| Commit message (Expand) | Author | Files | Lines |
2023-03-25 | Fri Mar 24 19:42:46 UTC 2023...patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
patches/packages/tar-1.34-x86_64-2_slack15.0.txz: Rebuilt.
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
of uninitialized memory for a conditional jump. Exploitation to change the
flow of control has not been demonstrated. The issue occurs in from_header
in list.c via a V7 archive in which mtime has approximately 11 whitespace
characters.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-48303
(* Security fix *)
20230324194246_15.0 | Patrick J Volkerding | 11 | -69/+445 |
2023-03-21 | Mon Mar 20 18:26:23 UTC 2023...patches/packages/curl-8.0.1-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
SSH connection too eager reuse still.
HSTS double-free.
GSS delegation too eager connection re-use.
FTP too eager connection reuse.
SFTP path ~ resolving discrepancy.
TELNET option IAC injection.
For more information, see:
https://curl.se/docs/CVE-2023-27538.html
https://curl.se/docs/CVE-2023-27537.html
https://curl.se/docs/CVE-2023-27536.html
https://curl.se/docs/CVE-2023-27535.html
https://curl.se/docs/CVE-2023-27534.html
https://curl.se/docs/CVE-2023-27533.html
https://www.cve.org/CVERecord?id=CVE-2023-27538
https://www.cve.org/CVERecord?id=CVE-2023-27537
https://www.cve.org/CVERecord?id=CVE-2023-27536
https://www.cve.org/CVERecord?id=CVE-2023-27535
https://www.cve.org/CVERecord?id=CVE-2023-27534
https://www.cve.org/CVERecord?id=CVE-2023-27533
(* Security fix *)
patches/packages/vim-9.0.1418-x86_64-1_slack15.0.txz: Upgraded.
Fixed security issues:
NULL pointer dereference issue in utfc_ptr2len.
Incorrect Calculation of Buffer Size.
Heap-based Buffer Overflow.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-1264
https://www.cve.org/CVERecord?id=CVE-2023-1175
https://www.cve.org/CVERecord?id=CVE-2023-1170
(* Security fix *)
patches/packages/vim-gvim-9.0.1418-x86_64-1_slack15.0.txz: Upgraded.
20230320182623_15.0 | Patrick J Volkerding | 6 | -30/+110 |
2023-03-17 | Thu Mar 16 23:34:56 UTC 2023...patches/packages/bind-9.16.39-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/mozilla-thunderbird-102.9.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/
https://www.cve.org/CVERecord?id=CVE-2023-25751
https://www.cve.org/CVERecord?id=CVE-2023-28164
https://www.cve.org/CVERecord?id=CVE-2023-28162
https://www.cve.org/CVERecord?id=CVE-2023-25752
https://www.cve.org/CVERecord?id=CVE-2023-28163
https://www.cve.org/CVERecord?id=CVE-2023-28176
(* Security fix *)
patches/packages/openssh-9.3p1-x86_64-1_slack15.0.txz: Upgraded.
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
For more information, see:
https://www.openssh.com/txt/release-9.3
(* Security fix *)
testing/packages/bind-9.18.13-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20230316233456_15.0 | Patrick J Volkerding | 6 | -67/+121 |
2023-03-15 | Tue Mar 14 20:42:47 UTC 2023...patches/packages/mozilla-firefox-102.9.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-10
https://www.cve.org/CVERecord?id=CVE-2023-25751
https://www.cve.org/CVERecord?id=CVE-2023-28164
https://www.cve.org/CVERecord?id=CVE-2023-28162
https://www.cve.org/CVERecord?id=CVE-2023-25752
https://www.cve.org/CVERecord?id=CVE-2023-28163
https://www.cve.org/CVERecord?id=CVE-2023-28176
(* Security fix *)
20230314204247_15.0 | Patrick J Volkerding | 7 | -45/+80 |
2023-03-09 | Wed Mar 8 20:26:54 UTC 2023...patches/packages/httpd-2.4.56-x86_64-1_slack15.0.txz: Upgraded.
This update fixes two security issues:
HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
For more information, see:
https://downloads.apache.org/httpd/CHANGES_2.4.56
https://www.cve.org/CVERecord?id=CVE-2023-27522
https://www.cve.org/CVERecord?id=CVE-2023-25690
(* Security fix *)
20230308202654_15.0 | Patrick J Volkerding | 5 | -25/+55 |
2023-03-07 | Mon Mar 6 20:18:10 UTC 2023...patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20230306201810_15.0 | Patrick J Volkerding | 4 | -21/+37 |
2023-03-06 | Mon Mar 6 02:21:57 UTC 2023...patches/packages/xscreensaver-6.06-x86_64-1_slack15.0.txz: Upgraded.
Here's an upgrade to the latest xscreensaver.
20230306022157_15.0 | Patrick J Volkerding | 15 | -86/+1417 |
2023-03-01 | Tue Feb 28 21:33:32 UTC 2023...patches/packages/whois-5.5.16-x86_64-1_slack15.0.txz: Upgraded.
Add bash completion support, courtesy of Ville Skytta.
Updated the .tr TLD server.
Removed support for -metu NIC handles.
20230228213332_15.0 | Patrick J Volkerding | 5 | -23/+46 |
2023-02-21 | Mon Feb 20 19:41:06 UTC 2023...patches/packages/curl-7.88.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20230220194106_15.0 | Patrick J Volkerding | 4 | -24/+40 |
2023-02-18 | Sat Feb 18 02:04:34 UTC 2023...patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.81:
https://www.cve.org/CVERecord?id=CVE-2022-47519
https://www.cve.org/CVERecord?id=CVE-2022-47518
https://www.cve.org/CVERecord?id=CVE-2022-47520
https://www.cve.org/CVERecord?id=CVE-2022-47521
https://www.cve.org/CVERecord?id=CVE-2022-3344
Fixed in 5.15.82:
https://www.cve.org/CVERecord?id=CVE-2022-45869
https://www.cve.org/CVERecord?id=CVE-2022-4378
Fixed in 5.15.83:
https://www.cve.org/CVERecord?id=CVE-2022-3643
Fixed in 5.15.84:
https://www.cve.org/CVERecord?id=CVE-2022-3545
Fixed in 5.15.85:
https://www.cve.org/CVERecord?id=CVE-2022-45934
Fixed in 5.15.86:
https://www.cve.org/CVERecord?id=CVE-2022-3534
https://www.cve.org/CVERecord?id=CVE-2022-3424
Fixed in 5.15.87:
https://www.cve.org/CVERecord?id=CVE-2022-41218
https://www.cve.org/CVERecord?id=CVE-2023-23455
https://www.cve.org/CVERecord?id=CVE-2023-23454
https://www.cve.org/CVERecord?id=CVE-2023-0045
https://www.cve.org/CVERecord?id=CVE-2023-0210
https://www.cve.org/CVERecord?id=CVE-2022-36280
Fixed in 5.15.88:
https://www.cve.org/CVERecord?id=CVE-2023-0266
https://www.cve.org/CVERecord?id=CVE-2022-47929
Fixed in 5.15.89:
https://www.cve.org/CVERecord?id=CVE-2023-0179
https://www.cve.org/CVERecord?id=CVE-2023-0394
Fixed in 5.15.90:
https://www.cve.org/CVERecord?id=CVE-2022-4382
https://www.cve.org/CVERecord?id=CVE-2022-4842
Fixed in 5.15.91:
https://www.cve.org/CVERecord?id=CVE-2022-4129
https://www.cve.org/CVERecord?id=CVE-2023-23559
(* Security fix *)
20230218020434_15.0 | Patrick J Volkerding | 31 | -66/+178 |
2023-02-17 | Thu Feb 16 22:07:06 UTC 2023...patches/packages/mozilla-thunderbird-102.8.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
https://www.cve.org/CVERecord?id=CVE-2023-0616
https://www.cve.org/CVERecord?id=CVE-2023-25728
https://www.cve.org/CVERecord?id=CVE-2023-25730
https://www.cve.org/CVERecord?id=CVE-2023-0767
https://www.cve.org/CVERecord?id=CVE-2023-25735
https://www.cve.org/CVERecord?id=CVE-2023-25737
https://www.cve.org/CVERecord?id=CVE-2023-25738
https://www.cve.org/CVERecord?id=CVE-2023-25739
https://www.cve.org/CVERecord?id=CVE-2023-25729
https://www.cve.org/CVERecord?id=CVE-2023-25732
https://www.cve.org/CVERecord?id=CVE-2023-25734
https://www.cve.org/CVERecord?id=CVE-2023-25742
https://www.cve.org/CVERecord?id=CVE-2023-25746
(* Security fix *)
20230216220706_15.0 | Patrick J Volkerding | 4 | -22/+72 |
2023-02-16 | Wed Feb 15 19:48:10 UTC 2023...patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
HTTP multi-header compression denial of service.
HSTS amnesia with --parallel.
HSTS ignored on multiple requests.
For more information, see:
https://curl.se/docs/CVE-2023-23916.html
https://curl.se/docs/CVE-2023-23915.html
https://curl.se/docs/CVE-2023-23914.html
https://www.cve.org/CVERecord?id=CVE-2023-23916
https://www.cve.org/CVERecord?id=CVE-2023-23915
https://www.cve.org/CVERecord?id=CVE-2023-23914
(* Security fix *)
patches/packages/git-2.35.7-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-22490
https://www.cve.org/CVERecord?id=CVE-2023-23946
(* Security fix *)
20230215194810_15.0 | Patrick J Volkerding | 7 | -32/+106 |
2023-02-16 | Wed Feb 15 03:05:40 UTC 2023...extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
patches/packages/hwdata-0.367-noarch-1_slack15.0.txz: Upgraded.
Upgraded to get information for newer hardware.
Requested by kingbeowulf on LQ.
patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
https://www.cve.org/CVERecord?id=CVE-2023-25728
https://www.cve.org/CVERecord?id=CVE-2023-25730
https://www.cve.org/CVERecord?id=CVE-2023-25743
https://www.cve.org/CVERecord?id=CVE-2023-0767
https://www.cve.org/CVERecord?id=CVE-2023-25735
https://www.cve.org/CVERecord?id=CVE-2023-25737
https://www.cve.org/CVERecord?id=CVE-2023-25738
https://www.cve.org/CVERecord?id=CVE-2023-25739
https://www.cve.org/CVERecord?id=CVE-2023-25729
https://www.cve.org/CVERecord?id=CVE-2023-25732
https://www.cve.org/CVERecord?id=CVE-2023-25734
https://www.cve.org/CVERecord?id=CVE-2023-25742
https://www.cve.org/CVERecord?id=CVE-2023-25746
(* Security fix *)
patches/packages/php-7.4.33-x86_64-3_slack15.0.txz: Rebuilt.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
20230215030540_15.0 | Patrick J Volkerding | 13 | -103/+1002 |
2023-02-11 | Fri Feb 10 20:08:41 UTC 2023...patches/packages/gnutls-3.7.9-x86_64-1_slack15.0.txz: Upgraded.
libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
[GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0361
(* Security fix *)
20230210200841_15.0 | Patrick J Volkerding | 4 | -22/+48 |
2023-02-09 | Thu Feb 9 00:59:27 UTC 2023...patches/packages/mozilla-thunderbird-102.7.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.7.2/releasenotes/
20230209005927_15.0 | Patrick J Volkerding | 4 | -24/+44 |
2023-02-08 | Tue Feb 7 20:48:57 UTC 2023...patches/packages/openssl-1.1.1t-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
X.400 address type confusion in X.509 GeneralName.
Timing Oracle in RSA Decryption.
Use-after-free following BIO_new_NDEF.
Double free after calling PEM_read_bio_ex.
For more information, see:
https://www.openssl.org/news/secadv/20230207.txt
https://www.cve.org/CVERecord?id=CVE-2023-0286
https://www.cve.org/CVERecord?id=CVE-2022-4304
https://www.cve.org/CVERecord?id=CVE-2023-0215
https://www.cve.org/CVERecord?id=CVE-2022-4450
(* Security fix *)
patches/packages/openssl-solibs-1.1.1t-x86_64-1_slack15.0.txz: Upgraded.
patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
[PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
Also merged another patch to prevent crashes when using a compositor with
the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0494
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txz: Rebuilt.
[PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
Also merged another patch to prevent crashes when using a compositor with
the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0494
(* Security fix *)
20230207204857_15.0 | Patrick J Volkerding | 18 | -3232/+3482 |
2023-02-03 | Thu Feb 2 22:52:48 UTC 2023...patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded.
This release contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable, but
upstream reports most network-reachable memory faults as security bugs.
This update contains some potentially incompatible changes regarding the
scp utility. For more information, see:
https://www.openssh.com/releasenotes.html#9.0
For more information, see:
https://www.openssh.com/releasenotes.html#9.2
(* Security fix *)
20230202225248_15.0 | Patrick J Volkerding | 14 | -55/+642 |
2023-02-02 | Wed Feb 1 22:27:31 UTC 2023...patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Integer Overflow or Wraparound vulnerability in apr_encode functions of
Apache Portable Runtime (APR) allows an attacker to write beyond bounds
of a buffer. (CVE-2022-24963)
Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
(This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
later 1.6.x releases, but was missing in 1.7.0.) (CVE-2021-35940)
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-24963
https://www.cve.org/CVERecord?id=CVE-2021-35940
https://www.cve.org/CVERecord?id=CVE-2017-12613
(* Security fix *)
patches/packages/apr-util-1.6.3-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
Integer Overflow or Wraparound vulnerability in apr_base64 functions
of Apache Portable Runtime Utility (APR-util) allows an attacker to
write beyond bounds of a buffer. (CVE-2022-25147)
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-25147
(* Security fix *)
patches/packages/mozilla-thunderbird-102.7.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.7.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-04/
https://www.cve.org/CVERecord?id=CVE-2023-0430
(* Security fix *)
20230201222731_15.0 | Patrick J Volkerding | 12 | -73/+470 |
2023-01-26 | Thu Jan 26 00:34:41 UTC 2023...patches/packages/bind-9.16.37-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and the following security issues:
An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100).
:iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
non-zero value. This has been fixed.
:iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
For more information, see:
https://kb.isc.org/docs/cve-2022-3094
https://kb.isc.org/docs/cve-2022-3736
https://kb.isc.org/docs/cve-2022-3924
https://www.cve.org/CVERecord?id=CVE-2022-3094
https://www.cve.org/CVERecord?id=CVE-2022-3736
https://www.cve.org/CVERecord?id=CVE-2022-3924
(* Security fix *)
patches/packages/vim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded.
Fixed a security issue:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0433
(* Security fix *)
patches/packages/vim-gvim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded.
testing/packages/bind-9.18.11-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and the following security issues:
An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100).
:iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
non-zero value. This has been fixed.
:iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
For more information, see:
https://kb.isc.org/docs/cve-2022-3094
https://kb.isc.org/docs/cve-2022-3736
https://kb.isc.org/docs/cve-2022-3924
https://www.cve.org/CVERecord?id=CVE-2022-3094
https://www.cve.org/CVERecord?id=CVE-2022-3736
https://www.cve.org/CVERecord?id=CVE-2022-3924
(* Security fix *)
20230126003441_15.0 | Patrick J Volkerding | 6 | -51/+167 |
2023-01-21 | Fri Jan 20 23:58:24 UTC 2023...patches/packages/mozilla-thunderbird-102.7.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.7.0/releasenotes/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird102.7
(* Security fix *)
patches/packages/seamonkey-2.53.15-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.15
(* Security fix *)
20230120235824_15.0 | Patrick J Volkerding | 5 | -29/+63 |
2023-01-19 | Thu Jan 19 00:40:12 UTC 2023...patches/packages/sudo-1.9.12p2-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow
a malicious user with sudoedit privileges to edit arbitrary files.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-22809
(* Security fix *)
20230119004012_15.0 | Patrick J Volkerding | 19 | -104/+1211 |
2023-01-14 | Fri Jan 13 20:29:55 UTC 2023...patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz: Upgraded.
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow
resulting in code execution via a crafted .appl file.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45188
(* Security fix *)
20230113202955_15.0 | Patrick J Volkerding | 10 | -48/+358 |
2023-01-11 | Tue Jan 10 21:32:00 UTC 2023...patches/packages/ca-certificates-20221205-noarch-2_slack15.0.txz: Rebuilt.
Make sure that if we're installing this package on another partition (such as
when using installpkg with a --root parameter) that the updates are done on
that partition. Thanks to fulalas.
20230110213200_15.0 | Patrick J Volkerding | 6 | -24/+48 |
2023-01-07 | Sat Jan 7 01:50:00 UTC 2023...extra/php80/php80-8.0.27-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
extra/php81/php81-8.1.14-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
patches/packages/mozilla-nss-3.87-x86_64-1_slack15.0.txz: Upgraded.
Fixed memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures.
For more information, see:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
https://www.cve.org/CVERecord?id=CVE-2021-43527
(* Security fix *)
patches/packages/php-7.4.33-x86_64-2_slack15.0.txz: Rebuilt.
This update fixes a security issue:
PDO::quote() may return unquoted string.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31631
(* Security fix *)
20230107015000_15.0 | Patrick J Volkerding | 12 | -88/+176 |
2023-01-06 | Thu Jan 5 03:09:24 UTC 2023...patches/packages/vim-9.0.1146-x86_64-1_slack15.0.txz: Upgraded.
Fixed security issues:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0049
https://www.cve.org/CVERecord?id=CVE-2023-0051
(* Security fix *)
patches/packages/vim-gvim-9.0.1146-x86_64-1_slack15.0.txz: Upgraded.
20230105030924_15.0 | Patrick J Volkerding | 5 | -24/+54 |
2023-01-04 | Wed Jan 4 02:18:08 UTC 2023...patches/packages/libtiff-4.4.0-x86_64-1_slack15.0.txz: Upgraded.
Patched various security bugs.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-2056
https://www.cve.org/CVERecord?id=CVE-2022-2057
https://www.cve.org/CVERecord?id=CVE-2022-2058
https://www.cve.org/CVERecord?id=CVE-2022-3970
https://www.cve.org/CVERecord?id=CVE-2022-34526
(* Security fix *)
patches/packages/rxvt-unicode-9.26-x86_64-3_slack15.0.txz: Rebuilt.
When the "background" extension was loaded, an attacker able to control the
data written to the terminal would be able to execute arbitrary code as the
terminal's user. Thanks to David Leadbeater and Ben Collver.
For more information, see:
https://www.openwall.com/lists/oss-security/2022/12/05/1
https://www.cve.org/CVERecord?id=CVE-2022-4170
(* Security fix *)
patches/packages/whois-5.5.15-x86_64-1_slack15.0.txz: Upgraded.
Updated the .bd, .nz and .tv TLD servers.
Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
Updated the .ac.uk and .gov.uk SLD servers.
Recursion has been enabled for whois.nic.tv.
Updated the list of new gTLDs with four generic TLDs assigned in October 2013
which were missing due to a bug.
Removed 4 new gTLDs which are no longer active.
Added the Georgian translation, contributed by Temuri Doghonadze.
Updated the Finnish translation, contributed by Lauri Nurmi.
20230104021808_15.0 | Patrick J Volkerding | 20 | -112/+2057 |
2022-12-23 | Fri Dec 23 02:37:47 UTC 2022...testing/packages/bind-9.18.10-x86_64-1_slack15.0.txz: Upgraded.
20221223023747_15.0 | Patrick J Volkerding | 6 | -54/+104 |
2022-12-21 | Tue Dec 20 20:40:18 UTC 2022...patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz: Upgraded.
Fix another integer overflow in the CRL's signature parser.
(* Security fix *)
patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz: Rebuilt.
This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
By crafting a malicious .BMP file, an attacker can cause the application
using this library to crash, denial of service, or code execution.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-33657
(* Security fix *)
20221220204018_15.0 | Patrick J Volkerding | 13 | -76/+610 |
2022-12-20 | Mon Dec 19 21:18:22 UTC 2022...patches/packages/xorg-server-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
This release fixes an invalid event type mask in XTestSwapFakeInput which
was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
for CVE-2022-46340.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes an invalid event type mask in XTestSwapFakeInput which
was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
for CVE-2022-46340.
20221219211822_15.0 | Patrick J Volkerding | 14 | -47/+115 |
2022-12-19 | Sun Dec 18 20:28:03 UTC 2022...patches/packages/libarchive-3.6.2-x86_64-2_slack15.0.txz: Rebuilt.
This update fixes a regression causing a failure to compile against
libarchive: don't include iconv in libarchive.pc.
20221218202803_15.0 | Patrick J Volkerding | 5 | -21/+42 |
2022-12-18 | Sat Dec 17 21:14:11 UTC 2022...patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of
Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for
use between modern clients and servers despite all modern Kerberos
implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy'
would force rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
This is the Samba CVE for the Windows Kerberos Elevation of Privilege
Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission
could forge a more powerful ticket than the one it was presented with.
The "RC4" protection of the NetLogon Secure channel uses the same
algorithms as rc4-hmac cryptography in Kerberos, and so must also be
assumed to be weak.
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed
that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue
rc4-hmac encrypted tickets despite the target server supporting better
encryption (eg aes256-cts-hmac-sha1-96).
Note that there are several important behavior changes included in this
release, which may cause compatibility problems interacting with system
still expecting the former behavior.
Please read the advisories of CVE-2022-37966, CVE-2022-37967 and
CVE-2022-38023 carefully!
For more information, see:
https://www.samba.org/samba/security/CVE-2022-37966.html
https://www.samba.org/samba/security/CVE-2022-37967.html
https://www.samba.org/samba/security/CVE-2022-38023.html
https://www.samba.org/samba/security/CVE-2022-45141.html
https://www.cve.org/CVERecord?id=CVE-2022-37966
https://www.cve.org/CVERecord?id=CVE-2022-37967
https://www.cve.org/CVERecord?id=CVE-2022-38023
https://www.cve.org/CVERecord?id=CVE-2022-45141
(* Security fix *)
20221217211411_15.0 | Patrick J Volkerding | 5 | -25/+113 |
2022-12-15 | Wed Dec 14 21:19:34 UTC 2022...patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
https://www.cve.org/CVERecord?id=CVE-2022-46880
https://www.cve.org/CVERecord?id=CVE-2022-46872
https://www.cve.org/CVERecord?id=CVE-2022-46881
https://www.cve.org/CVERecord?id=CVE-2022-46874
https://www.cve.org/CVERecord?id=CVE-2022-46875
https://www.cve.org/CVERecord?id=CVE-2022-46882
https://www.cve.org/CVERecord?id=CVE-2022-46878
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz: Rebuilt.
This release fixes 6 recently reported security vulnerabilities in
various extensions.
For more information, see:
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
https://www.cve.org/CVERecord?id=CVE-2022-46340
https://www.cve.org/CVERecord?id=CVE-2022-46341
https://www.cve.org/CVERecord?id=CVE-2022-46342
https://www.cve.org/CVERecord?id=CVE-2022-46343
https://www.cve.org/CVERecord?id=CVE-2022-46344
https://www.cve.org/CVERecord?id=CVE-2022-4283
(* Security fix *)
20221214211934_15.0 | Patrick J Volkerding | 26 | -107/+985 |
2022-12-10 | Fri Dec 9 19:43:46 UTC 2022...patches/packages/libarchive-3.6.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix and security release.
Relevant bugfixes:
rar5 reader: fix possible garbled output with bsdtar -O (#1745)
mtree reader: support reading mtree files with tabs (#1783)
Security fixes:
various small fixes for issues found by CodeQL
(* Security fix *)
20221209194346_15.0 | Patrick J Volkerding | 4 | -22/+50 |
2022-12-09 | Thu Dec 8 22:48:34 UTC 2022...patches/packages/emacs-27.2-x86_64-2_slack15.0.txz: Rebuilt.
GNU Emacs through 28.2 allows attackers to execute commands via shell
metacharacters in the name of a source-code file, because lib-src/etags.c
uses the system C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *" command (suggested in
the ctags documentation) in a situation where the current working directory
has contents that depend on untrusted input.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45939
(* Security fix *)
patches/packages/vim-9.0.1034-x86_64-1_slack15.0.txz: Upgraded.
This update fixes various security issues such as a heap-based buffer
overflow and use after free.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-4141
https://www.cve.org/CVERecord?id=CVE-2022-3591
https://www.cve.org/CVERecord?id=CVE-2022-3520
https://www.cve.org/CVERecord?id=CVE-2022-3491
https://www.cve.org/CVERecord?id=CVE-2022-4292
https://www.cve.org/CVERecord?id=CVE-2022-4293
(* Security fix *)
patches/packages/vim-gvim-9.0.1034-x86_64-1_slack15.0.txz: Upgraded.
20221208224834_15.0 | Patrick J Volkerding | 11 | -50/+9675 |
2022-12-08 | Wed Dec 7 18:48:07 UTC 2022...patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
(heap use-after-free).
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
related name resolution functions no longer involves a quadratic algorithm
to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
out-of-spec excessive length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name.
gh-100001: python -m http.server no longer allows terminal control characters
sent within a garbage request to be printed to the stderr server log.
gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
gc module.
gh-97514: On Linux the multiprocessing module returns to using filesystem
backed unix domain sockets for communication with the forkserver process
instead of the Linux abstract socket namespace. Only code that chooses to use
the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
(potential privilege escalation) as abstract sockets have no permissions and
could allow any user on the system in the same network namespace (often the
whole system) to inject code into the multiprocessing forkserver process.
Filesystem based socket permissions restrict this to the forkserver process
user as was the default in Python 3.8 and earlier.
gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
CVE-2022-37454.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text
(filenames, MIME types, parameters) into shell commands to address
CVE-2015-20107. Instead of using such text, it will warn and act as if a
match was not found (or for test commands, as if the test failed).
For more information, see:
https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
https://www.cve.org/CVERecord?id=CVE-2022-43680
https://www.cve.org/CVERecord?id=CVE-2022-45061
https://www.cve.org/CVERecord?id=CVE-2022-42919
https://www.cve.org/CVERecord?id=CVE-2022-37454
https://www.cve.org/CVERecord?id=CVE-2015-20107
(* Security fix *)
20221207184807_15.0 | Patrick J Volkerding | 4 | -23/+109 |
2022-12-06 | Mon Dec 5 21:00:46 UTC 2022...patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
20221205210046_15.0 | Patrick J Volkerding | 6 | -717/+76 |
2022-12-03 | Fri Dec 2 20:58:24 UTC 2022...patches/packages/krusader-2.8.0-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/mozilla-thunderbird-102.5.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.5.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-50/
https://www.cve.org/CVERecord?id=CVE-2022-45414
(* Security fix *)
20221202205824_15.0 | Patrick J Volkerding | 17 | -109/+1074 |
2022-11-30 | Tue Nov 29 20:56:03 UTC 2022...patches/packages/kernel-firmware-20221123_cdf9499-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.63:
https://www.cve.org/CVERecord?id=CVE-2022-3629
https://www.cve.org/CVERecord?id=CVE-2022-3635
https://www.cve.org/CVERecord?id=CVE-2022-3633
https://www.cve.org/CVERecord?id=CVE-2022-3625
Fixed in 5.15.64:
https://www.cve.org/CVERecord?id=CVE-2022-39190
https://www.cve.org/CVERecord?id=CVE-2022-3028
https://www.cve.org/CVERecord?id=CVE-2022-2905
Fixed in 5.15.65:
https://www.cve.org/CVERecord?id=CVE-2022-42703
https://www.cve.org/CVERecord?id=CVE-2022-3176
Fixed in 5.15.66:
https://www.cve.org/CVERecord?id=CVE-2022-4095
https://www.cve.org/CVERecord?id=CVE-2022-20421
Fixed in 5.15.68:
https://www.cve.org/CVERecord?id=CVE-2022-3303
https://www.cve.org/CVERecord?id=CVE-2022-2663
https://www.cve.org/CVERecord?id=CVE-2022-40307
https://www.cve.org/CVERecord?id=CVE-2022-3586
Fixed in 5.15.70:
https://www.cve.org/CVERecord?id=CVE-2022-0171
https://www.cve.org/CVERecord?id=CVE-2022-39842
https://www.cve.org/CVERecord?id=CVE-2022-3061
Fixed in 5.15.72:
https://www.cve.org/CVERecord?id=CVE-2022-2308
Fixed in 5.15.73:
https://www.cve.org/CVERecord?id=CVE-2022-2978
https://www.cve.org/CVERecord?id=CVE-2022-43750
Fixed in 5.15.74:
https://www.cve.org/CVERecord?id=CVE-2022-40768
https://www.cve.org/CVERecord?id=CVE-2022-42721
https://www.cve.org/CVERecord?id=CVE-2022-3621
https://www.cve.org/CVERecord?id=CVE-2022-42722
https://www.cve.org/CVERecord?id=CVE-2022-42719
https://www.cve.org/CVERecord?id=CVE-2022-41674
https://www.cve.org/CVERecord?id=CVE-2022-3649
https://www.cve.org/CVERecord?id=CVE-2022-3646
https://www.cve.org/CVERecord?id=CVE-2022-42720
Fixed in 5.15.75:
https://www.cve.org/CVERecord?id=CVE-2022-43945
https://www.cve.org/CVERecord?id=CVE-2022-41849
https://www.cve.org/CVERecord?id=CVE-2022-3535
https://www.cve.org/CVERecord?id=CVE-2022-3594
https://www.cve.org/CVERecord?id=CVE-2022-2602
https://www.cve.org/CVERecord?id=CVE-2022-41850
https://www.cve.org/CVERecord?id=CVE-2022-3565
https://www.cve.org/CVERecord?id=CVE-2022-3542
Fixed in 5.15.77:
https://www.cve.org/CVERecord?id=CVE-2022-3524
Fixed in 5.15.78:
https://www.cve.org/CVERecord?id=CVE-2022-3628
https://www.cve.org/CVERecord?id=CVE-2022-3623
https://www.cve.org/CVERecord?id=CVE-2022-42896
https://www.cve.org/CVERecord?id=CVE-2022-42895
https://www.cve.org/CVERecord?id=CVE-2022-3543
https://www.cve.org/CVERecord?id=CVE-2022-3564
https://www.cve.org/CVERecord?id=CVE-2022-3619
Fixed in 5.15.80:
https://www.cve.org/CVERecord?id=CVE-2022-3521
https://www.cve.org/CVERecord?id=CVE-2022-3169
(* Security fix *)
patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/openssl-solibs-1.1.1s-x86_64-1_slack15.0.txz: Upgraded.
20221129205603_15.0 | Patrick J Volkerding | 34 | -92/+292 |
2022-11-25 | Thu Nov 24 20:55:37 UTC 2022...patches/packages/ruby-3.0.5-x86_64-1_slack15.0.txz: Upgraded.
This release includes a security fix:
HTTP response splitting in CGI.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-33621
(* Security fix *)
20221124205537_15.0 | Patrick J Volkerding | 4 | -21/+45 |
2022-11-18 | Thu Nov 17 20:02:33 UTC 2022...patches/packages/freerdp-2.9.0-x86_64-1_slack15.0.txz: Upgraded.
Fixed multiple client side input validation issues.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-39316
https://www.cve.org/CVERecord?id=CVE-2022-39317
https://www.cve.org/CVERecord?id=CVE-2022-39318
https://www.cve.org/CVERecord?id=CVE-2022-39319
https://www.cve.org/CVERecord?id=CVE-2022-39320
https://www.cve.org/CVERecord?id=CVE-2022-41877
https://www.cve.org/CVERecord?id=CVE-2022-39347
(* Security fix *)
20221117200233_15.0 | Patrick J Volkerding | 5 | -23/+57 |
2022-11-17 | Thu Nov 17 01:49:28 UTC 2022...patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txz: Rebuilt.
Fixed integer overflows in PAC parsing.
Fixed memory leak in OTP kdcpreauth module.
Fixed PKCS11 module path search.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/mozilla-firefox-102.5.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.5.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2022-48/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/mozilla-thunderbird-102.5.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
https://www.cve.org/CVERecord?id=CVE-2022-45403
https://www.cve.org/CVERecord?id=CVE-2022-45404
https://www.cve.org/CVERecord?id=CVE-2022-45405
https://www.cve.org/CVERecord?id=CVE-2022-45406
https://www.cve.org/CVERecord?id=CVE-2022-45408
https://www.cve.org/CVERecord?id=CVE-2022-45409
https://www.cve.org/CVERecord?id=CVE-2022-45410
https://www.cve.org/CVERecord?id=CVE-2022-45411
https://www.cve.org/CVERecord?id=CVE-2022-45412
https://www.cve.org/CVERecord?id=CVE-2022-45416
https://www.cve.org/CVERecord?id=CVE-2022-45418
https://www.cve.org/CVERecord?id=CVE-2022-45420
https://www.cve.org/CVERecord?id=CVE-2022-45421
(* Security fix *)
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz: Upgraded.
Fixed a security issue where Samba's Kerberos libraries and AD DC failed
to guard against integer overflows when parsing a PAC on a 32-bit system,
which allowed an attacker with a forged PAC to corrupt the heap.
For more information, see:
https://www.samba.org/samba/security/CVE-2022-42898.html
https://www.cve.org/CVERecord?id=CVE-2022-42898
(* Security fix *)
patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz: Upgraded.
This update fixes regressions in the previous security fix:
mime-settings: Properly quote command parameters.
Revert "Escape characters which do not belong into an URI/URL (Issue #390)."
20221117014928_15.0 | Patrick J Volkerding | 25 | -102/+962 |
2022-11-11 | Thu Nov 10 19:47:59 UTC 2022...patches/packages/php-7.4.33-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
GD: OOB read due to insufficient input validation in imageloadfont().
Hash: buffer overflow in hash_update() on long parameter.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31630
https://www.cve.org/CVERecord?id=CVE-2022-37454
(* Security fix *)
20221110194759_15.0 | Patrick J Volkerding | 5 | -25/+53 |
2022-11-10 | Wed Nov 9 22:16:30 UTC 2022...patches/packages/sysstat-12.7.1-x86_64-1_slack15.0.txz: Upgraded.
On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
allocate_structures contains a size_t overflow in sa_common.c. The
allocate_structures function insufficiently checks bounds before arithmetic
multiplication, allowing for an overflow in the size allocated for the
buffer representing system activities.
This issue may lead to Remote Code Execution (RCE).
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-39377
(* Security fix *)
patches/packages/xfce4-settings-4.16.4-x86_64-1_slack15.0.txz: Upgraded.
Fixed an argument injection vulnerability in xfce4-mime-helper.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45062
(* Security fix *)
20221109221630_15.0 | Patrick J Volkerding | 15 | -73/+593 |
2022-11-09 | Tue Nov 8 22:21:43 UTC 2022...patches/packages/glibc-zoneinfo-2022f-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
patches/packages/mariadb-10.5.18-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://mariadb.com/kb/en/mariadb-10-5-18-release-notes
20221108222143_15.0 | Patrick J Volkerding | 6 | -32/+56 |
2022-11-06 | Sat Nov 5 19:18:19 UTC 2022...patches/packages/sudo-1.9.12p1-x86_64-1_slack15.0.txz: Upgraded.
Fixed a potential out-of-bounds write for passwords smaller than 8
characters when passwd authentication is enabled.
This does not affect configurations that use other authentication
methods such as PAM, AIX authentication or BSD authentication.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-43995
(* Security fix *)
20221105191819_15.0 | Patrick J Volkerding | 9 | -37/+270 |
2022-11-05 | Fri Nov 4 19:29:28 UTC 2022...patches/packages/mozilla-thunderbird-102.4.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.4.2/releasenotes/
20221104192928_15.0 | Patrick J Volkerding | 14 | -61/+2183 |
2022-11-01 | Mon Oct 31 23:31:36 UTC 2022...extra/php80/php80-8.0.25-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
GD: OOB read due to insufficient input validation in imageloadfont().
Hash: buffer overflow in hash_update() on long parameter.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31630
https://www.cve.org/CVERecord?id=CVE-2022-37454
(* Security fix *)
extra/php81/php81-8.1.12-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
GD: OOB read due to insufficient input validation in imageloadfont().
Hash: buffer overflow in hash_update() on long parameter.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-31630
https://www.cve.org/CVERecord?id=CVE-2022-37454
(* Security fix *)
patches/packages/mozilla-thunderbird-102.4.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.4.1/releasenotes/
patches/packages/vim-9.0.0814-x86_64-1_slack15.0.txz: Upgraded.
A vulnerability was found in vim and classified as problematic. Affected by
this issue is the function qf_update_buffer of the file quickfix.c of the
component autocmd Handler. The manipulation leads to use after free. The
attack may be launched remotely. Upgrading to version 9.0.0805 is able to
address this issue.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-3705
(* Security fix *)
patches/packages/vim-gvim-9.0.0814-x86_64-1_slack15.0.txz: Upgraded.
20221031233136_15.0 | Patrick J Volkerding | 8 | -57/+131 |
2022-10-28 | Thu Oct 27 02:30:15 UTC 2022...patches/packages/curl-7.86.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
HSTS bypass via IDN.
HTTP proxy double-free.
.netrc parser out-of-bounds access.
POST following PUT confusion.
For more information, see:
https://curl.se/docs/CVE-2022-42916.html
https://curl.se/docs/CVE-2022-42915.html
https://curl.se/docs/CVE-2022-35260.html
https://curl.se/docs/CVE-2022-32221.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221
(* Security fix *)
20221027023015_15.0 | Patrick J Volkerding | 4 | -22/+66 |
2022-10-26 | Tue Oct 25 18:38:58 UTC 2022...patches/packages/expat-2.5.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
Fix heap use-after-free after overeager destruction of a shared DTD in
function XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially arbitrary code
execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
(* Security fix *)
patches/packages/samba-4.15.11-x86_64-1_slack15.0.txz: Upgraded.
This update fixes the following security issue:
There is a limited write heap buffer overflow in the GSSAPI unwrap_des()
and unwrap_des3() routines of Heimdal (included in Samba).
For more information, see:
https://www.samba.org/samba/security/CVE-2022-3437.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3437
(* Security fix *)
20221025183858_15.0 | Patrick J Volkerding | 6 | -31/+77 |
2022-10-22 | Fri Oct 21 18:19:00 UTC 2022...patches/packages/rsync-3.2.7-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
Notably, this addresses some regressions caused by the file-list validation
fix in rsync-3.2.5.
Thanks to llgar.
20221021181900_15.0 | Patrick J Volkerding | 4 | -21/+43 |