summaryrefslogtreecommitdiffstats
path: root/ChangeLog.txt (follow)
Commit message (Expand)AuthorAgeFilesLines
...
* Fri May 19 18:59:24 UTC 2023...patches/packages/cups-filters-1.28.17-x86_64-1_slack15.0.txz: Upgraded. [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x. With execv() command line arguments are passed as separate strings and not the full command line in a single string. This prevents arbitrary command execution by escaping the quoting of the arguments in a job with forged job title. Thanks to marav. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-24805 (* Security fix *) 20230519185924_15.0 Patrick J Volkerding2023-05-201-0/+12
* Wed May 17 20:59:51 UTC 2023...patches/packages/curl-8.1.0-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: more POST-after-PUT confusion. IDN wildcard match. siglongjmp race condition. UAF in SSH sha256 fingerprint check. For more information, see: https://curl.se/docs/CVE-2023-28322.html https://curl.se/docs/CVE-2023-28321.html https://curl.se/docs/CVE-2023-28320.html https://curl.se/docs/CVE-2023-28319.html https://www.cve.org/CVERecord?id=CVE-2023-28322 https://www.cve.org/CVERecord?id=CVE-2023-28321 https://www.cve.org/CVERecord?id=CVE-2023-28320 https://www.cve.org/CVERecord?id=CVE-2023-28319 (* Security fix *) patches/packages/bind-9.16.41-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. testing/packages/bind-9.18.15-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. 20230517205951_15.0 Patrick J Volkerding2023-05-181-0/+22
* Sun May 14 17:03:16 UTC 2023...extra/php80/php80-8.0.28-x86_64-2_slack15.0.txz: Rebuilt. This update removes extension=xmlrpc from the php.ini files. extra/php81/php81-8.1.19-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. For more information, see: https://www.php.net/ChangeLog-8.php#8.1.19 20230514170316_15.0 Patrick J Volkerding2023-05-151-0/+8
* Wed May 10 23:42:53 UTC 2023...patches/packages/mozilla-thunderbird-102.11.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.11.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-18/ https://www.cve.org/CVERecord?id=CVE-2023-32206 https://www.cve.org/CVERecord?id=CVE-2023-32207 https://www.cve.org/CVERecord?id=CVE-2023-32211 https://www.cve.org/CVERecord?id=CVE-2023-32212 https://www.cve.org/CVERecord?id=CVE-2023-32213 https://www.cve.org/CVERecord?id=CVE-2023-32214 https://www.cve.org/CVERecord?id=CVE-2023-32215 (* Security fix *) 20230510234253_15.0 Patrick J Volkerding2023-05-111-0/+15
* Tue May 9 20:11:22 UTC 2023...patches/packages/mozilla-firefox-102.11.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.11.0/releasenotes/ https://www.mozilla.org/security/advisories/mfsa2023-17/ https://www.cve.org/CVERecord?id=CVE-2023-32205 https://www.cve.org/CVERecord?id=CVE-2023-32206 https://www.cve.org/CVERecord?id=CVE-2023-32207 https://www.cve.org/CVERecord?id=CVE-2023-32211 https://www.cve.org/CVERecord?id=CVE-2023-32212 https://www.cve.org/CVERecord?id=CVE-2023-32213 https://www.cve.org/CVERecord?id=CVE-2023-32214 https://www.cve.org/CVERecord?id=CVE-2023-32215 (* Security fix *) 20230509201122_15.0 Patrick J Volkerding2023-05-101-0/+16
* Sat May 6 19:01:04 UTC 2023...patches/packages/ca-certificates-20230506-noarch-1_slack15.0.txz: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections. 20230506190104_15.0 Patrick J Volkerding2023-05-071-0/+5
* Thu May 4 19:02:58 UTC 2023...patches/packages/libssh-0.10.5-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: A NULL dereference during rekeying with algorithm guessing. A possible authorization bypass in pki_verify_data_signature under low-memory conditions. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-1667 https://www.cve.org/CVERecord?id=CVE-2023-2283 (* Security fix *) 20230504190258_15.0 Patrick J Volkerding2023-05-051-0/+11
* Wed May 3 19:33:18 UTC 2023...patches/packages/whois-5.5.17-x86_64-1_slack15.0.txz: Upgraded. Added the .cd TLD server. Updated the -kg NIC handles server name. Removed 2 new gTLDs which are no longer active. 20230503193318_15.0 Patrick J Volkerding2023-05-041-0/+6
* Mon May 1 20:22:43 UTC 2023...patches/packages/netatalk-3.1.15-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues, including a critical vulnerability that allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-43634 https://www.cve.org/CVERecord?id=CVE-2022-45188 (* Security fix *) 20230501202243_15.0 Patrick J Volkerding2023-05-021-0/+10
* Tue Apr 25 21:20:19 UTC 2023...patches/packages/git-2.35.8-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages. When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-25652 https://www.cve.org/CVERecord?id=CVE-2023-25815 https://www.cve.org/CVERecord?id=CVE-2023-29007 (* Security fix *) patches/packages/mozilla-thunderbird-102.10.1-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.10.1/releasenotes/ 20230425212019_15.0 Patrick J Volkerding2023-04-261-0/+26
* Wed Apr 19 19:17:14 UTC 2023...patches/packages/bind-9.16.40-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. testing/packages/bind-9.18.14-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. 20230419191714_15.0 Patrick J Volkerding2023-04-201-0/+6
* Thu Apr 13 22:25:18 UTC 2023...extra/php81/php81-8.1.17-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. For more information, see: https://www.php.net/ChangeLog-8.php#8.1.17 20230413222518_15.0 Patrick J Volkerding2023-04-141-0/+6
* Thu Apr 13 01:10:27 UTC 2023...patches/packages/mozilla-thunderbird-102.10.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.10.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#MFSA-TMP-2023-0001 https://www.cve.org/CVERecord?id=CVE-2023-29531 https://www.cve.org/CVERecord?id=CVE-2023-29532 https://www.cve.org/CVERecord?id=CVE-2023-29533 https://www.cve.org/CVERecord?id=CVE-2023-29535 https://www.cve.org/CVERecord?id=CVE-2023-29536 https://www.cve.org/CVERecord?id=CVE-2023-0547 https://www.cve.org/CVERecord?id=CVE-2023-29479 https://www.cve.org/CVERecord?id=CVE-2023-29539 https://www.cve.org/CVERecord?id=CVE-2023-29541 https://www.cve.org/CVERecord?id=CVE-2023-29542 https://www.cve.org/CVERecord?id=CVE-2023-29545 https://www.cve.org/CVERecord?id=CVE-2023-1945 https://www.cve.org/CVERecord?id=CVE-2023-29548 https://www.cve.org/CVERecord?id=CVE-2023-29550 (* Security fix *) 20230413011027_15.0 Patrick J Volkerding2023-04-131-0/+23
* Tue Apr 11 18:49:02 UTC 2023...patches/packages/mozilla-firefox-102.10.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.10.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-14 https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/#MFSA-TMP-2023-0001 https://www.cve.org/CVERecord?id=CVE-2023-29531 https://www.cve.org/CVERecord?id=CVE-2023-29532 https://www.cve.org/CVERecord?id=CVE-2023-29533 https://www.cve.org/CVERecord?id=CVE-2023-29535 https://www.cve.org/CVERecord?id=CVE-2023-29536 https://www.cve.org/CVERecord?id=CVE-2023-29539 https://www.cve.org/CVERecord?id=CVE-2023-29541 https://www.cve.org/CVERecord?id=CVE-2023-29545 https://www.cve.org/CVERecord?id=CVE-2023-1945 https://www.cve.org/CVERecord?id=CVE-2023-29548 https://www.cve.org/CVERecord?id=CVE-2023-29550 (* Security fix *) 20230411184902_15.0 Patrick J Volkerding2023-04-121-0/+20
* Fri Apr 7 18:53:33 UTC 2023...patches/packages/httpd-2.4.57-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. For more information, see: https://downloads.apache.org/httpd/CHANGES_2.4.57 20230407185333_15.0 Patrick J Volkerding2023-04-081-0/+6
* Wed Apr 5 18:31:03 UTC 2023...patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. The primary focus is to correct a rare corruption bug in high compression mode. While the probability might be very small, corruption issues are nonetheless very serious, so an update to this version is highly recommended, especially if you employ high compression modes (levels 16+). 20230405183103_15.0 Patrick J Volkerding2023-04-061-0/+8
* Sun Apr 2 18:33:01 UTC 2023...patches/packages/irssi-1.4.4-x86_64-1_slack15.0.txz: Upgraded. Do not crash Irssi when one line is printed as the result of another line being printed. Also solve a memory leak while printing unformatted lines. (* Security fix *) 20230402183301_15.0 Patrick J Volkerding2023-04-031-0/+7
* Fri Mar 31 18:01:09 UTC 2023...patches/packages/ruby-3.0.6-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: ReDoS vulnerability in URI. ReDoS vulnerability in Time. For more information, see: https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/ https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/ https://www.cve.org/CVERecord?id=CVE-2023-28755 https://www.cve.org/CVERecord?id=CVE-2023-28756 (* Security fix *) patches/packages/seamonkey-2.53.16-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.seamonkey-project.org/releases/seamonkey2.53.16 (* Security fix *) 20230331180109_15.0 Patrick J Volkerding2023-04-011-0/+17
* Wed Mar 29 20:56:21 UTC 2023...patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txz: Upgraded. This package provides the latest timezone updates. patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.9.1/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/ https://www.cve.org/CVERecord?id=CVE-2023-28427 (* Security fix *) patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txz: Rebuilt. [PATCH] composite: Fix use-after-free of the COW. Fix use-after-free that can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. For more information, see: https://lists.x.org/archives/xorg-announce/2023-March/003374.html https://www.cve.org/CVERecord?id=CVE-2023-1393 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txz: Rebuilt. [PATCH] composite: Fix use-after-free of the COW. Fix use-after-free that can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. For more information, see: https://lists.x.org/archives/xorg-announce/2023-March/003374.html https://www.cve.org/CVERecord?id=CVE-2023-1393 (* Security fix *) 20230329205621_15.0 Patrick J Volkerding2023-03-301-0/+32
* Fri Mar 24 19:42:46 UTC 2023...patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz: Upgraded. This package provides the latest timezone updates. patches/packages/tar-1.34-x86_64-2_slack15.0.txz: Rebuilt. GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-48303 (* Security fix *) 20230324194246_15.0 Patrick J Volkerding2023-03-251-0/+14
* Mon Mar 20 18:26:23 UTC 2023...patches/packages/curl-8.0.1-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: SSH connection too eager reuse still. HSTS double-free. GSS delegation too eager connection re-use. FTP too eager connection reuse. SFTP path ~ resolving discrepancy. TELNET option IAC injection. For more information, see: https://curl.se/docs/CVE-2023-27538.html https://curl.se/docs/CVE-2023-27537.html https://curl.se/docs/CVE-2023-27536.html https://curl.se/docs/CVE-2023-27535.html https://curl.se/docs/CVE-2023-27534.html https://curl.se/docs/CVE-2023-27533.html https://www.cve.org/CVERecord?id=CVE-2023-27538 https://www.cve.org/CVERecord?id=CVE-2023-27537 https://www.cve.org/CVERecord?id=CVE-2023-27536 https://www.cve.org/CVERecord?id=CVE-2023-27535 https://www.cve.org/CVERecord?id=CVE-2023-27534 https://www.cve.org/CVERecord?id=CVE-2023-27533 (* Security fix *) patches/packages/vim-9.0.1418-x86_64-1_slack15.0.txz: Upgraded. Fixed security issues: NULL pointer dereference issue in utfc_ptr2len. Incorrect Calculation of Buffer Size. Heap-based Buffer Overflow. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-1264 https://www.cve.org/CVERecord?id=CVE-2023-1175 https://www.cve.org/CVERecord?id=CVE-2023-1170 (* Security fix *) patches/packages/vim-gvim-9.0.1418-x86_64-1_slack15.0.txz: Upgraded. 20230320182623_15.0 Patrick J Volkerding2023-03-211-0/+36
* Thu Mar 16 23:34:56 UTC 2023...patches/packages/bind-9.16.39-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. patches/packages/mozilla-thunderbird-102.9.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.9.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/ https://www.cve.org/CVERecord?id=CVE-2023-25751 https://www.cve.org/CVERecord?id=CVE-2023-28164 https://www.cve.org/CVERecord?id=CVE-2023-28162 https://www.cve.org/CVERecord?id=CVE-2023-25752 https://www.cve.org/CVERecord?id=CVE-2023-28163 https://www.cve.org/CVERecord?id=CVE-2023-28176 (* Security fix *) patches/packages/openssh-9.3p1-x86_64-1_slack15.0.txz: Upgraded. This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. For more information, see: https://www.openssh.com/txt/release-9.3 (* Security fix *) testing/packages/bind-9.18.13-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. 20230316233456_15.0 Patrick J Volkerding2023-03-171-0/+26
* Tue Mar 14 20:42:47 UTC 2023...patches/packages/mozilla-firefox-102.9.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.9.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-10 https://www.cve.org/CVERecord?id=CVE-2023-25751 https://www.cve.org/CVERecord?id=CVE-2023-28164 https://www.cve.org/CVERecord?id=CVE-2023-28162 https://www.cve.org/CVERecord?id=CVE-2023-25752 https://www.cve.org/CVERecord?id=CVE-2023-28163 https://www.cve.org/CVERecord?id=CVE-2023-28176 (* Security fix *) 20230314204247_15.0 Patrick J Volkerding2023-03-151-0/+14
* Wed Mar 8 20:26:54 UTC 2023...patches/packages/httpd-2.4.56-x86_64-1_slack15.0.txz: Upgraded. This update fixes two security issues: HTTP Response Smuggling vulnerability via mod_proxy_uwsgi. HTTP Request Smuggling attack via mod_rewrite and mod_proxy. For more information, see: https://downloads.apache.org/httpd/CHANGES_2.4.56 https://www.cve.org/CVERecord?id=CVE-2023-27522 https://www.cve.org/CVERecord?id=CVE-2023-25690 (* Security fix *) 20230308202654_15.0 Patrick J Volkerding2023-03-091-0/+11
* Mon Mar 6 20:18:10 UTC 2023...patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. 20230306201810_15.0 Patrick J Volkerding2023-03-071-0/+4
* Mon Mar 6 02:21:57 UTC 2023...patches/packages/xscreensaver-6.06-x86_64-1_slack15.0.txz: Upgraded. Here's an upgrade to the latest xscreensaver. 20230306022157_15.0 Patrick J Volkerding2023-03-061-0/+4
* Tue Feb 28 21:33:32 UTC 2023...patches/packages/whois-5.5.16-x86_64-1_slack15.0.txz: Upgraded. Add bash completion support, courtesy of Ville Skytta. Updated the .tr TLD server. Removed support for -metu NIC handles. 20230228213332_15.0 Patrick J Volkerding2023-03-011-0/+6
* Mon Feb 20 19:41:06 UTC 2023...patches/packages/curl-7.88.1-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. 20230220194106_15.0 Patrick J Volkerding2023-02-211-1/+5
* Sat Feb 18 02:04:34 UTC 2023...patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded. patches/packages/linux-5.15.80/*: Upgraded. These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see: Fixed in 5.15.81: https://www.cve.org/CVERecord?id=CVE-2022-47519 https://www.cve.org/CVERecord?id=CVE-2022-47518 https://www.cve.org/CVERecord?id=CVE-2022-47520 https://www.cve.org/CVERecord?id=CVE-2022-47521 https://www.cve.org/CVERecord?id=CVE-2022-3344 Fixed in 5.15.82: https://www.cve.org/CVERecord?id=CVE-2022-45869 https://www.cve.org/CVERecord?id=CVE-2022-4378 Fixed in 5.15.83: https://www.cve.org/CVERecord?id=CVE-2022-3643 Fixed in 5.15.84: https://www.cve.org/CVERecord?id=CVE-2022-3545 Fixed in 5.15.85: https://www.cve.org/CVERecord?id=CVE-2022-45934 Fixed in 5.15.86: https://www.cve.org/CVERecord?id=CVE-2022-3534 https://www.cve.org/CVERecord?id=CVE-2022-3424 Fixed in 5.15.87: https://www.cve.org/CVERecord?id=CVE-2022-41218 https://www.cve.org/CVERecord?id=CVE-2023-23455 https://www.cve.org/CVERecord?id=CVE-2023-23454 https://www.cve.org/CVERecord?id=CVE-2023-0045 https://www.cve.org/CVERecord?id=CVE-2023-0210 https://www.cve.org/CVERecord?id=CVE-2022-36280 Fixed in 5.15.88: https://www.cve.org/CVERecord?id=CVE-2023-0266 https://www.cve.org/CVERecord?id=CVE-2022-47929 Fixed in 5.15.89: https://www.cve.org/CVERecord?id=CVE-2023-0179 https://www.cve.org/CVERecord?id=CVE-2023-0394 Fixed in 5.15.90: https://www.cve.org/CVERecord?id=CVE-2022-4382 https://www.cve.org/CVERecord?id=CVE-2022-4842 Fixed in 5.15.91: https://www.cve.org/CVERecord?id=CVE-2022-4129 https://www.cve.org/CVERecord?id=CVE-2023-23559 (* Security fix *) 20230218020434_15.0 Patrick J Volkerding2023-02-181-0/+49
* Thu Feb 16 22:07:06 UTC 2023...patches/packages/mozilla-thunderbird-102.8.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/ https://www.cve.org/CVERecord?id=CVE-2023-0616 https://www.cve.org/CVERecord?id=CVE-2023-25728 https://www.cve.org/CVERecord?id=CVE-2023-25730 https://www.cve.org/CVERecord?id=CVE-2023-0767 https://www.cve.org/CVERecord?id=CVE-2023-25735 https://www.cve.org/CVERecord?id=CVE-2023-25737 https://www.cve.org/CVERecord?id=CVE-2023-25738 https://www.cve.org/CVERecord?id=CVE-2023-25739 https://www.cve.org/CVERecord?id=CVE-2023-25729 https://www.cve.org/CVERecord?id=CVE-2023-25732 https://www.cve.org/CVERecord?id=CVE-2023-25734 https://www.cve.org/CVERecord?id=CVE-2023-25742 https://www.cve.org/CVERecord?id=CVE-2023-25746 (* Security fix *) 20230216220706_15.0 Patrick J Volkerding2023-02-171-0/+21
* Wed Feb 15 19:48:10 UTC 2023...patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: HTTP multi-header compression denial of service. HSTS amnesia with --parallel. HSTS ignored on multiple requests. For more information, see: https://curl.se/docs/CVE-2023-23916.html https://curl.se/docs/CVE-2023-23915.html https://curl.se/docs/CVE-2023-23914.html https://www.cve.org/CVERecord?id=CVE-2023-23916 https://www.cve.org/CVERecord?id=CVE-2023-23915 https://www.cve.org/CVERecord?id=CVE-2023-23914 (* Security fix *) patches/packages/git-2.35.7-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-22490 https://www.cve.org/CVERecord?id=CVE-2023-23946 (* Security fix *) 20230215194810_15.0 Patrick J Volkerding2023-02-161-0/+33
* Wed Feb 15 03:05:40 UTC 2023...extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *) extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *) patches/packages/hwdata-0.367-noarch-1_slack15.0.txz: Upgraded. Upgraded to get information for newer hardware. Requested by kingbeowulf on LQ. patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/ https://www.cve.org/CVERecord?id=CVE-2023-25728 https://www.cve.org/CVERecord?id=CVE-2023-25730 https://www.cve.org/CVERecord?id=CVE-2023-25743 https://www.cve.org/CVERecord?id=CVE-2023-0767 https://www.cve.org/CVERecord?id=CVE-2023-25735 https://www.cve.org/CVERecord?id=CVE-2023-25737 https://www.cve.org/CVERecord?id=CVE-2023-25738 https://www.cve.org/CVERecord?id=CVE-2023-25739 https://www.cve.org/CVERecord?id=CVE-2023-25729 https://www.cve.org/CVERecord?id=CVE-2023-25732 https://www.cve.org/CVERecord?id=CVE-2023-25734 https://www.cve.org/CVERecord?id=CVE-2023-25742 https://www.cve.org/CVERecord?id=CVE-2023-25746 (* Security fix *) patches/packages/php-7.4.33-x86_64-3_slack15.0.txz: Rebuilt. This update fixes security issues: Core: Password_verify() always return true with some hash. Core: 1-byte array overrun in common path resolve code. SAPI: DOS vulnerability when parsing multipart request body. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0567 https://www.cve.org/CVERecord?id=CVE-2023-0568 https://www.cve.org/CVERecord?id=CVE-2023-0662 (* Security fix *) 20230215030540_15.0 Patrick J Volkerding2023-02-161-0/+54
* Fri Feb 10 20:08:41 UTC 2023...patches/packages/gnutls-3.7.9-x86_64-1_slack15.0.txz: Upgraded. libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0361 (* Security fix *) 20230210200841_15.0 Patrick J Volkerding2023-02-111-0/+9
* Thu Feb 9 00:59:27 UTC 2023...patches/packages/mozilla-thunderbird-102.7.2-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.7.2/releasenotes/ 20230209005927_15.0 Patrick J Volkerding2023-02-091-0/+6
* Tue Feb 7 20:48:57 UTC 2023...patches/packages/openssl-1.1.1t-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: X.400 address type confusion in X.509 GeneralName. Timing Oracle in RSA Decryption. Use-after-free following BIO_new_NDEF. Double free after calling PEM_read_bio_ex. For more information, see: https://www.openssl.org/news/secadv/20230207.txt https://www.cve.org/CVERecord?id=CVE-2023-0286 https://www.cve.org/CVERecord?id=CVE-2022-4304 https://www.cve.org/CVERecord?id=CVE-2023-0215 https://www.cve.org/CVERecord?id=CVE-2022-4450 (* Security fix *) patches/packages/openssl-solibs-1.1.1t-x86_64-1_slack15.0.txz: Upgraded. patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txz: Rebuilt. [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses. Also merged another patch to prevent crashes when using a compositor with the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0494 (* Security fix *) patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txz: Rebuilt. [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses. Also merged another patch to prevent crashes when using a compositor with the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0494 (* Security fix *) 20230207204857_15.0 Patrick J Volkerding2023-02-081-0/+33
* Thu Feb 2 22:52:48 UTC 2023...patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded. This release contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable, but upstream reports most network-reachable memory faults as security bugs. This update contains some potentially incompatible changes regarding the scp utility. For more information, see: https://www.openssh.com/releasenotes.html#9.0 For more information, see: https://www.openssh.com/releasenotes.html#9.2 (* Security fix *) 20230202225248_15.0 Patrick J Volkerding2023-02-031-0/+12
* Wed Feb 1 22:27:31 UTC 2023...patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. (CVE-2022-24963) Restore fix for out-of-bounds array dereference in apr_time_exp*() functions. (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and later 1.6.x releases, but was missing in 1.7.0.) (CVE-2021-35940) For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-24963 https://www.cve.org/CVERecord?id=CVE-2021-35940 https://www.cve.org/CVERecord?id=CVE-2017-12613 (* Security fix *) patches/packages/apr-util-1.6.3-x86_64-1_slack15.0.txz: Upgraded. This update fixes a security issue: Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. (CVE-2022-25147) For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-25147 (* Security fix *) patches/packages/mozilla-thunderbird-102.7.1-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.7.1/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2023-04/ https://www.cve.org/CVERecord?id=CVE-2023-0430 (* Security fix *) 20230201222731_15.0 Patrick J Volkerding2023-02-021-0/+30
* Thu Jan 26 00:34:41 UTC 2023...patches/packages/bind-9.16.37-x86_64-1_slack15.0.txz: Upgraded. This update fixes bugs and the following security issues: An UPDATE message flood could cause :iscman:`named` to exhaust all available memory. This flaw was addressed by adding a new :any:`update-quota` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a queue at any given time (default: 100). :iscman:`named` could crash with an assertion failure when an RRSIG query was received and :any:`stale-answer-client-timeout` was set to a non-zero value. This has been fixed. :iscman:`named` running as a resolver with the :any:`stale-answer-client-timeout` option set to any value greater than ``0`` could crash with an assertion failure, when the :any:`recursive-clients` soft quota was reached. This has been fixed. For more information, see: https://kb.isc.org/docs/cve-2022-3094 https://kb.isc.org/docs/cve-2022-3736 https://kb.isc.org/docs/cve-2022-3924 https://www.cve.org/CVERecord?id=CVE-2022-3094 https://www.cve.org/CVERecord?id=CVE-2022-3736 https://www.cve.org/CVERecord?id=CVE-2022-3924 (* Security fix *) patches/packages/vim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded. Fixed a security issue: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0433 (* Security fix *) patches/packages/vim-gvim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded. testing/packages/bind-9.18.11-x86_64-1_slack15.0.txz: Upgraded. This update fixes bugs and the following security issues: An UPDATE message flood could cause :iscman:`named` to exhaust all available memory. This flaw was addressed by adding a new :any:`update-quota` option that controls the maximum number of outstanding DNS UPDATE messages that :iscman:`named` can hold in a queue at any given time (default: 100). :iscman:`named` could crash with an assertion failure when an RRSIG query was received and :any:`stale-answer-client-timeout` was set to a non-zero value. This has been fixed. :iscman:`named` running as a resolver with the :any:`stale-answer-client-timeout` option set to any value greater than ``0`` could crash with an assertion failure, when the :any:`recursive-clients` soft quota was reached. This has been fixed. For more information, see: https://kb.isc.org/docs/cve-2022-3094 https://kb.isc.org/docs/cve-2022-3736 https://kb.isc.org/docs/cve-2022-3924 https://www.cve.org/CVERecord?id=CVE-2022-3094 https://www.cve.org/CVERecord?id=CVE-2022-3736 https://www.cve.org/CVERecord?id=CVE-2022-3924 (* Security fix *) 20230126003441_15.0 Patrick J Volkerding2023-01-261-0/+54
* Fri Jan 20 23:58:24 UTC 2023...patches/packages/mozilla-thunderbird-102.7.0-x86_64-1_slack15.0.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/102.7.0/releasenotes/ https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird102.7 (* Security fix *) patches/packages/seamonkey-2.53.15-x86_64-1_slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more information, see: https://www.seamonkey-project.org/releases/seamonkey2.53.15 (* Security fix *) 20230120235824_15.0 Patrick J Volkerding2023-01-211-0/+13
* Thu Jan 19 00:40:12 UTC 2023...patches/packages/sudo-1.9.12p2-x86_64-1_slack15.0.txz: Upgraded. This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow a malicious user with sudoedit privileges to edit arbitrary files. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-22809 (* Security fix *) 20230119004012_15.0 Patrick J Volkerding2023-01-191-0/+85
* Fri Jan 13 20:29:55 UTC 2023...patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz: Upgraded. Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-45188 (* Security fix *) 20230113202955_15.0 Patrick J Volkerding2023-01-141-0/+8
* Tue Jan 10 21:32:00 UTC 2023...patches/packages/ca-certificates-20221205-noarch-2_slack15.0.txz: Rebuilt. Make sure that if we're installing this package on another partition (such as when using installpkg with a --root parameter) that the updates are done on that partition. Thanks to fulalas. 20230110213200_15.0 Patrick J Volkerding2023-01-111-0/+6
* Sat Jan 7 01:50:00 UTC 2023...extra/php80/php80-8.0.27-x86_64-1_slack15.0.txz: Upgraded. This update fixes a security issue: PDO::quote() may return unquoted string. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-31631 (* Security fix *) extra/php81/php81-8.1.14-x86_64-1_slack15.0.txz: Upgraded. This update fixes bugs and a security issue: PDO::quote() may return unquoted string. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-31631 (* Security fix *) patches/packages/mozilla-nss-3.87-x86_64-1_slack15.0.txz: Upgraded. Fixed memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures. For more information, see: https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ https://www.cve.org/CVERecord?id=CVE-2021-43527 (* Security fix *) patches/packages/php-7.4.33-x86_64-2_slack15.0.txz: Rebuilt. This update fixes a security issue: PDO::quote() may return unquoted string. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-31631 (* Security fix *) 20230107015000_15.0 Patrick J Volkerding2023-01-071-0/+26
* Thu Jan 5 03:09:24 UTC 2023...patches/packages/vim-9.0.1146-x86_64-1_slack15.0.txz: Upgraded. Fixed security issues: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-0049 https://www.cve.org/CVERecord?id=CVE-2023-0051 (* Security fix *) patches/packages/vim-gvim-9.0.1146-x86_64-1_slack15.0.txz: Upgraded. 20230105030924_15.0 Patrick J Volkerding2023-01-061-0/+11
* Wed Jan 4 02:18:08 UTC 2023...patches/packages/libtiff-4.4.0-x86_64-1_slack15.0.txz: Upgraded. Patched various security bugs. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-2056 https://www.cve.org/CVERecord?id=CVE-2022-2057 https://www.cve.org/CVERecord?id=CVE-2022-2058 https://www.cve.org/CVERecord?id=CVE-2022-3970 https://www.cve.org/CVERecord?id=CVE-2022-34526 (* Security fix *) patches/packages/rxvt-unicode-9.26-x86_64-3_slack15.0.txz: Rebuilt. When the "background" extension was loaded, an attacker able to control the data written to the terminal would be able to execute arbitrary code as the terminal's user. Thanks to David Leadbeater and Ben Collver. For more information, see: https://www.openwall.com/lists/oss-security/2022/12/05/1 https://www.cve.org/CVERecord?id=CVE-2022-4170 (* Security fix *) patches/packages/whois-5.5.15-x86_64-1_slack15.0.txz: Upgraded. Updated the .bd, .nz and .tv TLD servers. Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers. Updated the .ac.uk and .gov.uk SLD servers. Recursion has been enabled for whois.nic.tv. Updated the list of new gTLDs with four generic TLDs assigned in October 2013 which were missing due to a bug. Removed 4 new gTLDs which are no longer active. Added the Georgian translation, contributed by Temuri Doghonadze. Updated the Finnish translation, contributed by Lauri Nurmi. 20230104021808_15.0 Patrick J Volkerding2023-01-041-0/+29
* Fri Dec 23 02:37:47 UTC 2022...testing/packages/bind-9.18.10-x86_64-1_slack15.0.txz: Upgraded. 20221223023747_15.0 Patrick J Volkerding2022-12-231-0/+17
* Tue Dec 20 20:40:18 UTC 2022...patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz: Upgraded. Fix another integer overflow in the CRL's signature parser. (* Security fix *) patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz: Rebuilt. This update fixes a heap overflow problem in video/SDL_pixels.c in SDL. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service, or code execution. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2021-33657 (* Security fix *) 20221220204018_15.0 Patrick J Volkerding2022-12-211-0/+13
* Mon Dec 19 21:18:22 UTC 2022...patches/packages/xorg-server-1.20.14-x86_64-6_slack15.0.txz: Rebuilt. This release fixes an invalid event type mask in XTestSwapFakeInput which was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix for CVE-2022-46340. patches/packages/xorg-server-xephyr-1.20.14-x86_64-6_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xnest-1.20.14-x86_64-6_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xvfb-1.20.14-x86_64-6_slack15.0.txz: Rebuilt. patches/packages/xorg-server-xwayland-21.1.4-x86_64-5_slack15.0.txz: Rebuilt. This release fixes an invalid event type mask in XTestSwapFakeInput which was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix for CVE-2022-46340. 20221219211822_15.0 Patrick J Volkerding2022-12-201-0/+13
* Sun Dec 18 20:28:03 UTC 2022...patches/packages/libarchive-3.6.2-x86_64-2_slack15.0.txz: Rebuilt. This update fixes a regression causing a failure to compile against libarchive: don't include iconv in libarchive.pc. 20221218202803_15.0 Patrick J Volkerding2022-12-191-0/+5
* Sat Dec 17 21:14:11 UTC 2022...patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher. On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022. A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with. The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak. Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96). Note that there are several important behavior changes included in this release, which may cause compatibility problems interacting with system still expecting the former behavior. Please read the advisories of CVE-2022-37966, CVE-2022-37967 and CVE-2022-38023 carefully! For more information, see: https://www.samba.org/samba/security/CVE-2022-37966.html https://www.samba.org/samba/security/CVE-2022-37967.html https://www.samba.org/samba/security/CVE-2022-38023.html https://www.samba.org/samba/security/CVE-2022-45141.html https://www.cve.org/CVERecord?id=CVE-2022-37966 https://www.cve.org/CVERecord?id=CVE-2022-37967 https://www.cve.org/CVERecord?id=CVE-2022-38023 https://www.cve.org/CVERecord?id=CVE-2022-45141 (* Security fix *) 20221217211411_15.0 Patrick J Volkerding2022-12-181-0/+40
generated by cgit v1.2.3-79-gdb01 (git 2.46.1) at 2024-09-22 12:45:15 +0000