changelog_14.2

Differences

This shows you the differences between two versions of the page.

changelog_14.2 [2019/02/12 23:41]
connie
changelog_14.2 [2019/04/17 23:06] (current)
connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2019-04-17 ====
 +
 +**libpng-1.6.37**: ​ Upgraded.
 +This update fixes security issues:
 +  * Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
 +  * Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
 +  * Fixed a memory leak in pngtest.c.
 +  * Fixed two vulnerabilities (CVE-2018-14048,​ CVE-2018-14550) in contrib/​pngminus;​ refactor.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14048
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14550
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-7317
 +(**Security fix**)
 +
 +**libssh2-1.8.2**: ​ Upgraded.
 +This update fixes a misapplied userauth patch that broke 1.8.1.
 +Thanks to Ook.
 +
 +**glibc-zoneinfo-2019a**: ​ Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2019-04-06 ====
 +
 +**httpd-2.4.39**: ​ Upgraded.
 +This release contains security fixes and improvements.
 +In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker
 +or prefork, code executing in less-privileged child processes or threads
 +(including scripts executed by an in-process scripting interpreter) could
 +execute arbitrary code with the privileges of the parent process by
 +manipulating the scoreboard.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-0211
 +(**Security fix**)
 +
 +==== 2019-04-06 ====
 +
 +**openjpeg-2.3.1**: ​ Upgraded.
 +Includes many bug fixes (including security fixes).
 +(**Security fix**)
 +
 +**wget-1.20.3**: ​ Upgraded.
 +Fixed a buffer overflow vulnerability:​
 +src/​iri.c(do_conversion):​ Reallocate the output buffer to a larger
 +size if it is already full.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-5953
 +(**Security fix**)
 +
 +==== 2019-04-02 ====
 +
 +**ghostscript-9.26**: ​ Upgraded. ​                                                                                                                                     ​
 +Fixes security issues: ​                                                                                                                                               ​
 +A specially crafted PostScript file could have access to the file system ​                                                                                             ​
 +outside of the constrains imposed by -dSAFER. ​                                                                                                                        
 +Transient procedures can allow access to system operators, leading to                                                                                                 
 +remote code execution. ​                                                                                                                                               ​
 +For more information,​ see:                                                                                                                                            ​
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3835 ​                                                                                                     ​
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3838 ​                                                                                                     ​
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-6116 ​                                                                                                     ​
 +(**Security fix**) ​                                                                                                                                                   ​
 +                                                                                                                                                                      ​
 +**wget-1.20.2**: ​ Upgraded. ​                                                                                                                                          
 +Fixed an unspecified buffer overflow vulnerability. ​                                                                                                                  
 +(**Security fix**)
 +
 +==== 2019-03-27 ====
 +
 +**gnutls-3.6.7**: ​ Upgraded.
 +Fixes security issues:
 +  * libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
 +  * libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27,​ #694]
 +  * libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27,​ #704]
 +  * libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
 +  * libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
 +
 +(**Security fix**)
 +
 +==== 2019-03-19 ====
 +
 +**libssh2-1.8.1**: ​ Upgraded.
 +Fixed several security issues.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3855
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3856
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3857
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3858
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3859
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3860
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3861
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3862
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3863
 +(**Security fix**)
 +
 +**mariadb-10.0.38**: ​ Rebuilt.
 +Fixed paths in /​usr/​bin/​mysql_install_db.
 +Thanks to Stuart Winter.
 +
 +==== 2019-03-08 ====
 +
 +**ca-certificates-20190308** ​ Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**ntp-4.2.8p13**: ​ Upgraded.
 +This release fixes a bug that allows an attacker with access to an explicitly
 +trusted source to send a crafted malicious mode 6 (ntpq) packet that can
 +trigger a NULL pointer dereference,​ crashing ntpd.
 +It also provides 17 other bugfixes and 1 other improvement.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-8936
 +(**Security fix**)
 +
 +==== 2019-03-03 ====
 +
 +**python-2.7.16**: ​ Upgraded.
 +Updated to the latest 2.7.x release, which fixes a few security issues.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2013-1752
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14647
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-5010
 +(**Security fix**)
 +
 +==== 2019-03-01 ====
 +
 +**infozip-6.0**: ​ Rebuilt.
 +Added some patches that should fix extracting archives with non-latin
 +characters in the filenames. Thanks to saahriktu.
 +This update also fixes various security issues in zip and unzip.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2014-8139
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2014-8140
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2014-8141
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2016-9844
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-18384
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-1000035
 +(**Security fix**)
 +
 +**curl-7.64.0**: ​ Rebuilt.
 +Applied upstream patch to fix log spam:
 +[PATCH] multi: remove verbose "​Expire in" ... messages
 +Thanks to compassnet.
 +
 +==== 2019-02-27 ====
 +
 +**ca-certificates-20181210**: ​ Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**openssl-1.0.2r**: ​ Upgraded.
 +Go into the error state if a fatal alert is sent or received. If an
 +application calls SSL_shutdown after a fatal alert has occured and
 +then behaves different based on error codes from that function then
 +the application may be vulnerable to a padding oracle.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-1559
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2r**: ​ Upgraded.
 +
 +==== 2019-02-23 ====
 +
 +**file-5.36**: ​ Upgraded.
 +Fix out-of-bounds read and denial-of-service security issues.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-8906
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-8907
 +(**Security fix**)
  
 ==== 2019-02-12 ==== ==== 2019-02-12 ====
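
Review bot: The heading "==== 2019-04-06 ====" is added twice in a row, once above the httpd-2.4.39 entry and again above the openjpeg-2.3.1 and wget-1.20.3 entries, so a reader cannot tell whether one of the dates is wrong or one day's updates were split in two; merge the two sections under a single heading or correct the date on one of them. Smaller points in the same block: "**ca-certificates-20190308**" is missing the colon that every other package line has inside the bold markup, the ghostscript entry says "constrains" where "constraints" is meant, the openssl entry has "occured" for "occurred", the ghostscript and wget-1.20.2 lines carry long runs of trailing whitespace, and the gnutls entry has a stray empty line before "(**Security fix**)" and cites GNUTLS-SA-2019-03-27 without the "For more information, see:" link list the other security entries use.
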
changelog_14.2.1550032897.txt.gz · Last modified: 2019/02/12 23:41 by connie