summaryrefslogtreecommitdiffstats
path: root/ChangeLog.txt
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r--ChangeLog.txt49
1 files changed, 49 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index f0941fbc8..5a760af1c 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,52 @@
+Wed Dec 7 18:48:07 UTC 2022
+d/cargo-vendor-filterer-0.5.7-x86_64-1.txz: Added.
+ Thanks to Heinz Wiesinger.
+d/cbindgen-0.24.3-x86_64-1.txz: Added.
+d/python3-3.9.16-x86_64-1.txz: Upgraded.
+ This update fixes security issues:
+ gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
+ (heap use-after-free).
+ gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
+ related name resolution functions no longer involves a quadratic algorithm
+ to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
+ out-of-spec excessive length hostname involving bidirectional characters were
+ decoded. Some protocols such as urllib http 3xx redirects potentially allow
+ for an attacker to supply such a name.
+ gh-100001: python -m http.server no longer allows terminal control characters
+ sent within a garbage request to be printed to the stderr server log.
+ gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
+ gc module.
+ gh-97514: On Linux the multiprocessing module returns to using filesystem
+ backed unix domain sockets for communication with the forkserver process
+ instead of the Linux abstract socket namespace. Only code that chooses to use
+ the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
+ (potential privilege escalation) as abstract sockets have no permissions and
+ could allow any user on the system in the same network namespace (often the
+ whole system) to inject code into the multiprocessing forkserver process.
+ Filesystem based socket permissions restrict this to the forkserver process
+ user as was the default in Python 3.8 and earlier.
+ gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
+ CVE-2022-37454.
+ gh-68966: The deprecated mailcap module now refuses to inject unsafe text
+ (filenames, MIME types, parameters) into shell commands to address
+ CVE-2015-20107. Instead of using such text, it will warn and act as if a
+ match was not found (or for test commands, as if the test failed).
+ For more information, see:
+ https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
+ https://www.cve.org/CVERecord?id=CVE-2022-43680
+ https://www.cve.org/CVERecord?id=CVE-2022-45061
+ https://www.cve.org/CVERecord?id=CVE-2022-42919
+ https://www.cve.org/CVERecord?id=CVE-2022-37454
+ https://www.cve.org/CVERecord?id=CVE-2015-20107
+ (* Security fix *)
+d/rust-bindgen-0.63.0-x86_64-1.txz: Added.
+ Thanks to Heinz Wiesinger.
+l/pcre2-10.41-x86_64-1.txz: Upgraded.
+n/proftpd-1.3.8-x86_64-1.txz: Upgraded.
+x/mesa-22.3.0-x86_64-1.txz: Upgraded.
+ Compiled with Rusticl support. Thanks to Heinz Wiesinger.
+x/xdm-1.1.14-x86_64-1.txz: Upgraded.
++--------------------------+
Mon Dec 5 21:00:46 UTC 2022
a/glibc-zoneinfo-2022g-noarch-1.txz: Upgraded.
This package provides the latest timezone updates.
generated by cgit v1.2.3 (git 2.26.2) at 2024-05-17 08:03:02 +0000