changelog_14.2
Revisions compared: changelog_14.2 [2019/04/17 23:06] – connie; changelog_14.2 [2023/12/13 23:08] – [2023-11-08] connie
Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
+ | |||
+ | ==== 2023-12-13 ==== | ||
+ | |||
+ | **libxml2-2.12.3**: | ||
+ | This update addresses regressions when building against libxml2 that were | ||
+ | due to header file refactoring. | ||
+ | |||
+ | **libxml2-2.12.2**: | ||
+ | Add --sysconfdir=/ | ||
+ | Thanks to SpiderTux. | ||
+ | Fix the following security issues: | ||
+ | Fix integer overflows with XML_PARSE_HUGE. | ||
+ | Fix dict corruption caused by entity reference cycles. | ||
+ | Hashing of empty dict strings isn't deterministic. | ||
+ | Fix null deref in xmlSchemaFixupComplexType. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20231117**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **sudo-1.9.15p1**: | ||
+ | This is a bugfix release: | ||
+ | Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers | ||
+ | from being able to read the ldap.conf file. | ||
+ | |||
+ | ==== 2023-11-08 ==== | ||
+ | |||
+ | **sudo-1.9.15**: | ||
+ | The sudoers plugin has been modified to make it more resilient to ROWHAMMER | ||
+ | attacks on authentication and policy matching. | ||
+ | The sudoers plugin now constructs the user time stamp file path name using | ||
+ | the user-ID instead of the user name. This avoids a potential problem with | ||
+ | user names that contain a path separator ('/' | ||
+ | the path name. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
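Two points in the sudo-1.9.15 entry above deserve a concrete illustration: why a per-user state file should be named after the numeric UID rather than the user name, and why an authentication result is harder to flip by a single corrupted bit when its "success" and "failure" encodings are far apart. The following is an added example written for this page, not sudo's own code; the directory name `TS_DIR`, the sample user names and the result constants are assumptions chosen for the demonstration.

```python
"""Added illustration for the sudo-1.9.15 entry: UID-keyed file names and
bit-flip-resistant result codes.  Example code, not sudo's implementation."""
import posixpath

TS_DIR = "/run/sudo/ts"  # assumed directory for the per-user time stamp files


def ts_path_from_name(user: str) -> str:
    """Splice the user name straight into the path (the pattern being replaced)."""
    return posixpath.join(TS_DIR, user)


def ts_path_from_uid(uid: int) -> str:
    """Name the file after the UID: an integer cannot contain '/' or '..'."""
    if uid < 0:
        raise ValueError("uid must be non-negative")
    return posixpath.join(TS_DIR, str(uid))


def is_direct_child(base: str, path: str) -> bool:
    """True only if `path` normalises to exactly one component below `base`."""
    base = posixpath.normpath(base)
    norm = posixpath.normpath(path)
    return norm != base and posixpath.dirname(norm) == base


def is_safe_name_component(name: str) -> bool:
    """Reject names that cannot be a single, ordinary directory entry.
    A user database, unlike a file system, does not enforce this for us."""
    return name not in ("", ".", "..") and "/" not in name and "\0" not in name


def escaping_names(names):
    """Map each candidate user name to True if the naive path does not land
    on a file directly inside TS_DIR (it escapes, nests, or names TS_DIR itself)."""
    return {n: not is_direct_child(TS_DIR, ts_path_from_name(n)) for n in names}


def min_hamming(codes):
    """Smallest number of bit flips that turns one result code into another."""
    return min(bin(a ^ b).count("1")
               for i, a in enumerate(codes) for b in codes[i + 1:])


# Constructed sample data: one ordinary user name and several hostile ones.
SAMPLE_NAMES = ["alice", "", "a/b", "../root", "bob/../../etc"]

# Two styles of auth result encoding (illustrative values, not sudo's constants).
BOOL_STYLE = [0, 1]                      # a single flipped bit turns "reject" into "allow"
SPARSE_STYLE = [0x52A2925, 0xAD5D6DA]    # 28-bit complements: 28 flips needed

if __name__ == "__main__":
    for name, escaped in escaping_names(SAMPLE_NAMES).items():
        print(f"{name!r:18} -> {ts_path_from_name(name)!r:36} unsafe={escaped}")
    print("uid 1000 ->", ts_path_from_uid(1000))
    print("min flips, bool style:  ", min_hamming(BOOL_STYLE))
    print("min flips, sparse style:", min_hamming(SPARSE_STYLE))
```

The `is_safe_name_component` check is the defence to apply when a name must be used in a path anyway; keying on the UID, as the entry describes, removes the need for it entirely.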
+ | |||
+ | |||
+ | ==== 2023-10-20 ==== | ||
+ | |||
+ | **httpd-2.4.58**: | ||
+ | This update fixes bugs and security issues: | ||
+ | moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed | ||
+ | right away on RST. | ||
+ | low: mod_macro buffer over-read. | ||
+ | low: Apache HTTP Server: DoS in HTTP/2 with initial window size 0. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-10-16 ==== | ||
+ | |||
+ | **curl-8.4.0**: | ||
+ | This update fixes security issues: | ||
+ | Cookie injection with none file. | ||
+ | SOCKS5 heap buffer overflow. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | < | ||
+ | Mon Oct 9 18:10:01 UTC 2023 | ||
+ | #################################################################### | ||
+ | # NOTICE OF IMPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS # | ||
+ | # # | ||
+ | # Effective January 1, 2024, security patches will no longer be # | ||
+ | # provided for the following versions of Slackware (which will all # | ||
+ | # be more than 7 years old at that time): | ||
+ | # | ||
+ | # If you are still running these versions you should consider | ||
+ | # migrating to a newer version (preferably as recent as possible). # | ||
+ | # Alternately, | ||
+ | # security patches. | ||
+ | #################################################################### | ||
+ | </ | ||
+ | |||
+ | ==== 2023-10-04 ==== | ||
+ | |||
+ | **libX11-1.8.7**: | ||
+ | This update fixes security issues: | ||
+ | libX11: out-of-bounds memory access in _XkbReadKeySyms(). | ||
+ | libX11: stack exhaustion from infinite recursion in PutSubImage(). | ||
+ | libX11: integer overflow in XCreateImage() leading to a heap overflow. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libXpm-3.5.17**: | ||
+ | This update fixes security issues: | ||
+ | libXpm: out of bounds read in XpmCreateXpmImageFromBuffer(). | ||
+ | libXpm: out of bounds read on XPM with corrupted colormap. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | This update fixes bugs and a security issue: | ||
+ | Fixed a heap-based buffer overflow when reading PostScript in PPD files. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **netatalk-3.1.17**: | ||
+ | This update fixes bugs and a security issue: | ||
+ | Validate data type in dalloc_value_for_key(). This flaw could allow a | ||
+ | malicious actor to cause Netatalk' | ||
+ | execute arbitrary code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.3.0**: | ||
+ | This update fixes a security issue: | ||
+ | HTTP headers eat all memory. | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libarchive-3.7.2**: | ||
+ | This update fixes multiple security vulnerabilities in the PAX writer: | ||
+ | Heap overflow in url_encode() in archive_write_set_format_pax.c. | ||
+ | NULL dereference in archive_write_pax_header_xattrs(). | ||
+ | Another NULL dereference in archive_write_pax_header_xattrs(). | ||
+ | NULL dereference in archive_write_pax_header_xattr(). | ||
+ | (**Security fix**) | ||
+ | |||
+ | **netatalk-3.1.16**: | ||
+ | This update fixes bugs and security issues. | ||
+ | Shared library .so-version bump. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.2.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **whois-5.5.18**: | ||
+ | Updated the .ga TLD server. | ||
+ | Added new recovered IPv4 allocations. | ||
+ | Removed the delegation of 43.0.0.0/8 to JPNIC. | ||
+ | Removed 12 new gTLDs which are no longer active. | ||
+ | Improved the man page source, courtesy of Bjarni Ingi Gislason. | ||
+ | Added the .edu.za SLD server. | ||
+ | Updated the .alt.za SLD server. | ||
+ | Added the -ru and -su NIC handles servers. | ||
+ | |||
+ | **ca-certificates-20230721**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **curl-8.2.0**: | ||
+ | This update fixes a security issue: | ||
+ | fopen race condition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sudo-1.9.14p2**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **sudo-1.9.14p1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed a use-after-free when logging warnings in case of failures | ||
+ | in cupsdAcceptClient(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-06-15 ==== | ||
+ | |||
+ | **libX11-1.8.6**: | ||
+ | This update fixes buffer overflows in InitExt.c that could at least cause | ||
+ | the client to crash due to memory corruption. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ntp-4.2.8p17**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | |||
+ | ==== 2023-06-06 ==== | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed a heap buffer overflow in _cups_strlcpy(), | ||
+ | cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote | ||
+ | attacker to launch a denial of service (DoS) attack, or possibly execute | ||
+ | arbitrary code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ntp-4.2.8p16**: | ||
+ | This update fixes bugs and security issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.1.2**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | ==== 2023-05-26 ==== | ||
+ | |||
+ | **ntfs-3g-2022.10.3**: | ||
+ | Fixed vulnerabilities that may allow an attacker using a maliciously | ||
+ | crafted NTFS-formatted image file or external storage to potentially | ||
+ | execute arbitrary privileged code or cause a denial of service. | ||
+ | Thanks to opty. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-8.1.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | |||
+ | ==== 2023-05-18 ==== | ||
+ | |||
+ | **curl-8.1.0**: | ||
+ | This update fixes security issues: | ||
+ | more POST-after-PUT confusion. | ||
+ | IDN wildcard match. | ||
+ | siglongjmp race condition. | ||
+ | UAF in SSH sha256 fingerprint check. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20230506**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2023-05-05 ==== | ||
+ | |||
+ | **libssh-0.10.5**: | ||
+ | This update fixes security issues: | ||
+ | A NULL dereference during rekeying with algorithm guessing. | ||
+ | A possible authorization bypass in pki_verify_data_signature under | ||
+ | low-memory conditions. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **whois-5.5.17**: | ||
+ | Added the .cd TLD server. | ||
+ | Updated the -kg NIC handles server name. | ||
+ | Removed 2 new gTLDs which are no longer active. | ||
+ | |||
+ | |||
+ | ==== 2023-05-01 ==== | ||
+ | |||
+ | **netatalk-3.1.15**: | ||
+ | This update fixes security issues, including a critical vulnerability that | ||
+ | allows remote attackers to execute arbitrary code on affected installations | ||
+ | of Netatalk. Authentication is not required to exploit this vulnerability. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-04-25 ==== | ||
+ | |||
+ | **git-2.30.9**: | ||
+ | This update fixes security issues: | ||
+ | By feeding specially crafted input to `git apply --reject`, a | ||
+ | path outside the working tree can be overwritten with partially | ||
+ | controlled contents (corresponding to the rejected hunk(s) from | ||
+ | the given patch). | ||
+ | When Git is compiled with runtime prefix support and runs without | ||
+ | translated messages, it still used the gettext machinery to | ||
+ | display messages, which subsequently potentially looked for | ||
+ | translated messages in unexpected places. This allowed for | ||
+ | malicious placement of crafted messages. | ||
+ | When renaming or deleting a section from a configuration file, | ||
+ | certain malicious configuration values may be misinterpreted as | ||
+ | the beginning of a new configuration section, leading to arbitrary | ||
+ | configuration injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.57**: | ||
+ | This is a bugfix release. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | |||
+ | ==== 2023-04-03 ==== | ||
+ | |||
+ | **irssi-1.4.4**: | ||
+ | Do not crash Irssi when one line is printed as the result of another line | ||
+ | being printed. | ||
+ | Also solve a memory leak while printing unformatted lines. | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2023c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **tar-1.29**: | ||
+ | GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use | ||
+ | of uninitialized memory for a conditional jump. Exploitation to change the | ||
+ | flow of control has not been demonstrated. The issue occurs in from_header | ||
+ | in list.c via a V7 archive in which mtime has approximately 11 whitespace | ||
+ | characters. | ||
+ | Thanks to marav for the heads-up. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2023-03-22 ==== | ||
+ | |||
+ | **curl-8.0.1**: | ||
+ | This update fixes security issues: | ||
+ | * SSH connection too eager reuse still. | ||
+ | * HSTS double-free. | ||
+ | * GSS delegation too eager connection re-use. | ||
+ | * FTP too eager connection reuse. | ||
+ | * SFTP path ~ resolving discrepancy. | ||
+ | * TELNET option IAC injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-03-08 ==== | ||
+ | |||
+ | **httpd-2.4.56**: | ||
+ | This update fixes two security issues: | ||
+ | HTTP Response Smuggling vulnerability via mod_proxy_uwsgi. | ||
+ | HTTP Request Smuggling attack via mod_rewrite and mod_proxy. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sudo-1.9.13p3**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **whois-5.5.16**: | ||
+ | Add bash completion support, courtesy of Ville Skytta. | ||
+ | Updated the .tr TLD server. | ||
+ | Removed support for -metu NIC handles. | ||
+ | |||
+ | **curl-7.88.1**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | ==== 2023-02-16 ==== | ||
+ | |||
+ | **curl-7.88.0**: | ||
+ | This update fixes security issues: | ||
+ | HTTP multi-header compression denial of service. | ||
+ | HSTS amnesia with --parallel. | ||
+ | HSTS ignored on multiple requests. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **git-2.30.8**: | ||
+ | This update fixes security issues: | ||
+ | Using a specially-crafted repository, Git can be tricked into using | ||
+ | its local clone optimization even when using a non-local transport. | ||
+ | Though Git will abort local clones whose source $GIT_DIR/ | ||
+ | directory contains symbolic links (c.f., CVE-2022-39253), | ||
+ | directory itself may still be a symbolic link. | ||
+ | These two may be combined to include arbitrary files based on known | ||
+ | paths on the victim' | ||
+ | working copy, allowing for data exfiltration in a similar manner as | ||
+ | CVE-2022-39253. | ||
+ | By feeding a crafted input to "git apply", | ||
+ | working tree can be overwritten as the user who is running "git | ||
+ | apply" | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-19 ==== | ||
+ | |||
+ | **sudo-1.9.12p2**: | ||
+ | This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow | ||
+ | a malicious user with sudoedit privileges to edit arbitrary files. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-18 ==== | ||
+ | |||
+ | **git-2.30.7**: | ||
+ | This release fixes two security issues: | ||
+ | * CVE-2022-41903: | ||
+ | git log has the ability to display commits using an arbitrary | ||
+ | format with its --format specifiers. This functionality is also | ||
+ | exposed to git archive via the export-subst gitattribute. | ||
+ | When processing the padding operators (e.g., %<(, %<|(, %>(, | ||
+ | %>>(, or %><( ), an integer overflow can occur in | ||
+ | pretty.c:: | ||
+ | stored as an int, and then added as an offset to a subsequent | ||
+ | memcpy() call. | ||
+ | This overflow can be triggered directly by a user running a | ||
+ | command which invokes the commit formatting machinery (e.g., git | ||
+ | log --format=...). It may also be triggered indirectly through | ||
+ | git archive via the export-subst mechanism, which expands format | ||
+ | specifiers inside of files within the repository during a git | ||
+ | archive. | ||
+ | This integer overflow can result in arbitrary heap writes, which | ||
+ | may result in remote code execution. | ||
+ | * CVE-2022-23521: | ||
+ | gitattributes are a mechanism to allow defining attributes for | ||
+ | paths. These attributes can be defined by adding a `.gitattributes` | ||
+ | file to the repository, which contains a set of file patterns and | ||
+ | the attributes that should be set for paths matching this pattern. | ||
+ | When parsing gitattributes, | ||
+ | when there is a huge number of path patterns, a huge number of | ||
+ | attributes for a single pattern, or when the declared attribute | ||
+ | names are huge. | ||
+ | These overflows can be triggered via a crafted `.gitattributes` file | ||
+ | that may be part of the commit history. Git silently splits lines | ||
+ | longer than 2KB when parsing gitattributes from a file, but not when | ||
+ | parsing them from the index. Consequentially, | ||
+ | depends on whether the file exists in the working tree, the index or | ||
+ | both. | ||
+ | This integer overflow can result in arbitrary heap reads and writes, | ||
+ | which may result in remote code execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.55**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | mod_proxy allows a backend to trigger HTTP response splitting. | ||
+ | mod_proxy_ajp possible request smuggling. | ||
+ | mod_dav out of bounds read, or write of zero byte. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libXpm-3.5.15**: | ||
+ | This update fixes security issues: | ||
+ | Infinite loop on unclosed comments. | ||
+ | Runaway loop with width of 0 and enormous height. | ||
+ | Compression commands depend on $PATH. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2023-01-15 ==== | ||
+ | |||
+ | **netatalk-3.1.14**: | ||
+ | Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow | ||
+ | resulting in code execution via a crafted .appl file. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20221205**: | ||
+ | Make sure that if we're installing this package on another partition (such as | ||
+ | when using installpkg with a --root parameter) that the updates are done on | ||
+ | that partition. Thanks to fulalas. | ||
+ | |||
+ | |||
+ | ==== 2023-01-04 ==== | ||
+ | |||
+ | **libtiff-4.4.0**: | ||
+ | Patched various security bugs. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **whois-5.5.15**: | ||
+ | Updated the .bd, .nz and .tv TLD servers. | ||
+ | Added the .llyw.cymru, | ||
+ | Updated the .ac.uk and .gov.uk SLD servers. | ||
+ | Recursion has been enabled for whois.nic.tv. | ||
+ | Updated the list of new gTLDs with four generic TLDs assigned in October 2013 | ||
+ | which were missing due to a bug. | ||
+ | Removed 4 new gTLDs which are no longer active. | ||
+ | Added the Georgian translation, | ||
+ | Updated the Finnish translation, | ||
+ | |||
+ | ==== 2022-12-22 ==== | ||
+ | |||
+ | **curl-7.87.0**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | **libksba-1.6.3**: | ||
+ | Fix another integer overflow in the CRL's signature parser. | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sdl-1.2.15**: | ||
+ | This update fixes a heap overflow problem in video/ | ||
+ | By crafting a malicious .BMP file, an attacker can cause the application | ||
+ | using this library to crash, resulting in denial of service or possibly code execution. | ||
+ | Thanks to marav for the heads-up. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libarchive-3.6.2**: | ||
+ | This update fixes a regression causing a failure to compile against | ||
+ | libarchive: don't include iconv in libarchive.pc. | ||
+ | |||
+ | **libarchive-3.6.2**: | ||
+ | This is a bugfix and security release. | ||
+ | Relevant bugfixes: | ||
+ | * rar5 reader: fix possible garbled output with bsdtar -O (#1745) | ||
+ | * mtree reader: support reading mtree files with tabs (#1783) | ||
+ | Security fixes: | ||
+ | * various small fixes for issues found by CodeQL | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20221205**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **glibc-zoneinfo-2022g**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2022-11-09 ==== | ||
+ | |||
+ | **sysstat-12.7.1**: | ||
+ | On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, | ||
+ | allocate_structures contains a size_t overflow in sa_common.c. The | ||
+ | allocate_structures function insufficiently checks bounds before arithmetic | ||
+ | multiplication, | ||
+ | buffer representing system activities. | ||
+ | This issue may lead to Remote Code Execution (RCE). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022f**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **sudo-1.9.12p1**: | ||
+ | Fixed a potential out-of-bounds write for passwords smaller than 8 | ||
+ | characters when passwd authentication is enabled. | ||
+ | This does not affect configurations that use other authentication | ||
+ | methods such as PAM, AIX authentication or BSD authentication. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-7.86.0**: | ||
+ | This update fixes security issues: | ||
+ | HSTS bypass via IDN. | ||
+ | HTTP proxy double-free. | ||
+ | .netrc parser out-of-bounds access. | ||
+ | POST following PUT confusion. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | This update fixes a security issue: | ||
+ | Fix heap use-after-free after overeager destruction of a shared DTD in | ||
+ | function XML_ExternalEntityParserCreate in out-of-memory situations. | ||
+ | Expected impact is denial of service or potentially arbitrary code | ||
+ | execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **rsync-3.2.7**: | ||
+ | This is a bugfix release, fixing the list of supported auth checksums when | ||
+ | rsync is built against 1.0.x. | ||
+ | Thanks to niksoggia. | ||
+ | |||
+ | **rsync-3.2.7**: | ||
+ | This is a bugfix release. | ||
+ | Notably, this addresses some regressions caused by the file-list validation | ||
+ | fix in rsync-3.2.5. | ||
+ | Thanks to llgar. | ||
+ | |||
+ | **whois-5.5.14**: | ||
+ | This update adds the .bf and .sd TLD servers, removes the .gu TLD server, | ||
+ | updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for | ||
+ | whois.nic.tr, | ||
+ | list of RIPE-like servers (because it is not one anymore), renames | ||
+ | whois.arnes.si to whois.register.si in the list of RIPE-like servers, and | ||
+ | adds the hiding string for whois.auda.org.au. | ||
+ | |||
+ | **git-2.30.6**: | ||
+ | This release fixes two security issues: | ||
+ | * CVE-2022-39253: | ||
+ | When relying on the `--local` clone optimization, | ||
+ | symbolic links in the source repository before creating hardlinks | ||
+ | (or copies) of the dereferenced link in the destination repository. | ||
+ | This can lead to surprising behavior where arbitrary files are | ||
+ | present in a repository' | ||
+ | repository. | ||
+ | Git will no longer dereference symbolic links via the `--local` | ||
+ | clone mechanism, and will instead refuse to clone repositories that | ||
+ | have symbolic links present in the `$GIT_DIR/ | ||
+ | Additionally, | ||
+ | " | ||
+ | * CVE-2022-39260: | ||
+ | An overly-long command string given to `git shell` can result in | ||
+ | overflow in `split_cmdline()`, | ||
+ | remote code execution when `git shell` is exposed and the directory | ||
+ | `$HOME/ | ||
+ | `git shell` is taught to refuse interactive commands that are | ||
+ | longer than 4MiB in size. `split_cmdline()` is hardened to reject | ||
+ | inputs larger than 2GiB. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-10-17 ==== | ||
+ | |||
+ | **glibc-zoneinfo-2022e**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **zlib-1.2.13**: | ||
+ | Fixed a bug when getting a gzip header extra field with inflateGetHeader(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libksba-1.6.2**: | ||
+ | Detect a possible overflow directly in the TLV parser. | ||
+ | This patch detects possible integer overflows immediately when creating | ||
+ | the TI object. | ||
+ | Reported-by: | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-10-05 ==== | ||
+ | |||
+ | **dhcp-4.4.3_P1**: | ||
+ | This update fixes two security issues: | ||
+ | Corrected a reference count leak that occurs when the server builds | ||
+ | responses to leasequery packets. | ||
+ | Corrected a memory leak that occurs when unpacking a packet that has an | ||
+ | FQDN option (81) that contains a label with length greater than 63 bytes. | ||
+ | Thanks to VictorV of Cyber Kunlun Lab for reporting these issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022d**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **dnsmasq-2.87**: | ||
+ | Fix write-after-free error in DHCPv6 server code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20220922**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | This update fixes a security issue: | ||
+ | Heap use-after-free vulnerability in function doContent. Expected impact is | ||
+ | denial of service or potentially arbitrary code execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-09-01 ==== | ||
+ | |||
+ | **curl-7.85.0**: | ||
+ | This update fixes a security issue: | ||
+ | control code in cookie denial of service. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2022-08-15 ==== | ||
+ | |||
+ | **rsync-3.2.5**: | ||
+ | Added some file-list safety checking that helps to ensure that a rogue | ||
+ | sending rsync can't add unrequested top-level names and/or include recursive | ||
+ | names that should have been excluded by the sender. These extra safety | ||
+ | checks only require the receiver rsync to be updated. When dealing with an | ||
+ | untrusted sending host, it is safest to copy into a dedicated destination | ||
+ | directory for the remote content (i.e. don't copy into a destination | ||
+ | directory that contains files that aren't from the remote host unless you | ||
+ | trust the remote host). | ||
+ | For more information, | ||
+ | | ||
+ | (**Security fix**) | ||
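The rsync-3.2.5 entry above describes a receiver-side rule: a sender may only deliver names under the top-level items the client asked for, and must not smuggle in paths the client's exclusions should have removed. The same containment rule underlies the git-2.30.9 `git apply --reject` fix further up this page (rejected hunks must land inside the working tree). Below is an added example of such a file-list check; it is illustrative code written for this page, not rsync's or git's implementation, and the requested names, exclude pattern and received list are constructed.

```python
"""Added example: receiver-side validation of a file list sent by an
untrusted peer.  Not rsync's code; sample data is constructed."""
import fnmatch
from typing import Dict, Iterable, List, Optional, Tuple


def validate_received_name(name: str, requested: Iterable[str],
                           excludes: Iterable[str] = ()) -> Optional[str]:
    """Return a rejection reason, or None if the name may be written."""
    if not name or name.startswith("/"):
        return "absolute or empty path"
    if "\0" in name:
        return "embedded NUL byte"
    parts = name.split("/")
    # '..' escapes the destination; '.' and '' (from '//') are normalisation
    # tricks that make two different strings name the same entry.
    if any(p in ("", ".", "..") for p in parts):
        return "empty, '.' or '..' path component"
    if parts[0] not in set(requested):
        return f"top-level name {parts[0]!r} was not requested"
    # Exclusions are applied to every component, so a sender cannot hide an
    # excluded file deeper in the tree.
    for pat in excludes:
        if any(fnmatch.fnmatchcase(p, pat) for p in parts):
            return f"matches exclude pattern {pat!r}"
    return None


def filter_file_list(names: Iterable[str], requested: Iterable[str],
                     excludes: Iterable[str] = ()) -> Tuple[List[str], Dict[str, str]]:
    """Split a received file list into names to accept and names to reject."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for name in names:
        reason = validate_received_name(name, requested, excludes)
        if reason is None:
            accepted.append(name)
        else:
            rejected[name] = reason
    return accepted, rejected


# Constructed sample: what the client asked for, what it excluded, and a
# file list a hostile sender might return.
REQUESTED = {"docs", "README"}
EXCLUDES = ["*.key"]
RECEIVED = [
    "docs/index.html",
    "docs/secret.key",
    "README",
    "/etc/passwd",
    "docs/../.ssh/authorized_keys",
    ".bashrc",
    "docs//x",
]

if __name__ == "__main__":
    ok, bad = filter_file_list(RECEIVED, REQUESTED, EXCLUDES)
    print("accept:", ok)
    for name, why in bad.items():
        print(f"reject {name!r}: {why}")
```

As the entry notes, these checks protect only the receiving side; copying an untrusted peer's data into a dedicated destination directory remains the safer habit, because even a correct filter cannot tell a legitimately requested `README` from a hostile one.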
+ | |||
+ | **glibc-zoneinfo-2022b**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **zlib-1.2.12**: | ||
+ | This is a bugfix update. | ||
+ | Applied an upstream patch to restore the handling of CRC inputs to be the | ||
+ | same as in previous releases of zlib. This fixes an issue with OpenJDK. | ||
+ | Thanks to alienBOB. | ||
+ | |||
+ | |||
+ | ==== 2022-07-10 ==== | ||
+ | |||
+ | **wavpack-5.5.0**: | ||
+ | WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially | ||
+ | crafted DSD file causes an out-of-bounds read exception. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-06-30 ==== | ||
+ | |||
+ | **curl-7.84.0**: | ||
+ | This update fixes security issues: | ||
+ | Set-Cookie denial of service. | ||
+ | HTTP compression denial of service. | ||
+ | Unpreserved file permissions. | ||
+ | FTP-KRB bad message verification. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | We're sending out the Slackware 14.2 updates again because the package | ||
+ | build number wasn't incremented which caused slackpkg to not pick up the | ||
+ | updates. It's been bumped and the packages rebuilt - otherwise there are | ||
+ | no new changes. Thanks to John Jenkins for the report. | ||
+ | For reference, here's the information from the previous advisory: | ||
+ | In addition to the c_rehash shell command injection identified in | ||
+ | CVE-2022-1292, | ||
+ | properly sanitise shell metacharacters to prevent command injection were | ||
+ | found by code review. | ||
+ | When the CVE-2022-1292 was fixed it was not discovered that there | ||
+ | are other places in the script where the file names of certificates | ||
+ | being hashed were possibly passed to a command executed through the shell. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | |||
+ | ==== 2022-06-28 ==== | ||
+ | |||
+ | **ca-certificates-20220622**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | In addition to the c_rehash shell command injection identified in | ||
+ | CVE-2022-1292, | ||
+ | properly sanitise shell metacharacters to prevent command injection were | ||
+ | found by code review. | ||
+ | When the CVE-2022-1292 was fixed it was not discovered that there | ||
+ | are other places in the script where the file names of certificates | ||
+ | being hashed were possibly passed to a command executed through the shell. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
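The c_rehash entries above (this one and the 2022-05-03 and 2022-06-30 ones) are all the same bug class: a certificate file name is spliced into a command string that is then handed to a shell, so a name containing shell metacharacters becomes a second command. The added example below models the shell's tokenisation with `shlex` rather than spawning anything, so it runs offline, and shows the two standard fixes. It is written for this page and is not OpenSSL's code; the `openssl x509` command line is an assumption standing in for whatever a c_rehash-style script actually runs, and the hostile file name is constructed.

```python
"""Added example: how an unquoted file name in a shell command string becomes
command injection, and two ways to prevent it.  Nothing is executed."""
import shlex
from typing import List

OPENSSL_PREFIX = "openssl x509 -hash -noout -in "  # assumed c_rehash-style command
SEPARATORS = {";", "&&", "||", "|", "&"}


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenise cmd as a POSIX shell would and split it into simple commands.

    Only the list separators above are modelled; command substitution
    ($(...) and backticks) and redirections are not, so a single command
    here is a demonstration, not a proof of safety."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def command_unsafe(filename: str) -> str:
    """Vulnerable pattern: raw interpolation into a string given to a shell."""
    return OPENSSL_PREFIX + filename


def command_quoted(filename: str) -> str:
    """Fix 1: quote the file name so the shell sees exactly one word."""
    return OPENSSL_PREFIX + shlex.quote(filename)


def argv_no_shell(filename: str) -> List[str]:
    """Fix 2 (preferred): build an argv list and bypass the shell entirely,
    e.g. subprocess.run(argv_no_shell(f), check=True)."""
    return ["openssl", "x509", "-hash", "-noout", "-in", filename]


# Constructed hostile file name: a certificate whose name carries a command.
EVIL = "cert.pem; echo INJECTED"

if __name__ == "__main__":
    print("unsafe :", shell_commands(command_unsafe(EVIL)))
    print("quoted :", shell_commands(command_quoted(EVIL)))
    print("argv   :", argv_no_shell(EVIL))
```

Quoting (fix 1) is what a shell script can do; the argv form (fix 2) is what any program that is not itself a shell should do, because there is then no parser for the attacker to reach. Both fixes must be applied at every place the name is used, which is exactly the lesson of the follow-up fix this entry describes.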
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | |||
+ | ==== 2022-06-09 ==== | ||
+ | |||
+ | **httpd-2.4.54**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. | ||
+ | Information Disclosure in mod_lua with websockets. | ||
+ | mod_sed denial of service. | ||
+ | Denial of service in mod_lua r: | ||
+ | Read beyond bounds in ap_strcmp_match(). | ||
+ | Read beyond bounds via ap_rwrite(). | ||
+ | Read beyond bounds in mod_isapi. | ||
+ | mod_proxy_ajp: | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-05-26 ==== | ||
+ | |||
+ | **cups-2.1.4**: | ||
+ | Fixed certificate strings comparison for Local authorization. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-05-11 ==== | ||
+ | |||
+ | **curl-7.83.1**: | ||
+ | This update fixes security issues: | ||
+ | HSTS bypass via trailing dot. | ||
+ | TLS and SSH connection too eager reuse. | ||
+ | CERTINFO never-ending busy-loop. | ||
+ | percent-encoded path separator in URL host. | ||
+ | cookie for trailing dot TLD. | ||
+ | curl removes wrong file on error. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-05-03 ==== | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | Fixed a bug in the c_rehash script which was not properly sanitising shell | ||
+ | metacharacters to prevent command injection. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | ==== 2022-05-03 ==== | ||
+ | |||
+ | **libxml2-2.9.14**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | Fix integer overflow in xmlBuf and xmlBuffer. | ||
+ | Fix potential double-free in xmlXPtrStringRangeFunction. | ||
+ | Fix memory leak in xmlFindCharEncodingHandler. | ||
+ | Normalize XPath strings in-place. | ||
+ | Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars(). | ||
+ | Fix leak of xmlElementContent. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-04-02 ==== | ||
+ | |||
+ | **pidgin-2.12.0**: | ||
+ | Mitigate the potential for a man in the middle attack via DNS spoofing by | ||
+ | removing the code that supported the _xmppconnect DNS TXT record. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **xz-5.2.5**: | ||
+ | This update fixes a regression with the previous package leading to compile | ||
+ | failures due to a missing liblzma.la. Thanks to csking. | ||
+ | |||
+ | ==== 2022-04-27 ==== | ||
+ | |||
+ | **curl-7.83.0**: | ||
+ | This update fixes security issues: | ||
+ | OAUTH2 bearer bypass in connection re-use. | ||
+ | Credential leak on redirect. | ||
+ | Bad local IPv6 connection reuse. | ||
+ | Auth/cookie leak on redirect. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-04-15 ==== | ||
+ | |||
+ | **git-2.30.4**: | ||
+ | This update fixes a security issue where a Git worktree created by another | ||
+ | user might be able to execute arbitrary code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **gzip-1.12**: | ||
+ | This update fixes a security issue: | ||
+ | zgrep applied to a crafted file name with two or more newlines can no | ||
+ | longer overwrite an arbitrary, attacker-selected file. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **xz-5.2.5**: | ||
+ | This update fixes a security issue: | ||
+ | xzgrep applied to a crafted file name with two or more newlines can no | ||
+ | longer overwrite an arbitrary, attacker-selected file. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **whois-5.5.13**: | ||
+ | This update adds the .sd TLD server, updates the list of new gTLDs, and adds | ||
+ | a Turkish translation. | ||
+ | |||
+ | ==== 2022-04-08 ==== | ||
+ | |||
+ | **libarchive-3.6.1**: | ||
+ | This is a bugfix and security release. | ||
+ | Security fixes: | ||
+ | * 7zip reader: fix PPMD read beyond boundary. | ||
+ | * ZIP reader: fix possible out of bounds read. | ||
+ | * ISO reader: fix possible heap buffer overflow in read_children(). | ||
* RARv4 reader: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0). | ||
+ | * Fix heap use after free in archive_read_format_rar_read_data(). | ||
+ | * Fix null dereference in read_data_compressed(). | ||
* Fix heap use after free in run_filters(). | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20220403**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **whois-5.5.12**: | ||
+ | This is a bugfix release. Thanks to Nobby6. | ||
+ | |||
+ | **zlib-1.2.12**: | ||
+ | This update fixes memory corruption when deflating (i.e., when compressing) | ||
+ | if the input has many distant matches. Thanks to marav. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2022a**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2022-03-17 ==== | ||
+ | |||
+ | **bind-9.11.37**: | ||
+ | This update fixes bugs and the following security issue: | ||
+ | The rules for acceptance of records into the cache have been tightened to | ||
+ | prevent the possibility of poisoning if forwarders send records outside | ||
+ | the configured bailiwick. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | This update fixes a high severity security issue: | ||
+ | The BN_mod_sqrt() function, which computes a modular square root, contains | ||
+ | a bug that can cause it to loop forever for non-prime moduli. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
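The BN_mod_sqrt() failure mode described above, shown on a bounded Tonelli-Shanks modular square root (an added example, not code from the page or from OpenSSL): the modulus is assumed prime, and for a composite such as 561 the non-residue search can never succeed, so every loop is capped and the result is verified before it is returned instead of spinning forever.

```python
"""Modular square root (Tonelli-Shanks) with bounded loops.

Added example; not the page's or OpenSSL's code. It illustrates why a
modular square root routine must not assume its modulus is prime:
with a composite modulus the searches below never converge, so each
loop is capped and the answer is checked before being returned.
"""
from typing import Optional


def mod_sqrt(a: int, p: int, max_steps: int = 256) -> Optional[int]:
    """Return r with r*r == a (mod p), or None if no root was found.

    p is assumed to be an odd prime. If it is not, the capped loops give
    up and return None rather than looping forever.
    """
    if p < 2:
        raise ValueError("modulus must be >= 2")
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Euler's criterion: a must be a quadratic residue. Only meaningful for
    # prime p, but it cheaply rejects many composite inputs as well.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z. For a composite p such as 561 none
    # exists by this test, which is exactly the endless search the cap ends.
    z = None
    for candidate in range(2, 2 + max_steps):
        if pow(candidate, (p - 1) // 2, p) == p - 1:
            z = candidate
            break
    if z is None:
        return None
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    # Each round strictly decreases m, so at most s rounds are possible;
    # the range() makes that bound explicit rather than relying on algebra.
    for _ in range(s + 1):
        if t == 1:
            break
        # Least i with t**(2**i) == 1; for a prime modulus 0 < i < m holds.
        i, t2 = 0, t
        while t2 != 1 and i < m:
            t2 = t2 * t2 % p
            i += 1
        if i >= m:
            # No such i: p is not prime or a is not a residue after all.
            return None
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    else:
        return None
    # Never trust the algebra on an unverified modulus: confirm the root.
    return r if r * r % p == a else None


def has_root(a: int, p: int) -> bool:
    """Convenience wrapper: True when a verified square root was found."""
    return mod_sqrt(a, p) is not None


if __name__ == "__main__":
    # Constructed inputs: a small prime, a Carmichael number, and the
    # secp256k1 field prime.
    print(mod_sqrt(10, 13))            # 7 (7*7 = 49 = 10 mod 13)
    print(mod_sqrt(4, 561))            # None: 561 = 3*11*17, search capped
    SECP256K1_P = 2**256 - 2**32 - 977
    print(has_root(4, SECP256K1_P))    # True
```

With the cap removed from the non-residue search, mod_sqrt(4, 561) never returns, which is the behaviour the advisory describes for non-prime moduli.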
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | ==== 2022-03-15 ==== | ||
+ | |||
+ | **httpd-2.4.53**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | mod_sed: Read/write beyond bounds | ||
+ | core: Possible buffer overflow with very large or unlimited | ||
+ | LimitXMLRequestBody | ||
+ | HTTP request smuggling vulnerability | ||
+ | mod_lua: Use of uninitialized value in r:parsebody | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20220309**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | This is a bugfix release: | ||
+ | Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to | ||
+ | all valid URI characters (RFC 3986). | ||
+ | |||
+ | ==== 2022-03-01 ==== | ||
+ | |||
+ | **libxml2-2.9.13**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | Use-after-free of ID and IDREF attributes | ||
+ | (Thanks to Shinji Sato for the report) | ||
+ | Use-after-free in xmlXIncludeCopyRange (David Kilzer) | ||
+ | Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong) | ||
+ | Fix memory leak in xmlXPathCompNodeTest | ||
+ | Fix null pointer deref in xmlStringGetNodeList | ||
+ | Fix several memory leaks found by Coverity (David King) | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libxslt-1.1.35**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | Fix use-after-free in xsltApplyTemplates | ||
+ | Fix memory leak in xsltDocumentElem (David King) | ||
+ | Fix memory leak in xsltCompileIdKeyPattern (David King) | ||
+ | Fix double-free with stylesheets containing entity nodes | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **cyrus-sasl-2.1.28**: | ||
+ | This update fixes bugs and security issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-02-22 ==== | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | Fixed a regression introduced by the fix for CVE-2022-25313 that affects | ||
+ | applications that (1) call function XML_SetElementDeclHandler and (2) are | ||
+ | parsing XML that contains nested element declarations, | ||
+ | "< | ||
+ | |||
+ | **flac-1.3.4**: | ||
+ | This update fixes overflow issues with encoding and decoding. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-02-01 ==== | ||
+ | |||
+ | **linux-libre-4.4.301**: | ||
+ | These updates fix various bugs and security issues, including the recently | ||
+ | announced i915 issue that could lead to user-space gaining access to random | ||
+ | memory pages (CVE-2022-0330). | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | Fixed in 4.4.277: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.278: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.281: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.282: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.283: | ||
+ | * https:// | ||
+ | Fixed in 4.4.284: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.285: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.288: | ||
+ | * https:// | ||
+ | Fixed in 4.4.289: | ||
+ | * https:// | ||
+ | Fixed in 4.4.290: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.291: | ||
+ | * https:// | ||
+ | Fixed in 4.4.292: | ||
+ | * https:// | ||
+ | Fixed in 4.4.293: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.294: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.295: | ||
+ | * https:// | ||
+ | Fixed in 4.4.296: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.299: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.300: | ||
+ | * https:// | ||
+ | Fixed in 4.4.301: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2022-01-27 ==== | ||
+ | **expat-2.4.3**: | ||
+ | Prevent integer overflow in doProlog. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-01-26 ==== | ||
+ | **polkit-0.113**: | ||
+ | [PATCH] pkexec: local privilege escalation. | ||
+ | Thanks to Qualys Research Labs for reporting this issue. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-01-25 ==== | ||
+ | |||
+ | **expat-2.4.3**: | ||
+ | Fix signed integer overflow in function XML_GetBuffer for when | ||
+ | XML_CONTEXT_BYTES is defined to >0 (which is both common and | ||
+ | default). Impact is denial of service or other undefined behavior. | ||
+ | While we're here, also patch a memory leak on output file opening error. | ||
+ | Thanks to marav. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-01-19 ==== | ||
+ | **wpa_supplicant-2.9**: | ||
+ | This update contains patches for these security issues: | ||
+ | The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant | ||
+ | before 2.10 are vulnerable to side-channel attacks as a result of cache | ||
+ | access patterns. | ||
+ | NOTE: this issue exists because of an incomplete fix for CVE-2019-9495. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2022-01-16 ==== | ||
+ | **expat-2.4.3**: | ||
+ | Fix issues with left shifts by >=29 places resulting in: | ||
+ | a) realloc acting as free | ||
+ | b) realloc allocating too few bytes | ||
+ | c) undefined behavior | ||
+ | Fix integer overflow on variable m_groupSize in function doProlog leading | ||
+ | to realloc acting as free. Impact is denial of service or other undefined | ||
+ | behavior. | ||
+ | Prevent integer overflows near memory allocation at multiple places. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2021-12-29 ==== | ||
+ | |||
+ | **wpa_supplicant-2.9**: | ||
+ | This update fixes the following security issues: | ||
+ | AP mode PMF disconnection protection bypass. | ||
+ | UPnP SUBSCRIBE misbehavior in hostapd WPS AP. | ||
+ | P2P group information processing vulnerability. | ||
+ | P2P provision discovery processing vulnerability. | ||
+ | ASN.1: Validate DigestAlgorithmIdentifier parameters. | ||
+ | Flush pending control interface message for an interface to be removed. | ||
+ | These issues could result in a denial-of-service, | ||
+ | arbitrary code execution, or other unexpected behavior. | ||
+ | Thanks to nobodino for pointing out the patches. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-12-20 ==== | ||
+ | |||
+ | **httpd-2.4.52**: | ||
+ | SECURITY: CVE-2021-44790: | ||
+ | multipart content in mod_lua of Apache HTTP Server 2.4.51 and | ||
+ | earlier (cve.mitre.org) | ||
+ | A carefully crafted request body can cause a buffer overflow in | ||
+ | the mod_lua multipart parser (r: | ||
+ | scripts). | ||
+ | The Apache httpd team is not aware of an exploit for the | ||
vulnerability though it might be possible to craft one. | ||
+ | This issue affects Apache HTTP Server 2.4.51 and earlier. | ||
+ | Credits: Chamal | ||
+ | SECURITY: CVE-2021-44224: | ||
+ | forward proxy configurations in Apache HTTP Server 2.4.51 and | ||
+ | earlier (cve.mitre.org) | ||
+ | A crafted URI sent to httpd configured as a forward proxy | ||
+ | (ProxyRequests on) can cause a crash (NULL pointer dereference) | ||
+ | or, for configurations mixing forward and reverse proxy | ||
+ | declarations, | ||
+ | declared Unix Domain Socket endpoint (Server Side Request | ||
+ | Forgery). | ||
+ | This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 | ||
+ | (included). | ||
Credits: 漂亮鼠 | ||
+ | TengMA(@Te3t123) | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20211216**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | |||
+ | ==== 2021-12-16 ==== | ||
+ | |||
+ | **xorg-server-1.18.3**: | ||
+ | Fixes for multiple input validation failures in X server extensions: | ||
+ | render: Fix out of bounds access in SProcRenderCompositeGlyphs() | ||
+ | xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **xorg-server-xephyr-1.18.3**: | ||
+ | |||
+ | **xorg-server-xnest-1.18.3**: | ||
+ | |||
+ | **xorg-server-xvfb-1.18.3**: | ||
+ | |||
+ | ==== 2021-12-03 ==== | ||
+ | |||
+ | **mozilla-nss-3.40.1**: | ||
+ | This update fixes a critical security issue: | ||
+ | NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are | ||
+ | vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS | ||
+ | signatures. Applications using NSS for handling signatures encoded within | ||
+ | CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications | ||
+ | using NSS for certificate validation or other TLS, X.509, OCSP or CRL | ||
+ | functionality may be impacted, depending on how they configure NSS. | ||
+ | Note: This vulnerability does NOT impact Mozilla Firefox. However, email | ||
+ | clients and PDF viewers that use NSS for signature verification, | ||
+ | Thunderbird, | ||
+ | Thanks to Tavis Ormandy of Google Project Zero. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **mailx-12.5**: | ||
+ | Patched a bug where Heirloom mailx produces a " | ||
+ | incorrect when the system is in the Europe/ | ||
+ | to have been sent 2 hours earlier). | ||
+ | Thanks to Andrea Biardi. | ||
+ | |||
+ | ==== 2021-10-28 ==== | ||
+ | |||
+ | **bind-9.11.36**: | ||
+ | This update fixes bugs and the following security issue: | ||
+ | The " | ||
+ | the lame server cache, as it could previously be abused by an attacker to | ||
+ | significantly degrade resolver performance. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2021e**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2021-10-10 ==== | ||
+ | |||
+ | **httpd-2.4.51**: | ||
+ | SECURITY: CVE-2021-42013: | ||
+ | Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete | ||
+ | fix of CVE-2021-41773) (cve.mitre.org) | ||
+ | It was found that the fix for CVE-2021-41773 in Apache HTTP | ||
+ | Server 2.4.50 was insufficient. | ||
+ | traversal attack to map URLs to files outside the directories | ||
+ | configured by Alias-like directives. | ||
+ | If files outside of these directories are not protected by the | ||
+ | usual default configuration " | ||
+ | can succeed. If CGI scripts are also enabled for these aliased | ||
paths, this could allow for remote code execution. | ||
+ | This issue only affects Apache 2.4.49 and Apache 2.4.50 and not | ||
+ | earlier versions. | ||
+ | Credits: Reported by Juan Escobar from Dreamlab Technologies, | ||
Fernando Muñoz from NULL Life CTF Team, and Shungo Kumasaka | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-10-05 ==== | ||
+ | |||
+ | **httpd-2.4.50**: | ||
+ | This release contains security fixes and improvements. | ||
+ | Fixed null pointer dereference in h2 fuzzing. | ||
+ | Fixed path traversal and file disclosure vulnerability. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
**ca-certificates-20211005**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | Don't install / | ||
+ | generated list that will just end up suffering a mismatch with the files | ||
+ | included in the package. Thanks to Weber Kai. | ||
+ | |||
**glibc-zoneinfo-2021**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2021-09-21 ==== | ||
+ | |||
+ | **alpine-2.25**: | ||
+ | Fixed a denial-of-service security issue where untagged responses from an | ||
+ | IMAP server are accepted before STARTTLS. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-09-17 ==== | ||
+ | |||
+ | **httpd-2.4.49**: | ||
+ | This release contains security fixes and improvements. | ||
mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic] | ||
+ | core: ap_escape_quotes buffer overflow | ||
+ | mod_proxy_uwsgi: | ||
+ | core: null pointer dereference on malformed request | ||
+ | mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing] | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-09-16 ==== | ||
+ | |||
+ | **curl-7.79.0**: | ||
+ | This update fixes security issues: | ||
+ | clear the leftovers pointer when sending succeeds. | ||
+ | do not ignore --ssl-reqd. | ||
+ | reject STARTTLS server response pipelining. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-09-01 ==== | ||
+ | |||
+ | **ntfs-3g-2021.8.22**: | ||
+ | Shared library .so-version bump. | ||
+ | Fixed vulnerabilities that may allow an attacker using a maliciously | ||
+ | crafted NTFS-formatted image file or external storage to potentially | ||
+ | execute arbitrary privileged code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-07-21 ==== | ||
+ | |||
+ | **curl-7.78.0**: | ||
+ | This update fixes security issues: | ||
+ | CURLOPT_SSLCERT mixup with Secure Transport | ||
+ | TELNET stack contents disclosure again | ||
+ | Bad connection reuse due to flawed path name checks | ||
+ | Metalink download sends credentials | ||
+ | Wrong content via metalink not discarded | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **linux-libre**: | ||
+ | These updates fix various bugs and security issues, including the recently | ||
+ | announced local privilege escalation vulnerability in the filesystem layer | ||
+ | (CVE-2021-33909). | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | Fixed in 4.4.262: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.263: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.264: | ||
+ | * https:// | ||
+ | Fixed in 4.4.265: | ||
+ | * https:// | ||
+ | Fixed in 4.4.266: | ||
+ | * https:// | ||
+ | Fixed in 4.4.267: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.269: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.270: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.271: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.272: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.274: | ||
+ | * https:// | ||
+ | Fixed in 4.4.276: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-06-07 ==== | ||
+ | |||
+ | **httpd-2.4.48**: | ||
+ | This release contains security fixes and improvements. | ||
+ | mod_http2: Fix a potential NULL pointer dereference. | ||
+ | Unexpected < | ||
+ | mod_auth_digest: | ||
+ | the Digest nonce. | ||
+ | mod_session: | ||
+ | could be used to cause a Denial of Service with a malicious backend | ||
+ | server and SessionHeader. | ||
+ | mod_session: | ||
+ | could be used to cause a Denial of Service. | ||
+ | mod_proxy_http: | ||
+ | could be used to cause a Denial of Service. | ||
+ | mod_proxy_wstunnel, | ||
+ | negotiation. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libX11-1.7.2**: | ||
+ | This is a bug fix release, correcting a regression introduced by and | ||
+ | improving the checks from the fix for CVE-2021-31535. | ||
+ | |||
+ | **polkit-0.113**: | ||
+ | This update includes a mitigation for local privilege escalation using | ||
+ | polkit_system_bus_name_get_creds_sync(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **dhcp-4.4.2_P1**: | ||
+ | This update fixes a security issue: | ||
+ | Corrected a buffer overwrite possible when parsing hexadecimal | ||
+ | literals with more than 1024 octets. Reported by Jon Franklin from Dell, | ||
+ | and also by Pawel Wieczorkiewicz from Amazon Web Services. [Gitlab #182] | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-05-26 ==== | ||
+ | |||
+ | **ca-certificates-20210526**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **curl-7.77.0**: | ||
+ | This update fixes security issues: | ||
+ | schannel cipher selection surprise | ||
+ | TELNET stack contents disclosure | ||
+ | TLS session caching disaster | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-05-25 ==== | ||
+ | |||
+ | **gnutls-3.6.16**: | ||
+ | Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle. | ||
+ | In GnuTLS, as long as it is built and linked against the fixed version of | ||
+ | Nettle, this only affects GOST curves. | ||
+ | Fixed potential use-after-free in sending " | ||
+ | extensions. When sending those extensions, the client may dereference a | ||
+ | pointer no longer valid after realloc. This happens only when the client | ||
+ | sends a large Client Hello message, e.g., when HRR is sent in a resumed | ||
+ | session previously negotiated large FFDHE parameters, because the initial | ||
+ | allocation of the buffer is large enough without having to call realloc | ||
+ | (# | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-05-23 ==== | ||
+ | |||
+ | **expat-2.4.1**: | ||
+ | This update provides new mitigations against the " | ||
+ | of service attack. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-05-19 ==== | ||
+ | |||
+ | **libX11-1.7.1**: | ||
+ | This update fixes missing request length checks in libX11 that can lead to | ||
+ | the emission of extra X protocol requests to the X server. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-05-15 ==== | ||
+ | |||
+ | **libxml2-2.9.12**: | ||
+ | This update fixes a denial-of-service security issue. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-04-29 ==== | ||
+ | |||
+ | **bind-9.11.31**: | ||
+ | This update fixes bugs and the following security issues: | ||
+ | A specially crafted GSS-TSIG query could cause a buffer overflow in the | ||
+ | ISC implementation of SPNEGO. | ||
+ | named crashed when a DNAME record placed in the ANSWER section during DNAME | ||
+ | chasing turned out to be the final answer to a client query. | ||
+ | Insufficient IXFR checks could result in named serving a zone without an SOA | ||
+ | record at the apex, leading to a RUNTIME_CHECK assertion failure when the | ||
+ | zone was subsequently refreshed. This has been fixed by adding an owner name | ||
+ | check for all SOA records which are included in a zone transfer. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-04-12 ==== | ||
+ | |||
+ | **dnsmasq-2.85**: | ||
+ | Use random source ports where possible if source addresses/ | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **irssi-1.2.3**: | ||
+ | This update fixes bugs and security issues. | ||
+ | See the NEWS file for details. | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-03-31 ==== | ||
+ | |||
+ | **curl-7.76.0**: | ||
+ | This update fixes security issues: | ||
+ | Authentication Bypass by Spoofing. | ||
+ | Exposure of Private Personal Information to an Unauthorized Actor. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-03-28 ==== | ||
+ | |||
+ | **xterm-367**: | ||
+ | This update fixes a security issue: | ||
+ | xterm before Patch #366 allows remote attackers to execute arbitrary code or | ||
+ | cause a denial of service (segmentation fault) via a crafted UTF-8 combining | ||
+ | character sequence. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2021-03-14 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.261**: | ||
+ | These updates fix various bugs and security issues, including the recently | ||
+ | announced iSCSI vulnerabilities allowing local privilege escalation. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **git-2.17.6**: | ||
+ | This update fixes a security issue: | ||
+ | On case-insensitive file systems with support for symbolic links, if Git is | ||
+ | configured globally to apply delay-capable clean/ | ||
+ | LFS), Git could be fooled into running remote code during a clone. Credit for | ||
+ | finding and fixing this vulnerability goes to Matheus Tavares, helped by | ||
+ | Johannes Schindelin. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20210308**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2021-02-09 ==== | ||
+ | |||
+ | **dnsmasq-2.84**: | ||
+ | This update fixes bugs and remotely exploitable security issues: | ||
+ | * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. | ||
+ | * Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, | ||
+ | * Be sure to only accept UDP DNS query replies at the address | ||
+ | * Use the SHA-256 hash function to verify that DNS answers | ||
+ | * Handle multiple identical near simultaneous DNS queries better. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2021-01-26 ==== | ||
+ | |||
+ | **sudo-1.9.5p2**: | ||
+ | When invoked as sudoedit, the same set of command line options | ||
+ | are now accepted as for "sudo -e". The -H and -P options are | ||
+ | now rejected for sudoedit and "sudo -e" which matches the sudo | ||
+ | 1.7 behavior. This is part of the fix for CVE-2021-3156. | ||
+ | Fixed a potential buffer overflow when unescaping backslashes | ||
+ | in the command' | ||
+ | characters when running a command via a shell (sudo -s or sudo | ||
+ | -i). However, it was also possible to run sudoedit with the -s | ||
+ | or -i flags in which case no escaping had actually been done, | ||
+ | making a buffer overflow possible. This fixes CVE-2021-3156. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
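The sudo 1.9.5p2 entry describes a mismatch between two code paths: arguments are backslash-escaped only when a command is going to be run through a shell, but sudoedit with -s or -i reached the same unescaping code without that escaping having happened. The following is an added Python model of that logic, written for this page and not taken from sudo: argument strings are laid out back to back and NUL-terminated, as a C program sees them, so the copy loop can be shown stepping over a terminator when an argument ends in a lone backslash. The escaping rule and the stand-in for neighbouring heap memory are simplifications.

```python
# Added example: a Python model of the sizing/copy mismatch described in the
# sudo 1.9.5p2 entry (not sudo's code).  Argument strings are laid out the way
# a C program sees them, back to back and NUL-terminated, so that the copy loop
# can be shown running past the end of one string into whatever follows it.

BACKSLASH = ord("\\")
HEAP_NEIGHBOUR = b"NEXT-HEAP-CHUNK\x00"   # stand-in for whatever memory follows the last argument


def escape_for_shell(args):
    """Simplified model of what the option parser does to arguments destined for a
    shell: every byte that is not alphanumeric or one of _ - $ gets a backslash."""
    escaped = []
    for arg in args:
        escaped.append("".join(ch if (ch.isalnum() or ch in "_-$") else "\\" + ch
                               for ch in arg))
    return escaped


def build_user_args(args, unescape):
    """Concatenate args into one space-separated buffer sized as sum(len + 1).

    With unescape=True a backslash is dropped and the byte after it copied
    verbatim unless that byte is whitespace.  If an argument ends in a lone
    backslash the loop steps over its NUL terminator and keeps copying from
    whatever follows.  Returns (buffer, overflowed)."""
    if not args:
        return b"", False
    raw = [a.encode() for a in args]
    memory = b"".join(r + b"\x00" for r in raw) + HEAP_NEIGHBOUR
    size = sum(len(r) + 1 for r in raw)        # each arg plus a separator; the last slot is the NUL
    buf = bytearray(size)
    to = 0
    offset = 0
    for r in raw:
        frm = offset
        while memory[frm] != 0:
            if unescape and memory[frm] == BACKSLASH and memory[frm + 1] not in b" \t\n":
                frm += 1                        # drop the backslash; may now point at the NUL
            if to >= size:
                return bytes(buf), True         # write would land past the end of the buffer
            buf[to] = memory[frm]
            to += 1
            frm += 1
        if to >= size:
            return bytes(buf), True
        buf[to] = ord(" ")
        to += 1
        offset += len(r) + 1                    # start of the next argument
    return bytes(buf[:to - 1]), False           # final separator slot is the terminator


def set_cmnd(args, mode_shell, mode_edit, fixed):
    """mode_shell: -s or -i given; mode_edit: invoked as sudoedit.
    fixed=False models the behaviour before 1.9.5p2, fixed=True the corrected one."""
    if mode_shell and not mode_edit:
        args = escape_for_shell(args)           # escaping happens only when a command is run
    if fixed:
        unescape = mode_shell and not mode_edit  # only unescape what was actually escaped
    else:
        unescape = mode_shell                    # sudoedit -s reached this path unescaped
    return build_user_args(args, unescape)
```

With `set_cmnd(["\\"], mode_shell=True, mode_edit=True, fixed=False)` the single backslash argument makes the loop copy its own terminator and then the bytes of the neighbouring chunk, so the write index passes the computed size; the corrected condition leaves the argument alone and the buffer holds exactly the one backslash.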
+ | |||
+ | **glibc-zoneinfo-2021a**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | |||
+ | ==== 2021-01-14 ==== | ||
+ | |||
+ | **wavpack-5.4.0**: | ||
+ | WavPack 5.4.0 fixes an issue where a specially crafted WAV file could cause | ||
+ | the wavpack command-line program to crash with an out-of-bounds write. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **xscreensaver-5.45**: | ||
+ | Here's an upgrade to the latest xscreensaver. | ||
+ | Thanks to drumz for the compile fix. | ||
+ | |||
+ | **sudo-1.9.5p1**: | ||
+ | Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit | ||
+ | was set-user-ID root unless SELinux RBAC was in use. The editor is now run | ||
+ | with the user's real and effective user-IDs. | ||
+ | |||
+ | |||
+ | ==== 2021-01-11 ==== | ||
+ | |||
+ | **sudo-1.9.5**: | ||
+ | This update fixes security issues: | ||
+ | Potential information leak in sudoedit that could be used to test for | ||
+ | the existence of directories not normally accessible to the user. | ||
+ | Flaw in the temporary file handling of sudoedit' | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2020f**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **ca-certificates-20201219**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2020-12-12 ==== | ||
+ | |||
+ | **p11-kit-0.23.22**: | ||
+ | Fix memory-safety issues that affect the RPC protocol. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-12-09 ==== | ||
+ | |||
+ | **curl-7.74.0**: | ||
+ | This release includes the following security related bugfixes: | ||
+ | * Inferior OCSP verification [93] | ||
+ | * FTP wildcard stack overflow [95] | ||
+ | * Trusting FTP PASV responses [97] | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-11-28 ==== | ||
+ | |||
+ | **bind-9.11.25**: | ||
+ | This update fixes bugs, including a denial-of-service security issue: | ||
+ | After a Negative Trust Anchor (NTA) is added, BIND performs periodic | ||
+ | checks to see if it is still necessary. If BIND encountered a failure | ||
+ | while creating a query to perform such a check, it attempted to | ||
+ | dereference a NULL pointer, resulting in a crash. [GL #2244] | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-11-25 ==== | ||
+ | |||
+ | **mutt-1.10.1**: | ||
+ | Mutt had incorrect error handling when initially connecting to an IMAP | ||
+ | server, which could result in an attempt to authenticate without enabling TLS. | ||
+ | For more information, | ||
+ | * http:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20201105**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **glibc-zoneinfo-2020d**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **linux-libre-*-4.4.240**: | ||
+ | These updates fix various bugs and security issues, including the recently | ||
+ | discovered " | ||
+ | (CVE-2020-12351, | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.228: | ||
+ | * https:// | ||
+ | Fixed in 4.4.229: | ||
+ | * https:// | ||
+ | Fixed in 4.4.230: | ||
+ | * https:// | ||
+ | Fixed in 4.4.232: | ||
+ | * https:// | ||
+ | Fixed in 4.4.233: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.234: | ||
+ | * https:// | ||
+ | Fixed in 4.4.236: | ||
+ | * https:// | ||
+ | Fixed in 4.4.237: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.238: | ||
+ | * https:// | ||
+ | Fixed in 4.4.239: | ||
+ | * https:// | ||
+ | Fixed in 4.4.240: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-10-20 ==== | ||
+ | |||
+ | **freetype-2.6.3**: | ||
+ | Fix heap buffer overflow in embedded PNG bitmap handling. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2020c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **ca-certificates-20201016**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **rust-1.46.0**: | ||
+ | |||
+ | ==== 2020-09-23 ==== | ||
+ | |||
+ | **linux-libre-image-4.4.27**: | ||
+ | |||
+ | **xonotic-0.8.2**: | ||
+ | |||
+ | ==== 2020-09-18 ==== | ||
+ | |||
+ | **avahi-0.7**: | ||
+ | |||
+ | **libdaemon-0.14**: | ||
+ | |||
+ | **libreoffice-6.2.8.2**: | ||
+ | |||
+ | ==== 2020-09-05 ==== | ||
+ | |||
+ | **gnutls-3.6.15**: | ||
+ | libgnutls: Fixed " | ||
+ | which could lead to an application crash. | ||
+ | [GNUTLS-SA-2020-09-04, | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-08-21 ==== | ||
+ | |||
+ | **bind-9.11.22**: | ||
+ | This update fixes three security issues: | ||
+ | " | ||
+ | " | ||
+ | names outside of the specified subdomains. The problem was fixed by making | ||
+ | sure " | ||
+ | When BIND 9 was compiled with native PKCS#11 support, it was possible to | ||
+ | trigger an assertion failure in code determining the number of bits in the | ||
+ | PKCS#11 RSA public key with a specially crafted packet. | ||
+ | It was possible to trigger an assertion failure when verifying the response | ||
+ | to a TSIG-signed request. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-08-19 ==== | ||
+ | |||
+ | **curl-7.72.0**: | ||
+ | This update fixes a security issue: | ||
+ | libcurl: wrong connect-only connection [98] | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.46**: | ||
+ | This is the latest release from the Apache HTTP Server 2.4.x stable branch. | ||
+ | |||
+ | ==== 2020-07-23 ==== | ||
+ | |||
+ | **libreoffice-6.2.8.2**: | ||
+ | |||
+ | ==== 2020-07-06 ==== | ||
+ | |||
+ | **libvorbis-1.3.7**: | ||
+ | Fix out-of-bounds read encoding very low sample rates. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20200630**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2020-06-24 ==== | ||
+ | |||
+ | **curl-7.71.0**: | ||
+ | This update fixes security issues: | ||
+ | curl overwrite local file with -J [111] | ||
+ | Partial password leak over DNS on HTTP redirect [48] | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libjpeg-turbo-2.0.5**: | ||
+ | This update fixes bugs and a security issue: | ||
+ | Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg, | ||
+ | TJBench, or the `tjLoadImage()` function if one of the values in a binary | ||
+ | PPM/PGM input file exceeded the maximum value defined in the file's header | ||
+ | and that maximum value was less than 255. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
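The libjpeg-turbo entry above is about a PPM/PGM reader trusting the samples in the raster against the maxval declared in the header: the reader maps samples to 0..255 through a lookup table with maxval + 1 entries, so a sample larger than maxval indexes past the end of that table. The following is an added strict reader for binary PGM (P5) and PPM (P6) files, written for this page rather than taken from libjpeg-turbo; it builds the same kind of rescale table and refuses any sample above maxval before doing a lookup. The sample files are constructed inline.

```python
# Added example: a strict reader for binary PGM (P5) and PPM (P6) files, the
# input format in the libjpeg-turbo entry (not libjpeg-turbo's code).  The
# reader builds a maxval+1 entry rescale table like the one the C code uses
# to map samples to 0..255; a sample larger than maxval would index past the
# end of that table, so samples are checked against maxval before any lookup.


class PNMError(ValueError):
    pass


def _token(data, pos):
    """Return the next header token and the position after it, skipping
    whitespace and '#' comments."""
    while pos < len(data):
        byte = data[pos:pos + 1]
        if byte == b"#":
            while pos < len(data) and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
        elif byte.isspace():
            pos += 1
        else:
            break
    start = pos
    while pos < len(data) and not data[pos:pos + 1].isspace():
        pos += 1
    if start == pos:
        raise PNMError("truncated header")
    return data[start:pos], pos


def parse_header(data):
    """Return (magic, width, height, maxval, raster offset)."""
    magic, pos = _token(data, 0)
    if magic not in (b"P5", b"P6"):
        raise PNMError("not a binary PGM/PPM file")
    values = []
    for _ in range(3):
        tok, pos = _token(data, pos)
        if not tok.isdigit():
            raise PNMError("non-numeric header field")
        values.append(int(tok))
    width, height, maxval = values
    if width <= 0 or height <= 0 or not 1 <= maxval <= 65535:
        raise PNMError("bad dimensions or maxval")
    return magic.decode(), width, height, maxval, pos + 1   # one whitespace byte precedes the raster


def build_rescale(maxval):
    """maxval + 1 entries mapping a sample to 0..255 with rounding."""
    return [(v * 255 + maxval // 2) // maxval for v in range(maxval + 1)]


def _samples(data, start, maxval):
    per_sample = 2 if maxval > 255 else 1
    raster = data[start:]
    for i in range(0, len(raster) - per_sample + 1, per_sample):
        yield int.from_bytes(raster[i:i + per_sample], "big")


def find_out_of_range_sample(data):
    """Return (index, value) of the first sample above maxval, or None."""
    _, _, _, maxval, start = parse_header(data)
    for index, value in enumerate(_samples(data, start, maxval)):
        if value > maxval:
            return index, value
    return None


def read_pnm(data):
    """Decode to rows of 0..255 samples (three per pixel for P6), refusing files
    with a short raster or any sample above maxval."""
    magic, width, height, maxval, start = parse_header(data)
    channels = 3 if magic == "P6" else 1
    per_sample = 2 if maxval > 255 else 1
    expected = width * height * channels * per_sample
    if len(data) - start < expected:
        raise PNMError("raster shorter than the header promises")
    rescale = build_rescale(maxval)
    samples = list(_samples(data[:start + expected], start, maxval))
    for index, value in enumerate(samples):
        if value > maxval:
            raise PNMError(f"sample {index} is {value}, above maxval {maxval}")
    per_row = width * channels
    rows = [[rescale[v] for v in samples[r * per_row:(r + 1) * per_row]] for r in range(height)]
    return {"magic": magic, "width": width, "height": height, "maxval": maxval, "rows": rows}
```

The check matters exactly in the case the entry names, maxval below 255: with maxval 255 a one-byte sample can never exceed the table, which is why the bug only showed up with a smaller declared maximum.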
+ | |||
+ | ==== 2020-06-23 ==== | ||
+ | |||
+ | **ntp-4.2.8p15**: | ||
+ | This release fixes one vulnerability: | ||
+ | authentication between ntpd from versions 4.2.8p11/ | ||
+ | 4.2.8p14/ | ||
+ | Eventually, ntpd will run out of memory and abort. | ||
+ | (**Security fix**) | ||
+ | |||
+ | **sudo-1.8.31p2**: | ||
+ | This is a bugfix release. For more information, | ||
+ | * https:// | ||
+ | |||
+ | ==== 2020-06-18 ==== | ||
+ | |||
+ | **bind-9.11.20**: | ||
+ | This update fixes a security issue: | ||
+ | It was possible to trigger an INSIST in lib/ | ||
+ | a particular zone content and query patterns. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-06-14 ==== | ||
+ | |||
+ | **R-4.0.1**: | ||
+ | |||
+ | **pcre2-10.35**: | ||
+ | |||
+ | **fuse-exfat-1.3.0**: | ||
+ | |||
+ | **linux-libre-*-4.4.227**: | ||
+ | These updates fix various bugs and security issues, including a mitigation | ||
+ | for SRBDS (Special Register Buffer Data Sampling). SRBDS is an MDS-like | ||
+ | speculative side channel that can leak bits from the random number generator | ||
+ | (RNG) across cores and threads. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.218: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.219: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.220: | ||
+ | * https:// | ||
+ | Fixed in 4.4.221: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.222: | ||
+ | * https:// | ||
+ | Fixed in 4.4.224: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.225: | ||
+ | * https:// | ||
+ | Fixed in 4.4.226: | ||
+ | * https:// | ||
+ | Fixed in 4.4.227: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **gnutls-3.6.14**: | ||
+ | Fixed insecure session ticket key construction, | ||
+ | would not bind the session ticket encryption key with a value supplied by | ||
+ | the application until the initial key rotation, allowing attacker to bypass | ||
+ | authentication in TLS 1.3 and recover previous conversations in TLS 1.2. | ||
+ | [GNUTLS-SA-2020-06-03, | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20200602**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **proftpd-1.3.6d**: | ||
+ | This is a bugfix release: | ||
+ | Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959). | ||
+ | |||
+ | ==== 2020-05-19 ==== | ||
+ | |||
+ | **bind-9.11.19**: | ||
+ | This update fixes security issues: | ||
+ | A malicious actor who intentionally exploits the lack of effective | ||
+ | limitation on the number of fetches performed when processing referrals | ||
+ | can, through the use of specially crafted referrals, cause a recursing | ||
+ | server to issue a very large number of fetches in an attempt to process | ||
+ | the referral. This has at least two potential effects: The performance of | ||
+ | the recursing server can potentially be degraded by the additional work | ||
+ | required to perform these fetches, and the attacker can exploit this | ||
+ | behavior to use the recursing server as a reflector in a reflection attack | ||
+ | with a high amplification factor. | ||
+ | Replaying a TSIG BADTIME response as a request could trigger an assertion | ||
+ | failure. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **libexif-0.6.22**: | ||
+ | This update fixes bugs and security issues: | ||
+ | * CVE-2018-20030: | ||
+ | * CVE-2020-13114: | ||
+ | * CVE-2020-13113: | ||
+ | * CVE-2020-13112: | ||
+ | * CVE-2020-0093: | ||
+ | * CVE-2019-9278: | ||
+ | * CVE-2020-12767: | ||
+ | * CVE-2016-6328: | ||
+ | * CVE-2017-7544: | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-05-18 ==== | ||
+ | |||
+ | **sane-1.0.30**: | ||
+ | This update fixes several security issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2020a**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | ==== 2020-04-21 ==== | ||
+ | |||
+ | **git-2.17.5**: | ||
+ | This update fixes a security issue: | ||
+ | With a crafted URL that contains a newline or empty host, or lacks | ||
+ | a scheme, the credential helper machinery can be fooled into | ||
+ | providing credential information that is not appropriate for the | ||
+ | protocol in use and host being contacted. | ||
+ | Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the | ||
+ | credentials are not for a host of the attacker' | ||
+ | they are for some unspecified host (based on how the configured | ||
+ | credential helper handles an absent " | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-04-17 ==== | ||
+ | |||
+ | **openvpn-2.4.9**: | ||
+ | This update fixes a security issue: | ||
+ | Fix illegal client float. Thanks to Lev Stipakov. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-04-15 ==== | ||
+ | |||
+ | **bind-9.11.18**: | ||
+ | This update fixes a security issue: | ||
+ | DNS rebinding protection was ineffective when BIND 9 is configured as a | ||
+ | forwarding DNS server. Found and responsibly reported by Tobias Klein. | ||
+ | [GL #1574] | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-04-14 ==== | ||
+ | |||
+ | **git-2.17.4**: | ||
+ | This update fixes a security issue: | ||
+ | With a crafted URL that contains a newline in it, the credential helper | ||
+ | machinery can be fooled to give credential information for a wrong host. | ||
+ | The attack has been made impossible by forbidding a newline character in | ||
+ | any value passed via the credential protocol. Credit for finding the | ||
+ | vulnerability goes to Felix Wilhelm of Google Project Zero. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
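The git 2.17.4 and 2.17.5 entries above concern the same piece of machinery: git turns a URL into key=value lines (protocol, host, optionally path and username) that it writes to a credential helper, terminated by a blank line, and the helper answers for the last value it saw for each key. A newline smuggled into a value, an empty host, or a missing scheme could therefore make the helper answer for a different host. The following is an added model of that request construction, written for this page and not taken from git, with the pre-fix (unchecked) path shown beside the hardened one; the URLs are constructed for the demonstration.

```python
from urllib.parse import unquote

# Added example: a model of how a URL becomes the key=value request sent to a
# credential helper, with the checks described in the git 2.17.4 and 2.17.5
# entries (not git's code).  The URLs used below are constructed.


class CredentialURLError(ValueError):
    pass


def split_url(url):
    """Break a URL into (scheme, userinfo, host, path) without validating anything."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    authority, _, path = rest.partition("/")
    userinfo, _, host = authority.rpartition("@")     # no '@' gives userinfo == ""
    return scheme, userinfo, host, path


def unsafe_credential_request(url, use_http_path=False):
    """Pre-fix behaviour: percent-decode the pieces and emit them unchecked."""
    scheme, userinfo, host, path = split_url(url)
    fields = [("protocol", scheme), ("host", unquote(host))]
    if use_http_path:
        fields.append(("path", unquote(path)))
    if userinfo:
        username, _, password = userinfo.partition(":")
        fields.append(("username", unquote(username)))
        if password:
            fields.append(("password", unquote(password)))
    return "".join(f"{k}={v}\n" for k, v in fields) + "\n"


def credential_from_url(url, use_http_path=False):
    """Hardened: require a scheme and a non-empty host, refuse a line break in any value."""
    scheme, userinfo, host, path = split_url(url)
    if not scheme:
        raise CredentialURLError("URL has no scheme")
    cred = {"protocol": scheme, "host": unquote(host)}
    if use_http_path:
        cred["path"] = unquote(path)
    if userinfo:
        username, _, password = userinfo.partition(":")
        cred["username"] = unquote(username)
        if password:
            cred["password"] = unquote(password)
    if not cred["host"]:
        raise CredentialURLError("URL has an empty host")
    for key, value in cred.items():
        # git's fix forbids a newline in any value; carriage return is refused here as well
        if "\n" in value or "\r" in value:
            raise CredentialURLError(f"{key} contains a line break")
    return cred


def credential_request(cred):
    """Serialise validated fields in the helper protocol; a blank line terminates the request."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def parse_helper_input(request):
    """What a helper does with its stdin: the last value seen for a key wins."""
    seen = {}
    for line in request.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        seen[key] = value
    return seen
```

With the constructed URL `https://one.example.com%0ahost=two.example.com/repo.git` the unchecked path decodes `%0a` into a newline and emits two `host=` lines, so a helper ends up returning credentials for two.example.com; the hardened builder rejects that URL, as well as one with no scheme or an empty host.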
+ | |||
+ | ==== 2020-03-31 ==== | ||
+ | |||
+ | **gnutls-3.6.13**: | ||
+ | This update fixes a security issue: | ||
+ | libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), | ||
+ | since 3.6.3. The DTLS client would not contribute any randomness to the | ||
+ | DTLS negotiation, | ||
+ | [GNUTLS-SA-2020-03-31, | ||
+ | (**Security fix**) | ||
+ | |||
+ | **httpd-2.4.43**: | ||
+ | This release contains security fixes (since 2.4.39) and improvements. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | |||
+ | ==== 2020-03-27 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.217**: | ||
+ | These updates fix various bugs and security issues. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.209: | ||
+ | * https:// | ||
+ | Fixed in 4.4.210: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.211: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.212: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.215: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.216: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.217: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-03-23 ==== | ||
+ | |||
+ | **gd-2.3.0**: | ||
+ | This update fixes bugs and security issues: | ||
+ | * Potential double-free in gdImage*Ptr(). | ||
+ | * gdImageColorMatch() out of bounds write on heap. | ||
+ | * Uninitialized read in gdImageCreateFromXbm(). | ||
+ | * Double-free in gdImageBmp. | ||
+ | * Potential NULL pointer dereference in gdImageClone(). | ||
+ | * Potential infinite loop in gdImageCreateFromGifCtx(). | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **NetworkManager-1.8.4**: | ||
+ | Recompiled to get PPP working again with the new pppd. Thanks to longus. | ||
+ | |||
+ | **sudo-1.8.31p1**: | ||
+ | This is a bugfix release: | ||
+ | Sudo once again ignores a failure to restore the RLIMIT_CORE resource limit, | ||
+ | as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE | ||
+ | to be set back to RLIM_INFINITY if we set the limit to zero, even for root, | ||
+ | which resulted in a warning from sudo. | ||
+ | |||
+ | **rp-pppoe-3.13**: | ||
+ | This needed a rebuild for ppp-2.4.8. Thanks to regdub. | ||
+ | |||
+ | ==== 2020-03-04 ==== | ||
+ | |||
+ | **ppp-2.4.8**: | ||
+ | This update fixes a security issue: | ||
+ | By sending an unsolicited EAP packet to a vulnerable ppp client or server, | ||
+ | an unauthenticated remote attacker could cause memory corruption in the | ||
+ | pppd process, which may allow for arbitrary code execution. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-02-20 ==== | ||
+ | |||
+ | **proftpd-1.3.6c**: | ||
+ | No CVEs assigned, but this sure looks like a security issue: | ||
+ | Use-after-free vulnerability in memory pools during data transfer. | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-02-14 ==== | ||
+ | |||
+ | **libarchive-3.4.2**: | ||
+ | This update includes security fixes in the RAR5 reader. | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2020-01-31 ==== | ||
+ | |||
+ | **sudo-1.8.31**: | ||
+ | This update fixes a security issue: | ||
+ | In Sudo before 1.8.31, if pwfeedback is enabled in / | ||
+ | trigger a stack-based buffer overflow in the privileged sudo process. | ||
+ | (pwfeedback is a default setting in some Linux distributions; | ||
+ | is not the default for upstream or in Slackware, and would exist only if | ||
+ | enabled by an administrator.) The attacker needs to deliver a long string | ||
+ | to the stdin of getln() in tgetpass.c. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **bind-9.11.15**: | ||
+ | This is a bugfix release: | ||
+ | With some libmaxminddb versions, named could erroneously match an IP address | ||
+ | not belonging to any subnet defined in a given GeoIP2 database to one of the | ||
+ | existing entries in that database. [GL #1552] | ||
+ | Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL #2478] | ||
+ | |||
+ | ==== 2020-01-11 ==== | ||
+ | |||
+ | **p7zip-16.02**: | ||
+ | |||
+ | ==== 2020-01-09 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.208**: | ||
+ | | ||
+ | +IPV6_SUBTREES y | ||
+ | These updates fix various bugs and security issues. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.203: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.204: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.206: | ||
+ | * https:// | ||
+ | Fixed in 4.4.207: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.208: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **xfce4-weather-plugin-0.8.11**: | ||
+ | Bugfix release to address the upcoming obsolescence of the | ||
+ | locationforecastLTS API from met.no. Thanks to Robby Workman. | ||
+ | |||
+ | **libwmf-0.2.8.4**: | ||
+ | This is a bugfix release to correct the path for the GDK_PIXBUF_DIR. | ||
+ | Thanks to B. Watson and Robby Workman. | ||
+ | |||
+ | ==== 2019-12-21 ==== | ||
+ | |||
+ | **openssl-1.0.2u**: | ||
+ | This update fixes a low severity security issue: | ||
+ | Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in | ||
+ | exponentiation with 512-bit moduli. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2u**: | ||
+ | |||
+ | **tigervnc-1.10.1**: | ||
+ | From tigervnc.org: | ||
+ | that were found by Kaspersky Lab. These issues affect both the client and | ||
+ | server and could theoretically allow a malicious peer to take control | ||
+ | over the software on the other side. No working exploit is known at this | ||
+ | time, and the issues require the peer to first be authenticated. We still | ||
+ | urge users to upgrade when possible." | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-12-19 ==== | ||
+ | |||
+ | **bind-9.11.14**: | ||
+ | This is a bugfix release: | ||
+ | Fixed a bug that caused named to leak memory on reconfiguration when | ||
+ | any GeoIP2 database was in use. [GL #1445] | ||
+ | Fixed several possible race conditions discovered by Thread Sanitizer. | ||
+ | |||
+ | **wavpack-5.2.0**: | ||
+ | Fixed denial-of-service and other potential security issues. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20191130**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2019-11-21 ==== | ||
+ | |||
+ | **bind-9.11.13**: | ||
+ | This update fixes a security issue: | ||
+ | Set a limit on the number of concurrently served pipelined TCP queries. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-11-17 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.202**: | ||
+ | * CRYPTO_CRC32C_INTEL m -> y | ||
+ | * +X86_INTEL_TSX_MODE_AUTO n | ||
+ | * +X86_INTEL_TSX_MODE_OFF y | ||
+ | * +X86_INTEL_TSX_MODE_ON n | ||
+ | These updates fix various bugs and security issues, including mitigation for | ||
+ | the TSX Asynchronous Abort condition on some CPUs. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.201: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.202: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-11-12 ==== | ||
+ | |||
+ | **kdelibs-4.14.38**: | ||
+ | Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers. | ||
+ | |||
+ | **kdepim-4.14.10**: | ||
+ | Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers. | ||
+ | |||
+ | **kdepimlibs-4.14.10**: | ||
+ | Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers. | ||
+ | |||
+ | **linux-libre-*-4.4.199**: | ||
+ | These updates fix various bugs and security issues. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.191: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.193: | ||
+ | * https:// | ||
+ | Fixed in 4.4.194: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.195: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.196: | ||
+ | * https:// | ||
+ | Fixed in 4.4.197: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.198: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.199: | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-11-04 ==== | ||
+ | |||
+ | **libtiff-4.1.0**: | ||
+ | libtiff: fix integer overflow in _TIFFCheckMalloc() that could cause a crash. | ||
+ | tif_dir: unset transferfunction field if necessary. | ||
+ | pal2rgb: failed to free memory on a few errors. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-10-21 ==== | ||
+ | |||
+ | **python-2.7.17**: | ||
+ | This update fixes bugs and security issues: | ||
+ | Update vendorized expat library version to 2.2.8. | ||
+ | Disallow URL paths with embedded whitespace or control characters into the | ||
+ | underlying http client request. Such potentially malicious header injection | ||
+ | URLs now cause an httplib.InvalidURL exception to be raised. | ||
+ | Avoid file reading by disallowing ``local-file:// | ||
+ | URL schemes in : | ||
+ | : | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20191018**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **sudo-1.8.28p1**: | ||
+ | This is a bugfix release: | ||
+ | Ensure that / | ||
+ | |||
+ | ==== 2019-10-14 ==== | ||
+ | |||
+ | **sudo-1.8.28**: | ||
+ | Fixed a bug where a sudo user may be able to run a command as root when | ||
+ | the Runas specification explicitly disallows root access as long as the | ||
+ | ALL keyword is listed first. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-10-02 ==== | ||
+ | |||
+ | **libpcap-1.9.1**: | ||
+ | This update is required for the new version of tcpdump. | ||
+ | |||
+ | **tcpdump-4.9.3**: | ||
+ | Fix buffer overflow/ | ||
+ | argument/ | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-09-16 ==== | ||
+ | |||
+ | **expat-2.2.8**: | ||
+ | Fix heap overflow triggered by XML_GetCurrentLineNumber (or | ||
+ | XML_GetCurrentColumnNumber), | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-09-12 ==== | ||
+ | |||
+ | **curl-7.66.0**: | ||
+ | This update fixes security issues: | ||
+ | FTP-KRB double-free | ||
+ | TFTP small blocksize heap buffer overflow | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2019c**: | ||
+ | This package provides the latest timezone updates. | ||
+ | |||
+ | **openssl-1.0.2t**: | ||
+ | This update fixes low severity security issues: | ||
+ | Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey | ||
+ | Compute ECC cofactors if not provided during EC_GROUP construction | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **openssl-solibs-1.0.2t**: | ||
+ | |||
+ | **emacs-26.3**: | ||
+ | This is a bugfix release. | ||
+ | |||
+ | ==== 2019-08-27 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.190**: | ||
+ | These updates fix various bugs and a minor local denial-of-service security | ||
+ | issue. They also change this option: | ||
+ | * FANOTIFY_ACCESS_PERMISSIONS n -> y | ||
+ | This is needed by on-access virus scanning software. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20190826**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | **bind-9.11.9**: | ||
+ | This update fixes various bugs and also updates the named.root file in | ||
+ | the caching-example configuration to the latest version. | ||
+ | |||
+ | ==== 2019-08-14 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.189**: | ||
+ | These updates fix various bugs and many security issues, and include the | ||
+ | Spectre v1 SWAPGS mitigations. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. For more information, | ||
+ | |||
+ | Fixed in 4.4.187: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.189: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-08-08 ==== | ||
+ | |||
+ | **kdelibs-4.14.38**: | ||
+ | kconfig: malicious .desktop files (and others) would execute code. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-07-25 ==== | ||
+ | |||
+ | **R-3.6.1**: | ||
+ | |||
+ | ==== 2019-07-22 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.186**: | ||
+ | These updates fix various bugs and many minor security issues. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | * Fixed in 4.4.183: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * Fixed in 4.4.185: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * Fixed in 4.4.186: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-7.65.3**: | ||
+ | This is a bugfix release: | ||
+ | Fix a regression that caused the progress meter not to appear. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | |||
+ | **emacs-26.2**: | ||
+ | This is a bugfix release. | ||
+ | Patched package.el to obey buffer-file-coding-system (bug #35739), fixing | ||
+ | bad signature from GNU ELPA for archive-contents. | ||
+ | Thanks to Stefan Monnier and Eric Lindblad. | ||
+ | |||
+ | ==== 2019-07-14 ==== | ||
+ | |||
+ | **bzip2-1.0.8**: | ||
+ | Fixes security issues: | ||
+ | bzip2recover: | ||
+ | Make sure nSelectors is not out of range. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **glibc-zoneinfo-2019b**: | ||
+ | This package provides the latest timezone updates. | ||
+ | | ||
+ | **rust-1.36.0**: | ||
+ | Upgraded to the latest Rust compiler for Firefox 68.0. | ||
+ | |||
+ | **xscreensaver-5.43**: | ||
+ | Here's an upgrade to the latest xscreensaver. | ||
+ | |||
+ | ==== 2019-07-13 ==== | ||
+ | |||
+ | **lincity-ng-2.0**: | ||
+ | It is a polished and improved | ||
+ | version of the classic LinCity game. In the game, you are required to | ||
+ | build and maintain a city. You can win the game either by building a | ||
+ | sustainable economy or by evacuating all citizens with spaceships. | ||
+ | |||
+ | **SDL_gfx-2.0.25**: | ||
+ | and other support functions. The | ||
+ | SDL_gfx | ||
+ | provided basic drawing routines such as lines, circles or polygons | ||
+ | and SDL_rotozoom which implemented an interpolating rotozoomer for | ||
+ | SDL surfaces. | ||
+ | * homepage: http:// | ||
+ | |||
+ | **jam-2.5**: | ||
+ | Jam is a program construction tool, like make(1). Jam recursively | ||
+ | builds target files from source files, using dependency information | ||
+ | and updating actions expressed in the Jambase file, which is written | ||
+ | in jam's own interpreted language. The default Jambase is compiled | ||
+ | into jam and provides a boilerplate for common use, relying on a | ||
+ | user-provided file " | ||
+ | * http:// | ||
+ | |||
+ | ==== 2019-07-02 ==== | ||
+ | |||
+ | **icecat-60.7.0**: | ||
+ | * https:// | ||
+ | |||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-07-01 ==== | ||
+ | |||
+ | **linux-libre-*-4.4.182**: | ||
+ | These updates fix various bugs and many security issues, including the | ||
+ | "SACK Panic" remote denial-of-service issue. | ||
+ | Be sure to upgrade your initrd after upgrading the kernel packages. | ||
+ | If you use lilo to boot your machine, be sure lilo.conf points to the correct | ||
+ | kernel and initrd and run lilo as root to update the bootloader. | ||
+ | If you use elilo to boot your machine, you should run eliloconfig to copy the | ||
+ | kernel and initrd to the EFI System Partition. | ||
+ | For more information, | ||
+ | |||
+ | Fixed in 4.4.174: | ||
+ | * https:// | ||
+ | Fixed in 4.4.175: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.176: | ||
+ | * https:// | ||
+ | Fixed in 4.4.177: | ||
+ | * https:// | ||
+ | Fixed in 4.4.178: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.179: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.180: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.181: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | Fixed in 4.4.182: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
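Every kernel entry on this page (this one and the 4.4.186, 4.4.189 and later updates above) ends with the same procedure: upgrade the initrd, make sure lilo.conf points at the new kernel and initrd, then run lilo as root. The script below is an added example for that check; it is not code from the changelog or from Slackware's own tools. It assumes GNU coreutils `readlink -f` and the `image=`/`initrd=`/`label=` stanza layout of a default lilo.conf, and it builds a constructed /boot tree and lilo.conf in a temporary directory rather than reading the real system. The security point is that a stanza still naming a removed kernel, or a /boot/vmlinuz symlink left pointing at the old one, means the next reboot runs the unpatched kernel, so the check has to pass before lilo is run and `uname -r` should be confirmed afterwards.

```shell
#!/bin/sh
# Added example (not from the changelog or from Slackware's own tools).
# Assumes GNU readlink -f and the image=/initrd=/label= stanza layout of a
# default lilo.conf. The sample /boot tree and lilo.conf are constructed
# in a temporary directory; nothing on the real system is read or changed.

# lilo_entries FILE: print "label image initrd" for every image= stanza,
# with "-" standing in for a missing label or initrd.
lilo_entries() {
    awk '
        function val() { sub(/^[^=]*=[ \t]*/, ""); gsub(/[" \t]/, ""); return $0 }
        function emit() {
            if (image != "") {
                l = (label == "" ? "-" : label); i = (initrd == "" ? "-" : initrd)
                print l, image, i
            }
            image = ""; initrd = ""; label = ""
        }
        /^[ \t]*#/             { next }
        /^[ \t]*image[ \t]*=/  { emit(); image = val(); next }
        /^[ \t]*initrd[ \t]*=/ { initrd = val(); next }
        /^[ \t]*label[ \t]*=/  { label = val(); next }
        END                    { emit() }
    ' "$1"
}

# contains STRING SUBSTRING
contains() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# lilo_report ROOT VERSION FILE: one OK/FAIL line per stanza. A stanza passes
# only if its kernel exists under ROOT, resolves (through a /boot/vmlinuz
# symlink, if any) to a file named for VERSION, and its initrd exists.
lilo_report() {
    chk_root=$1; chk_version=$2
    lilo_entries "$3" | while read -r label image initrd; do
        target=$(readlink -f "$chk_root$image" 2>/dev/null) || target=$chk_root$image
        if [ ! -f "$target" ]; then
            echo "FAIL $label: kernel $image is missing"
        elif ! contains "$target" "$chk_version"; then
            echo "FAIL $label: $image -> $target is not kernel $chk_version"
        elif [ "$initrd" != "-" ] && [ ! -f "$chk_root$initrd" ]; then
            echo "FAIL $label: initrd $initrd is missing"
        else
            echo "OK   $label: $image -> $target"
        fi
    done
}

# lilo_check ROOT VERSION FILE: print the report; succeed only if every
# stanza is OK, i.e. only then is it safe to run lilo.
lilo_check() {
    report=$(lilo_report "$@")
    printf '%s\n' "$report"
    ! contains "$report" "FAIL"
}

# running_kernel_is VERSION: after the reboot, confirm the patched kernel is
# the one actually running and not an old stanza that was still listed.
running_kernel_is() { [ "$(uname -r)" = "$1" ]; }

# make_demo_root: constructed tree mimicking /boot after installing 4.4.189
# while lilo.conf still names a 4.4.186 kernel that has been removed.
make_demo_root() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/boot" "$demo_root/etc"
    : > "$demo_root/boot/vmlinuz-generic-4.4.189"
    : > "$demo_root/boot/initrd.gz"
    ln -s vmlinuz-generic-4.4.189 "$demo_root/boot/vmlinuz"
    cat > "$demo_root/etc/lilo.conf" <<'EOF'
# constructed lilo.conf for this example
boot = /dev/sda
prompt
timeout = 50
image = /boot/vmlinuz
  initrd = /boot/initrd.gz
  root = /dev/sda1
  label = Linux
  read-only
image = /boot/vmlinuz-generic-4.4.186
  initrd = /boot/initrd-4.4.186.gz
  root = /dev/sda1
  label = Linux-old
  read-only
EOF
    printf '%s\n' "$demo_root"
}

# Stand-alone run against the constructed tree; on a real system the call
# would be: lilo_check / 4.4.189 /etc/lilo.conf && lilo
demo=$(make_demo_root)
if lilo_check "$demo" 4.4.189 "$demo/etc/lilo.conf"; then
    echo "lilo.conf is consistent; run lilo as root now"
else
    echo "fix lilo.conf before running lilo"
fi
rm -rf "$demo"
```

The stand-alone run reports the `Linux` stanza as OK (the /boot/vmlinuz symlink resolves to the 4.4.189 image) and the `Linux-old` stanza as FAIL because its kernel is gone, so `lilo_check` returns non-zero and lilo is not to be run until the stale stanza is removed. On an elilo system the same entries check applies to the copies eliloconfig places on the EFI System Partition rather than to lilo.conf.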
+ | |||
+ | **irssi-1.1.3**: | ||
+ | This update fixes a security issue: Use after free when sending SASL login | ||
+ | to the server found by ilbelkyr. May affect the stability of Irssi. SASL | ||
+ | logins may fail, especially during (manual and automated) reconnect. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-06-20 ==== | ||
+ | |||
+ | **bind-9.11.8**: | ||
+ | Fixed a race condition in dns_dispatch_getnext() that could cause an | ||
+ | assertion failure if a significant number of incoming packets were rejected. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **ca-certificates-20190617**: | ||
+ | This update provides the latest CA certificates to check for the | ||
+ | authenticity of SSL connections. | ||
+ | |||
+ | ==== 2019-06-16 ==== | ||
+ | |||
+ | **curl-7.65.1**: | ||
+ | This is a bugfix release. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | |||
+ | **openssl-1.0.2s**: | ||
+ | This is a bugfix release: | ||
+ | Change the default RSA, DSA and DH size to 2048 bit instead of 1024. | ||
+ | This changes the size when using the genpkey app when no size is given. | ||
+ | It fixes an omission in earlier changes that changed all RSA, DSA and DH | ||
+ | generation apps to use 2048 bits by default. | ||
+ | |||
+ | **openssl-solibs-1.0.2s**: | ||
+ | |||
+ | **rdesktop-1.8.6**: | ||
+ | This is a small bug fix release for rdesktop 1.8.5. An issue was discovered | ||
+ | soon after release where it was impossible to connect to some servers. This | ||
+ | issue has now been fixed, but otherwise this release is identical to 1.8.5. | ||
+ | |||
+ | ==== 2019-05-23 ==== | ||
+ | |||
+ | **curl-7.65.0**: | ||
+ | This release fixes the following security issues: | ||
+ | Integer overflows in curl_url_set | ||
+ | tftp: use the current blksize for recvfrom() | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-05-16 ==== | ||
+ | |||
+ | **rdesktop-1.8.5**: | ||
+ | This update fixes security issues: | ||
+ | Add bounds checking to protocol handling in order to fix many | ||
+ | security problems when communicating with a malicious server. | ||
+ | (**Security fix**) | ||
+ | |||
+ | ==== 2019-04-26 ==== | ||
+ | |||
+ | **bind-9.11.6_P1**: | ||
+ | This update fixes a security issue: | ||
+ | The TCP client quota set using the tcp-clients option could be exceeded | ||
+ | in some cases. This could lead to exhaustion of file descriptors. | ||
+ | For more information, | ||
+ | * https:// | ||
+ | * https:// | ||
+ | (**Security fix**) | ||
+ | |||
+ | **curl-7.64.1**: | ||
+ | This update fixes a regression in curl-7.64.0 which could lead to | ||
+ | 100% CPU usage. Thanks to arcctgx. | ||
+ | |||
==== 2019-04-17 ==== | ==== 2019-04-17 ==== |
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie