Freenix Wiki

User Tools

Site Tools

Trace:
changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
changelog_14.2 [2023/01/19 17:29] – [2023-01-18] conniechangelog_14.2 [2023/12/20 12:57] – [2023-12-13] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2023-12-20 ====
 +
 +**libssh-0.10.6**:  Upgraded.
 +This update fixes security issues:
 +Command injection using proxycommand.
 +Potential downgrade attack using strict kex.
 +Missing checks for return values of MD functions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6004
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6918
 +(**Security fix**)
 +
 +**sudo-1.9.15p4**:  Upgraded.
 +This is a bugfix release.
 +
 +**libxml2-2.11.6**:  Upgraded.
 +We're going to drop back to the 2.11 branch here on the stable releases
 +since it has all of the relevant security fixes and better compatibility.
 +
 +**sudo-1.9.15p3**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-12-13 ====
 +
 +**libxml2-2.12.3**:  Upgraded.
 +This update addresses regressions when building against libxml2 that were
 +due to header file refactoring.
 +
 +**libxml2-2.12.2**:  Upgraded.
 +Add --sysconfdir=/etc option so that this can find the xml catalog.
 +Thanks to SpiderTux.
 +Fix the following security issues:
 +Fix integer overflows with XML_PARSE_HUGE.
 +Fix dict corruption caused by entity reference cycles.
 +Hashing of empty dict strings isn't deterministic.
 +Fix null deref in xmlSchemaFixupComplexType.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40303
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40304
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29469
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28484
 +(**Security fix**)
 +
 +**ca-certificates-20231117**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.9.15p1**:  Upgraded.
 +This is a bugfix release:
 +Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
 +from being able to read the ldap.conf file.
 +
 +==== 2023-11-08 ====
 +
 +**sudo-1.9.15**:  Upgraded.
 +The sudoers plugin has been modified to make it more resilient to ROWHAMMER
 +attacks on authentication and policy matching.
 +The sudoers plugin now constructs the user time stamp file path name using
 +the user-ID instead of the user name. This avoids a potential problem with
 +user names that contain a path separator ('/') being interpreted as part of
 +the path name.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42465
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42456
 +(**Security fix**)
 +
 +
 +==== 2023-10-20 ====
 +
 +**httpd-2.4.58**:  Upgraded.
 +This update fixes bugs and security issues:
 +moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed
 +right away on RST.
 +low: mod_macro buffer over-read.
 +low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.58
 +  * https://www.cve.org/CVERecord?id=CVE-2023-45802
 +  * https://www.cve.org/CVERecord?id=CVE-2023-31122
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43622
 +(**Security fix**)
 +
 +==== 2023-10-16 ====
 +
 +**curl-8.4.0**:  Upgraded.
 +This update fixes security issues:
 +Cookie injection with none file.
 +SOCKS5 heap buffer overflow.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-38546.html
 +  * https://curl.se/docs/CVE-2023-38545.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38546
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38545
 +(**Security fix**)
 +
 +<code>
 +Mon Oct  9 18:10:01 UTC 2023
 +####################################################################
 +# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
 +#                                                                  #
 +# Effective January 1, 2024, security patches will no longer be    #
 +# provided for the following versions of Slackware (which will all #
 +# be more than 7 years old at that time):                          #
 +#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                #
 +# If you are still running these versions you should consider      #
 +# migrating to a newer version (preferably as recent as possible). #
 +# Alternately, you may make arrangements to handle your own        #
 +# security patches.                                                #
 +####################################################################
 +</code>
 +
 +==== 2023-10-04 ====
 +
 +**libX11-1.8.7**:  Upgraded.
 +This update fixes security issues:
 +libX11: out-of-bounds memory access in _XkbReadKeySyms().
 +libX11: stack exhaustion from infinite recursion in PutSubImage().
 +libX11: integer overflow in XCreateImage() leading to a heap overflow.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43785
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43786
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43787
 +(**Security fix**)
 +
 +**libXpm-3.5.17**:  Upgraded.
 +This update fixes security issues:
 +libXpm: out of bounds read in XpmCreateXpmImageFromBuffer().
 +libXpm: out of bounds read on XPM with corrupted colormap.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43788
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43789
 +(**Security fix**)
 +
 +**cups-2.1.4**:  Rebuilt.
 +This update fixes bugs and a security issue:
 +Fixed Heap-based buffer overflow when reading Postscript in PPD files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-4504
 +(**Security fix**)
 +
 +**netatalk-3.1.17**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Validate data type in dalloc_value_for_key(). This flaw could allow a
 +malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
 +execute arbitrary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42464
 +(**Security fix**)
 +
 +**curl-8.3.0**:  Upgraded.
 +This update fixes a security issue:
 +HTTP headers eat all memory.
 +  * https://curl.se/docs/CVE-2023-38039.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38039
 +(**Security fix**)
 +
 +**libarchive-3.7.2**:  Upgraded.
 +This update fixes multiple security vulnerabilities in the PAX writer:
 +Heap overflow in url_encode() in archive_write_set_format_pax.c.
 +NULL dereference in archive_write_pax_header_xattrs().
 +Another NULL dereference in archive_write_pax_header_xattrs().
 +NULL dereference in archive_write_pax_header_xattr().
 +(**Security fix**)
 +
 +**netatalk-3.1.16**:  Upgraded.
 +This update fixes bugs and security issues.
 +Shared library .so-version bump.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23121
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23123
 +(**Security fix**)
 +
 +**curl-8.2.1**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.18**:  Upgraded.
 +Updated the .ga TLD server.
 +Added new recovered IPv4 allocations.
 +Removed the delegation of 43.0.0.0/8 to JPNIC.
 +Removed 12 new gTLDs which are no longer active.
 +Improved the man page source, courtesy of Bjarni Ingi Gislason.
 +Added the .edu.za SLD server.
 +Updated the .alt.za SLD server.
 +Added the -ru and -su NIC handles servers.
 +
 +**ca-certificates-20230721**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-8.2.0**:  Upgraded.
 +This update fixes a security issue:
 +fopen race condition.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-32001.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32001
 +(**Security fix**)
 +
 +**sudo-1.9.14p2**:  Upgraded.
 +This is a bugfix release.
 +
 +**sudo-1.9.14p1**:  Upgraded.
 +This is a bugfix release.
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed use-after-free when logging warnings in case of failures
 +in cupsdAcceptClient().
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-34241
 +(**Security fix**)
 +
 +==== 2023-06-15 ====
 +
 +**libX11-1.8.6**:  Upgraded.
 +This update fixes buffer overflows in InitExt.c that could at least cause
 +the client to crash due to memory corruption.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-3138
 +(**Security fix**)
 +
 +**ntp-4.2.8p17**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-06-06 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
 +cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
 +attacker to launch a denial of service (DoS) attack, or possibly execute
 +arbirary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32324
 +(**Security fix**)
 +
 +**ntp-4.2.8p16**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26551
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26552
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26553
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26554
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26555
 +(**Security fix**)
 +
 +**curl-8.1.2**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-05-26 ====
 +
 +**ntfs-3g-2022.10.3**:  Upgraded.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code or cause a denial of service.
 +Thanks to opty.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
 +(**Security fix**)
 +
 +**curl-8.1.1**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-05-18 ====
 +
 +**curl-8.1.0**:  Upgraded.
 +This update fixes security issues:
 +more POST-after-PUT confusion.
 +IDN wildcard match.
 +siglongjmp race condition.
 +UAF in SSH sha256 fingerprint check.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-28322.html
 +  * https://curl.se/docs/CVE-2023-28321.html
 +  * https://curl.se/docs/CVE-2023-28320.html
 +  * https://curl.se/docs/CVE-2023-28319.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28322
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28321
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28320
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28319
 +(**Security fix**)
 +
 +**ca-certificates-20230506**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2023-05-05 ====
 +
 +**libssh-0.10.5**:  Upgraded.
 +This update fixes security issues:
 +A NULL dereference during rekeying with algorithm guessing.
 +A possible authorization bypass in pki_verify_data_signature under
 +low-memory conditions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-1667
 +  * https://www.cve.org/CVERecord?id=CVE-2023-2283
 +(**Security fix**)
 +
 +**whois-5.5.17**:  Upgraded.
 +Added the .cd TLD server.
 +Updated the -kg NIC handles server name.
 +Removed 2 new gTLDs which are no longer active.
 +
 +
 +==== 2023-05-01 ====
 +
 +**netatalk-3.1.15**:  Upgraded.
 +This update fixes security issues, including a critical vulnerability that
 +allows remote attackers to execute arbitrary code on affected installations
 +of Netatalk. Authentication is not required to exploit this vulnerability.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43634
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +==== 2023-04-25 ====
 +
 +**git-2.30.9**:  Upgraded.
 +This update fixes security issues:
 +By feeding specially crafted input to `git apply --reject`, a
 +path outside the working tree can be overwritten with partially
 +controlled contents (corresponding to the rejected hunk(s) from
 +the given patch).
 +When Git is compiled with runtime prefix support and runs without
 +translated messages, it still used the gettext machinery to
 +display messages, which subsequently potentially looked for
 +translated messages in unexpected places. This allowed for
 +malicious placement of crafted messages.
 +When renaming or deleting a section from a configuration file,
 +certain malicious configuration values may be misinterpreted as
 +the beginning of a new configuration section, leading to arbitrary
 +configuration injection.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25652
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25815
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29007
 +(**Security fix**)
 +
 +**httpd-2.4.57**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.57
 +
 +==== 2023-04-03 ====
 +
 +**irssi-1.4.4**:  Upgraded.
 +Do not crash Irssi when one line is printed as the result of another line
 +being printed.
 +Also solve a memory leak while printing unformatted lines.
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2023c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**tar-1.29**:  Rebuilt.
 +GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
 +of uninitialized memory for a conditional jump. Exploitation to change the
 +flow of control has not been demonstrated. The issue occurs in from_header
 +in list.c via a V7 archive in which mtime has approximately 11 whitespace
 +characters.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-48303
 +(**Security fix**)
 +
 +
 +==== 2023-03-22 ====
 +
 +**curl-8.0.1**:  Upgraded.
 +  * This update fixes security issues:
 +  * SSH connection too eager reuse still.
 +  * HSTS double-free.
 +  * GSS delegation too eager connection re-use.
 +  * FTP too eager connection reuse.
 +  * SFTP path ~ resolving discrepancy.
 +  * TELNET option IAC injection.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-27538.html
 +  * https://curl.se/docs/CVE-2023-27537.html
 +  * https://curl.se/docs/CVE-2023-27536.html
 +  * https://curl.se/docs/CVE-2023-27535.html
 +  * https://curl.se/docs/CVE-2023-27534.html
 +  * https://curl.se/docs/CVE-2023-27533.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27538
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27537
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27536
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27535
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27534
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27533
 +(**Security fix**)
 +
 +==== 2023-03-08 ====
 +
 +**httpd-2.4.56**:  Upgraded.
 +This update fixes two security issues:
 +HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
 +HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.56
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27522
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25690
 +(**Security fix**)
 +
 +**sudo-1.9.13p3**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.16**:  Upgraded.
 +Add bash completion support, courtesy of Ville Skytta.
 +Updated the .tr TLD server.
 +Removed support for -metu NIC handles.
 +
 +**curl-7.88.1**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-02-16 ====
 +
 +**curl-7.88.0**:  Upgraded.
 +This update fixes security issues:
 +HTTP multi-header compression denial of service.
 +HSTS amnesia with --parallel.
 +HSTS ignored on multiple requests.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-23916.html
 +  * https://curl.se/docs/CVE-2023-23915.html
 +  * https://curl.se/docs/CVE-2023-23914.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23916
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23915
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23914
 +(**Security fix**)
 +
 +**git-2.30.8**:  Upgraded.
 +This update fixes security issues:
 +Using a specially-crafted repository, Git can be tricked into using
 +its local clone optimization even when using a non-local transport.
 +Though Git will abort local clones whose source $GIT_DIR/objects
 +directory contains symbolic links (c.f., CVE-2022-39253), the objects
 +directory itself may still be a symbolic link.
 +These two may be combined to include arbitrary files based on known
 +paths on the victim's filesystem within the malicious repository's
 +working copy, allowing for data exfiltration in a similar manner as
 +CVE-2022-39253.
 +By feeding a crafted input to "git apply", a path outside the
 +working tree can be overwritten as the user who is running "git
 +apply".
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22490
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23946
 +(**Security fix**)
  
 ==== 2023-01-19 ==== ==== 2023-01-19 ====
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie