author    Patrick J Volkerding <volkerdi@slackware.com>  2023-07-19 20:36:46 +0000
committer Eric Hameleers <alien@slackware.com>  2023-07-21 13:30:33 +0200
commit    b9cb99a88e34842a370c2a5a3cbe265b4ce1157b (patch)
tree      02d53aef4e382ce9ddf6df3087f52437817458f0 /ChangeLog.rss
parent    1b65c2bfe328af09af1c2da015b62557c26b8254 (diff)
download  current-b9cb99a88e34842a370c2a5a3cbe265b4ce1157b.tar.gz
          current-b9cb99a88e34842a370c2a5a3cbe265b4ce1157b.tar.xz
Wed Jul 19 20:36:46 UTC 2023
20230719203646_15.0
patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz: Upgraded.
  This update fixes a security issue:
  fopen race condition.
  For more information, see:
    https://curl.se/docs/CVE-2023-32001.html
    https://www.cve.org/CVERecord?id=CVE-2023-32001
  (* Security fix *)
patches/packages/openssh-9.3p2-x86_64-1_slack15.0.txz: Upgraded.
  This update fixes a security issue:
  ssh-agent(1) in OpenSSH between 5.5 and 9.3p1 (inclusive): remote code
  execution relating to PKCS#11 providers.
  The PKCS#11 support ssh-agent(1) could be abused to achieve remote code
  execution via a forwarded agent socket if the following conditions are met:
  * Exploitation requires the presence of specific libraries on the victim
    system.
  * Remote exploitation requires that the agent was forwarded to an
    attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty
  PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
  contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable by the
  Qualys Security Advisory team.
  Potentially-incompatible changes:
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules
    issued by remote clients by default. A flag has been added to restore the
    previous behaviour: "-Oallow-remote-pkcs11".
  For more information, see:
    https://www.openssh.com/txt/release-9.3p2
    https://www.cve.org/CVERecord?id=CVE-2023-38408
  (* Security fix *)
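The changelog above is what lands in ChangeLog.rss: each feed item wraps the plain-text entries in a CDATA `<pre>` block, with one column-0 line per package and indented detail lines beneath it. A patch-monitoring job that wants to alert only on entries marked `(* Security fix *)` has to parse that layout. The following is an added example, not code from this commit or from Slackware's maintain_current_git.sh. The sample feed is constructed from the page's own curl and openssh text; the third package entry (`example-1.0`) is hypothetical, added only so the parser has a non-security entry to skip.

```python
"""Parse Slackware's ChangeLog.rss and extract the entries marked as security fixes."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample feed in the shape ChangeLog.rss uses (CDATA-wrapped <pre>).
# The curl and openssh entries are copied from the changelog text; the third
# entry is a hypothetical, non-security one added for contrast.
SAMPLE_FEED = """<rss version="2.0">
<channel>
<title>Slackware current</title>
<item>
<title>Wed, 19 Jul 2023 20:36:46 GMT</title>
<pubDate>Wed, 19 Jul 2023 20:36:46 GMT</pubDate>
<guid isPermaLink="false">20230719203646</guid>
<description>
<![CDATA[<pre>
patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz: Upgraded.
  This update fixes a security issue:
  fopen race condition.
  For more information, see:
    https://curl.se/docs/CVE-2023-32001.html
    https://www.cve.org/CVERecord?id=CVE-2023-32001
  (* Security fix *)
patches/packages/openssh-9.3p2-x86_64-1_slack15.0.txz: Upgraded.
  This update fixes a security issue:
  ssh-agent(1) in OpenSSH between 5.5 and 9.3p1 (inclusive): remote code
  execution relating to PKCS#11 providers.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty
  PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
  contains only specific provider libraries.
  For more information, see:
    https://www.openssh.com/txt/release-9.3p2
    https://www.cve.org/CVERecord?id=CVE-2023-38408
  (* Security fix *)
patches/packages/example-1.0-x86_64-1_slack15.0.txz: Rebuilt.
  Constructed non-security entry (hypothetical package name).
</pre>]]>
</description>
</item>
</channel>
</rss>
"""

PKG_RE = re.compile(r"^(\S+\.t[gx]z):\s+(\w+)\.\s*$")   # column-0 package line
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    package: str                 # e.g. patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz
    action: str                  # Upgraded, Rebuilt, Added, ...
    security_fix: bool = False   # set when the "(* Security fix *)" marker is seen
    cves: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def parse_pre(text):
    """Split one item's <pre> text into package entries."""
    body = re.sub(r"</?pre>", "", text)
    entries, cur = [], None
    for raw in body.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = PKG_RE.match(line)
        if m:                                    # a new package entry starts here
            cur = Entry(package=m.group(1), action=m.group(2))
            entries.append(cur)
            continue
        if cur is None:                          # free text before the first entry
            continue
        stripped = line.strip()
        if stripped == "(* Security fix *)":
            cur.security_fix = True
            continue
        for cve in CVE_RE.findall(stripped):     # each CVE is usually cited twice
            if cve not in cur.cves:
                cur.cves.append(cve)
        cur.notes.append(stripped)
    return entries


def parse_feed(xml_text):
    """Return one dict per <item>: guid, pubDate and its parsed package entries."""
    root = ET.fromstring(xml_text)
    return [{
        "guid": item.findtext("guid"),
        "pubDate": item.findtext("pubDate"),
        "entries": parse_pre(item.findtext("description") or ""),
    } for item in root.iter("item")]


def security_fixes(xml_text):
    """(guid, package, [CVE ids]) for every entry flagged (* Security fix *)."""
    return [(rel["guid"], e.package, e.cves)
            for rel in parse_feed(xml_text)
            for e in rel["entries"] if e.security_fix]


if __name__ == "__main__":
    for guid, pkg, cves in security_fixes(SAMPLE_FEED):
        print(guid, pkg, ", ".join(cves) or "no CVE id")
```

Keying on the column-0 package line rather than on blank-line separation matters because the feed text has no blank lines between entries; the `(* Security fix *)` marker is matched exactly so that free text mentioning "security" does not produce false alerts, and CVE ids are deduplicated because the changelog cites each one under two URLs.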
Diffstat (limited to 'ChangeLog.rss')
-rw-r--r--  ChangeLog.rss  44
1 files changed, 42 insertions, 2 deletions
diff --git a/ChangeLog.rss b/ChangeLog.rss
index 397884600..bd857b2a9 100644
--- a/ChangeLog.rss
+++ b/ChangeLog.rss
@@ -11,10 +11,50 @@
<description>Tracking Slackware development in git.</description>
<language>en-us</language>
<id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
- <pubDate>Mon, 17 Jul 2023 19:17:19 GMT</pubDate>
- <lastBuildDate>Tue, 18 Jul 2023 11:30:21 GMT</lastBuildDate>
+ <pubDate>Wed, 19 Jul 2023 20:36:46 GMT</pubDate>
+ <lastBuildDate>Fri, 21 Jul 2023 11:30:19 GMT</lastBuildDate>
<generator>maintain_current_git.sh v 1.17</generator>
<item>
+ <title>Wed, 19 Jul 2023 20:36:46 GMT</title>
+ <pubDate>Wed, 19 Jul 2023 20:36:46 GMT</pubDate>
+ <link>https://git.slackware.nl/current/tag/?h=20230719203646</link>
+ <guid isPermaLink="false">20230719203646</guid>
+ <description>
+ <![CDATA[<pre>
+patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz: Upgraded.
+ This update fixes a security issue:
+ fopen race condition.
+ For more information, see:
+ https://curl.se/docs/CVE-2023-32001.html
+ https://www.cve.org/CVERecord?id=CVE-2023-32001
+ (* Security fix *)
+patches/packages/openssh-9.3p2-x86_64-1_slack15.0.txz: Upgraded.
+ This update fixes a security issue:
+ ssh-agent(1) in OpenSSH between and 5.5 and 9.3p1 (inclusive): remote code
+ execution relating to PKCS#11 providers.
+ The PKCS#11 support ssh-agent(1) could be abused to achieve remote code
+ execution via a forwarded agent socket if the following conditions are met:
+ * Exploitation requires the presence of specific libraries on the victim
+ system.
+ * Remote exploitation requires that the agent was forwarded to an
+ attacker-controlled system.
+ Exploitation can also be prevented by starting ssh-agent(1) with an empty
+ PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
+ contains only specific provider libraries.
+ This vulnerability was discovered and demonstrated to be exploitable by the
+ Qualys Security Advisory team.
+ Potentially-incompatible changes:
+ * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules
+ issued by remote clients by default. A flag has been added to restore the
+ previous behaviour: "-Oallow-remote-pkcs11".
+ For more information, see:
+ https://www.openssh.com/txt/release-9.3p2
+ https://www.cve.org/CVERecord?id=CVE-2023-38408
+ (* Security fix *)
+ </pre>]]>
+ </description>
+ </item>
+ <item>
<title>Mon, 17 Jul 2023 19:17:19 GMT</title>
<pubDate>Mon, 17 Jul 2023 19:17:19 GMT</pubDate>
<link>https://git.slackware.nl/current/tag/?h=20230717191719</link>
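Review bot: the new item's description line `ssh-agent(1) in OpenSSH between and 5.5 and 9.3p1 (inclusive)` carries a stray "and" from the upstream advisory text; suggest `between 5.5 and 9.3p1 (inclusive)` so the feed entry reads cleanly. Minor, same block: the description cites `ssh-agent(1)` but the "Potentially-incompatible changes" bullet cites `ssh-agent(8)`; pick one manual section. The `<pubDate>`/`<lastBuildDate>` bump and the new `<item>` (guid `20230719203646`, link to the matching tag) are consistent with the commit timestamps.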