heap overflow in url_encode() in archive_write_set_format_pax.c. | ||
+ | NULL dereference in archive_write_pax_header_xattrs(). | ||
+ | Another NULL dereference in archive_write_pax_header_xattrs(). | ||
+ | NULL dereference in archive_write_pax_header_xattr(). | ||
+ | (**Security fix**) | ||
+ | |||
+ | **netatalk-3.1.16**: | ||
+ | This update fixes bugs and security issues. | ||
+ | Shared library .so-version bump. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.2.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **whois-5.5.18**: | ||
+ | Updated the .ga TLD server. | ||
+ | Added new recovered IPv4 allocations. | ||
+ | Removed the delegation of 43.0.0.0/8 to JPNIC. | ||
+ | Removed 12 new gTLDs which are no longer active. | ||
+ | Improved the man page source, courtesy of Bjarni Ingi Gislason. | ||
+ | Added the .edu.za SLD server. | ||
+ | Updated the .alt.za SLD server. | ||
+ | Added the -ru and -su NIC handles servers. | ||
+ | |||
+ | **ca-certificates-20230721**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **curl-8.2.0**: | ||
+ | This update fixes a security issue: | ||
+ | fopen race condition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sudo-1.9.14p2**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **sudo-1.9.14p1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed use-after-free when logging warnings in case of failures | ||
+ | in cupsdAcceptClient(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-06-15 ==== | ||
+ | |||
+ | **libX11-1.8.6**: | ||
+ | This update fixes buffer overflows in InitExt.c that could at least cause | ||
+ | the client to crash due to memory corruption. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ntp-4.2.8p17**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | |||
+ | ==== 2023-06-06 ==== | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed a heap buffer overflow in _cups_strlcpy(), | ||
+ | cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote | ||
+ | attacker to launch a denial of service (DoS) attack, or possibly execute | ||
+ | arbirary code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ntp-4.2.8p16**: | ||
+ | This update fixes bugs and security issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.1.2**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | ==== 2023-05-26 ==== | ||
+ | |||
+ | **ntfs-3g-2022.10.3**: | ||
+ | Fixed vulnerabilities that may allow an attacker using a maliciously | ||
+ | crafted NTFS-formatted image file or external storage to potentially | ||
+ | execute arbitrary privileged code or cause a denial of service. | ||
+ | Thanks to opty. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.1.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | |||
+ | ==== 2023-05-18 ==== | ||
+ | |||
+ | **curl-8.1.0**: | ||
+ | This update fixes security issues: | ||
+ | more POST-after-PUT confusion. | ||
+ | IDN wildcard match. | ||
+ | siglongjmp race condition. | ||
+ | UAF in SSH sha256 fingerprint check. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20230506**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2023-05-05 ==== | ||
+ | |||
+ | **libssh-0.10.5**: | ||
+ | This update fixes security issues: | ||
+ | A NULL dereference during rekeying with algorithm guessing. | ||
+ | A possible authorization bypass in pki_verify_data_signature under | ||
+ | low-memory conditions. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **whois-5.5.17**: | ||
+ | Added the .cd TLD server. | ||
+ | Updated the -kg NIC handles server name. | ||
+ | Removed 2 new gTLDs which are no longer active. | ||
+ | |||
+ | |||
+ | ==== 2023-05-01 ==== | ||
+ | |||
+ | **netatalk-3.1.15**: | ||
+ | This update fixes security issues, including a critical vulnerability that | ||
+ | allows remote attackers to execute arbitrary code on affected installations | ||
+ | of Netatalk. Authentication is not required to exploit this vulnerability. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-04-25 ==== | ||
+ | |||
+ | **git-2.30.9**: | ||
+ | This update fixes security issues: | ||
+ | By feeding specially crafted input to `git apply --reject`, a | ||
+ | path outside the working tree can be overwritten with partially | ||
+ | controlled contents (corresponding to the rejected hunk(s) from | ||
+ | the given patch). | ||
+ | When Git is compiled with runtime prefix support and runs without | ||
+ | translated messages, it still used the gettext machinery to | ||
+ | display messages, which subsequently potentially looked for | ||
+ | translated messages in unexpected places. This allowed for | ||
+ | malicious placement of crafted messages. | ||
+ | When renaming or deleting a section from a configuration file, | ||
+ | certain malicious configuration values may be misinterpreted as | ||
+ | the beginning of a new configuration section, leading to arbitrary | ||
+ | configuration injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.57**: | ||
+ | This is a bugfix release. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | |||
+ | ==== 2023-04-03 ==== | ||
+ | |||
+ | **irssi-1.4.4**: | ||
+ | Do not crash Irssi when one line is printed as the result of another line | ||
+ | being printed. | ||
+ | Also solve a memory leak while printing unformatted lines. | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2023c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **tar-1.29**: | ||
+ | GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use | ||
+ | of uninitialized memory for a conditional jump. Exploitation to change the | ||
+ | flow of control has not been demonstrated. The issue occurs in from_header | ||
+ | in list.c via a V7 archive in which mtime has approximately 11 whitespace | ||
+ | characters. | ||
+ | Thanks to marav for the heads-up. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2023-03-22 ==== | ||
+ | |||
+ | **curl-8.0.1**: | ||
+ | * This update fixes security issues: | ||
+ | * SSH connection too eager reuse still. | ||
+ | * HSTS double-free. | ||
+ | * GSS delegation too eager connection re-use. | ||
+ | * FTP too eager connection reuse. | ||
+ | * SFTP path ~ resolving discrepancy. | ||
+ | * TELNET option IAC injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-03-08 ==== | ||
+ | |||
+ | **httpd-2.4.56**: | ||
+ | This update fixes two security issues: | ||
+ | HTTP Response Smuggling vulnerability via mod_proxy_uwsgi. | ||
+ | HTTP Request Smuggling attack via mod_rewrite and mod_proxy. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sudo-1.9.13p3**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **whois-5.5.16**: | ||
+ | Add bash completion support, courtesy of Ville Skytta. | ||
+ | Updated the .tr TLD server. | ||
+ | Removed support for -metu NIC handles. | ||
+ | |||
+ | **curl-7.88.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | ==== 2023-02-16 ==== | ||
+ | |||
+ | **curl-7.88.0**: | ||
+ | This update fixes security issues: | ||
+ | HTTP multi-header compression denial of service. | ||
+ | HSTS amnesia with --parallel. | ||
+ | HSTS ignored on multiple requests. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **git-2.30.8**: | ||
+ | This update fixes security issues: | ||
+ | Using a specially-crafted repository, Git can be tricked into using | ||
+ | its local clone optimization even when using a non-local transport. | ||
+ | Though Git will abort local clones whose source $GIT_DIR/ | ||
+ | directory contains symbolic links (c.f., CVE-2022-39253), | ||
+ | directory itself may still be a symbolic link. | ||
+ | These two may be combined to include arbitrary files based on known | ||
+ | paths on the victim' | ||
+ | working copy, allowing for data exfiltration in a similar manner as | ||
+ | CVE-2022-39253. | ||
+ | By feeding a crafted input to "git apply", | ||
+ | working tree can be overwritten as the user who is running "git | ||
+ | apply" | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-19 ==== | ||
+ | |||
+ | **sudo-1.9.12p2**: | ||
+ | This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow | ||
+ | a malicious user with sudoedit privileges to edit arbitrary files. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-18 ==== | ||
+ | |||
+ | **git-2.30.7**: | ||
+ | This release fixes two security issues: | ||
+ | * CVE-2022-41903: | ||
+ | git log has the ability to display commits using an arbitrary | ||
+ | format with its --format specifiers. This functionality is also | ||
+ | exposed to git archive via the export-subst gitattribute. | ||
+ | When processing the padding operators (e.g., %<(, %<|(, %>(, | ||
+ | %>>(, or %><( ), an integer overflow can occur in | ||
+ | pretty.c:: | ||
+ | stored as an int, and then added as an offset to a subsequent | ||
+ | memcpy() call. | ||
+ | This overflow can be triggered directly by a user running a | ||
+ | command which invokes the commit formatting machinery (e.g., git | ||
+ | log --format=...). It may also be triggered indirectly through | ||
+ | git archive via the export-subst mechanism, which expands format | ||
+ | specifiers inside of files within the repository during a git | ||
+ | archive. | ||
+ | This integer overflow can result in arbitrary heap writes, which | ||
+ | may result in remote code execution. | ||
+ | * CVE-2022-23521: | ||
+ | gitattributes are a mechanism to allow defining attributes for | ||
+ | paths. These attributes can be defined by adding a `.gitattributes` | ||
+ | file to the repository, which contains a set of file patterns and | ||
+ | the attributes that should be set for paths matching this pattern. | ||
+ | When parsing gitattributes, | ||
+ | when there is a huge number of path patterns, a huge number of | ||
+ | attributes for a single pattern, or when the declared attribute | ||
+ | names are huge. | ||
+ | These overflows can be triggered via a crafted `.gitattributes` file | ||
+ | that may be part of the commit history. Git silently splits lines | ||
+ | longer than 2KB when parsing gitattributes from a file, but not when | ||
+ | parsing them from the index. Consequentially, | ||
+ | depends on whether the file exists in the working tree, the index or | ||
+ | both. | ||
+ | This integer overflow can result in arbitrary heap reads and writes, | ||
+ | which may result in remote code execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.55**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | mod_proxy allows a backend to trigger HTTP response splitting. | ||
+ | mod_proxy_ajp possible request smuggling. | ||
+ | mod_dav out of bounds read, or write of zero byte. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libXpm-3.5.15**: | ||
+ | This update fixes security issues: | ||
+ | Infinite loop on unclosed comments. | ||
+ | Runaway loop with width of 0 and enormous height. | ||
+ | Compression commands depend on $PATH. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-15 ==== | ||
+ | |||
+ | **netatalk-3.1.14**: | ||
+ | Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow | ||
+ | resulting in code execution via a crafted .appl file. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20221205**: | ||
+ | Make sure that if we're installing this package on another partition (such as | ||
+ | when using installpkg with a --root parameter) that the updates are done on | ||
+ | that partition. Thanks to fulalas. | ||
+ | |||
+ | |||
+ | ==== 2023-01-04 ==== | ||
+ | |||
+ | **libtiff-4.4.0**: | ||
+ | Patched various security bugs. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **whois-5.5.15**: | ||
+ | Updated the .bd, .nz and .tv TLD servers. | ||
+ | Added the .llyw.cymru, | ||
+ | Updated the .ac.uk and .gov.uk SLD servers. | ||
+ | Recursion has been enabled for whois.nic.tv. | ||
+ | Updated the list of new gTLDs with four generic TLDs assigned in October 2013 | ||
+ | which were missing due to a bug. | ||
+ | Removed 4 new gTLDs which are no longer active. | ||
+ | Added the Georgian translation, | ||
+ | Updated the Finnish translation, | ||
+ | |||
+ | ==== 2022-12-22 ==== | ||
+ | |||
+ | **curl-7.87.0**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **libksba-1.6.3**: | ||
+ | Fix another integer overflow in the CRL's signature parser. | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sdl-1.2.15**: | ||
+ | This update fixes a heap overflow problem in video/ | ||
+ | By crafting a malicious .BMP file, an attacker can cause the application | ||
+ | using this library to crash, denial of service, or code execution. | ||
+ | Thanks to marav for the heads-up. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libarchive-3.6.2**: | ||
+ | This update fixes a regression causing a failure to compile against | ||
+ | libarchive: don't include iconv in libarchive.pc. | ||
+ | |||
+ | **libarchive-3.6.2**: | ||
+ | This is a bugfix and security release. | ||
+ | Relevant bugfixes: | ||
+ | * rar5 reader: fix possible garbled output with bsdtar -O (#1745) | ||
+ | * mtree reader: support reading mtree files with tabs (#1783) | ||
+ | Security fixes: | ||
+ | * various small fixes for issues found by CodeQL | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20221205**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **glibc-zoneinfo-2022g**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2022-11-09 ==== | ||
+ | |||
+ | **sysstat-12.7.1**: | ||
+ | On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, | ||
+ | allocate_structures contains a size_t overflow in sa_common.c. The | ||
+ | allocate_structures function insufficiently checks bounds before arithmetic | ||
+ | multiplication, | ||
+ | buffer representing system activities. | ||
+ | This issue may lead to Remote Code Execution (RCE). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022f**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **sudo-1.9.12p1**: | ||
+ | Fixed a potential out-of-bounds write for passwords smaller than 8 | ||
+ | characters when passwd authentication is enabled. | ||
+ | This does not affect configurations that use other authentication | ||
+ | methods such as PAM, AIX authentication or BSD authentication. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-7.86.0**: | ||
+ | This update fixes security issues: | ||
+ | HSTS bypass via IDN. | ||
+ | HTTP proxy double-free. | ||
+ | .netrc parser out-of-bounds access. | ||
+ | POST following PUT confusion. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | This update fixes a security issue: | ||
+ | Fix heap use-after-free after overeager destruction of a shared DTD in | ||
+ | function XML_ExternalEntityParserCreate in out-of-memory situations. | ||
+ | Expected impact is denial of service or potentially arbitrary code | ||
+ | execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **rsync-3.2.7**: | ||
+ | This is a bugfix release, fixing the list of supported auth checksums when | ||
+ | rsync is built against 1.0.x. | ||
+ | Thanks to niksoggia. | ||
+ | |||
+ | **rsync-3.2.7**: | ||
+ | This is a bugfix release. | ||
+ | Notably, this addresses some regressions caused by the file-list validation | ||
+ | fix in rsync-3.2.5. | ||
+ | Thanks to llgar. | ||
+ | |||
+ | **whois-5.5.14**: | ||
+ | This update adds the .bf and .sd TLD servers, removes the .gu TLD server, | ||
+ | updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for | ||
+ | whois.nic.tr, | ||
+ | list of RIPE-like servers (because it is not one anymore), renames | ||
+ | whois.arnes.si to whois.register.si in the list of RIPE-like servers, and | ||
+ | adds the hiding string for whois.auda.org.au. | ||
+ | |||
+ | **git-2.30.6**: | ||
+ | This release fixes two security issues: | ||
+ | * CVE-2022-39253: | ||
+ | When relying on the `--local` clone optimization, | ||
+ | symbolic links in the source repository before creating hardlinks | ||
+ | (or copies) of the dereferenced link in the destination repository. | ||
+ | This can lead to surprising behavior where arbitrary files are | ||
+ | present in a repository' | ||
+ | repository. | ||
+ | Git will no longer dereference symbolic links via the `--local` | ||
+ | clone mechanism, and will instead refuse to clone repositories that | ||
+ | have symbolic links present in the `$GIT_DIR/ | ||
+ | Additionally, | ||
+ | " | ||
+ | * CVE-2022-39260: | ||
+ | An overly-long command string given to `git shell` can result in | ||
+ | overflow in `split_cmdline()`, | ||
+ | remote code execution when `git shell` is exposed and the directory | ||
+ | `$HOME/ | ||
+ | `git shell` is taught to refuse interactive commands that are | ||
+ | longer than 4MiB in size. `split_cmdline()` is hardened to reject | ||
+ | inputs larger than 2GiB. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-10-17 ==== | ||
+ | |||
+ | **glibc-zoneinfo-2022e**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **zlib-1.2.13**: | ||
+ | Fixed a bug when getting a gzip header extra field with inflateGetHeader(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libksba-1.6.2**: | ||
+ | Detect a possible overflow directly in the TLV parser. | ||
+ | This patch detects possible integer overflows immmediately when creating | ||
+ | the TI object. | ||
+ | Reported-by: | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-10-05 ==== | ||
+ | |||
+ | **dhcp-4.4.3_P1**: | ||
+ | This update fixes two security issues: | ||
+ | Corrected a reference count leak that occurs when the server builds | ||
+ | responses to leasequery packets. | ||
+ | Corrected a memory leak that occurs when unpacking a packet that has an | ||
+ | FQDN option (81) that contains a label with length greater than 63 bytes. | ||
+ | Thanks to VictorV of Cyber Kunlun Lab for reporting these issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022d**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **dnsmasq-2.87**: | ||
+ | Fix write-after-free error in DHCPv6 server code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20220922**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | This update fixes a security issue: | ||
+ | Heap use-after-free vulnerability in function doContent. Expected impact is | ||
+ | denial of service or potentially arbitrary code execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-09-01 ==== | ||
+ | |||
+ | **curl-7.85.0**: | ||
+ | This update fixes a security issue: | ||
+ | control code in cookie denial of service. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2022-08-15 ==== | ||
+ | |||
+ | **rsync-3.2.5**: | ||
+ | Added some file-list safety checking that helps to ensure that a rogue | ||
+ | sending rsync can't add unrequested top-level names and/or include recursive | ||
+ | names that should have been excluded by the sender. These extra safety | ||
+ | checks only require the receiver rsync to be updated. When dealing with an | ||
+ | untrusted sending host, it is safest to copy into a dedicated destination | ||
+ | directory for the remote content (i.e. don't copy into a destination | ||
+ | directory that contains files that aren't from the remote host unless you | ||
+ | trust the remote host). | ||
+ | For more information, | ||
+ | | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022b**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **zlib-1.2.12**: | ||
+ | This is a bugfix update. | ||
+ | Applied an upstream patch to restore the handling of CRC inputs to be the | ||
+ | same as in previous releases of zlib. This fixes an issue with OpenJDK. | ||
+ | Thanks to alienBOB. | ||
+ | |||
+ | |||
+ | ==== 2022-07-10 ==== | ||
+ | |||
+ | **wavpack-5.5.0**: | ||
+ | WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially | ||
+ | crafted DSD file causes an out-of-bounds read exception. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-06-30 ==== | ||
+ | |||
+ | **curl-7.84.0**: | ||
+ | This update fixes security issues: | ||
+ | Set-Cookie denial of service. | ||
+ | HTTP compression denial of service. | ||
+ | Unpreserved file permissions. | ||
+ | FTP-KRB bad message verification. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | We're sending out the Slackware 14.2 updates again because the package | ||
+ | build number wasn't incremented which caused slackpkg to not pick up the | ||
+ | updates. It's been bumped and the packages rebuilt - otherwise there are | ||
+ | no new changes. Thanks to John Jenkins for the report. | ||
+ | For reference, here's the information from the previous advisory: | ||
+ | In addition to the c_rehash shell command injection identified in | ||
+ | CVE-2022-1292, | ||
+ | properly sanitise shell metacharacters to prevent command injection were | ||
+ | found by code review. | ||
+ | When the CVE-2022-1292 was fixed it was not discovered that there | ||
+ | are other places in the script where the file names of certificates | ||
+ | being hashed were possibly passed to a command executed through the shell. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | |||
+ | ==== 2022-06-28 ==== | ||
+ | |||
+ | **ca-certificates-20220622**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | In addition to the c_rehash shell command injection identified in | ||
+ | CVE-2022-1292, | ||
+ | properly sanitise shell metacharacters to prevent command injection were | ||
+ | found by code review. | ||
+ | When the CVE-2022-1292 was fixed it was not discovered that there | ||
+ | are other places in the script where the file names of certificates | ||
+ | being hashed were possibly passed to a command executed through the shell. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | |||
+ | ==== 2022-06-09 ==== | ||
+ | |||
+ | **httpd-2.4.54**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. | ||
+ | Information Disclosure in mod_lua with websockets. | ||
+ | mod_sed denial of service. | ||
+ | Denial of service in mod_lua r: | ||
+ | Read beyond bounds in ap_strcmp_match(). | ||
+ | Read beyond bounds via ap_rwrite(). | ||
+ | Read beyond bounds in mod_isapi. | ||
+ | mod_proxy_ajp: | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-05-26 ==== | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed certificate strings comparison for Local authorization. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-05-11 ==== | ||
+ | |||
+ | **curl-7.83.1**: | ||
+ | This update fixes security issues: | ||
+ | HSTS bypass via trailing dot. | ||
+ | TLS and SSH connection too eager reuse. | ||
+ | CERTINFO never-ending busy-loop. | ||
+ | percent-encoded path separator in URL host. | ||
+ | cookie for trailing dot TLD. | ||
+ | curl removes wrong file on error. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-05-03 ==== | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | Fixed a bug in the c_rehash script which was not properly sanitising shell | ||
+ | metacharacters to prevent command injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
==== 2022-05-03 ==== | ==== 2022-05-03 ==== |
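Review bot: The section added under the 2023-10-04 heading groups three successive curl releases (curl-8.3.0, curl-8.2.1, curl-8.2.0), two sudo bugfix releases, ca-certificates-20230721 and two separate cups-2.1.4 security entries under one date, which suggests date headings were dropped between 2023-10-04 and 2023-06-15; if those packages were published on different days, restore a "==== YYYY-MM-DD ====" heading for each batch so readers can tell when a given fix became available. The `**openssl-solibs-1.0.2u**:` entries added under 2022-06-30, 2022-06-28 and 2022-05-03 have no body text, so the page does not say what changed in that package; add a one-line description or fold the name into the openssl-1.0.2u heading next to it. Three spellings in the added text should be checked against the upstream ChangeLog before anyone corrects them here: "INPENDING" in the EOL notice, "arbirary" in the 2023-06-06 cups entry, and "immmediately" in the libksba-1.6.2 entry.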
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie