| Commit message (Expand) | Author | Age | Files | Lines |
|---|
| * | Wed Jan 4 02:18:08 UTC 2023...patches/packages/libtiff-4.4.0-x86_64-1_slack15.0.txz: Upgraded.
Patched various security bugs.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-2056
https://www.cve.org/CVERecord?id=CVE-2022-2057
https://www.cve.org/CVERecord?id=CVE-2022-2058
https://www.cve.org/CVERecord?id=CVE-2022-3970
https://www.cve.org/CVERecord?id=CVE-2022-34526
(* Security fix *)
patches/packages/rxvt-unicode-9.26-x86_64-3_slack15.0.txz: Rebuilt.
When the "background" extension was loaded, an attacker able to control the
data written to the terminal would be able to execute arbitrary code as the
terminal's user. Thanks to David Leadbeater and Ben Collver.
For more information, see:
https://www.openwall.com/lists/oss-security/2022/12/05/1
https://www.cve.org/CVERecord?id=CVE-2022-4170
(* Security fix *)
patches/packages/whois-5.5.15-x86_64-1_slack15.0.txz: Upgraded.
Updated the .bd, .nz and .tv TLD servers.
Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
Updated the .ac.uk and .gov.uk SLD servers.
Recursion has been enabled for whois.nic.tv.
Updated the list of new gTLDs with four generic TLDs assigned in October 2013
which were missing due to a bug.
Removed 4 new gTLDs which are no longer active.
Added the Georgian translation, contributed by Temuri Doghonadze.
Updated the Finnish translation, contributed by Lauri Nurmi.
20230104021808_15.0 |   Patrick J Volkerding | 2023-01-04 | 13 | -0/+1827 |
| * | Tue Dec 20 20:40:18 UTC 2022...patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz: Upgraded.
Fix another integer overflow in the CRL's signature parser.
(* Security fix *)
patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz: Rebuilt.
This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
By crafting a malicious .BMP file, an attacker can cause the application
using this library to crash, denial of service, or code execution.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-33657
(* Security fix *)
20221220204018_15.0 | Patrick J Volkerding | 2022-12-21 | 7 | -0/+466 |
| * | Mon Dec 19 21:18:22 UTC 2022...patches/packages/xorg-server-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
This release fixes an invalid event type mask in XTestSwapFakeInput which
was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
for CVE-2022-46340.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes an invalid event type mask in XTestSwapFakeInput which
was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
for CVE-2022-46340.
20221219211822_15.0 | Patrick J Volkerding | 2022-12-20 | 5 | -2/+32 |
| * | Sun Dec 18 20:28:03 UTC 2022...patches/packages/libarchive-3.6.2-x86_64-2_slack15.0.txz: Rebuilt.
This update fixes a regression causing a failure to compile against
libarchive: don't include iconv in libarchive.pc.
20221218202803_15.0 | Patrick J Volkerding | 2022-12-19 | 1 | -1/+4 |
| * | Sat Dec 17 21:14:11 UTC 2022...patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of
Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for
use between modern clients and servers despite all modern Kerberos
implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy'
would force rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
This is the Samba CVE for the Windows Kerberos Elevation of Privilege
Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission
could forge a more powerful ticket than the one it was presented with.
The "RC4" protection of the NetLogon Secure channel uses the same
algorithms as rc4-hmac cryptography in Kerberos, and so must also be
assumed to be weak.
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed
that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue
rc4-hmac encrypted tickets despite the target server supporting better
encryption (eg aes256-cts-hmac-sha1-96).
Note that there are several important behavior changes included in this
release, which may cause compatibility problems interacting with system
still expecting the former behavior.
Please read the advisories of CVE-2022-37966, CVE-2022-37967 and
CVE-2022-38023 carefully!
For more information, see:
https://www.samba.org/samba/security/CVE-2022-37966.html
https://www.samba.org/samba/security/CVE-2022-37967.html
https://www.samba.org/samba/security/CVE-2022-38023.html
https://www.samba.org/samba/security/CVE-2022-45141.html
https://www.cve.org/CVERecord?id=CVE-2022-37966
https://www.cve.org/CVERecord?id=CVE-2022-37967
https://www.cve.org/CVERecord?id=CVE-2022-38023
https://www.cve.org/CVERecord?id=CVE-2022-45141
(* Security fix *)
20221217211411_15.0 | Patrick J Volkerding | 2022-12-18 | 1 | -2/+2 |
| * | Wed Dec 14 21:19:34 UTC 2022...patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
20221214211934_15.0 | Patrick J Volkerding | 2022-12-15 | 15 | -2/+738 |
| * | Thu Dec 8 22:48:34 UTC 2022...patches/packages/emacs-27.2-x86_64-2_slack15.0.txz: Rebuilt.
GNU Emacs through 28.2 allows attackers to execute commands via shell
metacharacters in the name of a source-code file, because lib-src/etags.c
uses the system C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *" command (suggested in
the ctags documentation) in a situation where the current working directory
has contents that depend on untrusted input.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45939
(* Security fix *)
patches/packages/vim-9.0.1034-x86_64-1_slack15.0.txz: Upgraded.
This update fixes various security issues such as a heap-based buffer
overflow and use after free.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-4141
https://www.cve.org/CVERecord?id=CVE-2022-3591
https://www.cve.org/CVERecord?id=CVE-2022-3520
https://www.cve.org/CVERecord?id=CVE-2022-3491
https://www.cve.org/CVERecord?id=CVE-2022-4292
https://www.cve.org/CVERecord?id=CVE-2022-4293
(* Security fix *)
patches/packages/vim-gvim-9.0.1034-x86_64-1_slack15.0.txz: Upgraded.
20221208224834_15.0 | Patrick J Volkerding | 2022-12-09 | 4 | -0/+9546 |
| * | Mon Dec 5 21:00:46 UTC 2022...patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
20221205210046_15.0 | Patrick J Volkerding | 2022-12-06 | 1 | -688/+25 |
| * | Fri Dec 2 20:58:24 UTC 2022...patches/packages/krusader-2.8.0-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/mozilla-thunderbird-102.5.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.5.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-50/
https://www.cve.org/CVERecord?id=CVE-2022-45414
(* Security fix *)
20221202205824_15.0 | Patrick J Volkerding | 2022-12-03 | 12 | -0/+892 |
| * | Tue Nov 29 20:56:03 UTC 2022...patches/packages/kernel-firmware-20221123_cdf9499-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.63:
https://www.cve.org/CVERecord?id=CVE-2022-3629
https://www.cve.org/CVERecord?id=CVE-2022-3635
https://www.cve.org/CVERecord?id=CVE-2022-3633
https://www.cve.org/CVERecord?id=CVE-2022-3625
Fixed in 5.15.64:
https://www.cve.org/CVERecord?id=CVE-2022-39190
https://www.cve.org/CVERecord?id=CVE-2022-3028
https://www.cve.org/CVERecord?id=CVE-2022-2905
Fixed in 5.15.65:
https://www.cve.org/CVERecord?id=CVE-2022-42703
https://www.cve.org/CVERecord?id=CVE-2022-3176
Fixed in 5.15.66:
https://www.cve.org/CVERecord?id=CVE-2022-4095
https://www.cve.org/CVERecord?id=CVE-2022-20421
Fixed in 5.15.68:
https://www.cve.org/CVERecord?id=CVE-2022-3303
https://www.cve.org/CVERecord?id=CVE-2022-2663
https://www.cve.org/CVERecord?id=CVE-2022-40307
https://www.cve.org/CVERecord?id=CVE-2022-3586
Fixed in 5.15.70:
https://www.cve.org/CVERecord?id=CVE-2022-0171
https://www.cve.org/CVERecord?id=CVE-2022-39842
https://www.cve.org/CVERecord?id=CVE-2022-3061
Fixed in 5.15.72:
https://www.cve.org/CVERecord?id=CVE-2022-2308
Fixed in 5.15.73:
https://www.cve.org/CVERecord?id=CVE-2022-2978
https://www.cve.org/CVERecord?id=CVE-2022-43750
Fixed in 5.15.74:
https://www.cve.org/CVERecord?id=CVE-2022-40768
https://www.cve.org/CVERecord?id=CVE-2022-42721
https://www.cve.org/CVERecord?id=CVE-2022-3621
https://www.cve.org/CVERecord?id=CVE-2022-42722
https://www.cve.org/CVERecord?id=CVE-2022-42719
https://www.cve.org/CVERecord?id=CVE-2022-41674
https://www.cve.org/CVERecord?id=CVE-2022-3649
https://www.cve.org/CVERecord?id=CVE-2022-3646
https://www.cve.org/CVERecord?id=CVE-2022-42720
Fixed in 5.15.75:
https://www.cve.org/CVERecord?id=CVE-2022-43945
https://www.cve.org/CVERecord?id=CVE-2022-41849
https://www.cve.org/CVERecord?id=CVE-2022-3535
https://www.cve.org/CVERecord?id=CVE-2022-3594
https://www.cve.org/CVERecord?id=CVE-2022-2602
https://www.cve.org/CVERecord?id=CVE-2022-41850
https://www.cve.org/CVERecord?id=CVE-2022-3565
https://www.cve.org/CVERecord?id=CVE-2022-3542
Fixed in 5.15.77:
https://www.cve.org/CVERecord?id=CVE-2022-3524
Fixed in 5.15.78:
https://www.cve.org/CVERecord?id=CVE-2022-3628
https://www.cve.org/CVERecord?id=CVE-2022-3623
https://www.cve.org/CVERecord?id=CVE-2022-42896
https://www.cve.org/CVERecord?id=CVE-2022-42895
https://www.cve.org/CVERecord?id=CVE-2022-3543
https://www.cve.org/CVERecord?id=CVE-2022-3564
https://www.cve.org/CVERecord?id=CVE-2022-3619
Fixed in 5.15.80:
https://www.cve.org/CVERecord?id=CVE-2022-3521
https://www.cve.org/CVERecord?id=CVE-2022-3169
(* Security fix *)
patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/openssl-solibs-1.1.1s-x86_64-1_slack15.0.txz: Upgraded.
20221129205603_15.0 | Patrick J Volkerding | 2022-11-30 | 23 | -12/+38 |
| * | Thu Nov 17 20:02:33 UTC 2022...patches/packages/freerdp-2.9.0-x86_64-1_slack15.0.txz: Upgraded.
Fixed multiple client side input validation issues.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-39316
https://www.cve.org/CVERecord?id=CVE-2022-39317
https://www.cve.org/CVERecord?id=CVE-2022-39318
https://www.cve.org/CVERecord?id=CVE-2022-39319
https://www.cve.org/CVERecord?id=CVE-2022-39320
https://www.cve.org/CVERecord?id=CVE-2022-41877
https://www.cve.org/CVERecord?id=CVE-2022-39347
(* Security fix *)
20221117200233_15.0 | Patrick J Volkerding | 2022-11-18 | 1 | -1/+1 |
| * | Thu Nov 17 01:49:28 UTC 2022...patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txz: Rebuilt.
Fixed integer overflows in PAC parsing.
Fixed memory leak in OTP kdcpreauth module.
Fixed PKCS11 module path search.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/mozilla-firefox-102.5.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.5.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-48/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/mozilla-thunderbird-102.5.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz: Upgraded.
Fixed a security issue where Samba's Kerberos libraries and AD DC failed
to guard against integer overflows when parsing a PAC on a 32-bit system,
which allowed an attacker with a forged PAC to corrupt the heap.
For more information, see:
https://www.samba.org/samba/security/CVE-2022-42898.html
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz: Upgraded.
This update fixes regressions in the previous security fix:
mime-settings: Properly quote command parameters.
Revert "Escape characters which do not belong into an URI/URL (Issue #390)."
20221117014928_15.0 | Patrick J Volkerding | 2022-11-17 | 16 | -0/+700 |
| * | Thu Nov 10 19:47:59 UTC 2022...patches/packages/php-7.4.33-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
GD: OOB read due to insufficient input validation in imageloadfont().
Hash: buffer overflow in hash_update() on long parameter.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31630
https://www.cve.org/CVERecord?id=CVE-2022-37454
(* Security fix *)
20221110194759_15.0 | Patrick J Volkerding | 2022-11-11 | 1 | -2/+2 |
| * | Wed Nov 9 22:16:30 UTC 2022...patches/packages/sysstat-12.7.1-x86_64-1_slack15.0.txz: Upgraded.
On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
allocate_structures contains a size_t overflow in sa_common.c. The
allocate_structures function insufficiently checks bounds before arithmetic
multiplication, allowing for an overflow in the size allocated for the
buffer representing system activities.
This issue may lead to Remote Code Execution (RCE).
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-39377
(* Security fix *)
patches/packages/xfce4-settings-4.16.4-x86_64-1_slack15.0.txz: Upgraded.
Fixed an argument injection vulnerability in xfce4-mime-helper.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45062
(* Security fix *)
20221109221630_15.0 | Patrick J Volkerding | 2022-11-10 | 9 | -0/+434 |
| * | Tue Nov 8 22:21:43 UTC 2022...patches/packages/glibc-zoneinfo-2022f-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
patches/packages/mariadb-10.5.18-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://mariadb.com/kb/en/mariadb-10-5-18-release-notes
20221108222143_15.0 | Patrick J Volkerding | 2022-11-09 | 1 | -2/+2 |
| * | Sat Nov 5 19:18:19 UTC 2022...patches/packages/sudo-1.9.12p1-x86_64-1_slack15.0.txz: Upgraded.
Fixed a potential out-of-bounds write for passwords smaller than 8
characters when passwd authentication is enabled.
This does not affect configurations that use other authentication
methods such as PAM, AIX authentication or BSD authentication.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-43995
(* Security fix *)
20221105191819_15.0 | Patrick J Volkerding | 2022-11-06 | 4 | -0/+184 |
| * | Fri Nov 4 19:29:28 UTC 2022...patches/packages/mozilla-thunderbird-102.4.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.4.2/releasenotes/
20221104192928_15.0 | Patrick J Volkerding | 2022-11-05 | 8 | -0/+2050 |
| * | Tue Oct 25 18:38:58 UTC 2022...patches/packages/expat-2.5.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
Fix heap use-after-free after overeager destruction of a shared DTD in
function XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially arbitrary code
execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
(* Security fix *)
patches/packages/samba-4.15.11-x86_64-1_slack15.0.txz: Upgraded.
This update fixes the following security issue:
There is a limited write heap buffer overflow in the GSSAPI unwrap_des()
and unwrap_des3() routines of Heimdal (included in Samba).
For more information, see:
https://www.samba.org/samba/security/CVE-2022-3437.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3437
(* Security fix *)
20221025183858_15.0 | Patrick J Volkerding | 2022-10-26 | 1 | -2/+2 |
| * | Wed Oct 19 20:06:33 UTC 2022...patches/packages/samba-4.15.10-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.samba.org/samba/history/samba-4.15.10.html
20221019200633_15.0 | Patrick J Volkerding | 2022-10-20 | 1 | -2/+2 |
| * | Mon Oct 17 19:31:45 UTC 2022...patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
xquartz: Fix a possible crash when editing the Application menu due
to mutating immutable arrays.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txz: Rebuilt.
xkb: proof GetCountedString against request length attacks.
xkb: fix some possible memleaks in XkbGetKbdByName.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
(* Security fix *)
20221017193145_15.0 | Patrick J Volkerding | 2022-10-18 | 8 | -2/+240 |
| * | Sat Oct 15 20:28:34 UTC 2022...patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz: Upgraded.
Fixed a bug when getting a gzip header extra field with inflateGetHeader().
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
(* Security fix *)
20221015202834_15.0 | Patrick J Volkerding | 2022-10-16 | 2 | -54/+1 |
| * | Sat Oct 8 19:23:31 UTC 2022...patches/packages/libksba-1.6.2-x86_64-1_slack15.0.txz: Upgraded.
Detect a possible overflow directly in the TLV parser.
This patch detects possible integer overflows immmediately when creating
the TI object.
Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
(* Security fix *)
20221008192331_15.0 | Patrick J Volkerding | 2022-10-09 | 3 | -0/+146 |
| * | Wed Oct 5 18:55:36 UTC 2022...patches/packages/dhcp-4.4.3_P1-x86_64-1_slack15.0.txz: Upgraded.
This update fixes two security issues:
Corrected a reference count leak that occurs when the server builds
responses to leasequery packets.
Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63 bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting these issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
(* Security fix *)
20221005185536_15.0 | Patrick J Volkerding | 2022-10-06 | 6 | -0/+291 |
| * | Fri Sep 30 17:52:21 UTC 2022...extra/php80/php80-8.0.24-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
phar wrapper: DOS when using quine gzip file.
Don't mangle HTTP variable names that clash with ones that have a specific
semantic meaning.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
(* Security fix *)
extra/php81/php81-8.1.11-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
phar wrapper: DOS when using quine gzip file.
Don't mangle HTTP variable names that clash with ones that have a specific
semantic meaning.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
(* Security fix *)
patches/packages/mozilla-thunderbird-102.3.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.3.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39236
(* Security fix *)
patches/packages/php-7.4.32-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
phar wrapper: DOS when using quine gzip file.
Don't mangle HTTP variable names that clash with ones that have a specific
semantic meaning.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
(* Security fix *)
patches/packages/seamonkey-2.53.14-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.14
(* Security fix *)
patches/packages/vim-9.0.0623-x86_64-1_slack15.0.txz: Upgraded.
Fixed use-after-free and stack-based buffer overflow.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3324
(* Security fix *)
patches/packages/vim-gvim-9.0.0623-x86_64-1_slack15.0.txz: Upgraded.
20220930175221_15.0 | Patrick J Volkerding | 2022-10-01 | 1 | -2/+2 |
| * | Wed Sep 28 18:59:51 UTC 2022...patches/packages/xorg-server-xwayland-21.1.4-x86_64-2_slack15.0.txz: Rebuilt.
xkb: switch to array index loops to moving pointers.
xkb: add request length validation for XkbSetGeometry.
xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
I hadn't realized that the xorg-server patches were needed (or applied
cleanly) to Xwayland. Thanks to LuckyCyborg for the kind reminder. :-)
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
(* Security fix *)
20220928185951_15.0 | Patrick J Volkerding | 2022-09-29 | 5 | -0/+615 |
| * | Mon Sep 26 19:43:54 UTC 2022...patches/packages/dnsmasq-2.87-x86_64-1_slack15.0.txz: Upgraded.
Fix write-after-free error in DHCPv6 server code.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
(* Security fix *)
patches/packages/vim-9.0.0594-x86_64-1_slack15.0.txz: Upgraded.
Fixed stack-based buffer overflow.
Thanks to marav for the heads-up.
In addition, Mig21 pointed out an issue where the defaults.vim file might
need to be edited for some purposes as its contents will override the
settings in the system-wide vimrc. Usually this file is replaced whenever
vim is upgraded, which in those situations would be inconvenient for the
admin. So, I've added support for a file named defaults.vim.custom which
(if it exists) will be used instead of the defaults.vim file shipped in
the package and will persist through upgrades.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3296
(* Security fix *)
patches/packages/vim-gvim-9.0.0594-x86_64-1_slack15.0.txz: Upgraded.
20220926194354_15.0 | Patrick J Volkerding | 2022-09-27 | 8 | -16/+270 |
| * | Thu Sep 22 19:50:20 UTC 2022...patches/packages/ca-certificates-20220922-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
20220922195020_15.0 | Patrick J Volkerding | 2022-09-23 | 1 | -164/+581 |
| * | Wed Sep 21 19:19:07 UTC 2022...patches/packages/cups-2.4.2-x86_64-3_slack15.0.txz: Rebuilt.
Fixed crash when using the CUPS web setup interface:
[PATCH] Fix OpenSSL crash bug - "tls" pointer wasn't cleared after freeing
it (Issue #409).
Thanks to MisterL, bryjen, and kjhambrick.
Fixed an OpenSSL certificate loading issue:
[PATCH] The OpenSSL code path wasn't loading the full certificate
chain (Issue #465).
Thanks to tmmukunn.
20220921191907_15.0 | Patrick J Volkerding | 2022-09-22 | 3 | -1/+80 |
| * | Tue Sep 20 22:50:28 UTC 2022...patches/packages/expat-2.4.9-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
Heap use-after-free vulnerability in function doContent. Expected impact is
denial of service or potentially arbitrary code execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
(* Security fix *)
patches/packages/mozilla-firefox-102.3.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.3.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-41/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40962
(* Security fix *)
patches/packages/mozilla-thunderbird-102.3.0-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.3.0/releasenotes/
20220920225028_15.0 | Patrick J Volkerding | 2022-09-21 | 22 | -0/+62230 |
| * | Tue Sep 6 20:21:24 UTC 2022...extra/rust-for-mozilla/rust-1.60.0-x86_64-1_slack15.0.txz: Upgraded.
Upgraded the Rust compiler for Firefox 102.2.0 and Thunderbird 102.2.1.
patches/packages/mozilla-firefox-102.2.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.2.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-34/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
(* Security fix *)
patches/packages/mozilla-thunderbird-102.2.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
Some accounts may need to be reconfigured after moving from
Thunderbird 91.13.0 to Thunderbird 102.2.1.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.2.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059
(* Security fix *)
patches/packages/vim-9.0.0396-x86_64-1_slack15.0.txz: Upgraded.
Fixed use after free.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3099
(* Security fix *)
patches/packages/vim-gvim-9.0.0396-x86_64-1_slack15.0.txz: Upgraded.
20220906202124_15.0 | Patrick J Volkerding | 2022-09-07 | 5 | -5/+46 |
| * | Thu Sep 1 20:01:13 UTC 2022...patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz: Rebuilt.
[PATCH] JBIG2Stream: Fix crash on broken file.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860
(* Security fix *)
20220901200113_15.0 | Patrick J Volkerding | 2022-09-02 | 3 | -0/+195 |
| * | Fri Aug 26 04:02:20 UTC 2022...patches/packages/linux-5.15.63/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.39:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1734
Fixed in 5.15.40:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1943
Fixed in 5.15.41:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012
Fixed in 5.15.42:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21499
Fixed in 5.15.44:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
Fixed in 5.15.45:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
Fixed in 5.15.46:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1973
Fixed in 5.15.47:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32981
Fixed in 5.15.48:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123
Fixed in 5.15.53:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33744
Fixed in 5.15.54:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
Fixed in 5.15.56:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123
Fixed in 5.15.57:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901
Fixed in 5.15.58:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879
Fixed in 5.15.59:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
Fixed in 5.15.60:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26373
Fixed in 5.15.61:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588
(* Security fix *)
patches/packages/vim-9.0.0270-x86_64-1_slack15.0.txz: Upgraded.
We're just going to move to vim-9 instead of continuing to backport patches
to the vim-8 branch. Most users will be better served by this.
Fixed use after free and null pointer dereference.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2923
(* Security fix *)
patches/packages/vim-gvim-9.0.0270-x86_64-1_slack15.0.txz: Upgraded.
20220826040220_15.0 | Patrick J Volkerding | 2022-08-27 | 6 | -387/+4 |
| * | Tue Aug 23 19:27:56 UTC 2022...extra/sendmail/sendmail-8.17.1-x86_64-3_slack15.0.txz: Rebuilt.
In recent versions of glibc, USE_INET6 has been removed which caused sendmail
to reject mail from IPv6 addresses. Adding -DHAS_GETHOSTBYNNAME2=1 to the
site.config.m4 allows the reverse lookups to work again fixing this issue.
Thanks to talo.
extra/sendmail/sendmail-cf-8.17.1-noarch-3_slack15.0.txz: Rebuilt.
patches/packages/hunspell-1.7.1-x86_64-1_slack15.0.txz: Upgraded.
Fixed invalid read operation in SuggestMgr::leftcommonsubstring
in suggestmgr.cxx.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16707
(* Security fix *)
patches/packages/mozilla-firefox-91.13.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/91.13.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-35/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
(* Security fix *)
patches/packages/mozilla-thunderbird-91.13.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/91.13.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-37/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
(* Security fix *)
20220823192756_15.0 | Patrick J Volkerding | 2022-08-24 | 5 | -4/+168 |
| * | Sat Aug 20 20:04:15 UTC 2022...patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txz: Rebuilt.
Fix use after free.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2889
(* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txz: Rebuilt.
20220820200415_15.0 | Patrick J Volkerding | 2022-08-21 | 3 | -2/+240 |
| * | Wed Aug 17 20:41:53 UTC 2022...patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txz: Rebuilt.
Fix use after free, out-of-bounds read, and heap based buffer overflow.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
(* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txz: Rebuilt.
20220817204153_15.0 | Patrick J Volkerding | 2022-08-18 | 5 | -2/+147 |
| * | Mon Aug 15 20:23:47 UTC 2022...patches/packages/rsync-3.2.5-x86_64-1_slack15.0.txz: Upgraded.
Added some file-list safety checking that helps to ensure that a rogue
sending rsync can't add unrequested top-level names and/or include recursive
names that should have been excluded by the sender. These extra safety
checks only require the receiver rsync to be updated. When dealing with an
untrusted sending host, it is safest to copy into a dedicated destination
directory for the remote content (i.e. don't copy into a destination
directory that contains files that aren't from the remote host unless you
trust the remote host).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
(* Security fix *)
20220815202347_15.0 | Patrick J Volkerding | 2022-08-16 | 2 | -0/+139 |
| * | Tue Aug 9 19:25:22 UTC 2022...patches/packages/zlib-1.2.12-x86_64-2_slack15.0.txz: Rebuilt.
This is a bugfix update.
Applied an upstream patch to restore the handling of CRC inputs to be the
same as in previous releases of zlib. This fixes an issue with OpenJDK.
Thanks to alienBOB.
20220809192522_15.0 | Patrick J Volkerding | 2022-08-10 | 2 | -1/+54 |
| * | Fri Jul 29 19:59:03 UTC 2022...patches/packages/gnutls-3.7.7-x86_64-1_slack15.0.txz: Upgraded.
libgnutls: Fixed double free during verification of pkcs7 signatures.
Reported by Jaak Ristioja.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2509
(* Security fix *)
20220729195903_15.0 | Patrick J Volkerding | 2022-07-30 | 2 | -0/+187 |
| * | Wed Jul 27 19:17:38 UTC 2022...patches/packages/samba-4.15.9-x86_64-1_slack15.0.txz: Upgraded.
This update fixes the following security issues:
Samba AD users can bypass certain restrictions associated with changing
passwords.
Samba AD users can forge password change requests for any user.
Samba AD users can crash the server process with an LDAP add or modify
request.
Samba AD users can induce a use-after-free in the server process with an
LDAP add or modify request.
Server memory information leak via SMB1.
For more information, see:
https://www.samba.org/samba/security/CVE-2022-2031.html
https://www.samba.org/samba/security/CVE-2022-32744.html
https://www.samba.org/samba/security/CVE-2022-32745.html
https://www.samba.org/samba/security/CVE-2022-32746.html
https://www.samba.org/samba/security/CVE-2022-32742.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742
(* Security fix *)
20220727191738_15.0 | Patrick J Volkerding | 2022-07-28 | 1 | -2/+2 |
| * | Mon Jul 25 20:53:49 UTC 2022...patches/packages/mozilla-firefox-91.12.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/91.12.0/releasenotes/
(* Security fix *)
patches/packages/perl-5.34.0-x86_64-2_slack15.0.txz: Rebuilt.
This is a bugfix release.
Upgraded: Devel-CheckLib-1.16, IO-Socket-SSL-2.074, Net-SSLeay-1.92,
Path-Tiny-0.122, Template-Toolkit-3.100, URI-5.12, libnet-3.14.
Added a symlink to libperl.so in /usr/${LIBDIRSUFFIX} since net-snmp (and
possibly other programs) might have trouble linking with it since it's not
in the LD_LIBRARY_PATH. Thanks to oneforall.
20220725205349_15.0 | Patrick J Volkerding | 2022-07-26 | 5 | -0/+642 |
| * | Thu Jul 21 18:13:18 UTC 2022...patches/packages/net-snmp-5.9.3-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause
an out-of-bounds memory access.
A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL
pointer dereference.
Improper Input Validation when SETing malformed OIDs in master agent and
subagent simultaneously.
A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
can cause an out-of-bounds memory access.
A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a
NULL pointer dereference.
A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer
dereference.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24810
(* Security fix *)
20220721181318_15.0 | Patrick J Volkerding | 2022-07-22 | 12 | -0/+949 |
| * | Wed Jul 13 19:56:59 UTC 2022...patches/packages/xorg-server-1.20.14-x86_64-3_slack15.0.txz: Rebuilt.
xkb: switch to array index loops to moving pointers.
xkb: add request length validation for XkbSetGeometry.
xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-3_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-3_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-3_slack15.0.txz: Rebuilt.
20220713195659_15.0 | Patrick J Volkerding | 2022-07-14 | 26 | -0/+2098 |
| * | Sun Jul 10 18:49:34 UTC 2022...patches/packages/wavpack-5.5.0-x86_64-1_slack15.0.txz: Upgraded.
WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially
crafted DSD file causes an out-of-bounds read exception.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
(* Security fix *)
20220710184934_15.0 | Patrick J Volkerding | 2022-07-11 | 3 | -0/+159 |
| * | Thu Jul 7 23:03:01 UTC 2022...patches/packages/gnupg2-2.2.36-x86_64-1_slack15.0.txz: Upgraded.
g10: Fix possibly garbled status messages in NOTATION_DATA. This bug could
trick GPGME and other parsers to accept faked status lines.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34903
(* Security fix *)
extra/php81/php81-8.1.8-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and a security issue:
Fileinfo: Fixed bug #81723 (Heap buffer overflow in finfo_buffer).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31627
(* Security fix *)
20220707230301_15.0 | Patrick J Volkerding | 2022-07-08 | 2 | -0/+160 |
| * | Fri Jul 1 01:23:50 UTC 2022...patches/packages/mozilla-thunderbird-91.11.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/91.11.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34484
(* Security fix *)
20220701012350_15.0 | Patrick J Volkerding | 2022-07-01 | 1 | -1/+4 |
| * | Tue Jun 28 19:16:08 UTC 2022...patches/packages/curl-7.84.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Set-Cookie denial of service.
HTTP compression denial of service.
Unpreserved file permissions.
FTP-KRB bad message verification.
For more information, see:
https://curl.se/docs/CVE-2022-32205.html
https://curl.se/docs/CVE-2022-32206.html
https://curl.se/docs/CVE-2022-32207.html
https://curl.se/docs/CVE-2022-32208.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
(* Security fix *)
patches/packages/mozilla-firefox-91.11.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/91.11.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-25/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34484
(* Security fix *)
20220628191608_15.0 | Patrick J Volkerding | 2022-06-29 | 1 | -1/+2 |
| * | Thu Jun 23 05:30:51 UTC 2022...patches/packages/ca-certificates-20220622-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/openssl-1.1.1p-x86_64-1_slack15.0.txz: Upgraded.
In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were
found by code review.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
For more information, see:
https://www.openssl.org/news/secadv/20220621.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
(* Security fix *)
patches/packages/openssl-solibs-1.1.1p-x86_64-1_slack15.0.txz: Upgraded.
20220623053051_15.0 | Patrick J Volkerding | 2022-06-24 | 1 | -158/+1138 |
| * | Mon Jun 13 21:02:58 UTC 2022...patches/packages/php-7.4.30-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
mysqlnd/pdo password buffer overflow.
Uninitialized array in pg_query_params().
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
(* Security fix *)
extra/php80/php80-8.0.20-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
mysqlnd/pdo password buffer overflow.
Uninitialized array in pg_query_params().
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
(* Security fix *)
extra/php81/php81-8.1.7-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
mysqlnd/pdo password buffer overflow.
Uninitialized array in pg_query_params().
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
(* Security fix *)
20220613210258_15.0 | Patrick J Volkerding | 2022-06-14 | 1 | -2/+2 |
| * | Thu May 26 18:27:32 UTC 2022...patches/packages/cups-2.4.2-x86_64-1_slack15.0.txz: Upgraded.
Fixed certificate strings comparison for Local authorization.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
(* Security fix *)
20220526182732_15.0 | Patrick J Volkerding | 2022-05-27 | 4 | -0/+261 |
| * | Sat May 21 19:30:02 UTC 2022...patches/packages/mariadb-10.5.16-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and several security issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27378
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27382
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27455
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27458
(* Security fix *)
20220521193002_15.0 | Patrick J Volkerding | 2022-05-22 | 1 | -1/+1 |
Patrick J Volkerding