diff options
Diffstat (limited to 'ChangeLog.rss')
-rw-r--r-- | ChangeLog.rss | 61 |
1 files changed, 59 insertions, 2 deletions
diff --git a/ChangeLog.rss b/ChangeLog.rss index 591739eed..b670a7ff7 100644 --- a/ChangeLog.rss +++ b/ChangeLog.rss @@ -11,10 +11,67 @@ <description>Tracking Slackware development in git.</description> <language>en-us</language> <id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id> - <pubDate>Mon, 5 Dec 2022 21:00:46 GMT</pubDate> - <lastBuildDate>Tue, 6 Dec 2022 06:00:08 GMT</lastBuildDate> + <pubDate>Wed, 7 Dec 2022 18:48:07 GMT</pubDate> + <lastBuildDate>Wed, 7 Dec 2022 21:19:13 GMT</lastBuildDate> <generator>maintain_current_git.sh v 1.17</generator> <item> + <title>Wed, 7 Dec 2022 18:48:07 GMT</title> + <pubDate>Wed, 7 Dec 2022 18:48:07 GMT</pubDate> + <link>https://git.slackware.nl/current/tag/?h=20221207184807</link> + <guid isPermaLink="false">20221207184807</guid> + <description> + <![CDATA[<pre> +d/cargo-vendor-filterer-0.5.7-x86_64-1.txz: Added. + Thanks to Heinz Wiesinger. +d/cbindgen-0.24.3-x86_64-1.txz: Added. +d/python3-3.9.16-x86_64-1.txz: Upgraded. + This update fixes security issues: + gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 + (heap use-after-free). + gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio + related name resolution functions no longer involves a quadratic algorithm + to fix CVE-2022-45061. This prevents a potential CPU denial of service if an + out-of-spec excessive length hostname involving bidirectional characters were + decoded. Some protocols such as urllib http 3xx redirects potentially allow + for an attacker to supply such a name. + gh-100001: python -m http.server no longer allows terminal control characters + sent within a garbage request to be printed to the stderr server log. + gh-87604: Avoid publishing list of active per-interpreter audit hooks via the + gc module. + gh-97514: On Linux the multiprocessing module returns to using filesystem + backed unix domain sockets for communication with the forkserver process + instead of the Linux abstract socket namespace. Only code that chooses to use + the "forkserver" start method is affected. This prevents Linux CVE-2022-42919 + (potential privilege escalation) as abstract sockets have no permissions and + could allow any user on the system in the same network namespace (often the + whole system) to inject code into the multiprocessing forkserver process. + Filesystem based socket permissions restrict this to the forkserver process + user as was the default in Python 3.8 and earlier. + gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix + CVE-2022-37454. + gh-68966: The deprecated mailcap module now refuses to inject unsafe text + (filenames, MIME types, parameters) into shell commands to address + CVE-2015-20107. Instead of using such text, it will warn and act as if a + match was not found (or for test commands, as if the test failed). + For more information, see: + https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html + https://www.cve.org/CVERecord?id=CVE-2022-43680 + https://www.cve.org/CVERecord?id=CVE-2022-45061 + https://www.cve.org/CVERecord?id=CVE-2022-42919 + https://www.cve.org/CVERecord?id=CVE-2022-37454 + https://www.cve.org/CVERecord?id=CVE-2015-20107 + (* Security fix *) +d/rust-bindgen-0.63.0-x86_64-1.txz: Added. + Thanks to Heinz Wiesinger. +l/pcre2-10.41-x86_64-1.txz: Upgraded. +n/proftpd-1.3.8-x86_64-1.txz: Upgraded. +x/mesa-22.3.0-x86_64-1.txz: Upgraded. + Compiled with Rusticl support. Thanks to Heinz Wiesinger. +x/xdm-1.1.14-x86_64-1.txz: Upgraded. + </pre>]]> + </description> + </item> + <item> <title>Mon, 5 Dec 2022 21:00:46 GMT</title> <pubDate>Mon, 5 Dec 2022 21:00:46 GMT</pubDate> <link>https://git.slackware.nl/current/tag/?h=20221205210046</link> |