summaryrefslogtreecommitdiff
path: root/ChangeLog.txt
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committerEric Hameleers <alien@slackware.com>2018-06-01 00:36:01 +0200
commit39366733c3fe943363566756e2e152c45a1b3cb2 (patch)
tree228b0735896af90ca78151c9a69aa3efd12c8cae /ChangeLog.txt
parentd31c50870d0bee042ce660e445c9294a59a3a65b (diff)
downloadcurrent-14.2.tar.gz
Fri May 25 23:29:36 UTC 201814.2
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r--ChangeLog.txt2622
1 files changed, 2622 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index f603590b..19acb233 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,2625 @@
+Fri May 25 23:29:36 UTC 2018
+patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt.
+ Handle removal of US/Pacific-New timezone. If we see that the machine is
+ using this, it will be automatically switched to US/Pacific.
++--------------------------+
+Wed May 23 04:42:29 UTC 2018
+patches/packages/linux-4.4.132/*: Upgraded.
+ This kernel upgrade is being provided primarily to fix a regression in the
+ getsockopt() function, but it also contains fixes for two denial-of-service
+ security issues.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000004
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1092
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-52.8.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/thunderbird/52.8.0/releasenotes/
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/
+ (* Security fix *)
+patches/packages/procps-ng-3.3.15-x86_64-1_slack14.2.txz: Upgraded.
+ Shared library .so-version bump.
+ This update fixes bugs and security issues:
+ library: Fix integer overflow and LPE in file2strvec
+ library: Use size_t for alloc functions
+ pgrep: Fix stack-based buffer overflow
+ ps: Fix buffer overflow in output buffer, causing DOS
+ top: Don't use cwd for location of config
+ For more information, see:
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122
+ (* Security fix *)
++--------------------------+
+Thu May 17 04:13:16 UTC 2018
+patches/packages/curl-7.60.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes:
+ FTP: shutdown response buffer overflow
+ RTSP: bad headers buffer over-read
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000300
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301
+ (* Security fix *)
+patches/packages/php-5.6.36-x86_64-1_slack14.2.txz: Upgraded.
+ This fixes many bugs, including some security issues:
+ Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
+ stream filter convert.iconv leads to infinite loop on invalid sequence
+ Malicious LDAP-Server Response causes crash
+ fix for CVE-2018-5712 may not be complete
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547
+ (* Security fix *)
++--------------------------+
+Thu May 10 21:01:11 UTC 2018
+patches/packages/mariadb-10.0.35-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813
+ (* Security fix *)
++--------------------------+
+Thu May 10 01:24:19 UTC 2018
+patches/packages/glibc-zoneinfo-2018e-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/mozilla-firefox-52.8.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/
+ (* Security fix *)
+patches/packages/wget-1.19.5-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed a security issue where a malicious web server could inject arbitrary
+ cookies into the cookie jar file.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494
+ (* Security fix *)
++--------------------------+
+Fri May 4 19:40:52 UTC 2018
+patches/packages/python-2.7.15-x86_64-1_slack14.2.txz: Upgraded.
+ Updated to the latest 2.7.x release.
+ This fixes some security issues in difflib and poplib (regexes vulnerable
+ to denial of service attacks), as well as security issues with the bundled
+ expat library.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
+ (* Security fix *)
++--------------------------+
+Thu May 3 22:42:35 UTC 2018
+patches/packages/seamonkey-2.49.3-x86_64-1_slack14.2.txz: Upgraded.
+ This update contains security fixes and improvements.
+ For more information (when it appears), see:
+ http://www.seamonkey-project.org/releases/seamonkey2.49.3
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.49.3-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Tue May 1 06:24:40 UTC 2018
+patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.2.txz: Rebuilt.
+ Renamed package to fix wrong package tag (was slack14.1, should be
+ slack14.2). Thanks to rworkman for the heads-up.
++--------------------------+
+Mon Apr 30 22:35:43 UTC 2018
+patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.1.txz: Rebuilt.
+ Patched denial of service and possible execution of arbitrary code
+ security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
+ (* Security fix *)
+patches/packages/mozilla-firefox-52.7.4esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Apr 27 03:58:48 UTC 2018
+patches/packages/openvpn-2.4.6-x86_64-1_slack14.2.txz: Upgraded.
+ This is a security update fixing a potential double-free() in Interactive
+ Service. This usually only leads to a process crash (DoS by an unprivileged
+ local account) but since it could possibly lead to memory corruption if
+ happening while multiple other threads are active at the same time,
+ CVE-2018-9336 has been assigned to acknowledge this risk.
+ For more information, see:
+ https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9336
+ (* Security fix *)
++--------------------------+
+Thu Apr 19 01:04:06 UTC 2018
+patches/packages/gd-2.2.5-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two security issues:
+ Double-free in gdImagePngPtr() (denial of service).
+ Buffer over-read into uninitialized memory (information leak).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890
+ (* Security fix *)
++--------------------------+
+Fri Apr 6 20:47:43 UTC 2018
+patches/packages/patch-2.7.6-x86_64-1_slack14.2.txz: Upgraded.
+ Fix arbitrary shell execution possible with obsolete ed format patches.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156
+ (* Security fix *)
++--------------------------+
+Sun Apr 1 19:45:12 UTC 2018
+patches/packages/libidn-1.34-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ Fix integer overflow in combine_hangul()
+ Fix integer overflow in punycode decoder
+ Fix NULL pointer dereference in g_utf8_normalize()
+ Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()
+ (* Security fix *)
++--------------------------+
+Sun Apr 1 02:53:26 UTC 2018
+patches/packages/php-5.6.35-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue where sensitive data belonging to other
+ accounts might be accessed by a local user.
+ For more information, see:
+ http://bugs.php.net/75605
+ (* Security fix *)
++--------------------------+
+Thu Mar 29 20:48:28 UTC 2018
+patches/packages/ruby-2.2.10-x86_64-1_slack14.2.txz: Upgraded.
+ This release includes some bug fixes and some security fixes:
+ HTTP response splitting in WEBrick.
+ Unintentional file and directory creation with directory traversal in
+ tempfile and tmpdir.
+ DoS by large request in WEBrick.
+ Buffer under-read in String#unpack.
+ Unintentional socket creation by poisoned NUL byte in UNIXServer
+ and UNIXSocket.
+ Unintentional directory traversal by poisoned NUL byte in Dir.
+ Multiple vulnerabilities in RubyGems.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
+ (* Security fix *)
++--------------------------+
+Thu Mar 29 01:02:50 UTC 2018
+patches/packages/openssl-1.0.2o-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ Constructed ASN.1 types with a recursive definition could exceed the stack.
+ For more information, see:
+ https://www.openssl.org/news/secadv/20180327.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2o-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Mon Mar 26 22:06:38 UTC 2018
+patches/packages/mozilla-firefox-52.7.3esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Mar 23 22:28:20 UTC 2018
+patches/packages/glibc-zoneinfo-2018d-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/mozilla-thunderbird-52.7.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/thunderbird/52.7.0/releasenotes/
+ (* Security fix *)
++--------------------------+
+Sun Mar 18 00:55:39 UTC 2018
+patches/packages/libvorbis-1.3.6-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
+ (* Security fix *)
++--------------------------+
+Sat Mar 17 03:25:26 UTC 2018
+patches/packages/mozilla-firefox-52.7.2esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Mar 16 02:29:29 UTC 2018
+patches/packages/curl-7.59.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ FTP path trickery leads to NIL byte out of bounds write
+ LDAP NULL pointer dereference
+ RTSP RTP buffer over-read
+ For more information, see:
+ https://curl.haxx.se/docs/adv_2018-9cd6.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120
+ https://curl.haxx.se/docs/adv_2018-97a2.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121
+ https://curl.haxx.se/docs/adv_2018-b047.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122
+ (* Security fix *)
++--------------------------+
+Tue Mar 13 21:12:51 UTC 2018
+patches/packages/mozilla-firefox-52.7.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/samba-4.4.16-x86_64-3_slack14.2.txz: Rebuilt.
+ This is a security update in order to patch the following defect:
+ On a Samba 4 AD DC the LDAP server in all versions of Samba from
+ 4.0.0 onwards incorrectly validates permissions to modify passwords
+ over LDAP allowing authenticated users to change any other users`
+ passwords, including administrative users.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2018-1057.html
+ https://wiki.samba.org/index.php/CVE-2018-1057
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1057
+ (* Security fix *)
++--------------------------+
+Thu Mar 8 07:07:45 UTC 2018
+patches/packages/libtool-2.4.6-x86_64-5_slack14.2.txz: Rebuilt.
+ Rebuilt to fix the embedded GCC version number. Thanks to David Spencer.
+patches/packages/openssh-7.4p1-x86_64-2_slack14.2.txz: Rebuilt.
+ sftp-server: in read-only mode, sftp-server was incorrectly permitting
+ creation of zero-length files. Reported by Michal Zalewski.
+ Thanks to arny (of Bluewhite64 fame) for the heads-up.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906
+ (* Security fix *)
+patches/packages/php-5.6.34-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a stack buffer overflow vulnerability.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
+ (* Security fix *)
++--------------------------+
+Thu Mar 1 23:24:54 UTC 2018
+patches/packages/dhcp-4.4.1-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two security issues:
+ Corrected an issue where large sized 'X/x' format options were causing
+ option handling logic to overwrite memory when expanding them to human
+ readable form. Reported by Felix Wilhelm, Google Security Team.
+ Option reference count was not correctly decremented in error path
+ when parsing buffer for options. Reported by Felix Wilhelm, Google
+ Security Team.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733
+ (* Security fix *)
+patches/packages/ntp-4.2.8p11-x86_64-1_slack14.2.txz: Upgraded.
+ This release addresses five security issues in ntpd:
+ * LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability:
+ ephemeral association attack. While fixed in ntp-4.2.8p7, there are
+ significant additional protections for this issue in 4.2.8p11.
+ Reported by Matt Van Gundy of Cisco.
+ * INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer
+ read overrun leads to undefined behavior and information leak.
+ Reported by Yihan Lian of Qihoo 360.
+ * LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated
+ ephemeral associations. Reported on the questions@ list.
+ * LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode
+ cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.
+ * LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet
+ can reset authenticated interleaved association.
+ Reported by Miroslav Lichvar of Red Hat.
+ For more information, see:
+ http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185
+ (* Security fix *)
++--------------------------+
+Mon Feb 26 21:32:03 UTC 2018
+patches/packages/linux-4.4.118/*: Upgraded.
+ This kernel includes __user pointer sanitization mitigation for the Spectre
+ (variant 1) speculative side channel attack.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
+ (* Security fix *)
++--------------------------+
+Sat Feb 24 07:41:40 UTC 2018
+patches/packages/wget-1.19.4-x86_64-2_slack14.2.txz: Rebuilt.
+ Applied upstream patch to fix logging in background mode.
+ Thanks to Willy Sudiarto Raharjo.
++--------------------------+
+Fri Feb 16 03:19:36 UTC 2018
+patches/packages/irssi-1.0.7-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://irssi.org/security/html/irssi_sa_2018_02
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7054
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7053
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7050
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7052
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7051
+ (* Security fix *)
++--------------------------+
+Wed Feb 14 19:48:51 UTC 2018
+patches/packages/seamonkey-2.49.2-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/seamonkey-solibs-2.49.2-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Wed Feb 7 04:28:48 UTC 2018
+patches/packages/gcc-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+ Upgraded to the latest gcc-5 release, with patches to support
+ -mindirect-branch=thunk-extern, allowing full mitigation of Spectre v2
+ in the kernel (when CONFIG_RETPOLINE is used).
+patches/packages/gcc-g++-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/gcc-gfortran-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/gcc-gnat-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/gcc-go-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/gcc-java-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/gcc-objc-5.5.0-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/linux-4.4.115/*: Upgraded.
+ This kernel includes full retpoline mitigation for the Spectre (variant 2)
+ speculative side channel attack.
+ Please note that this kernel was compiled with gcc-5.5.0, also provided as
+ an update for Slackware 14.2. You'll need to install the updated gcc in order
+ to compile kernel modules that will load into this updated kernel.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
+ (* Security fix *)
++--------------------------+
+Sun Feb 4 05:13:27 UTC 2018
+patches/packages/php-5.6.33-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues, including:
+ Potential infinite loop in gdImageCreateFromGifCtx.
+ Reflected XSS in .phar 404 page.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712
+ (* Security fix *)
++--------------------------+
+Thu Feb 1 18:24:15 UTC 2018
+patches/packages/mariadb-10.0.34-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2562
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2622
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2640
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2665
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2668
+ (* Security fix *)
+patches/packages/rsync-3.1.3-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two security issues:
+ Fixed a buffer overrun in the protocol's handling of xattr names and
+ ensure that the received name is null terminated.
+ Fix an issue with --protect-args where the user could specify the arg in
+ the protected-arg list and short-circuit some of the arg-sanitizing code.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
+ (* Security fix *)
++--------------------------+
+Fri Jan 26 03:46:16 UTC 2018
+patches/packages/curl-7.58.0-x86_64-2_slack14.2.txz: Rebuilt.
+ Recompiled using --with-libssh2, which is evidently no longer a default
+ option. Thanks to Markus Wiesner.
+patches/packages/mozilla-thunderbird-52.6.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/
+ (* Security fix *)
++--------------------------+
+Thu Jan 25 02:24:04 UTC 2018
+patches/packages/curl-7.58.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ HTTP authentication leak in redirects
+ HTTP/2 trailer out-of-bounds read
+ For more information, see:
+ https://curl.haxx.se/docs/adv_2018-b3bf.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007
+ https://curl.haxx.se/docs/adv_2018-824a.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005
+ (* Security fix *)
++--------------------------+
+Wed Jan 24 04:21:44 UTC 2018
+patches/packages/glibc-zoneinfo-2018c-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Jan 22 22:47:47 UTC 2018
+patches/packages/wget-1.19.4-x86_64-1_slack14.2.txz: Upgraded.
+ More bug fixes:
+ A major bug that caused GZip'ed pages to never be decompressed has been fixed
+ Support for Content-Encoding and Transfer-Encoding have been marked as
+ experimental and disabled by default
++--------------------------+
+Sat Jan 20 16:00:51 UTC 2018
+patches/packages/mozilla-firefox-52.6.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ Specifically, this update contains performance.now() mitigations for Spectre.
+ For more information, see:
+ https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
+ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/wget-1.19.3-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes various non-security bugs, including this one:
+ Prevent erroneous decompression of .gz and .tgz files with broken servers.
++--------------------------+
+Wed Jan 17 21:36:23 UTC 2018
+patches/packages/bind-9.10.6_P1-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a high severity security issue:
+ Improper sequencing during cleanup can lead to a use-after-free error,
+ triggering an assertion failure and crash in named.
+ For more information, see:
+ https://kb.isc.org/article/AA-01542
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145
+ (* Security fix *)
++--------------------------+
+Mon Jan 15 23:13:01 UTC 2018
+patches/packages/linux-4.4.111/*: Upgraded.
+ This kernel includes mitigations for the Spectre (variant 2) and Meltdown
+ speculative side channel attacks.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
+ (* Security fix *)
++--------------------------+
+Tue Jan 9 00:54:19 UTC 2018
+patches/packages/irssi-1.0.6-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes multiple security vulnerabilities.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2018_01.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5205
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5206
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5207
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5208
+ (* Security fix *)
++--------------------------+
+Fri Dec 29 23:09:14 UTC 2017
+patches/packages/mozilla-firefox-52.5.3esr-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Mon Dec 25 00:00:16 UTC 2017
+patches/packages/xscreensaver-5.38-x86_64-1_slack14.2.txz: Upgraded.
+ Here's an upgrade to the latest xscreensaver.
++--------------------------+
+Fri Dec 22 21:49:01 UTC 2017
+patches/packages/mozilla-thunderbird-52.5.2-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/
+ (* Security fix *)
++--------------------------+
+Wed Dec 20 03:05:58 UTC 2017
+patches/packages/ruby-2.2.9-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile
+ use Kernel#open to open a local file. If the localfile argument starts with
+ the pipe character "|", the command following the pipe character is executed.
+ The default value of localfile is File.basename(remotefile), so malicious FTP
+ servers could cause arbitrary command execution.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
+ (* Security fix *)
++--------------------------+
+Sat Dec 9 00:02:28 UTC 2017
+patches/packages/openssl-1.0.2n-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ Read/write after SSL object in error state
+ rsaz_1024_mul_avx2 overflow bug on x86_64
+ For more information, see:
+ https://www.openssl.org/news/secadv/20171207.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2n-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Fri Dec 8 05:54:21 UTC 2017
+patches/packages/mozilla-firefox-52.5.2esr-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Sat Dec 2 20:32:45 UTC 2017
+patches/packages/mozilla-firefox-52.5.1esr-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Wed Nov 29 21:48:33 UTC 2017
+patches/packages/curl-7.57.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ SSL out of buffer access
+ FTP wildcard out of bounds read
+ NTLM buffer overflow via integer overflow
+ For more information, see:
+ https://curl.haxx.se/docs/adv_2017-af0a.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8818
+ https://curl.haxx.se/docs/adv_2017-ae72.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
+ https://curl.haxx.se/docs/adv_2017-12e7.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
+ (* Security fix *)
++--------------------------+
+Wed Nov 29 08:15:09 UTC 2017
+patches/packages/libXcursor-1.1.15-x86_64-1_slack14.2.txz: Upgraded.
+ Fix heap overflows when parsing malicious files. (CVE-2017-16612)
+ It is possible to trigger heap overflows due to an integer overflow
+ while parsing images and a signedness issue while parsing comments.
+ The integer overflow occurs because the chosen limit 0x10000 for
+ dimensions is too large for 32 bit systems, because each pixel takes
+ 4 bytes. Properly chosen values allow an overflow which in turn will
+ lead to less allocated memory than needed for subsequent reads.
+ The signedness bug is triggered by reading the length of a comment
+ as unsigned int, but casting it to int when calling the function
+ XcursorCommentCreate. Turning length into a negative value allows the
+ check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+ addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+ less memory than needed for subsequent reads.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
+ (* Security fix *)
+patches/packages/libXfont-1.5.1-x86_64-2_slack14.2.txz: Rebuilt.
+ Open files with O_NOFOLLOW. (CVE-2017-16611)
+ A non-privileged X client can instruct X server running under root
+ to open any file by creating own directory with "fonts.dir",
+ "fonts.alias" or any font file being a symbolic link to any other
+ file in the system. X server will then open it. This can be issue
+ with special files such as /dev/watchdog (which could then reboot
+ the system).
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611
+ (* Security fix *)
++--------------------------+
+Tue Nov 28 06:20:03 UTC 2017
+patches/packages/samba-4.4.16-x86_64-2_slack14.2.txz: Rebuilt.
+ This is a security update in order to patch the following defects:
+ CVE-2017-14746 (Use-after-free vulnerability.)
+ All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+ free vulnerability, where a malicious SMB1 request can be used to
+ control the contents of heap memory via a deallocated heap pointer. It
+ is possible this may be used to compromise the SMB server.
+ CVE-2017-15275 (Server heap memory information leak.)
+ All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+ memory information leak, where server allocated heap memory may be
+ returned to the client without being cleared.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2017-14746.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746
+ https://www.samba.org/samba/security/CVE-2017-15275.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
+ (* Security fix *)
++--------------------------+
+Sat Nov 25 07:44:07 UTC 2017
+patches/packages/mozilla-thunderbird-52.5.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Tue Nov 21 05:05:41 UTC 2017
+patches/packages/libtiff-4.0.9-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
+ (* Security fix *)
++--------------------------+
+Fri Nov 17 00:56:25 UTC 2017
+patches/packages/libplist-2.0.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes several security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209
+ (* Security fix *)
+patches/packages/mozilla-firefox-52.5.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Nov 3 03:31:56 UTC 2017
+patches/packages/mariadb-10.0.33-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://jira.mariadb.org/browse/MDEV-13819
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378
+ (* Security fix *)
+patches/packages/openssl-1.0.2m-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ There is a carry propagating bug in the x64 Montgomery squaring procedure.
+ No EC algorithms are affected. Analysis suggests that attacks against RSA
+ and DSA as a result of this defect would be very difficult to perform and
+ are not believed likely. Attacks against DH are considered just feasible
+ (although very difficult) because most of the work necessary to deduce
+ information about a private key may be performed offline. The amount of
+ resources required for such an attack would be very significant and likely
+ only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+ For more information, see:
+ https://www.openssl.org/news/secadv/20171102.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Fri Oct 27 20:34:35 UTC 2017
+patches/packages/NetworkManager-1.8.4-x86_64-1_slack14.2.txz: Upgraded.
+ This update is provided to address issues with wifi scanning when using the
+ new wpa_supplicant with certain hardware drivers. If you're not having
+ problems, you don't need this update (but it probably won't hurt).
+patches/packages/network-manager-applet-1.8.4-x86_64-1_slack14.2.txz: Upgraded.
+ This package goes along with the optional NetworkManager update.
+patches/packages/php-5.6.32-x86_64-1_slack14.2.txz: Upgraded.
+ Several security bugs were fixed in this release:
+ Out of bounds read in timelib_meridian().
+ The arcfour encryption stream filter crashes PHP.
+ Applied upstream patch for PCRE (CVE-2016-1283).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283
+ (* Security fix *)
+patches/packages/wget-1.19.2-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes stack and heap overflows in in HTTP protocol handling.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090
+ (* Security fix *)
++--------------------------+
+Wed Oct 25 19:09:26 UTC 2017
+patches/packages/glibc-zoneinfo-2017c-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/httpd-2.4.29-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/irssi-1.0.5-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes some remote denial of service issues.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_10.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15228
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15227
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15721
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15723
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15722
+ (* Security fix *)
+patches/packages/xfce4-weather-plugin-0.8.10-x86_64-1_slack14.2.txz: Upgraded.
+ This has a bugfix related to setting the location:
+ https://bugzilla.xfce.org/show_bug.cgi?id=13877
++--------------------------+
+Tue Oct 24 05:31:18 UTC 2017
+patches/packages/curl-7.56.1-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ IMAP FETCH response out of bounds read may cause a crash or information leak.
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20171023.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
+ (* Security fix *)
+patches/packages/seamonkey-2.49.1-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/seamonkey-solibs-2.49.1-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Wed Oct 18 18:21:18 UTC 2017
+patches/packages/libXres-1.2.0-x86_64-1_slack14.2.txz: Upgraded.
+ Integer overflows may allow X servers to trigger allocation of insufficient
+ memory and a buffer overflow via vectors related to the (1)
+ XResQueryClients and (2) XResQueryClientResources functions.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1988
+ (* Security fix *)
+patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz: Upgraded.
+ This update includes patches to mitigate the WPA2 protocol issues known
+ as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data,
+ hijack TCP connections, and to forge and inject packets. This is the
+ list of vulnerabilities that are addressed here:
+ CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the
+ 4-way handshake.
+ CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
+ CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way
+ handshake.
+ CVE-2017-13080: Reinstallation of the group key (GTK) in the group key
+ handshake.
+ CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group
+ key handshake.
+ CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT)
+ Reassociation Request and reinstalling the pairwise encryption key (PTK-TK)
+ while processing it.
+ CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
+ CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS)
+ PeerKey (TPK) key in the TDLS handshake.
+ CVE-2017-13087: reinstallation of the group key (GTK) when processing a
+ Wireless Network Management (WNM) Sleep Mode Response frame.
+ CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
+ processing a Wireless Network Management (WNM) Sleep Mode Response frame.
+ For more information, see:
+ https://www.krackattacks.com/
+ https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
+ (* Security fix *)
+patches/packages/xorg-server-1.18.3-x86_64-5_slack14.2.txz: Rebuilt.
+ This update fixes integer overflows and other possible security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12176
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12177
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12178
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12179
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12180
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12181
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12182
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12183
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12184
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12185
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12186
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12187
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.18.3-x86_64-5_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.18.3-x86_64-5_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.18.3-x86_64-5_slack14.2.txz: Rebuilt.
++--------------------------+
+Sat Oct 7 02:53:31 UTC 2017
+patches/packages/mozilla-thunderbird-52.4.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Fri Oct 6 06:32:32 UTC 2017
+patches/packages/curl-7.56.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ libcurl may read outside of a heap allocated buffer when doing FTP.
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20171004.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
+ (* Security fix *)
+patches/packages/openjpeg-2.3.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues which may lead to a denial of service
+ or possibly remote code execution.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9580
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9581
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12982
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14039
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14040
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14041
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14151
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14152
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14164
+ (* Security fix *)
+patches/packages/xorg-server-1.18.3-x86_64-4_slack14.2.txz: Rebuilt.
+ This update fixes two security issues:
+ Xext/shm: Validate shmseg resource id, otherwise it can belong to a
+ non-existing client and abort X server with FatalError "client not
+ in use", or overwrite existing segment of another existing client.
+ Generating strings for XKB data used a single shared static buffer,
+ which offered several opportunities for errors. Use a ring of
+ resizable buffers instead, to avoid problems when strings end up
+ longer than anticipated.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13721
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13723
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.18.3-x86_64-4_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.18.3-x86_64-4_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.18.3-x86_64-4_slack14.2.txz: Rebuilt.
++--------------------------+
+Mon Oct 2 17:16:06 UTC 2017
+patches/packages/dnsmasq-2.78-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and remotely exploitable security issues that may
+ have impacts including denial of service, information leak, and execution
+ of arbitrary code. Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana,
+ Kevin Hamacher, Ron Bowes, and Gynvael Coldwind of the Google Security Team.
+ For more information, see:
+ https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13704
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496
+ (* Security fix *)
++--------------------------+
+Sun Oct 1 19:19:08 UTC 2017
+patches/packages/openexr-2.2.0-x86_64-2_slack14.2.txz: Rebuilt.
+ Patched bugs that may lead to program crashes or possibly execution of
+ arbitrary code. Thanks to Thomas Choi for the patch.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9110
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9111
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9112
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9113
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9114
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9115
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9116
+ (* Security fix *)
++--------------------------+
+Thu Sep 28 21:03:26 UTC 2017
+patches/packages/mozilla-firefox-52.4.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Thu Sep 28 05:31:20 UTC 2017
+patches/packages/gegl-0.2.0-x86_64-4_slack14.2.txz: Rebuilt.
+ Patched integer overflows in operations/external/ppm-load.c that could allow
+ a denial of service (application crash) or possibly the execution of
+ arbitrary code via a large width or height value in a ppm image.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4433
+ (* Security fix *)
++--------------------------+
+Sat Sep 23 01:02:32 UTC 2017
+patches/packages/libxml2-2.9.5-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes some security issues:
+ Detect infinite recursion in parameter entities (Nick Wellnhofer),
+ Fix handling of parameter-entity references (Nick Wellnhofer),
+ Disallow namespace nodes in XPointer ranges (Nick Wellnhofer),
+ Fix XPointer paths beginning with range-to (Nick Wellnhofer).
+ (* Security fix *)
+patches/packages/python-2.7.14-x86_64-1_slack14.2.txz: Upgraded.
+ Updated to the latest 2.7.x release.
+ This fixes some security issues related to the bundled expat library.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
+ (* Security fix *)
++--------------------------+
+Thu Sep 21 01:23:24 UTC 2017
+patches/packages/samba-4.4.16-x86_64-1_slack14.2.txz: Upgraded.
+ This is a security release in order to address the following defects:
+ SMB1/2/3 connections may not require signing where they should. A man in the
+ middle attack may hijack client connections.
+ SMB3 connections don't keep encryption across DFS redirects. A man in the
+ middle attack can read and may alter confidential documents transferred via
+ a client connection, which are reached via DFS redirect when the original
+ connection used SMB3.
+ Server memory information leak over SMB1. Client with write access to a share
+ can cause server memory contents to be written into a file or printer.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2017-12150.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150
+ https://www.samba.org/samba/security/CVE-2017-12151.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151
+ https://www.samba.org/samba/security/CVE-2017-12163.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163
+ (* Security fix *)
++--------------------------+
+Mon Sep 18 19:15:03 UTC 2017
+patches/packages/httpd-2.4.27-x86_64-2_slack14.2.txz: Rebuilt.
+ This update patches a security issue ("Optionsbleed") with the OPTIONS http
+ method which may leak arbitrary pieces of memory to a potential attacker.
+ Thanks to Hanno Bo:ck.
+ For more information, see:
+ http://seclists.org/oss-sec/2017/q3/477
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
+ (* Security fix *)
+patches/packages/libgcrypt-1.7.9-x86_64-1_slack14.2.txz: Upgraded.
+ Mitigate a local side-channel attack on Curve25519 dubbed "May
+ the Fourth be With You".
+ For more information, see:
+ https://eprint.iacr.org/2017/806
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379
+ (* Security fix *)
+patches/packages/ruby-2.2.8-x86_64-1_slack14.2.txz: Upgraded.
+ This release includes several security fixes.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
+ (* Security fix *)
++--------------------------+
+Fri Sep 15 17:31:57 UTC 2017
+patches/packages/bluez-5.47-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed an information disclosure vulnerability which allows remote attackers
+ to obtain sensitive information from the bluetoothd process memory. This
+ vulnerability lies in the processing of SDP search attribute requests.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
+ (* Security fix *)
+patches/packages/linux-4.4.88/*: Upgraded.
+ This update fixes the security vulnerability known as "BlueBorne".
+ The native Bluetooth stack in the Linux Kernel (BlueZ), starting at
+ Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in
+ the processing of L2CAP configuration responses resulting in remote
+ code execution in kernel space.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251
+ https://www.armis.com/blueborne
+ (* Security fix *)
++--------------------------+
+Tue Sep 12 22:18:51 UTC 2017
+patches/packages/emacs-25.3-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security vulnerability in Emacs. Gnus no longer
+ supports "richtext" and "enriched" inline MIME objects. This support
+ was disabled to avoid evaluation of arbitrary Lisp code contained in
+ email messages and news articles.
+ For more information, see:
+ http://seclists.org/oss-sec/2017/q3/422
+ https://bugs.gnu.org/28350
+ (* Security fix *)
+patches/packages/libzip-1.0.1-x86_64-3_slack14.2.txz: Rebuilt.
+ Fix a denial of service security issue.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107
+ (* Security fix *)
++--------------------------+
+Fri Sep 8 17:56:01 UTC 2017
+patches/packages/bash-4.3.048-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two security issues found in bash before 4.4:
+ The expansion of '\h' in the prompt string allows remote authenticated users
+ to execute arbitrary code via shell metacharacters placed in 'hostname' of a
+ machine. The theoretical attack vector is a hostile DHCP server providing a
+ crafted hostname, but this is unlikely to occur in a normal Slackware
+ configuration as we ignore the hostname provided by DHCP.
+ Specially crafted SHELLOPTS+PS4 environment variables used against bogus
+ setuid binaries using system()/popen() allowed local attackers to execute
+ arbitrary code as root.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543
+ (* Security fix *)
+patches/packages/mariadb-10.0.32-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653
+ (* Security fix *)
+patches/packages/mozilla-nss-3.31.1-x86_64-1_slack14.2.txz: Upgraded.
+ Upgraded to nss-3.31.1 and nspr-4.16.
+ This is a bugfix release.
+patches/packages/tcpdump-4.9.2-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and many security issues (see the included
+ CHANGES file).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12893
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12894
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12895
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12896
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12897
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12898
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12899
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12900
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12901
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12902
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12985
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12986
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12987
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12988
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12989
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12990
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12991
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12992
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12993
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12994
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12995
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12996
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12997
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12998
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12999
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13000
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13001
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13002
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13003
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13004
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13005
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13006
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13007
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13008
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13009
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13010
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13011
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13012
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13013
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13014
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13015
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13016
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13017
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13018
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13019
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13020
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13021
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13022
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13023
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13024
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13025
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13026
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13027
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13028
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13029
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13030
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13031
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13032
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13033
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13034
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13035
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13036
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13037
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13038
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13039
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13040
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13041
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13042
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13043
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13044
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13045
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13046
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13047
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13048
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13049
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13050
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13051
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13052
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13053
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13054
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13055
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13687
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13688
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13689
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13690
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13725
+ (* Security fix *)
++--------------------------+
+Thu Aug 17 05:36:28 UTC 2017
+patches/packages/mozilla-thunderbird-52.3.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Tue Aug 15 22:16:12 UTC 2017
+patches/packages/xorg-server-1.18.3-x86_64-3_slack14.2.txz: Rebuilt.
+ This update fixes two security issues:
+ A user authenticated to an X Session could crash or execute code in the
+ context of the X Server by exploiting a stack overflow in the endianness
+ conversion of X Events.
+ Uninitialized data in endianness conversion in the XEvent handling of the
+ X.Org X Server allowed authenticated malicious users to access potentially
+ privileged data from the X server.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972
+ (* Security fix *)
+patches/packages/xorg-server-xephyr-1.18.3-x86_64-3_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xnest-1.18.3-x86_64-3_slack14.2.txz: Rebuilt.
+patches/packages/xorg-server-xvfb-1.18.3-x86_64-3_slack14.2.txz: Rebuilt.
++--------------------------+
+Fri Aug 11 23:02:43 UTC 2017
+patches/packages/git-2.14.1-x86_64-1_slack14.2.txz: Upgraded.
+ Fixes security issues:
+ A "ssh://..." URL can result in a "ssh" command line with a hostname that
+ begins with a dash "-", which would cause the "ssh" command to instead
+ (mis)treat it as an option. This is now prevented by forbidding such a
+ hostname (which should not impact any real-world usage).
+ Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
+ host and port that are parsed out from "ssh://..." URL; a poorly written
+ GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
+ dash "-" as an option. This is now prevented by forbidding such a hostname
+ and port number (again, which should not impact any real-world usage).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
+ (* Security fix *)
+patches/packages/libsoup-2.52.2-x86_64-3_slack14.2.txz: Rebuilt.
+ Fixed a chunked decoding buffer overrun that could be exploited against
+ either clients or servers.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
+ (* Security fix *)
+patches/packages/mercurial-4.3.1-x86_64-1_slack14.2.txz: Upgraded.
+ Fixes security issues:
+ Mercurial's symlink auditing was incomplete prior to 4.3, and could
+ be abused to write to files outside the repository.
+ Mercurial was not sanitizing hostnames passed to ssh, allowing
+ shell injection attacks on clients by specifying a hostname starting
+ with -oProxyCommand.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
+ (* Security fix *)
+patches/packages/subversion-1.9.7-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed client side arbitrary code execution vulnerability.
+ For more information, see:
+ https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
+ (* Security fix *)
++--------------------------+
+Wed Aug 9 20:23:16 UTC 2017
+patches/packages/curl-7.55.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes three security issues:
+ URL globbing out of bounds read
+ TFTP sends more than buffer size
+ FILE buffer read out of bounds
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20170809A.html
+ https://curl.haxx.se/docs/adv_20170809B.html
+ https://curl.haxx.se/docs/adv_20170809C.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099
+ (* Security fix *)
+patches/packages/glibc-2.23-x86_64-4_slack14.2.txz: Rebuilt.
+ Fixed a regression with the recent glibc patch packages:
+ Don't clobber the libm.so linker script with a symlink.
+ Thanks to guanx.
+patches/packages/glibc-i18n-2.23-x86_64-4_slack14.2.txz: Rebuilt.
+patches/packages/glibc-profile-2.23-x86_64-4_slack14.2.txz: Rebuilt.
+patches/packages/glibc-solibs-2.23-x86_64-4_slack14.2.txz: Rebuilt.
+patches/packages/mozilla-firefox-52.3.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Wed Aug 2 03:43:51 UTC 2017
+patches/packages/gnupg-1.4.22-x86_64-1_slack14.2.txz: Upgraded.
+ Mitigate a flush+reload side-channel attack on RSA secret keys dubbed
+ "Sliding right into disaster".
+ For more information, see:
+ https://eprint.iacr.org/2017/627
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
+ (* Security fix *)
++--------------------------+
+Fri Jul 28 20:29:47 UTC 2017
+patches/packages/squashfs-tools-4.3-x86_64-2_slack14.2.txz: Rebuilt.
+ Patched a couple of denial of service issues and other bugs.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4645
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4646
+ (* Security fix *)
++--------------------------+
+Thu Jul 27 01:03:02 UTC 2017
+patches/packages/dbus-1.10.8-x86_64-2_slack14.2.txz: Rebuilt.
+ Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't
+ need it and 2) it can cause the boot process to hang if dbus times out.
+ Thanks to SeB for a link to the bug report and patch.
++--------------------------+
+Tue Jul 25 21:09:42 UTC 2017
+patches/packages/bind-9.10.5_P3-x86_64-1_slack14.2.txz: Upgraded.
+ Fix a regression in the previous BIND release that broke verification
+ of TSIG signed TCP message sequences where not all the messages contain
+ TSIG records.
+ Compiled to use libidn rather than the deprecated (and broken) idnkit.
++--------------------------+
+Mon Jul 24 19:59:34 UTC 2017
+patches/packages/tcpdump-4.9.1-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes an issue where tcpdump 4.9.0 allows remote attackers
+ to cause a denial of service (heap-based buffer over-read and application
+ crash) via crafted packet data.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11108
+ (* Security fix *)
++--------------------------+
+Fri Jul 21 20:09:49 UTC 2017
+patches/packages/seamonkey-2.48-x86_64-1_slack14.2.txz: Upgraded.
+ This update contains security fixes and improvements.
+ For more information, see:
+ http://www.seamonkey-project.org/releases/seamonkey2.48
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.48-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Tue Jul 18 23:10:25 UTC 2017
+patches/packages/expat-2.2.2-x86_64-1_slack14.2.txz: Upgraded.
+ Fixes security issues including:
+ External entity infinite loop DoS
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233
+ https://libexpat.github.io/doc/cve-2017-9233/
+ (* Security fix *)
+patches/packages/gd-2.2.4-x86_64-1_slack14.2.txz: Upgraded.
+ Fixes security issues:
+ gdImageCreate() doesn't check for oversized images and as such is prone to
+ DoS vulnerabilities. (CVE-2016-9317)
+ double-free in gdImageWebPtr() (CVE-2016-6912)
+ potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
+ DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
+ Signed Integer Overflow gd_io.c (CVE-2016-10168)
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+ (* Security fix *)
+patches/packages/libtirpc-1.0.2-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/rpcbind-0.2.4-x86_64-2_slack14.2.txz: Rebuilt.
+ Fixed a bug in a previous patch where a svc_freeargs() call ended up freeing
+ a static pointer causing rpcbind to crash. Thanks to Jonathan Woithe,
+ Rafael Jorge Csura Szendrodi, and Robby Workman for identifying the problem
+ and helping to test a fix.
++--------------------------+
+Fri Jul 14 22:11:58 UTC 2017
+patches/packages/mariadb-10.0.31-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464
+ (* Security fix *)
+patches/packages/samba-4.4.15-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes an authentication validation bypass security issue:
+ "Orpheus' Lyre mutual authentication validation bypass"
+ All versions of Samba from 4.0.0 onwards using embedded Heimdal
+ Kerberos are vulnerable to a man-in-the-middle attack impersonating
+ a trusted server, who may gain elevated access to the domain by
+ returning malicious replication or authorization data.
+ Samba binaries built against MIT Kerberos are not vulnerable.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2017-11103.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+ (* Security fix *)
++--------------------------+
+Thu Jul 13 18:19:01 UTC 2017
+patches/packages/httpd-2.4.27-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two security issues:
+ Read after free in mod_http2 (CVE-2017-9789)
+ Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
+ Thanks to Robert Swiecki for reporting these issues.
+ For more information, see:
+ https://httpd.apache.org/security/vulnerabilities_24.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
+ (* Security fix *)
++--------------------------+
+Mon Jul 10 21:43:37 UTC 2017
+patches/packages/libtirpc-1.0.1-x86_64-3_slack14.2.txz: Rebuilt.
+ Patched a bug which can cause a denial of service through memory exhaustion.
+ Thanks to Robby Workman.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+ (* Security fix *)
+patches/packages/rpcbind-0.2.4-x86_64-1_slack14.2.txz: Upgraded.
+ Patched a bug which can cause a denial of service through memory exhaustion.
+ Thanks to Robby Workman.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
+ (* Security fix *)
++--------------------------+
+Sun Jul 9 20:38:08 UTC 2017
+patches/packages/irssi-1.0.4-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes two remote crash issues as well as a few bugs.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_07.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
+ (* Security fix *)
++--------------------------+
+Sat Jul 8 00:11:34 UTC 2017
+patches/packages/ca-certificates-20161130-noarch-1_slack14.2.txz: Upgraded.
+ This update provides the latest CA certificates to check for the
+ authenticity of SSL connections.
+patches/packages/php-5.6.31-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://php.net/ChangeLog-5.php#5.6.31
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229
+ (* Security fix *)
++--------------------------+
+Thu Jul 6 00:57:41 UTC 2017
+patches/packages/glibc-2.23-x86_64-3_slack14.2.txz: Rebuilt.
+ Recompiled with upstream patch from git:
+ "[PATCH] X86: Don't assert on older Intel CPUs [BZ #20647]"
+ This fixes an ldconfig failure on older Intel CPUs including Pentium MMX.
+patches/packages/glibc-i18n-2.23-x86_64-3_slack14.2.txz: Rebuilt.
+patches/packages/glibc-profile-2.23-x86_64-3_slack14.2.txz: Rebuilt.
+patches/packages/glibc-solibs-2.23-x86_64-3_slack14.2.txz: Rebuilt.
+patches/packages/xscreensaver-5.37-x86_64-1_slack14.2.txz: Upgraded.
+ Here's an upgrade to the latest xscreensaver.
++--------------------------+
+Fri Jun 30 21:14:15 UTC 2017
+patches/packages/glibc-2.23-x86_64-2_slack14.2.txz: Rebuilt.
+ Applied upstream security hardening patches from git.
+ For more information, see:
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=c69d4a0f680a24fdbe323764a50382ad324041e9
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=3776f38fcd267c127ba5eb222e2c614c191744aa
+ https://sourceware.org/git/?p=glibc.git;a=commit;h=adc7e06fb412a2a1ee52f8cb788caf436335b9f3
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
+ (* Security fix *)
+patches/packages/glibc-i18n-2.23-x86_64-2_slack14.2.txz: Rebuilt.
+patches/packages/glibc-profile-2.23-x86_64-2_slack14.2.txz: Rebuilt.
+ (* Security fix *)
+patches/packages/glibc-solibs-2.23-x86_64-2_slack14.2.txz: Rebuilt.
+ (* Security fix *)
+patches/packages/linux-4.4.75/*: Upgraded.
+ This kernel fixes security issues that include possible stack exhaustion,
+ memory corruption, and arbitrary code execution.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7482
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365
+ (* Security fix *)
++--------------------------+
+Thu Jun 29 20:55:09 UTC 2017
+patches/packages/bind-9.10.5_P2-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a high severity security issue:
+ An error in TSIG handling could permit unauthorized zone transfers
+ or zone updates.
+ For more information, see:
+ https://kb.isc.org/article/AA-01503/0
+ https://kb.isc.org/article/AA-01504/0
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
+ (* Security fix *)
+patches/packages/httpd-2.4.26-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues which may lead to an authentication bypass
+ or a denial of service:
+ important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
+ important: mod_ssl Null Pointer Dereference CVE-2017-3169
+ important: mod_http2 Null Pointer Dereference CVE-2017-7659
+ important: ap_find_token() Buffer Overread CVE-2017-7668
+ important: mod_mime Buffer Overread CVE-2017-7679
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679
+ (* Security fix *)
+patches/packages/libgcrypt-1.7.8-x86_64-1_slack14.2.txz: Upgraded.
+ Mitigate a local flush+reload side-channel attack on RSA secret keys
+ dubbed "Sliding right into disaster".
+ For more information, see:
+ https://eprint.iacr.org/2017/627
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
+ (* Security fix *)
+patches/packages/mkinitrd-1.4.10-x86_64-1_slack14.2.txz: Upgraded.
+ Added support for -P option and MICROCODE_ARCH in mkinitrd.conf to specify
+ a microcode archive to be prepended to the initrd for early CPU microcode
+ patching by the kernel. Thanks to SeB.
++--------------------------+
+Mon Jun 26 20:36:18 UTC 2017
+patches/packages/linux-4.4.74/*: Upgraded.
+ This kernel fixes two "Stack Clash" vulnerabilities reported by Qualys.
+ The first issue may allow attackers to execute arbitrary code with elevated
+ privileges. Failed attack attempts will likely result in denial-of-service
+ conditions. The second issue can be exploited to bypass certain security
+ restrictions and perform unauthorized actions.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-52.2.1-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Fri Jun 23 20:11:00 UTC 2017
+patches/packages/nasm-2.13.01-x86_64-1_slack14.2.txz: Upgraded.
+ This update is needed for some newer projects to compile properly.
++--------------------------+
+Wed Jun 21 18:38:46 UTC 2017
+patches/packages/openvpn-2.3.17-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes several denial of service issues discovered
+ by Guido Vranken.
+ For more information, see:
+ https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7512
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522
+ (* Security fix *)
++--------------------------+
+Thu Jun 15 02:08:28 UTC 2017
+patches/packages/bind-9.10.5_P1-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed denial of service security issue:
+ Some RPZ configurations could go into an infinite query loop when
+ encountering responses with TTL=0.
+ For more information, see:
+ https://kb.isc.org/article/AA-01495
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140
+ (* Security fix *)
+patches/packages/mozilla-firefox-52.2.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-52.2.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Tue Jun 13 19:54:24 UTC 2017
+patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release, and is needed for some updates on slackbuilds.org
+ to compile properly. Thanks to Willy Sudiarto Raharjo.
++--------------------------+
+Wed Jun 7 22:42:04 UTC 2017
+patches/packages/irssi-1.0.3-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed security issues that may result in a denial of service.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_06.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469
+ (* Security fix *)
++--------------------------+
+Wed May 31 23:07:23 UTC 2017
+patches/packages/sudo-1.8.20p2-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release:
+ Fixed a bug parsing /proc/pid/stat when the process name contains
+ a newline. This is not exploitable due to the /dev traversal changes
+ made in sudo 1.8.20p1.
++--------------------------+
+Tue May 30 17:39:17 UTC 2017
+patches/packages/lynx-2.8.8rel.2-x86_64-3_slack14.2.txz: Rebuilt.
+ Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use
+ the new URL for the Lynx homepage. Thanks to John David Yost.
+patches/packages/sudo-1.8.20p1-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a potential overwrite of arbitrary system files.
+ This bug was discovered and analyzed by Qualys, Inc.
+ For more information, see:
+ https://www.sudo.ws/alerts/linux_tty.html
+ http://www.openwall.com/lists/oss-security/2017/05/30/16
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367
+ (* Security fix *)
++--------------------------+
+Wed May 24 19:38:59 UTC 2017
+patches/packages/samba-4.4.14-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a remote code execution vulnerability, allowing a
+ malicious client to upload a shared library to a writable share, and
+ then cause the server to load and execute it.
+ For more information, see:
+ https://www.samba.org/samba/security/CVE-2017-7494.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494
+ (* Security fix *)
++--------------------------+
+Mon May 22 20:58:20 UTC 2017
+patches/packages/gkrellm-2.3.10-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release to fix a broken gkrellm.pc.
+patches/packages/mozilla-firefox-52.1.2esr-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Tue May 16 20:11:03 UTC 2017
+patches/packages/freetype-2.6.3-x86_64-2_slack14.2.txz: Rebuilt.
+ This update fixes an out-of-bounds write caused by a heap-based buffer
+ overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287
+ (* Security fix *)
+patches/packages/kdelibs-4.14.32-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue with KAuth that can lead to gaining
+ root from an unprivileged account.
+ For more information, see:
+ http://www.openwall.com/lists/oss-security/2017/05/10/3
+ https://www.kde.org/info/security/advisory-20170510-1.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-52.1.1-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Mon May 1 23:31:02 UTC 2017
+patches/packages/mozilla-thunderbird-52.1.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
+patches/packages/rxvt-2.7.10-x86_64-5_slack14.2.txz: Rebuilt.
+ Patched an integer overflow that can crash rxvt with an escape sequence,
+ or possibly have unspecified other impact.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7483
+ (* Security fix *)
++--------------------------+
+Wed Apr 26 23:09:45 UTC 2017
+patches/packages/xfce4-weather-plugin-0.8.9-x86_64-1_slack14.2.txz: Upgraded.
+ Package upgraded to fix the API used to fetch weather data.
+ Thanks to Robby Workman.
++--------------------------+
+Mon Apr 24 18:06:06 UTC 2017
+patches/packages/mozilla-firefox-52.1.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Apr 21 22:40:12 UTC 2017
+patches/packages/getmail-4.54.0-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release to fix a failure to retrieve HTML formatted emails
+ that contain a line longer than 1024 characters. Thanks to Edward Trumbo.
+patches/packages/ntp-4.2.8p10-x86_64-1_slack14.2.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes security
+ issues of medium and low severity:
+ Denial of Service via Malformed Config (Medium)
+ Authenticated DoS via Malicious Config Option (Medium)
+ Potential Overflows in ctl_put() functions (Medium)
+ Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
+ 0rigin DoS (Medium)
+ Buffer Overflow in DPTS Clock (Low)
+ Improper use of snprintf() in mx4200_send() (Low)
+ The following issues do not apply to Linux systems:
+ Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
+ Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
+ Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
+ (* Security fix *)
+patches/packages/proftpd-1.3.5e-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes a security issue:
+ AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
+ (* Security fix *)
++--------------------------+
+Wed Apr 19 04:46:45 UTC 2017
+patches/packages/minicom-2.7.1-x86_64-1_slack14.2.txz: Upgraded.
+ Fix an out of bounds data access that can lead to remote code execution.
+ This issue was found by Solar Designer of Openwall during a security audit
+ of the Virtuozzo 7 product, which contains derived downstream code in its
+ prl-vzvncserver component.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467
+ (* Security fix *)
++--------------------------+
+Tue Apr 18 04:21:33 UTC 2017
+patches/packages/mozilla-thunderbird-52.0.1-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix release.
++--------------------------+
+Thu Apr 13 21:19:45 UTC 2017
+patches/packages/bind-9.10.4_P8-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed denial of service security issues.
+ For more information, see:
+ https://kb.isc.org/article/AA-01465
+ https://kb.isc.org/article/AA-01466
+ https://kb.isc.org/article/AA-01471
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138
+ (* Security fix *)
++--------------------------+
+Sat Apr 8 16:24:35 UTC 2017
+patches/packages/libtiff-4.0.7-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5875
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-52.0-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Sat Apr 1 05:16:59 UTC 2017
+patches/packages/samba-4.4.13-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bug fix release to address a regression introduced by the security
+ fixes for CVE-2017-2619 (Symlink race allows access outside share definition).
+ Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details.
++--------------------------+
+Tue Mar 28 20:30:50 UTC 2017
+patches/packages/mariadb-10.0.30-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ Crash in libmysqlclient.so.
+ Difficult to exploit vulnerability allows low privileged attacker with
+ logon to compromise the server. Successful attacks of this vulnerability
+ can result in unauthorized access to data.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3302
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313
+ (* Security fix *)
+patches/packages/mozilla-firefox-52.0.2esr-x86_64-1_slack14.2.txz: Upgraded.
+ Upgraded to new Firefox 52.x ESR branch.
++--------------------------+
+Thu Mar 23 21:38:23 UTC 2017
+patches/packages/glibc-zoneinfo-2017b-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
+patches/packages/mcabber-1.0.5-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP
+ clients allows a remote attacker to impersonate any user, including
+ contacts, in the vulnerable application's display. This allows for various
+ kinds of social engineering attacks.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5604
+ (* Security fix *)
+patches/packages/samba-4.4.12-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to
+ a malicious client using a symlink race to allow access to areas of
+ the server file system not exported under the share definition.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619
+ (* Security fix *)
++--------------------------+
+Thu Mar 16 01:37:05 UTC 2017
+patches/packages/pidgin-2.12.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a minor security issue (out of bounds memory read in
+ purple_markup_unescape_entity).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640
+ (* Security fix *)
++--------------------------+
+Wed Mar 8 00:17:36 UTC 2017
+patches/packages/mozilla-firefox-45.8.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-45.8.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ (* Security fix *)
++--------------------------+
+Wed Mar 1 19:09:44 UTC 2017
+patches/packages/libcgroup-0.41-x86_64-2_slack14.2.txz: Rebuilt.
+ This is a bugfix package update.
+ Fixed rc.cgred to source the correct config file.
+ Don't remove the entire cgroup file system with "rc.cgconfig stop".
+ Thanks to chris.willing.
+ NOTE: Be sure to install any .new config files.
++--------------------------+
+Tue Feb 28 23:51:55 UTC 2017
+patches/packages/glibc-zoneinfo-2017a-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Fri Feb 10 21:07:35 UTC 2017
+patches/packages/bind-9.10.4_P6-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. Under some conditions
+ when using both DNS64 and RPZ to rewrite query responses, query processing
+ can resume in an inconsistent state leading to either an INSIST assertion
+ failure or an attempt to read through a NULL pointer.
+ For more information, see:
+ https://kb.isc.org/article/AA-01453
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135
+ (* Security fix *)
+patches/packages/libpcap-1.8.1-x86_64-1_slack14.2.txz: Upgraded.
+ This update is required for the new version of tcpdump.
+patches/packages/mozilla-thunderbird-45.7.1-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed crash when viewing certain IMAP messages (introduced in 45.7.0)
+patches/packages/openssl-1.0.2k-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes security issues:
+ Truncated packet could crash via OOB read (CVE-2017-3731)
+ BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
+ Montgomery multiplication may produce incorrect results (CVE-2016-7055)
+ For more information, see:
+ https://www.openssl.org/news/secadv/20170126.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2k-x86_64-1_slack14.2.txz: Upgraded.
+patches/packages/php-5.6.30-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://php.net/ChangeLog-5.php#5.6.30
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161
+ (* Security fix *)
+patches/packages/tcpdump-4.9.0-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed bugs which allow an attacker to crash tcpdump (denial of service).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7922
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7923
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7924
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7925
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7926
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7927
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7928
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7929
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7930
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7931
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7932
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7933
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7934
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7935
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7936
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7937
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7938
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7939
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7940
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7973
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7974
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7975
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7983
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7984
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7985
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7986
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7992
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7993
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8574
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8575
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5202
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5203
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5204
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5205
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5341
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5342
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5482
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5483
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5484
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5485
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5486
+ (* Security fix *)
++--------------------------+
+Thu Jan 26 18:42:29 UTC 2017
+patches/packages/mozilla-thunderbird-45.7.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
+ (* Security fix *)
++--------------------------+
+Mon Jan 23 21:30:13 UTC 2017
+patches/packages/mozilla-firefox-45.7.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Jan 20 04:18:02 UTC 2017
+patches/packages/seamonkey-2.46-x86_64-3_slack14.2.txz: Rebuilt.
+ Recompiled with less aggressive optimization (-Os) to fix crashes.
+patches/packages/seamonkey-solibs-2.46-x86_64-3_slack14.2.txz: Rebuilt.
++--------------------------+
+Wed Jan 18 20:39:17 UTC 2017
+patches/packages/mariadb-10.0.29-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes several security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318
+ (* Security fix *)
++--------------------------+
+Wed Jan 18 01:02:19 UTC 2017
+patches/packages/seamonkey-2.46-x86_64-2_slack14.2.txz: Rebuilt.
+ Restored missing nspr/obsolete headers.
+patches/packages/seamonkey-solibs-2.46-x86_64-2_slack14.2.txz: Rebuilt.
++--------------------------+
+Sat Jan 14 05:34:32 UTC 2017
+patches/packages/scim-1.4.17-x86_64-1_slack14.2.txz: Upgraded.
+ This is a bugfix package update.
++--------------------------+
+Thu Jan 12 01:15:52 UTC 2017
+patches/packages/bind-9.10.4_P5-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. An error in handling
+ certain queries can cause an assertion failure when a server is using the
+ nxdomain-redirect feature to cover a zone for which it is also providing
+ authoritative service. A vulnerable server could be intentionally stopped
+ by an attacker if it was using a configuration that met the criteria for
+ the vulnerability and if the attacker could cause it to accept a query
+ that possessed the required attributes.
+ Please note: This vulnerability affects the "nxdomain-redirect" feature,
+ which is one of two methods of handling NXDOMAIN redirection, and is only
+ available in certain versions of BIND. Redirection using zones of type
+ "redirect" is not affected by this vulnerability.
+ For more information, see:
+ https://kb.isc.org/article/AA-01442
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9778
+ (* Security fix *)
+patches/packages/gnutls-3.5.8-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes some bugs and security issues.
+ For more information, see:
+ https://gnutls.org/security.html#GNUTLS-SA-2017-1
+ https://gnutls.org/security.html#GNUTLS-SA-2017-2
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337
+ (* Security fix *)
+patches/packages/irssi-0.8.21-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed security issues that may result in a denial of service.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2017_01.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
+ (* Security fix *)
+patches/packages/python-2.7.13-x86_64-2_slack14.2.txz: Rebuilt.
+ This is a rebuilt package to fix a build-time regression with the
+ multiprocessing.synchronize module.
+ Thanks to Damien Goutte-Gattat for the bug report.
++--------------------------+
+Fri Dec 30 19:29:13 UTC 2016
+patches/packages/libpng-1.6.27-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes an old NULL pointer dereference bug in png_set_text_2()
+ discovered and patched by Patrick Keshishian. The potential "NULL
+ dereference" bug has existed in libpng since version 0.71 of June 26, 1995.
+ To be vulnerable, an application has to load a text chunk into the png
+ structure, then delete all text, then add another text chunk to the same
+ png structure, which seems to be an unlikely sequence, but it has happened.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-45.6.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
+ (* Security fix *)
+patches/packages/seamonkey-2.46-x86_64-1_slack14.2.txz: Upgraded.
+ This update contains security fixes and improvements.
+ For more information, see:
+ http://www.seamonkey-project.org/releases/seamonkey2.46
+ (* Security fix *)
+patches/packages/seamonkey-solibs-2.46-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Wed Dec 28 21:05:19 UTC 2016
+patches/packages/python-2.7.13-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes security issues:
+ Issue #27850: Remove 3DES from ssl module's default cipher list to counter
+ measure sweet32 attack (CVE-2016-2183).
+ Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
+ HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
+ that the script is in CGI mode.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110
+ (* Security fix *)
+patches/packages/samba-4.4.8-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes security issues:
+ CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+ CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers
+ in trusted realms).
+ CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2123
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126
+ (* Security fix *)
++--------------------------+
+Sat Dec 24 18:14:51 UTC 2016
+patches/packages/expat-2.2.0-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes bugs and security issues:
+ Multiple integer overflows in XML_GetBuffer.
+ Fix crash on malformed input.
+ Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716.
+ Use more entropy for hash initialization.
+ Resolve troublesome internal call to srand.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
+ (* Security fix *)
++--------------------------+
+Sat Dec 24 02:36:05 UTC 2016
+patches/packages/httpd-2.4.25-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes the following security issues:
+ * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+ * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues.
+ * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry
+ allocation when the shared memory space is exhausted.
+ * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie
+ with a MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack.
+ * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for
+ request lines and request headers, to prevent response splitting and
+ cache pollution by malicious clients or downstream proxies.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
+ (* Security fix *)
+patches/packages/openssh-7.4p1-x86_64-1_slack14.2.txz: Upgraded.
+ This is primarily a bugfix release, and also addresses security issues.
+ ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside
+ a trusted whitelist.
+ sshd(8): When privilege separation is disabled, forwarded Unix-domain
+ sockets would be created by sshd(8) with the privileges of 'root'.
+ sshd(8): Avoid theoretical leak of host private key material to
+ privilege-separated child processes via realloc().
+ sshd(8): The shared memory manager used by pre-authentication compression
+ support had a bounds checks that could be elided by some optimising
+ compilers to potentially allow attacks against the privileged monitor.
+ process from the sandboxed privilege-separation process.
+ sshd(8): Validate address ranges for AllowUser and DenyUsers directives at
+ configuration load time and refuse to accept invalid ones. It was
+ previously possible to specify invalid CIDR address ranges
+ (e.g. user@127.1.2.3/55) and these would always match, possibly resulting
+ in granting access where it was not intended.
+ For more information, see:
+ https://www.openssh.com/txt/release-7.4
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
+ (* Security fix *)
+patches/packages/xfce4-weather-plugin-0.8.8-x86_64-1_slack14.2.txz: Upgraded.
+ Package upgraded to fix the API used to fetch weather data.
+ Thanks to Robby Workman.
++--------------------------+
+Sun Dec 18 05:20:25 UTC 2016
+patches/packages/glibc-zoneinfo-2016j-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Tue Dec 13 22:14:13 UTC 2016
+patches/packages/mozilla-firefox-45.6.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Mon Dec 12 21:25:50 UTC 2016
+patches/packages/linux-4.4.38/*: Upgraded.
+ This kernel fixes a security issue with a race condition in
+ net/packet/af_packet.c that can be exploited to gain kernel code execution
+ from unprivileged processes.
+ Thanks to Philip Pettersson for discovering the bug and providing a patch.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655
+ (* Security fix *)
+patches/packages/loudmouth-1.5.3-x86_64-1_slack14.2.txz: Upgraded.
+ This update is needed for the mcabber security update.
+patches/packages/mcabber-1.0.4-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue which can lead to a malicious actor
+ MITMing a conversation, or adding themselves as an entity on a third
+ parties roster (thereby granting themselves the associated priviledges
+ such as observing when the user is online).
+ For more information, see:
+ https://gultsch.de/gajim_roster_push_and_message_interception.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9928
+ (* Security fix *)
+patches/packages/php-5.6.29-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://php.net/ChangeLog-5.php#5.6.29
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935
+ (* Security fix *)
++--------------------------+
+Thu Dec 1 08:49:20 UTC 2016
+patches/packages/intltool-0.51.0-x86_64-3_slack14.2.txz: Rebuilt.
+ Added a patch to fix issues when $(builddir) != $(srcdir). This avoids
+ possible build failures when intltool is used with automake >= 1.15.
+ Thanks to Willy Sudiarto Raharjo.
+patches/packages/mozilla-firefox-45.5.1esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
+ (* Security fix *)
+patches/packages/mozilla-thunderbird-45.5.1-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
+ (* Security fix *)
++--------------------------+
+Mon Nov 21 19:21:22 UTC 2016
+patches/packages/ntp-4.2.8p9-x86_64-1_slack14.2.txz: Upgraded.
+ In addition to bug fixes and enhancements, this release fixes the
+ following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and
+ 5 low-severity vulnerabilities, and provides 28 other non-security
+ fixes and improvements.
+ CVE-2016-9311: Trap crash
+ CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector
+ CVE-2016-7427: Broadcast Mode Replay Prevention DoS
+ CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
+ CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
+ CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
+ CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
+ CVE-2016-7429: Interface selection attack
+ CVE-2016-7426: Client rate limiting and server responses
+ CVE-2016-7433: Reboot sync calculation problem
+ For more information, see:
+ https://www.kb.cert.org/vuls/id/633847
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433
+ (* Security fix *)
++--------------------------+
+Fri Nov 18 22:49:40 UTC 2016
+patches/packages/mozilla-firefox-45.5.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
++--------------------------+
+Fri Nov 4 03:31:38 UTC 2016
+patches/packages/bind-9.10.4_P4-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. A defect in BIND's
+ handling of responses containing a DNAME answer can cause a resolver to exit
+ after encountering an assertion failure in db.c or resolver.c. A server
+ encountering either of these error conditions will stop, resulting in denial
+ of service to clients. The risk to authoritative servers is minimal;
+ recursive servers are chiefly at risk.
+ For more information, see:
+ https://kb.isc.org/article/AA-01434
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
+ (* Security fix *)
+patches/packages/curl-7.51.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes security issues:
+ CVE-2016-8615: cookie injection for other servers
+ CVE-2016-8616: case insensitive password comparison
+ CVE-2016-8617: OOB write via unchecked multiplication
+ CVE-2016-8618: double-free in curl_maprintf
+ CVE-2016-8619: double-free in krb5 code
+ CVE-2016-8620: glob parser write/read out of bounds
+ CVE-2016-8621: curl_getdate read out of bounds
+ CVE-2016-8622: URL unescape heap overflow via integer truncation
+ CVE-2016-8623: Use-after-free via shared cookies
+ CVE-2016-8624: invalid URL parsing with '#'
+ CVE-2016-8625: IDNA 2003 makes curl use wrong host
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20161102A.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615
+ https://curl.haxx.se/docs/adv_20161102B.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616
+ https://curl.haxx.se/docs/adv_20161102C.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617
+ https://curl.haxx.se/docs/adv_20161102D.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618
+ https://curl.haxx.se/docs/adv_20161102E.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619
+ https://curl.haxx.se/docs/adv_20161102F.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620
+ https://curl.haxx.se/docs/adv_20161102G.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621
+ https://curl.haxx.se/docs/adv_20161102H.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622
+ https://curl.haxx.se/docs/adv_20161102I.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623
+ https://curl.haxx.se/docs/adv_20161102J.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624
+ https://curl.haxx.se/docs/adv_20161102K.html
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625
+ (* Security fix *)
+patches/packages/glibc-zoneinfo-2016i-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Mon Oct 31 23:38:24 UTC 2016
+patches/packages/libX11-1.6.4-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory read in XGetImage() or write in XListFonts().
+ Affected versions libX11 <= 1.6.3.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943
+ (* Security fix *)
+patches/packages/libXfixes-5.0.3-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause an integer
+ overflow on 32 bit architectures.
+ Affected versions : libXfixes <= 5.0.2.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
+ (* Security fix *)
+patches/packages/libXi-1.7.8-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory access or endless loops (Denial of Service).
+ Affected versions libXi <= 1.7.6.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7946
+ (* Security fix *)
+patches/packages/libXrandr-1.5.1-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory writes.
+ Affected versions: libXrandr <= 1.5.0.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
+ (* Security fix *)
+patches/packages/libXrender-0.9.10-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory writes.
+ Affected version: libXrender <= 0.9.9.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
+ (* Security fix *)
+patches/packages/libXtst-1.2.3-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory access or endless loops (Denial of Service).
+ Affected version libXtst <= 1.2.2.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
+ (* Security fix *)
+patches/packages/libXv-1.0.11-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause out of boundary
+ memory and memory corruption.
+ Affected version libXv <= 1.0.10.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
+ (* Security fix *)
+patches/packages/libXvMC-1.0.10-x86_64-1_slack14.2.txz: Upgraded.
+ Insufficient validation of data from the X server can cause a one byte buffer
+ read underrun.
+ Affected version: libXvMC <= 1.0.9.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
+ (* Security fix *)
+patches/packages/linux-4.4.29/*: Upgraded.
+ This kernel fixes a security issue known as "Dirty COW". A race condition
+ was found in the way the Linux kernel's memory subsystem handled the
+ copy-on-write (COW) breakage of private read-only memory mappings. An
+ unprivileged local user could use this flaw to gain write access to
+ otherwise read-only memory mappings and thus increase their privileges on
+ the system.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ https://dirtycow.ninja/
+ https://www.kb.cert.org/vuls/id/243144
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
+ (* Security fix *)
+patches/packages/mariadb-10.0.28-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes several security issues.
+ For more information, see:
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5624
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5626
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3492
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5629
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8283
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7440
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5584
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6663
+ (* Security fix *)
+patches/packages/php-5.6.27-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://php.net/ChangeLog-5.php#5.6.27
+ (* Security fix *)
+patches/packages/xscreensaver-5.36-x86_64-1_slack14.2.txz: Upgraded.
+ Here's an upgrade to the latest xscreensaver.
++--------------------------+
+Sat Oct 1 17:11:13 UTC 2016
+patches/packages/mozilla-thunderbird-45.4.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ (* Security fix *)
++--------------------------+
+Wed Sep 28 23:24:37 UTC 2016
+patches/packages/glibc-zoneinfo-2016g-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Tue Sep 27 19:16:56 UTC 2016
+patches/packages/bind-9.10.4_P3-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a denial-of-service vulnerability. Testing by ISC has
+ uncovered a critical error condition which can occur when a nameserver is
+ constructing a response. A defect in the rendering of messages into
+ packets can cause named to exit with an assertion failure in buffer.c while
+ constructing a response to a query that meets certain criteria.
+ For more information, see:
+ https://kb.isc.org/article/AA-01419/0
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
+ (* Security fix *)
++--------------------------+
+Mon Sep 26 18:14:08 UTC 2016
+patches/packages/openssl-1.0.2j-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue:
+ Missing CRL sanity check (CVE-2016-7052)
+ For more information, see:
+ https://www.openssl.org/news/secadv/20160926.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2j-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Fri Sep 23 23:30:53 UTC 2016
+patches/packages/php-5.6.26-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://php.net/ChangeLog-5.php#5.6.26
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7411
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418
+ (* Security fix *)
++--------------------------+
+Thu Sep 22 18:38:07 UTC 2016
+patches/packages/openssl-1.0.2i-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes denial-of-service and other security issues.
+ For more information, see:
+ https://www.openssl.org/news/secadv/20160922.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6305
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6307
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6308
+ (* Security fix *)
+patches/packages/openssl-solibs-1.0.2i-x86_64-1_slack14.2.txz: Upgraded.
++--------------------------+
+Wed Sep 21 21:10:52 UTC 2016
+patches/packages/irssi-0.8.20-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes two remote crash and heap corruption vulnerabilites
+ in Irssi's format parsing code. Impact: Remote crash and heap
+ corruption. Remote code execution seems difficult since only Nuls are
+ written. Bugs discovered by, and patches provided by Gabriel Campana
+ and Adrien Guinet from Quarkslab.
+ For more information, see:
+ https://irssi.org/security/irssi_sa_2016.txt
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
+ (* Security fix *)
++--------------------------+
+Wed Sep 21 15:54:06 UTC 2016
+patches/packages/mozilla-firefox-45.4.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/pidgin-2.11.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ https://www.pidgin.im/news/security/
+ (* Security fix *)
++--------------------------+
+Thu Sep 15 22:54:52 UTC 2016
+patches/packages/curl-7.50.3-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed heap overflows in four libcurl functions: curl_escape(),
+ curl_easy_escape(), curl_unescape() and curl_easy_unescape().
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160914.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167
+ (* Security fix *)
++--------------------------+
+Tue Sep 13 18:13:32 UTC 2016
+patches/packages/mariadb-10.0.27-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a critical vulnerability which can allow local and
+ remote attackers to inject malicious settings into MySQL configuration
+ files (my.cnf). A successful exploitation could allow attackers to
+ execute arbitrary code with root privileges which would then allow them
+ to fully compromise the server.
+ This issue was discovered and reported by Dawid Golunski.
+ For more information, see:
+ http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
+ https://jira.mariadb.org/browse/MDEV-10465
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
+ (* Security fix *)
++--------------------------+
+Mon Sep 12 18:39:03 UTC 2016
+patches/packages/sdl-1.2.15-x86_64-5_slack14.2.txz: Rebuilt.
+ Fixed a regression that broke MOD support. Thanks to B Watson.
++--------------------------+
+Sat Sep 10 18:04:42 UTC 2016
+patches/packages/gnutls-3.4.15-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes some bugs and security issues.
+ For more information, see:
+ http://www.gnutls.org/security.html#GNUTLS-SA-2015-2
+ http://www.gnutls.org/security.html#GNUTLS-SA-2015-3
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6251
+ (* Security fix *)
+patches/packages/gtk+2-2.24.31-x86_64-1_slack14.2.txz: Upgraded.
+ This update fixes a security issue: Integer overflow in the
+ gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c allows remote
+ attackers to cause a denial of service (crash) via a large image file,
+ which triggers a large memory allocation.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447
+ (* Security fix *)
++--------------------------+
+Thu Sep 8 21:35:02 UTC 2016
+patches/packages/php-5.6.25-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ http://php.net/ChangeLog-5.php#5.6.25
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7125
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7126
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7127
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7128
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7129
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7130
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7131
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7132
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7133
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7134
+ (* Security fix *)
++--------------------------+
+Wed Aug 31 20:43:10 UTC 2016
+patches/packages/mozilla-thunderbird-45.3.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ (* Security fix *)
++--------------------------+
+Tue Aug 23 19:45:33 UTC 2016
+patches/packages/gnupg-1.4.21-x86_64-1_slack14.2.txz: Upgraded.
+ Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who
+ obtains 580 bytes from the standard RNG can trivially predict the next
+ 20 bytes of output. (This is according to the NEWS file included in the
+ source. According to the annoucement linked below, an attacker who obtains
+ 4640 bits from the RNG can trivially predict the next 160 bits of output.)
+ Problem detected by Felix Doerre and Vladimir Klebanov, KIT.
+ For more information, see:
+ https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
+ (* Security fix *)
+patches/packages/glib2-2.46.2-x86_64-3_slack14.2.txz: Rebuilt.
+ Applied upstream patch to fix a use-before-allocate bug in libgio. Without
+ this fix, Thunar will crash if $HOME is on an NFS volume.
+ Thanks to Jonathan Woithe.
+patches/packages/libgcrypt-1.7.3-x86_64-1_slack14.2.txz: Upgraded.
+ Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who
+ obtains 580 bytes from the standard RNG can trivially predict the next
+ 20 bytes of output. (This is according to the NEWS file included in the
+ source. According to the annoucement linked below, an attacker who obtains
+ 4640 bits from the RNG can trivially predict the next 160 bits of output.)
+ Problem detected by Felix Doerre and Vladimir Klebanov, KIT.
+ For more information, see:
+ https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
+ (* Security fix *)
+patches/packages/linux-4.4.19/*: Upgraded.
+ A flaw was found in the implementation of the Linux kernels handling of
+ networking challenge ack where an attacker is able to determine the shared
+ counter. This may allow an attacker located on different subnet to inject
+ or take over a TCP connection between a server and client without having to
+ be a traditional Man In the Middle (MITM) style attack.
+ Be sure to upgrade your initrd after upgrading the kernel packages.
+ If you use lilo to boot your machine, be sure lilo.conf points to the correct
+ kernel and initrd and run lilo as root to update the bootloader.
+ If you use elilo to boot your machine, you should run eliloconfig to copy the
+ kernel and initrd to the EFI System Partition.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5389
+ (* Security fix *)
+patches/packages/screen-4.4.0-x86_64-2_slack14.2.txz: Rebuilt.
+ Reverted a change to /etc/screenrc.new that prevented the console from being
+ cleared when a screen session was detached. Thanks to Stuart Winter.
+patches/packages/stunnel-5.35-x86_64-2_slack14.2.txz: Rebuilt.
+ Fixed incorrect config file name in generate-stunnel-key.sh.
+ Thanks to Ebben Aries.
++--------------------------+
+Thu Aug 11 18:55:48 UTC 2016
+patches/packages/glibc-zoneinfo-2016f-noarch-1_slack14.2.txz: Upgraded.
+ This package provides the latest timezone updates.
++--------------------------+
+Sat Aug 6 19:29:16 UTC 2016
+patches/packages/curl-7.50.1-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes security issues:
+ TLS: switch off SSL session id when client cert is used
+ TLS: only reuse connections with the same client cert
+ curl_multi_cleanup: clear connection pointer for easy handles
+ For more information, see:
+ https://curl.haxx.se/docs/adv_20160803A.html
+ https://curl.haxx.se/docs/adv_20160803B.html
+ https://curl.haxx.se/docs/adv_20160803C.html
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421
+ (* Security fix *)
+patches/packages/mozilla-firefox-45.3.0esr-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
+ (* Security fix *)
+patches/packages/openssh-7.3p1-x86_64-1_slack14.2.txz: Upgraded.
+ This is primarily a bugfix release, and also addresses security issues.
+ sshd(8): Mitigate a potential denial-of-service attack against the system's
+ crypt(3) function via sshd(8).
+ sshd(8): Mitigate timing differences in password authentication that could
+ be used to discern valid from invalid account names when long passwords were
+ sent and particular password hashing algorithms are in use on the server.
+ ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle
+ countermeasures.
+ ssh(1), sshd(8): Improve operation ordering of MAC verification for
+ Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC
+ before decrypting any ciphertext.
+ sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes.
+ For more information, see:
+ http://www.openssh.com/txt/release-7.3
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
+ (* Security fix *)
+patches/packages/stunnel-5.35-x86_64-1_slack14.2.txz: Upgraded.
+ Fixes security issues:
+ Fixed malfunctioning "verify = 4".
+ Fixed incorrectly enforced client certificate requests.
+ (* Security fix *)
++--------------------------+
+Thu Jul 28 18:17:17 UTC 2016
+patches/packages/libidn-1.33-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed out-of-bounds read bugs. Fixed crashes on invalid UTF-8.
+ Thanks to Hanno Böck.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8948
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6261
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6262
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6263
+ (* Security fix *)
++--------------------------+
+Fri Jul 22 20:51:23 UTC 2016
+patches/packages/bind-9.10.4_P2-x86_64-1_slack14.2.txz: Upgraded.
+ Fixed a security issue:
+ getrrsetbyname with a non absolute name could trigger an infinite
+ recursion bug in lwresd and named with lwres configured if when
+ combined with a search list entry the resulting name is too long.
+ (CVE-2016-2775) [RT #42694]
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
+ (* Security fix *)
++--------------------------+
+Thu Jul 21 23:25:54 UTC 2016
+patches/packages/gimp-2.8.18-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes a security issue:
+ Use-after-free vulnerability in the xcf_load_image function in
+ app/xcf/xcf-load.c in GIMP allows remote attackers to cause a denial of
+ service (program crash) or possibly execute arbitrary code via a crafted
+ XCF file.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
+ (* Security fix *)
+patches/packages/php-5.6.24-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes bugs and security issues.
+ For more information, see:
+ http://php.net/ChangeLog-5.php#5.6.24
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207
+ (* Security fix *)
++--------------------------+
+Thu Jul 7 19:52:36 UTC 2016
+patches/packages/samba-4.4.5-x86_64-1_slack14.2.txz: Upgraded.
+ This release fixes a security issue:
+ Client side SMB2/3 required signing can be downgraded.
+ It's possible for an attacker to downgrade the required signing for an
+ SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or
+ SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can
+ impersonate a server being connected to by Samba, and return malicious
+ results.
+ For more information, see:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2119
+ (* Security fix *)
++--------------------------+
+Tue Jul 5 04:52:45 UTC 2016
+patches/packages/mozilla-thunderbird-45.2.0-x86_64-1_slack14.2.txz: Upgraded.
+ This release contains security fixes and improvements.
+ For more information, see:
+ http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
+ (* Security fix *)
++--------------------------+
Thu Jun 30 20:26:57 UTC 2016
Slackware 14.2 x86_64 stable is released!