User Tools

Site Tools


changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
changelog_14.2 [2019/02/12 23:41] conniechangelog_14.2 [2020/02/21 02:39] – [2020-02-14] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2020-02-20 ====
 +
 +**proftpd-1.3.6c**:  Upgraded.
 +No CVEs assigned, but this sure looks like a security issue:
 +Use-after-free vulnerability in memory pools during data transfer.
 +(**Security fix**)
 +
 +==== 2020-02-14 ====
 +
 +**libarchive-3.4.2**:  Upgraded.
 +This update includes security fixes in the RAR5 reader.
 +(**Security fix**)
 +
 +==== 2020-01-31 ====
 +
 +**sudo-1.8.31**:  Upgraded.
 +This update fixes a security issue:
 +In Sudo before 1.8.31, if pwfeedback is enabled in /etc/sudoers, users can
 +trigger a stack-based buffer overflow in the privileged sudo process.
 +(pwfeedback is a default setting in some Linux distributions; however, it
 +is not the default for upstream or in Slackware, and would exist only if
 +enabled by an administrator.) The attacker needs to deliver a long string
 +to the stdin of getln() in tgetpass.c.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
 +(**Security fix**)
 +
 +**bind-9.11.15**:  Upgraded.
 +This is a bugfix release:
 +With some libmaxminddb versions, named could erroneously match an IP address
 +not belonging to any subnet defined in a given GeoIP2 database to one of the
 +existing entries in that database. [GL #1552]
 +Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL #2478]
 +
 +==== 2020-01-11 ====
 +
 +**p7zip-16.02**: Added (FXP)
 +==== 2020-01-09 ====
 +
 +**linux-libre-*-4.4.208**:  Upgraded.
 +   IPV6_MULTIPLE_TABLES n -> y
 +  +IPV6_SUBTREES y
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.203:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19524
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15917
 +Fixed in 4.4.204:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18660
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15291
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18683
 +Fixed in 4.4.206:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12614
 +Fixed in 4.4.207:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19227
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19062
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19338
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19332
 +Fixed in 4.4.208:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19057
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19063
 +(**Security fix**)
 +
 +**xfce4-weather-plugin-0.8.11**:  Upgraded.
 +Bugfix release to address the upcoming obsolescence of the
 +locationforecastLTS API from met.no. Thanks to Robby Workman.
 +
 +**libwmf-0.2.8.4**:  Rebuilt.
 +This is a bugfix release to correct the path for the GDK_PIXBUF_DIR.
 +Thanks to B. Watson and Robby Workman.
 +
 +==== 2019-12-21 ====
 +
 +**openssl-1.0.2u**:  Upgraded.
 +This update fixes a low severity security issue:
 +Fixed an an overflow bug in the x86_64 Montgomery squaring procedure used in
 +exponentiation with 512-bit moduli.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20191206.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Upgraded.
 +
 +**tigervnc-1.10.1**:  Upgraded.
 +From tigervnc.org: "This is a security release to fix a number of issues
 +that were found by Kaspersky Lab. These issues affect both the client and
 +server and could theoretically allow a malicious peer to take control
 +over the software on the other side. No working exploit is known at this
 +time, and the issues require the peer to first be authenticated. We still
 +urge users to upgrade when possible."
 +(**Security fix**)
 +
 +==== 2019-12-19 ====
 +
 +**bind-9.11.14**:  Upgraded.
 +This is a bugfix release:
 +Fixed a bug that caused named to leak memory on reconfiguration when
 +any GeoIP2 database was in use. [GL #1445]
 +Fixed several possible race conditions discovered by Thread Sanitizer.
 +
 +**wavpack-5.2.0**:  Upgraded.
 +Fixed denial-of-service and other potential security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19840
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19841
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10536
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10537
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10538
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10539
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10540
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7254
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6767
 +(**Security fix**)
 +
 +**ca-certificates-20191130**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2019-11-21 ====
 +
 +**bind-9.11.13**:  Upgraded.
 +This update fixes a security issue:
 +Set a limit on the number of concurrently served pipelined TCP queries.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477
 +(**Security fix**)
 +
 +==== 2019-11-17 ====
 +
 +**linux-libre-*-4.4.202**:  Upgraded.
 +  * CRYPTO_CRC32C_INTEL m -> y
 +  * +X86_INTEL_TSX_MODE_AUTO n
 +  * +X86_INTEL_TSX_MODE_OFF y
 +  * +X86_INTEL_TSX_MODE_ON n
 +These updates fix various bugs and security issues, including mitigation for
 +the TSX Asynchronous Abort condition on some CPUs.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.201:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154
 +Fixed in 4.4.202:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
 +(**Security fix**)
 +
 +==== 2019-11-12 ====
 +
 +**kdelibs-4.14.38**:  Rebuilt.                                                                                                                                                           
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**kdepim-4.14.10**:  Rebuilt.
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**kdepimlibs-4.14.10**:  Rebuilt.
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**linux-libre-*-4.4.199**:  Upgraded.
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.191:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10906
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10905
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10638
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15117
 +Fixed in 4.4.193:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835
 +Fixed in 4.4.194:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14816
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14814
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15505
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
 +Fixed in 4.4.195:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17053
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17052
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17056
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17055
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17054
 +Fixed in 4.4.196:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215
 +Fixed in 4.4.197:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16746
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20976
 +Fixed in 4.4.198:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17075
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133
 +Fixed in 4.4.199:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15098
 +(**Security fix**)
 +
 +==== 2019-11-04 ====
 +
 +**libtiff-4.1.0**:  Upgraded.
 +libtiff: fix integer overflow in _TIFFCheckMalloc() that could cause a crash.
 +tif_dir: unset transferfunction field if necessary.
 +pal2rgb: failed to free memory on a few errors.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14973
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128
 +(**Security fix**)
 +
 +==== 2019-10-21 ====
 +
 +**python-2.7.17**:  Upgraded.
 +This update fixes bugs and security issues:
 +Update vendorized expat library version to 2.2.8.
 +Disallow URL paths with embedded whitespace or control characters into the
 +underlying http client request. Such potentially malicious header injection
 +URLs now cause an httplib.InvalidURL exception to be raised.
 +Avoid file reading by disallowing ``local-file://`` and ``local_file://``
 +URL schemes in :func:`urllib.urlopen`, :meth:`urllib.URLopener.open` and
 +:meth:`urllib.URLopener.retrieve`.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
 +(**Security fix**)
 +
 +**ca-certificates-20191018**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.8.28p1**:  Rebuilt.
 +This is a bugfix release:
 +Ensure that /etc/environment exists to prevent complaints from "sudo -i".
 +
 +==== 2019-10-14 ====
 +
 +**sudo-1.8.28**:  Upgraded.
 +Fixed a bug where an sudo user may be able to run a command as root when
 +the Runas specification explicitly disallows root access as long as the
 +ALL keyword is listed first.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
 +(**Security fix**)
 +
 +==== 2019-10-02 ====
 +
 +**libpcap-1.9.1**:  Upgraded.
 +This update is required for the new version of tcpdump.
 +
 +**tcpdump-4.9.3**:  Upgraded.
 +Fix buffer overflow/overread vulnerabilities and command line
 +argument/local issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16808
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14468
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14469
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14470
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14466
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14461
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14462
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14465
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14881
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14464
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14463
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14467
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10103
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10105
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14880
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16451
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14882
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16227
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16229
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16301
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16230
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16452
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16300
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16228
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15166
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15167
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14879
 +(**Security fix**)
 +
 +==== 2019-09-16 ====
 +
 +**expat-2.2.8**:  Upgraded.
 +Fix heap overflow triggered by XML_GetCurrentLineNumber (or
 +XML_GetCurrentColumnNumber), and deny internal entities closing the doctype.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
 +(**Security fix**)
 +
 +==== 2019-09-12 ====
 +
 +**curl-7.66.0**:  Upgraded.
 +This update fixes security issues:
 +FTP-KRB double-free
 +TFTP small blocksize heap buffer overflow
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2019c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**openssl-1.0.2t**:  Upgraded.
 +This update fixes low severity security issues:
 +Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
 +Compute ECC cofactors if not provided during EC_GROUP construction
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2t**:  Upgraded.
 +
 +**emacs-26.3**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2019-08-27 ====
 +
 +**linux-libre-*-4.4.190**:  Upgraded.
 +These updates fix various bugs and a minor local denial-of-service security
 +issue. They also change this option:
 +  * FANOTIFY_ACCESS_PERMISSIONS n -> y
 +This is needed by on-access virus scanning software.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see: Fixed in 4.4.190:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20961
 +(**Security fix**)
 +
 +**ca-certificates-20190826**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**bind-9.11.9**:  Upgraded.
 +This update fixes various bugs and also updates the named.root file in
 +the caching-example configuration to the latest version.
 +
 +==== 2019-08-14 ====
 +
 +**linux-libre-*-4.4.189**:  Upgraded.
 +These updates fix various bugs and many security issues, and include the
 +Spectre v1 SWAPGS mitigations.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition. For more information, see:
 +
 +Fixed in 4.4.187:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13631
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18509
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14283
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10207
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13648
 +Fixed in 4.4.189:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20856
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125
 +(**Security fix**)
 +
 +==== 2019-08-08 ====
 +
 +**kdelibs-4.14.38**:  Upgraded.
 +kconfig: malicious .desktop files (and others) would execute code.
 +For more information, see:
 +  * https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
 +(**Security fix**)
 +
 +==== 2019-07-25 ====
 +
 +**R-3.6.1**: Upgraded (FXP)
 +
 +==== 2019-07-22 ====
 +
 +**linux-libre-*-4.4.186**:  Upgraded.
 +These updates fix various bugs and many minor security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * Fixed in 4.4.183:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3892
 +  * Fixed in 4.4.185:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13272
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16597
 +  * Fixed in 4.4.186:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10126
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3846
 +(**Security fix**)
 +
 +**curl-7.65.3**:  Upgraded.
 +This is a bugfix release:
 +Fix a regression that caused the progress meter not to appear.
 +For more information, see:
 +  * https://curl.haxx.se/changes.html
 +
 +**emacs-26.2**:  Upgraded.
 +This is a bugfix release.
 +Patched package.el to obey buffer-file-coding-system (bug #35739), fixing
 +bad signature from GNU ELPA for archive-contents.
 +Thanks to Stefan Monnier and Eric Lindblad.
 +
 +==== 2019-07-14 ====
 +
 +**bzip2-1.0.8**:  Upgraded.                                                                                                                                           
 +Fixes security issues:                                                                                                                                                
 +bzip2recover: Fix use after free issue with outFile.                                                                                                                  
 +Make sure nSelectors is not out of range.                                                                                                                             
 +For more information, see:                                                                                                                                            
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189                                                                                                      
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900                                                                                                     
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2019b**:  Upgraded.                                                                                                             
 +This package provides the latest timezone updates.                                                                                                                    
 +                                                                                                                                                                      
 +**rust-1.36.0**:  Upgraded.
 +Upgraded to the latest Rust compiler for Firefox 68.0.
 +
 +**xscreensaver-5.43**:  Upgraded.
 +Here's an upgrade to the latest xscreensaver.
 +
 +==== 2019-07-13 ====
 +
 +**lincity-ng-2.0**: added (FXP). LinCity-NG is  a city simulation game.
 +It is a polished and improved
 +version of the classic LinCity game. In the game,you are required to
 +build and maintain a city. You can win the game either by building a
 +sustainable economy or by evacuating all citizens with spaceships.
 +
 +**SDL_gfx-2.0.25**: added (FXP). SDL graphics drawing  primitives
 +and other support functions. The
 +SDL_gfx  library  evolved  out of the SDL_gfxPrimitives code which
 +provided basic drawing routines such as lines, circles or polygons
 +and SDL_rotozoom which  implemented a interpolating rotozoomer for
 +SDL surfaces.
 +  * homepage: http://www.ferzkopp.net/Software/SDL_gfx-2.0/
 +
 +**jam-2.5**: added (FXP).
 +Jam is a program construction tool, like make(1). Jam recursively
 +builds target files from source files, using dependency information
 +and updating actions expressed in the Jambase file, which is written
 +in jam's own interpreted language. The default Jambase is compiled
 +into jam and provides a boilerplate for common use, relying on a
 +user-provide file "Jamfile" to enumerate actual targets and sources.
 +  * http://public.perforce.com/public/jam/src/Jam.html
 +
 +==== 2019-07-02 ====
 +
 +**icecat-60.7.0**: Upgraded (FXP). This update includes upstream features and patches.
 +  * https://www.mozilla.org/en-US/firefox/60.7.0/releasenotes/
 +
 +(**Security fix**)
 +
 +==== 2019-07-01 ====
 +
 +**linux-libre-*-4.4.182**:  Upgraded.
 +These updates fix various bugs and many security issues, including the
 +"SACK Panic" remote denial-of-service issue.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.174:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391
 +Fixed in 4.4.175:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7221
 +Fixed in 4.4.176:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6974
 +Fixed in 4.4.177:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9213
 +Fixed in 4.4.178:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3460
 +Fixed in 4.4.179:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11486
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11810
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11815
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11190
 +Fixed in 4.4.180:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20836
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3882
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11884
 +Fixed in 4.4.181:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11833
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20510
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000026
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9503
 +Fixed in 4.4.182:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
 +(**Security fix**)
 +
 +**irssi-1.1.3**:  Upgraded.
 +This update fixes a security issue: Use after free when sending SASL login
 +to the server found by ilbelkyr. May affect the stability of Irssi. SASL
 +logins may fail, especially during (manual and automated) reconnect.
 +For more information, see:
 +  * https://irssi.org/2019/06/29/irssi-1.2.1-1.1.3-1.0.8-released/
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13045
 +(**Security fix**)
 +
 +==== 2019-06-20 ====
 +
 +**bind-9.11.8**:  Upgraded.
 +Fixed a race condition in dns_dispatch_getnext() that could cause an
 +assertion failure if a significant number of incoming packets were rejected.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2019-6471
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6471
 +(**Security fix**)
 +
 +**ca-certificates-20190617**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2019-06-16 ====
 +
 +**curl-7.65.1**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://curl.haxx.se/changes.html
 +
 +**openssl-1.0.2s**:  Upgraded.
 +This is a bugfix release:
 +Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
 +This changes the size when using the genpkey app when no size is given.
 +It fixes an omission in earlier changes that changed all RSA, DSA and DH
 +generation apps to use 2048 bits by default.  [Kurt Roeckx]
 +
 +**openssl-solibs-1.0.2s**:  Upgraded.
 +
 +**rdesktop-1.8.6**:  Upgraded.
 +This is a small bug fix release for rdesktop 1.8.5. An issue was discovered
 +soon after release where it was impossible to connect to some servers. This
 +issue has now been fixed, but otherwise this release is identical to 1.8.5.
 +
 +==== 2019-05-23 ====
 +
 +**curl-7.65.0**:  Upgraded.
 +This release fixes the following security issues:
 +Integer overflows in curl_url_set
 +tftp: use the current blksize for recvfrom()
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
 +(**Security fix**)
 +
 +==== 2019-05-16 ====
 +
 +**rdesktop-1.8.5**:  Upgraded.
 +This update fixes security issues:
 +Add bounds checking to protocol handling in order to fix many
 +security problems when communicating with a malicious server.
 +(**Security fix**)
 +
 +==== 2019-04-26 ====
 +
 +**bind-9.11.6_P1**:  Upgraded.
 +This update fixes a security issue:
 +The TCP client quota set using the tcp-clients option could be exceeded
 +in some cases. This could lead to exhaustion of file descriptors.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2018-5743
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743
 +(**Security fix**)
 +
 +**curl-7.64.1**:  Upgraded.
 +This update fixes a regression in curl-7.64.0 which could lead to
 +100% CPU usage. Thanks to arcctgx.
 +
 +
 +==== 2019-04-17 ====
 +
 +**libpng-1.6.37**:  Upgraded.
 +This update fixes security issues:
 +  * Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
 +  * Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
 +  * Fixed a memory leak in pngtest.c.
 +  * Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in contrib/pngminus; refactor.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14048
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14550
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
 +(**Security fix**)
 +
 +**libssh2-1.8.2**:  Upgraded.
 +This update fixes a misapplied userauth patch that broke 1.8.1.
 +Thanks to Ook.
 +
 +**glibc-zoneinfo-2019a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2019-04-06 ====
 +
 +**httpd-2.4.39**:  Upgraded.
 +This release contains security fixes and improvements.
 +In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker
 +or prefork, code executing in less-privileged child processes or threads
 +(including scripts executed by an in-process scripting interpreter) could
 +execute arbitrary code with the privileges of the parent process by
 +manipulating the scoreboard.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211
 +(**Security fix**)
 +
 +==== 2019-04-06 ====
 +
 +**openjpeg-2.3.1**:  Upgraded.
 +Includes many bug fixes (including security fixes).
 +(**Security fix**)
 +
 +**wget-1.20.3**:  Upgraded.
 +Fixed a buffer overflow vulnerability:
 +src/iri.c(do_conversion): Reallocate the output buffer to a larger
 +size if it is already full.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953
 +(**Security fix**)
 +
 +==== 2019-04-02 ====
 +
 +**ghostscript-9.26**:  Upgraded.                                                                                                                                      
 +Fixes security issues:                                                                                                                                                
 +A specially crafted PostScript file could have access to the file system                                                                                              
 +outside of the constrains imposed by -dSAFER.                                                                                                                         
 +Transient procedures can allow access to system operators, leading to                                                                                                 
 +remote code execution.                                                                                                                                                
 +For more information, see:                                                                                                                                            
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835                                                                                                      
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838                                                                                                      
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6116                                                                                                      
 +(**Security fix**)                                                                                                                                                    
 +                                                                                                                                                                      
 +**wget-1.20.2**:  Upgraded.                                                                                                                                           
 +Fixed an unspecified buffer overflow vulnerability.                                                                                                                   
 +(**Security fix**)
 +
 +==== 2019-03-27 ====
 +
 +**gnutls-3.6.7**:  Upgraded.
 +Fixes security issues:
 +  * libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
 +  * libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694]
 +  * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
 +  * libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
 +  * libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
 +
 +(**Security fix**)
 +
 +==== 2019-03-19 ====
 +
 +**libssh2-1.8.1**:  Upgraded.
 +Fixed several security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863
 +(**Security fix**)
 +
 +**mariadb-10.0.38**:  Rebuilt.
 +Fixed paths in /usr/bin/mysql_install_db.
 +Thanks to Stuart Winter.
 +
 +==== 2019-03-08 ====
 +
 +**ca-certificates-20190308**  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**ntp-4.2.8p13**:  Upgraded.
 +This release fixes a bug that allows an attacker with access to an explicitly
 +trusted source to send a crafted malicious mode 6 (ntpq) packet that can
 +trigger a NULL pointer dereference, crashing ntpd.
 +It also provides 17 other bugfixes and 1 other improvement.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936
 +(**Security fix**)
 +
 +==== 2019-03-03 ====
 +
 +**python-2.7.16**:  Upgraded.
 +Updated to the latest 2.7.x release, which fixes a few security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
 +(**Security fix**)
 +
 +==== 2019-03-01 ====
 +
 +**infozip-6.0**:  Rebuilt.
 +Added some patches that should fix extracting archives with non-latin
 +characters in the filenames. Thanks to saahriktu.
 +This update also fixes various security issues in zip and unzip.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18384
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035
 +(**Security fix**)
 +
 +**curl-7.64.0**:  Rebuilt.
 +Applied upstream patch to fix log spam:
 +[PATCH] multi: remove verbose "Expire in" ... messages
 +Thanks to compassnet.
 +
 +==== 2019-02-27 ====
 +
 +**ca-certificates-20181210**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**openssl-1.0.2r**:  Upgraded.
 +Go into the error state if a fatal alert is sent or received. If an
 +application calls SSL_shutdown after a fatal alert has occured and
 +then behaves different based on error codes from that function then
 +the application may be vulnerable to a padding oracle.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2r**:  Upgraded.
 +
 +==== 2019-02-23 ====
 +
 +**file-5.36**:  Upgraded.
 +Fix out-of-bounds read and denial-of-service security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907
 +(**Security fix**)
  
 ==== 2019-02-12 ==== ==== 2019-02-12 ====
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie