diff options
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r-- | ChangeLog.txt | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index 3b3e49023..43c234363 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,41 @@ +Tue Oct 18 20:29:54 UTC 2022 +patches/packages/git-2.35.5-x86_64-1_slack15.0.txz: Upgraded. + This release fixes two security issues: + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260 + (* Security fix *) +patches/packages/mozilla-firefox-102.4.0esr-x86_64-1_slack15.0.txz: Upgraded. + This update contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/firefox/102.4.0/releasenotes/ + https://www.mozilla.org/security/advisories/mfsa2022-45/ + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42927 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42928 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42929 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42932 + (* Security fix *) ++--------------------------+ Mon Oct 17 19:31:45 UTC 2022 patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz: Rebuilt. xkb: proof GetCountedString against request length attacks. |