| Commit message (Expand) | Author | Files | Lines |
|---|
| 2024-03-25 | Sun Mar 24 18:21:46 UTC 2024...patches/packages/emacs-29.3-x86_64-1_slack15.0.txz: Upgraded.
GNU Emacs through 28.2 allows attackers to execute commands via shell
metacharacters in the name of a source-code file, because lib-src/etags.c
uses the system C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *" command (suggested in
the ctags documentation) in a situation where the current working directory
has contents that depend on untrusted input.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45939
(* Security fix *)
20240324182146_15.0 |   Patrick J Volkerding | 7 | -9330/+65 |
| 2024-03-24 | Sat Mar 23 19:34:02 UTC 2024...patches/packages/mozilla-firefox-115.9.1esr-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a critical security issue:
An attacker was able to inject an event handler into a privileged object
that would allow arbitrary JavaScript execution in the parent process.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.9.1esr/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2024-16/
https://www.cve.org/CVERecord?id=CVE-2024-29944
(* Security fix *)
20240323193402_15.0 | Patrick J Volkerding | 5 | -23/+56 |
| 2024-03-21 | Wed Mar 20 21:10:30 UTC 2024...patches/packages/bind-9.16.49-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/python3-3.9.19-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
bundled libexpat was updated to 2.6.0.
zipfile is now protected from the "quoted-overlap" zipbomb.
tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when
working around file system permission errors.
For more information, see:
https://pythoninsider.blogspot.com/2024/03/python-31014-3919-and-3819-is-now.html
https://www.cve.org/CVERecord?id=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2024-0450
https://www.cve.org/CVERecord?id=CVE-2023-6597
(* Security fix *)
testing/packages/bind-9.18.25-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20240320211030_15.0 | Patrick J Volkerding | 5 | -43/+87 |
| 2024-03-20 | Wed Mar 20 00:08:59 UTC 2024...patches/packages/gnutls-3.8.4-x86_64-1_slack15.0.txz: Upgraded.
This update fixes two medium severity security issues:
libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516).
libgnutls: Fixed a bug where certtool crashed when verifying a certificate
chain with more than 16 certificates. Reported by William Woodruff (#1525)
and yixiangzhike (#1527).
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-28834
https://www.cve.org/CVERecord?id=CVE-2024-28835
(* Security fix *)
patches/packages/mozilla-firefox-115.9.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2024-13/
https://www.cve.org/CVERecord?id=CVE-2024-0743
https://www.cve.org/CVERecord?id=CVE-2024-2605
https://www.cve.org/CVERecord?id=CVE-2024-2607
https://www.cve.org/CVERecord?id=CVE-2024-2608
https://www.cve.org/CVERecord?id=CVE-2024-2616
https://www.cve.org/CVERecord?id=CVE-2023-5388
https://www.cve.org/CVERecord?id=CVE-2024-2610
https://www.cve.org/CVERecord?id=CVE-2024-2611
https://www.cve.org/CVERecord?id=CVE-2024-2612
https://www.cve.org/CVERecord?id=CVE-2024-2614
(* Security fix *)
patches/packages/mozilla-thunderbird-115.9.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/
https://www.cve.org/CVERecord?id=CVE-2024-0743
https://www.cve.org/CVERecord?id=CVE-2024-2605
https://www.cve.org/CVERecord?id=CVE-2024-2607
https://www.cve.org/CVERecord?id=CVE-2024-2608
https://www.cve.org/CVERecord?id=CVE-2024-2616
https://www.cve.org/CVERecord?id=CVE-2023-5388
https://www.cve.org/CVERecord?id=CVE-2024-2610
https://www.cve.org/CVERecord?id=CVE-2024-2611
https://www.cve.org/CVERecord?id=CVE-2024-2612
https://www.cve.org/CVERecord?id=CVE-2024-2614
(* Security fix *)
20240320000859_15.0 | Patrick J Volkerding | 6 | -34/+132 |
| 2024-03-14 | Wed Mar 13 19:46:48 UTC 2024...patches/packages/expat-2.6.2-x86_64-1_slack15.0.txz: Upgraded.
Prevent billion laughs attacks with isolated use of external parsers.
For more information, see:
https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8
https://www.cve.org/CVERecord?id=CVE-2024-28757
(* Security fix *)
20240313194648_15.0 | Patrick J Volkerding | 4 | -22/+46 |
| 2024-03-09 | Fri Mar 8 19:20:11 UTC 2024...patches/packages/xfce4-weather-plugin-0.11.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20240308192011_15.0 | Patrick J Volkerding | 7 | -80/+251 |
| 2024-03-08 | Thu Mar 7 20:40:08 UTC 2024...patches/packages/ghostscript-9.55.0-x86_64-2_slack15.0.txz: Rebuilt.
Fixes security issues:
A vulnerability was identified in the way Ghostscript/GhostPDL called
tesseract for the OCR devices, which could allow arbitrary code execution.
Thanks to J_W for the heads-up.
Mishandling of permission validation for pipe devices could allow arbitrary
code execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
(* Security fix *)
20240307204008_15.0 | Patrick J Volkerding | 13 | -3064/+3799 |
| 2024-03-06 | Tue Mar 5 21:16:50 UTC 2024...patches/packages/mozilla-thunderbird-115.8.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.8.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/
https://www.cve.org/CVERecord?id=CVE-2024-1936
(* Security fix *)
patches/packages/postfix-3.6.15-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.postfix.org/announcements/postfix-3.8.6.html
20240305211650_15.0 | Patrick J Volkerding | 5 | -27/+61 |
| 2024-03-02 | Fri Mar 1 22:13:28 UTC 2024...patches/packages/expat-2.6.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20240301221328_15.0 | Patrick J Volkerding | 4 | -22/+38 |
| 2024-03-01 | Thu Feb 29 19:11:19 UTC 2024...patches/packages/openjpeg-2.5.2-x86_64-1_slack15.0.txz: Upgraded.
Fixed a regression in openjpeg-2.5.1:
API breakage / openjpeg version no longer detected (openjpeg.h no longer
includes opj_config.h).
20240229191119_15.0 | Patrick J Volkerding | 4 | -21/+41 |
| 2024-02-29 | Wed Feb 28 18:36:48 UTC 2024...patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz: Rebuilt.
Patched the implementation of PEAP in wpa_supplicant to prevent an
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52160
(* Security fix *)
20240228183648_15.0 | Patrick J Volkerding | 19 | -137/+1438 |
| 2024-02-27 | Mon Feb 26 20:09:43 UTC 2024...patches/packages/openjpeg-2.5.1-x86_64-1_slack15.0.txz: Upgraded.
Fixed a heap-based buffer overflow in openjpeg in color.c:379:42 in
sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use
this to execute arbitrary code with the permissions of the application
compiled against openjpeg.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-3575
(* Security fix *)
20240226200943_15.0 | Patrick J Volkerding | 8 | -56/+265 |
| 2024-02-26 | Sun Feb 25 19:16:52 UTC 2024...patches/packages/whois-5.5.21-x86_64-1_slack15.0.txz: Upgraded.
Updated the .cv and .sd TLD servers.
Removed 4 new gTLDs which are no longer active.
20240225191652_15.0 | Patrick J Volkerding | 4 | -21/+39 |
| 2024-02-24 | Fri Feb 23 20:37:29 UTC 2024...patches/packages/dcron-4.5-x86_64-13_slack15.0.txz: Rebuilt.
This is a bugfix release.
run-parts.8: document skiping *.orig files. Thanks to metaed.
20240223203729_15.0 | Patrick J Volkerding | 6 | -25/+43 |
| 2024-02-22 | Wed Feb 21 20:00:08 UTC 2024...patches/packages/dcron-4.5-x86_64-12_slack15.0.txz: Rebuilt.
This is a bugfix release.
run-parts: skip *.orig files. Thanks to metaed.
patches/packages/mozilla-thunderbird-115.8.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/
https://www.cve.org/CVERecord?id=CVE-2024-1546
https://www.cve.org/CVERecord?id=CVE-2024-1547
https://www.cve.org/CVERecord?id=CVE-2024-1548
https://www.cve.org/CVERecord?id=CVE-2024-1549
https://www.cve.org/CVERecord?id=CVE-2024-1550
https://www.cve.org/CVERecord?id=CVE-2024-1551
https://www.cve.org/CVERecord?id=CVE-2024-1552
https://www.cve.org/CVERecord?id=CVE-2024-1553
(* Security fix *)
20240221200008_15.0 | Patrick J Volkerding | 20 | -120/+713 |
| 2024-02-21 | Tue Feb 20 21:08:27 UTC 2024...patches/packages/libuv-1.48.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a server-side request forgery (SSRF) flaw.
Thanks to alex2grad for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-24806
(* Security fix *)
20240220210827_15.0 | Patrick J Volkerding | 8 | -62/+297 |
| 2024-02-19 | Sun Feb 18 21:03:57 UTC 2024...extra/llvm-17.0.6-x86_64-1_slack15.0.txz: Added.
In case anyone needs a newer compiler.
extra/llvm13-compat-13.0.0-x86_64-1_slack15.0.txz: Added.
In case anyone needs to run binaries linked to the old compiler.
20240218210357_15.0 | Patrick J Volkerding | 16 | -223/+1090 |
| 2024-02-17 | Fri Feb 16 20:18:59 UTC 2024...patches/packages/ca-certificates-20240216-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
20240216201859_15.0 | Patrick J Volkerding | 5 | -22/+40 |
| 2024-02-15 | Wed Feb 14 04:18:12 UTC 2024...patches/packages/dnsmasq-2.90-x86_64-1_slack15.0.txz: Upgraded.
Add limits on the resources used to do DNSSEC validation.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-50387
https://www.cve.org/CVERecord?id=CVE-2023-50868
(* Security fix *)
20240214041812_15.0 | Patrick J Volkerding | 5 | -25/+51 |
| 2024-02-14 | Tue Feb 13 19:19:24 UTC 2024...patches/packages/bind-9.16.48-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
Specific DNS answers could cause a denial-of-service condition due to DNS
validation taking a long time.
Query patterns that continuously triggered cache database maintenance could
exhaust all available memory on the host running named.
Restore DNS64 state when handling a serve-stale timeout.
Specific queries could trigger an assertion check with nxdomain-redirect
enabled.
Speed up parsing of DNS messages with many different names.
For more information, see:
https://kb.isc.org/docs/cve-2023-50387
https://www.cve.org/CVERecord?id=CVE-2023-50387
https://kb.isc.org/docs/cve-2023-6516
https://www.cve.org/CVERecord?id=CVE-2023-6516
https://kb.isc.org/docs/cve-2023-5679
https://www.cve.org/CVERecord?id=CVE-2023-5679
https://kb.isc.org/docs/cve-2023-5517
https://www.cve.org/CVERecord?id=CVE-2023-5517
https://kb.isc.org/docs/cve-2023-4408
https://www.cve.org/CVERecord?id=CVE-2023-4408
(* Security fix *)
testing/packages/bind-9.18.24-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and security issues:
Specific DNS answers could cause a denial-of-service condition due to DNS
validation taking a long time.
Restore DNS64 state when handling a serve-stale timeout.
Specific queries could trigger an assertion check with nxdomain-redirect
enabled.
Speed up parsing of DNS messages with many different names.
For more information, see:
https://kb.isc.org/docs/cve-2023-50387
https://www.cve.org/CVERecord?id=CVE-2023-50387
https://kb.isc.org/docs/cve-2023-5679
https://www.cve.org/CVERecord?id=CVE-2023-5679
https://kb.isc.org/docs/cve-2023-5517
https://www.cve.org/CVERecord?id=CVE-2023-5517
https://kb.isc.org/docs/cve-2023-4408
https://www.cve.org/CVERecord?id=CVE-2023-4408
(* Security fix *)
20240213191924_15.0 | Patrick J Volkerding | 4 | -36/+128 |
| 2024-02-12 | Sun Feb 11 22:11:59 UTC 2024...patches/packages/mariadb-10.5.24-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://mariadb.com/kb/en/mariadb-10-5-24-release-notes/
20240211221159_15.0 | Patrick J Volkerding | 4 | -21/+41 |
| 2024-02-10 | Fri Feb 9 21:48:09 UTC 2024...patches/packages/xpdf-4.05-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Fixed a bug in the ICCBased color space parser that was allowing the number
of components to be zero. Thanks to huckleberry for the bug report.
Fixed a bug in the ICCBased color space parser that was allowing the number
of components to be zero. Thanks to huckleberry for the bug report.
Added checks for PDF object loops in AcroForm::scanField(),
Catalog::readPageLabelTree2(), and Catalog::readEmbeddedFileTree().
The zero-width character problem can also happen if the page size is very
large -- that needs to be limited too, the same way as character position
coordinates. Thanks to jlinliu for the bug report.
Add some missing bounds check code in DCTStream. Thanks to Jiahao Liu for
the bug report.
Fix a deadlock when an object stream's length field is contained in another
object stream. Thanks to Jiahao Liu for the bug report.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-2662
https://www.cve.org/CVERecord?id=CVE-2023-2662
https://www.cve.org/CVERecord?id=CVE-2018-7453
https://www.cve.org/CVERecord?id=CVE-2018-16369
https://www.cve.org/CVERecord?id=CVE-2022-36561
https://www.cve.org/CVERecord?id=CVE-2022-41844
https://www.cve.org/CVERecord?id=CVE-2023-2663
https://www.cve.org/CVERecord?id=CVE-2023-2664
https://www.cve.org/CVERecord?id=CVE-2023-3044
https://www.cve.org/CVERecord?id=CVE-2023-3436
(* Security fix *)
20240209214809_15.0 | Patrick J Volkerding | 23 | -175/+866 |
| 2024-02-09 | Thu Feb 8 22:17:18 UTC 2024...patches/packages/dehydrated-0.7.1-noarch-1_slack15.0.txz: Upgraded.
This is a bugfix release that addresses (among other things) an
"unbound variable" error if the signing server is not available.
Thanks to metaed for the heads-up.
20240208221718_15.0 | Patrick J Volkerding | 10 | -56/+250 |
| 2024-02-08 | Wed Feb 7 20:07:29 UTC 2024...patches/packages/expat-2.6.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Fix quadratic runtime issues with big tokens that can cause
denial of service.
Fix billion laughs attacks for users compiling *without* XML_DTD
defined (which is not common).
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52425
https://www.cve.org/CVERecord?id=CVE-2023-52426
(* Security fix *)
20240207200729_15.0 | Patrick J Volkerding | 4 | -22/+54 |
| 2024-02-05 | Sun Feb 4 19:37:40 UTC 2024...patches/packages/libxml2-2.11.7-x86_64-1_slack15.0.txz: Upgraded.
Fix the following security issue:
xmlreader: Don't expand XIncludes when backtracking.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-25062
(* Security fix *)
20240204193740_15.0 | Patrick J Volkerding | 4 | -21/+45 |
| 2024-02-04 | Sat Feb 3 20:54:00 UTC 2024...patches/packages/ca-certificates-20240203-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2024a-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
20240203205400_15.0 | Patrick J Volkerding | 6 | -161/+925 |
| 2024-02-01 | Wed Jan 31 21:19:19 UTC 2024...extra/sendmail/sendmail-8.18.1-x86_64-1_slack15.0.txz: Upgraded.
sendmail through 8.17.2 allows SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass of an SPF
protection mechanism. This occurs because sendmail supports <LF>.<CR><LF>
but some other popular e-mail servers do not. This is resolved in 8.18 and
later versions with 'o' in srv_features.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-51765
(* Security fix *)
extra/sendmail/sendmail-cf-8.18.1-noarch-1_slack15.0.txz: Upgraded.
patches/packages/curl-8.6.0-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/libmilter-8.18.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20240131211919_15.0 | Patrick J Volkerding | 9 | -55/+96 |
| 2024-01-27 | Fri Jan 26 20:59:27 UTC 2024...patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz: Upgraded.
pam_namespace.so: fixed a possible local denial-of-service vulnerability.
For more information, see:
https://seclists.org/oss-sec/2024/q1/31
https://www.cve.org/CVERecord?id=CVE-2024-22365
(* Security fix *)
20240126205927_15.0 | Patrick J Volkerding | 15 | -92/+502 |
| 2024-01-25 | Wed Jan 24 04:53:38 UTC 2024...patches/packages/mozilla-thunderbird-115.7.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
https://www.cve.org/CVERecord?id=CVE-2024-0741
https://www.cve.org/CVERecord?id=CVE-2024-0742
https://www.cve.org/CVERecord?id=CVE-2024-0746
https://www.cve.org/CVERecord?id=CVE-2024-0747
https://www.cve.org/CVERecord?id=CVE-2024-0749
https://www.cve.org/CVERecord?id=CVE-2024-0750
https://www.cve.org/CVERecord?id=CVE-2024-0751
https://www.cve.org/CVERecord?id=CVE-2024-0753
https://www.cve.org/CVERecord?id=CVE-2024-0755
(* Security fix *)
20240124045338_15.0 | Patrick J Volkerding | 4 | -24/+66 |
| 2024-01-24 | Tue Jan 23 20:08:07 UTC 2024...patches/packages/mozilla-firefox-115.7.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.7.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2024-02/
https://www.cve.org/CVERecord?id=CVE-2024-0741
https://www.cve.org/CVERecord?id=CVE-2024-0742
https://www.cve.org/CVERecord?id=CVE-2024-0746
https://www.cve.org/CVERecord?id=CVE-2024-0747
https://www.cve.org/CVERecord?id=CVE-2024-0749
https://www.cve.org/CVERecord?id=CVE-2024-0750
https://www.cve.org/CVERecord?id=CVE-2024-0751
https://www.cve.org/CVERecord?id=CVE-2024-0753
https://www.cve.org/CVERecord?id=CVE-2024-0755
(* Security fix *)
20240123200807_15.0 | Patrick J Volkerding | 4 | -24/+66 |
| 2024-01-23 | Mon Jan 22 20:57:12 UTC 2024...patches/packages/postfix-3.6.14-x86_64-1_slack15.0.txz: Upgraded.
Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
= normalize" (default "no" for Postfix < 3.9), the Postfix
SMTP server requires the standard End-of-DATA sequence
<CR><LF>.<CR><LF>, and otherwise allows command or message
content lines ending in the non-standard <LF>, processing
them as if the client sent the standard <CR><LF>.
The alternative setting, "smtpd_forbid_bare_newline = reject"
will reject any command or message that contains a bare
<LF>, and is more likely to cause problems with legitimate
clients.
For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks".
For more information, see:
https://www.postfix.org/smtp-smuggling.html
(* Security fix *)
20240122205712_15.0 | Patrick J Volkerding | 4 | -21/+67 |
| 2024-01-22 | Sun Jan 21 20:50:08 UTC 2024...extra/tigervnc/tigervnc-1.12.0-x86_64-5_slack15.0.txz: Rebuilt.
Recompiled against xorg-server-1.20.14, including the latest patches for
several security issues. Thanks to marav.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
https://www.cve.org/CVERecord?id=CVE-2023-6816
https://www.cve.org/CVERecord?id=CVE-2024-0229
https://www.cve.org/CVERecord?id=CVE-2024-0408
https://www.cve.org/CVERecord?id=CVE-2024-0409
https://www.cve.org/CVERecord?id=CVE-2024-21885
https://www.cve.org/CVERecord?id=CVE-2024-21886
https://www.cve.org/CVERecord?id=CVE-2024-21886
(* Security fix *)
20240121205008_15.0 | Patrick J Volkerding | 16 | -83/+1026 |
| 2024-01-18 | Wed Jan 17 21:13:27 UTC 2024...patches/packages/seamonkey-2.53.18.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.18.1
20240117211327_15.0 | Patrick J Volkerding | 4 | -28/+48 |
| 2024-01-17 | Tue Jan 16 20:49:28 UTC 2024...patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz: Upgraded.
This update fixes two medium severity security issues:
Fix more timing side-channel inside RSA-PSK key exchange.
Fix assertion failure when verifying a certificate chain with a cycle of
cross signatures.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-0553
https://www.cve.org/CVERecord?id=CVE-2024-0567
(* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
This update fixes security issues:
Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
Reattaching to different master device may lead to out-of-bounds memory access.
Heap buffer overflow in XISendDeviceHierarchyEvent.
Heap buffer overflow in DisableDevice.
SELinux context corruption.
SELinux unlabeled GLX PBuffer.
For more information, see:
https://lists.x.org/archives/xorg/2024-January/061525.html
https://www.cve.org/CVERecord?id=CVE-2023-6816
https://www.cve.org/CVERecord?id=CVE-2024-0229
https://www.cve.org/CVERecord?id=CVE-2024-21885
https://www.cve.org/CVERecord?id=CVE-2024-21886
https://www.cve.org/CVERecord?id=CVE-2024-0408
https://www.cve.org/CVERecord?id=CVE-2024-0409
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz: Rebuilt.
This update fixes security issues:
Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
Reattaching to different master device may lead to out-of-bounds memory access.
Heap buffer overflow in XISendDeviceHierarchyEvent.
Heap buffer overflow in DisableDevice.
SELinux unlabeled GLX PBuffer.
For more information, see:
https://lists.x.org/archives/xorg/2024-January/061525.html
https://www.cve.org/CVERecord?id=CVE-2023-6816
https://www.cve.org/CVERecord?id=CVE-2024-0229
https://www.cve.org/CVERecord?id=CVE-2024-21885
https://www.cve.org/CVERecord?id=CVE-2024-21886
https://www.cve.org/CVERecord?id=CVE-2024-0408
(* Security fix *)
20240116204928_15.0 | Patrick J Volkerding | 31 | -164/+1796 |
| 2024-01-11 | Wed Jan 10 20:25:54 UTC 2024...patches/packages/xorriso-1.5.6.pl02-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20240110202554_15.0 | Patrick J Volkerding | 6 | -53/+258 |
| 2024-01-10 | Tue Jan 9 20:49:08 UTC 2024...patches/packages/mozilla-thunderbird-115.6.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.thunderbird.net/en-US/thunderbird/115.6.1/releasenotes/
20240109204908_15.0 | Patrick J Volkerding | 4 | -22/+42 |
| 2023-12-31 | Sat Dec 30 19:53:07 UTC 2023...patches/packages/sudo-1.9.15p5-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20231230195307_15.0 | Patrick J Volkerding | 4 | -21/+37 |
| 2023-12-26 | Tue Dec 26 00:20:26 UTC 2023...patches/packages/kernel-firmware-20231222_a7dee43-noarch-1.txz: Upgraded.
Updated to the latest kernel firmware.
patches/packages/linux-5.15.145/*: Upgraded.
These updates fix various bugs and security issues.
Thanks to jwoithe for the PCI fix!
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.140:
https://www.cve.org/CVERecord?id=CVE-2023-46862
Fixed in 5.15.141:
https://www.cve.org/CVERecord?id=CVE-2023-6121
(* Security fix *)
20231226002026_15.0 | Patrick J Volkerding | 58 | -2953/+65324 |
| 2023-12-23 | Sat Dec 23 02:48:56 UTC 2023...patches/packages/glibc-zoneinfo-2023d-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
patches/packages/postfix-3.6.13-x86_64-1_slack15.0.txz: Upgraded.
Security: this release adds support to defend against an email spoofing
attack (SMTP smuggling) on recipients at a Postfix server. Sites
concerned about SMTP smuggling attacks should enable this feature on
Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
For more information, see:
https://www.postfix.org/smtp-smuggling.html
(* Security fix *)
20231223024856_15.0 | Patrick J Volkerding | 14 | -89/+624 |
| 2023-12-22 | Thu Dec 21 20:46:11 UTC 2023...extra/php81/php81-8.1.27-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.php.net/ChangeLog-8.php#8.1.27
20231221204611_15.0 | Patrick J Volkerding | 6 | -44/+61 |
| 2023-12-21 | Wed Dec 20 21:10:47 UTC 2023...patches/packages/bind-9.16.45-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/proftpd-1.3.8b-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
mod_sftp: implemented mitigations for "Terrapin" SSH attack.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-48795
(* Security fix *)
testing/packages/bind-9.18.21-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20231220211047_15.0 | Patrick J Volkerding | 16 | -112/+565 |
| 2023-12-20 | Tue Dec 19 21:24:05 UTC 2023...patches/packages/bluez-5.71-x86_64-2_slack15.0.txz: Rebuilt.
Fix a regression in bluez-5.71:
[PATCH] adapter: Fix link key address type for old kernels.
Thanks to marav.
patches/packages/libssh-0.10.6-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Command injection using proxycommand.
Potential downgrade attack using strict kex.
Missing checks for return values of MD functions.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-6004
https://www.cve.org/CVERecord?id=CVE-2023-48795
https://www.cve.org/CVERecord?id=CVE-2023-6918
(* Security fix *)
patches/packages/mozilla-firefox-115.6.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.6.0/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2023-54/
https://www.cve.org/CVERecord?id=CVE-2023-6856
https://www.cve.org/CVERecord?id=CVE-2023-6865
https://www.cve.org/CVERecord?id=CVE-2023-6857
https://www.cve.org/CVERecord?id=CVE-2023-6858
https://www.cve.org/CVERecord?id=CVE-2023-6859
https://www.cve.org/CVERecord?id=CVE-2023-6860
https://www.cve.org/CVERecord?id=CVE-2023-6867
https://www.cve.org/CVERecord?id=CVE-2023-6861
https://www.cve.org/CVERecord?id=CVE-2023-6862
https://www.cve.org/CVERecord?id=CVE-2023-6863
https://www.cve.org/CVERecord?id=CVE-2023-6864
(* Security fix *)
patches/packages/mozilla-thunderbird-115.6.0-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.thunderbird.net/en-US/thunderbird/115.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
https://www.cve.org/CVERecord?id=CVE-2023-50762
https://www.cve.org/CVERecord?id=CVE-2023-50761
https://www.cve.org/CVERecord?id=CVE-2023-6856
https://www.cve.org/CVERecord?id=CVE-2023-6857
https://www.cve.org/CVERecord?id=CVE-2023-6858
https://www.cve.org/CVERecord?id=CVE-2023-6859
https://www.cve.org/CVERecord?id=CVE-2023-6860
https://www.cve.org/CVERecord?id=CVE-2023-6861
https://www.cve.org/CVERecord?id=CVE-2023-6862
https://www.cve.org/CVERecord?id=CVE-2023-6863
https://www.cve.org/CVERecord?id=CVE-2023-6864
(* Security fix *)
20231219212405_15.0 | Patrick J Volkerding | 11 | -57/+204 |
| 2023-12-17 | Sat Dec 16 20:33:34 UTC 2023...patches/packages/sudo-1.9.15p4-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
20231216203334_15.0 | Patrick J Volkerding | 4 | -21/+37 |
| 2023-12-15 | Thu Dec 14 20:09:31 UTC 2023...patches/packages/bluez-5.71-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
It may have been possible for an attacker within Bluetooth range to inject
keystrokes (and possibly execute commands) while devices were discoverable.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-45866
(* Security fix *)
patches/packages/libxml2-2.11.6-x86_64-1_slack15.0.txz: Upgraded.
We're going to drop back to the 2.11 branch here on the stable releases
since it has all of the relevant security fixes and better compatibility.
20231214200931_15.0 | Patrick J Volkerding | 7 | -33/+87 |
| 2023-12-14 | Wed Dec 13 22:01:34 UTC 2023...patches/packages/libxml2-2.12.3-x86_64-1_slack15.0.txz: Upgraded.
This update addresses regressions when building against libxml2 that were
due to header file refactoring.
patches/packages/xorg-server-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.html
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-9_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.html
https://www.cve.org/CVERecord?id=CVE-2023-6377
https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
20231213220134_15.0 | Patrick J Volkerding | 17 | -66/+413 |
| 2023-12-13 | Tue Dec 12 19:54:42 UTC 2023...patches/packages/mozilla-thunderbird-115.5.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.5.2/releasenotes/
20231212195442_15.0 | Patrick J Volkerding | 4 | -22/+42 |
| 2023-12-10 | Sun Dec 10 01:12:17 UTC 2023...patches/packages/libxml2-2.12.2-x86_64-1_slack15.0.txz: Upgraded.
Add --sysconfdir=/etc option so that this can find the xml catalog.
Thanks to SpiderTux.
Fix the following security issues:
Fix integer overflows with XML_PARSE_HUGE.
Fix dict corruption caused by entity reference cycles.
Hashing of empty dict strings isn't deterministic.
Fix null deref in xmlSchemaFixupComplexType.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-40303
https://www.cve.org/CVERecord?id=CVE-2022-40304
https://www.cve.org/CVERecord?id=CVE-2023-29469
https://www.cve.org/CVERecord?id=CVE-2023-28484
(* Security fix *)
20231210011217_15.0 | Patrick J Volkerding | 12 | -105/+149 |
| 2023-12-07 | Wed Dec 6 20:29:23 UTC 2023...patches/packages/rdfind-1.6.0-x86_64-1_slack15.0.txz: Upgraded.
Redundant data finder utility, needed to build the kernel-firmware package.
20231206202923_15.0 | Patrick J Volkerding | 7 | -51/+250 |
| 2023-12-01 | Thu Nov 30 21:21:55 UTC 2023...patches/packages/samba-4.18.9-x86_64-1_slack15.0.txz: Upgraded.
This is a security release in order to address the following defect:
An information leak vulnerability was discovered in Samba's LDAP server.
Due to missing access control checks, an authenticated but unprivileged
attacker could discover the names and preserved attributes of deleted objects
in the LDAP store. Upgrading to this package will not prevent this
information leak - if you are using Samba as an Active Directory Domain
Controller, you will need to follow the instructions in the samba.org link
given below.
For more information, see:
https://www.samba.org/samba/security/CVE-2018-14628.html
https://www.cve.org/CVERecord?id=CVE-2018-14628
(* Security fix *)
20231130212155_15.0 | Patrick J Volkerding | 5 | -25/+63 |
| 2023-11-29 | Tue Nov 28 22:13:48 UTC 2023...patches/packages/mozilla-thunderbird-115.5.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.5.1/releasenotes/
20231128221348_15.0 | Patrick J Volkerding | 6 | -27/+47 |
Patrick J Volkerding