changelog_14.2

Differences

This shows you the differences between two versions of the page.

changelog_14.2 [2020/03/04 19:48] – [2020-02-20] connie
changelog_14.2 [2023/12/23 13:40] (current) – [2023-12-20] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +
 +==== 2023-12-23 ====
 +
 +**proftpd-1.3.8b**:  Upgraded.
 +This update fixes a security issue:
 +mod_sftp: implemented mitigations for "Terrapin" SSH attack.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +(**Security fix**)
 +
 +
 +==== 2023-12-20 ====
 +
 +**libssh-0.10.6**:  Upgraded.
 +This update fixes security issues:
 +Command injection using proxycommand.
 +Potential downgrade attack using strict kex.
 +Missing checks for return values of MD functions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6004
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6918
 +(**Security fix**)
 +
 +**sudo-1.9.15p4**:  Upgraded.
 +This is a bugfix release.
 +
 +**libxml2-2.11.6**:  Upgraded.
 +We're going to drop back to the 2.11 branch here on the stable releases
 +since it has all of the relevant security fixes and better compatibility.
 +
 +**sudo-1.9.15p3**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-12-13 ====
 +
 +**libxml2-2.12.3**:  Upgraded.
 +This update addresses regressions when building against libxml2 that were
 +due to header file refactoring.
 +
 +**libxml2-2.12.2**:  Upgraded.
 +Add --sysconfdir=/etc option so that this can find the xml catalog.
 +Thanks to SpiderTux.
 +Fix the following security issues:
 +Fix integer overflows with XML_PARSE_HUGE.
 +Fix dict corruption caused by entity reference cycles.
 +Hashing of empty dict strings isn't deterministic.
 +Fix null deref in xmlSchemaFixupComplexType.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40303
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40304
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29469
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28484
 +(**Security fix**)
 +
 +**ca-certificates-20231117**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.9.15p1**:  Upgraded.
 +This is a bugfix release:
 +Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
 +from being able to read the ldap.conf file.
 +
 +==== 2023-11-08 ====
 +
 +**sudo-1.9.15**:  Upgraded.
 +The sudoers plugin has been modified to make it more resilient to ROWHAMMER
 +attacks on authentication and policy matching.
 +The sudoers plugin now constructs the user time stamp file path name using
 +the user-ID instead of the user name. This avoids a potential problem with
 +user names that contain a path separator ('/') being interpreted as part of
 +the path name.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42465
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42456
 +(**Security fix**)
 +
 +
 +==== 2023-10-20 ====
 +
 +**httpd-2.4.58**:  Upgraded.
 +This update fixes bugs and security issues:
 +moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed
 +right away on RST.
 +low: mod_macro buffer over-read.
 +low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.58
 +  * https://www.cve.org/CVERecord?id=CVE-2023-45802
 +  * https://www.cve.org/CVERecord?id=CVE-2023-31122
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43622
 +(**Security fix**)
 +
 +==== 2023-10-16 ====
 +
 +**curl-8.4.0**:  Upgraded.
 +This update fixes security issues:
 +Cookie injection with none file.
 +SOCKS5 heap buffer overflow.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-38546.html
 +  * https://curl.se/docs/CVE-2023-38545.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38546
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38545
 +(**Security fix**)
 +
 +<code>
 +Mon Oct  9 18:10:01 UTC 2023
 +####################################################################
 +# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
 +#                                                                  #
 +# Effective January 1, 2024, security patches will no longer be    #
 +# provided for the following versions of Slackware (which will all #
 +# be more than 7 years old at that time):                          #
 +#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                #
 +# If you are still running these versions you should consider      #
 +# migrating to a newer version (preferably as recent as possible). #
 +# Alternately, you may make arrangements to handle your own        #
 +# security patches.                                                #
 +####################################################################
 +</code>
 +
 +==== 2023-10-04 ====
 +
 +**libX11-1.8.7**:  Upgraded.
 +This update fixes security issues:
 +libX11: out-of-bounds memory access in _XkbReadKeySyms().
 +libX11: stack exhaustion from infinite recursion in PutSubImage().
 +libX11: integer overflow in XCreateImage() leading to a heap overflow.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43785
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43786
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43787
 +(**Security fix**)
 +
 +**libXpm-3.5.17**:  Upgraded.
 +This update fixes security issues:
 +libXpm: out of bounds read in XpmCreateXpmImageFromBuffer().
 +libXpm: out of bounds read on XPM with corrupted colormap.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43788
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43789
 +(**Security fix**)
 +
 +**cups-2.1.4**:  Rebuilt.
 +This update fixes bugs and a security issue:
 +Fixed Heap-based buffer overflow when reading Postscript in PPD files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-4504
 +(**Security fix**)
 +
 +**netatalk-3.1.17**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Validate data type in dalloc_value_for_key(). This flaw could allow a
 +malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
 +execute arbitrary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42464
 +(**Security fix**)
 +
 +**curl-8.3.0**:  Upgraded.
 +This update fixes a security issue:
 +HTTP headers eat all memory.
 +  * https://curl.se/docs/CVE-2023-38039.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38039
 +(**Security fix**)
 +
 +**libarchive-3.7.2**:  Upgraded.
 +This update fixes multiple security vulnerabilities in the PAX writer:
 +Heap overflow in url_encode() in archive_write_set_format_pax.c.
 +NULL dereference in archive_write_pax_header_xattrs().
 +Another NULL dereference in archive_write_pax_header_xattrs().
 +NULL dereference in archive_write_pax_header_xattr().
 +(**Security fix**)
 +
 +**netatalk-3.1.16**:  Upgraded.
 +This update fixes bugs and security issues.
 +Shared library .so-version bump.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23121
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23123
 +(**Security fix**)
 +
 +**curl-8.2.1**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.18**:  Upgraded.
 +Updated the .ga TLD server.
 +Added new recovered IPv4 allocations.
 +Removed the delegation of 43.0.0.0/8 to JPNIC.
 +Removed 12 new gTLDs which are no longer active.
 +Improved the man page source, courtesy of Bjarni Ingi Gislason.
 +Added the .edu.za SLD server.
 +Updated the .alt.za SLD server.
 +Added the -ru and -su NIC handles servers.
 +
 +**ca-certificates-20230721**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-8.2.0**:  Upgraded.
 +This update fixes a security issue:
 +fopen race condition.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-32001.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32001
 +(**Security fix**)
 +
 +**sudo-1.9.14p2**:  Upgraded.
 +This is a bugfix release.
 +
 +**sudo-1.9.14p1**:  Upgraded.
 +This is a bugfix release.
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed use-after-free when logging warnings in case of failures
 +in cupsdAcceptClient().
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-34241
 +(**Security fix**)
 +
 +==== 2023-06-15 ====
 +
 +**libX11-1.8.6**:  Upgraded.
 +This update fixes buffer overflows in InitExt.c that could at least cause
 +the client to crash due to memory corruption.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-3138
 +(**Security fix**)
 +
 +**ntp-4.2.8p17**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-06-06 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
 +cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
 +attacker to launch a denial of service (DoS) attack, or possibly execute
 +arbirary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32324
 +(**Security fix**)
 +
 +**ntp-4.2.8p16**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26551
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26552
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26553
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26554
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26555
 +(**Security fix**)
 +
 +**curl-8.1.2**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-05-26 ====
 +
 +**ntfs-3g-2022.10.3**:  Upgraded.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code or cause a denial of service.
 +Thanks to opty.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
 +(**Security fix**)
 +
 +**curl-8.1.1**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-05-18 ====
 +
 +**curl-8.1.0**:  Upgraded.
 +This update fixes security issues:
 +more POST-after-PUT confusion.
 +IDN wildcard match.
 +siglongjmp race condition.
 +UAF in SSH sha256 fingerprint check.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-28322.html
 +  * https://curl.se/docs/CVE-2023-28321.html
 +  * https://curl.se/docs/CVE-2023-28320.html
 +  * https://curl.se/docs/CVE-2023-28319.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28322
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28321
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28320
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28319
 +(**Security fix**)
 +
 +**ca-certificates-20230506**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2023-05-05 ====
 +
 +**libssh-0.10.5**:  Upgraded.
 +This update fixes security issues:
 +A NULL dereference during rekeying with algorithm guessing.
 +A possible authorization bypass in pki_verify_data_signature under
 +low-memory conditions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-1667
 +  * https://www.cve.org/CVERecord?id=CVE-2023-2283
 +(**Security fix**)
 +
 +**whois-5.5.17**:  Upgraded.
 +Added the .cd TLD server.
 +Updated the -kg NIC handles server name.
 +Removed 2 new gTLDs which are no longer active.
 +
 +
 +==== 2023-05-01 ====
 +
 +**netatalk-3.1.15**:  Upgraded.
 +This update fixes security issues, including a critical vulnerability that
 +allows remote attackers to execute arbitrary code on affected installations
 +of Netatalk. Authentication is not required to exploit this vulnerability.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43634
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +==== 2023-04-25 ====
 +
 +**git-2.30.9**:  Upgraded.
 +This update fixes security issues:
 +By feeding specially crafted input to `git apply --reject`, a
 +path outside the working tree can be overwritten with partially
 +controlled contents (corresponding to the rejected hunk(s) from
 +the given patch).
 +When Git is compiled with runtime prefix support and runs without
 +translated messages, it still used the gettext machinery to
 +display messages, which subsequently potentially looked for
 +translated messages in unexpected places. This allowed for
 +malicious placement of crafted messages.
 +When renaming or deleting a section from a configuration file,
 +certain malicious configuration values may be misinterpreted as
 +the beginning of a new configuration section, leading to arbitrary
 +configuration injection.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25652
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25815
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29007
 +(**Security fix**)
 +
 +**httpd-2.4.57**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.57
 +
 +==== 2023-04-03 ====
 +
 +**irssi-1.4.4**:  Upgraded.
 +Do not crash Irssi when one line is printed as the result of another line
 +being printed.
 +Also solve a memory leak while printing unformatted lines.
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2023c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**tar-1.29**:  Rebuilt.
 +GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
 +of uninitialized memory for a conditional jump. Exploitation to change the
 +flow of control has not been demonstrated. The issue occurs in from_header
 +in list.c via a V7 archive in which mtime has approximately 11 whitespace
 +characters.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-48303
 +(**Security fix**)
 +
 +
 +==== 2023-03-22 ====
 +
 +**curl-8.0.1**:  Upgraded.
 +  * This update fixes security issues:
 +  * SSH connection too eager reuse still.
 +  * HSTS double-free.
 +  * GSS delegation too eager connection re-use.
 +  * FTP too eager connection reuse.
 +  * SFTP path ~ resolving discrepancy.
 +  * TELNET option IAC injection.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-27538.html
 +  * https://curl.se/docs/CVE-2023-27537.html
 +  * https://curl.se/docs/CVE-2023-27536.html
 +  * https://curl.se/docs/CVE-2023-27535.html
 +  * https://curl.se/docs/CVE-2023-27534.html
 +  * https://curl.se/docs/CVE-2023-27533.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27538
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27537
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27536
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27535
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27534
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27533
 +(**Security fix**)
 +
 +==== 2023-03-08 ====
 +
 +**httpd-2.4.56**:  Upgraded.
 +This update fixes two security issues:
 +HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
 +HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.56
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27522
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25690
 +(**Security fix**)
 +
 +**sudo-1.9.13p3**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.16**:  Upgraded.
 +Add bash completion support, courtesy of Ville Skytta.
 +Updated the .tr TLD server.
 +Removed support for -metu NIC handles.
 +
 +**curl-7.88.1**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-02-16 ====
 +
 +**curl-7.88.0**:  Upgraded.
 +This update fixes security issues:
 +HTTP multi-header compression denial of service.
 +HSTS amnesia with --parallel.
 +HSTS ignored on multiple requests.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-23916.html
 +  * https://curl.se/docs/CVE-2023-23915.html
 +  * https://curl.se/docs/CVE-2023-23914.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23916
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23915
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23914
 +(**Security fix**)
 +
 +**git-2.30.8**:  Upgraded.
 +This update fixes security issues:
 +Using a specially-crafted repository, Git can be tricked into using
 +its local clone optimization even when using a non-local transport.
 +Though Git will abort local clones whose source $GIT_DIR/objects
 +directory contains symbolic links (c.f., CVE-2022-39253), the objects
 +directory itself may still be a symbolic link.
 +These two may be combined to include arbitrary files based on known
 +paths on the victim's filesystem within the malicious repository's
 +working copy, allowing for data exfiltration in a similar manner as
 +CVE-2022-39253.
 +By feeding a crafted input to "git apply", a path outside the
 +working tree can be overwritten as the user who is running "git
 +apply".
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22490
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23946
 +(**Security fix**)
 +
 +==== 2023-01-19 ====
 +
 +**sudo-1.9.12p2**:  Upgraded.
 +This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow
 +a malicious user with sudoedit privileges to edit arbitrary files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22809
 +(**Security fix**)
 +
 +==== 2023-01-18 ====
 +
 +**git-2.30.7**:  Upgraded.
 +This release fixes two security issues:
 +  * CVE-2022-41903:
 +git log has the ability to display commits using an arbitrary
 +format with its --format specifiers. This functionality is also
 +exposed to git archive via the export-subst gitattribute.
 +When processing the padding operators (e.g., %<(, %<|(, %>(,
 +%>>(, or %><( ), an integer overflow can occur in
 +pretty.c::format_and_pad_commit() where a size_t is improperly
 +stored as an int, and then added as an offset to a subsequent
 +memcpy() call.
 +This overflow can be triggered directly by a user running a
 +command which invokes the commit formatting machinery (e.g., git
 +log --format=...). It may also be triggered indirectly through
 +git archive via the export-subst mechanism, which expands format
 +specifiers inside of files within the repository during a git
 +archive.
 +This integer overflow can result in arbitrary heap writes, which
 +may result in remote code execution.
 +  * CVE-2022-23521:
 +gitattributes are a mechanism to allow defining attributes for
 +paths. These attributes can be defined by adding a `.gitattributes`
 +file to the repository, which contains a set of file patterns and
 +the attributes that should be set for paths matching this pattern.
 +When parsing gitattributes, multiple integer overflows can occur
 +when there is a huge number of path patterns, a huge number of
 +attributes for a single pattern, or when the declared attribute
 +names are huge.
 +These overflows can be triggered via a crafted `.gitattributes` file
 +that may be part of the commit history. Git silently splits lines
 +longer than 2KB when parsing gitattributes from a file, but not when
 +parsing them from the index. Consequentially, the failure mode
 +depends on whether the file exists in the working tree, the index or
 +both.
 +This integer overflow can result in arbitrary heap reads and writes,
 +which may result in remote code execution.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-41903
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23521
 +(**Security fix**)
 +
 +**httpd-2.4.55**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_proxy allows a backend to trigger HTTP response splitting.
 +mod_proxy_ajp possible request smuggling.
 +mod_dav out of bounds read, or write of zero byte.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.55
 +  * https://www.cve.org/CVERecord?id=CVE-2022-37436
 +  * https://www.cve.org/CVERecord?id=CVE-2022-36760
 +  * https://www.cve.org/CVERecord?id=CVE-2006-20001
 +(**Security fix**)
 +
 +**libXpm-3.5.15**:  Upgraded.
 +This update fixes security issues:
 +Infinite loop on unclosed comments.
 +Runaway loop with width of 0 and enormous height.
 +Compression commands depend on $PATH.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-46285
 +  * https://www.cve.org/CVERecord?id=CVE-2022-44617
 +  * https://www.cve.org/CVERecord?id=CVE-2022-4883
 +(**Security fix**)
 +
 +==== 2023-01-15 ====
 +
 +**netatalk-3.1.14**:  Upgraded.
 +Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow
 +resulting in code execution via a crafted .appl file.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +**ca-certificates-20221205**:  Rebuilt.
 +Make sure that if we're installing this package on another partition (such as
 +when using installpkg with a --root parameter) that the updates are done on
 +that partition. Thanks to fulalas.
 +
 +
 +==== 2023-01-04 ====
 +
 +**libtiff-4.4.0**:  Upgraded.
 +Patched various security bugs.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2056
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2057
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2058
 +  * https://www.cve.org/CVERecord?id=CVE-2022-3970
 +  * https://www.cve.org/CVERecord?id=CVE-2022-34526
 +(**Security fix**)
 +
 +**whois-5.5.15**:  Upgraded.
 +Updated the .bd, .nz and .tv TLD servers.
 +Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
 +Updated the .ac.uk and .gov.uk SLD servers.
 +Recursion has been enabled for whois.nic.tv.
 +Updated the list of new gTLDs with four generic TLDs assigned in October 2013
 +which were missing due to a bug.
 +Removed 4 new gTLDs which are no longer active.
 +Added the Georgian translation, contributed by Temuri Doghonadze.
 +Updated the Finnish translation, contributed by Lauri Nurmi.
 +
 +==== 2022-12-22 ====
 +
 +**curl-7.87.0**:  Upgraded.
 +This is a bugfix release.
 +
 +**libksba-1.6.3**:  Upgraded.
 +Fix another integer overflow in the CRL's signature parser.
 +(**Security fix**)
 +
 +**sdl-1.2.15**:  Rebuilt.
 +This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
 +By crafting a malicious .BMP file, an attacker can cause the application
 +using this library to crash, denial of service, or code execution.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2021-33657
 +(**Security fix**)
 +
 +**libarchive-3.6.2**:  Rebuilt.
 +This update fixes a regression causing a failure to compile against
 +libarchive: don't include iconv in libarchive.pc.
 +
 +**libarchive-3.6.2**:  Upgraded.
 +This is a bugfix and security release.
 +Relevant bugfixes:
 +  * rar5 reader: fix possible garbled output with bsdtar -O (#1745)
 +  * mtree reader: support reading mtree files with tabs (#1783)
 +Security fixes:
 +  * various small fixes for issues found by CodeQL
 +(**Security fix**)
 +
 +**ca-certificates-20221205**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**glibc-zoneinfo-2022g**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-11-09 ====
 +
 +**sysstat-12.7.1**:  Upgraded.
 +On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
 +allocate_structures contains a size_t overflow in sa_common.c. The
 +allocate_structures function insufficiently checks bounds before arithmetic
 +multiplication, allowing for an overflow in the size allocated for the
 +buffer representing system activities.
 +This issue may lead to Remote Code Execution (RCE).
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-39377
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022f**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**sudo-1.9.12p1**:  Upgraded.
 +Fixed a potential out-of-bounds write for passwords smaller than 8
 +characters when passwd authentication is enabled.
 +This does not affect configurations that use other authentication
 +methods such as PAM, AIX authentication or BSD authentication.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43995
 +(**Security fix**)
 +
 +**curl-7.86.0**:  Upgraded.
 +This update fixes security issues:
 +HSTS bypass via IDN.
 +HTTP proxy double-free.
 +.netrc parser out-of-bounds access.
 +POST following PUT confusion. 
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-42916.html
 +  * https://curl.se/docs/CVE-2022-42915.html
 +  * https://curl.se/docs/CVE-2022-35260.html
 +  * https://curl.se/docs/CVE-2022-32221.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35260
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221
 +(**Security fix**)
 +
 +**expat-2.4.3**:  Rebuilt.
 +This update fixes a security issue:
 +Fix heap use-after-free after overeager destruction of a shared DTD in
 +function XML_ExternalEntityParserCreate in out-of-memory situations.
 +Expected impact is denial of service or potentially arbitrary code
 +execution.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
 +(**Security fix**)
 +
 +**rsync-3.2.7**:  Rebuilt.
 +This is a bugfix release, fixing the list of supported auth checksums when
 +rsync is built against 1.0.x.
 +Thanks to niksoggia.
 +
 +**rsync-3.2.7**:  Upgraded.
 +This is a bugfix release.
 +Notably, this addresses some regressions caused by the file-list validation
 +fix in rsync-3.2.5.
 +Thanks to llgar.
 +
 +**whois-5.5.14**:  Upgraded.
 +This update adds the .bf and .sd TLD servers, removes the .gu TLD server,
 +updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for
 +whois.nic.tr, updates the list of new gTLDs, removes whois.nic.fr from the
 +list of RIPE-like servers (because it is not one anymore), renames
 +whois.arnes.si to whois.register.si in the list of RIPE-like servers, and
 +adds the hiding string for whois.auda.org.au.
 +
 +**git-2.30.6**:  Upgraded.
 +This release fixes two security issues:
 +  * CVE-2022-39253:
 +When relying on the `--local` clone optimization, Git dereferences
 +symbolic links in the source repository before creating hardlinks
 +(or copies) of the dereferenced link in the destination repository.
 +This can lead to surprising behavior where arbitrary files are
 +present in a repository's `$GIT_DIR` when cloning from a malicious
 +repository.
 +Git will no longer dereference symbolic links via the `--local`
 +clone mechanism, and will instead refuse to clone repositories that
 +have symbolic links present in the `$GIT_DIR/objects` directory.
 +Additionally, the value of `protocol.file.allow` is changed to be
 +"user" by default.
 +  * CVE-2022-39260:
 +An overly-long command string given to `git shell` can result in
 +overflow in `split_cmdline()`, leading to arbitrary heap writes and
 +remote code execution when `git shell` is exposed and the directory
 +`$HOME/git-shell-commands` exists.
 +`git shell` is taught to refuse interactive commands that are
 +longer than 4MiB in size. `split_cmdline()` is hardened to reject
 +inputs larger than 2GiB.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260
 +(**Security fix**)
 +
 +==== 2022-10-17 ====
 +
 +**glibc-zoneinfo-2022e**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**zlib-1.2.13**:  Upgraded.
 +Fixed a bug when getting a gzip header extra field with inflateGetHeader().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
 +(**Security fix**)
 +
 +**libksba-1.6.2**:  Upgraded.
 +Detect a possible overflow directly in the TLV parser.
 +This patch detects possible integer overflows immmediately when creating
 +the TI object.
 +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
 +(**Security fix**)
 +
 +
 +==== 2022-10-05 ====
 +
 +**dhcp-4.4.3_P1**:  Upgraded.
 +This update fixes two security issues:
 +Corrected a reference count leak that occurs when the server builds
 +responses to leasequery packets.
 +Corrected a memory leak that occurs when unpacking a packet that has an
 +FQDN option (81) that contains a label with length greater than 63 bytes.
 +Thanks to VictorV of Cyber Kunlun Lab for reporting these issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022d**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**dnsmasq-2.87**:  Upgraded.
 +Fix write-after-free error in DHCPv6 server code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
 +(**Security fix**)
 +
 +**ca-certificates-20220922**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**expat-2.4.3**:  Rebuilt.
 +This update fixes a security issue:
 +Heap use-after-free vulnerability in function doContent. Expected impact is
 +denial of service or potentially arbitrary code execution.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
 +(**Security fix**)
 +
 +
 +==== 2022-09-01 ====
 +
 +**curl-7.85.0**:  Upgraded.
 +This update fixes a security issue:
 +control code in cookie denial of service.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-35252.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-08-15 ====
 +
 +**rsync-3.2.5**:  Upgraded.
 +Added some file-list safety checking that helps to ensure that a rogue
 +sending rsync can't add unrequested top-level names and/or include recursive
 +names that should have been excluded by the sender. These extra safety
 +checks only require the receiver rsync to be updated. When dealing with an
 +untrusted sending host, it is safest to copy into a dedicated destination
 +directory for the remote content (i.e. don't copy into a destination
 +directory that contains files that aren't from the remote host unless you
 +trust the remote host).
 +For more information, see:
 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022b**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**zlib-1.2.12**:  Rebuilt.
 +This is a bugfix update.
 +Applied an upstream patch to restore the handling of CRC inputs to be the
 +same as in previous releases of zlib. This fixes an issue with OpenJDK.
 +Thanks to alienBOB.
 +
 +
 +==== 2022-07-10 ====
 +
 +**wavpack-5.5.0**:  Upgraded.
 +WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially
 +crafted DSD file causes an out-of-bounds read exception.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
 +(**Security fix**)
 +
 +==== 2022-06-30 ====
 +
 +**curl-7.84.0**:  Upgraded.
 +This update fixes security issues:
 +Set-Cookie denial of service.
 +HTTP compression denial of service.
 +Unpreserved file permissions.
 +FTP-KRB bad message verification.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-32205.html
 +  * https://curl.se/docs/CVE-2022-32206.html
 +  * https://curl.se/docs/CVE-2022-32207.html
 +  * https://curl.se/docs/CVE-2022-32208.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
 +(**Security fix**)
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +We're sending out the Slackware 14.2 updates again because the package
 +build number wasn't incremented which caused slackpkg to not pick up the
 +updates. It's been bumped and the packages rebuilt - otherwise there are
 +no new changes. Thanks to John Jenkins for the report.
 +For reference, here's the information from the previous advisory:
 +In addition to the c_rehash shell command injection identified in
 +CVE-2022-1292, further circumstances where the c_rehash script does not
 +properly sanitise shell metacharacters to prevent command injection were
 +found by code review.
 +When the CVE-2022-1292 was fixed it was not discovered that there
 +are other places in the script where the file names of certificates
 +being hashed were possibly passed to a command executed through the shell.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220621.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +
 +==== 2022-06-28 ====
 +
 +**ca-certificates-20220622**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +In addition to the c_rehash shell command injection identified in
 +CVE-2022-1292, further circumstances where the c_rehash script does not
 +properly sanitise shell metacharacters to prevent command injection were
 +found by code review.
 +When the CVE-2022-1292 was fixed it was not discovered that there
 +are other places in the script where the file names of certificates
 +being hashed were possibly passed to a command executed through the shell.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220621.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +
 +==== 2022-06-09 ====
 +
 +**httpd-2.4.54**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
 +Information Disclosure in mod_lua with websockets.
 +mod_sed denial of service.
 +Denial of service in mod_lua r:parsebody.
 +Read beyond bounds in ap_strcmp_match().
 +Read beyond bounds via ap_rwrite().
 +Read beyond bounds in mod_isapi.
 +mod_proxy_ajp: Possible request smuggling.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.54
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
 +(**Security fix**)
 +
 +==== 2022-05-26 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed certificate strings comparison for Local authorization.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
 +(**Security fix**)
 +
 +
 +==== 2022-05-11 ====
 +
 +**curl-7.83.1**:  Upgraded.
 +This update fixes security issues:
 +HSTS bypass via trailing dot.
 +TLS and SSH connection too eager reuse.
 +CERTINFO never-ending busy-loop.
 +percent-encoded path separator in URL host.
 +cookie for trailing dot TLD.
 +curl removes wrong file on error.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-30115.html
 +  * https://curl.se/docs/CVE-2022-27782.html
 +  * https://curl.se/docs/CVE-2022-27781.html
 +  * https://curl.se/docs/CVE-2022-27780.html
 +  * https://curl.se/docs/CVE-2022-27779.html
 +  * https://curl.se/docs/CVE-2022-27778.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30115
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27780
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27779
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27778
 +(**Security fix**)
 +
 +==== 2022-05-03 ====
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +Fixed a bug in the c_rehash script which was not properly sanitising shell
 +metacharacters to prevent command injection.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +==== 2022-05-03 ====
 +
 +**libxml2-2.9.14**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Fix integer overflow in xmlBuf and xmlBuffer.
 +Fix potential double-free in xmlXPtrStringRangeFunction.
 +Fix memory leak in xmlFindCharEncodingHandler.
 +Normalize XPath strings in-place.
 +Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars().
 +Fix leak of xmlElementContent.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
 +(**Security fix**)
 +
 +==== 2022-04-02 ====
 +
 +**pidgin-2.12.0**:  Rebuilt.
 +Mitigate the potential for a man in the middle attack via DNS spoofing by
 +removing the code that supported the _xmppconnect DNS TXT record.
 +For more information, see:
 +  * https://www.pidgin.im/about/security/advisories/cve-2022-26491/
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26491
 +(**Security fix**)
 +
 +**xz-5.2.5**:  Rebuilt.
 +This update fixes a regression with the previous package leading to compile
 +failures due to a missing liblzma.la. Thanks to csking.
 +
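Review bot: the `==== 2022-04-02 ====` heading is out of order. It sits between the 2022-05-03 and 2022-04-27 sections in a list that otherwise runs newest first, so the date looks mistyped and should be checked against the upstream ChangeLog. The two consecutive `==== 2022-05-03 ====` headings (openssl, then libxml2) could also be merged into one section, as other dates with several packages are.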
 +==== 2022-04-27 ====
 +
 +**curl-7.83.0**:  Upgraded.
 +This update fixes security issues:
 +OAUTH2 bearer bypass in connection re-use.
 +Credential leak on redirect.
 +Bad local IPv6 connection reuse.
 +Auth/cookie leak on redirect.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-22576.html
 +  * https://curl.se/docs/CVE-2022-27774.html
 +  * https://curl.se/docs/CVE-2022-27775.html
 +  * https://curl.se/docs/CVE-2022-27776.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
 +(**Security fix**)
 +
 +
 +==== 2022-04-15 ====
 +
 +**git-2.30.4**:  Upgraded.
 +This update fixes a security issue where a Git worktree created by another
 +user might be able to execute arbitrary code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
 +(**Security fix**)
 +
 +**gzip-1.12**:  Upgraded.
 +This update fixes a security issue:
 +zgrep applied to a crafted file name with two or more newlines can no
 +longer overwrite an arbitrary, attacker-selected file.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
 +(**Security fix**)
 +
 +**xz-5.2.5**:  Upgraded.
 +This update fixes a security issue:
 +xzgrep applied to a crafted file name with two or more newlines can no
 +longer overwrite an arbitrary, attacker-selected file.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
 +(**Security fix**)
 +
 +**whois-5.5.13**:  Upgraded.
 +This update adds the .sd TLD server, updates the list of new gTLDs, and adds
 +a Turkish translation.
 +
 +==== 2022-04-08 ====
 +
 +**libarchive-3.6.1**:  Upgraded.
 +This is a bugfix and security release.
 +Security fixes:
 +  * 7zip reader: fix PPMD read beyond boundary.
 +  * ZIP reader: fix possible out of bounds read.
 +  * ISO reader: fix possible heap buffer overflow in read_children().
 +  * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0).
 +  * Fix heap use after free in archive_read_format_rar_read_data().
 +  * Fix null dereference in read_data_compressed().
 +  * Fix heap user after free in run_filters().
 +(**Security fix**)
 +
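Review bot: two typos in the libarchive-3.6.1 security list. "RARv4 redaer" should read "RARv4 reader", and "Fix heap user after free in run_filters()" should read "use after free", matching the archive_read_format_rar_read_data() item two lines above it.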
 +**ca-certificates-20220403**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**whois-5.5.12**:  Upgraded.
 +This is a bugfix release. Thanks to Nobby6.
 +
 +**zlib-1.2.12**:  Upgraded.
 +This update fixes memory corruption when deflating (i.e., when compressing)
 +if the input has many distant matches. Thanks to marav.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-03-17 ====
 +
 +**bind-9.11.37**:  Upgraded.
 +This update fixes bugs and the following security issue:
 +The rules for acceptance of records into the cache have been tightened to
 +prevent the possibility of poisoning if forwarders send records outside
 +the configured bailiwick.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
 +(**Security fix**)
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +This update fixes a high severity security issue:
 +The BN_mod_sqrt() function, which computes a modular square root, contains
 +a bug that can cause it to loop forever for non-prime moduli.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220315.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +==== 2022-03-15 ====
 +
 +**httpd-2.4.53**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_sed: Read/write beyond bounds
 +core: Possible buffer overflow with very large or unlimited
 +LimitXMLRequestBody
 +HTTP request smuggling vulnerability
 +mod_lua: Use of uninitialized value in r:parsebody
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.53
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719
 +(**Security fix**)
 +
 +**ca-certificates-20220309**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**expat-2.4.3**:  Rebuilt.
 +This is a bugfix release:
 +Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to
 +all valid URI characters (RFC 3986).
 +
 +==== 2022-03-01 ====
 +
 +**libxml2-2.9.13**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Use-after-free of ID and IDREF attributes
 +(Thanks to Shinji Sato for the report)
 +Use-after-free in xmlXIncludeCopyRange (David Kilzer)
 +Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
 +Fix memory leak in xmlXPathCompNodeTest
 +Fix null pointer deref in xmlStringGetNodeList
 +Fix several memory leaks found by Coverity (David King)
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308
 +(**Security fix**)
 +
 +**libxslt-1.1.35**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Fix use-after-free in xsltApplyTemplates
 +Fix memory leak in xsltDocumentElem (David King)
 +Fix memory leak in xsltCompileIdKeyPattern (David King)
 +Fix double-free with stylesheets containing entity nodes
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560
 +(**Security fix**)
 +
 +**cyrus-sasl-2.1.28**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
 +(**Security fix**)
 +
 +==== 2022-02-22 ====
 +
 +**expat-2.4.3**:  Rebuilt.
 +Fixed a regression introduced by the fix for CVE-2022-25313 that affects
 +applications that (1) call function XML_SetElementDeclHandler and (2) are
 +parsing XML that contains nested element declarations, e.g.
 +  "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"
 +
 +**flac-1.3.4**:  Upgraded.
 +This update fixes overflow issues with encoding and decoding.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561
 +(**Security fix**)
 +
 +==== 2022-02-01 ====
 +
 +**linux-libre-4.4.301**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +announced i915 issue that could lead to user-space gaining access to random
 +memory pages (CVE-2022-0330).
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * https://seclists.org/oss-sec/2022/q1/81
 +  Fixed in 4.4.277:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38204
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3679
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37576
 +  Fixed in 4.4.278:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0920
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781
 +  Fixed in 4.4.281:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38205
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3732
 +  Fixed in 4.4.282:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3653
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42008
 +  Fixed in 4.4.283:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3753
 +  Fixed in 4.4.284:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40490
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3702
 +  Fixed in 4.4.285:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20320
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3655
 +  Fixed in 4.4.288:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4203
 +  Fixed in 4.4.289:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29374
 +  Fixed in 4.4.290:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3896
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20321
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3760
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389
 +  Fixed in 4.4.291:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772
 +  Fixed in 4.4.292:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37159
 +  Fixed in 4.4.293:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4202
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3752
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3640
 +  Fixed in 4.4.294:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4002
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
 +  Fixed in 4.4.295:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39685
 +  Fixed in 4.4.296:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28713
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28711
 +  Fixed in 4.4.299:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45095
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155
 +  Fixed in 4.4.300:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43976
 +  Fixed in 4.4.301:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330
 +(**Security fix**)
 +
 +
 +==== 2022-01-27 ====
 +**expat-2.4.3**:  Rebuilt.
 +Prevent integer overflow in doProlog.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990
 +(**Security fix**)
 +
 +==== 2022-01-26 ====
 +**polkit-0.113**:  Rebuilt.
 +[PATCH] pkexec: local privilege escalation.
 +Thanks to Qualys Research Labs for reporting this issue.
 +For more information, see:
 +  * https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
 +(**Security fix**)
 +
 +==== 2022-01-25 ====
 +
 +**expat-2.4.3**:  Rebuilt.
 +Fix signed integer overflow in function XML_GetBuffer for when
 +XML_CONTEXT_BYTES is defined to >0 (which is both common and
 +default). Impact is denial of service or other undefined behavior.
 +While we're here, also patch a memory leak on output file opening error.
 +Thanks to marav.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
 +(**Security fix**)
 +
 +==== 2022-01-19 ====
 +**wpa_supplicant-2.9**:  Rebuilt.
 +This update contains patches for these security issues:
 +The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant
 +before 2.10 are vulnerable to side-channel attacks as a result of cache
 +access patterns.
 +NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23303
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23304
 +(**Security fix**)
 +
 +==== 2022-01-16 ====
 +**expat-2.4.3**:  Upgraded.
 +Fix issues with left shifts by >=29 places resulting in:
 +  a) realloc acting as free
 +  b) realloc allocating too few bytes
 +  c) undefined behavior
 +Fix integer overflow on variable m_groupSize in function doProlog leading
 +to realloc acting as free. Impact is denial of service or other undefined
 +behavior.
 +Prevent integer overflows near memory allocation at multiple places.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
 +(**Security fix**)
 +
 +
 +==== 2021-12-29 ====
 +
 +**wpa_supplicant-2.9**:  Upgraded.
 +This update fixes the following security issues:
 +AP mode PMF disconnection protection bypass.
 +UPnP SUBSCRIBE misbehavior in hostapd WPS AP.
 +P2P group information processing vulnerability.
 +P2P provision discovery processing vulnerability.
 +ASN.1: Validate DigestAlgorithmIdentifier parameters.
 +Flush pending control interface message for an interface to be removed.
 +These issues could result in a denial-of-service, privilege escalation,
 +arbitrary code execution, or other unexpected behavior.
 +Thanks to nobodino for pointing out the patches.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0326
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0535
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16275
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30004
 +(**Security fix**)
 +
 +==== 2021-12-20 ====
 +
 +**httpd-2.4.52**:  Upgraded.
 +SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
 +multipart content in mod_lua of Apache HTTP Server 2.4.51 and
 +earlier (cve.mitre.org)
 +A carefully crafted request body can cause a buffer overflow in
 +the mod_lua multipart parser (r:parsebody() called from Lua
 +scripts).
 +The Apache httpd team is not aware of an exploit for the
 +vulnerabilty though it might be possible to craft one.
 +This issue affects Apache HTTP Server 2.4.51 and earlier.
 +Credits: Chamal
 +SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
 +forward proxy configurations in Apache HTTP Server 2.4.51 and
 +earlier (cve.mitre.org)
 +A crafted URI sent to httpd configured as a forward proxy
 +(ProxyRequests on) can cause a crash (NULL pointer dereference)
 +or, for configurations mixing forward and reverse proxy
 +declarations, can allow for requests to be directed to a
 +declared Unix Domain Socket endpoint (Server Side Request
 +Forgery).
 +This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
 +(included).
 +Credits: ae 1/4*a-o(R)e 1/4
 +TengMA(@Te3t123)
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224
 +(**Security fix**)
 +
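Review bot: in the httpd-2.4.52 entry, the second "Credits:" line (`ae 1/4*a-o(R)e 1/4`) is mis-encoded. The reporter's name was evidently non-ASCII and has been mangled, so restore it from the upstream ChangeLog and save the page as UTF-8. In the same entry, "vulnerabilty" should be "vulnerability".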
 +**ca-certificates-20211216**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +
 +==== 2021-12-16 ====
 +
 +**xorg-server-1.18.3**:  Rebuilt.
 +Fixes for multiple input validation failures in X server extensions:
 +render: Fix out of bounds access in SProcRenderCompositeGlyphs()
 +xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4008
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4009
 +(**Security fix**)
 +
 +**xorg-server-xephyr-1.18.3**:  Rebuilt.
 +
 +**xorg-server-xnest-1.18.3**:  Rebuilt.
 +
 +**xorg-server-xvfb-1.18.3**:  Rebuilt.
 +
 +==== 2021-12-03 ====
 +
 +**mozilla-nss-3.40.1**:  Rebuilt.
 +This update fixes a critical security issue:
 +NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are
 +vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS
 +signatures. Applications using NSS for handling signatures encoded within
 +CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications
 +using NSS for certificate validation or other TLS, X.509, OCSP or CRL
 +functionality may be impacted, depending on how they configure NSS.
 +Note: This vulnerability does NOT impact Mozilla Firefox. However, email
 +clients and PDF viewers that use NSS for signature verification, such as
 +Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted.
 +Thanks to Tavis Ormandy of Google Project Zero.
 +For more information, see:
 +  * https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527
 +(**Security fix**)
 +
 +**mailx-12.5**:  Rebuilt.
 +Patched a bug where Heirloom mailx produces a "Date:" header that is
 +incorrect when the system is in the Europe/Dublin timezone (email appears
 +to have been sent 2 hours earlier).
 +Thanks to Andrea Biardi.
 +
 +==== 2021-10-28 ====
 +
 +**bind-9.11.36**:  Upgraded.
 +This update fixes bugs and the following security issue:
 +The "lame-ttl" option is now forcibly set to 0. This effectively disables
 +the lame server cache, as it could previously be abused by an attacker to
 +significantly degrade resolver performance.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25219
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2021e**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2021-10-10 ====
 +
 +**httpd-2.4.51**:  Upgraded.
 +SECURITY: CVE-2021-42013: Path Traversal and Remote Code
 +Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
 +fix of CVE-2021-41773) (cve.mitre.org)
 +It was found that the fix for CVE-2021-41773 in Apache HTTP
 +Server 2.4.50 was insufficient.  An attacker could use a path
 +traversal attack to map URLs to files outside the directories
 +configured by Alias-like directives.
 +If files outside of these directories are not protected by the
 +usual default configuration "require all denied", these requests
 +can succeed. If CGI scripts are also enabled for these aliased
 +pathes, this could allow for remote code execution.
 +This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
 +earlier versions.
 +Credits: Reported by Juan Escobar from Dreamlab Technologies,
 +Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
 +(**Security fix**)
 +
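Review bot: the Credits line of the httpd-2.4.51 entry has encoding damage. "Fernando MuA+-oz" contains a mangled non-ASCII character and should be restored from the upstream ChangeLog. In the same entry, "aliased pathes" should read "aliased paths".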
 +==== 2021-10-05 ====
 +
 +**httpd-2.4.50**:  Upgraded.
 +This release contains security fixes and improvements.
 +Fixed null pointer dereference in h2 fuzzing.
 +Fixed path traversal and file disclosure vulnerability.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
 +(**Security fix**)
 +
 +**ca-certificates-20211005**  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +Don't install /etc/ca-certificates.conf as a .new file - it's an auto-
 +generated list that will just end up suffering a mismatch with the files
 +included in the package. Thanks to Weber Kai.
 +
 +**glibc-zoneinfo-2021**  Upgraded.
 +This package provides the latest timezone updates.
 +
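Review bot: `**ca-certificates-20211005**` and `**glibc-zoneinfo-2021**` are missing the colon that every other package line has after the bold name (`**name-version**:  Upgraded.`). The glibc-zoneinfo version also lacks its release letter, unlike `glibc-zoneinfo-2021e` in the 2021-10-28 section, so confirm which timezone release this entry refers to.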
 +==== 2021-09-21 ====
 +
 +**alpine-2.25**:  Upgraded.
 +Fixed a denial-of-service security issue where untagged responses from an
 +IMAP server are accepted before STARTTLS.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38370
 +(**Security fix**)
 +
 +==== 2021-09-17 ====
 +
 +**httpd-2.4.49**:  Upgraded.
 +This release contains security fixes and improvements.
 +mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
 +core: ap_escape_quotes buffer overflow
 +mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
 +core: null pointer dereference on malformed request
 +mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193
 +(**Security fix**)
 +
 +==== 2021-09-16 ====
 +
 +**curl-7.79.0**:  Upgraded.
 +This update fixes security issues:
 +clear the leftovers pointer when sending succeeds.
 +do not ignore --ssl-reqd.
 +reject STARTTLS server response pipelining.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
 +(**Security fix**)
 +
 +==== 2021-09-01 ====
 +
 +**ntfs-3g-2021.8.22**:  Upgraded.
 +Shared library .so-version bump.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33285
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35269
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35268
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33289
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33286
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35266
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33287
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35267
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39251
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39252
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39253
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39254
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39255
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39256
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39257
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39258
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39259
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39260
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39261
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39262
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39263
 +(**Security fix**)
 +
 +==== 2021-07-21 ====
 +
 +**curl-7.78.0**:  Upgraded.
 +This update fixes security issues:
 +CURLOPT_SSLCERT mixup with Secure Transport
 +TELNET stack contents disclosure again
 +Bad connection reuse due to flawed path name checks
 +Metalink download sends credentials
 +Wrong content via metalink not discarded
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22926
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22925
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22923
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
 +(**Security fix**)
 +
 +**linux-libre**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +announced local privilege escalation vulnerability in the filesystem layer
 +(CVE-2021-33909).
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
 +Fixed in 4.4.262:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19060
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19061
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28660
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20261
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29265
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16232
 +Fixed in 4.4.263:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28972
 +Fixed in 4.4.264:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688
 +Fixed in 4.4.265:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3483
 +Fixed in 4.4.266:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
 +Fixed in 4.4.267:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25673
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671
 +Fixed in 4.4.269:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0605
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
 +Fixed in 4.4.270:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0129
 +Fixed in 4.4.271:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
 +Fixed in 4.4.272:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3564
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3573
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3587
 +Fixed in 4.4.274:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34693
 +Fixed in 4.4.276:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909
 +(**Security fix**)
 +
 +==== 2021-06-07 ====
 +
 +**httpd-2.4.48**:  Upgraded.
 +This release contains security fixes and improvements.
 +mod_http2: Fix a potential NULL pointer dereference.
 +Unexpected <Location> section matching with 'MergeSlashes OFF'.
 +mod_auth_digest: possible stack overflow by one nul byte while validating
 +the Digest nonce.
 +mod_session: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service with a malicious backend
 +server and SessionHeader.
 +mod_session: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service.
 +mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service.
 +mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
 +negotiation.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567
 +(**Security fix**)
 +
 +**libX11-1.7.2**:  Upgraded.
 +This is a bug fix release, correcting a regression introduced by and
 +improving the checks from the fix for CVE-2021-31535.
 +
 +**polkit-0.113**:  Rebuilt.
 +This update includes a mitigation for local privilege escalation using
 +polkit_system_bus_name_get_creds_sync().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
 +(**Security fix**)
 +
 +**dhcp-4.4.2_P1**:  Upgraded.
 +This update fixes a security issue:
 +Corrected a buffer overwrite possible when parsing hexadecimal
 +literals with more than 1024 octets. Reported by Jon Franklin from Dell,
 +and also by Pawel Wieczorkiewicz from Amazon Web Services. [Gitlab #182]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217
 +(**Security fix**)
 +
 +==== 2021-05-26 ====
 +
 +**ca-certificates-20210526**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-7.77.0**:  Upgraded.
 +This update fixes security issues:
 +schannel cipher selection surprise
 +TELNET stack contents disclosure
 +TLS session caching disaster
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22297
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22298
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22901
 +(**Security fix**)
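Review bot: the first two CVE links in the curl-7.77.0 entry (CVE-2021-22297 and CVE-2021-22298) do not fit the numbering of the other curl CVEs on this page, which all fall between CVE-2021-22876 and CVE-2021-22926 (including CVE-2021-22901 in this same entry), so they look like mistyped digits. Please check both IDs against the curl 7.77.0 advisories for "schannel cipher selection surprise" and "TELNET stack contents disclosure" and correct the URLs if they resolve to unrelated records.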
 +
 +==== 2021-05-25 ====
 +
 +**gnutls-3.6.16**:  Upgraded.
 +Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle.
 +In GnuTLS, as long as it is built and linked against the fixed version of
 +Nettle, this only affects GOST curves.  [CVE-2021-20305]
 +Fixed potential use-after-free in sending "key_share" and "pre_shared_key"
 +extensions. When sending those extensions, the client may dereference a
 +pointer no longer valid after realloc. This happens only when the client
 +sends a large Client Hello message, e.g., when HRR is sent in a resumed
 +session previously negotiated large FFDHE parameters, because the initial
 +allocation of the buffer is large enough without having to call realloc
 +(#1151).  [GNUTLS-SA-2021-03-10, CVSS: low]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20305
 +(**Security fix**)
 +
 +==== 2021-05-23 ====
 +
 +**expat-2.4.1**:  Upgraded.
 +This update provides new mitigations against the "billion laughs" denial
 +of service attack.
 +For more information, see:
 +  * https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0340
 +(**Security fix**)
 +
 +==== 2021-05-19 ====
 +
 +**libX11-1.7.1**:  Upgraded.
 +This update fixes missing request length checks in libX11 that can lead to
 +the emission of extra X protocol requests to the X server.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2021-May/003088.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535
 +(**Security fix**)
 +
 +==== 2021-05-15 ====
 +
 +**libxml2-2.9.12**:  Upgraded.
 +This update fixes a denial-of-service security issue.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3541
 +(**Security fix**)
 +
 +==== 2021-04-29 ====
 +
 +**bind-9.11.31**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +A specially crafted GSS-TSIG query could cause a buffer overflow in the
 +ISC implementation of SPNEGO.
 +named crashed when a DNAME record placed in the ANSWER section during DNAME
 +chasing turned out to be the final answer to a client query.
 +Insufficient IXFR checks could result in named serving a zone without an SOA
 +record at the apex, leading to a RUNTIME_CHECK assertion failure when the
 +zone was subsequently refreshed. This has been fixed by adding an owner name
 +check for all SOA records which are included in a zone transfer.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25216
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214
 +(**Security fix**)
 +
 +==== 2021-04-12 ====
 +
 +**dnsmasq-2.85**:  Upgraded.
 +Use random source ports where possible if source addresses/interfaces in use.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3448
 +(**Security fix**)
 +
 +**irssi-1.2.3**:  Upgraded.
 +This update fixes bugs and security issues.
 +See the NEWS file for details.
 +(**Security fix**)
 +
 +==== 2021-03-31 ====
 +
 +**curl-7.76.0**:  Upgraded.
 +This update fixes security issues:
 +Authentication Bypass by Spoofing.
 +Exposure of Private Personal Information to an Unauthorized Actor.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
 +(**Security fix**)
 +
 +==== 2021-03-28 ====
 +
 +**xterm-367**:  Upgraded.
 +This update fixes a security issue:
 +xterm before Patch #366 allows remote attackers to execute arbitrary code or
 +cause a denial of service (segmentation fault) via a crafted UTF-8 combining
 +character sequence.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135
 +(**Security fix**)
 +
 +==== 2021-03-14 ====
 +
 +**linux-libre-*-4.4.261**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +announced iSCSI vulnerabilities allowing local privilege escalation.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27363
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27364
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27365
 +(**Security fix**)
 +
 +**git-2.17.6**:  Upgraded.
 +This update fixes a security issue:
 +On case-insensitive file systems with support for symbolic links, if Git is
 +configured globally to apply delay-capable clean/smudge filters (such as Git
 +LFS), Git could be fooled into running remote code during a clone. Credit for
 +finding and fixing this vulnerability goes to Matheus Tavares, helped by
 +Johannes Schindelin.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300
 +(**Security fix**)
 +
 +**ca-certificates-20210308**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2021-02-09 ====
 +
 +**dnsmasq-2.84**:  Upgraded.
 +This update fixes bugs and remotely exploitable security issues:
 +  * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers.
 +  * Fix a remote buffer overflow problem in the DNSSEC code. Any  dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,  referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,  CVE-2020-25687.
 +  * Be sure to only accept UDP DNS query replies at the address  from which the query was originated. This keeps as much entropy  in the {query-ID, random-port} tuple as possible, to help defeat  cache poisoning attacks. Refer: CVE-2020-25684.
 +  * Use the SHA-256 hash function to verify that DNS answers  received are for the questions originally asked. This replaces  the slightly insecure SHA-1 (when compiled with DNSSEC) or  the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
 +  * Handle multiple identical near simultaneous DNS queries better.  Previously, such queries would all be forwarded  independently. This is, in theory, inefficent but in practise  not a problem, _except_ that is means that an answer for any  of the forwarded queries will be accepted and cached.  An attacker can send a query multiple times, and for each repeat,  another {port, ID} becomes capable of accepting the answer he is  sending in the blind, to random IDs and ports. The chance of a  succesful attack is therefore multiplied by the number of repeats  of the query. The new behaviour detects repeated queries and  merely stores the clients sending repeats so that when the  first query completes, the answer can be sent to all the  clients who asked. Refer: CVE-2020-25686.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687
 +(**Security fix**)
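Review bot: the CVE-2020-25686 bullet in the dnsmasq-2.84 entry has spelling errors ("inefficent", "succesful", "that is means"), and all the bullets after the first contain runs of double spaces left over from re-wrapping the upstream text. If this wiki copy is meant to be read rather than mirrored verbatim, fix the spelling and collapse the double spaces; otherwise say that the text is quoted as-is from upstream.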
 +
 +
 +==== 2021-01-26 ====
 +
 +**sudo-1.9.5p2**:  Upgraded.
 +When invoked as sudoedit, the same set of command line options
 +are now accepted as for "sudo -e". The -H and -P options are
 +now rejected for sudoedit and "sudo -e" which matches the sudo
 +1.7 behavior. This is part of the fix for CVE-2021-3156.
 +Fixed a potential buffer overflow when unescaping backslashes
 +in the command's arguments. Normally, sudo escapes special
 +characters when running a command via a shell (sudo -s or sudo
 +-i). However, it was also possible to run sudoedit with the -s
 +or -i flags in which case no escaping had actually been done,
 +making a buffer overflow possible. This fixes CVE-2021-3156.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2021a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +
 +==== 2021-01-14 ====
 +
 +**wavpack-5.4.0**:  Upgraded.
 +WavPack 5.4.0 fixes an issue where a specially crafted WAV file could cause
 +the wavpack command-line program to crash with an out-of-bounds write.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35738
 +(**Security fix**)
 +
 +**xscreensaver-5.45**:  Upgraded.
 +Here's an upgrade to the latest xscreensaver.
 +Thanks to drumz for the compile fix.
 +
 +**sudo-1.9.5p1**:  Upgraded.
 +Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit
 +was set-user-ID root unless SELinux RBAC was in use. The editor is now run
 +with the user's real and effective user-IDs.
 +
 +
 +==== 2021-01-11 ====
 +
 +**sudo-1.9.5**:  Upgraded.
 +This update fixes security issues:
 +Potential information leak in sudoedit that could be used to test for
 +the existence of directories not normally accessible to the user.
 +Flaw in the temporary file handling of sudoedit's SELinux RBAC support.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23239
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23240
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2020f**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**ca-certificates-20201219**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2020-12-12 ====
 +
 +**p11-kit-0.23.22**:  Upgraded.
 +Fix memory-safety issues that affect the RPC protocol.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29361
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29362
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29363
 +(**Security fix**)
 +
 +==== 2020-12-09 ====
 +
 +**curl-7.74.0**:  Upgraded.
 +This release includes the following security related bugfixes:
 +  * Inferior OCSP verification [93]
 +  * FTP wildcard stack overflow [95]
 +  * Trusting FTP PASV responses [97]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8286
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8285
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8284
 +(**Security fix**)
 +
 +==== 2020-11-28 ====
 +
 +**bind-9.11.25**:  Upgraded.
 +This update fixes bugs, including a denial-of-service security issue:
 +After a Negative Trust Anchor (NTA) is added, BIND performs periodic
 +checks to see if it is still necessary. If BIND encountered a failure
 +while creating a query to perform such a check, it attempted to
 +dereference a NULL pointer, resulting in a crash. [GL #2244]
 +(**Security fix**)
 +
 +==== 2020-11-25 ====
 +
 +**mutt-1.10.1**:  Rebuilt.
 +Mutt had incorrect error handling when initially connecting to an IMAP
 +server, which could result in an attempt to authenticate without enabling TLS.
 +For more information, see:
 +  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
 +(**Security fix**)
 +
 +**ca-certificates-20201105**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**glibc-zoneinfo-2020d**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**linux-libre-*-4.4.240**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +discovered "Bleeding Tooth" vulnerability in the Bluetooth subsystem
 +(CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490).
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.228:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20810
 +Fixed in 4.4.229:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12771
 +Fixed in 4.4.230:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15393
 +Fixed in 4.4.232:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10323
 +Fixed in 4.4.233:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26088
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19054
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25212
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9445
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8043
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16166
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14331
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19448
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19074
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19073
 +Fixed in 4.4.234:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314
 +Fixed in 4.4.236:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25285
 +Fixed in 4.4.237:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14390
 +Fixed in 4.4.238:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25643
 +Fixed in 4.4.239:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25211
 +Fixed in 4.4.240:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12351
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12352
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24490
 +(**Security fix**)
 +
 +==== 2020-10-20 ====
 +
 +**freetype-2.6.3**:  Rebuilt.
 +Fix heap buffer overflow in embedded PNG bitmap handling.
 +For more information, see
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2020c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**ca-certificates-20201016**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**rust-1.46.0**:  Upgraded.
 +
 +==== 2020-09-23 ====
 +
 +**linux-libre-image-4.4.27**: Removed (FXP). From now on, custom kernels will be distributed via Web.
 +
 +**xonotic-0.8.2**: Removed (FXP). This low-quality package will be refactored before coming back.
 +
 +==== 2020-09-18 ====
 +
 +**avahi-0.7**: Added (FXP)
 +
 +**libdaemon-0.14**: Added (FXP)
 +
 +**libreoffice-6.2.8.2**: Rebuilt (FXP). Run ''freepkg ir avahi'' and then ''freepkg u libreoffice'' to upgrade.
 +
 +==== 2020-09-05 ====
 +
 +**gnutls-3.6.15**:  Upgraded.
 +libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing,
 +which could lead to an application crash.
 +[GNUTLS-SA-2020-09-04, CVSS: medium]
 +(**Security fix**)
 +
 +==== 2020-08-21 ====
 +
 +**bind-9.11.22**:  Upgraded.
 +This update fixes three security issues:
 +"update-policy" rules of type "subdomain" were incorrectly treated as
 +"zonesub" rules, which allowed keys used in "subdomain" rules to update
 +names outside of the specified subdomains. The problem was fixed by making
 +sure "subdomain" rules are again processed as described in the ARM.
 +When BIND 9 was compiled with native PKCS#11 support, it was possible to
 +trigger an assertion failure in code determining the number of bits in the
 +PKCS#11 RSA public key with a specially crafted packet.
 +It was possible to trigger an assertion failure when verifying the response
 +to a TSIG-signed request.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2020-8624
 +  * https://kb.isc.org/docs/cve-2020-8623
 +  * https://kb.isc.org/docs/cve-2020-8622
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8624
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8623
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8622
 +(**Security fix**)
 +
 +==== 2020-08-19 ====
 +
 +**curl-7.72.0**:  Upgraded.
 +This update fixes a security issue:
 +libcurl: wrong connect-only connection [98]
 +For more information, see:
 +  * https://curl.haxx.se/docs/CVE-2020-8231.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8231
 +(**Security fix**)
 +
 +**httpd-2.4.46**:  Upgraded.
 +This is the latest release from the Apache HTTP Server 2.4.x stable branch.
 +
 +==== 2020-07-23 ====
 +
 +**libreoffice-6.2.8.2**: Upgraded (FXP). The full collection of language packs and help packs is not supplied, but they can be installed via libreoffice extension manager.
 +
 +==== 2020-07-06 ====
 +
 +**libvorbis-1.3.7**:  Upgraded.
 +Fix out-of-bounds read encoding very low sample rates.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10393
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
 +(**Security fix**)
 +
 +**ca-certificates-20200630**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2020-06-24 ====
 +
 +**curl-7.71.0**:  Upgraded.
 +This update fixes security issues:
 +curl overwrite local file with -J [111]
 +Partial password leak over DNS on HTTP redirect [48]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8177
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8169
 +(**Security fix**)
 +
 +**libjpeg-turbo-2.0.5**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
 +TJBench, or the `tjLoadImage()` function if one of the values in a binary
 +PPM/PGM input file exceeded the maximum value defined in the file's header
 +and that maximum value was less than 255.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13790
 +(**Security fix**)
 +
 +==== 2020-06-23 ====
 +
 +**ntp-4.2.8p15**:  Upgraded.
 +This release fixes one vulnerability: Associations that use CMAC
 +authentication between ntpd from versions 4.2.8p11/4.3.97 and
 +4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
 +Eventually, ntpd will run out of memory and abort.
 +(**Security fix**)
 +
 +**sudo-1.8.31p2**:  Upgraded.
 +This is a bugfix release. For more information, see:
 +  * https://www.sudo.ws/legacy.html#1.8.31p2
 +
 +==== 2020-06-18 ====
 +
 +**bind-9.11.20**:  Upgraded.
 +This update fixes a security issue:
 +It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with
 +a particular zone content and query patterns.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2020-8619
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8619
 +(**Security fix**)
 +
 +==== 2020-06-14 ====
 +
 +**R-4.0.1**: upgraded (FXP).
 +
 +**pcre2-10.35**: added (FXP) as a new requirement for R.
 +
 +**fuse-exfat-1.3.0**: added (FXP).
 +
 +**linux-libre-*-4.4.227**:  Upgraded.
 +These updates fix various bugs and security issues, including a mitigation
 +for SRBDS (Special Register Buffer Data Sampling). SRBDS is an MDS-like
 +speculative side channel that can leak bits from the random number generator
 +(RNG) across cores and threads.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.218:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11668
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11608
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11609
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942
 +Fixed in 4.4.219:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11494
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11565
 +Fixed in 4.4.220:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826
 +Fixed in 4.4.221:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19319
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12464
 +Fixed in 4.4.222:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751
 +Fixed in 4.4.224:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10711
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12769
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10690
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13143
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19768
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12770
 +Fixed in 4.4.225:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9517
 +Fixed in 4.4.226:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10732
 +Fixed in 4.4.227:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543
 +(**Security fix**)
 +
 +**gnutls-3.6.14**:  Upgraded.
 +Fixed insecure session ticket key construction, since 3.6.4. The TLS server
 +would not bind the session ticket encryption key with a value supplied by
 +the application until the initial key rotation, allowing attacker to bypass
 +authentication in TLS 1.3 and recover previous conversations in TLS 1.2.
 +[GNUTLS-SA-2020-06-03, CVSS: high]
 +(**Security fix**)
 +
 +**ca-certificates-20200602**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**proftpd-1.3.6d**:  Upgraded.
 +This is a bugfix release:
 +Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
 +
 +==== 2020-05-19 ====
 +
 +**bind-9.11.19**:  Upgraded.
 +This update fixes security issues:
 +A malicious actor who intentionally exploits the lack of effective
 +limitation on the number of fetches performed when processing referrals
 +can, through the use of specially crafted referrals, cause a recursing
 +server to issue a very large number of fetches in an attempt to process
 +the referral. This has at least two potential effects: The performance of
 +the recursing server can potentially be degraded by the additional work
 +required to perform these fetches, and the attacker can exploit this
 +behavior to use the recursing server as a reflector in a reflection attack
 +with a high amplification factor.
 +Replaying a TSIG BADTIME response as a request could trigger an assertion
 +failure.
 +For more information, see:
 +  * https://kb.isc.org/docs/cve-2020-8616
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
 +  * https://kb.isc.org/docs/cve-2020-8617
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617
 +(**Security fix**)
 +
 +**libexif-0.6.22**:  Upgraded.
 +This update fixes bugs and security issues:
 +  * CVE-2018-20030: Fix for recursion DoS
 +  * CVE-2020-13114: Time consumption DoS when parsing canon array markers
 +  * CVE-2020-13113: Potential use of uninitialized memory
 +  * CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
 +  * CVE-2020-0093:  read overflow
 +  * CVE-2019-9278:  replaced integer overflow checks the compiler could optimize away by safer constructs
 +  * CVE-2020-12767: fixed division by zero
 +  * CVE-2016-6328:  fixed integer overflow when parsing maker notes
 +  * CVE-2017-7544:  fixed buffer overread
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
 +(**Security fix**)
 +
 +==== 2020-05-18 ====
 +
 +**sane-1.0.30**:  Upgraded.
 +This update fixes several security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2020a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2020-04-21 ====
 +
 +**git-2.17.5**:  Upgraded.
 +This update fixes a security issue:
 +With a crafted URL that contains a newline or empty host, or lacks
 +a scheme, the credential helper machinery can be fooled into
 +providing credential information that is not appropriate for the
 +protocol in use and host being contacted.
 +Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
 +credentials are not for a host of the attacker's choosing; instead,
 +they are for some unspecified host (based on how the configured
 +credential helper handles an absent "host" parameter).
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008
 +(**Security fix**)
 +
 +==== 2020-04-17 ====
 +
 +**openvpn-2.4.9**:  Upgraded.
 +This update fixes a security issue:
 +Fix illegal client float. Thanks to Lev Stipakov.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810
 +(**Security fix**)
 +
 +==== 2020-04-15 ====
 +
 +**bind-9.11.18**:  Upgraded.
 +This update fixes a security issue:
 +DNS rebinding protection was ineffective when BIND 9 is configured as a
 +forwarding DNS server. Found and responsibly reported by Tobias Klein.
 +[GL #1574]
 +(**Security fix**)
 +
 +==== 2020-04-14 ====
 +
 +**git-2.17.4**:  Upgraded.
 +This update fixes a security issue:
 +With a crafted URL that contains a newline in it, the credential helper
 +machinery can be fooled to give credential information for a wrong host.
 +The attack has been made impossible by forbidding a newline character in
 +any value passed via the credential protocol. Credit for finding the
 +vulnerability goes to Felix Wilhelm of Google Project Zero.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260
 +(**Security fix**)
 +
 +==== 2020-03-31 ====
 +
 +**gnutls-3.6.13**:  Upgraded.
 +This update fixes a security issue:
 +libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support),
 +since 3.6.3. The DTLS client would not contribute any randomness to the
 +DTLS negotiation, breaking the security guarantees of the DTLS protocol.
 +[GNUTLS-SA-2020-03-31, CVSS: high]
 +(**Security fix**)
 +
 +**httpd-2.4.43**:  Upgraded.
 +This release contains security fixes (since 2.4.39) and improvements.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10097
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
 +(**Security fix**)
 +
 +
 +==== 2020-03-27 ====
 +
 +**linux-libre-*-4.4.217**:  Upgraded.
 +These updates fix various bugs and security issues.
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +
 +Fixed in 4.4.209:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19965
 +Fixed in 4.4.210:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19068
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14615
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14895
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19056
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19066
 +Fixed in 4.4.211:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21008
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15220
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5108
 +Fixed in 4.4.212:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14896
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14897
 +Fixed in 4.4.215:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9383
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2732
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16233
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0009
 +Fixed in 4.4.216:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11487
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8647
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8649
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16234
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648
 +Fixed in 4.4.217:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14901
 +(**Security fix**)
 +
 +==== 2020-03-23 ====
 +
 +**gd-2.3.0**:  Upgraded.
 +This update fixes bugs and security issues:
 +  * Potential double-free in gdImage*Ptr().
 +  * gdImageColorMatch() out of bounds write on heap.
 +  * Uninitialized read in gdImageCreateFromXbm().
 +  * Double-free in gdImageBmp.
 +  * Potential NULL pointer dereference in gdImageClone().
 +  * Potential infinite loop in gdImageCreateFromGifCtx().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000222
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14553
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
 +(**Security fix**)
 +
 +**NetworkManager-1.8.4**:  Rebuilt.
 +Recompiled to get PPP working again with the new pppd. Thanks to longus.
 +
 +**sudo-1.8.31p1**:  Upgraded.
 +This is a bugfix release:
 +Sudo once again ignores a failure to restore the RLIMIT_CORE resource limit,
 +as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE
 +to be set back to RLIM_INFINITY if we set the limit to zero, even for root,
 +which resulted in a warning from sudo.
 +
 +**rp-pppoe-3.13**:  Upgraded.
 +This needed a rebuild for ppp-2.4.8. Thanks to regdub.
  
 ==== 2020-03-04 ==== ==== 2020-03-04 ====
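Review bot: the bind-9.11.18 (2020-04-15) and gnutls-3.6.13 (2020-03-31) entries are marked (**Security fix**) but, unlike the git, openvpn, httpd and gd entries around them, carry no "For more information, see:" list; they give only the bracketed identifiers [GL #1574] and [GNUTLS-SA-2020-03-31, CVSS: high]. If upstream published a CVE record or advisory URL for either fix, add it in the same bulleted form so a reader triaging the update can follow it up. Two layout points: in the linux-libre-*-4.4.217 entry a blank line separates "For more information, see:" from the "Fixed in 4.4.209:" list, and the httpd-2.4.43 entry is followed by two blank lines where the neighbouring entries use one.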
changelog_14.2.1583369293.txt.gz · Last modified: 2020/03/04 19:48 by connie