diff options
Diffstat (limited to 'ChangeLog.rss')
-rw-r--r-- | ChangeLog.rss | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/ChangeLog.rss b/ChangeLog.rss index 806c4cfff..14a6cf539 100644 --- a/ChangeLog.rss +++ b/ChangeLog.rss @@ -11,10 +11,57 @@ <description>Tracking Slackware development in git.</description> <language>en-us</language> <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id> - <pubDate>Mon, 5 Dec 2022 21:00:46 GMT</pubDate> - <lastBuildDate>Tue, 6 Dec 2022 12:30:22 GMT</lastBuildDate> + <pubDate>Wed, 7 Dec 2022 18:48:07 GMT</pubDate> + <lastBuildDate>Thu, 8 Dec 2022 12:30:17 GMT</lastBuildDate> <generator>maintain_current_git.sh v 1.17</generator> <item> + <title>Wed, 7 Dec 2022 18:48:07 GMT</title> + <pubDate>Wed, 7 Dec 2022 18:48:07 GMT</pubDate> + <link>https://git.slackware.nl/current/tag/?h=20221207184807</link> + <guid isPermaLink="false">20221207184807</guid> + <description> + <![CDATA[<pre> +patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 + (heap use-after-free). + gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio + related name resolution functions no longer involves a quadratic algorithm + to fix CVE-2022-45061. This prevents a potential CPU denial of service if an + out-of-spec excessive length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name. + gh-100001: python -m http.server no longer allows terminal control characters + sent within a garbage request to be printed to the stderr server log. + gh-87604: Avoid publishing list of active per-interpreter audit hooks via the + gc module. + gh-97514: On Linux the multiprocessing module returns to using filesystem + backed unix domain sockets for communication with the forkserver process + instead of the Linux abstract socket namespace. Only code that chooses to use + the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 + (potential privilege escalation) as abstract sockets have no permissions and + could allow any user on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing forkserver process. + Filesystem based socket permissions restrict this to the forkserver process + user as was the default in Python 3.8 and earlier. + gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix + CVE-2022-37454. + gh-68966: The deprecated mailcap module now refuses to inject unsafe text + (filenames, MIME types, parameters) into shell commands to address + CVE-2015-20107. Instead of using such text, it will warn and act as if a + match was not found (or for test commands, as if the test failed). + For more information, see: + https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html + https://www.cve.org/CVERecord?id=CVE-2022-43680 + https://www.cve.org/CVERecord?id=CVE-2022-45061 + https://www.cve.org/CVERecord?id=CVE-2022-42919 + https://www.cve.org/CVERecord?id=CVE-2022-37454 + https://www.cve.org/CVERecord?id=CVE-2015-20107 + (* Security fix *) + </pre>]]> + </description> + </item> + <item> <title>Mon, 5 Dec 2022 21:00:46 GMT</title> <pubDate>Mon, 5 Dec 2022 21:00:46 GMT</pubDate> <link>https://git.slackware.nl/current/tag/?h=20221205210046</link> |