From b9cb99a88e34842a370c2a5a3cbe265b4ce1157b Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 19 Jul 2023 20:36:46 +0000 Subject: Wed Jul 19 20:36:46 UTC 2023 patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz: Upgraded. This update fixes a security issue: fopen race condition. For more information, see: https://curl.se/docs/CVE-2023-32001.html https://www.cve.org/CVERecord?id=CVE-2023-32001 (* Security fix *) patches/packages/openssh-9.3p2-x86_64-1_slack15.0.txz: Upgraded. This update fixes a security issue: ssh-agent(1) in OpenSSH between and 5.5 and 9.3p1 (inclusive): remote code execution relating to PKCS#11 providers. The PKCS#11 support ssh-agent(1) could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. Potentially-incompatible changes: * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour: "-Oallow-remote-pkcs11". For more information, see: https://www.openssh.com/txt/release-9.3p2 https://www.cve.org/CVERecord?id=CVE-2023-38408 (* Security fix *) --- ChangeLog.txt | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'ChangeLog.txt') diff --git a/ChangeLog.txt b/ChangeLog.txt index 9e7c249a4..10de8592f 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,35 @@ +Wed Jul 19 20:36:46 UTC 2023 +patches/packages/curl-8.2.0-x86_64-1_slack15.0.txz: Upgraded. + This update fixes a security issue: + fopen race condition. + For more information, see: + https://curl.se/docs/CVE-2023-32001.html + https://www.cve.org/CVERecord?id=CVE-2023-32001 + (* Security fix *) +patches/packages/openssh-9.3p2-x86_64-1_slack15.0.txz: Upgraded. + This update fixes a security issue: + ssh-agent(1) in OpenSSH between and 5.5 and 9.3p1 (inclusive): remote code + execution relating to PKCS#11 providers. + The PKCS#11 support ssh-agent(1) could be abused to achieve remote code + execution via a forwarded agent socket if the following conditions are met: + * Exploitation requires the presence of specific libraries on the victim + system. + * Remote exploitation requires that the agent was forwarded to an + attacker-controlled system. + Exploitation can also be prevented by starting ssh-agent(1) with an empty + PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that + contains only specific provider libraries. + This vulnerability was discovered and demonstrated to be exploitable by the + Qualys Security Advisory team. + Potentially-incompatible changes: + * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules + issued by remote clients by default. A flag has been added to restore the + previous behaviour: "-Oallow-remote-pkcs11". + For more information, see: + https://www.openssh.com/txt/release-9.3p2 + https://www.cve.org/CVERecord?id=CVE-2023-38408 + (* Security fix *) ++--------------------------+ Mon Jul 17 19:17:19 UTC 2023 patches/packages/sudo-1.9.14p2-x86_64-1_slack15.0.txz: Upgraded. This is a bugfix release. -- cgit v1.2.3-79-gdb01