User Tools

Site Tools


changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
changelog_14.2 [2020/01/11 13:09] – [2020-01-11] conniechangelog_14.2 [2020/07/23 17:55] – [2020-07-23] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2020-07-23 ====
 +
 +**libreoffice-6.2.8.2**: Upgraded (FXP). The full collection of language packs and help packs is not supplied, but they can be installed via libreoffice extension manager.
 +
 +==== 2020-07-06 ====
 +
 +**libvorbis-1.3.7**:  Upgraded.
 +Fix out-of-bounds read encoding very low sample rates.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10393
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
 +(**Security fix**)
 +
 +**ca-certificates-20200630**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2020-06-24 ====
 +
 +**curl-7.71.0**:  Upgraded.
 +This update fixes security issues:
 +curl overwrite local file with -J [111]
 +Partial password leak over DNS on HTTP redirect [48]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8177
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8169
 +(**Security fix**)
 +
 +**libjpeg-turbo-2.0.5**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
 +TJBench, or the `tjLoadImage()` function if one of the values in a binary
 +PPM/PGM input file exceeded the maximum value defined in the file's header
 +and that maximum value was less than 255.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13790
 +(**Security fix**)
 +
 +==== 2020-06-23 ====
 +
 +**ntp-4.2.8p15**:  Upgraded.
 +This release fixes one vulnerability: Associations that use CMAC
 +authentication between ntpd from versions 4.2.8p11/4.3.97 and
 +4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
 +Eventually, ntpd will run out of memory and abort.
 +(**Security fix**)
 +
 +**sudo-1.8.31p2**:  Upgraded.
 +This is a bugfix release. For more information, see:
 +  * https://www.sudo.ws/legacy.html#1.8.31p2
 +
 +==== 2020-06-18 ====
 +
 +**bind-9.11.20**:  Upgraded.
 +This update fixes a security issue:
 +It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with
 +a particular zone content and query patterns.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2020-8619
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8619
 +(**Security fix**)
 +
 +==== 2020-06-14 ====
 +
 +**R-4.0.1**: upgraded (FXP).
 +
 +**pcre2-10.35**: added (FXP) as a new requirement for R.
 +
 +**fuse-exfat-1.3.0**: added (FXP).
 +
 +**linux-libre-*-4.4.227**:  Upgraded.
 +These updates fix various bugs and security issues, including a mitigation
 +for SRBDS (Special Register Buffer Data Sampling). SRBDS is an MDS-like
 +speculative side channel that can leak bits from the random number generator
 +(RNG) across cores and threads.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.218:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11668
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11608
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11609
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942
 +Fixed in 4.4.219:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11494
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11565
 +Fixed in 4.4.220:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826
 +Fixed in 4.4.221:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19319
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12464
 +Fixed in 4.4.222:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751
 +Fixed in 4.4.224:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10711
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12769
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10690
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13143
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19768
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12770
 +Fixed in 4.4.225:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9517
 +Fixed in 4.4.226:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10732
 +Fixed in 4.4.227:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543
 +(**Security fix**)
 +
 +**gnutls-3.6.14**:  Upgraded.
 +Fixed insecure session ticket key construction, since 3.6.4. The TLS server
 +would not bind the session ticket encryption key with a value supplied by
 +the application until the initial key rotation, allowing attacker to bypass
 +authentication in TLS 1.3 and recover previous conversations in TLS 1.2.
 +[GNUTLS-SA-2020-06-03, CVSS: high]
 +(**Security fix**)
 +
 +**ca-certificates-20200602**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**proftpd-1.3.6d**:  Upgraded.
 +This is a bugfix release:
 +Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
 +
 +==== 2020-05-19 ====
 +
 +**bind-9.11.19**:  Upgraded.
 +This update fixes security issues:
 +A malicious actor who intentionally exploits the lack of effective
 +limitation on the number of fetches performed when processing referrals
 +can, through the use of specially crafted referrals, cause a recursing
 +server to issue a very large number of fetches in an attempt to process
 +the referral. This has at least two potential effects: The performance of
 +the recursing server can potentially be degraded by the additional work
 +required to perform these fetches, and the attacker can exploit this
 +behavior to use the recursing server as a reflector in a reflection attack
 +with a high amplification factor.
 +Replaying a TSIG BADTIME response as a request could trigger an assertion
 +failure.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2020-8616
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
 +  * https://kb.isc.org/docs/cve-2020-8617
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617
 +(**Security fix**)
 +
 +**libexif-0.6.22**:  Upgraded.
 +This update fixes bugs and security issues:
 +  * CVE-2018-20030: Fix for recursion DoS
 +  * CVE-2020-13114: Time consumption DoS when parsing canon array markers
 +  * CVE-2020-13113: Potential use of uninitialized memory
 +  * CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
 +  * CVE-2020-0093:  read overflow
 +  * CVE-2019-9278:  replaced integer overflow checks the compiler could optimize away by safer constructs
 +  * CVE-2020-12767: fixed division by zero
 +  * CVE-2016-6328:  fixed integer overflow when parsing maker notes
 +  * CVE-2017-7544:  fixed buffer overread
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
 +(**Security fix**)
 +
 +==== 2020-05-18 ====
 +
 +**sane-1.0.30**:  Upgraded.
 +This update fixes several security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2020a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2020-04-21 ====
 +
 +**git-2.17.5**:  Upgraded.
 +This update fixes a security issue:
 +With a crafted URL that contains a newline or empty host, or lacks
 +a scheme, the credential helper machinery can be fooled into
 +providing credential information that is not appropriate for the
 +protocol in use and host being contacted.
 +Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
 +credentials are not for a host of the attacker's choosing; instead,
 +they are for some unspecified host (based on how the configured
 +credential helper handles an absent "host" parameter).
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008
 +(**Security fix**)
 +
 +==== 2020-04-17 ====
 +
 +**openvpn-2.4.9**:  Upgraded.
 +This update fixes a security issue:
 +Fix illegal client float. Thanks to Lev Stipakov.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810
 +(**Security fix**)
 +
 +==== 2020-04-15 ====
 +
 +**bind-9.11.18**:  Upgraded.
 +This update fixes a security issue:
 +DNS rebinding protection was ineffective when BIND 9 is configured as a
 +forwarding DNS server. Found and responsibly reported by Tobias Klein.
 +[GL #1574]
 +(**Security fix**)
 +
 +==== 2020-04-14 ====
 +
 +**git-2.17.4**:  Upgraded.
 +This update fixes a security issue:
 +With a crafted URL that contains a newline in it, the credential helper
 +machinery can be fooled to give credential information for a wrong host.
 +The attack has been made impossible by forbidding a newline character in
 +any value passed via the credential protocol. Credit for finding the
 +vulnerability goes to Felix Wilhelm of Google Project Zero.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260
 +(**Security fix**)
 +
 +==== 2020-03-31 ====
 +
 +**gnutls-3.6.13**:  Upgraded.
 +This update fixes a security issue:
 +libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support),
 +since 3.6.3. The DTLS client would not contribute any randomness to the
 +DTLS negotiation, breaking the security guarantees of the DTLS protocol.
 +[GNUTLS-SA-2020-03-31, CVSS: high]
 +(**Security fix**)
 +
 +**httpd-2.4.43**:  Upgraded.
 +This release contains security fixes (since 2.4.39) and improvements.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10097
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
 +(**Security fix**)
 +
 +
 +==== 2020-03-27 ====
 +
 +**linux-libre-*-4.4.217**:  Upgraded.
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.209:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19965
 +Fixed in 4.4.210:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19068
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14615
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14895
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19056
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19066
 +Fixed in 4.4.211:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21008
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15220
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5108
 +Fixed in 4.4.212:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14896
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14897
 +Fixed in 4.4.215:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9383
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2732
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16233
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0009
 +Fixed in 4.4.216:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11487
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8647
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8649
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16234
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648
 +Fixed in 4.4.217:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14901
 +(**Security fix**)
 +
 +==== 2020-03-23 ====
 +
 +**gd-2.3.0**:  Upgraded.
 +This update fixes bugs and security issues:
 +  * Potential double-free in gdImage*Ptr().
 +  * gdImageColorMatch() out of bounds write on heap.
 +  * Uninitialized read in gdImageCreateFromXbm().
 +  * Double-free in gdImageBmp.
 +  * Potential NULL pointer dereference in gdImageClone().
 +  * Potential infinite loop in gdImageCreateFromGifCtx().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14553
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
 +(**Security fix**)
 +
 +**NetworkManager-1.8.4**:  Rebuilt.
 +Recompiled to get PPP working again with the new pppd. Thanks to longus.
 +
 +**sudo-1.8.31p1**:  Upgraded.
 +This is a bugfix release:
 +Sudo once again ignores a failure to restore the RLIMIT_CORE resource limit,
 +as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE
 +to be set back to RLIM_INFINITY if we set the limit to zero, even for root,
 +which resulted in a warning from sudo.
 +
 +**rp-pppoe-3.13**:  Upgraded.
 +This needed a rebuild for ppp-2.4.8. Thanks to regdub.
 +
 +==== 2020-03-04 ====
 +
 +**ppp-2.4.8**:  Upgraded.
 +This update fixes a security issue:
 +By sending an unsolicited EAP packet to a vulnerable ppp client or server,
 +an unauthenticated remote attacker could cause memory corruption in the
 +pppd process, which may allow for arbitrary code execution.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597
 +(**Security fix**)
 +
 +==== 2020-02-20 ====
 +
 +**proftpd-1.3.6c**:  Upgraded.
 +No CVEs assigned, but this sure looks like a security issue:
 +Use-after-free vulnerability in memory pools during data transfer.
 +(**Security fix**)
 +
 +==== 2020-02-14 ====
 +
 +**libarchive-3.4.2**:  Upgraded.
 +This update includes security fixes in the RAR5 reader.
 +(**Security fix**)
 +
 +==== 2020-01-31 ====
 +
 +**sudo-1.8.31**:  Upgraded.
 +This update fixes a security issue:
 +In Sudo before 1.8.31, if pwfeedback is enabled in /etc/sudoers, users can
 +trigger a stack-based buffer overflow in the privileged sudo process.
 +(pwfeedback is a default setting in some Linux distributions; however, it
 +is not the default for upstream or in Slackware, and would exist only if
 +enabled by an administrator.) The attacker needs to deliver a long string
 +to the stdin of getln() in tgetpass.c.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
 +(**Security fix**)
 +
 +**bind-9.11.15**:  Upgraded.
 +This is a bugfix release:
 +With some libmaxminddb versions, named could erroneously match an IP address
 +not belonging to any subnet defined in a given GeoIP2 database to one of the
 +existing entries in that database. [GL #1552]
 +Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL #2478]
  
 ==== 2020-01-11 ==== ==== 2020-01-11 ====
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie