User Tools

Site Tools


changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
changelog_14.2 [2019/02/12 23:41] conniechangelog_14.2 [2019/06/16 16:19] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2019-06-16 ====
 +
 +**curl-7.65.1**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://curl.haxx.se/changes.html
 +
 +**openssl-1.0.2s**:  Upgraded.
 +This is a bugfix release:
 +Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
 +This changes the size when using the genpkey app when no size is given.
 +It fixes an omission in earlier changes that changed all RSA, DSA and DH
 +generation apps to use 2048 bits by default.  [Kurt Roeckx]
 +
 +**openssl-solibs-1.0.2s**:  Upgraded.
 +
 +**rdesktop-1.8.6**:  Upgraded.
 +This is a small bug fix release for rdesktop 1.8.5. An issue was discovered
 +soon after release where it was impossible to connect to some servers. This
 +issue has now been fixed, but otherwise this release is identical to 1.8.5.
 +
 +==== 2019-05-23 ====
 +
 +**curl-7.65.0**:  Upgraded.
 +This release fixes the following security issues:
 +Integer overflows in curl_url_set
 +tftp: use the current blksize for recvfrom()
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
 +(**Security fix**)
 +
 +==== 2019-05-16 ====
 +
 +**rdesktop-1.8.5**:  Upgraded.
 +This update fixes security issues:
 +Add bounds checking to protocol handling in order to fix many
 +security problems when communicating with a malicious server.
 +(**Security fix**)
 +
 +==== 2019-04-26 ====
 +
 +**bind-9.11.6_P1**:  Upgraded.
 +This update fixes a security issue:
 +The TCP client quota set using the tcp-clients option could be exceeded
 +in some cases. This could lead to exhaustion of file descriptors.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2018-5743
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743
 +(**Security fix**)
 +
 +**curl-7.64.1**:  Upgraded.
 +This update fixes a regression in curl-7.64.0 which could lead to
 +100% CPU usage. Thanks to arcctgx.
 +
 +
 +==== 2019-04-17 ====
 +
 +**libpng-1.6.37**:  Upgraded.
 +This update fixes security issues:
 +  * Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
 +  * Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
 +  * Fixed a memory leak in pngtest.c.
 +  * Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in contrib/pngminus; refactor.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14048
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14550
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
 +(**Security fix**)
 +
 +**libssh2-1.8.2**:  Upgraded.
 +This update fixes a misapplied userauth patch that broke 1.8.1.
 +Thanks to Ook.
 +
 +**glibc-zoneinfo-2019a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2019-04-06 ====
 +
 +**httpd-2.4.39**:  Upgraded.
 +This release contains security fixes and improvements.
 +In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker
 +or prefork, code executing in less-privileged child processes or threads
 +(including scripts executed by an in-process scripting interpreter) could
 +execute arbitrary code with the privileges of the parent process by
 +manipulating the scoreboard.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
 +(**Security fix**)
 +
 +==== 2019-04-06 ====
 +
 +**openjpeg-2.3.1**:  Upgraded.
 +Includes many bug fixes (including security fixes).
 +(**Security fix**)
 +
 +**wget-1.20.3**:  Upgraded.
 +Fixed a buffer overflow vulnerability:
 +src/iri.c(do_conversion): Reallocate the output buffer to a larger
 +size if it is already full.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953
 +(**Security fix**)
 +
 +==== 2019-04-02 ====
 +
 +**ghostscript-9.26**:  Upgraded.                                                                                                                                      
 +Fixes security issues:                                                                                                                                                
 +A specially crafted PostScript file could have access to the file system                                                                                              
 +outside of the constrains imposed by -dSAFER.                                                                                                                         
 +Transient procedures can allow access to system operators, leading to                                                                                                 
 +remote code execution.                                                                                                                                                
 +For more information, see:                                                                                                                                            
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835                                                                                                      
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838                                                                                                      
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6116                                                                                                      
 +(**Security fix**)                                                                                                                                                    
 +                                                                                                                                                                      
 +**wget-1.20.2**:  Upgraded.                                                                                                                                           
 +Fixed an unspecified buffer overflow vulnerability.                                                                                                                   
 +(**Security fix**)
 +
 +==== 2019-03-27 ====
 +
 +**gnutls-3.6.7**:  Upgraded.
 +Fixes security issues:
 +  * libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
 +  * libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694]
 +  * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
 +  * libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
 +  * libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
 +
 +(**Security fix**)
 +
 +==== 2019-03-19 ====
 +
 +**libssh2-1.8.1**:  Upgraded.
 +Fixed several security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863
 +(**Security fix**)
 +
 +**mariadb-10.0.38**:  Rebuilt.
 +Fixed paths in /usr/bin/mysql_install_db.
 +Thanks to Stuart Winter.
 +
 +==== 2019-03-08 ====
 +
 +**ca-certificates-20190308**  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**ntp-4.2.8p13**:  Upgraded.
 +This release fixes a bug that allows an attacker with access to an explicitly
 +trusted source to send a crafted malicious mode 6 (ntpq) packet that can
 +trigger a NULL pointer dereference, crashing ntpd.
 +It also provides 17 other bugfixes and 1 other improvement.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936
 +(**Security fix**)
 +
 +==== 2019-03-03 ====
 +
 +**python-2.7.16**:  Upgraded.
 +Updated to the latest 2.7.x release, which fixes a few security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
 +(**Security fix**)
 +
 +==== 2019-03-01 ====
 +
 +**infozip-6.0**:  Rebuilt.
 +Added some patches that should fix extracting archives with non-latin
 +characters in the filenames. Thanks to saahriktu.
 +This update also fixes various security issues in zip and unzip.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18384
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035
 +(**Security fix**)
 +
 +**curl-7.64.0**:  Rebuilt.
 +Applied upstream patch to fix log spam:
 +[PATCH] multi: remove verbose "Expire in" ... messages
 +Thanks to compassnet.
 +
 +==== 2019-02-27 ====
 +
 +**ca-certificates-20181210**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**openssl-1.0.2r**:  Upgraded.
 +Go into the error state if a fatal alert is sent or received. If an
 +application calls SSL_shutdown after a fatal alert has occured and
 +then behaves different based on error codes from that function then
 +the application may be vulnerable to a padding oracle.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2r**:  Upgraded.
 +
 +==== 2019-02-23 ====
 +
 +**file-5.36**:  Upgraded.
 +Fix out-of-bounds read and denial-of-service security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907
 +(**Security fix**)
  
 ==== 2019-02-12 ==== ==== 2019-02-12 ====
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie