From cffeb680aad4319c1d5fb44fc6b2c53a42d69617 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 15 Aug 2022 20:23:47 +0000 Subject: Mon Aug 15 20:23:47 UTC 2022 patches/packages/rsync-3.2.5-x86_64-1_slack15.0.txz: Upgraded. Added some file-list safety checking that helps to ensure that a rogue sending rsync can't add unrequested top-level names and/or include recursive names that should have been excluded by the sender. These extra safety checks only require the receiver rsync to be updated. When dealing with an untrusted sending host, it is safest to copy into a dedicated destination directory for the remote content (i.e. don't copy into a destination directory that contains files that aren't from the remote host unless you trust the remote host). For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154 (* Security fix *) --- ChangeLog.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'ChangeLog.txt') diff --git a/ChangeLog.txt b/ChangeLog.txt index 3f043ad8a..cae87ac9b 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,17 @@ +Mon Aug 15 20:23:47 UTC 2022 +patches/packages/rsync-3.2.5-x86_64-1_slack15.0.txz: Upgraded. + Added some file-list safety checking that helps to ensure that a rogue + sending rsync can't add unrequested top-level names and/or include recursive + names that should have been excluded by the sender. These extra safety + checks only require the receiver rsync to be updated. When dealing with an + untrusted sending host, it is safest to copy into a dedicated destination + directory for the remote content (i.e. don't copy into a destination + directory that contains files that aren't from the remote host unless you + trust the remote host). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154 + (* Security fix *) ++--------------------------+ Sat Aug 13 19:12:40 UTC 2022 patches/packages/glibc-zoneinfo-2022b-noarch-1_slack15.0.txz: Upgraded. This package provides the latest timezone updates. -- cgit v1.2.3-65-gdbad