changelog_14.2

Revisions compared: changelog_14.2 [2023/04/03 15:04] – [2023-03-22] connie → changelog_14.2 [2023/12/20 12:57] – [2023-12-13] connie

Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.

==== 2023-12-20 ====

**libssh-0.10.6**:  Upgraded.
This update fixes security issues:
Command injection using proxycommand.
Potential downgrade attack using strict kex.
Missing checks for return values of MD functions.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-6004
  * https://www.cve.org/CVERecord?id=CVE-2023-48795
  * https://www.cve.org/CVERecord?id=CVE-2023-6918
(**Security fix**)
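The strict key exchange extension behind the downgrade entry (CVE-2023-48795) is negotiated through pseudo-algorithm names carried in the kex_algorithms name-list of the SSH KEXINIT message. The example below is added here and is not part of the Slackware ChangeLog or of libssh: it parses a KEXINIT payload laid out per RFC 4253 and reports whether a peer advertises the extension. The sample payloads, the helper names and the algorithm selections in them are constructed for the demonstration.

```python
"""Parse an SSH KEXINIT payload and report whether the peer advertises the
strict key exchange extension (constructed illustration, not libssh code).
Layout per RFC 4253 section 7.1; marker names per the OpenSSH PROTOCOL
document."""
import struct

SSH_MSG_KEXINIT = 20
# The strict-kex extension is signalled by a pseudo-algorithm placed in the
# kex_algorithms name-list: servers send the -s- form, clients the -c- form.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"

# The ten name-lists of KEXINIT, in wire order.
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)


def _read_name_list(buf, off):
    """Read one uint32-length-prefixed, comma-separated name-list."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + n


def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict, rejecting malformed input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # one-byte message id followed by the 16-byte cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    if off + 5 > len(payload):  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(**lists):
    """Assemble a KEXINIT payload (zero cookie) so the parser can be exercised offline."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in NAME_LIST_FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)


def advertises_strict_kex(payload, peer_is_server=True):
    """True if the peer's KEXINIT carries the strict-kex marker for its role."""
    marker = STRICT_KEX_SERVER if peer_is_server else STRICT_KEX_CLIENT
    return marker in parse_kexinit(payload)["kex_algorithms"]


# Constructed sample: a server that offers strict kex alongside its real KEX methods.
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256", STRICT_KEX_SERVER],
    server_host_key_algorithms=["ssh-ed25519"],
    encryption_algorithms_c2s=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    encryption_algorithms_s2c=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    mac_algorithms_c2s=["hmac-sha2-256-etm@openssh.com"],
    mac_algorithms_s2c=["hmac-sha2-256-etm@openssh.com"],
    compression_algorithms_c2s=["none"],
    compression_algorithms_s2c=["none"],
)

# Constructed sample: an older server that does not know the extension.
SAMPLE_LEGACY_KEXINIT = build_kexinit(
    kex_algorithms=["curve25519-sha256"],
    server_host_key_algorithms=["ssh-ed25519"],
    encryption_algorithms_c2s=["aes256-ctr"],
    encryption_algorithms_s2c=["aes256-ctr"],
    mac_algorithms_c2s=["hmac-sha2-256"],
    mac_algorithms_s2c=["hmac-sha2-256"],
    compression_algorithms_c2s=["none"],
    compression_algorithms_s2c=["none"],
)

if __name__ == "__main__":
    print("strict kex advertised:", advertises_strict_kex(SAMPLE_SERVER_KEXINIT))  # True
    print("strict kex advertised:", advertises_strict_kex(SAMPLE_LEGACY_KEXINIT))  # False
```

KEXINIT is the first binary packet each side sends after the version string, so running parse_kexinit over captured payloads is a quick way to inventory which SSH peers already negotiate strict kex once the libssh side has been upgraded; a peer whose list lacks the marker falls back to the pre-extension handshake.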

**sudo-1.9.15p4**:  Upgraded.
This is a bugfix release.

**libxml2-2.11.6**:  Upgraded.
We're going to drop back to the 2.11 branch here on the stable releases
since it has all of the relevant security fixes and better compatibility.

**sudo-1.9.15p3**:  Upgraded.
This is a bugfix release.


==== 2023-12-13 ====

**libxml2-2.12.3**:  Upgraded.
This update addresses regressions when building against libxml2 that were
due to header file refactoring.

**libxml2-2.12.2**:  Upgraded.
Add --sysconfdir=/etc option so that this can find the xml catalog.
Thanks to SpiderTux.
Fix the following security issues:
Fix integer overflows with XML_PARSE_HUGE.
Fix dict corruption caused by entity reference cycles.
Hashing of empty dict strings isn't deterministic.
Fix null deref in xmlSchemaFixupComplexType.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2022-40303
  * https://www.cve.org/CVERecord?id=CVE-2022-40304
  * https://www.cve.org/CVERecord?id=CVE-2023-29469
  * https://www.cve.org/CVERecord?id=CVE-2023-28484
(**Security fix**)

**ca-certificates-20231117**:  Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.

**sudo-1.9.15p1**:  Upgraded.
This is a bugfix release:
Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
from being able to read the ldap.conf file.

==== 2023-11-08 ====

**sudo-1.9.15**:  Upgraded.
The sudoers plugin has been modified to make it more resilient to ROWHAMMER
attacks on authentication and policy matching.
The sudoers plugin now constructs the user time stamp file path name using
the user-ID instead of the user name. This avoids a potential problem with
user names that contain a path separator ('/') being interpreted as part of
the path name.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-42465
  * https://www.cve.org/CVERecord?id=CVE-2023-42456
(**Security fix**)
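The sudo-1.9.15 entry describes a file name derived from the user name. The example below is added here and is not sudo's code: it contrasts that scheme with the user-ID based one and adds a containment check that shows why the change matters, since a numeric ID can never carry a path separator. The time stamp directory, the helper names and the sample accounts are assumptions made for the illustration.

```python
"""Contrast user-name based and user-ID based time stamp file names and
check which one stays inside the time stamp directory (constructed
illustration, not sudo's code)."""
import posixpath

TIMESTAMP_DIR = "/run/sudo/ts"  # assumed directory for the illustration


def ts_path_from_name(user_name):
    """Old scheme: the user name is used verbatim as the file name."""
    return posixpath.join(TIMESTAMP_DIR, user_name)


def ts_path_from_uid(uid):
    """Scheme described in the entry: the numeric user-ID is the file name."""
    if not isinstance(uid, int) or uid < 0:
        raise ValueError("uid must be a non-negative integer")
    return posixpath.join(TIMESTAMP_DIR, str(uid))


def stays_inside(base, path):
    """True only if the normalized path is a direct child of base.

    '..' components, an embedded sub-directory and an absolute component
    (posixpath.join discards everything before an absolute element) all end
    up with a different parent, so one dirname comparison catches them."""
    normalized = posixpath.normpath(path)
    return posixpath.dirname(normalized) == posixpath.normpath(base)


# Constructed sample accounts: an ordinary user, a name with '..' components,
# a name with an embedded sub-directory and a name that is absolute.
SAMPLE_USERS = {
    "alice": 1000,
    "../../tmp/evil": 1001,
    "team/bob": 1002,
    "/tmp/absolute": 1003,
}


def audit(users=SAMPLE_USERS):
    """For each account, report whether each naming scheme keeps the file under TIMESTAMP_DIR."""
    report = {}
    for name, uid in users.items():
        report[name] = {
            "by_name": stays_inside(TIMESTAMP_DIR, ts_path_from_name(name)),
            "by_uid": stays_inside(TIMESTAMP_DIR, ts_path_from_uid(uid)),
        }
    return report


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name!r:20} by name: {result['by_name']!s:5} by uid: {result['by_uid']}")
```

Only the ordinary account passes under the name-based scheme, whereas every account passes under the ID-based one; the same direct-child check is a cheap guard to keep in any code that still builds per-user file names from strings it did not choose.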


==== 2023-10-20 ====

**httpd-2.4.58**:  Upgraded.
This update fixes bugs and security issues:
moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed
right away on RST.
low: mod_macro buffer over-read.
low: Apache HTTP Server: DoS in HTTP/2 with initial window size 0.
For more information, see:
  * https://downloads.apache.org/httpd/CHANGES_2.4.58
  * https://www.cve.org/CVERecord?id=CVE-2023-45802
  * https://www.cve.org/CVERecord?id=CVE-2023-31122
  * https://www.cve.org/CVERecord?id=CVE-2023-43622
(**Security fix**)

==== 2023-10-16 ====

**curl-8.4.0**:  Upgraded.
This update fixes security issues:
Cookie injection with none file.
SOCKS5 heap buffer overflow.
For more information, see:
  * https://curl.se/docs/CVE-2023-38546.html
  * https://curl.se/docs/CVE-2023-38545.html
  * https://www.cve.org/CVERecord?id=CVE-2023-38546
  * https://www.cve.org/CVERecord?id=CVE-2023-38545
(**Security fix**)

<code>
Mon Oct  9 18:10:01 UTC 2023
####################################################################
# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
#                                                                  #
# Effective January 1, 2024, security patches will no longer be    #
# provided for the following versions of Slackware (which will all #
# be more than 7 years old at that time):                          #
#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                #
# If you are still running these versions you should consider      #
# migrating to a newer version (preferably as recent as possible). #
# Alternately, you may make arrangements to handle your own        #
# security patches.                                                #
####################################################################
</code>

==== 2023-10-04 ====

**libX11-1.8.7**:  Upgraded.
This update fixes security issues:
libX11: out-of-bounds memory access in _XkbReadKeySyms().
libX11: stack exhaustion from infinite recursion in PutSubImage().
libX11: integer overflow in XCreateImage() leading to a heap overflow.
For more information, see:
  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
  * https://www.cve.org/CVERecord?id=CVE-2023-43785
  * https://www.cve.org/CVERecord?id=CVE-2023-43786
  * https://www.cve.org/CVERecord?id=CVE-2023-43787
(**Security fix**)

**libXpm-3.5.17**:  Upgraded.
This update fixes security issues:
libXpm: out of bounds read in XpmCreateXpmImageFromBuffer().
libXpm: out of bounds read on XPM with corrupted colormap.
For more information, see:
  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
  * https://www.cve.org/CVERecord?id=CVE-2023-43788
  * https://www.cve.org/CVERecord?id=CVE-2023-43789
(**Security fix**)

**cups-2.1.4**:  Rebuilt.
This update fixes bugs and a security issue:
Fixed heap-based buffer overflow when reading PostScript in PPD files.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-4504
(**Security fix**)

**netatalk-3.1.17**:  Upgraded.
This update fixes bugs and a security issue:
Validate data type in dalloc_value_for_key(). This flaw could allow a
malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
execute arbitrary code.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-42464
(**Security fix**)

**curl-8.3.0**:  Upgraded.
This update fixes a security issue:
HTTP headers eat all memory.
  * https://curl.se/docs/CVE-2023-38039.html
  * https://www.cve.org/CVERecord?id=CVE-2023-38039
(**Security fix**)

**libarchive-3.7.2**:  Upgraded.
This update fixes multiple security vulnerabilities in the PAX writer:
Heap overflow in url_encode() in archive_write_set_format_pax.c.
NULL dereference in archive_write_pax_header_xattrs().
Another NULL dereference in archive_write_pax_header_xattrs().
NULL dereference in archive_write_pax_header_xattr().
(**Security fix**)

**netatalk-3.1.16**:  Upgraded.
This update fixes bugs and security issues.
Shared library .so-version bump.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2022-23121
  * https://www.cve.org/CVERecord?id=CVE-2022-23123
(**Security fix**)

**curl-8.2.1**:  Upgraded.
This is a bugfix release.

**whois-5.5.18**:  Upgraded.
Updated the .ga TLD server.
Added new recovered IPv4 allocations.
Removed the delegation of 43.0.0.0/8 to JPNIC.
Removed 12 new gTLDs which are no longer active.
Improved the man page source, courtesy of Bjarni Ingi Gislason.
Added the .edu.za SLD server.
Updated the .alt.za SLD server.
Added the -ru and -su NIC handles servers.

**ca-certificates-20230721**:  Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.

**curl-8.2.0**:  Upgraded.
This update fixes a security issue:
fopen race condition.
For more information, see:
  * https://curl.se/docs/CVE-2023-32001.html
  * https://www.cve.org/CVERecord?id=CVE-2023-32001
(**Security fix**)

**sudo-1.9.14p2**:  Upgraded.
This is a bugfix release.

**sudo-1.9.14p1**:  Upgraded.
This is a bugfix release.

**cups-2.1.4**:  Rebuilt.
Fixed use-after-free when logging warnings in case of failures
in cupsdAcceptClient().
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-34241
(**Security fix**)

==== 2023-06-15 ====

**libX11-1.8.6**:  Upgraded.
This update fixes buffer overflows in InitExt.c that could at least cause
the client to crash due to memory corruption.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-3138
(**Security fix**)

**ntp-4.2.8p17**:  Upgraded.
This is a bugfix release.


==== 2023-06-06 ====

**cups-2.1.4**:  Rebuilt.
Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
attacker to launch a denial of service (DoS) attack, or possibly execute
arbitrary code.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-32324
(**Security fix**)

**ntp-4.2.8p16**:  Upgraded.
This update fixes bugs and security issues.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-26551
  * https://www.cve.org/CVERecord?id=CVE-2023-26552
  * https://www.cve.org/CVERecord?id=CVE-2023-26553
  * https://www.cve.org/CVERecord?id=CVE-2023-26554
  * https://www.cve.org/CVERecord?id=CVE-2023-26555
(**Security fix**)

**curl-8.1.2**:  Upgraded.
This is a bugfix release.

==== 2023-05-26 ====

**ntfs-3g-2022.10.3**:  Upgraded.
Fixed vulnerabilities that may allow an attacker using a maliciously
crafted NTFS-formatted image file or external storage to potentially
execute arbitrary privileged code or cause a denial of service.
Thanks to opty.
For more information, see:
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
(**Security fix**)

**curl-8.1.1**:  Upgraded.
This is a bugfix release.


==== 2023-05-18 ====

**curl-8.1.0**:  Upgraded.
This update fixes security issues:
more POST-after-PUT confusion.
IDN wildcard match.
siglongjmp race condition.
UAF in SSH sha256 fingerprint check.
For more information, see:
  * https://curl.se/docs/CVE-2023-28322.html
  * https://curl.se/docs/CVE-2023-28321.html
  * https://curl.se/docs/CVE-2023-28320.html
  * https://curl.se/docs/CVE-2023-28319.html
  * https://www.cve.org/CVERecord?id=CVE-2023-28322
  * https://www.cve.org/CVERecord?id=CVE-2023-28321
  * https://www.cve.org/CVERecord?id=CVE-2023-28320
  * https://www.cve.org/CVERecord?id=CVE-2023-28319
(**Security fix**)

**ca-certificates-20230506**:  Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.

==== 2023-05-05 ====

**libssh-0.10.5**:  Upgraded.
This update fixes security issues:
A NULL dereference during rekeying with algorithm guessing.
A possible authorization bypass in pki_verify_data_signature under
low-memory conditions.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-1667
  * https://www.cve.org/CVERecord?id=CVE-2023-2283
(**Security fix**)

**whois-5.5.17**:  Upgraded.
Added the .cd TLD server.
Updated the -kg NIC handles server name.
Removed 2 new gTLDs which are no longer active.


==== 2023-05-01 ====

**netatalk-3.1.15**:  Upgraded.
This update fixes security issues, including a critical vulnerability that
allows remote attackers to execute arbitrary code on affected installations
of Netatalk. Authentication is not required to exploit this vulnerability.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2022-43634
  * https://www.cve.org/CVERecord?id=CVE-2022-45188
(**Security fix**)

==== 2023-04-25 ====

**git-2.30.9**:  Upgraded.
This update fixes security issues:
By feeding specially crafted input to `git apply --reject`, a
path outside the working tree can be overwritten with partially
controlled contents (corresponding to the rejected hunk(s) from
the given patch).
When Git is compiled with runtime prefix support and runs without
translated messages, it still used the gettext machinery to
display messages, which subsequently potentially looked for
translated messages in unexpected places. This allowed for
malicious placement of crafted messages.
When renaming or deleting a section from a configuration file,
certain malicious configuration values may be misinterpreted as
the beginning of a new configuration section, leading to arbitrary
configuration injection.
For more information, see:
  * https://www.cve.org/CVERecord?id=CVE-2023-25652
  * https://www.cve.org/CVERecord?id=CVE-2023-25815
  * https://www.cve.org/CVERecord?id=CVE-2023-29007
(**Security fix**)

**httpd-2.4.57**:  Upgraded.
This is a bugfix release.
For more information, see:
  * https://downloads.apache.org/httpd/CHANGES_2.4.57
  
==== 2023-04-03 ====
changelog_14.2.txt · Last modified: 2023/12/23 13:40 by connie