From 9b5b70af5be71074990c96cde8c7b0ac38318721 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 15 Feb 2023 19:48:10 +0000 Subject: Wed Feb 15 19:48:10 UTC 2023 patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: HTTP multi-header compression denial of service. HSTS amnesia with --parallel. HSTS ignored on multiple requests. For more information, see: https://curl.se/docs/CVE-2023-23916.html https://curl.se/docs/CVE-2023-23915.html https://curl.se/docs/CVE-2023-23914.html https://www.cve.org/CVERecord?id=CVE-2023-23916 https://www.cve.org/CVERecord?id=CVE-2023-23915 https://www.cve.org/CVERecord?id=CVE-2023-23914 (* Security fix *) patches/packages/git-2.35.7-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". For more information, see: https://www.cve.org/CVERecord?id=CVE-2023-22490 https://www.cve.org/CVERecord?id=CVE-2023-23946 (* Security fix *) --- ChangeLog.txt | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'ChangeLog.txt') diff --git a/ChangeLog.txt b/ChangeLog.txt index bad42d626..c4a8ccf42 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,36 @@ +Wed Feb 15 19:48:10 UTC 2023 +patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + HTTP multi-header compression denial of service. + HSTS amnesia with --parallel. + HSTS ignored on multiple requests. + For more information, see: + https://curl.se/docs/CVE-2023-23916.html + https://curl.se/docs/CVE-2023-23915.html + https://curl.se/docs/CVE-2023-23914.html + https://www.cve.org/CVERecord?id=CVE-2023-23916 + https://www.cve.org/CVERecord?id=CVE-2023-23915 + https://www.cve.org/CVERecord?id=CVE-2023-23914 + (* Security fix *) +patches/packages/git-2.35.7-x86_64-1_slack15.0.txz: Upgraded. + This update fixes security issues: + Using a specially-crafted repository, Git can be tricked into using + its local clone optimization even when using a non-local transport. + Though Git will abort local clones whose source $GIT_DIR/objects + directory contains symbolic links (c.f., CVE-2022-39253), the objects + directory itself may still be a symbolic link. + These two may be combined to include arbitrary files based on known + paths on the victim's filesystem within the malicious repository's + working copy, allowing for data exfiltration in a similar manner as + CVE-2022-39253. + By feeding a crafted input to "git apply", a path outside the + working tree can be overwritten as the user who is running "git + apply". + For more information, see: + https://www.cve.org/CVERecord?id=CVE-2023-22490 + https://www.cve.org/CVERecord?id=CVE-2023-23946 + (* Security fix *) ++--------------------------+ Wed Feb 15 03:05:40 UTC 2023 extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded. This update fixes security issues: -- cgit v1.2.3-79-gdb01