summaryrefslogtreecommitdiff
path: root/ChangeLog.txt
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committerEric Hameleers <alien@slackware.com>2018-05-31 15:10:50 -0700
commit329684b59b8d55dd403c2c59f76d37210ba2f517 (patch)
tree10421c6ee3bf179d50915cc00d4c15c1b83cb77a /ChangeLog.txt
parentb76270bf9e6dd375e495fec92140a79a79415d27 (diff)
downloadcurrent-329684b59b8d55dd403c2c59f76d37210ba2f517.tar.gz
Fri May 25 23:29:36 UTC 201813.1
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r--ChangeLog.txt3706
1 files changed, 3706 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 478a419d..1dc05e1d 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,3709 @@
+Fri May 25 23:29:36 UTC 2018
+patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.1.txz: Rebuilt.
+ Handle removal of US/Pacific-New timezone. If we see that the machine is
+ using this, it will be automatically switched to US/Pacific.
++--------------------------+
+Thu May 10 01:24:19 UTC 2018
+patches/packages/glibc-zoneinfo-2018e-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/wget-1.19.5-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a security issue where a malicious web server could inject arbitrary
+ cookies into the cookie jar file.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494
+ (* Security fix *)
++--------------------------+
+Mon Apr 30 22:35:43 UTC 2018
+patches/packages/libwmf-0.2.8.4-x86_64-6_slack13.1.txz: Rebuilt.
+ Patched denial of service and possible execution of arbitrary code
+ security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
+ (* Security fix *)
++--------------------------+
+Fri Apr 27 03:58:48 UTC 2018
+patches/packages/openvpn-2.4.6-x86_64-1_slack13.1.txz: Upgraded.
+ This is a security update fixing a potential double-free() in Interactive
+ Service. This usually only leads to a process crash (DoS by an unprivileged
+ local account) but since it could possibly lead to memory corruption if
+ happening while multiple other threads are active at the same time,
+ CVE-2018-9336 has been assigned to acknowledge this risk.
+ For more information, see:
+ https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9336
+ (* Security fix *)
++--------------------------+
+Fri Apr 6 20:47:43 UTC 2018
+####################################################################
+# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
+# #
+# Effective July 5, 2018, security patches will no longer be #
+# provided for the following versions of Slackware (which will all #
+# be more than 7 years old at that time): #
+# Slackware 13.0, Slackware 13.1, Slackware 13.37. #
+# If you are still running these versions you should consider #
+# migrating to a newer version (preferably as recent as possible). #
+# Alternately, you may make arrangements to handle your own #
+# security patches. #
+####################################################################
+patches/packages/patch-2.7.4-x86_64-2_slack13.1.txz: Rebuilt.
+ Fix arbitrary shell execution possible with obsolete ed format patches.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156
+ (* Security fix *)
++--------------------------+
+Sun Apr 1 19:45:12 UTC 2018
+patches/packages/libidn-1.34-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes security issues:
+ Fix integer overflow in combine_hangul()
+ Fix integer overflow in punycode decoder
+ Fix NULL pointer dereference in g_utf8_normalize()
+ Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()
+ (* Security fix *)
++--------------------------+
+Fri Mar 23 22:28:20 UTC 2018
+patches/packages/glibc-zoneinfo-2018d-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Thu Mar 8 07:07:45 UTC 2018
+patches/packages/openssh-7.4p1-x86_64-2_slack13.1.txz: Rebuilt.
+ sftp-server: in read-only mode, sftp-server was incorrectly permitting
+ creation of zero-length files. Reported by Michal Zalewski.
+ Thanks to arny (of Bluewhite64 fame) for the heads-up.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906
+ (* Security fix *)
++--------------------------+
+Thu Mar 1 23:24:54 UTC 2018
+patches/packages/dhcp-4.4.1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes two security issues:
+ Corrected an issue where large sized 'X/x' format options were causing
+ option handling logic to overwrite memory when expanding them to human
+ readable form. Reported by Felix Wilhelm, Google Security Team.
+ Option reference count was not correctly decremented in error path
+ when parsing buffer for options. Reported by Felix Wilhelm, Google
+ Security Team.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733
+ (* Security fix *)
++--------------------------+
+Sat Feb 24 07:41:40 UTC 2018
+patches/packages/wget-1.19.4-x86_64-2_slack13.1.txz: Rebuilt.
+ Applied upstream patch to fix logging in background mode.
+ Thanks to Willy Sudiarto Raharjo.
++--------------------------+
+Thu Feb 1 18:24:15 UTC 2018
+patches/packages/rsync-3.1.3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes two security issues:
+ Fixed a buffer overrun in the protocol's handling of xattr names and
+ ensure that the received name is null terminated.
+ Fix an issue with --protect-args where the user could specify the arg in
+ the protected-arg list and short-circuit some of the arg-sanitizing code.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
+ (* Security fix *)
++--------------------------+
+Wed Jan 24 04:21:44 UTC 2018
+patches/packages/glibc-zoneinfo-2018c-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Jan 22 22:47:47 UTC 2018
+patches/packages/wget-1.19.4-x86_64-1_slack13.1.txz: Upgraded.
+ More bug fixes:
+ A major bug that caused GZip'ed pages to never be decompressed has been fixed
+ Support for Content-Encoding and Transfer-Encoding have been marked as
+ experimental and disabled by default
++--------------------------+
+Sat Jan 20 16:00:51 UTC 2018
+patches/packages/wget-1.19.3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes various non-security bugs, including this one:
+ Prevent erroneous decompression of .gz and .tgz files with broken servers.
++--------------------------+
+Wed Jan 17 21:36:23 UTC 2018
+patches/packages/bind-9.9.11_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a high severity security issue:
+ Improper sequencing during cleanup can lead to a use-after-free error,
+ triggering an assertion failure and crash in named.
+ For more information, see:
+ https://kb.isc.org/article/AA-01542
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145
+ (* Security fix *)
++--------------------------+
+Wed Nov 29 08:15:09 UTC 2017
+patches/packages/libXcursor-1.1.15-x86_64-1_slack13.1.txz: Upgraded.
+ Fix heap overflows when parsing malicious files. (CVE-2017-16612)
+ It is possible to trigger heap overflows due to an integer overflow
+ while parsing images and a signedness issue while parsing comments.
+ The integer overflow occurs because the chosen limit 0x10000 for
+ dimensions is too large for 32 bit systems, because each pixel takes
+ 4 bytes. Properly chosen values allow an overflow which in turn will
+ lead to less allocated memory than needed for subsequent reads.
+ The signedness bug is triggered by reading the length of a comment
+ as unsigned int, but casting it to int when calling the function
+ XcursorCommentCreate. Turning length into a negative value allows the
+ check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+ addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+ less memory than needed for subsequent reads.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
+ (* Security fix *)
+patches/packages/libXfont-1.4.7-x86_64-2_slack13.1.txz: Rebuilt.
+ Open files with O_NOFOLLOW. (CVE-2017-16611)
+ A non-privileged X client can instruct X server running under root
+ to open any file by creating own directory with "fonts.dir",
+ "fonts.alias" or any font file being a symbolic link to any other
+ file in the system. X server will then open it. This can be issue
+ with special files such as /dev/watchdog (which could then reboot
+ the system).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611
+ (* Security fix *)
++--------------------------+
+Fri Oct 27 20:34:35 UTC 2017
+patches/packages/wget-1.19.2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes stack and heap overflows in in HTTP protocol handling.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090
+ (* Security fix *)
++--------------------------+
+Wed Oct 25 19:09:26 UTC 2017
+patches/packages/glibc-zoneinfo-2017c-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Oct 2 17:16:06 UTC 2017
+patches/packages/dnsmasq-2.78-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes bugs and remotely exploitable security issues that may
+ have impacts including denial of service, information leak, and execution
+ of arbitrary code. Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
+ Kevin Hamacher, Ron Bowes, and Gynvael Coldwind of the Google Security Team.
+ For more information, see:
+ https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13704
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496
+ (* Security fix *)
++--------------------------+
+Mon Sep 18 19:15:03 UTC 2017
+patches/packages/httpd-2.2.34-x86_64-2_slack13.1.txz: Rebuilt.
+ This update patches a security issue ("Optionsbleed") with the OPTIONS http
+ method which may leak arbitrary pieces of memory to a potential attacker.
+ Thanks to Hanno Bo:ck.
+ For more information, see:
+ http://seclists.org/oss-sec/2017/q3/477
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
+ (* Security fix *)
++--------------------------+
+Fri Sep 15 17:31:57 UTC 2017
+patches/packages/bluez-4.64-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed an information disclosure vulnerability which allows remote attackers
+ to obtain sensitive information from the bluetoothd process memory. This
+ vulnerability lies in the processing of SDP search attribute requests.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
+ (* Security fix *)
++--------------------------+
+Tue Sep 12 22:18:51 UTC 2017
+patches/packages/emacs-25.3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security vulnerability in Emacs. Gnus no longer
+ supports "richtext" and "enriched" inline MIME objects. This support
+ was disabled to avoid evaluation of arbitrary Lisp code contained in
+ email messages and news articles.
+ For more information, see:
+ http://seclists.org/oss-sec/2017/q3/422
+ https://bugs.gnu.org/28350
+ (* Security fix *)
++--------------------------+
+Fri Sep 8 17:56:01 UTC 2017
+patches/packages/bash-4.1.017-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes two security issues found in bash before 4.4:
+ The expansion of '\h' in the prompt string allows remote authenticated users
+ to execute arbitrary code via shell metacharacters placed in 'hostname' of a
+ machine. The theoretical attack vector is a hostile DHCP server providing a
+ crafted hostname, but this is unlikely to occur in a normal Slackware
+ configuration as we ignore the hostname provided by DHCP.
+ Specially crafted SHELLOPTS+PS4 environment variables used against bogus
+ setuid binaries using system()/popen() allowed local attackers to execute
+ arbitrary code as root.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543
+ (* Security fix *)
++--------------------------+
+Tue Aug 15 22:16:12 UTC 2017
+patches/packages/xorg-server-1.7.7-x86_64-4_slack13.1.txz: Rebuilt.
+ This update fixes two security issues:
+ A user authenticated to an X Session could crash or execute code in the
+ context of the X Server by exploiting a stack overflow in the endianness
+ conversion of X Events.
+ Uninitialized data in endianness conversion in the XEvent handling of the
+ X.Org X Server allowed authenticated malicious users to access potentially
+ privileged data from the X server.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.7.7-x86_64-4_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.7.7-x86_64-4_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.7.7-x86_64-4_slack13.1.txz: Rebuilt.
++--------------------------+
+Fri Aug 11 23:02:43 UTC 2017
+patches/packages/git-2.14.1-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes security issues:
+ A "ssh://..." URL can result in a "ssh" command line with a hostname that
+ begins with a dash "-", which would cause the "ssh" command to instead
+ (mis)treat it as an option. This is now prevented by forbidding such a
+ hostname (which should not impact any real-world usage).
+ Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
+ host and port that are parsed out from "ssh://..." URL; a poorly written
+ GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
+ dash "-" as an option. This is now prevented by forbidding such a hostname
+ and port number (again, which should not impact any real-world usage).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
+ (* Security fix *)
++--------------------------+
+Wed Aug 9 20:23:16 UTC 2017
+patches/packages/curl-7.55.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes three security issues:
+ URL globbing out of bounds read
+ TFTP sends more than buffer size
+ FILE buffer read out of bounds
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20170809A.html
+ https://curl.haxx.se/docs/adv_20170809B.html
+ https://curl.haxx.se/docs/adv_20170809C.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099
+ (* Security fix *)
++--------------------------+
+Wed Aug 2 03:43:51 UTC 2017
+patches/packages/gnupg-1.4.22-x86_64-1_slack13.1.txz: Upgraded.
+ Mitigate a flush+reload side-channel attack on RSA secret keys dubbed
+ "Sliding right into disaster".
+ For more information, see:
+ https://eprint.iacr.org/2017/627
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
+ (* Security fix *)
++--------------------------+
+Tue Jul 25 21:09:42 UTC 2017
+patches/packages/bind-9.9.10_P3-x86_64-1_slack13.1.txz: Upgraded.
+ Fix a regression in the previous BIND release that broke verification
+ of TSIG signed TCP message sequences where not all the messages contain
+ TSIG records.
++--------------------------+
+Tue Jul 18 23:10:25 UTC 2017
+patches/packages/expat-2.2.2-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes security issues including:
+ External entity infinite loop DoS
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
+ https://libexpat.github.io/doc/cve-2017-9233/
+ (* Security fix *)
++--------------------------+
+Thu Jul 13 18:19:01 UTC 2017
+patches/packages/httpd-2.2.34-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue:
+ Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
+ Thanks to Robert Swiecki for reporting this issue.
+ For more information, see:
+ https://httpd.apache.org/security/vulnerabilities_22.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
+ (* Security fix *)
++--------------------------+
+Thu Jun 29 20:55:09 UTC 2017
+patches/packages/bind-9.9.10_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a high severity security issue:
+ An error in TSIG handling could permit unauthorized zone transfers
+ or zone updates.
+ For more information, see:
+ https://kb.isc.org/article/AA-01503/0
+ https://kb.isc.org/article/AA-01504/0
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
+ (* Security fix *)
+patches/packages/httpd-2.2.32-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes security issues which may lead to an authentication bypass
+ or a denial of service:
+ important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
+ important: mod_ssl Null Pointer Dereference CVE-2017-3169
+ important: mod_http2 Null Pointer Dereference CVE-2017-7659
+ important: ap_find_token() Buffer Overread CVE-2017-7668
+ important: mod_mime Buffer Overread CVE-2017-7679
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679
+ (* Security fix *)
++--------------------------+
+Wed Jun 21 18:38:46 UTC 2017
+patches/packages/openvpn-2.3.17-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several denial of service issues discovered
+ by Guido Vranken.
+ For more information, see:
+ https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7512
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522
+ (* Security fix *)
++--------------------------+
+Wed Jun 14 22:04:45 UTC 2017
+patches/packages/bind-9.9.10_P1-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed denial of service security issue:
+ Some RPZ configurations could go into an infinite query loop when
+ encountering responses with TTL=0.
+ For more information, see:
+ https://kb.isc.org/article/AA-01495
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140
+ (* Security fix *)
++--------------------------+
+Wed Jun 7 22:42:04 UTC 2017
+patches/packages/irssi-0.8.21-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed security issues that may result in a denial of service.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_06.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469
+ (* Security fix *)
++--------------------------+
+Wed May 31 23:07:23 UTC 2017
+patches/packages/sudo-1.8.20p2-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bugfix release:
+ Fixed a bug parsing /proc/pid/stat when the process name contains
+ a newline. This is not exploitable due to the /dev traversal changes
+ made in sudo 1.8.20p1.
++--------------------------+
+Tue May 30 17:39:17 UTC 2017
+patches/packages/lynx-2.8.8rel.2-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use
+ the new URL for the Lynx homepage. Thanks to John David Yost.
+patches/packages/sudo-1.8.20p1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a potential overwrite of arbitrary system files.
+ This bug was discovered and analyzed by Qualys, Inc.
+ For more information, see:
+ https://www.sudo.ws/alerts/linux_tty.html
+ http://www.openwall.com/lists/oss-security/2017/05/30/16
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367
+ (* Security fix *)
++--------------------------+
+Wed May 24 19:38:59 UTC 2017
+patches/packages/samba-3.5.22-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a remote code execution vulnerability, allowing a
+ malicious client to upload a shared library to a writable share, and
+ then cause the server to load and execute it.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2017-7494.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
+ (* Security fix *)
++--------------------------+
+Tue May 16 20:11:03 UTC 2017
+patches/packages/freetype-2.5.5-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes an out-of-bounds write caused by a heap-based buffer
+ overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
+ (* Security fix *)
++--------------------------+
+Mon May 1 23:31:02 UTC 2017
+patches/packages/rxvt-2.7.10-x86_64-5_slack13.1.txz: Rebuilt.
+ Patched an integer overflow that can crash rxvt with an escape sequence,
+ or possibly have unspecified other impact.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7483
+ (* Security fix *)
++--------------------------+
+Fri Apr 21 22:40:12 UTC 2017
+patches/packages/ntp-4.2.8p10-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes security
+ issues of medium and low severity:
+ Denial of Service via Malformed Config (Medium)
+ Authenticated DoS via Malicious Config Option (Medium)
+ Potential Overflows in ctl_put() functions (Medium)
+ Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
+ 0rigin DoS (Medium)
+ Buffer Overflow in DPTS Clock (Low)
+ Improper use of snprintf() in mx4200_send() (Low)
+ The following issues do not apply to Linux systems:
+ Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
+ Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
+ Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
+ (* Security fix *)
+patches/packages/proftpd-1.3.5e-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a security issue:
+ AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
+ (* Security fix *)
++--------------------------+
+Wed Apr 19 04:46:45 UTC 2017
+patches/packages/minicom-2.7.1-x86_64-1_slack13.1.txz: Upgraded.
+ Fix an out of bounds data access that can lead to remote code execution.
+ This issue was found by Solar Designer of Openwall during a security audit
+ of the Virtuozzo 7 product, which contains derived downstream code in its
+ prl-vzvncserver component.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467
+ (* Security fix *)
++--------------------------+
+Thu Apr 13 21:19:45 UTC 2017
+patches/packages/bind-9.9.9_P8-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed denial of service security issues.
+ For more information, see:
+ https://kb.isc.org/article/AA-01465
+ https://kb.isc.org/article/AA-01466
+ https://kb.isc.org/article/AA-01471
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138
+ (* Security fix *)
++--------------------------+
+Thu Mar 23 21:38:23 UTC 2017
+patches/packages/glibc-zoneinfo-2017b-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Thu Mar 16 01:37:05 UTC 2017
+patches/packages/pidgin-2.12.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a minor security issue (out of bounds memory read in
+ purple_markup_unescape_entity).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640
+ (* Security fix *)
++--------------------------+
+Tue Feb 28 23:51:55 UTC 2017
+patches/packages/glibc-zoneinfo-2017a-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Fri Feb 10 21:07:35 UTC 2017
+patches/packages/bind-9.9.9_P6-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. Under some conditions
+ when using both DNS64 and RPZ to rewrite query responses, query processing
+ can resume in an inconsistent state leading to either an INSIST assertion
+ failure or an attempt to read through a NULL pointer.
+ For more information, see:
+ https://kb.isc.org/article/AA-01453
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135
+ (* Security fix *)
++--------------------------+
+Thu Jan 12 01:15:52 UTC 2017
+patches/packages/bind-9.9.9_P5-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. An error in handling
+ certain queries can cause an assertion failure when a server is using the
+ nxdomain-redirect feature to cover a zone for which it is also providing
+ authoritative service. A vulnerable server could be intentionally stopped
+ by an attacker if it was using a configuration that met the criteria for
+ the vulnerability and if the attacker could cause it to accept a query
+ that possessed the required attributes.
+ Please note: This vulnerability affects the "nxdomain-redirect" feature,
+ which is one of two methods of handling NXDOMAIN redirection, and is only
+ available in certain versions of BIND. Redirection using zones of type
+ "redirect" is not affected by this vulnerability.
+ For more information, see:
+ https://kb.isc.org/article/AA-01442
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9778
+ (* Security fix *)
+patches/packages/irssi-0.8.21-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed security issues that may result in a denial of service.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_01.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
+ (* Security fix *)
++--------------------------+
+Fri Dec 30 19:29:13 UTC 2016
+patches/packages/libpng-1.4.20-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes an old NULL pointer dereference bug in png_set_text_2()
+ discovered and patched by Patrick Keshishian. The potential "NULL
+ dereference" bug has existed in libpng since version 0.71 of June 26, 1995.
+ To be vulnerable, an application has to load a text chunk into the png
+ structure, then delete all text, then add another text chunk to the same
+ png structure, which seems to be an unlikely sequence, but it has happened.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
+ (* Security fix *)
++--------------------------+
+Sat Dec 24 18:14:51 UTC 2016
+patches/packages/expat-2.2.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes bugs and security issues:
+ Multiple integer overflows in XML_GetBuffer.
+ Fix crash on malformed input.
+ Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716.
+ Use more entropy for hash initialization.
+ Resolve troublesome internal call to srand.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
+ (* Security fix *)
++--------------------------+
+Sat Dec 24 02:36:05 UTC 2016
+patches/packages/openssh-7.4p1-x86_64-1_slack13.1.txz: Upgraded.
+ This is primarily a bugfix release, and also addresses security issues.
+ ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside
+ a trusted whitelist.
+ sshd(8): When privilege separation is disabled, forwarded Unix-domain
+ sockets would be created by sshd(8) with the privileges of 'root'.
+ sshd(8): Avoid theoretical leak of host private key material to
+ privilege-separated child processes via realloc().
+ sshd(8): The shared memory manager used by pre-authentication compression
+ support had a bounds checks that could be elided by some optimising
+ compilers to potentially allow attacks against the privileged monitor.
+ process from the sandboxed privilege-separation process.
+ sshd(8): Validate address ranges for AllowUser and DenyUsers directives at
+ configuration load time and refuse to accept invalid ones. It was
+ previously possible to specify invalid CIDR address ranges
+ (e.g. user@127.1.2.3/55) and these would always match, possibly resulting
+ in granting access where it was not intended.
+ For more information, see:
+ https://www.openssh.com/txt/release-7.4
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
+ (* Security fix *)
++--------------------------+
+Sun Dec 18 05:20:25 UTC 2016
+patches/packages/glibc-zoneinfo-2016j-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Nov 21 19:21:22 UTC 2016
+patches/packages/ntp-4.2.8p9-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes the
+ following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and
+ 5 low-severity vulnerabilities, and provides 28 other non-security
+ fixes and improvements.
+ CVE-2016-9311: Trap crash
+ CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector
+ CVE-2016-7427: Broadcast Mode Replay Prevention DoS
+ CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
+ CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
+ CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
+ CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
+ CVE-2016-7429: Interface selection attack
+ CVE-2016-7426: Client rate limiting and server responses
+ CVE-2016-7433: Reboot sync calculation problem
+ For more information, see:
+ https://www.kb.cert.org/vuls/id/633847
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433
+ (* Security fix *)
++--------------------------+
+Fri Nov 18 22:49:40 UTC 2016
+patches/packages/libxcb-1.11.1-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a regression where previously compiled binaries could be
+ broken due to a changed shared library soname. This package adds
+ compatibility symlinks to the old names where needed.
++--------------------------+
+Fri Nov 4 03:31:38 UTC 2016
+patches/packages/bind-9.9.9_P4-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. A defect in BIND's
+ handling of responses containing a DNAME answer can cause a resolver to exit
+ after encountering an assertion failure in db.c or resolver.c. A server
+ encountering either of these error conditions will stop, resulting in denial
+ of service to clients. The risk to authoritative servers is minimal;
+ recursive servers are chiefly at risk.
+ For more information, see:
+ https://kb.isc.org/article/AA-01434
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
+ (* Security fix *)
+patches/packages/curl-7.51.0-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes security issues:
+ CVE-2016-8615: cookie injection for other servers
+ CVE-2016-8616: case insensitive password comparison
+ CVE-2016-8617: OOB write via unchecked multiplication
+ CVE-2016-8618: double-free in curl_maprintf
+ CVE-2016-8619: double-free in krb5 code
+ CVE-2016-8620: glob parser write/read out of bounds
+ CVE-2016-8621: curl_getdate read out of bounds
+ CVE-2016-8622: URL unescape heap overflow via integer truncation
+ CVE-2016-8623: Use-after-free via shared cookies
+ CVE-2016-8624: invalid URL parsing with '#'
+ CVE-2016-8625: IDNA 2003 makes curl use wrong host
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20161102A.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615
+ https://curl.haxx.se/docs/adv_20161102B.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616
+ https://curl.haxx.se/docs/adv_20161102C.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617
+ https://curl.haxx.se/docs/adv_20161102D.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618
+ https://curl.haxx.se/docs/adv_20161102E.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619
+ https://curl.haxx.se/docs/adv_20161102F.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620
+ https://curl.haxx.se/docs/adv_20161102G.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621
+ https://curl.haxx.se/docs/adv_20161102H.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622
+ https://curl.haxx.se/docs/adv_20161102I.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623
+ https://curl.haxx.se/docs/adv_20161102J.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624
+ https://curl.haxx.se/docs/adv_20161102K.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625
+ (* Security fix *)
+patches/packages/glibc-zoneinfo-2016i-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Oct 31 23:38:24 UTC 2016
+patches/packages/fixesproto-5.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/inputproto-2.3.2-noarch-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/libX11-1.6.4-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory read in XGetImage() or write in XListFonts().
+ Affected versions libX11 <= 1.6.3.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943
+ (* Security fix *)
+patches/packages/libXext-1.3.3-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/libXfixes-5.0.3-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause an integer
+ overflow on 32 bit architectures.
+ Affected versions : libXfixes <= 5.0.2.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
+ (* Security fix *)
+patches/packages/libXi-1.7.8-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory access or endless loops (Denial of Service).
+ Affected versions libXi <= 1.7.6.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7946
+ (* Security fix *)
+patches/packages/libXrandr-1.5.1-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory writes.
+ Affected versions: libXrandr <= 1.5.0.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
+ (* Security fix *)
+patches/packages/libXrender-0.9.10-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory writes.
+ Affected version: libXrender <= 0.9.9.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
+ (* Security fix *)
+patches/packages/libXtst-1.2.3-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory access or endless loops (Denial of Service).
+ Affected version libXtst <= 1.2.2.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
+ (* Security fix *)
+patches/packages/libXv-1.0.11-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory and memory corruption.
+ Affected version libXv <= 1.0.10.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
+ (* Security fix *)
+patches/packages/libXvMC-1.0.10-x86_64-1_slack13.1.txz: Upgraded.
+ Insufficient validation of data from the X server can cause a one byte buffer
+ read underrun.
+ Affected version: libXvMC <= 1.0.9.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
+ (* Security fix *)
+patches/packages/libxcb-1.11.1-x86_64-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/randrproto-1.5.0-noarch-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/recordproto-1.14.2-noarch-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/xcb-proto-1.11-x86_64-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/xextproto-7.3.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
+patches/packages/xproto-7.0.29-noarch-1_slack13.1.txz: Upgraded.
+ This update is a prerequisite for other security updates.
++--------------------------+
+Wed Sep 28 23:24:37 UTC 2016
+patches/packages/glibc-zoneinfo-2016g-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Tue Sep 27 19:16:56 UTC 2016
+patches/packages/bind-9.9.9_P3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. Testing by ISC has
+ uncovered a critical error condition which can occur when a nameserver is
+ constructing a response. A defect in the rendering of messages into
+ packets can cause named to exit with an assertion failure in buffer.c while
+ constructing a response to a query that meets certain criteria.
+ For more information, see:
+ https://kb.isc.org/article/AA-01419/0
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
+ (* Security fix *)
++--------------------------+
+Thu Sep 22 18:38:07 UTC 2016
+patches/packages/pidgin-2.11.0-x86_64-1_slack13.1.txz: Upgraded.
+ NOTE: These packages provide updates to pidgin-2.11.0, since the previous
+ version was mistakenly reissued for Slackware 13.0 - 14.1. Sorry!
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://www.pidgin.im/news/security/
+ (* Security fix *)
++--------------------------+
+Wed Sep 21 21:10:52 UTC 2016
+patches/packages/irssi-0.8.20-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes two remote crash and heap corruption vulnerabilites
+ in Irssi's format parsing code. Impact: Remote crash and heap
+ corruption. Remote code execution seems difficult since only Nuls are
+ written. Bugs discovered by, and patches provided by Gabriel Campana
+ and Adrien Guinet from Quarkslab.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2016.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
+ (* Security fix *)
++--------------------------+
+Wed Sep 21 15:54:06 UTC 2016
+patches/packages/pidgin-2.10.11-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://www.pidgin.im/news/security/
+ (* Security fix *)
++--------------------------+
+Thu Sep 15 22:54:52 UTC 2016
+patches/packages/curl-7.50.3-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed heap overflows in four libcurl functions: curl_escape(),
+ curl_easy_escape(), curl_unescape() and curl_easy_unescape().
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160914.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167
+ (* Security fix *)
++--------------------------+
+Tue Aug 23 19:45:33 UTC 2016
+patches/packages/gnupg-1.4.21-x86_64-1_slack13.1.txz: Upgraded.
+ Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who
+ obtains 580 bytes from the standard RNG can trivially predict the next
+ 20 bytes of output. (This is according to the NEWS file included in the
+ source. According to the annoucement linked below, an attacker who obtains
+ 4640 bits from the RNG can trivially predict the next 160 bits of output.)
+ Problem detected by Felix Doerre and Vladimir Klebanov, KIT.
+ For more information, see:
+ https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
+ (* Security fix *)
+patches/packages/libgcrypt-1.5.6-x86_64-1_slack13.1.txz: Upgraded.
+ Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who
+ obtains 580 bytes from the standard RNG can trivially predict the next
+ 20 bytes of output. (This is according to the NEWS file included in the
+ source. According to the annoucement linked below, an attacker who obtains
+ 4640 bits from the RNG can trivially predict the next 160 bits of output.)
+ Problem detected by Felix Doerre and Vladimir Klebanov, KIT.
+ For more information, see:
+ https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
+ (* Security fix *)
+patches/packages/stunnel-5.35-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed incorrect config file name in generate-stunnel-key.sh.
+ Thanks to Ebben Aries.
++--------------------------+
+Thu Aug 11 18:55:48 UTC 2016
+patches/packages/glibc-zoneinfo-2016f-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Sat Aug 6 19:29:16 UTC 2016
+patches/packages/curl-7.50.1-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes security issues:
+ TLS: switch off SSL session id when client cert is used
+ TLS: only reuse connections with the same client cert
+ curl_multi_cleanup: clear connection pointer for easy handles
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160803A.html
+ https://curl.haxx.se/docs/adv_20160803B.html
+ https://curl.haxx.se/docs/adv_20160803C.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421
+ (* Security fix *)
+patches/packages/openssh-7.3p1-x86_64-1_slack13.1.txz: Upgraded.
+ This is primarily a bugfix release, and also addresses security issues.
+ sshd(8): Mitigate a potential denial-of-service attack against the system's
+ crypt(3) function via sshd(8).
+ sshd(8): Mitigate timing differences in password authentication that could
+ be used to discern valid from invalid account names when long passwords were
+ sent and particular password hashing algorithms are in use on the server.
+ ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle
+ countermeasures.
+ ssh(1), sshd(8): Improve operation ordering of MAC verification for
+ Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC
+ before decrypting any ciphertext.
+ sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes.
+ For more information, see:
+ http://www.openssh.com/txt/release-7.3
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
+ (* Security fix *)
+patches/packages/stunnel-5.35-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes security issues:
+ Fixed malfunctioning "verify = 4".
+ Fixed incorrectly enforced client certificate requests.
+ (* Security fix *)
++--------------------------+
+Thu Jul 28 18:17:17 UTC 2016
+patches/packages/libidn-1.33-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed out-of-bounds read bugs. Fixed crashes on invalid UTF-8.
+ Thanks to Hanno Böck.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8948
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6261
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6262
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6263
+ (* Security fix *)
++--------------------------+
+Fri Jul 22 20:51:23 UTC 2016
+patches/packages/bind-9.9.9_P2-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a security issue:
+ getrrsetbyname with a non absolute name could trigger an infinite
+ recursion bug in lwresd and named with lwres configured if when
+ combined with a search list entry the resulting name is too long.
+ (CVE-2016-2775) [RT #42694]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
+ (* Security fix *)
++--------------------------+
+Wed Jun 15 01:57:05 UTC 2016
+patches/packages/glibc-zoneinfo-2016e-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Jun 13 07:07:39 UTC 2016
+patches/packages/wget-1.18-x86_64-1_slack13.1.txz: Upgraded.
+ This version fixes a security vulnerability present in all old versions
+ of wget. On a server redirect from HTTP to a FTP resource, wget would
+ trust the HTTP server and use the name in the redirected URL as the
+ destination filename. This behaviour was changed and now it works
+ similarly as a redirect from HTTP to another HTTP resource so the original
+ name is used as the destination file. To keep the previous behaviour the
+ user must provide --trust-server-names.
+ The vulnerability was discovered by Dawid Golunski and was reported by
+ Beyond Security's SecuriTeam.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
+ (* Security fix *)
++--------------------------+
+Fri Jun 3 23:36:07 UTC 2016
+patches/packages/ntp-4.2.8p8-x86_64-1_slack13.1.txz: Upgraded.
+ This release patches one high and four low severity security issues:
+ CVE-2016-4957: Crypto-NAK crash
+ CVE-2016-4953: Bad authentication demobilizes ephemeral associations
+ CVE-2016-4954: Processing spoofed server packets
+ CVE-2016-4955: Autokey association reset
+ CVE-2016-4956: Broadcast interleave
+ For more information, see:
+ http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
+ (* Security fix *)
++--------------------------+
+Fri May 20 21:20:29 UTC 2016
+patches/packages/curl-7.49.0-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a TLS certificate check bypass with mbedTLS/PolarSSL.
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160518.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
+ (* Security fix *)
++--------------------------+
+Wed May 11 05:20:01 UTC 2016
+patches/packages/git-2.8.2-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bugfix package update to change color "lime" to "00FF00" in
+ gitk. Otherwise it might not start if "lime" is not defined.
+ Thanks to AlvaroG.
++--------------------------+
+Mon May 2 19:42:54 UTC 2016
+patches/packages/mercurial-3.8.1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes possible arbitrary code execution when converting Git
+ repos. Mercurial prior to 3.8 allowed arbitrary code execution when using
+ the convert extension on Git repos with hostile names. This could affect
+ automated code conversion services that allow arbitrary repository names.
+ This is a further side-effect of Git CVE-2015-7545.
+ Reported and fixed by Blake Burkhart.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3105
+ (* Security fix *)
++--------------------------+
+Fri Apr 29 20:54:01 UTC 2016
+patches/packages/ntp-4.2.8p7-x86_64-1_slack13.1.txz: Upgraded.
+ This release patches several low and medium severity security issues:
+ CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
+ CVE-2016-1549: Sybil vulnerability: ephemeral association attack,
+ AKA: ntp-sybil - MITIGATION ONLY
+ CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion
+ botch
+ CVE-2016-2517: Remote configuration trustedkey/requestkey values are not
+ properly validated
+ CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with
+ MATCH_ASSOC
+ CVE-2016-2519: ctl_getitem() return value not always checked
+ CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
+ CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
+ CVE-2015-7704: KoD fix: peer associations were broken by the fix for
+ NtpBug2901, AKA: Symmetric active/passive mode is broken
+ CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
+ CVE-2016-1550: Improve NTP security against buffer comparison timing attacks,
+ authdecrypt-timing, AKA: authdecrypt-timing
+ For more information, see:
+ http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519
+ (* Security fix *)
++--------------------------+
+Mon Apr 18 22:21:58 UTC 2016
+patches/packages/glibc-zoneinfo-2016d-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Fri Apr 1 21:17:37 UTC 2016
+patches/packages/dhcp-4.3.4-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes bugs and (previously patched) security issues.
+patches/packages/mercurial-3.7.3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes security issues and bugs, including remote code execution
+ in binary delta decoding, arbitrary code execution with Git subrepos, and
+ arbitrary code execution when converting Git repos.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3630
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3069
+ (* Security fix *)
++--------------------------+
+Fri Mar 25 20:43:59 UTC 2016
+patches/packages/glibc-zoneinfo-2016c-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Fri Mar 18 20:02:40 UTC 2016
+patches/packages/git-2.7.4-x86_64-1_slack13.1.txz: Upgraded.
+ NOTE: Issuing this patch again since the bug reporter listed the
+ wrong git version (2.7.1) as fixed. The vulnerability was actually
+ patched in git-2.7.4.
+ Fixed buffer overflows allowing server and client side remote code
+ execution in all git versions before 2.7.4.
+ For more information, see:
+ http://seclists.org/oss-sec/2016/q1/645
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
+ (* Security fix *)
++--------------------------+
+Tue Mar 15 21:31:49 UTC 2016
+patches/packages/git-2.7.3-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed buffer overflows allowing server and client side remote code
+ execution in all git versions before 2.7.1.
+ For more information, see:
+ http://seclists.org/oss-sec/2016/q1/645
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
+ (* Security fix *)
+patches/packages/glibc-zoneinfo-2016b-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Thu Mar 10 23:43:47 UTC 2016
+patches/packages/openssh-7.2p2-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a security bug:
+ sshd(8): sanitise X11 authentication credentials to avoid xauth
+ command injection when X11Forwarding is enabled.
+ For more information, see:
+ http://www.openssh.com/txt/x11fwd.adv
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115
+ (* Security fix *)
++--------------------------+
+Thu Mar 10 02:46:49 UTC 2016
+patches/packages/bind-9.9.8_P4-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed security issues:
+ Fix resolver assertion failure due to improper DNAME handling when
+ parsing fetch reply messages. (CVE-2016-1286) [RT #41753]
+ Malformed control messages can trigger assertions in named and rndc.
+ (CVE-2016-1285) [RT #41666]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285
+ (* Security fix *)
++--------------------------+
+Thu Mar 3 05:41:26 UTC 2016
+patches/packages/mailx-12.5-x86_64-1_slack13.1.txz: Upgraded.
+ Drop SSLv2 support (no longer supported by OpenSSL), and fix security issues
+ that could allow a local attacker to cause mailx to execute arbitrary
+ shell commands through the use of a specially-crafted email address.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844
+ (* Security fix *)
+patches/packages/openssl-0.9.8zh-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes the following security issues:
+ Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
+ Double-free in DSA code (CVE-2016-0705)
+ Memory leak in SRP database lookups (CVE-2016-0798)
+ BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
+ Fix memory issues in BIO_*printf functions (CVE-2016-0799)
+ Side channel attack on modular exponentiation (CVE-2016-0702)
+ To avoid breaking the ABI, "enable-ssl2" is used, but all the vulnerable or
+ weak ciphers have been removed.
+ For more information, see:
+ https://www.openssl.org/news/secadv/20160301.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0798
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zh-x86_64-2_slack13.1.txz: Rebuilt.
++--------------------------+
+Tue Feb 23 19:31:59 UTC 2016
+patches/packages/bind-9.9.8_P3-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes two possible denial-of-service issues:
+ render_ecs errors were mishandled when printing out a OPT record resulting
+ in a assertion failure. (CVE-2015-8705) [RT #41397]
+ Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705
+ (* Security fix *)
+patches/packages/libgcrypt-1.5.5-x86_64-1_slack13.1.txz: Upgraded.
+ Mitigate chosen cipher text attacks on ECDH with Weierstrass curves.
+ Use ciphertext blinding for Elgamal decryption.
+ For more information, see:
+ http://www.cs.tau.ac.IL/~tromer/ecdh/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
+ (* Security fix *)
+patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes
+ several low and medium severity vulnerabilities.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
+ (* Security fix *)
++--------------------------+
+Mon Feb 8 22:08:35 UTC 2016
+patches/packages/curl-7.47.1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where NTLM credentials are not checked
+ for proxy connection reuse. The effects of this flaw is that the application
+ could be reusing a proxy connection using the previously used credentials
+ and thus it could be given to or prevented access from resources that it
+ wasn't intended to. Thanks to Isaac Boukris.
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160127A.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755
+ (* Security fix *)
++--------------------------+
+Wed Feb 3 22:39:25 UTC 2016
+patches/packages/glibc-zoneinfo-2016a-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/MPlayer-1.2_20160125-x86_64-1_slack13.1.txz: Upgraded.
+ This is the latest MPlayer-1.2 branch, identical to the 1.2.1 stable release.
+ The bundled ffmpeg has been upgraded to 2.8.5, which fixes two security
+ issues by which a remote attacker may conduct a cross-origin attack and read
+ arbitrary files on the system.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1897
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1898
+ (* Security fix *)
++--------------------------+
+Fri Jan 15 02:29:54 UTC 2016
+patches/packages/openssh-7.1p2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an information leak and a buffer overflow. In particular,
+ the information leak allows a malicious SSH server to steal the client's
+ private keys. Thanks to Qualys for reporting this issue.
+ For more information, see:
+ https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
+ *****************************************************************
+ * IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *
+ *****************************************************************
+ Rather than backport the fix for the information leak (which is the only
+ hazardous flaw), we have upgraded to the latest OpenSSH. As of version
+ 7.0, OpenSSH has deprecated some older (and presumably less secure)
+ algorithms, and also (by default) only allows root login by public-key,
+ hostbased and GSSAPI authentication. Make sure that your keys and
+ authentication method will allow you to continue accessing your system
+ after the upgrade.
+ The release notes for OpenSSH 7.0 list the following incompatible changes
+ to be aware of:
+ * Support for the legacy SSH version 1 protocol is disabled by
+ default at compile time.
+ * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
+ is disabled by default at run-time. It may be re-enabled using
+ the instructions at http://www.openssh.com/legacy.html
+ * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
+ by default at run-time. These may be re-enabled using the
+ instructions at http://www.openssh.com/legacy.html
+ * Support for the legacy v00 cert format has been removed.
+ * The default for the sshd_config(5) PermitRootLogin option has
+ changed from "yes" to "prohibit-password".
+ * PermitRootLogin=without-password/prohibit-password now bans all
+ interactive authentication methods, allowing only public-key,
+ hostbased and GSSAPI authentication (previously it permitted
+ keyboard-interactive and password-less authentication if those
+ were enabled).
+ (* Security fix *)
++--------------------------+
+Wed Jan 13 00:01:23 UTC 2016
+patches/packages/dhcp-4.3.3_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8605
+ (* Security fix *)
++--------------------------+
+Fri Dec 18 05:28:25 UTC 2015
+patches/packages/libpng-1.4.19-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed an out-of-range read in png_check_keyword(). Thanks to Qixue Xiao.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8540
+ (* Security fix *)
++--------------------------+
+Wed Dec 16 04:21:07 UTC 2015
+patches/packages/bind-9.9.8_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes three security issues:
+ Update allowed OpenSSL versions as named is potentially vulnerable
+ to CVE-2015-3193.
+ Insufficient testing when parsing a message allowed records with an
+ incorrect class to be be accepted, triggering a REQUIRE failure when
+ those records were subsequently cached. (CVE-2015-8000)
+ Address fetch context reference count handling error on socket error.
+ (CVE-2015-8461)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8461
+ (* Security fix *)
+patches/packages/libpng-1.4.18-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed incorrect implementation of png_set_PLTE() that uses png_ptr
+ not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126
+ vulnerability.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8472
+ (* Security fix *)
+patches/packages/openssl-0.9.8zh-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes the following security issues:
+ BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193).
+ Certificate verify crash with missing PSS parameter (CVE-2015-3194).
+ X509_ATTRIBUTE memory leak (CVE-2015-3195).
+ Race condition handling PSK identify hint (CVE-2015-3196).
+ Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794).
+ For more information, see:
+ https://openssl.org/news/secadv_20151203.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1794
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zh-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Thu Dec 3 07:28:30 UTC 2015
+patches/packages/libpng-1.4.17-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed buffer overflows in the png_set_PLTE(), png_get_PLTE(),
+ png_set_tIME(), and png_convert_to_rfc1123() functions that allow
+ attackers to cause a denial of service (application crash) or
+ possibly have unspecified other impact via a small bit-depth value
+ in an IHDR (aka image header) chunk in a PNG image.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126.
+ (* Security fix *)
++--------------------------+
+Thu Oct 29 20:12:14 UTC 2015
+patches/packages/curl-7.45.0-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes some security issues.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3144
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3236
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237
+ (* Security fix *)
+patches/packages/jasper-1.900.1-x86_64-4_slack13.1.txz: Rebuilt.
+ Applied many security and bug fixes.
+ Thanks to Heinz Wiesinger.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
+ (* Security fix *)
+patches/packages/ntp-4.2.8p4-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes
+ several low and medium severity vulnerabilities.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9750
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
+ (* Security fix *)
++--------------------------+
+Mon Oct 5 17:24:30 UTC 2015
+patches/packages/glibc-zoneinfo-2015g-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Wed Sep 2 19:36:31 UTC 2015
+patches/packages/bind-9.9.7_P3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes two denial-of-service vulnerabilities:
+ + CVE-2015-5722 is a denial-of-service vector which can be
+ exploited remotely against a BIND server that is performing
+ validation on DNSSEC-signed records. Validating recursive
+ resolvers are at the greatest risk from this defect, but it has not
+ been ruled out that it could be exploited against an
+ authoritative-only nameserver under limited conditions. Servers
+ that are not performing validation are not vulnerable. However,
+ ISC does not recommend disabling validation as a workaround to
+ this issue as it exposes the server to other types of attacks.
+ Upgrading to the patched versions is the recommended solution.
+ All versions of BIND since 9.0.0 are vulnerable to CVE-2015-5722.
+ + CVE-2015-5986 is a denial-of-service vector which can be used
+ against a BIND server that is performing recursion. Validation
+ is not required. Recursive resolvers are at the greatest risk
+ from this defect, but it has not been ruled out that it could
+ be exploited against an authoritative-only nameserver under
+ limited conditions.
+ Only versions of BIND since 9.9.7 and 9.10.2 are vulnerable to
+ CVE-2015-5986.
+ For more information, see:
+ https://kb.isc.org/article/AA-01287/0
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722
+ https://kb.isc.org/article/AA-01291/0
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986
+ (* Security fix *)
++--------------------------+
+Tue Jul 28 19:36:39 UTC 2015
+patches/packages/bind-9.9.7_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where an error in the handling of TKEY
+ queries can be exploited by an attacker for use as a denial-of-service
+ vector, as a constructed packet can use the defect to trigger a REQUIRE
+ assertion failure, causing BIND to exit.
+ Impact:
+ Both recursive and authoritative servers are vulnerable to this defect.
+ Additionally, exposure is not prevented by either ACLs or configuration
+ options limiting or denying service because the exploitable code occurs
+ early in the packet handling, before checks enforcing those boundaries.
+ Operators should take steps to upgrade to a patched version as soon as
+ possible.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477
+ https://kb.isc.org/article/AA-01272
+ (* Security fix *)
++--------------------------+
+Tue Jul 7 22:59:17 UTC 2015
+patches/packages/bind-9.9.7_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where an attacker who can cause
+ a validating resolver to query a zone containing specifically constructed
+ contents can cause that resolver to fail an assertion and terminate due
+ to a defect in validation code. This means that a recursive resolver that
+ is performing DNSSEC validation can be deliberately stopped by an attacker
+ who can cause the resolver to perform a query against a
+ maliciously-constructed zone. This will result in a denial of service to
+ clients who rely on that resolver.
+ For more information, see:
+ https://kb.isc.org/article/AA-01267/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
+ (* Security fix *)
+patches/packages/cups-1.4.5-x86_64-3_slack13.1.txz: Rebuilt.
+ This release fixes a security issue:
+ CWE-911: Improper Update of Reference Count - CVE-2015-1158
+ This bug could allow an attacker to upload a replacement CUPS
+ configuration file and mount further attacks.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158
+ (* Security fix *)
+patches/packages/ntp-4.2.8p3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where under specific circumstances an
+ attacker can send a crafted packet to cause a vulnerable ntpd instance to
+ crash. Since this requires 1) ntpd set up to allow remote configuration
+ (not allowed by default), and 2) knowledge of the configuration password,
+ and 3) access to a computer entrusted to perform remote configuration,
+ the vulnerability is considered low-risk.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5146
+ (* Security fix *)
++--------------------------+
+Thu Jun 11 21:31:47 UTC 2015
+patches/packages/openssl-0.9.8zg-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes several bugs and security issues:
+ o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+ o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+ o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+ o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+ o Race condition handling NewSessionTicket (CVE-2015-1791)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1788
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zg-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Wed Apr 29 05:10:52 UTC 2015
+patches/packages/gnupg-1.4.19-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched to fix spurious debug messages that may break sbopkg and slackpkg.
+ Thanks to Willy Sudiarto Raharjo.
++--------------------------+
+Tue Apr 21 23:44:00 UTC 2015
+patches/packages/bind-9.9.6_P2-x86_64-1_slack13.1.txz: Upgraded.
+ Fix some denial-of-service and other security issues.
+ For more information, see:
+ https://kb.isc.org/article/AA-01166/
+ https://kb.isc.org/article/AA-01161/
+ https://kb.isc.org/article/AA-01167/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3214
+ (* Security fix *)
+patches/packages/gnupg-1.4.19-x86_64-1_slack13.1.txz: Upgraded.
+ * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
+ See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
+ * Fixed data-dependent timing variations in modular exponentiation
+ [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
+ are Practical].
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
+ (* Security fix *)
+patches/packages/httpd-2.2.29-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes the following security issues:
+ * CVE-2014-3583 mod_proxy_fcgi: Fix a potential crash due to buffer
+ over-read, with response headers' size above 8K.
+ * CVE-2014-3581 mod_cache: Avoid a crash when Content-Type has an
+ empty value. PR 56924.
+ * CVE-2014-8109 mod_lua: Fix handling of the Require line when a
+ LuaAuthzProvider is used in multiple Require directives with
+ different arguments. PR57204.
+ * CVE-2013-5704 core: HTTP trailers could be used to replace HTTP
+ headers late during request processing, potentially undoing or
+ otherwise confusing modules that examined or modified request
+ headers earlier. Adds "MergeTrailers" directive to restore legacy
+ behavior.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
+ (* Security fix *)
+patches/packages/ntp-4.2.8p2-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes the
+ following medium-severity vulnerabilities involving private key
+ authentication:
+ * ntpd accepts unauthenticated packets with symmetric key crypto.
+ * Authentication doesn't protect symmetric associations against DoS attacks.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
+ (* Security fix *)
+patches/packages/openssl-0.9.8zf-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes several bugs and security issues:
+ o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
+ o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
+ o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
+ o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
+ o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
+ o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
+ o Removed the export ciphers from the DEFAULT ciphers
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zf-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/ppp-2.4.5-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed a potential security issue in parsing option files.
+ Fixed remotely triggerable PID overflow that causes pppd to crash.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3310
+ (* Security fix *)
+patches/packages/proftpd-1.3.4e-x86_64-1_slack13.1.txz: Upgraded.
+ Patched an issue where mod_copy allowed unauthenticated copying
+ of files via SITE CPFR/CPTO.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
+ (* Security fix *)
++--------------------------+
+Mon Feb 16 19:33:36 UTC 2015
+patches/packages/patch-2.7.4-x86_64-1_slack13.1.txz: Upgraded.
+ Patch no longer follows symbolic links to input and output files. This
+ ensures that symbolic links created by git-style patches cannot cause
+ patch to write outside the working directory.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
+ (* Security fix *)
+patches/packages/sudo-1.8.12-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a potential security issue by only passing the TZ
+ environment variable it is considered safe. This prevents exploiting bugs
+ in glibc's TZ parser that could be used to read files that the user does
+ not have access to, or to cause a denial of service.
+ For more information, see:
+ http://www.sudo.ws/sudo/alerts/tz.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680
+ (* Security fix *)
++--------------------------+
+Wed Jan 28 19:23:00 UTC 2015
+patches/packages/glibc-2.11.1-x86_64-9_slack13.1.txz: Rebuilt.
+ This update patches a security issue __nss_hostname_digits_dots() function
+ of glibc which may be triggered through the gethostbyname*() set of
+ functions. This flaw could allow local or remote attackers to take control
+ of a machine running a vulnerable version of glibc. Thanks to Qualys for
+ discovering this issue (also known as the GHOST vulnerability.)
+ For more information, see:
+ https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-9_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-9_slack13.1.txz: Rebuilt.
+patches/packages/glibc-solibs-2.11.1-x86_64-9_slack13.1.txz: Rebuilt.
+patches/packages/glibc-zoneinfo-2014j-noarch-1.txz: Upgraded.
+ Upgraded to tzcode2014j and tzdata2014j.
++--------------------------+
+Sat Jan 17 04:26:41 UTC 2015
+patches/packages/freetype-2.5.5-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Fri Jan 9 17:47:53 UTC 2015
+patches/packages/openssl-0.9.8zd-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several security issues:
+ DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
+ DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
+ no-ssl3 configuration sets method to NULL (CVE-2014-3569)
+ ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
+ RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
+ DH client certificates accepted without verification [Server] (CVE-2015-0205)
+ Certificate fingerprints can be modified (CVE-2014-8275)
+ Bignum squaring may produce incorrect results (CVE-2014-3570)
+ For more information, see:
+ https://www.openssl.org/news/secadv_20150108.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zd-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Tue Dec 23 00:05:23 UTC 2014
+patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes
+ several high-severity vulnerabilities discovered by Neel Mehta
+ and Stephen Roettger of the Google Security Team.
+ For more information, see:
+ https://www.kb.cert.org/vuls/id/852879
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
+ (* Security fix *)
++--------------------------+
+Thu Dec 11 01:18:35 UTC 2014
+patches/packages/bind-9.9.6_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where a failure to place limits on
+ delegation chaining can allow an attacker to crash BIND or cause memory
+ exhaustion.
+ For more information, see:
+ https://kb.isc.org/article/AA-01216
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
+ (* Security fix *)
+patches/packages/openvpn-2.3.6-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue that allows remote authenticated
+ users to cause a denial of service (server crash) via a small control
+ channel packet.
+ For more information, see:
+ https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
+ (* Security fix *)
+patches/packages/pidgin-2.10.11-x86_64-1_slack13.1.txz: Upgraded.
+ This update contains login fixes for MSN and some XMPP servers.
++--------------------------+
+Fri Nov 7 21:02:55 UTC 2014
+patches/packages/bash-4.1.017-x86_64-1_slack13.1.txz: Upgraded.
+ Applied all upstream patches. The previously applied patch requiring
+ a specific prefix/suffix in order to parse variables for functions
+ closed all of the known vulnerabilities anyway, but it's clear that
+ until all the patches were applied that the "is this still vulnerable"
+ questions were not going to end...
++--------------------------+
+Wed Oct 29 18:21:12 UTC 2014
+patches/packages/wget-1.12-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a symlink vulnerability that could allow an attacker
+ to write outside of the expected directory.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
+ (* Security fix *)
++--------------------------+
+Fri Oct 24 04:55:44 UTC 2014
+patches/packages/glibc-zoneinfo-2014i-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/pidgin-2.10.10-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several security issues:
+ Insufficient SSL certificate validation (CVE-2014-3694)
+ Remote crash parsing malformed MXit emoticon (CVE-2014-3695)
+ Remote crash parsing malformed Groupwise message (CVE-2014-3696)
+ Malicious smiley themes could alter arbitrary files (CVE-2014-3697)
+ Potential information leak from XMPP (CVE-2014-3698)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3697
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
+ (* Security fix *)
++--------------------------+
+Mon Oct 20 22:21:45 UTC 2014
+patches/packages/openssh-5.9p1-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a security issue that allows remote servers to trigger
+ the skipping of SSHFP DNS RR checking by presenting an unacceptable
+ HostCertificate.
+ Thanks to mancha for the backported patch.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
+ (* Security fix *)
++--------------------------+
+Wed Oct 15 17:28:59 UTC 2014
+patches/packages/openssl-solibs-0.9.8zc-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
+patches/packages/openssl-0.9.8zc-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several security issues:
+ SRTP Memory Leak (CVE-2014-3513):
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack.
+ Session Ticket Memory Leak (CVE-2014-3567):
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ SSL 3.0 Fallback protection:
+ OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
+ to block the ability for a MITM attacker to force a protocol
+ downgrade.
+ Some client applications (such as browsers) will reconnect using a
+ downgraded protocol to work around interoperability bugs in older
+ servers. This could be exploited by an active man-in-the-middle to
+ downgrade connections to SSL 3.0 even if both sides of the connection
+ support higher protocols. SSL 3.0 contains a number of weaknesses
+ including POODLE (CVE-2014-3566).
+ Build option no-ssl3 is incomplete (CVE-2014-3568):
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ For more information, see:
+ https://www.openssl.org/news/secadv_20141015.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
+ (* Security fix *)
++--------------------------+
+Mon Sep 29 18:41:23 UTC 2014
+patches/packages/bash-4.1.014-x86_64-1_slack13.1.txz: Upgraded.
+ Another bash update. Here's some information included with the patch:
+ "This patch changes the encoding bash uses for exported functions to avoid
+ clashes with shell variables and to avoid depending only on an environment
+ variable's contents to determine whether or not to interpret it as a shell
+ function."
+ After this update, an environment variable will not go through the parser
+ unless it follows this naming structure: BASH_FUNC_*%%
+ Most scripts never expected to import functions from environment variables,
+ so this change (although not backwards compatible) is not likely to break
+ many existing scripts. It will, however, close off access to the parser as
+ an attack surface in the vast majority of cases. There's already another
+ vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
+ but this hardening patch prevents it (and likely many more similar ones).
+ Thanks to Florian Weimer and Chet Ramey.
+ (* Security fix *)
++--------------------------+
+Fri Sep 26 22:23:32 UTC 2014
+patches/packages/bash-4.1.013-x86_64-1_slack13.1.txz: Upgraded.
+ This is essentially a rebuild as the preliminary patch for CVE-2014-7169
+ has been accepted by upstream and is now signed. This also bumps the
+ patchlevel, making it easy to tell this is the fixed version.
+ Possibly more changes to come, given the ongoing discussions on oss-sec.
++--------------------------+
+Thu Sep 25 19:55:13 UTC 2014
+patches/packages/bash-4.1.012-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched an additional trailing string processing vulnerability discovered
+ by Tavis Ormandy.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
+ (* Security fix *)
++--------------------------+
+Wed Sep 24 22:52:53 UTC 2014
+patches/packages/bash-4.1.012-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a vulnerability in bash related to how environment
+ variables are processed: trailing code in function definitions was
+ executed, independent of the variable name. In many common configurations
+ (such as the use of CGI scripts), this vulnerability is exploitable over
+ the network. Thanks to Stephane Chazelas for discovering this issue.
+ For more information, see:
+ http://seclists.org/oss-sec/2014/q3/650
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
+ (* Security fix *)
++--------------------------+
+Thu Sep 4 19:43:25 UTC 2014
+patches/packages/php-5.3.29-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes bugs and security issues.
+ The PHP 5.3.x series is now EOL -- no further updates are planned.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
+ (* Security fix *)
++--------------------------+
+Fri Aug 8 19:02:50 UTC 2014
+patches/packages/openssl-0.9.8zb-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several security issues:
+ Double Free when processing DTLS packets (CVE-2014-3505)
+ DTLS memory exhaustion (CVE-2014-3506)
+ DTLS memory leak from zero-length fragments (CVE-2014-3507)
+ Information leak in pretty printing functions (CVE-2014-3508)
+ Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
+ OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
+ OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
+ SRP buffer overrun (CVE-2014-3512)
+ Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
+ For more information, see:
+ https://www.openssl.org/news/secadv_20140806.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8zb-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
++--------------------------+
+Fri Aug 1 21:13:18 UTC 2014
+patches/packages/dhcpcd-5.2.12-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a security issue where a specially crafted packet
+ received from a malicious DHCP server causes dhcpcd to enter an infinite
+ loop causing a denial of service.
+ Thanks to Tobias Stoeckmann for the bug report.
+ (* Security fix *)
++--------------------------+
+Wed Jul 23 23:00:34 UTC 2014
+patches/packages/httpd-2.2.27-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes the following security issues:
+ *) SECURITY: CVE-2014-0117 (cve.mitre.org)
+ mod_proxy: Fix crash in Connection header handling which
+ allowed a denial of service attack against a reverse proxy
+ with a threaded MPM. [Ben Reser]
+ *) SECURITY: CVE-2014-0118 (cve.mitre.org)
+ mod_deflate: The DEFLATE input filter (inflates request bodies) now
+ limits the length and compression ratio of inflated request bodies to
+ avoid denial of sevice via highly compressed bodies. See directives
+ DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+ and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
+ *) SECURITY: CVE-2014-0226 (cve.mitre.org)
+ Fix a race condition in scoreboard handling, which could lead to
+ a heap buffer overflow. [Joe Orton, Eric Covener]
+ *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+ mod_cgid: Fix a denial of service against CGI scripts that do
+ not consume stdin that could lead to lingering HTTPD child processes
+ filling up the scoreboard and eventually hanging the server. By
+ default, the client I/O timeout (Timeout directive) now applies to
+ communication with scripts. The CGIDScriptTimeout directive can be
+ used to set a different timeout for communication with scripts.
+ [Rainer Jung, Eric Covener, Yann Ylavic]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
+ (* Security fix *)
++--------------------------+
+Tue Jun 24 22:35:07 UTC 2014
+patches/packages/bind-9.8.7_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes security issues and other bugs. Please note that the first
+ CVE only affects Windows, and the second one was claimed to be fixed by
+ an earlier version of BIND. But we'll update anyway just in case. :-)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6230
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
+ (* Security fix *)
+patches/packages/gnupg-1.4.17-x86_64-1_slack13.1.txz: Upgraded.
+ This release includes a security fix to stop a denial of service using
+ garbled compressed data packets which can be used to put gpg into an
+ infinite loop.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
+ (* Security fix *)
++--------------------------+
+Mon Jun 9 20:16:02 UTC 2014
+patches/packages/php-5.3.28-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes bugs and security issues, including:
+ Fixed handling null bytes in subjectAltName.
+ Fixed memory corruption in openssl_x509_parse().
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
+ (* Security fix *)
++--------------------------+
+Fri Jun 6 04:27:01 UTC 2014
+patches/packages/gnutls-2.8.6-x86_64-4_slack13.1.txz: Rebuilt.
+ A security issue has been corrected in gnutls. This vulnerability
+ affects the client side of the gnutls library. A server that sends
+ a specially crafted ServerHello could corrupt the memory of a requesting
+ client. This may allow a remote attacker to execute arbitrary code.
+ Additional vulnerabilities in the embedded libtasn1 library have also
+ been patched.
+ Thanks to mancha for the backported patches.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
+ (* Security fix *)
+patches/packages/openssl-0.9.8za-x86_64-1_slack13.1.txz: Upgraded.
+ Multiple security issues have been corrected, including a possible
+ man-in-the-middle attack where weak keying material is forced, denial
+ of service, and the execution of arbitrary code.
+ For more information, see:
+ http://www.openssl.org/news/secadv_20140605.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8za-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/sendmail-8.14.9-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes one security related bug by properly closing file
+ descriptors (except stdin, stdout, and stderr) before executing programs.
+ This bug could enable local users to interfere with an open SMTP
+ connection if they can execute their own program for mail delivery
+ (e.g., via procmail or the prog mailer).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
+ (* Security fix *)
+patches/packages/sendmail-cf-8.14.9-noarch-1_slack13.1.txz: Upgraded.
++--------------------------+
+Mon Apr 21 20:09:48 UTC 2014
+patches/packages/libyaml-0.1.6-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a heap overflow in URI escape parsing of YAML in Ruby,
+ where a specially crafted string could cause a heap overflow leading to
+ arbitrary code execution.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
+ https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
+ (* Security fix *)
++--------------------------+
+Fri Mar 28 03:43:11 UTC 2014
+patches/packages/curl-7.36.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes four security issues.
+ For more information, see:
+ http://curl.haxx.se/docs/adv_20140326A.html
+ http://curl.haxx.se/docs/adv_20140326B.html
+ http://curl.haxx.se/docs/adv_20140326C.html
+ http://curl.haxx.se/docs/adv_20140326D.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1263
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2522
+ (* Security fix *)
+patches/packages/openssh-5.9p1-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue when using environment passing with
+ a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH could be
+ tricked into accepting any environment variable that contains the
+ characters before the wildcard character.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
+ (* Security fix *)
++--------------------------+
+Thu Mar 6 04:14:23 UTC 2014
+patches/packages/sudo-1.7.10p8-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where if the env_reset option is disabled
+ in the sudoers file, a malicious user with sudo permissions may be able to
+ run arbitrary commands with elevated privileges by manipulating the
+ environment of a command the user is legitimately allowed to run.
+ For more information, see:
+ http://www.sudo.ws/sudo/alerts/env_add.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0106
+ (* Security fix *)
++--------------------------+
+Mon Mar 3 23:32:18 UTC 2014
+patches/packages/gnutls-2.8.6-x86_64-3_slack13.1.txz: Rebuilt.
+ Fixed a security issue where a specially crafted certificate could
+ bypass certificate validation checks.
+ Thanks to mancha for the backported patch.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
+ (* Security fix *)
++--------------------------+
+Thu Feb 20 00:30:49 UTC 2014
+patches/packages/mysql-5.1.73-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a buffer overflow in the mysql command line client which
+ may allow malicious or compromised database servers to cause a denial of
+ service (crash) and possibly execute arbitrary code via a long server
+ version string.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
+ (* Security fix *)
++--------------------------+
+Thu Feb 13 23:45:53 UTC 2014
+patches/packages/curl-7.35.0-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a flaw where libcurl could, in some circumstances, reuse
+ the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS
+ request.
+ For more information, see:
+ http://curl.haxx.se/docs/adv_20140129.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
+ (* Security fix *)
+patches/packages/ntp-4.2.6p5-x86_64-1_slack13.1.txz: Upgraded.
+ All stable versions of NTP remain vulnerable to a remote attack where the
+ "ntpdc -c monlist" command can be used to amplify network traffic as part
+ of a denial of service attack. By default, Slackware is not vulnerable
+ since it includes "noquery" as a default restriction. However, it is
+ vulnerable if this restriction is removed. To help mitigate this flaw,
+ "disable monitor" has been added to the default ntp.conf (which will disable
+ the monlist command even if other queries are allowed), and the default
+ restrictions have been extended to IPv6 as well.
+ All users of the NTP daemon should make sure that their ntp.conf contains
+ "disable monitor" to prevent misuse of the NTP service. The new ntp.conf
+ file will be installed as /etc/ntp.conf.new with a package upgrade, but the
+ changes will need to be merged into any existing ntp.conf file by the admin.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
+ http://www.kb.cert.org/vuls/id/348126
+ (* Security fix *)
++--------------------------+
+Mon Feb 3 20:58:32 UTC 2014
+patches/packages/pidgin-2.10.9-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes various security issues and other bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6152
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6477
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6478
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6479
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6481
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6482
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6483
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6484
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6485
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6486
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6489
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6490
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0020
+ (* Security fix *)
++--------------------------+
+Tue Jan 28 21:07:13 UTC 2014
+patches/packages/bind-9.8.6_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a defect in the handling of NSEC3-signed zones that can
+ cause BIND to be crashed by a specific set of queries.
+ NOTE: According to the second link below, Slackware is probably not
+ vulnerable since we aren't using glibc-2.18 yet. Might as well fix it
+ anyway, though.
+ For more information, see:
+ https://kb.isc.org/article/AA-01078
+ https://kb.isc.org/article/AA-01085
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
+ (* Security fix *)
++--------------------------+
+Tue Jan 14 03:54:48 UTC 2014
+patches/packages/libXfont-1.4.7-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a stack overflow when reading a BDF font file containing
+ a longer than expected string, which could lead to crashes or privilege
+ escalation.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462
+ (* Security fix *)
++--------------------------+
+Fri Dec 20 22:46:09 UTC 2013
+patches/packages/gnupg-1.4.16-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
+ Cryptanalysis attack as described by Genkin, Shamir, and Tromer.
+ For more information, see:
+ http://www.cs.tau.ac.il/~tromer/acoustic/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
+ (* Security fix *)
++--------------------------+
+Mon Dec 16 20:51:01 UTC 2013
+patches/packages/libiodbc-3.52.8-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an rpath pointing to a location in /tmp that was found in
+ two test programs (iodbctest and iodbctestw). This could have allowed a
+ local attacker with write access to /tmp to add modified libraries (and
+ execute arbitrary code) as any user running the test programs.
+ Thanks to Christopher Oliver for the bug report.
+ (* Security fix *)
+patches/packages/libjpeg-v8a-x86_64-2_slack13.1.txz: Rebuilt.
+ Fix use of uninitialized memory when decoding images with missing SOS data
+ for the luminance component (Y) in presence of valid chroma data (Cr, Cb).
+ This could allow remote attackers to obtain sensitive information from
+ uninitialized memory locations via a crafted JPEG image.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
+ (* Security fix *)
+patches/packages/ruby-1.9.3_p484-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a heap overflow in floating point parsing. A specially
+ crafted string could cause a heap overflow leading to a denial of service
+ attack via segmentation faults and possibly arbitrary code execution.
+ For more information, see:
+ https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
+ (* Security fix *)
++--------------------------+
+Sat Oct 19 03:42:15 UTC 2013
+patches/packages/hplip-3.10.2-x86_64-4_slack13.1.txz: Rebuilt.
+ This fixes a polkit race condition that could allow local users to bypass
+ intended access restrictions.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325
+ (* Security fix *)
++--------------------------+
+Fri Oct 18 02:41:09 UTC 2013
+patches/packages/libtiff-3.9.7-x86_64-1_slack13.1.txz: Upgraded.
+ Patched overflows, crashes, and out of bounds writes.
+ Thanks to mancha for the backported patches.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244
+ (* Security fix *)
++--------------------------+
+Mon Oct 14 22:09:17 UTC 2013
+patches/packages/gnupg-1.4.15-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed possible infinite recursion in the compressed packet
+ parser. [CVE-2013-4402]
+ Protect against rogue keyservers sending secret keys.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
+ (* Security fix *)
+patches/packages/gnutls-2.8.6-x86_64-2_slack13.1.txz: Rebuilt.
+ [Updated to the correct version to fix fetching the "latest" from gnu.org]
+ This update prevents a side-channel attack which may allow remote attackers
+ to conduct distinguishing attacks and plaintext recovery attacks using
+ statistical analysis of timing data for crafted packets.
+ Other minor security issues are patched as well.
+ Thanks to mancha for backporting these patches.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
+ (* Security fix *)
+patches/packages/xorg-server-1.7.7-x86_64-3_slack13.1.txz: Rebuilt.
+ Patched a use-after-free bug that can cause an X server crash or
+ memory corruption.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.7.7-x86_64-3_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.7.7-x86_64-3_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.7.7-x86_64-3_slack13.1.txz: Rebuilt.
++--------------------------+
+Sun Sep 29 02:39:29 UTC 2013
+patches/packages/lm_sensors-3.3.4-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes issues with sensors-detect that may cause serious trouble
+ on recent hardware (most notably laptops.) The symptoms are that the
+ display starts misbehaving (wrong resolution or wrong gamma factor.)
+ The risk is mitigated in this package by changing the default behavior of
+ sensors-detect to no longer touch EDID EEPROMs and then to no longer probe
+ graphics adapters at all unless the user asks for it.
++--------------------------+
+Wed Sep 18 02:56:19 UTC 2013
+patches/packages/glibc-2.11.1-x86_64-8_slack13.1.txz: Rebuilt.
+ Patched to fix integer overflows in pvalloc, valloc, and
+ posix_memalign/memalign/aligned_alloc.
+ Thanks to mancha for the backported patch.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-8_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-8_slack13.1.txz: Rebuilt.
+patches/packages/glibc-solibs-2.11.1-x86_64-8_slack13.1.txz: Rebuilt.
+patches/packages/glibc-zoneinfo-2013d-noarch-8_slack13.1.txz: Rebuilt.
++--------------------------+
+Wed Aug 21 06:11:23 UTC 2013
+patches/packages/hplip-3.10.2-x86_64-3_slack13.1.txz: Rebuilt.
+ This update fixes a stack-based buffer overflow in the hpmud_get_pml
+ function that can allow remote attackers to cause a denial of service
+ (crash) and possibly execute arbitrary code via a crafted SNMP response
+ with a large length value.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267
+ (* Security fix *)
+patches/packages/xpdf-3.03-x86_64-1_slack13.1.txz: Upgraded.
+ Sanitize error messages to remove escape sequences that could be used to
+ exploit vulnerable terminal emulators.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
+ Thanks to mancha.
+ (* Security fix *)
++--------------------------+
+Tue Aug 6 05:23:34 UTC 2013
+patches/packages/bind-9.8.5_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where a specially crafted query can cause
+ BIND to terminate abnormally, resulting in a denial of service.
+ For more information, see:
+ https://kb.isc.org/article/AA-01015
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854
+ (* Security fix *)
+patches/packages/httpd-2.2.25-x86_64-1_slack13.1.txz: Upgraded.
+ This update addresses two security issues:
+ * SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client
+ data written to the RewriteLog is escaped to prevent terminal escape
+ sequences from entering the log file.
+ * SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request
+ against a URI handled by mod_dav_svn with the source href (sent as part of
+ the request body as XML) pointing to a URI that is not configured for DAV
+ will trigger a segfault.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
+ (* Security fix *)
+patches/packages/samba-3.5.22-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes missing integer wrap protection in an EA list reading
+ that can allow authenticated or guest connections to cause the server to
+ loop, resulting in a denial of service.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
+ (* Security fix *)
++--------------------------+
+Sat Aug 3 20:36:53 UTC 2013
+patches/packages/gnupg-1.4.14-x86_64-1_slack13.1.txz: Upgraded.
+ Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA
+ secret keys.
+ For more information, see:
+ http://eprint.iacr.org/2013/448
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
+ (* Security fix *)
+patches/packages/libgcrypt-1.5.3-x86_64-1_slack13.1.txz: Upgraded.
+ Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA
+ secret keys.
+ For more information, see:
+ http://eprint.iacr.org/2013/448
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
+ (* Security fix *)
+patches/packages/libgpg-error-1.11-x86_64-1_slack13.1.txz: Upgraded.
+ This package upgrade was needed by the new version of libgcrypt.
++--------------------------+
+Tue Jul 16 21:18:56 UTC 2013
+patches/packages/php-5.3.27-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an issue where XML in PHP does not properly consider
+ parsing depth, which allows remote attackers to cause a denial of service
+ (heap memory corruption) or possibly have unspecified other impact via a
+ crafted document that is processed by the xml_parse_into_struct function.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
+ (* Security fix *)
++--------------------------+
+Thu Jun 27 23:56:34 UTC 2013
+patches/packages/ruby-1.9.3_p448-x86_64-1_slack13.1.txz: Upgraded.
+ This update patches a vulnerability in Ruby's SSL client that could allow
+ man-in-the-middle attackers to spoof SSL servers via a valid certificate
+ issued by a trusted certification authority.
+ For more information, see:
+ http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
+ (* Security fix *)
++--------------------------+
+Sun Jun 23 21:00:00 UTC 2013
+patches/packages/curl-7.20.1-x86_64-2_slack13.1.txz: Rebuilt.
+ This fixes a minor security issue where a decode buffer boundary flaw in
+ libcurl could lead to heap corruption.
+ For more information, see:
+ http://curl.haxx.se/docs/adv_20130622.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
+ (* Security fix *)
++--------------------------+
+Mon Jun 10 21:51:54 UTC 2013
+patches/packages/php-5.3.26-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bugfix release. It also fixes a security issue -- a heap-based
+ overflow in the quoted_printable_encode() function, which could be used by
+ a remote attacker to crash PHP or execute code as the 'apache' user.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110
+ (* Security fix *)
++--------------------------+
+Thu May 16 21:42:08 UTC 2013
+patches/packages/ruby-1.9.3_p429-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue in DL and Fiddle included in Ruby where
+ tainted strings can be used by system calls regardless of the $SAFE level
+ setting.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065
+ http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/
+ (* Security fix *)
++--------------------------+
+Fri Apr 5 05:21:45 UTC 2013
+patches/packages/subversion-1.6.21-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes some denial of service bugs:
+ mod_dav_svn excessive memory usage from property changes
+ mod_dav_svn crashes on LOCK requests against activity URLs
+ mod_dav_svn crashes on LOCK requests against non-existant URLs
+ mod_dav_svn crashes on PROPFIND requests against activity URLs
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
+ (* Security fix *)
++--------------------------+
+Wed Mar 27 06:09:29 UTC 2013
+patches/packages/bind-9.8.4_P2-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a critical defect in BIND 9 that allows an attacker
+ to cause excessive memory consumption in named or other programs linked
+ to libdns.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
+ https://kb.isc.org/article/AA-00871
+ (* Security fix *)
+patches/packages/dhcp-4.2.5_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This update replaces the included BIND 9 code that the DHCP programs
+ link against. Those contained a defect that could possibly lead to
+ excessive memory consumption and a denial of service.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
+ (* Security fix *)
++--------------------------+
+Sat Mar 23 20:22:12 UTC 2013
+patches/packages/php-5.3.23-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes two security issues in SOAP:
+ Added check that soap.wsdl_cache_dir conforms to open_basedir.
+ Disabled external entities loading.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
+ (* Security fix *)
++--------------------------+
+Sat Mar 16 07:10:09 UTC 2013
+patches/packages/libyaml-0.1.4-x86_64-1_slack13.1.txz: Added.
+ This is needed for Psych (YAML wrapper) in the new Ruby package.
+patches/packages/ruby-1.9.3_p392-x86_64-1_slack13.1.txz: Upgraded.
+ This release includes security fixes about bundled JSON and REXML.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821
+ (* Security fix *)
++--------------------------+
+Thu Mar 14 03:55:33 UTC 2013
+patches/packages/perl-5.10.1-x86_64-2_slack13.1.txz: Rebuilt.
+ This update fixes a flaw in the rehashing code that can be exploited
+ to carry out a denial of service attack against code that uses arbitrary
+ user input as hash keys.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
+ (* Security fix *)
++--------------------------+
+Tue Mar 12 06:59:27 UTC 2013
+patches/packages/glibc-zoneinfo-2013b-noarch-1_slack13.1.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Thu Mar 7 00:16:35 UTC 2013
+patches/packages/sudo-1.7.10p7-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes security issues that could allow a user to run commands
+ without authenticating after the password timeout has already expired.
+ Note that the vulnerability did not permit a user to run commands other
+ than those allowed by the sudoers policy.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
+ (* Security fix *)
++--------------------------+
+Sun Mar 3 22:10:56 UTC 2013
+patches/packages/httpd-2.2.24-x86_64-1_slack13.1.txz: Upgraded.
+ This update provides bugfixes and enhancements.
+ Two security issues are fixed:
+ * Various XSS flaws due to unescaped hostnames and URIs HTML output in
+ mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+ [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+ * XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+ Niels Heinen <heinenn google com>]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
+ (* Security fix *)
++--------------------------+
+Fri Feb 15 22:46:52 UTC 2013
+patches/packages/pidgin-2.10.7-x86_64-3_slack13.1.txz: Rebuilt.
+ Fixed linking libirc.so with libsasl2.
+ Added Makefile.in and Makefile to the patch, and applied it after
+ running ./configure. Using autoreconf is not an option since most
+ versions of Slackware aren't using the same libtools versions as the
+ Pidgin developers are. Third times the charm?
+ Thanks to Willy Sudiarto Raharjo.
++--------------------------+
+Fri Feb 15 07:26:45 UTC 2013
+patches/packages/pidgin-2.10.7-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed IRC support. When building with SASL support (new in 2.10.7), the
+ IRC plugin needs to link against libsasl2, otherwise it will fail to load.
++--------------------------+
+Thu Feb 14 05:35:22 UTC 2013
+patches/packages/pidgin-2.10.7-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several security issues:
+ Remote MXit user could specify local file path.
+ MXit buffer overflow reading data from network.
+ Sametime crash with long user IDs.
+ Crash when receiving a UPnP response with abnormally long values.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
+ (* Security fix *)
+patches/packages/sdl-1.2.14-x86_64-3_slack13.1.txz: Rebuilt.
+ Patched mouse clicking bug.
++--------------------------+
+Sat Feb 9 21:45:56 UTC 2013
+patches/packages/openssl-0.9.8y-x86_64-1_slack13.1.txz: Upgraded.
+ Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+ Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
++--------------------------+
+Tue Jan 22 23:40:16 UTC 2013
+patches/packages/mysql-5.1.67-x86_64-1_slack13.1.txz: Upgraded.
+ Upgraded to the latest upstream version to fix security issues and provide
+ other bug fixes and improvements. Note that some of the changes may
+ possibly introduce incompatibilities with the previous package.
+ (* Security fix *)
++--------------------------+
+Wed Jan 16 02:54:52 UTC 2013
+patches/packages/freetype-2.4.11-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes several security bugs that could cause freetype to
+ crash or run programs upon opening a specially crafted file.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5668
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5670
+ (* Security fix *)
++--------------------------+
+Fri Dec 7 01:41:59 UTC 2012
+patches/packages/bind-9.8.4_P1-x86_64-1_slack13.1.txz: Upgraded.
+ IMPORTANT NOTE: This package updates BIND from 9.7.6_P4 to
+ 9.8.4_P1 since the 9.7 series is no longer supported. It is
+ possible that some changes may be required to your local
+ configuration.
+ This release addresses some denial-of-service and other bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868
+ (* Security fix *)
+patches/packages/libxml2-2.7.6-x86_64-3_slack13.1.txz: Rebuilt.
+ Patched a heap-based buffer underflow in the xmlParseAttValueComplex
+ function in parser.c in libxml2 2.9.0 and earlier that could allow a
+ remote attacker to cause a denial of service or possibly execute
+ arbitrary code via crafted entities in an XML document.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134
+ (* Security fix *)
+patches/packages/ruby-1.9.3_p327-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a hash-flooding DoS vulnerability and many other bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5371
+ (* Security fix *)
++--------------------------+
+Thu Oct 11 01:14:57 UTC 2012
+patches/packages/bind-9.7.6_P4-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where a certain combination of records
+ in the RBT could cause named to hang while populating the additional
+ section of a response. [RT #31090]
+ (* Security fix *)
++--------------------------+
+Wed Sep 19 23:52:16 UTC 2012
+patches/packages/patch-2.7-x86_64-2_slack13.1.txz: Upgraded.
+ Applied two upstream git commits to fix bugs which could cause target
+ files to be removed or truncated. Thanks to Qun-Ying.
++--------------------------+
+Fri Sep 14 20:29:40 UTC 2012
+patches/packages/dhcp-4.1_ESV_R7-x86_64-1_slack13.1.txz: Upgraded.
+ An issue with the use of lease times was found and fixed. Making certain
+ changes to the end time of an IPv6 lease could cause the server to abort.
+ Thanks to Glen Eustace of Massey University, New Zealand for finding this
+ issue. [ISC-Bugs #30281]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955
+ (* Security fix *)
+patches/packages/php-5.3.17-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Fri Sep 14 02:16:53 UTC 2012
+patches/packages/bind-9.7.6_P3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a security issue where named could crash on a specially
+ crafted record. [RT #30416]
+ (* Security fix *)
+patches/packages/patch-2.7-x86_64-1_slack13.1.txz: Upgraded.
+ This version of patch ignores destination filenames that are absolute or
+ that contain a component of "..", unless such a filename is provided as
+ an argument.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651
+ (* Security fix *)
++--------------------------+
+Thu Aug 30 23:35:53 UTC 2012
+patches/packages/glibc-2.11.1-x86_64-7_slack13.1.txz: Rebuilt.
+ Patched multiple integer overflows in the strtod, strtof, strtold, and
+ strtod_l functions in stdlib in the GNU C Library allow local users to
+ cause a denial of service (application crash) and possibly execute
+ arbitrary code via a long string, which triggers a stack-based buffer
+ overflow.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-7_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-7_slack13.1.txz: Rebuilt.
+patches/packages/glibc-solibs-2.11.1-x86_64-7_slack13.1.txz: Rebuilt.
+patches/packages/glibc-zoneinfo-2.11.1-noarch-7_slack13.1.txz: Rebuilt.
+patches/packages/slocate-3.1-x86_64-4_slack13.1.txz: Rebuilt.
+ Patched to use lstat64 and -D_LARGEFILE64_SOURCE. Thanks to Mancha+.
+ Patched to fix information leak of filenames in protected directories.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0227
+ (* Security fix *)
++--------------------------+
+Fri Aug 24 20:08:37 UTC 2012
+patches/packages/php-5.3.16-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/dhcp-4.1_ESV_R6-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes memory leaks, denial of service vulnerabilities, and
+ disallows packets with zero length client ids (not valid according to
+ RFC 2132 section 9.14).
+ For more information, see:
+ https://kb.isc.org/article/AA-00736
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4539
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4868
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954
+ (* Security fix *)
++--------------------------+
+Thu Aug 16 04:01:31 UTC 2012
+patches/packages/emacs-23.2-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched to fix a security flaw in the file-local variables code.
+ When the Emacs user option `enable-local-variables' is set to `:safe'
+ (the default value is t), Emacs should automatically refuse to evaluate
+ `eval' forms in file-local variable sections. Due to the bug, Emacs
+ instead automatically evaluates such `eval' forms. Thus, if the user
+ changes the value of `enable-local-variables' to `:safe', visiting a
+ malicious file can cause automatic execution of arbitrary Emacs Lisp
+ code with the permissions of the user. Bug discovered by Paul Ling.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3479
+ (* Security fix *)
+patches/packages/t1lib-5.1.2-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched various overflows, crashes, and pointer bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2642
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1552
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1553
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1554
+ (* Security fix *)
++--------------------------+
+Fri Jul 27 17:15:24 UTC 2012
+patches/packages/bind-9.7.6_P2-x86_64-1_slack13.1.txz: Upgraded.
+ Prevents a named assert (crash) when validating caused by using
+ "Bad cache" data before it has been initialized. [RT #30025]
+ ISC_QUEUE handling for recursive clients was updated to address a
+ race condition that could cause a memory leak. This rarely occurred
+ with UDP clients, but could be a significant problem for a server
+ handling a steady rate of TCP queries. [RT #29539 & #30233]
+ Under heavy incoming TCP query loads named could experience a
+ memory leak which could lead to significant reductions in query
+ response or cause the server to be terminated on systems with
+ "out of memory" killers. [RT #29539]
+ A condition has been corrected where improper handling of zero-length
+ RDATA could cause undesirable behavior, including termination of
+ the named process. [RT #29644]
+ (* Security fix *)
++--------------------------+
+Wed Jul 25 02:02:40 UTC 2012
+patches/packages/libpng-1.4.12-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed incorrect type (int copy should be png_size_t copy) in png_inflate()
+ (fixes CVE-2011-3045).
+ Revised png_set_text_2() to avoid potential memory corruption (fixes
+ CVE-2011-3048).
+ Changed "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386
+ (* Security fix *)
++--------------------------+
+Sun Jul 22 19:45:25 UTC 2012
+patches/packages/php-5.3.15-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed potential overflow in _php_stream_scandir (CVE-2012-2688).
+ (Thanks to Jason Powell, Stas)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688
+ (* Security fix *)
++--------------------------+
+Wed Jul 18 05:35:26 UTC 2012
+patches/packages/libexif-0.6.21-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a number of remotely exploitable issues in libexif
+ with effects ranging from information leakage to potential remote
+ code execution.
+ For more information, see:
+ http://sourceforge.net/mailarchive/message.php?msg_id=29534027
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2812
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2813
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2814
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2836
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2837
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2840
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2841
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2845
+ (* Security fix *)
++--------------------------+
+Fri Jul 13 23:14:15 UTC 2012
+patches/packages/php-5.3.14-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a weakness in the DES implementation of crypt
+ and a heap overflow issue in the phar extension.
+ (* Security fix *)
+patches/packages/pidgin-2.10.6-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes a security issue for users of MXit: Incorrect handing of inline
+ images in incoming instant messages can cause a buffer overflow and in
+ some cases can be exploited to execute arbitrary code.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
+ (* Security fix *)
++--------------------------+
+Mon Jun 25 02:32:37 UTC 2012
+patches/packages/freetype-2.4.10-x86_64-1_slack13.1.txz: Upgraded.
+ Since freetype-2.4.8 many fixes were made to better handle invalid fonts.
+ Many of them are vulnerabilities (see CVE-2012-1126 up to CVE-2012-1144
+ and SA48320) so all users should upgrade.
+ (* Security fix *)
++--------------------------+
+Thu Jun 14 05:02:39 UTC 2012
+patches/packages/bind-9.7.6_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes an issue that could crash BIND, leading to a denial of
+ service. It also fixes the so-called "ghost names attack" whereby a
+ remote attacker may trigger continued resolvability of revoked domain names.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667
+ IMPORTANT NOTE: This is a upgraded version of BIND, _not_ a patched one.
+ It is likely to be more strict about the correctness of configuration files.
+ Care should be taken about deploying this upgrade on production servers to
+ avoid an unintended interruption of service.
+ (* Security fix *)
++--------------------------+
+Wed May 23 00:14:52 UTC 2012
+patches/packages/libxml2-2.7.6-x86_64-2_slack13.1.txz: Upgraded.
+ Patched an off-by-one error in XPointer that could lead to a crash or
+ possibly the execution of arbitrary code.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102
+ (* Security fix *)
++--------------------------+
+Sat May 19 19:03:37 UTC 2012
+patches/packages/openssl-0.9.8x-x86_64-1_slack13.1.txz: Upgraded.
+ This is a very minor security fix:
+ o Fix DTLS record length checking bug CVE-2012-2333
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8x-x86_64-1_slack13.1.txz: Upgraded.
+ This is a very minor security fix:
+ o Fix DTLS record length checking bug CVE-2012-2333
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333
+ (* Security fix *)
++--------------------------+
+Wed May 9 20:16:40 UTC 2012
+patches/packages/wicd-1.7.2.4-x86_64-2_slack13.1.txz: Rebuilt.
+ Fixed an input sanitization bug that breaks accepting a passphrase for a new
+ password protected access point. Patch from upstream.
+ Thanks to Willy Sudiarto Raharjo for the notice.
++--------------------------+
+Tue May 8 21:21:10 UTC 2012
+patches/packages/php-5.3.13-x86_64-1_slack13.1.txz: Upgraded.
+ This release completes a fix for a vulnerability in CGI-based setups.
+ Note: mod_php and php-fpm are not vulnerable to this attack.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311
+ (* Security fix *)
++--------------------------+
+Mon May 7 18:54:03 UTC 2012
+patches/packages/pidgin-2.10.4-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed possible MSN remote crash.
+ Fixed XMPP remote crash.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214
+ (* Security fix *)
++--------------------------+
+Mon Apr 30 22:24:10 UTC 2012
+patches/packages/wicd-1.7.2.4-x86_64-1_slack13.1.txz: Upgraded.
+ Correct the fix for CVE-2012-2095 (and fix other new bugs).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2095
+ (* Security fix *)
++--------------------------+
+Fri Apr 27 01:07:23 UTC 2012
+patches/packages/openssl-0.9.8w-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes some potentially exploitable buffer overflows.
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8w-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes some potentially exploitable buffer overflows.
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
+ (* Security fix *)
++--------------------------+
+Mon Apr 23 18:18:31 UTC 2012
+patches/packages/openssl-0.9.8v-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes some potentially exploitable buffer overflows.
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8v-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes some potentially exploitable buffer overflows.
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110
+ (* Security fix *)
+extra/wicd/wicd-1.7.2.1-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a local privilege escalation that allows a user to set arbitrary
+ pre/post-connection scripts through D-Bus which are then executed as the
+ wicd user (generally root).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2095
+ Thanks to dapal for the workaround allowing us to skip the pybabel
+ requirement (for now), and to Robby Workman for the script update.
+ (* Security fix *)
++--------------------------+
+Wed Apr 11 17:16:32 UTC 2012
+patches/packages/pidgin-2.10.3-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes several remotely triggerable crash bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3185
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3594
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4601
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4602
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4603
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178
+ (* Security fix *)
+patches/packages/samba-3.5.14-x86_64-1_slack13.1.txz: Upgraded.
+ This is a security release in order to address a vulnerability that allows
+ remote code execution as the "root" user. All sites running a Samba
+ server should update to the new Samba package and restart Samba.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
+ (* Security fix *)
++--------------------------+
+Sat Apr 7 21:48:42 UTC 2012
+patches/packages/libtiff-3.9.6-x86_64-1_slack13.1.txz: Upgraded.
+ Patched overflows that could lead to arbitrary code execution when parsing
+ a malformed image file.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173
+ (* Security fix *)
++--------------------------+
+Wed Mar 14 22:27:52 UTC 2012
+patches/packages/mozilla-firefox-3.6.28-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.1.20-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ (* Security fix *)
++--------------------------+
+Wed Feb 22 18:14:58 UTC 2012
+patches/packages/libpng-1.4.9-x86_64-1_slack13.1.txz: Upgraded.
+ All branches of libpng prior to versions 1.5.9, 1.4.9, 1.2.47, and 1.0.57,
+ respectively, fail to correctly validate a heap allocation in
+ png_decompress_chunk(), which can lead to a buffer-overrun and the
+ possibility of execution of hostile code on 32-bit systems.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
+ (* Security fix *)
+patches/packages/mozilla-firefox-3.6.27-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.1.19-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
+ (* Security fix *)
++--------------------------+
+Wed Feb 8 01:21:42 UTC 2012
+patches/packages/apr-util-1.4.1-x86_64-1_slack13.1.txz: Upgraded.
+ Version bump for httpd upgrade.
+patches/packages/glibc-2.11.1-x86_64-6_slack13.1.txz: Rebuilt.
+ Patched an overflow in tzfile. This was evidently first reported in
+ 2009, but is only now getting around to being patched. To exploit it,
+ one must be able to write beneath /usr/share/zoneinfo, which is usually
+ not possible for a normal user, but may be in the case where they are
+ chroot()ed to a directory that they own.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-6_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-6_slack13.1.txz: Rebuilt.
+ (* Security fix *)
+patches/packages/glibc-solibs-2.11.1-x86_64-6_slack13.1.txz: Rebuilt.
+ (* Security fix *)
+patches/packages/glibc-zoneinfo-2.11.1-noarch-6_slack13.1.txz: Rebuilt.
+patches/packages/httpd-2.2.22-x86_64-1_slack13.1.txz: Upgraded.
+ *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+ Reject requests where the request-URI does not match the HTTP
+ specification, preventing unexpected expansion of target URLs in
+ some reverse proxy configurations. [Joe Orton]
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+ is enabled, could allow local users to gain privileges via a .htaccess
+ file. [Stefan Fritsch, Greg Ames]
+ *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+ [Joe Orton]
+ *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+ mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+ string is in use and a client sends a nameless, valueless cookie, causing
+ a denial of service. The issue existed since version 2.2.17. PR 52256.
+ [Rainer Canavan <rainer-apache 7val com>]
+ *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+ Fix scoreboard issue which could allow an unprivileged child process
+ could cause the parent to crash at shutdown rather than terminate
+ cleanly. [Joe Orton]
+ *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+ Fix an issue in error responses that could expose "httpOnly" cookies
+ when no custom ErrorDocument is specified for status code 400.
+ [Eric Covener]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
+ (* Security fix *)
+patches/packages/php-5.3.10-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed arbitrary remote code execution vulnerability reported by Stefan
+ Esser, CVE-2012-0830. (Stas, Dmitry)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
+ (* Security fix *)
+patches/packages/proftpd-1.3.4a-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes a use-after-free() memory corruption error,
+ and possibly other unspecified issues.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
+ (* Security fix *)
+patches/packages/vsftpd-2.3.5-x86_64-1_slack13.1.txz: Upgraded.
+ Minor version bump, this also works around a hard to trigger heap overflow
+ in glibc (glibc zoneinfo caching vuln). For there to be any possibility
+ to trigger the glibc bug within vsftpd, the non-default option
+ "chroot_local_user" must be set in /etc/vsftpd.conf.
+ Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-)
+ Nevertheless:
+ (* Security fix *)
++--------------------------+
+Thu Feb 2 00:13:21 UTC 2012
+patches/packages/coreutils-8.15-x86_64-1_slack13.1.txz: Upgraded.
+ This will be provided as a patch to fix some important issues with ext4.
+ Thanks to Georgy Salnikov for the notification.
+patches/packages/freetype-2.4.8-x86_64-1_slack13.1.txz: Upgraded.
+ Some vulnerabilities in handling CID-keyed PostScript fonts have
+ been fixed.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3439
+ (* Security fix *)
+patches/packages/mozilla-firefox-3.6.26-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.1.18-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
+ (* Security fix *)
+patches/packages/openssl-0.9.8t-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a bug where DTLS applications were not properly supported. This
+ bug could have allowed remote attackers to cause a denial of service via
+ unspecified vectors.
+ CVE-2012-0050 has been assigned to this issue.
+ For more details see:
+ http://openssl.org/news/secadv_20120118.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8t-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a bug where DTLS applications were not properly supported. This
+ bug could have allowed remote attackers to cause a denial of service via
+ unspecified vectors.
+ CVE-2012-0050 has been assigned to this issue.
+ For more details see:
+ http://openssl.org/news/secadv_20120118.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050
+ (* Security fix *)
++--------------------------+
+Sun Nov 27 03:37:52 UTC 2011
+patches/packages/mozilla-thunderbird-3.1.16-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
+ (* Security fix *)
+patches/packages/mozilla-firefox-3.6.24-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/yasm-1.2.0-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Thu Nov 17 02:09:25 UTC 2011
+patches/packages/bind-9.4_ESV_R5_P1-x86_64-1_slack13.1.txz: Upgraded.
+ --- 9.4-ESV-R5-P1 released ---
+3218. [security] Cache lookup could return RRSIG data associated with
+ nonexistent records, leading to an assertion
+ failure. [RT #26590]
+ (* Security fix *)
++--------------------------+
+Fri Nov 11 18:58:21 UTC 2011
+ Good 11-11-11, everyone! Enjoy some fresh time. :)
+patches/packages/glibc-zoneinfo-2011i_2011n-noarch-1.txz: Upgraded.
+ New upstream homepage: http://www.iana.org/time-zones
++--------------------------+
+Tue Oct 11 07:50:04 UTC 2011
+patches/packages/httpd-2.2.21-x86_64-1_slack13.1.txz: Upgraded.
+ Respond with HTTP_NOT_IMPLEMENTED when the method is not
+ recognized. [Jean-Frederic Clere] SECURITY: CVE-2011-3348
+ Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
+ PR 51748. [<lowprio20 gmail.com>]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348
+ (* Security fix *)
++--------------------------+
+Tue Sep 6 00:15:03 UTC 2011
+patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz: Upgraded.
+ SECURITY: CVE-2011-3192 (cve.mitre.org)
+ core: Fix handling of byte-range requests to use less memory, to avoid
+ denial of service. If the sum of all ranges in a request is larger than
+ the original file, ignore the ranges and send the complete file.
+ PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
+ (* Security fix *)
+patches/packages/mozilla-firefox-3.6.22-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ http://www.mozilla.org/security/known-vulnerabilities/firefox.html
+ http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.1.13-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
+ http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
+ (* Security fix *)
++--------------------------+
+Thu Aug 25 09:10:45 UTC 2011
+patches/packages/php-5.3.8-x86_64-1_slack13.1.txz: Upgraded.
+ Security fixes vs. 5.3.6 (5.3.7 was not usable):
+ Updated crypt_blowfish to 1.2. (CVE-2011-2483)
+ Fixed crash in error_log(). Reported by Mateusz Kocielski
+ Fixed buffer overflow on overlog salt in crypt().
+ Fixed bug #54939 (File path injection vulnerability in RFC1867
+ File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
+ Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
+ Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483
+ For those upgrading from PHP 5.2.x, be aware that quite a bit has
+ changed, and it will very likely not 'drop in', but PHP 5.2.x is not
+ supported by php.net any longer, so there wasn't a lot of choice
+ in the matter. We're not able to support a security fork of
+ PHP 5.2.x here either, so you'll have to just bite the bullet on
+ this. You'll be better off in the long run. :)
+ (* Security fix *)
++--------------------------+
+Fri Aug 12 23:20:00 UTC 2011
+patches/packages/bind-9.4_ESV_R5-x86_64-1_slack13.1.txz: Upgraded.
+ This BIND update addresses a couple of security issues:
+ * named, set up to be a caching resolver, is vulnerable to a user
+ querying a domain with very large resource record sets (RRSets)
+ when trying to negatively cache the response. Due to an off-by-one
+ error, caching the response could cause named to crash. [RT #24650]
+ [CVE-2011-1910]
+ * Change #2912 (see CHANGES) exposed a latent bug in the DNS message
+ processing code that could allow certain UPDATE requests to crash
+ named. [RT #24777] [CVE-2011-2464]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
+ (* Security fix *)
++--------------------------+
+Fri Jul 29 18:22:40 UTC 2011
+patches/packages/dhcpcd-5.2.12-x86_64-1_slack13.1.txz: Upgraded.
+ Sanitize the host name provided by the DHCP server to insure that it does
+ not contain any shell metacharacters.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0996
+ (* Security fix *)
+patches/packages/libpng-1.4.8-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed uninitialized memory read in png_format_buffer()
+ (Bug report by Frank Busse, related to CVE-2004-0421).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421
+ (* Security fix *)
+patches/packages/samba-3.5.10-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed cross-site request forgery and cross-site scripting vulnerability
+ in SWAT (the Samba Web Administration Tool).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
+ (* Security fix *)
++--------------------------+
+Thu Jul 14 21:34:41 UTC 2011
+patches/packages/mozilla-firefox-3.6.19-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
++--------------------------+
+Fri Jul 8 16:55:13 UTC 2011
+patches/packages/mozilla-thunderbird-3.1.11-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
++--------------------------+
+Mon Jun 27 21:29:54 UTC 2011
+patches/packages/pidgin-2.9.0-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a remote denial of service. A remote attacker could set a specially
+ crafted GIF file as their buddy icon causing vulerable versions of pidgin
+ to crash due to excessive memory use.
+ For more information, see:
+ http://pidgin.im/news/security/?id=52
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
+ (* Security fix *)
++--------------------------+
+Fri Jun 24 02:55:39 UTC 2011
+patches/packages/mozilla-firefox-3.6.18-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
++--------------------------+
+Mon Jun 20 00:49:34 UTC 2011
+patches/packages/fetchmail-6.3.20-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a denial of service in STARTTLS protocol phases.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947
+ http://www.fetchmail.info/fetchmail-SA-2011-01.txt
+ (* Security fix *)
++--------------------------+
+Fri May 27 22:56:00 UTC 2011
+patches/packages/bind-9.4_ESV_R4_P1-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes security issues:
+ * A large RRSET from a remote authoritative server that results in
+ the recursive resolver trying to negatively cache the response can
+ hit an off by one code error in named, resulting in named crashing.
+ [RT #24650] [CVE-2011-1910]
+ * Zones that have a DS record in the parent zone but are also listed
+ in a DLV and won't validate without DLV could fail to validate. [RT
+ #24631]
+ For more information, see:
+ http://www.isc.org/software/bind/advisories/cve-2011-1910
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
+ (* Security fix *)
++--------------------------+
+Wed May 25 20:03:16 UTC 2011
+patches/packages/apr-1.4.5-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a possible denial of service due to a problem with a loop in
+ the new apr_fnmatch() implementation consuming CPU.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928
+ (* Security fix *)
+patches/packages/apr-util-1.3.12-x86_64-1_slack13.1.txz: Upgraded.
+ Fix crash because of NULL cleanup registered by apr_ldap_rebind_init().
+patches/packages/httpd-2.2.19-x86_64-1_slack13.1.txz: Upgraded.
+ Revert ABI breakage in 2.2.18 caused by the function signature change
+ of ap_unescape_url_keep2f(). This release restores the signature from
+ 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
+ Apache httpd-2.2.18 is considered abandoned. All users must upgrade.
++--------------------------+
+Fri May 13 20:30:07 UTC 2011
+patches/packages/apr-1.4.4-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a possible denial of service due to an unconstrained, recursive
+ invocation of apr_fnmatch(). This function has been reimplemented using a
+ non-recursive algorithm. Thanks to William Rowe.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
+ (* Security fix *)
+patches/packages/apr-util-1.3.11-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/httpd-2.2.18-x86_64-1_slack13.1.txz: Upgraded.
+ This is a bug fix release, but since the upgrades to apr/apr-util require at
+ least an httpd recompile we opted to upgrade to the newest httpd.
++--------------------------+
+Mon May 2 20:20:50 UTC 2011
+patches/packages/mozilla-firefox-3.6.17-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.1.10-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ As Thunderbird 3.0.x will not have further releases, all the platforms for
+ which we still support Thunderbird are encouraged to upgrade to this
+ Thunderbird 3.1.10 package.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
+patches/packages/seamonkey-2.0.14-x86_64-1_slack13.1.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.14-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
++--------------------------+
+Thu Apr 21 03:13:14 UTC 2011
+patches/packages/rdesktop-1.6.0-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched a traversal vulnerability (disallow /.. requests).
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1595
+ (* Security fix *)
++--------------------------+
+Wed Apr 20 04:26:15 UTC 2011
+patches/packages/polkit-1_14bdfd8-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched to fix a race condition that could allow a local user to execute
+ arbitrary code as root. Thanks to Neel Mehta of Google.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1485
+ (* Security fix *)
++--------------------------+
+Mon Apr 18 19:59:50 UTC 2011
+patches/packages/acl-2.2.50-x86_64-1_slack13.1.txz: Upgraded.
+ Fix the --physical option in setfacl and getfacl to prevent symlink attacks.
+ Thanks to Martijn Dekker for the notification.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
+ (* Security fix *)
++--------------------------+
+Mon Apr 11 19:09:47 UTC 2011
+patches/packages/kdelibs-4.4.3-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched CVE-2011-1168.
+ For more information, see:
+ http://www.kde.org/info/security/advisory-20110411-1.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1168
+ (* Security fix *)
++--------------------------+
+Mon Apr 11 06:26:26 UTC 2011
+patches/packages/shadow-4.1.4.3-x86_64-2_slack13.1.txz: Rebuilt.
+ Corrected a packaging error where incorrect permissions on /usr/sbin/lastlog
+ and /usr/sbin/faillog allow any user to set login failure limits on any
+ other user (including root), potentially leading to a denial of service.
+ Thanks to pyllyukko for discovering and reporting this vulnerability.
+ (* Security fix *)
++--------------------------+
+Fri Apr 8 06:58:48 UTC 2011
+patches/packages/libtiff-3.9.4-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched overflows that could lead to arbitrary code execution when parsing
+ a malformed image file.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0192
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
+ (* Security fix *)
++--------------------------+
+Thu Apr 7 04:07:29 UTC 2011
+patches/packages/dhcp-4.1_ESV_R2-x86_64-1_slack13.1.txz: Upgraded.
+ In dhclient, check the data for some string options for reasonableness
+ before passing it along to the script that interfaces with the OS.
+ This prevents some possible attacks by a hostile DHCP server.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997
+ (* Security fix *)
++--------------------------+
+Wed Apr 6 06:32:00 UTC 2011
+patches/packages/xrdb-1.0.9-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a security issue where improperly sanitized input could lead to
+ privilege escalation or arbitrary command execution as root.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0465
+ (* Security fix *)
++--------------------------+
+Tue Apr 5 05:10:33 UTC 2011
+patches/packages/proftpd-1.3.3e-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes CVE-2011-1137 (badly formed SSH messages cause DoS).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1137
+ (* Security fix *)
++--------------------------+
+Sun Mar 27 09:24:29 UTC 2011
+patches/packages/mozilla-firefox-3.6.16-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a security vulnerability by blacklisting several
+ invalid HTTPS certificates.
+ For more information, see:
+ http://www.mozilla.org/security/announce/2011/mfsa2011-11.html
+ (* Security fix *)
+patches/packages/seamonkey-2.0.13-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes a security vulnerability by blacklisting several
+ invalid HTTPS certificates.
+ For more information, see:
+ http://www.mozilla.org/security/announce/2011/mfsa2011-11.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.13-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/shadow-4.1.4.3-x86_64-1_slack13.1.txz: Rebuilt.
+ This release fixes a security issue where local users may be able to add
+ themselves to NIS groups through chfn and chsh.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0721
+ (* Security fix *)
+ Thanks to Gary Langshaw for collecting important additional patches from svn.
++--------------------------+
+Fri Mar 11 20:10:16 UTC 2011
+patches/packages/pidgin-2.7.11-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed denials of service caused by NULL pointer dereferences due to
+ improper handling of malformed YMSG packets.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1091
+ (* Security fix *)
++--------------------------+
+Fri Mar 11 06:34:03 UTC 2011
+patches/packages/subversion-1.6.16-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a remotely triggerable NULL-pointer dereference in mod_dav_svn.
+ For more information, see:
+ http://subversion.apache.org/security/CVE-2011-0715-advisory.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0715
+ (* Security fix *)
++--------------------------+
+Wed Mar 9 05:52:06 UTC 2011
+patches/packages/mozilla-firefox-3.6.15-x86_64-1_slack13.1.txz: Upgraded.
+ Firefox 3.6.15 is a security and stability update to Firefox 3.6.x.
+ (* Security fix *)
+patches/packages/seamonkey-2.0.12-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.12-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
+patches/packages/samba-3.5.8-x86_64-1_slack13.1.txz: Upgraded.
+ Samba 3.5.8 is a bugfix release addressing problems in Samba 3.5.7.
++--------------------------+
+Wed Mar 2 03:13:56 UTC 2011
+patches/packages/mozilla-firefox-3.6.14-x86_64-1_slack13.1.txz: Upgraded.
+ Firefox 3.6.14 is a regular security and stability update to Firefox 3.6.x.
+ (* Security fix *)
++--------------------------+
+Mon Feb 28 22:19:08 UTC 2011
+patches/packages/samba-3.5.7-x86_64-1_slack13.1.txz: Upgraded.
+ Fix memory corruption denial of service issue.
+ For more information, see:
+ http://www.samba.org/samba/security/CVE-2011-0719
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719
+ (* Security fix *)
++--------------------------+
+Fri Feb 25 01:10:49 UTC 2011
+patches/packages/pidgin-2.7.10-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed potential information disclosure issue in libpurple.
+ (* Security fix *)
++--------------------------+
+Thu Feb 10 21:19:38 UTC 2011
+patches/packages/apr-1.3.12-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/apr-util-1.3.10-x86_64-1_slack13.1.txz: Upgraded.
+ Fixes a memory leak and DoS in apr_brigade_split_line().
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
+ (* Security fix *)
+patches/packages/expat-2.0.1-x86_64-2_slack13.1.txz: Upgraded.
+ Fixed various crash and hang bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
+ (* Security fix *)
+patches/packages/httpd-2.2.17-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some denial of service bugs in the bundled libraries.
+ On Slackware we do not use the bundled expat or apr-util, so the
+ issues are also fixed in those external libraries.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
+ (* Security fix *)
+patches/packages/openssl-0.9.8r-x86_64-1_slack13.1.txz: Upgraded.
+ This OpenSSL update fixes an "OCSP stapling vulnerability".
+ For more information, see the included CHANGES and NEWS files, and:
+ http://www.openssl.org/news/secadv_20110208.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
+ (* Security fix *)
+ Patched certwatch to work with recent versions of "file".
+ Thanks to Ulrich Schäfer and Jan Rafaj.
+patches/packages/openssl-solibs-0.9.8r-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
+patches/packages/sudo-1.7.4p6-x86_64-1_slack13.1.txz: Upgraded.
+ Fix Runas group password checking.
+ For more information, see the included CHANGES and NEWS files, and:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0010
+ (* Security fix *)
++--------------------------+
+Mon Jan 10 20:03:00 UTC 2011
+patches/packages/php-5.2.17-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an infinite loop with conversions from string to
+ double that may result in a denial of service.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4645
+ (* Security fix *)
++--------------------------+
+Mon Dec 27 18:47:35 UTC 2010
+patches/packages/pidgin-2.7.9-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed denial-of-service flaw in the MSN protocol.
+ (* Security fix *)
++--------------------------+
+Fri Dec 24 00:53:19 UTC 2010
+patches/packages/php-5.2.16-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes many bugs, including some security issues.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4150
+ (* Security fix *)
+patches/packages/proftpd-1.3.3d-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an unbounded copy operation in sql_prepare_where() that
+ could be exploited to execute arbitrary code. However, this only affects
+ servers that use the sql_mod module (which Slackware does not ship), and
+ in addition the ability to exploit this depends on an SQL injection bug
+ that was already fixed in proftpd-1.3.2rc2 (this according to upstream).
+ So in theory, this fix should only be of academic interest.
+ But in practice, better safe than sorry.
+ (* Security fix *)
++--------------------------+
+Thu Dec 16 18:57:05 UTC 2010
+patches/packages/bind-9.4_ESV_R4-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes some security issues.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3615
+ (* Security fix *)
+patches/packages/cups-1.4.5-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched a locking bug that could cause print dialog crashes in Firefox
+ if gnome-vfs is installed.
++--------------------------+
+Sat Dec 11 01:49:31 UTC 2010
+patches/packages/seamonkey-2.0.11-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.11-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
++--------------------------+
+Fri Dec 10 03:57:27 UTC 2010
+patches/packages/mozilla-firefox-3.6.13-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.0.11-x86_64-1_slack13.1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
++--------------------------+
+Tue Dec 7 05:01:53 UTC 2010
+patches/packages/openssl-0.9.8q-x86_64-1_slack13.1.txz: Upgraded.
+ This OpenSSL update contains some security related bugfixes.
+ For more information, see the included CHANGES and NEWS files, and:
+ http://www.openssl.org/news/secadv_20101202.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8q-x86_64-1_slack13.1.txz: Upgraded.
+ (* Security fix *)
++--------------------------+
+Tue Nov 30 23:12:00 UTC 2010
+patches/packages/pidgin-2.7.7-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes connection issues for AIM and MSN.
++--------------------------+
+Mon Nov 29 22:00:24 UTC 2010
+patches/packages/cups-1.4.5-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed memory corruption bugs that could lead to a denial of service
+ or possibly execution of arbitrary code through a crafted IPP request.
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2941
+ (* Security fix *)
++--------------------------+
+Mon Nov 22 04:11:40 UTC 2010
+patches/packages/openssl-0.9.8p-x86_64-1_slack13.1.txz: Rebuilt.
+ This OpenSSL update contains some security related bugfixes.
+ For more information, see the included CHANGES and NEWS files, and:
+ http://www.openssl.org/news/secadv_20101116.txt
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
+ (* Security fix *)
+patches/packages/openssl-solibs-0.9.8p-x86_64-1_slack13.1.txz: Rebuilt.
+ (* Security fix *)
++--------------------------+
+Sat Nov 20 21:20:27 UTC 2010
+patches/packages/xpdf-3.02pl5-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes security issues that could lead to an
+ application crash, or execution of arbitrary code.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704
+ (* Security fix *)
+patches/packages/poppler-0.12.4-x86_64-2_slack13.1.txz: Rebuilt.
+ This updated package includes patches based on xpdf 3.02pl5.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704
+ (* Security fix *)
++--------------------------+
+Sun Nov 14 01:03:51 UTC 2010
+patches/packages/mozilla-thunderbird-3.0.10-x86_64-1_slack13.1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
++--------------------------+
+Mon Nov 1 23:21:39 UTC 2010
+patches/packages/pidgin-2.7.5-x86_64-1_slack13.1.txz: Upgraded.
+ This update addresses some denial of service bugs.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3711
+ (* Security fix *)
+patches/packages/proftpd-1.3.3c-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925), which can
+ allow remote execution of arbitrary code as the user running the
+ ProFTPD daemon. Thanks to TippingPoint and the Zero Day Initiative (ZDI).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3867
+ (* Security fix *)
++--------------------------+
+Sun Oct 31 20:25:05 UTC 2010
+patches/packages/seamonkey-2.0.10-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.10-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Thu Oct 28 22:13:53 UTC 2010
+patches/packages/glibc-2.11.1-x86_64-5_slack13.1.txz: Rebuilt.
+ Patched "The GNU C library dynamic linker will dlopen arbitrary DSOs
+ during setuid loads." This security issue allows a local attacker to
+ gain root by specifying an unsafe DSO in the library search path to be
+ used with a setuid binary in LD_AUDIT mode.
+ Bug found by Tavis Ormandy (with thanks to Ben Hawkes and Julien Tinnes).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
+ http://seclists.org/fulldisclosure/2010/Oct/344
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-5_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-5_slack13.1.txz: Rebuilt.
+patches/packages/glibc-solibs-2.11.1-x86_64-5_slack13.1.txz: Upgraded.
+ (* Security fix *)
+patches/packages/glibc-zoneinfo-2.11.1-noarch-5_slack13.1.txz: Upgraded.
+ Rebuilt to tzcode2010n and tzdata2010n.
+patches/packages/mozilla-firefox-3.6.12-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
++--------------------------+
+Tue Oct 26 17:02:19 UTC 2010
+patches/packages/seamonkey-2.0.9-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.9-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Wed Oct 20 21:54:05 UTC 2010
+patches/packages/glibc-2.11.1-x86_64-4_slack13.1.txz: Rebuilt.
+ Patched "dynamic linker expands $ORIGIN in setuid library search path".
+ This security issue allows a local attacker to gain root if they can create
+ a hard link to a setuid root binary. Thanks to Tavis Ormandy.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
+ http://seclists.org/fulldisclosure/2010/Oct/257
+ (* Security fix *)
+patches/packages/glibc-i18n-2.11.1-x86_64-4_slack13.1.txz: Rebuilt.
+patches/packages/glibc-profile-2.11.1-x86_64-4_slack13.1.txz: Rebuilt.
+patches/packages/glibc-solibs-2.11.1-x86_64-4_slack13.1.txz: Rebuilt.
+patches/packages/glibc-zoneinfo-2.11.1-noarch-4_slack13.1.txz: Rebuilt.
+patches/packages/mozilla-thunderbird-3.0.9-x86_64-1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
+patches/packages/mozilla-firefox-3.6.11-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
++--------------------------+
+Wed Sep 22 03:03:58 UTC 2010
+patches/packages/linux-2.6.33.4-2/kernel-firmware-2.6.33.4-noarch-2.txz: Rebuilt.
+patches/packages/linux-2.6.33.4-2/kernel-generic-2.6.33.4-x86_64-2.txz: Rebuilt.
+ This kernel has been patched to fix security problems on x86_64:
+ 64-bit Compatibility Mode Stack Pointer Underflow (CVE-2010-3081).
+ IA32 System Call Entry Point Vulnerability (CVE-2010-3301).
+ These vulnerabilities allow local users to gain root privileges.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301
+ (* Security fix *)
+patches/packages/linux-2.6.33.4-2/kernel-headers-2.6.33.4-x86-2.txz: Rebuilt.
+patches/packages/linux-2.6.33.4-2/kernel-huge-2.6.33.4-x86_64-2.txz: Rebuilt.
+ Patched for CVE-2010-3081 and CVE-2010-3301.
+ (* Security fix *)
+patches/packages/linux-2.6.33.4-2/kernel-modules-2.6.33.4-x86_64-2.txz: Rebuilt.
+patches/packages/linux-2.6.33.4-2/kernel-source-2.6.33.4-noarch-2.txz: Rebuilt.
+ Patched for CVE-2010-3081 and CVE-2010-3301.
+ (* Security fix *)
+patches/packages/linux-2.6.33.4-2/kernels/*: Rebuilt.
+ Patched for CVE-2010-3081 and CVE-2010-3301.
+ (* Security fix *)
++--------------------------+
+Mon Sep 20 18:39:57 UTC 2010
+patches/packages/bzip2-1.0.6-x86_64-1_slack13.1.txz: Upgraded.
+ This update fixes an integer overflow that could allow a specially
+ crafted bzip2 archive to cause a crash (denial of service), or execute
+ arbitrary code.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405
+ (* Security fix *)
++--------------------------+
+Fri Sep 17 23:34:42 UTC 2010
+patches/packages/mozilla-firefox-3.6.10-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/mozilla-thunderbird-3.0.8-x86_64-1.txz: Upgraded.
+patches/packages/seamonkey-2.0.8-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/seamonkey-solibs-2.0.8-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Wed Sep 15 18:51:21 UTC 2010
+patches/packages/sudo-1.7.4p4-x86_64-3_slack13.1.txz: Rebuilt.
+ Hi folks, since the patches for old systems (8.1 - 10.2) were briefly
+ available containing a /var/lib with incorrect permissions, I'm issuing
+ these again just to be 100% sure that no systems out there will be left
+ with problems due to that. This should do it (third time's the charm).
++--------------------------+
+Wed Sep 15 05:58:55 UTC 2010
+patches/packages/sudo-1.7.4p4-x86_64-2_slack13.1.txz: Rebuilt.
+ The last sudo packages accidentally changed the permissions on /var from
+ 755 to 700. This build restores the proper permissions.
+ Thanks to Petri Kaukasoina for pointing this out.
++--------------------------+
+Wed Sep 15 00:41:13 UTC 2010
+patches/packages/samba-3.5.5-x86_64-1_slack13.1.txz: Upgraded.
+ This upgrade fixes a buffer overflow in the sid_parse() function.
+ For more information, see:
+ http://www.samba.org/samba/security/CVE-2010-3069
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3069
+ (* Security fix *)
+patches/packages/sudo-1.7.4p4-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a flaw that could lead to privilege escalation.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2956
+ (* Security fix *)
++--------------------------+
+Fri Sep 10 04:07:41 UTC 2010
+patches/packages/mozilla-firefox-3.6.9-x86_64-1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.0.7-x86_64-1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html
+ (* Security fix *)
+patches/packages/seamonkey-2.0.7-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.7-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
+Fri Aug 27 00:23:17 UTC 2010
+patches/packages/gnupg2-2.0.14-x86_64-3_slack13.1.txz: Rebuilt.
+ Patched to fix "Realloc Bug with X.509 certificates in GnuPG".
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2547
+ (* Security fix *)
+patches/packages/httpd-2.2.16-x86_64-1_slack13.1.txz: Upgraded.
+ Fix Handling of requests without a path segment.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
+ (* Security fix *)
+patches/packages/kdegraphics-4.4.3-x86_64-3_slack13.1.txz: Rebuilt.
+ Patched "Okular PDB Processing Memory Corruption Vulnerability"
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2575
+ http://www.kde.org/info/security/advisory-20100825-1.txt
+ (* Security fix *)
+patches/packages/php-5.2.14-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed several security issues.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1917
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2225
+ http://www.php-security.org/2010/05/31/mops-2010-060-php-session-serializer-session-data-injection-vulnerability/index.html
+ http://www.php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-free-vulnerability/index.html
+ (* Security fix *)
+patches/packages/pidgin-2.7.3-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a crash due to malformed X-Status messages.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2528
+ (* Security fix *)
+patches/packages/xorg-server-1.7.7-x86_64-2_slack13.1.txz: Rebuilt.
+ Patched to prevent overwriting stack memory and bypassing security mechanisms
+ on systems that use a 2.6 Linux kernel. Reported by Rafal Wojtczuk.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.7.7-x86_64-2_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.7.7-x86_64-2_slack13.1.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.7.7-x86_64-2_slack13.1.txz: Rebuilt.
++--------------------------+
+Sat Jul 24 03:02:29 UTC 2010
+patches/packages/mozilla-firefox-3.6.8-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes a regression in Firefox 3.6.7.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
++--------------------------+
+Wed Jul 21 21:37:53 UTC 2010
+patches/packages/mozilla-firefox-3.6.7-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.0.6-x86_64-1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.6-x86_64-1_slack13.1.txz: Upgraded.
+patches/packages/seamonkey-2.0.6-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
++--------------------------+
+Wed Jun 30 04:51:49 UTC 2010
+patches/packages/libtiff-3.9.4-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes image structure handling bugs that could lead to crashes or
+ execution of arbitrary code if a specially-crafted TIFF image is loaded.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
+ (* Security fix *)
+patches/packages/libpng-1.4.3-x86_64-1_slack13.1.txz: Upgraded.
+ Upgraded to libpng-1.2.44 and libpng-1.4.3.
+ This fixes out-of-bounds memory write bugs that could lead to crashes
+ or the execution of arbitrary code, and a memory leak bug which could
+ lead to application crashes.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249
+ (* Security fix *)
++--------------------------+
+Mon Jun 28 18:56:29 UTC 2010
+patches/packages/k3b-2.0.0-x86_64-1_slack13.1.txz: Upgraded.
+ It's not too late to get the stable k3b release into Slackware 13.1, right?
++--------------------------+
+Sun Jun 27 17:25:18 UTC 2010
+patches/packages/mozilla-firefox-3.6.6-x86_64-1_slack13.1.txz: Upgraded.
+ This changes the crash protection feature to increase the timeout
+ before a plugin is considered non-responsive.
++--------------------------+
+Sun Jun 27 03:43:13 UTC 2010
+patches/packages/ghostscript-8.71-x86_64-3_slack13.1.txz: Rebuilt.
+ Merged an upstream patch from Till Kamppeter to fix printing black pages
+ with CUPS and certain printers.
++--------------------------+
+Fri Jun 25 17:04:13 UTC 2010
+patches/packages/bind-9.4.3_P5-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes possible DNS cache poisoning attacks when DNSSEC is enabled
+ and checking is disabled (CD).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
+ (* Security fix *)
+patches/packages/cups-1.4.4-x86_64-1_slack13.1.txz: Upgraded.
+ Fixed a memory allocation error in texttops.
+ Fixed a Cross-Site Request Forgery (CSRF) that could allow a remote
+ attacker to reconfigure or disable CUPS if a CUPS admin logged into the
+ web interface visited a specially-crafted website.
+ Fixed a bug where uninitialized memory from the cupsd process could
+ reveal sensitive information.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0540
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0542
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1748
+ (* Security fix *)
+patches/packages/imlib-1.9.15-x86_64-7_slack13.1.txz: Rebuilt.
+ This fixes problems linking with libpng.
+patches/packages/mozilla-firefox-3.6.4-x86_64-1_slack13.1.txz: Upgraded.
+ This fixes some security issues.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-3.0.5-x86_64-1.txz: Upgraded.
+ This upgrade fixes some more security bugs.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html
+ (* Security fix *)
+patches/packages/seamonkey-2.0.5-x86_64-1_slack13.1.txz: Upgraded.
+ This release fixes some more security vulnerabilities.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.0.5-x86_64-1_slack13.1.txz: Upgraded.
++--------------------------+
Wed May 19 08:58:23 UTC 2010
Slackware 13.1 x86_64 stable is released!
Lots of thanks are due -- see the RELEASE_NOTES and the rest of the