changelog_14.2

Differences

This shows you the differences between two versions of the page.

changelog_14.2 [2023/02/16 16:09] connie
changelog_14.2 [2023/12/23 13:40] (current) – [2023-12-20] connie
Line 2: Line 2:
  
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
 +
 +
 +==== 2023-12-23 ====
 +
 +**proftpd-1.3.8b**:  Upgraded.
 +This update fixes a security issue:
 +mod_sftp: implemented mitigations for "Terrapin" SSH attack.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +(**Security fix**)
 +
 +
 +==== 2023-12-20 ====
 +
 +**libssh-0.10.6**:  Upgraded.
 +This update fixes security issues:
 +Command injection using proxycommand.
 +Potential downgrade attack using strict kex.
 +Missing checks for return values of MD functions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6004
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6918
 +(**Security fix**)
 +
 +**sudo-1.9.15p4**:  Upgraded.
 +This is a bugfix release.
 +
 +**libxml2-2.11.6**:  Upgraded.
 +We're going to drop back to the 2.11 branch here on the stable releases
 +since it has all of the relevant security fixes and better compatibility.
 +
 +**sudo-1.9.15p3**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-12-13 ====
 +
 +**libxml2-2.12.3**:  Upgraded.
 +This update addresses regressions when building against libxml2 that were
 +due to header file refactoring.
 +
 +**libxml2-2.12.2**:  Upgraded.
 +Add --sysconfdir=/etc option so that this can find the xml catalog.
 +Thanks to SpiderTux.
 +Fix the following security issues:
 +Fix integer overflows with XML_PARSE_HUGE.
 +Fix dict corruption caused by entity reference cycles.
 +Hashing of empty dict strings isn't deterministic.
 +Fix null deref in xmlSchemaFixupComplexType.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40303
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40304
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29469
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28484
 +(**Security fix**)
 +
 +**ca-certificates-20231117**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.9.15p1**:  Upgraded.
 +This is a bugfix release:
 +Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
 +from being able to read the ldap.conf file.
 +
 +==== 2023-11-08 ====
 +
 +**sudo-1.9.15**:  Upgraded.
 +The sudoers plugin has been modified to make it more resilient to ROWHAMMER
 +attacks on authentication and policy matching.
 +The sudoers plugin now constructs the user time stamp file path name using
 +the user-ID instead of the user name. This avoids a potential problem with
 +user names that contain a path separator ('/') being interpreted as part of
 +the path name.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42465
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42456
 +(**Security fix**)
 +
 +
 +==== 2023-10-20 ====
 +
 +**httpd-2.4.58**:  Upgraded.
 +This update fixes bugs and security issues:
 +moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed
 +right away on RST.
 +low: mod_macro buffer over-read.
 +low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.58
 +  * https://www.cve.org/CVERecord?id=CVE-2023-45802
 +  * https://www.cve.org/CVERecord?id=CVE-2023-31122
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43622
 +(**Security fix**)
 +
 +==== 2023-10-16 ====
 +
 +**curl-8.4.0**:  Upgraded.
 +This update fixes security issues:
 +Cookie injection with none file.
 +SOCKS5 heap buffer overflow.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-38546.html
 +  * https://curl.se/docs/CVE-2023-38545.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38546
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38545
 +(**Security fix**)
 +
 +<code>
 +Mon Oct  9 18:10:01 UTC 2023
 +####################################################################
 +# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
 +#                                                                  #
 +# Effective January 1, 2024, security patches will no longer be    #
 +# provided for the following versions of Slackware (which will all #
 +# be more than 7 years old at that time):                          #
 +#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                #
 +# If you are still running these versions you should consider      #
 +# migrating to a newer version (preferably as recent as possible). #
 +# Alternately, you may make arrangements to handle your own        #
 +# security patches.                                                #
 +####################################################################
 +</code>
 +
 +==== 2023-10-04 ====
 +
 +**libX11-1.8.7**:  Upgraded.
 +This update fixes security issues:
 +libX11: out-of-bounds memory access in _XkbReadKeySyms().
 +libX11: stack exhaustion from infinite recursion in PutSubImage().
 +libX11: integer overflow in XCreateImage() leading to a heap overflow.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43785
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43786
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43787
 +(**Security fix**)
 +
 +**libXpm-3.5.17**:  Upgraded.
 +This update fixes security issues:
 +libXpm: out of bounds read in XpmCreateXpmImageFromBuffer().
 +libXpm: out of bounds read on XPM with corrupted colormap.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43788
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43789
 +(**Security fix**)
 +
 +**cups-2.1.4**:  Rebuilt.
 +This update fixes bugs and a security issue:
 +Fixed Heap-based buffer overflow when reading Postscript in PPD files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-4504
 +(**Security fix**)
 +
 +**netatalk-3.1.17**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Validate data type in dalloc_value_for_key(). This flaw could allow a
 +malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
 +execute arbitrary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42464
 +(**Security fix**)
 +
 +**curl-8.3.0**:  Upgraded.
 +This update fixes a security issue:
 +HTTP headers eat all memory.
 +  * https://curl.se/docs/CVE-2023-38039.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38039
 +(**Security fix**)
 +
 +**libarchive-3.7.2**:  Upgraded.
 +This update fixes multiple security vulnerabilities in the PAX writer:
 +Heap overflow in url_encode() in archive_write_set_format_pax.c.
 +NULL dereference in archive_write_pax_header_xattrs().
 +Another NULL dereference in archive_write_pax_header_xattrs().
 +NULL dereference in archive_write_pax_header_xattr().
 +(**Security fix**)
 +
 +**netatalk-3.1.16**:  Upgraded.
 +This update fixes bugs and security issues.
 +Shared library .so-version bump.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23121
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23123
 +(**Security fix**)
 +
 +**curl-8.2.1**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.18**:  Upgraded.
 +Updated the .ga TLD server.
 +Added new recovered IPv4 allocations.
 +Removed the delegation of 43.0.0.0/8 to JPNIC.
 +Removed 12 new gTLDs which are no longer active.
 +Improved the man page source, courtesy of Bjarni Ingi Gislason.
 +Added the .edu.za SLD server.
 +Updated the .alt.za SLD server.
 +Added the -ru and -su NIC handles servers.
 +
 +**ca-certificates-20230721**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-8.2.0**:  Upgraded.
 +This update fixes a security issue:
 +fopen race condition.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-32001.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32001
 +(**Security fix**)
 +
 +**sudo-1.9.14p2**:  Upgraded.
 +This is a bugfix release.
 +
 +**sudo-1.9.14p1**:  Upgraded.
 +This is a bugfix release.
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed use-after-free when logging warnings in case of failures
 +in cupsdAcceptClient().
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-34241
 +(**Security fix**)
 +
 +==== 2023-06-15 ====
 +
 +**libX11-1.8.6**:  Upgraded.
 +This update fixes buffer overflows in InitExt.c that could at least cause
 +the client to crash due to memory corruption.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-3138
 +(**Security fix**)
 +
 +**ntp-4.2.8p17**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-06-06 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
 +cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
 +attacker to launch a denial of service (DoS) attack, or possibly execute
 +arbirary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32324
 +(**Security fix**)
 +
 +**ntp-4.2.8p16**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26551
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26552
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26553
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26554
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26555
 +(**Security fix**)
 +
 +**curl-8.1.2**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-05-26 ====
 +
 +**ntfs-3g-2022.10.3**:  Upgraded.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code or cause a denial of service.
 +Thanks to opty.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
 +(**Security fix**)
 +
 +**curl-8.1.1**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-05-18 ====
 +
 +**curl-8.1.0**:  Upgraded.
 +This update fixes security issues:
 +more POST-after-PUT confusion.
 +IDN wildcard match.
 +siglongjmp race condition.
 +UAF in SSH sha256 fingerprint check.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-28322.html
 +  * https://curl.se/docs/CVE-2023-28321.html
 +  * https://curl.se/docs/CVE-2023-28320.html
 +  * https://curl.se/docs/CVE-2023-28319.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28322
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28321
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28320
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28319
 +(**Security fix**)
 +
 +**ca-certificates-20230506**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2023-05-05 ====
 +
 +**libssh-0.10.5**:  Upgraded.
 +This update fixes security issues:
 +A NULL dereference during rekeying with algorithm guessing.
 +A possible authorization bypass in pki_verify_data_signature under
 +low-memory conditions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-1667
 +  * https://www.cve.org/CVERecord?id=CVE-2023-2283
 +(**Security fix**)
 +
 +**whois-5.5.17**:  Upgraded.
 +Added the .cd TLD server.
 +Updated the -kg NIC handles server name.
 +Removed 2 new gTLDs which are no longer active.
 +
 +
 +==== 2023-05-01 ====
 +
 +**netatalk-3.1.15**:  Upgraded.
 +This update fixes security issues, including a critical vulnerability that
 +allows remote attackers to execute arbitrary code on affected installations
 +of Netatalk. Authentication is not required to exploit this vulnerability.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43634
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +==== 2023-04-25 ====
 +
 +**git-2.30.9**:  Upgraded.
 +This update fixes security issues:
 +By feeding specially crafted input to `git apply --reject`, a
 +path outside the working tree can be overwritten with partially
 +controlled contents (corresponding to the rejected hunk(s) from
 +the given patch).
 +When Git is compiled with runtime prefix support and runs without
 +translated messages, it still used the gettext machinery to
 +display messages, which subsequently potentially looked for
 +translated messages in unexpected places. This allowed for
 +malicious placement of crafted messages.
 +When renaming or deleting a section from a configuration file,
 +certain malicious configuration values may be misinterpreted as
 +the beginning of a new configuration section, leading to arbitrary
 +configuration injection.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25652
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25815
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29007
 +(**Security fix**)
 +
 +**httpd-2.4.57**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.57
 +
 +==== 2023-04-03 ====
 +
 +**irssi-1.4.4**:  Upgraded.
 +Do not crash Irssi when one line is printed as the result of another line
 +being printed.
 +Also solve a memory leak while printing unformatted lines.
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2023c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**tar-1.29**:  Rebuilt.
 +GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
 +of uninitialized memory for a conditional jump. Exploitation to change the
 +flow of control has not been demonstrated. The issue occurs in from_header
 +in list.c via a V7 archive in which mtime has approximately 11 whitespace
 +characters.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-48303
 +(**Security fix**)
 +
 +
 +==== 2023-03-22 ====
 +
 +**curl-8.0.1**:  Upgraded.
 +  * This update fixes security issues:
 +  * SSH connection too eager reuse still.
 +  * HSTS double-free.
 +  * GSS delegation too eager connection re-use.
 +  * FTP too eager connection reuse.
 +  * SFTP path ~ resolving discrepancy.
 +  * TELNET option IAC injection.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-27538.html
 +  * https://curl.se/docs/CVE-2023-27537.html
 +  * https://curl.se/docs/CVE-2023-27536.html
 +  * https://curl.se/docs/CVE-2023-27535.html
 +  * https://curl.se/docs/CVE-2023-27534.html
 +  * https://curl.se/docs/CVE-2023-27533.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27538
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27537
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27536
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27535
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27534
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27533
 +(**Security fix**)
 +
 +==== 2023-03-08 ====
 +
 +**httpd-2.4.56**:  Upgraded.
 +This update fixes two security issues:
 +HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
 +HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.56
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27522
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25690
 +(**Security fix**)
 +
 +**sudo-1.9.13p3**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.16**:  Upgraded.
 +Add bash completion support, courtesy of Ville Skytta.
 +Updated the .tr TLD server.
 +Removed support for -metu NIC handles.
 +
 +**curl-7.88.1**:  Upgraded.
 +This is a bugfix release.
  
 ==== 2023-02-16 ==== ==== 2023-02-16 ====
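Review bot: The block filed under "==== 2023-10-04 ====" runs from libX11-1.8.7 down to the second cups-2.1.4 rebuild and holds three curl releases (8.3.0, 8.2.1, 8.2.0), two netatalk releases and two sudo releases before the next heading, "==== 2023-06-15 ====", so a reader auditing patch levels cannot tell when each security fix landed. Please restore a date heading for each upstream ChangeLog batch; the same applies to sudo-1.9.15p4 and sudo-1.9.15p3 under 2023-12-20 and to libxml2-2.12.3 and libxml2-2.12.2 under 2023-12-13. Smaller points: the curl-8.3.0 entry lists its links without the "For more information, see:" line the other entries use; the curl-8.0.1 entry turns "This update fixes security issues:" and the issue names into bullets, unlike every other entry; the libarchive-3.7.2 and irssi-1.4.4 entries are marked as security fixes with no reference link; the ntfs-3g entry links cve.mitre.org while the rest link www.cve.org; and "arbirary" in the 2023-06-06 cups entry should read "arbitrary".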
changelog_14.2.1676581795.txt.gz · Last modified: 2023/02/16 16:09 by connie