diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-02-15 19:48:10 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2023-02-15 21:32:50 +0100 |
commit | 96a46e0fa18d13ba3e422f8431cb68d28ea9b706 (patch) | |
tree | 32d39f3c9a81acd8258dc927626400d80355391c /ChangeLog.rss | |
parent | 88d937fb4e8fcda2688596b4c6dc5b24d275eb8d (diff) | |
download | current-96a46e0fa18d13ba3e422f8431cb68d28ea9b706.tar.gz current-96a46e0fa18d13ba3e422f8431cb68d28ea9b706.tar.xz |
Wed Feb 15 19:48:10 UTC 202320230215194810
ap/sudo-1.9.13-x86_64-1.txz: Upgraded.
d/git-2.39.2-x86_64-1.txz: Upgraded.
This update fixes security issues:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-22490
https://www.cve.org/CVERecord?id=CVE-2023-23946
(* Security fix *)
n/curl-7.88.0-x86_64-1.txz: Upgraded.
This update fixes security issues:
HTTP multi-header compression denial of service.
HSTS amnesia with --parallel.
HSTS ignored on multiple requests.
For more information, see:
https://curl.se/docs/CVE-2023-23916.html
https://curl.se/docs/CVE-2023-23915.html
https://curl.se/docs/CVE-2023-23914.html
https://www.cve.org/CVERecord?id=CVE-2023-23916
https://www.cve.org/CVERecord?id=CVE-2023-23915
https://www.cve.org/CVERecord?id=CVE-2023-23914
(* Security fix *)
Diffstat (limited to 'ChangeLog.rss')
-rw-r--r-- | ChangeLog.rss | 46 |
1 files changed, 44 insertions, 2 deletions
diff --git a/ChangeLog.rss b/ChangeLog.rss index 816ecb865..33ec120a7 100644 --- a/ChangeLog.rss +++ b/ChangeLog.rss @@ -11,10 +11,52 @@ <description>Tracking Slackware development in git.</description> <language>en-us</language> <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id> - <pubDate>Wed, 15 Feb 2023 03:05:40 GMT</pubDate> - <lastBuildDate>Wed, 15 Feb 2023 05:50:09 GMT</lastBuildDate> + <pubDate>Wed, 15 Feb 2023 19:48:10 GMT</pubDate> + <lastBuildDate>Wed, 15 Feb 2023 20:32:46 GMT</lastBuildDate> <generator>maintain_current_git.sh v 1.17</generator> <item> + <title>Wed, 15 Feb 2023 19:48:10 GMT</title> + <pubDate>Wed, 15 Feb 2023 19:48:10 GMT</pubDate> + <link>https://git.slackware.nl/current/tag/?h=20230215194810</link> + <guid isPermaLink="false">20230215194810</guid> + <description> + <![CDATA[<pre> +ap/sudo-1.9.13-x86_64-1.txz: Upgraded. +d/git-2.39.2-x86_64-1.txz: Upgraded. + This update fixes security issues: + Using a specially-crafted repository, Git can be tricked into using + its local clone optimization even when using a non-local transport. + Though Git will abort local clones whose source $GIT_DIR/objects + directory contains symbolic links (c.f., CVE-2022-39253), the objects + directory itself may still be a symbolic link. + These two may be combined to include arbitrary files based on known + paths on the victim's filesystem within the malicious repository's + working copy, allowing for data exfiltration in a similar manner as + CVE-2022-39253. + By feeding a crafted input to "git apply", a path outside the + working tree can be overwritten as the user who is running "git + apply". + For more information, see: + https://www.cve.org/CVERecord?id=CVE-2023-22490 + https://www.cve.org/CVERecord?id=CVE-2023-23946 + (* Security fix *) +n/curl-7.88.0-x86_64-1.txz: Upgraded. + This update fixes security issues: + HTTP multi-header compression denial of service. + HSTS amnesia with --parallel. + HSTS ignored on multiple requests. + For more information, see: + https://curl.se/docs/CVE-2023-23916.html + https://curl.se/docs/CVE-2023-23915.html + https://curl.se/docs/CVE-2023-23914.html + https://www.cve.org/CVERecord?id=CVE-2023-23916 + https://www.cve.org/CVERecord?id=CVE-2023-23915 + https://www.cve.org/CVERecord?id=CVE-2023-23914 + (* Security fix *) + </pre>]]> + </description> + </item> + <item> <title>Wed, 15 Feb 2023 03:05:40 GMT</title> <pubDate>Wed, 15 Feb 2023 03:05:40 GMT</pubDate> <link>https://git.slackware.nl/current/tag/?h=20230215030540</link> |