changelog_14.2

changelog_14.2 [2019/09/12 12:54]
connie
changelog_14.2 [2020/02/21 02:39] (current)
connie [2020-02-14]
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +==== 2020-02-20 ====
 +
 +**proftpd-1.3.6c**: ​ Upgraded.
 +No CVEs assigned, but this sure looks like a security issue:
 +Use-after-free vulnerability in memory pools during data transfer.
 +(**Security fix**)
 +
 +==== 2020-02-14 ====
 +
 +**libarchive-3.4.2**: ​ Upgraded.
 +This update includes security fixes in the RAR5 reader.
 +(**Security fix**)
 +
 +==== 2020-01-31 ====
 +
 +**sudo-1.8.31**: ​ Upgraded.
 +This update fixes a security issue:
 +In Sudo before 1.8.31, if pwfeedback is enabled in /​etc/​sudoers,​ users can
 +trigger a stack-based buffer overflow in the privileged sudo process.
 +(pwfeedback is a default setting in some Linux distributions;​ however, it
 +is not the default for upstream or in Slackware, and would exist only if
 +enabled by an administrator.) The attacker needs to deliver a long string
 +to the stdin of getln() in tgetpass.c.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-18634
 +(**Security fix**)
 +
 +**bind-9.11.15**: ​ Upgraded.
 +This is a bugfix release:
 +With some libmaxminddb versions, named could erroneously match an IP address
 +not belonging to any subnet defined in a given GeoIP2 database to one of the
 +existing entries in that database. [GL #1552]
 +Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL #2478]
 +
 +==== 2020-01-11 ====
 +
 +**p7zip-16.02**:​ Added (FXP)
 +==== 2020-01-09 ====
 +
 +**linux-libre-*-4.4.208**: ​ Upgraded.
 +   ​IPV6_MULTIPLE_TABLES n -> y
 +  +IPV6_SUBTREES y
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information,​ see:
 +
 +Fixed in 4.4.203:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19524
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15917
 +Fixed in 4.4.204:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-18660
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15291
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-18683
 +Fixed in 4.4.206:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-12614
 +Fixed in 4.4.207:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19227
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19062
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19338
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19332
 +Fixed in 4.4.208:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19057
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19063
 +(**Security fix**)
 +
 +**xfce4-weather-plugin-0.8.11**: ​ Upgraded.
 +Bugfix release to address the upcoming obsolescence of the
 +locationforecastLTS API from met.no. Thanks to Robby Workman.
 +
 +**libwmf-0.2.8.4**: ​ Rebuilt.
 +This is a bugfix release to correct the path for the GDK_PIXBUF_DIR.
 +Thanks to B. Watson and Robby Workman.
 +
 +==== 2019-12-21 ====
 +
 +**openssl-1.0.2u**: ​ Upgraded.
 +This update fixes a low severity security issue:
 +Fixed an an overflow bug in the x86_64 Montgomery squaring procedure used in
 +exponentiation with 512-bit moduli.
 +For more information,​ see:
 +  * https://​www.openssl.org/​news/​secadv/​20191206.txt
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-1551
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**: ​ Upgraded.
 +
 +**tigervnc-1.10.1**: ​ Upgraded.
 +From tigervnc.org:​ "This is a security release to fix a number of issues
 +that were found by Kaspersky Lab. These issues affect both the client and
 +server and could theoretically allow a malicious peer to take control
 +over the software on the other side. No working exploit is known at this
 +time, and the issues require the peer to first be authenticated. We still
 +urge users to upgrade when possible."​
 +(**Security fix**)
 +
 +==== 2019-12-19 ====
 +
 +**bind-9.11.14**: ​ Upgraded.
 +This is a bugfix release:
 +Fixed a bug that caused named to leak memory on reconfiguration when
 +any GeoIP2 database was in use. [GL #1445]
 +Fixed several possible race conditions discovered by Thread Sanitizer.
 +
 +**wavpack-5.2.0**: ​ Upgraded.
 +Fixed denial-of-service and other potential security issues.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-19840
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-19841
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10536
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10537
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10538
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10539
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10540
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-7254
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-7253
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-6767
 +(**Security fix**)
 +
 +**ca-certificates-20191130**: ​ Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2019-11-21 ====
 +
 +**bind-9.11.13**: ​ Upgraded.
 +This update fixes a security issue:
 +Set a limit on the number of concurrently served pipelined TCP queries.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-6477
 +(**Security fix**)
 +
 +==== 2019-11-17 ====
 +
 +**linux-libre-*-4.4.202**: ​ Upgraded.
 +  * CRYPTO_CRC32C_INTEL m -> y
 +  * +X86_INTEL_TSX_MODE_AUTO n
 +  * +X86_INTEL_TSX_MODE_OFF y
 +  * +X86_INTEL_TSX_MODE_ON n
 +These updates fix various bugs and security issues, including mitigation for
 +the TSX Asynchronous Abort condition on some CPUs.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information,​ see:
 +
 +Fixed in 4.4.201:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-0155
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-0154
 +Fixed in 4.4.202:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-11135
 +(**Security fix**)
 +
 +==== 2019-11-12 ====
 +
 +**kdelibs-4.14.38**: ​ Rebuilt. ​                                                                                                                                                          
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**kdepim-4.14.10**: ​ Rebuilt.
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**kdepimlibs-4.14.10**: ​ Rebuilt.
 +Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.
 +
 +**linux-libre-*-4.4.199**: ​ Upgraded.
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information,​ see:
 +
 +Fixed in 4.4.191:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-3900
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15118
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2016-10906
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2016-10905
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-10638
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15117
 +Fixed in 4.4.193:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14835
 +Fixed in 4.4.194:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14816
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14814
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15505
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14821
 +Fixed in 4.4.195:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17053
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17052
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17056
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17055
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17054
 +Fixed in 4.4.196:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-2215
 +Fixed in 4.4.197:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-16746
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-20976
 +Fixed in 4.4.198:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17075
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-17133
 +Fixed in 4.4.199:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15098
 +(**Security fix**)
 +
 +==== 2019-11-04 ====
 +
 +**libtiff-4.1.0**: ​ Upgraded.
 +libtiff: fix integer overflow in _TIFFCheckMalloc() that could cause a crash.
 +tif_dir: unset transferfunction field if necessary.
 +pal2rgb: failed to free memory on a few errors.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14973
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-19210
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-6128
 +(**Security fix**)
 +
 +==== 2019-10-21 ====
 +
 +**python-2.7.17**: ​ Upgraded.
 +This update fixes bugs and security issues:
 +Update vendorized expat library version to 2.2.8.
 +Disallow URL paths with embedded whitespace or control characters into the
 +underlying http client request. Such potentially malicious header injection
 +URLs now cause an httplib.InvalidURL exception to be raised.
 +Avoid file reading by disallowing ``local-file://​`` and ``local_file://​``
 +URL schemes in :​func:​`urllib.urlopen`,​ :​meth:​`urllib.URLopener.open` and
 +:​meth:​`urllib.URLopener.retrieve`.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15903
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-9740
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-9948
 +(**Security fix**)
 +
 +**ca-certificates-20191018**: ​ Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.8.28p1**: ​ Rebuilt.
 +This is a bugfix release:
 +Ensure that /​etc/​environment exists to prevent complaints from "sudo -i".
 +
 +==== 2019-10-14 ====
 +
 +**sudo-1.8.28**: ​ Upgraded.
 +Fixed a bug where an sudo user may be able to run a command as root when
 +the Runas specification explicitly disallows root access as long as the
 +ALL keyword is listed first.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-14287
 +(**Security fix**)
 +
 +==== 2019-10-02 ====
 +
 +**libpcap-1.9.1**: ​ Upgraded.
 +This update is required for the new version of tcpdump.
 +
 +**tcpdump-4.9.3**: ​ Upgraded.
 +Fix buffer overflow/​overread vulnerabilities and command line
 +argument/​local issues.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2017-16808
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14468
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14469
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14470
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14466
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14461
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14462
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14465
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14881
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14464
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14463
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14467
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10103
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-10105
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14880
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16451
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14882
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16227
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16229
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16301
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16230
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16452
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16300
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-16228
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15166
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15167
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2018-14879
 +(**Security fix**)
 +
 +==== 2019-09-16 ====
 +
 +**expat-2.2.8**: ​ Upgraded.
 +Fix heap overflow triggered by XML_GetCurrentLineNumber (or
 +XML_GetCurrentColumnNumber),​ and deny internal entities closing the doctype.
 +For more information,​ see:
 +  * https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-15903
 +(**Security fix**)
  
 ==== 2019-09-12 ==== ==== 2019-09-12 ====
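Review bot: In the 2020-01-09 linux-libre-*-4.4.208 entry the two kernel config changes are written as bare indented lines ("   IPV6_MULTIPLE_TABLES n -> y" and "  +IPV6_SUBTREES y"), while the 2019-11-17 entry for 4.4.202 uses list items ("  * CRYPTO_CRC32C_INTEL m -> y", "  * +X86_INTEL_TSX_MODE_OFF y"). Suggest writing them as "  * IPV6_MULTIPLE_TABLES n -> y" and "  * +IPV6_SUBTREES y" so both kernel entries render the same way and the leading "+" is not mistaken for markup. Two smaller points in the same hunk: the 2019-12-21 openssl-1.0.2u text reads "Fixed an an overflow bug" (duplicated word), and the 2020-01-11 p7zip-16.02 line is followed directly by the "==== 2020-01-09 ====" heading without the blank line every other entry has before the next date. The 2020-02-20 proftpd-1.3.6c entry is marked as a security fix with no CVE and no link; a "For more information, see:" reference to the upstream release notes would let readers trace the use-after-free fix the way the other security entries allow.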
changelog_14.2.1568307244.txt.gz · Last modified: 2019/09/12 12:54 by connie