diff options
Diffstat (limited to 'ChangeLog.txt')
-rw-r--r-- | ChangeLog.txt | 2622 |
1 files changed, 2622 insertions, 0 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index f603590b..19acb233 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,2625 @@ +Fri May 25 23:29:36 UTC 2018 +patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. + Handle removal of US/Pacific-New timezone. If we see that the machine is + using this, it will be automatically switched to US/Pacific. ++--------------------------+ +Wed May 23 04:42:29 UTC 2018 +patches/packages/linux-4.4.132/*: Upgraded. + This kernel upgrade is being provided primarily to fix a regression in the + getsockopt() function, but it also contains fixes for two denial-of-service + security issues. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000004 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1092 + (* Security fix *) +patches/packages/mozilla-thunderbird-52.8.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/thunderbird/52.8.0/releasenotes/ + https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/ + (* Security fix *) +patches/packages/procps-ng-3.3.15-x86_64-1_slack14.2.txz: Upgraded. + Shared library .so-version bump. + This update fixes bugs and security issues: + library: Fix integer overflow and LPE in file2strvec + library: Use size_t for alloc functions + pgrep: Fix stack-based buffer overflow + ps: Fix buffer overflow in output buffer, causing DOS + top: Don't use cwd for location of config + For more information, see: + https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1124 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1126 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1125 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1123 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1122 + (* Security fix *) ++--------------------------+ +Thu May 17 04:13:16 UTC 2018 +patches/packages/curl-7.60.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes: + FTP: shutdown response buffer overflow + RTSP: bad headers buffer over-read + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000300 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000301 + (* Security fix *) +patches/packages/php-5.6.36-x86_64-1_slack14.2.txz: Upgraded. + This fixes many bugs, including some security issues: + Heap Buffer Overflow (READ: 1786) in exif_iif_add_value + stream filter convert.iconv leads to infinite loop on invalid sequence + Malicious LDAP-Server Response causes crash + fix for CVE-2018-5712 may not be complete + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547 + (* Security fix *) ++--------------------------+ +Thu May 10 21:01:11 UTC 2018 +patches/packages/mariadb-10.0.35-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813 + (* Security fix *) ++--------------------------+ +Thu May 10 01:24:19 UTC 2018 +patches/packages/glibc-zoneinfo-2018e-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. +patches/packages/mozilla-firefox-52.8.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/ + (* Security fix *) +patches/packages/wget-1.19.5-x86_64-1_slack14.2.txz: Upgraded. + Fixed a security issue where a malicious web server could inject arbitrary + cookies into the cookie jar file. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494 + (* Security fix *) ++--------------------------+ +Fri May 4 19:40:52 UTC 2018 +patches/packages/python-2.7.15-x86_64-1_slack14.2.txz: Upgraded. + Updated to the latest 2.7.x release. + This fixes some security issues in difflib and poplib (regexes vulnerable + to denial of service attacks), as well as security issues with the bundled + expat library. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061 + (* Security fix *) ++--------------------------+ +Thu May 3 22:42:35 UTC 2018 +patches/packages/seamonkey-2.49.3-x86_64-1_slack14.2.txz: Upgraded. + This update contains security fixes and improvements. + For more information (when it appears), see: + http://www.seamonkey-project.org/releases/seamonkey2.49.3 + (* Security fix *) +patches/packages/seamonkey-solibs-2.49.3-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Tue May 1 06:24:40 UTC 2018 +patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.2.txz: Rebuilt. + Renamed package to fix wrong package tag (was slack14.1, should be + slack14.2). Thanks to rworkman for the heads-up. ++--------------------------+ +Mon Apr 30 22:35:43 UTC 2018 +patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.1.txz: Rebuilt. + Patched denial of service and possible execution of arbitrary code + security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362 + (* Security fix *) +patches/packages/mozilla-firefox-52.7.4esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Apr 27 03:58:48 UTC 2018 +patches/packages/openvpn-2.4.6-x86_64-1_slack14.2.txz: Upgraded. + This is a security update fixing a potential double-free() in Interactive + Service. This usually only leads to a process crash (DoS by an unprivileged + local account) but since it could possibly lead to memory corruption if + happening while multiple other threads are active at the same time, + CVE-2018-9336 has been assigned to acknowledge this risk. + For more information, see: + https://github.com/OpenVPN/openvpn/commit/1394192b210cb3c6624a7419bcf3ff966742e79b + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9336 + (* Security fix *) ++--------------------------+ +Thu Apr 19 01:04:06 UTC 2018 +patches/packages/gd-2.2.5-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two security issues: + Double-free in gdImagePngPtr() (denial of service). + Buffer over-read into uninitialized memory (information leak). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890 + (* Security fix *) ++--------------------------+ +Fri Apr 6 20:47:43 UTC 2018 +patches/packages/patch-2.7.6-x86_64-1_slack14.2.txz: Upgraded. + Fix arbitrary shell execution possible with obsolete ed format patches. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156 + (* Security fix *) ++--------------------------+ +Sun Apr 1 19:45:12 UTC 2018 +patches/packages/libidn-1.34-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + Fix integer overflow in combine_hangul() + Fix integer overflow in punycode decoder + Fix NULL pointer dereference in g_utf8_normalize() + Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize() + (* Security fix *) ++--------------------------+ +Sun Apr 1 02:53:26 UTC 2018 +patches/packages/php-5.6.35-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue where sensitive data belonging to other + accounts might be accessed by a local user. + For more information, see: + http://bugs.php.net/75605 + (* Security fix *) ++--------------------------+ +Thu Mar 29 20:48:28 UTC 2018 +patches/packages/ruby-2.2.10-x86_64-1_slack14.2.txz: Upgraded. + This release includes some bug fixes and some security fixes: + HTTP response splitting in WEBrick. + Unintentional file and directory creation with directory traversal in + tempfile and tmpdir. + DoS by large request in WEBrick. + Buffer under-read in String#unpack. + Unintentional socket creation by poisoned NUL byte in UNIXServer + and UNIXSocket. + Unintentional directory traversal by poisoned NUL byte in Dir. + Multiple vulnerabilities in RubyGems. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780 + (* Security fix *) ++--------------------------+ +Thu Mar 29 01:02:50 UTC 2018 +patches/packages/openssl-1.0.2o-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + Constructed ASN.1 types with a recursive definition could exceed the stack. + For more information, see: + https://www.openssl.org/news/secadv/20180327.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2o-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Mon Mar 26 22:06:38 UTC 2018 +patches/packages/mozilla-firefox-52.7.3esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/ + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Mar 23 22:28:20 UTC 2018 +patches/packages/glibc-zoneinfo-2018d-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. +patches/packages/mozilla-thunderbird-52.7.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/thunderbird/52.7.0/releasenotes/ + (* Security fix *) ++--------------------------+ +Sun Mar 18 00:55:39 UTC 2018 +patches/packages/libvorbis-1.3.6-x86_64-1_slack14.2.txz: Upgraded. + This release fixes security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146 + (* Security fix *) ++--------------------------+ +Sat Mar 17 03:25:26 UTC 2018 +patches/packages/mozilla-firefox-52.7.2esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Mar 16 02:29:29 UTC 2018 +patches/packages/curl-7.59.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + FTP path trickery leads to NIL byte out of bounds write + LDAP NULL pointer dereference + RTSP RTP buffer over-read + For more information, see: + https://curl.haxx.se/docs/adv_2018-9cd6.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120 + https://curl.haxx.se/docs/adv_2018-97a2.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121 + https://curl.haxx.se/docs/adv_2018-b047.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122 + (* Security fix *) ++--------------------------+ +Tue Mar 13 21:12:51 UTC 2018 +patches/packages/mozilla-firefox-52.7.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/samba-4.4.16-x86_64-3_slack14.2.txz: Rebuilt. + This is a security update in order to patch the following defect: + On a Samba 4 AD DC the LDAP server in all versions of Samba from + 4.0.0 onwards incorrectly validates permissions to modify passwords + over LDAP allowing authenticated users to change any other users` + passwords, including administrative users. + For more information, see: + https://www.samba.org/samba/security/CVE-2018-1057.html + https://wiki.samba.org/index.php/CVE-2018-1057 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1057 + (* Security fix *) ++--------------------------+ +Thu Mar 8 07:07:45 UTC 2018 +patches/packages/libtool-2.4.6-x86_64-5_slack14.2.txz: Rebuilt. + Rebuilt to fix the embedded GCC version number. Thanks to David Spencer. +patches/packages/openssh-7.4p1-x86_64-2_slack14.2.txz: Rebuilt. + sftp-server: in read-only mode, sftp-server was incorrectly permitting + creation of zero-length files. Reported by Michal Zalewski. + Thanks to arny (of Bluewhite64 fame) for the heads-up. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906 + (* Security fix *) +patches/packages/php-5.6.34-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a stack buffer overflow vulnerability. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584 + (* Security fix *) ++--------------------------+ +Thu Mar 1 23:24:54 UTC 2018 +patches/packages/dhcp-4.4.1-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two security issues: + Corrected an issue where large sized 'X/x' format options were causing + option handling logic to overwrite memory when expanding them to human + readable form. Reported by Felix Wilhelm, Google Security Team. + Option reference count was not correctly decremented in error path + when parsing buffer for options. Reported by Felix Wilhelm, Google + Security Team. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733 + (* Security fix *) +patches/packages/ntp-4.2.8p11-x86_64-1_slack14.2.txz: Upgraded. + This release addresses five security issues in ntpd: + * LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: + ephemeral association attack. While fixed in ntp-4.2.8p7, there are + significant additional protections for this issue in 4.2.8p11. + Reported by Matt Van Gundy of Cisco. + * INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer + read overrun leads to undefined behavior and information leak. + Reported by Yihan Lian of Qihoo 360. + * LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated + ephemeral associations. Reported on the questions@ list. + * LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode + cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat. + * LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet + can reset authenticated interleaved association. + Reported by Miroslav Lichvar of Red Hat. + For more information, see: + http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185 + (* Security fix *) ++--------------------------+ +Mon Feb 26 21:32:03 UTC 2018 +patches/packages/linux-4.4.118/*: Upgraded. + This kernel includes __user pointer sanitization mitigation for the Spectre + (variant 1) speculative side channel attack. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 + (* Security fix *) ++--------------------------+ +Sat Feb 24 07:41:40 UTC 2018 +patches/packages/wget-1.19.4-x86_64-2_slack14.2.txz: Rebuilt. + Applied upstream patch to fix logging in background mode. + Thanks to Willy Sudiarto Raharjo. ++--------------------------+ +Fri Feb 16 03:19:36 UTC 2018 +patches/packages/irssi-1.0.7-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://irssi.org/security/html/irssi_sa_2018_02 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7054 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7053 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7050 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7052 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7051 + (* Security fix *) ++--------------------------+ +Wed Feb 14 19:48:51 UTC 2018 +patches/packages/seamonkey-2.49.2-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. +patches/packages/seamonkey-solibs-2.49.2-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Wed Feb 7 04:28:48 UTC 2018 +patches/packages/gcc-5.5.0-x86_64-1_slack14.2.txz: Upgraded. + Upgraded to the latest gcc-5 release, with patches to support + -mindirect-branch=thunk-extern, allowing full mitigation of Spectre v2 + in the kernel (when CONFIG_RETPOLINE is used). +patches/packages/gcc-g++-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/gcc-gfortran-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/gcc-gnat-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/gcc-go-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/gcc-java-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/gcc-objc-5.5.0-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/linux-4.4.115/*: Upgraded. + This kernel includes full retpoline mitigation for the Spectre (variant 2) + speculative side channel attack. + Please note that this kernel was compiled with gcc-5.5.0, also provided as + an update for Slackware 14.2. You'll need to install the updated gcc in order + to compile kernel modules that will load into this updated kernel. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 + (* Security fix *) ++--------------------------+ +Sun Feb 4 05:13:27 UTC 2018 +patches/packages/php-5.6.33-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues, including: + Potential infinite loop in gdImageCreateFromGifCtx. + Reflected XSS in .phar 404 page. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712 + (* Security fix *) ++--------------------------+ +Thu Feb 1 18:24:15 UTC 2018 +patches/packages/mariadb-10.0.34-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2562 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2622 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2640 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2665 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2668 + (* Security fix *) +patches/packages/rsync-3.1.3-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two security issues: + Fixed a buffer overrun in the protocol's handling of xattr names and + ensure that the received name is null terminated. + Fix an issue with --protect-args where the user could specify the arg in + the protected-arg list and short-circuit some of the arg-sanitizing code. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764 + (* Security fix *) ++--------------------------+ +Fri Jan 26 03:46:16 UTC 2018 +patches/packages/curl-7.58.0-x86_64-2_slack14.2.txz: Rebuilt. + Recompiled using --with-libssh2, which is evidently no longer a default + option. Thanks to Markus Wiesner. +patches/packages/mozilla-thunderbird-52.6.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/ + (* Security fix *) ++--------------------------+ +Thu Jan 25 02:24:04 UTC 2018 +patches/packages/curl-7.58.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + HTTP authentication leak in redirects + HTTP/2 trailer out-of-bounds read + For more information, see: + https://curl.haxx.se/docs/adv_2018-b3bf.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007 + https://curl.haxx.se/docs/adv_2018-824a.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005 + (* Security fix *) ++--------------------------+ +Wed Jan 24 04:21:44 UTC 2018 +patches/packages/glibc-zoneinfo-2018c-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Mon Jan 22 22:47:47 UTC 2018 +patches/packages/wget-1.19.4-x86_64-1_slack14.2.txz: Upgraded. + More bug fixes: + A major bug that caused GZip'ed pages to never be decompressed has been fixed + Support for Content-Encoding and Transfer-Encoding have been marked as + experimental and disabled by default ++--------------------------+ +Sat Jan 20 16:00:51 UTC 2018 +patches/packages/mozilla-firefox-52.6.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + Specifically, this update contains performance.now() mitigations for Spectre. + For more information, see: + https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ + http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/wget-1.19.3-x86_64-1_slack14.2.txz: Upgraded. + This update fixes various non-security bugs, including this one: + Prevent erroneous decompression of .gz and .tgz files with broken servers. ++--------------------------+ +Wed Jan 17 21:36:23 UTC 2018 +patches/packages/bind-9.10.6_P1-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a high severity security issue: + Improper sequencing during cleanup can lead to a use-after-free error, + triggering an assertion failure and crash in named. + For more information, see: + https://kb.isc.org/article/AA-01542 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145 + (* Security fix *) ++--------------------------+ +Mon Jan 15 23:13:01 UTC 2018 +patches/packages/linux-4.4.111/*: Upgraded. + This kernel includes mitigations for the Spectre (variant 2) and Meltdown + speculative side channel attacks. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754 + (* Security fix *) ++--------------------------+ +Tue Jan 9 00:54:19 UTC 2018 +patches/packages/irssi-1.0.6-x86_64-1_slack14.2.txz: Upgraded. + This update fixes multiple security vulnerabilities. + For more information, see: + https://irssi.org/security/irssi_sa_2018_01.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5205 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5206 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5207 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5208 + (* Security fix *) ++--------------------------+ +Fri Dec 29 23:09:14 UTC 2017 +patches/packages/mozilla-firefox-52.5.3esr-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Mon Dec 25 00:00:16 UTC 2017 +patches/packages/xscreensaver-5.38-x86_64-1_slack14.2.txz: Upgraded. + Here's an upgrade to the latest xscreensaver. ++--------------------------+ +Fri Dec 22 21:49:01 UTC 2017 +patches/packages/mozilla-thunderbird-52.5.2-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/ + (* Security fix *) ++--------------------------+ +Wed Dec 20 03:05:58 UTC 2017 +patches/packages/ruby-2.2.9-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile + use Kernel#open to open a local file. If the localfile argument starts with + the pipe character "|", the command following the pipe character is executed. + The default value of localfile is File.basename(remotefile), so malicious FTP + servers could cause arbitrary command execution. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405 + (* Security fix *) ++--------------------------+ +Sat Dec 9 00:02:28 UTC 2017 +patches/packages/openssl-1.0.2n-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + Read/write after SSL object in error state + rsaz_1024_mul_avx2 overflow bug on x86_64 + For more information, see: + https://www.openssl.org/news/secadv/20171207.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2n-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Fri Dec 8 05:54:21 UTC 2017 +patches/packages/mozilla-firefox-52.5.2esr-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Sat Dec 2 20:32:45 UTC 2017 +patches/packages/mozilla-firefox-52.5.1esr-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Wed Nov 29 21:48:33 UTC 2017 +patches/packages/curl-7.57.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + SSL out of buffer access + FTP wildcard out of bounds read + NTLM buffer overflow via integer overflow + For more information, see: + https://curl.haxx.se/docs/adv_2017-af0a.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8818 + https://curl.haxx.se/docs/adv_2017-ae72.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817 + https://curl.haxx.se/docs/adv_2017-12e7.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816 + (* Security fix *) ++--------------------------+ +Wed Nov 29 08:15:09 UTC 2017 +patches/packages/libXcursor-1.1.15-x86_64-1_slack14.2.txz: Upgraded. + Fix heap overflows when parsing malicious files. (CVE-2017-16612) + It is possible to trigger heap overflows due to an integer overflow + while parsing images and a signedness issue while parsing comments. + The integer overflow occurs because the chosen limit 0x10000 for + dimensions is too large for 32 bit systems, because each pixel takes + 4 bytes. Properly chosen values allow an overflow which in turn will + lead to less allocated memory than needed for subsequent reads. + The signedness bug is triggered by reading the length of a comment + as unsigned int, but casting it to int when calling the function + XcursorCommentCreate. Turning length into a negative value allows the + check against XCURSOR_COMMENT_MAX_LEN to pass, and the following + addition of sizeof (XcursorComment) + 1 makes it possible to allocate + less memory than needed for subsequent reads. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612 + (* Security fix *) +patches/packages/libXfont-1.5.1-x86_64-2_slack14.2.txz: Rebuilt. + Open files with O_NOFOLLOW. (CVE-2017-16611) + A non-privileged X client can instruct X server running under root + to open any file by creating own directory with "fonts.dir", + "fonts.alias" or any font file being a symbolic link to any other + file in the system. X server will then open it. This can be issue + with special files such as /dev/watchdog (which could then reboot + the system). + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611 + (* Security fix *) ++--------------------------+ +Tue Nov 28 06:20:03 UTC 2017 +patches/packages/samba-4.4.16-x86_64-2_slack14.2.txz: Rebuilt. + This is a security update in order to patch the following defects: + CVE-2017-14746 (Use-after-free vulnerability.) + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + CVE-2017-15275 (Server heap memory information leak.) + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + For more information, see: + https://www.samba.org/samba/security/CVE-2017-14746.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746 + https://www.samba.org/samba/security/CVE-2017-15275.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275 + (* Security fix *) ++--------------------------+ +Sat Nov 25 07:44:07 UTC 2017 +patches/packages/mozilla-thunderbird-52.5.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Tue Nov 21 05:05:41 UTC 2017 +patches/packages/libtiff-4.0.9-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095 + (* Security fix *) ++--------------------------+ +Fri Nov 17 00:56:25 UTC 2017 +patches/packages/libplist-2.0.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes several security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6440 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6439 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6438 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6437 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6436 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6435 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5836 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5835 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5834 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5545 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5209 + (* Security fix *) +patches/packages/mozilla-firefox-52.5.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Nov 3 03:31:56 UTC 2017 +patches/packages/mariadb-10.0.33-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://jira.mariadb.org/browse/MDEV-13819 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378 + (* Security fix *) +patches/packages/openssl-1.0.2m-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + There is a carry propagating bug in the x64 Montgomery squaring procedure. + No EC algorithms are affected. Analysis suggests that attacks against RSA + and DSA as a result of this defect would be very difficult to perform and + are not believed likely. Attacks against DH are considered just feasible + (although very difficult) because most of the work necessary to deduce + information about a private key may be performed offline. The amount of + resources required for such an attack would be very significant and likely + only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. + This only affects processors that support the BMI1, BMI2 and ADX extensions + like Intel Broadwell (5th generation) and later or AMD Ryzen. + For more information, see: + https://www.openssl.org/news/secadv/20171102.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Fri Oct 27 20:34:35 UTC 2017 +patches/packages/NetworkManager-1.8.4-x86_64-1_slack14.2.txz: Upgraded. + This update is provided to address issues with wifi scanning when using the + new wpa_supplicant with certain hardware drivers. If you're not having + problems, you don't need this update (but it probably won't hurt). +patches/packages/network-manager-applet-1.8.4-x86_64-1_slack14.2.txz: Upgraded. + This package goes along with the optional NetworkManager update. +patches/packages/php-5.6.32-x86_64-1_slack14.2.txz: Upgraded. + Several security bugs were fixed in this release: + Out of bounds read in timelib_meridian(). + The arcfour encryption stream filter crashes PHP. + Applied upstream patch for PCRE (CVE-2016-1283). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283 + (* Security fix *) +patches/packages/wget-1.19.2-x86_64-1_slack14.2.txz: Upgraded. + This update fixes stack and heap overflows in in HTTP protocol handling. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090 + (* Security fix *) ++--------------------------+ +Wed Oct 25 19:09:26 UTC 2017 +patches/packages/glibc-zoneinfo-2017c-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. +patches/packages/httpd-2.4.29-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. +patches/packages/irssi-1.0.5-x86_64-1_slack14.2.txz: Upgraded. + This update fixes some remote denial of service issues. + For more information, see: + https://irssi.org/security/irssi_sa_2017_10.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15228 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15227 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15721 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15723 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15722 + (* Security fix *) +patches/packages/xfce4-weather-plugin-0.8.10-x86_64-1_slack14.2.txz: Upgraded. + This has a bugfix related to setting the location: + https://bugzilla.xfce.org/show_bug.cgi?id=13877 ++--------------------------+ +Tue Oct 24 05:31:18 UTC 2017 +patches/packages/curl-7.56.1-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + IMAP FETCH response out of bounds read may cause a crash or information leak. + For more information, see: + https://curl.haxx.se/docs/adv_20171023.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257 + (* Security fix *) +patches/packages/seamonkey-2.49.1-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. +patches/packages/seamonkey-solibs-2.49.1-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Wed Oct 18 18:21:18 UTC 2017 +patches/packages/libXres-1.2.0-x86_64-1_slack14.2.txz: Upgraded. + Integer overflows may allow X servers to trigger allocation of insufficient + memory and a buffer overflow via vectors related to the (1) + XResQueryClients and (2) XResQueryClientResources functions. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1988 + (* Security fix *) +patches/packages/wpa_supplicant-2.6-x86_64-1_slack14.2.txz: Upgraded. + This update includes patches to mitigate the WPA2 protocol issues known + as "KRACK" (Key Reinstallation AttaCK), which may be used to decrypt data, + hijack TCP connections, and to forge and inject packets. This is the + list of vulnerabilities that are addressed here: + CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the + 4-way handshake. + CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake. + CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way + handshake. + CVE-2017-13080: Reinstallation of the group key (GTK) in the group key + handshake. + CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group + key handshake. + CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) + Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) + while processing it. + CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake. + CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) + PeerKey (TPK) key in the TDLS handshake. + CVE-2017-13087: reinstallation of the group key (GTK) when processing a + Wireless Network Management (WNM) Sleep Mode Response frame. + CVE-2017-13088: reinstallation of the integrity group key (IGTK) when + processing a Wireless Network Management (WNM) Sleep Mode Response frame. + For more information, see: + https://www.krackattacks.com/ + https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13084 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13086 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088 + (* Security fix *) +patches/packages/xorg-server-1.18.3-x86_64-5_slack14.2.txz: Rebuilt. + This update fixes integer overflows and other possible security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12176 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12177 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12178 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12179 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12180 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12181 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12182 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12183 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12184 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12185 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12186 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12187 + (* Security fix *) +patches/packages/xorg-server-xephyr-1.18.3-x86_64-5_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xnest-1.18.3-x86_64-5_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xvfb-1.18.3-x86_64-5_slack14.2.txz: Rebuilt. ++--------------------------+ +Sat Oct 7 02:53:31 UTC 2017 +patches/packages/mozilla-thunderbird-52.4.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Fri Oct 6 06:32:32 UTC 2017 +patches/packages/curl-7.56.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + libcurl may read outside of a heap allocated buffer when doing FTP. + For more information, see: + https://curl.haxx.se/docs/adv_20171004.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254 + (* Security fix *) +patches/packages/openjpeg-2.3.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues which may lead to a denial of service + or possibly remote code execution. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9580 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9581 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12982 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14039 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14040 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14041 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14151 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14152 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14164 + (* Security fix *) +patches/packages/xorg-server-1.18.3-x86_64-4_slack14.2.txz: Rebuilt. + This update fixes two security issues: + Xext/shm: Validate shmseg resource id, otherwise it can belong to a + non-existing client and abort X server with FatalError "client not + in use", or overwrite existing segment of another existing client. + Generating strings for XKB data used a single shared static buffer, + which offered several opportunities for errors. Use a ring of + resizable buffers instead, to avoid problems when strings end up + longer than anticipated. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13721 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13723 + (* Security fix *) +patches/packages/xorg-server-xephyr-1.18.3-x86_64-4_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xnest-1.18.3-x86_64-4_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xvfb-1.18.3-x86_64-4_slack14.2.txz: Rebuilt. ++--------------------------+ +Mon Oct 2 17:16:06 UTC 2017 +patches/packages/dnsmasq-2.78-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and remotely exploitable security issues that may + have impacts including denial of service, information leak, and execution + of arbitrary code. Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, + Kevin Hamacher, Ron Bowes, and Gynvael Coldwind of the Google Security Team. + For more information, see: + https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13704 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496 + (* Security fix *) ++--------------------------+ +Sun Oct 1 19:19:08 UTC 2017 +patches/packages/openexr-2.2.0-x86_64-2_slack14.2.txz: Rebuilt. + Patched bugs that may lead to program crashes or possibly execution of + arbitrary code. Thanks to Thomas Choi for the patch. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9110 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9111 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9112 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9113 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9114 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9115 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9116 + (* Security fix *) ++--------------------------+ +Thu Sep 28 21:03:26 UTC 2017 +patches/packages/mozilla-firefox-52.4.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Thu Sep 28 05:31:20 UTC 2017 +patches/packages/gegl-0.2.0-x86_64-4_slack14.2.txz: Rebuilt. + Patched integer overflows in operations/external/ppm-load.c that could allow + a denial of service (application crash) or possibly the execution of + arbitrary code via a large width or height value in a ppm image. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4433 + (* Security fix *) ++--------------------------+ +Sat Sep 23 01:02:32 UTC 2017 +patches/packages/libxml2-2.9.5-x86_64-1_slack14.2.txz: Upgraded. + This release fixes some security issues: + Detect infinite recursion in parameter entities (Nick Wellnhofer), + Fix handling of parameter-entity references (Nick Wellnhofer), + Disallow namespace nodes in XPointer ranges (Nick Wellnhofer), + Fix XPointer paths beginning with range-to (Nick Wellnhofer). + (* Security fix *) +patches/packages/python-2.7.14-x86_64-1_slack14.2.txz: Upgraded. + Updated to the latest 2.7.x release. + This fixes some security issues related to the bundled expat library. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233 + (* Security fix *) ++--------------------------+ +Thu Sep 21 01:23:24 UTC 2017 +patches/packages/samba-4.4.16-x86_64-1_slack14.2.txz: Upgraded. + This is a security release in order to address the following defects: + SMB1/2/3 connections may not require signing where they should. A man in the + middle attack may hijack client connections. + SMB3 connections don't keep encryption across DFS redirects. A man in the + middle attack can read and may alter confidential documents transferred via + a client connection, which are reached via DFS redirect when the original + connection used SMB3. + Server memory information leak over SMB1. Client with write access to a share + can cause server memory contents to be written into a file or printer. + For more information, see: + https://www.samba.org/samba/security/CVE-2017-12150.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150 + https://www.samba.org/samba/security/CVE-2017-12151.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151 + https://www.samba.org/samba/security/CVE-2017-12163.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163 + (* Security fix *) ++--------------------------+ +Mon Sep 18 19:15:03 UTC 2017 +patches/packages/httpd-2.4.27-x86_64-2_slack14.2.txz: Rebuilt. + This update patches a security issue ("Optionsbleed") with the OPTIONS http + method which may leak arbitrary pieces of memory to a potential attacker. + Thanks to Hanno Bo:ck. + For more information, see: + http://seclists.org/oss-sec/2017/q3/477 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 + (* Security fix *) +patches/packages/libgcrypt-1.7.9-x86_64-1_slack14.2.txz: Upgraded. + Mitigate a local side-channel attack on Curve25519 dubbed "May + the Fourth be With You". + For more information, see: + https://eprint.iacr.org/2017/806 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379 + (* Security fix *) +patches/packages/ruby-2.2.8-x86_64-1_slack14.2.txz: Upgraded. + This release includes several security fixes. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064 + (* Security fix *) ++--------------------------+ +Fri Sep 15 17:31:57 UTC 2017 +patches/packages/bluez-5.47-x86_64-1_slack14.2.txz: Upgraded. + Fixed an information disclosure vulnerability which allows remote attackers + to obtain sensitive information from the bluetoothd process memory. This + vulnerability lies in the processing of SDP search attribute requests. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 + (* Security fix *) +patches/packages/linux-4.4.88/*: Upgraded. + This update fixes the security vulnerability known as "BlueBorne". + The native Bluetooth stack in the Linux Kernel (BlueZ), starting at + Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in + the processing of L2CAP configuration responses resulting in remote + code execution in kernel space. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251 + https://www.armis.com/blueborne + (* Security fix *) ++--------------------------+ +Tue Sep 12 22:18:51 UTC 2017 +patches/packages/emacs-25.3-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security vulnerability in Emacs. Gnus no longer + supports "richtext" and "enriched" inline MIME objects. This support + was disabled to avoid evaluation of arbitrary Lisp code contained in + email messages and news articles. + For more information, see: + http://seclists.org/oss-sec/2017/q3/422 + https://bugs.gnu.org/28350 + (* Security fix *) +patches/packages/libzip-1.0.1-x86_64-3_slack14.2.txz: Rebuilt. + Fix a denial of service security issue. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107 + (* Security fix *) ++--------------------------+ +Fri Sep 8 17:56:01 UTC 2017 +patches/packages/bash-4.3.048-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two security issues found in bash before 4.4: + The expansion of '\h' in the prompt string allows remote authenticated users + to execute arbitrary code via shell metacharacters placed in 'hostname' of a + machine. The theoretical attack vector is a hostile DHCP server providing a + crafted hostname, but this is unlikely to occur in a normal Slackware + configuration as we ignore the hostname provided by DHCP. + Specially crafted SHELLOPTS+PS4 environment variables used against bogus + setuid binaries using system()/popen() allowed local attackers to execute + arbitrary code as root. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543 + (* Security fix *) +patches/packages/mariadb-10.0.32-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653 + (* Security fix *) +patches/packages/mozilla-nss-3.31.1-x86_64-1_slack14.2.txz: Upgraded. + Upgraded to nss-3.31.1 and nspr-4.16. + This is a bugfix release. +patches/packages/tcpdump-4.9.2-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and many security issues (see the included + CHANGES file). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11541 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11542 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11543 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12893 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12894 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12895 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12896 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12897 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12898 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12899 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12900 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12901 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12902 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12985 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12986 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12987 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12988 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12989 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12990 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12991 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12992 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12993 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12994 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12995 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12996 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12997 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12998 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12999 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13000 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13001 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13002 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13003 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13004 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13005 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13006 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13007 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13008 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13009 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13010 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13011 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13012 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13013 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13014 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13015 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13016 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13017 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13018 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13019 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13020 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13021 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13022 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13023 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13024 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13025 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13026 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13027 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13028 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13029 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13030 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13031 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13032 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13033 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13034 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13035 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13036 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13037 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13038 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13039 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13040 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13041 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13042 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13043 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13044 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13045 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13046 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13047 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13048 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13049 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13050 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13051 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13052 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13053 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13054 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13055 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13687 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13688 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13689 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13690 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13725 + (* Security fix *) ++--------------------------+ +Thu Aug 17 05:36:28 UTC 2017 +patches/packages/mozilla-thunderbird-52.3.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Tue Aug 15 22:16:12 UTC 2017 +patches/packages/xorg-server-1.18.3-x86_64-3_slack14.2.txz: Rebuilt. + This update fixes two security issues: + A user authenticated to an X Session could crash or execute code in the + context of the X Server by exploiting a stack overflow in the endianness + conversion of X Events. + Uninitialized data in endianness conversion in the XEvent handling of the + X.Org X Server allowed authenticated malicious users to access potentially + privileged data from the X server. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10971 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10972 + (* Security fix *) +patches/packages/xorg-server-xephyr-1.18.3-x86_64-3_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xnest-1.18.3-x86_64-3_slack14.2.txz: Rebuilt. +patches/packages/xorg-server-xvfb-1.18.3-x86_64-3_slack14.2.txz: Rebuilt. ++--------------------------+ +Fri Aug 11 23:02:43 UTC 2017 +patches/packages/git-2.14.1-x86_64-1_slack14.2.txz: Upgraded. + Fixes security issues: + A "ssh://..." URL can result in a "ssh" command line with a hostname that + begins with a dash "-", which would cause the "ssh" command to instead + (mis)treat it as an option. This is now prevented by forbidding such a + hostname (which should not impact any real-world usage). + Similarly, when GIT_PROXY_COMMAND is configured, the command is run with + host and port that are parsed out from "ssh://..." URL; a poorly written + GIT_PROXY_COMMAND could be tricked into treating a string that begins with a + dash "-" as an option. This is now prevented by forbidding such a hostname + and port number (again, which should not impact any real-world usage). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117 + (* Security fix *) +patches/packages/libsoup-2.52.2-x86_64-3_slack14.2.txz: Rebuilt. + Fixed a chunked decoding buffer overrun that could be exploited against + either clients or servers. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885 + (* Security fix *) +patches/packages/mercurial-4.3.1-x86_64-1_slack14.2.txz: Upgraded. + Fixes security issues: + Mercurial's symlink auditing was incomplete prior to 4.3, and could + be abused to write to files outside the repository. + Mercurial was not sanitizing hostnames passed to ssh, allowing + shell injection attacks on clients by specifying a hostname starting + with -oProxyCommand. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116 + (* Security fix *) +patches/packages/subversion-1.9.7-x86_64-1_slack14.2.txz: Upgraded. + Fixed client side arbitrary code execution vulnerability. + For more information, see: + https://subversion.apache.org/security/CVE-2017-9800-advisory.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800 + (* Security fix *) ++--------------------------+ +Wed Aug 9 20:23:16 UTC 2017 +patches/packages/curl-7.55.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes three security issues: + URL globbing out of bounds read + TFTP sends more than buffer size + FILE buffer read out of bounds + For more information, see: + https://curl.haxx.se/docs/adv_20170809A.html + https://curl.haxx.se/docs/adv_20170809B.html + https://curl.haxx.se/docs/adv_20170809C.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099 + (* Security fix *) +patches/packages/glibc-2.23-x86_64-4_slack14.2.txz: Rebuilt. + Fixed a regression with the recent glibc patch packages: + Don't clobber the libm.so linker script with a symlink. + Thanks to guanx. +patches/packages/glibc-i18n-2.23-x86_64-4_slack14.2.txz: Rebuilt. +patches/packages/glibc-profile-2.23-x86_64-4_slack14.2.txz: Rebuilt. +patches/packages/glibc-solibs-2.23-x86_64-4_slack14.2.txz: Rebuilt. +patches/packages/mozilla-firefox-52.3.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Wed Aug 2 03:43:51 UTC 2017 +patches/packages/gnupg-1.4.22-x86_64-1_slack14.2.txz: Upgraded. + Mitigate a flush+reload side-channel attack on RSA secret keys dubbed + "Sliding right into disaster". + For more information, see: + https://eprint.iacr.org/2017/627 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526 + (* Security fix *) ++--------------------------+ +Fri Jul 28 20:29:47 UTC 2017 +patches/packages/squashfs-tools-4.3-x86_64-2_slack14.2.txz: Rebuilt. + Patched a couple of denial of service issues and other bugs. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4645 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4646 + (* Security fix *) ++--------------------------+ +Thu Jul 27 01:03:02 UTC 2017 +patches/packages/dbus-1.10.8-x86_64-2_slack14.2.txz: Rebuilt. + Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't + need it and 2) it can cause the boot process to hang if dbus times out. + Thanks to SeB for a link to the bug report and patch. ++--------------------------+ +Tue Jul 25 21:09:42 UTC 2017 +patches/packages/bind-9.10.5_P3-x86_64-1_slack14.2.txz: Upgraded. + Fix a regression in the previous BIND release that broke verification + of TSIG signed TCP message sequences where not all the messages contain + TSIG records. + Compiled to use libidn rather than the deprecated (and broken) idnkit. ++--------------------------+ +Mon Jul 24 19:59:34 UTC 2017 +patches/packages/tcpdump-4.9.1-x86_64-1_slack14.2.txz: Upgraded. + This update fixes an issue where tcpdump 4.9.0 allows remote attackers + to cause a denial of service (heap-based buffer over-read and application + crash) via crafted packet data. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11108 + (* Security fix *) ++--------------------------+ +Fri Jul 21 20:09:49 UTC 2017 +patches/packages/seamonkey-2.48-x86_64-1_slack14.2.txz: Upgraded. + This update contains security fixes and improvements. + For more information, see: + http://www.seamonkey-project.org/releases/seamonkey2.48 + (* Security fix *) +patches/packages/seamonkey-solibs-2.48-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Tue Jul 18 23:10:25 UTC 2017 +patches/packages/expat-2.2.2-x86_64-1_slack14.2.txz: Upgraded. + Fixes security issues including: + External entity infinite loop DoS + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9233 + https://libexpat.github.io/doc/cve-2017-9233/ + (* Security fix *) +patches/packages/gd-2.2.4-x86_64-1_slack14.2.txz: Upgraded. + Fixes security issues: + gdImageCreate() doesn't check for oversized images and as such is prone to + DoS vulnerabilities. (CVE-2016-9317) + double-free in gdImageWebPtr() (CVE-2016-6912) + potential unsigned underflow in gd_interpolation.c (CVE-2016-10166) + DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167) + Signed Integer Overflow gd_io.c (CVE-2016-10168) + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6912 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10166 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168 + (* Security fix *) +patches/packages/libtirpc-1.0.2-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. +patches/packages/rpcbind-0.2.4-x86_64-2_slack14.2.txz: Rebuilt. + Fixed a bug in a previous patch where a svc_freeargs() call ended up freeing + a static pointer causing rpcbind to crash. Thanks to Jonathan Woithe, + Rafael Jorge Csura Szendrodi, and Robby Workman for identifying the problem + and helping to test a fix. ++--------------------------+ +Fri Jul 14 22:11:58 UTC 2017 +patches/packages/mariadb-10.0.31-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464 + (* Security fix *) +patches/packages/samba-4.4.15-x86_64-1_slack14.2.txz: Upgraded. + This update fixes an authentication validation bypass security issue: + "Orpheus' Lyre mutual authentication validation bypass" + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + Samba binaries built against MIT Kerberos are not vulnerable. + For more information, see: + https://www.samba.org/samba/security/CVE-2017-11103.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 + (* Security fix *) ++--------------------------+ +Thu Jul 13 18:19:01 UTC 2017 +patches/packages/httpd-2.4.27-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two security issues: + Read after free in mod_http2 (CVE-2017-9789) + Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788) + Thanks to Robert Swiecki for reporting these issues. + For more information, see: + https://httpd.apache.org/security/vulnerabilities_24.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9789 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788 + (* Security fix *) ++--------------------------+ +Mon Jul 10 21:43:37 UTC 2017 +patches/packages/libtirpc-1.0.1-x86_64-3_slack14.2.txz: Rebuilt. + Patched a bug which can cause a denial of service through memory exhaustion. + Thanks to Robby Workman. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 + (* Security fix *) +patches/packages/rpcbind-0.2.4-x86_64-1_slack14.2.txz: Upgraded. + Patched a bug which can cause a denial of service through memory exhaustion. + Thanks to Robby Workman. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 + (* Security fix *) ++--------------------------+ +Sun Jul 9 20:38:08 UTC 2017 +patches/packages/irssi-1.0.4-x86_64-1_slack14.2.txz: Upgraded. + This release fixes two remote crash issues as well as a few bugs. + For more information, see: + https://irssi.org/security/irssi_sa_2017_07.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966 + (* Security fix *) ++--------------------------+ +Sat Jul 8 00:11:34 UTC 2017 +patches/packages/ca-certificates-20161130-noarch-1_slack14.2.txz: Upgraded. + This update provides the latest CA certificates to check for the + authenticity of SSL connections. +patches/packages/php-5.6.31-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://php.net/ChangeLog-5.php#5.6.31 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229 + (* Security fix *) ++--------------------------+ +Thu Jul 6 00:57:41 UTC 2017 +patches/packages/glibc-2.23-x86_64-3_slack14.2.txz: Rebuilt. + Recompiled with upstream patch from git: + "[PATCH] X86: Don't assert on older Intel CPUs [BZ #20647]" + This fixes an ldconfig failure on older Intel CPUs including Pentium MMX. +patches/packages/glibc-i18n-2.23-x86_64-3_slack14.2.txz: Rebuilt. +patches/packages/glibc-profile-2.23-x86_64-3_slack14.2.txz: Rebuilt. +patches/packages/glibc-solibs-2.23-x86_64-3_slack14.2.txz: Rebuilt. +patches/packages/xscreensaver-5.37-x86_64-1_slack14.2.txz: Upgraded. + Here's an upgrade to the latest xscreensaver. ++--------------------------+ +Fri Jun 30 21:14:15 UTC 2017 +patches/packages/glibc-2.23-x86_64-2_slack14.2.txz: Rebuilt. + Applied upstream security hardening patches from git. + For more information, see: + https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d + https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd + https://sourceware.org/git/?p=glibc.git;a=commit;h=c69d4a0f680a24fdbe323764a50382ad324041e9 + https://sourceware.org/git/?p=glibc.git;a=commit;h=3776f38fcd267c127ba5eb222e2c614c191744aa + https://sourceware.org/git/?p=glibc.git;a=commit;h=adc7e06fb412a2a1ee52f8cb788caf436335b9f3 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 + (* Security fix *) +patches/packages/glibc-i18n-2.23-x86_64-2_slack14.2.txz: Rebuilt. +patches/packages/glibc-profile-2.23-x86_64-2_slack14.2.txz: Rebuilt. + (* Security fix *) +patches/packages/glibc-solibs-2.23-x86_64-2_slack14.2.txz: Rebuilt. + (* Security fix *) +patches/packages/linux-4.4.75/*: Upgraded. + This kernel fixes security issues that include possible stack exhaustion, + memory corruption, and arbitrary code execution. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7482 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365 + (* Security fix *) ++--------------------------+ +Thu Jun 29 20:55:09 UTC 2017 +patches/packages/bind-9.10.5_P2-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a high severity security issue: + An error in TSIG handling could permit unauthorized zone transfers + or zone updates. + For more information, see: + https://kb.isc.org/article/AA-01503/0 + https://kb.isc.org/article/AA-01504/0 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143 + (* Security fix *) +patches/packages/httpd-2.4.26-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues which may lead to an authentication bypass + or a denial of service: + important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167 + important: mod_ssl Null Pointer Dereference CVE-2017-3169 + important: mod_http2 Null Pointer Dereference CVE-2017-7659 + important: ap_find_token() Buffer Overread CVE-2017-7668 + important: mod_mime Buffer Overread CVE-2017-7679 + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679 + (* Security fix *) +patches/packages/libgcrypt-1.7.8-x86_64-1_slack14.2.txz: Upgraded. + Mitigate a local flush+reload side-channel attack on RSA secret keys + dubbed "Sliding right into disaster". + For more information, see: + https://eprint.iacr.org/2017/627 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526 + (* Security fix *) +patches/packages/mkinitrd-1.4.10-x86_64-1_slack14.2.txz: Upgraded. + Added support for -P option and MICROCODE_ARCH in mkinitrd.conf to specify + a microcode archive to be prepended to the initrd for early CPU microcode + patching by the kernel. Thanks to SeB. ++--------------------------+ +Mon Jun 26 20:36:18 UTC 2017 +patches/packages/linux-4.4.74/*: Upgraded. + This kernel fixes two "Stack Clash" vulnerabilities reported by Qualys. + The first issue may allow attackers to execute arbitrary code with elevated + privileges. Failed attack attempts will likely result in denial-of-service + conditions. The second issue can be exploited to bypass certain security + restrictions and perform unauthorized actions. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365 + (* Security fix *) +patches/packages/mozilla-thunderbird-52.2.1-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Fri Jun 23 20:11:00 UTC 2017 +patches/packages/nasm-2.13.01-x86_64-1_slack14.2.txz: Upgraded. + This update is needed for some newer projects to compile properly. ++--------------------------+ +Wed Jun 21 18:38:46 UTC 2017 +patches/packages/openvpn-2.3.17-x86_64-1_slack14.2.txz: Upgraded. + This update fixes several denial of service issues discovered + by Guido Vranken. + For more information, see: + https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7512 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522 + (* Security fix *) ++--------------------------+ +Thu Jun 15 02:08:28 UTC 2017 +patches/packages/bind-9.10.5_P1-x86_64-1_slack14.2.txz: Upgraded. + Fixed denial of service security issue: + Some RPZ configurations could go into an infinite query loop when + encountering responses with TTL=0. + For more information, see: + https://kb.isc.org/article/AA-01495 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140 + (* Security fix *) +patches/packages/mozilla-firefox-52.2.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/mozilla-thunderbird-52.2.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Tue Jun 13 19:54:24 UTC 2017 +patches/packages/pkg-config-0.29.2-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release, and is needed for some updates on slackbuilds.org + to compile properly. Thanks to Willy Sudiarto Raharjo. ++--------------------------+ +Wed Jun 7 22:42:04 UTC 2017 +patches/packages/irssi-1.0.3-x86_64-1_slack14.2.txz: Upgraded. + Fixed security issues that may result in a denial of service. + For more information, see: + https://irssi.org/security/irssi_sa_2017_06.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469 + (* Security fix *) ++--------------------------+ +Wed May 31 23:07:23 UTC 2017 +patches/packages/sudo-1.8.20p2-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release: + Fixed a bug parsing /proc/pid/stat when the process name contains + a newline. This is not exploitable due to the /dev traversal changes + made in sudo 1.8.20p1. ++--------------------------+ +Tue May 30 17:39:17 UTC 2017 +patches/packages/lynx-2.8.8rel.2-x86_64-3_slack14.2.txz: Rebuilt. + Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use + the new URL for the Lynx homepage. Thanks to John David Yost. +patches/packages/sudo-1.8.20p1-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a potential overwrite of arbitrary system files. + This bug was discovered and analyzed by Qualys, Inc. + For more information, see: + https://www.sudo.ws/alerts/linux_tty.html + http://www.openwall.com/lists/oss-security/2017/05/30/16 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367 + (* Security fix *) ++--------------------------+ +Wed May 24 19:38:59 UTC 2017 +patches/packages/samba-4.4.14-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a remote code execution vulnerability, allowing a + malicious client to upload a shared library to a writable share, and + then cause the server to load and execute it. + For more information, see: + https://www.samba.org/samba/security/CVE-2017-7494.html + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494 + (* Security fix *) ++--------------------------+ +Mon May 22 20:58:20 UTC 2017 +patches/packages/gkrellm-2.3.10-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release to fix a broken gkrellm.pc. +patches/packages/mozilla-firefox-52.1.2esr-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Tue May 16 20:11:03 UTC 2017 +patches/packages/freetype-2.6.3-x86_64-2_slack14.2.txz: Rebuilt. + This update fixes an out-of-bounds write caused by a heap-based buffer + overflow related to the t1_builder_close_contour function in psaux/psobjs.c. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287 + (* Security fix *) +patches/packages/kdelibs-4.14.32-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue with KAuth that can lead to gaining + root from an unprivileged account. + For more information, see: + http://www.openwall.com/lists/oss-security/2017/05/10/3 + https://www.kde.org/info/security/advisory-20170510-1.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422 + (* Security fix *) +patches/packages/mozilla-thunderbird-52.1.1-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Mon May 1 23:31:02 UTC 2017 +patches/packages/mozilla-thunderbird-52.1.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. +patches/packages/rxvt-2.7.10-x86_64-5_slack14.2.txz: Rebuilt. + Patched an integer overflow that can crash rxvt with an escape sequence, + or possibly have unspecified other impact. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7483 + (* Security fix *) ++--------------------------+ +Wed Apr 26 23:09:45 UTC 2017 +patches/packages/xfce4-weather-plugin-0.8.9-x86_64-1_slack14.2.txz: Upgraded. + Package upgraded to fix the API used to fetch weather data. + Thanks to Robby Workman. ++--------------------------+ +Mon Apr 24 18:06:06 UTC 2017 +patches/packages/mozilla-firefox-52.1.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Apr 21 22:40:12 UTC 2017 +patches/packages/getmail-4.54.0-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release to fix a failure to retrieve HTML formatted emails + that contain a line longer than 1024 characters. Thanks to Edward Trumbo. +patches/packages/ntp-4.2.8p10-x86_64-1_slack14.2.txz: Upgraded. + In addition to bug fixes and enhancements, this release fixes security + issues of medium and low severity: + Denial of Service via Malformed Config (Medium) + Authenticated DoS via Malicious Config Option (Medium) + Potential Overflows in ctl_put() functions (Medium) + Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium) + 0rigin DoS (Medium) + Buffer Overflow in DPTS Clock (Low) + Improper use of snprintf() in mx4200_send() (Low) + The following issues do not apply to Linux systems: + Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low) + Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low) + Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low) + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459 + (* Security fix *) +patches/packages/proftpd-1.3.5e-x86_64-1_slack14.2.txz: Upgraded. + This release fixes a security issue: + AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418 + (* Security fix *) ++--------------------------+ +Wed Apr 19 04:46:45 UTC 2017 +patches/packages/minicom-2.7.1-x86_64-1_slack14.2.txz: Upgraded. + Fix an out of bounds data access that can lead to remote code execution. + This issue was found by Solar Designer of Openwall during a security audit + of the Virtuozzo 7 product, which contains derived downstream code in its + prl-vzvncserver component. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467 + (* Security fix *) ++--------------------------+ +Tue Apr 18 04:21:33 UTC 2017 +patches/packages/mozilla-thunderbird-52.0.1-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix release. ++--------------------------+ +Thu Apr 13 21:19:45 UTC 2017 +patches/packages/bind-9.10.4_P8-x86_64-1_slack14.2.txz: Upgraded. + Fixed denial of service security issues. + For more information, see: + https://kb.isc.org/article/AA-01465 + https://kb.isc.org/article/AA-01466 + https://kb.isc.org/article/AA-01471 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138 + (* Security fix *) ++--------------------------+ +Sat Apr 8 16:24:35 UTC 2017 +patches/packages/libtiff-4.0.7-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5875 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448 + (* Security fix *) +patches/packages/mozilla-thunderbird-52.0-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Sat Apr 1 05:16:59 UTC 2017 +patches/packages/samba-4.4.13-x86_64-1_slack14.2.txz: Upgraded. + This is a bug fix release to address a regression introduced by the security + fixes for CVE-2017-2619 (Symlink race allows access outside share definition). + Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details. ++--------------------------+ +Tue Mar 28 20:30:50 UTC 2017 +patches/packages/mariadb-10.0.30-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + Crash in libmysqlclient.so. + Difficult to exploit vulnerability allows low privileged attacker with + logon to compromise the server. Successful attacks of this vulnerability + can result in unauthorized access to data. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3302 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313 + (* Security fix *) +patches/packages/mozilla-firefox-52.0.2esr-x86_64-1_slack14.2.txz: Upgraded. + Upgraded to new Firefox 52.x ESR branch. ++--------------------------+ +Thu Mar 23 21:38:23 UTC 2017 +patches/packages/glibc-zoneinfo-2017b-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. +patches/packages/mcabber-1.0.5-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP + clients allows a remote attacker to impersonate any user, including + contacts, in the vulnerable application's display. This allows for various + kinds of social engineering attacks. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5604 + (* Security fix *) +patches/packages/samba-4.4.12-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to + a malicious client using a symlink race to allow access to areas of + the server file system not exported under the share definition. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619 + (* Security fix *) ++--------------------------+ +Thu Mar 16 01:37:05 UTC 2017 +patches/packages/pidgin-2.12.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a minor security issue (out of bounds memory read in + purple_markup_unescape_entity). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640 + (* Security fix *) ++--------------------------+ +Wed Mar 8 00:17:36 UTC 2017 +patches/packages/mozilla-firefox-45.8.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/mozilla-thunderbird-45.8.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + (* Security fix *) ++--------------------------+ +Wed Mar 1 19:09:44 UTC 2017 +patches/packages/libcgroup-0.41-x86_64-2_slack14.2.txz: Rebuilt. + This is a bugfix package update. + Fixed rc.cgred to source the correct config file. + Don't remove the entire cgroup file system with "rc.cgconfig stop". + Thanks to chris.willing. + NOTE: Be sure to install any .new config files. ++--------------------------+ +Tue Feb 28 23:51:55 UTC 2017 +patches/packages/glibc-zoneinfo-2017a-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Fri Feb 10 21:07:35 UTC 2017 +patches/packages/bind-9.10.4_P6-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a denial-of-service vulnerability. Under some conditions + when using both DNS64 and RPZ to rewrite query responses, query processing + can resume in an inconsistent state leading to either an INSIST assertion + failure or an attempt to read through a NULL pointer. + For more information, see: + https://kb.isc.org/article/AA-01453 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135 + (* Security fix *) +patches/packages/libpcap-1.8.1-x86_64-1_slack14.2.txz: Upgraded. + This update is required for the new version of tcpdump. +patches/packages/mozilla-thunderbird-45.7.1-x86_64-1_slack14.2.txz: Upgraded. + Fixed crash when viewing certain IMAP messages (introduced in 45.7.0) +patches/packages/openssl-1.0.2k-x86_64-1_slack14.2.txz: Upgraded. + This update fixes security issues: + Truncated packet could crash via OOB read (CVE-2017-3731) + BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) + Montgomery multiplication may produce incorrect results (CVE-2016-7055) + For more information, see: + https://www.openssl.org/news/secadv/20170126.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2k-x86_64-1_slack14.2.txz: Upgraded. +patches/packages/php-5.6.30-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://php.net/ChangeLog-5.php#5.6.30 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161 + (* Security fix *) +patches/packages/tcpdump-4.9.0-x86_64-1_slack14.2.txz: Upgraded. + Fixed bugs which allow an attacker to crash tcpdump (denial of service). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7922 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7923 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7924 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7925 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7926 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7927 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7928 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7929 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7930 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7931 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7932 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7933 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7934 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7935 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7936 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7937 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7938 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7939 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7940 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7973 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7974 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7975 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7983 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7984 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7985 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7986 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7992 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7993 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8574 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8575 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5202 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5203 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5204 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5205 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5341 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5342 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5482 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5483 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5484 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5485 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5486 + (* Security fix *) ++--------------------------+ +Thu Jan 26 18:42:29 UTC 2017 +patches/packages/mozilla-thunderbird-45.7.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373 + (* Security fix *) ++--------------------------+ +Mon Jan 23 21:30:13 UTC 2017 +patches/packages/mozilla-firefox-45.7.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Jan 20 04:18:02 UTC 2017 +patches/packages/seamonkey-2.46-x86_64-3_slack14.2.txz: Rebuilt. + Recompiled with less aggressive optimization (-Os) to fix crashes. +patches/packages/seamonkey-solibs-2.46-x86_64-3_slack14.2.txz: Rebuilt. ++--------------------------+ +Wed Jan 18 20:39:17 UTC 2017 +patches/packages/mariadb-10.0.29-x86_64-1_slack14.2.txz: Upgraded. + This update fixes several security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3291 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3312 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318 + (* Security fix *) ++--------------------------+ +Wed Jan 18 01:02:19 UTC 2017 +patches/packages/seamonkey-2.46-x86_64-2_slack14.2.txz: Rebuilt. + Restored missing nspr/obsolete headers. +patches/packages/seamonkey-solibs-2.46-x86_64-2_slack14.2.txz: Rebuilt. ++--------------------------+ +Sat Jan 14 05:34:32 UTC 2017 +patches/packages/scim-1.4.17-x86_64-1_slack14.2.txz: Upgraded. + This is a bugfix package update. ++--------------------------+ +Thu Jan 12 01:15:52 UTC 2017 +patches/packages/bind-9.10.4_P5-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a denial-of-service vulnerability. An error in handling + certain queries can cause an assertion failure when a server is using the + nxdomain-redirect feature to cover a zone for which it is also providing + authoritative service. A vulnerable server could be intentionally stopped + by an attacker if it was using a configuration that met the criteria for + the vulnerability and if the attacker could cause it to accept a query + that possessed the required attributes. + Please note: This vulnerability affects the "nxdomain-redirect" feature, + which is one of two methods of handling NXDOMAIN redirection, and is only + available in certain versions of BIND. Redirection using zones of type + "redirect" is not affected by this vulnerability. + For more information, see: + https://kb.isc.org/article/AA-01442 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9778 + (* Security fix *) +patches/packages/gnutls-3.5.8-x86_64-1_slack14.2.txz: Upgraded. + This update fixes some bugs and security issues. + For more information, see: + https://gnutls.org/security.html#GNUTLS-SA-2017-1 + https://gnutls.org/security.html#GNUTLS-SA-2017-2 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5334 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337 + (* Security fix *) +patches/packages/irssi-0.8.21-x86_64-1_slack14.2.txz: Upgraded. + Fixed security issues that may result in a denial of service. + For more information, see: + https://irssi.org/security/irssi_sa_2017_01.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196 + (* Security fix *) +patches/packages/python-2.7.13-x86_64-2_slack14.2.txz: Rebuilt. + This is a rebuilt package to fix a build-time regression with the + multiprocessing.synchronize module. + Thanks to Damien Goutte-Gattat for the bug report. ++--------------------------+ +Fri Dec 30 19:29:13 UTC 2016 +patches/packages/libpng-1.6.27-x86_64-1_slack14.2.txz: Upgraded. + This release fixes an old NULL pointer dereference bug in png_set_text_2() + discovered and patched by Patrick Keshishian. The potential "NULL + dereference" bug has existed in libpng since version 0.71 of June 26, 1995. + To be vulnerable, an application has to load a text chunk into the png + structure, then delete all text, then add another text chunk to the same + png structure, which seems to be an unlikely sequence, but it has happened. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087 + (* Security fix *) +patches/packages/mozilla-thunderbird-45.6.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899 + (* Security fix *) +patches/packages/seamonkey-2.46-x86_64-1_slack14.2.txz: Upgraded. + This update contains security fixes and improvements. + For more information, see: + http://www.seamonkey-project.org/releases/seamonkey2.46 + (* Security fix *) +patches/packages/seamonkey-solibs-2.46-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Wed Dec 28 21:05:19 UTC 2016 +patches/packages/python-2.7.13-x86_64-1_slack14.2.txz: Upgraded. + This release fixes security issues: + Issue #27850: Remove 3DES from ssl module's default cipher list to counter + measure sweet32 attack (CVE-2016-2183). + Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the + HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates + that the script is in CGI mode. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110 + (* Security fix *) +patches/packages/samba-4.4.8-x86_64-1_slack14.2.txz: Upgraded. + This release fixes security issues: + CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer + Overflow Remote Code Execution Vulnerability). + CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers + in trusted realms). + CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege + elevation). + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2123 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126 + (* Security fix *) ++--------------------------+ +Sat Dec 24 18:14:51 UTC 2016 +patches/packages/expat-2.2.0-x86_64-1_slack14.2.txz: Upgraded. + This update fixes bugs and security issues: + Multiple integer overflows in XML_GetBuffer. + Fix crash on malformed input. + Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716. + Use more entropy for hash initialization. + Resolve troublesome internal call to srand. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 + (* Security fix *) ++--------------------------+ +Sat Dec 24 02:36:05 UTC 2016 +patches/packages/httpd-2.4.25-x86_64-1_slack14.2.txz: Upgraded. + This update fixes the following security issues: + * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless + CONTINUATION frames. + * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues. + * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry + allocation when the shared memory space is exhausted. + * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie + with a MAC (SipHash) to prevent deciphering or tampering with a padding + oracle attack. + * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for + request lines and request headers, to prevent response splitting and + cache pollution by malicious clients or downstream proxies. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743 + (* Security fix *) +patches/packages/openssh-7.4p1-x86_64-1_slack14.2.txz: Upgraded. + This is primarily a bugfix release, and also addresses security issues. + ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside + a trusted whitelist. + sshd(8): When privilege separation is disabled, forwarded Unix-domain + sockets would be created by sshd(8) with the privileges of 'root'. + sshd(8): Avoid theoretical leak of host private key material to + privilege-separated child processes via realloc(). + sshd(8): The shared memory manager used by pre-authentication compression + support had a bounds checks that could be elided by some optimising + compilers to potentially allow attacks against the privileged monitor. + process from the sandboxed privilege-separation process. + sshd(8): Validate address ranges for AllowUser and DenyUsers directives at + configuration load time and refuse to accept invalid ones. It was + previously possible to specify invalid CIDR address ranges + (e.g. user@127.1.2.3/55) and these would always match, possibly resulting + in granting access where it was not intended. + For more information, see: + https://www.openssh.com/txt/release-7.4 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012 + (* Security fix *) +patches/packages/xfce4-weather-plugin-0.8.8-x86_64-1_slack14.2.txz: Upgraded. + Package upgraded to fix the API used to fetch weather data. + Thanks to Robby Workman. ++--------------------------+ +Sun Dec 18 05:20:25 UTC 2016 +patches/packages/glibc-zoneinfo-2016j-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Tue Dec 13 22:14:13 UTC 2016 +patches/packages/mozilla-firefox-45.6.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Mon Dec 12 21:25:50 UTC 2016 +patches/packages/linux-4.4.38/*: Upgraded. + This kernel fixes a security issue with a race condition in + net/packet/af_packet.c that can be exploited to gain kernel code execution + from unprivileged processes. + Thanks to Philip Pettersson for discovering the bug and providing a patch. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 + (* Security fix *) +patches/packages/loudmouth-1.5.3-x86_64-1_slack14.2.txz: Upgraded. + This update is needed for the mcabber security update. +patches/packages/mcabber-1.0.4-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue which can lead to a malicious actor + MITMing a conversation, or adding themselves as an entity on a third + parties roster (thereby granting themselves the associated priviledges + such as observing when the user is online). + For more information, see: + https://gultsch.de/gajim_roster_push_and_message_interception.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9928 + (* Security fix *) +patches/packages/php-5.6.29-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://php.net/ChangeLog-5.php#5.6.29 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935 + (* Security fix *) ++--------------------------+ +Thu Dec 1 08:49:20 UTC 2016 +patches/packages/intltool-0.51.0-x86_64-3_slack14.2.txz: Rebuilt. + Added a patch to fix issues when $(builddir) != $(srcdir). This avoids + possible build failures when intltool is used with automake >= 1.15. + Thanks to Willy Sudiarto Raharjo. +patches/packages/mozilla-firefox-45.5.1esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079 + (* Security fix *) +patches/packages/mozilla-thunderbird-45.5.1-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079 + (* Security fix *) ++--------------------------+ +Mon Nov 21 19:21:22 UTC 2016 +patches/packages/ntp-4.2.8p9-x86_64-1_slack14.2.txz: Upgraded. + In addition to bug fixes and enhancements, this release fixes the + following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and + 5 low-severity vulnerabilities, and provides 28 other non-security + fixes and improvements. + CVE-2016-9311: Trap crash + CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector + CVE-2016-7427: Broadcast Mode Replay Prevention DoS + CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS + CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet + CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass + CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal() + CVE-2016-7429: Interface selection attack + CVE-2016-7426: Client rate limiting and server responses + CVE-2016-7433: Reboot sync calculation problem + For more information, see: + https://www.kb.cert.org/vuls/id/633847 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433 + (* Security fix *) ++--------------------------+ +Fri Nov 18 22:49:40 UTC 2016 +patches/packages/mozilla-firefox-45.5.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) ++--------------------------+ +Fri Nov 4 03:31:38 UTC 2016 +patches/packages/bind-9.10.4_P4-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a denial-of-service vulnerability. A defect in BIND's + handling of responses containing a DNAME answer can cause a resolver to exit + after encountering an assertion failure in db.c or resolver.c. A server + encountering either of these error conditions will stop, resulting in denial + of service to clients. The risk to authoritative servers is minimal; + recursive servers are chiefly at risk. + For more information, see: + https://kb.isc.org/article/AA-01434 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864 + (* Security fix *) +patches/packages/curl-7.51.0-x86_64-1_slack14.2.txz: Upgraded. + This release fixes security issues: + CVE-2016-8615: cookie injection for other servers + CVE-2016-8616: case insensitive password comparison + CVE-2016-8617: OOB write via unchecked multiplication + CVE-2016-8618: double-free in curl_maprintf + CVE-2016-8619: double-free in krb5 code + CVE-2016-8620: glob parser write/read out of bounds + CVE-2016-8621: curl_getdate read out of bounds + CVE-2016-8622: URL unescape heap overflow via integer truncation + CVE-2016-8623: Use-after-free via shared cookies + CVE-2016-8624: invalid URL parsing with '#' + CVE-2016-8625: IDNA 2003 makes curl use wrong host + For more information, see: + https://curl.haxx.se/docs/adv_20161102A.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615 + https://curl.haxx.se/docs/adv_20161102B.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616 + https://curl.haxx.se/docs/adv_20161102C.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617 + https://curl.haxx.se/docs/adv_20161102D.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618 + https://curl.haxx.se/docs/adv_20161102E.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619 + https://curl.haxx.se/docs/adv_20161102F.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620 + https://curl.haxx.se/docs/adv_20161102G.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621 + https://curl.haxx.se/docs/adv_20161102H.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622 + https://curl.haxx.se/docs/adv_20161102I.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623 + https://curl.haxx.se/docs/adv_20161102J.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624 + https://curl.haxx.se/docs/adv_20161102K.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625 + (* Security fix *) +patches/packages/glibc-zoneinfo-2016i-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Mon Oct 31 23:38:24 UTC 2016 +patches/packages/libX11-1.6.4-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory read in XGetImage() or write in XListFonts(). + Affected versions libX11 <= 1.6.3. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943 + (* Security fix *) +patches/packages/libXfixes-5.0.3-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause an integer + overflow on 32 bit architectures. + Affected versions : libXfixes <= 5.0.2. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944 + (* Security fix *) +patches/packages/libXi-1.7.8-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory access or endless loops (Denial of Service). + Affected versions libXi <= 1.7.6. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7946 + (* Security fix *) +patches/packages/libXrandr-1.5.1-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory writes. + Affected versions: libXrandr <= 1.5.0. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948 + (* Security fix *) +patches/packages/libXrender-0.9.10-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory writes. + Affected version: libXrender <= 0.9.9. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950 + (* Security fix *) +patches/packages/libXtst-1.2.3-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory access or endless loops (Denial of Service). + Affected version libXtst <= 1.2.2. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952 + (* Security fix *) +patches/packages/libXv-1.0.11-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause out of boundary + memory and memory corruption. + Affected version libXv <= 1.0.10. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407 + (* Security fix *) +patches/packages/libXvMC-1.0.10-x86_64-1_slack14.2.txz: Upgraded. + Insufficient validation of data from the X server can cause a one byte buffer + read underrun. + Affected version: libXvMC <= 1.0.9. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953 + (* Security fix *) +patches/packages/linux-4.4.29/*: Upgraded. + This kernel fixes a security issue known as "Dirty COW". A race condition + was found in the way the Linux kernel's memory subsystem handled the + copy-on-write (COW) breakage of private read-only memory mappings. An + unprivileged local user could use this flaw to gain write access to + otherwise read-only memory mappings and thus increase their privileges on + the system. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + https://dirtycow.ninja/ + https://www.kb.cert.org/vuls/id/243144 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 + (* Security fix *) +patches/packages/mariadb-10.0.28-x86_64-1_slack14.2.txz: Upgraded. + This update fixes several security issues. + For more information, see: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5624 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5626 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3492 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5629 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8283 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7440 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5584 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6663 + (* Security fix *) +patches/packages/php-5.6.27-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://php.net/ChangeLog-5.php#5.6.27 + (* Security fix *) +patches/packages/xscreensaver-5.36-x86_64-1_slack14.2.txz: Upgraded. + Here's an upgrade to the latest xscreensaver. ++--------------------------+ +Sat Oct 1 17:11:13 UTC 2016 +patches/packages/mozilla-thunderbird-45.4.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + (* Security fix *) ++--------------------------+ +Wed Sep 28 23:24:37 UTC 2016 +patches/packages/glibc-zoneinfo-2016g-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Tue Sep 27 19:16:56 UTC 2016 +patches/packages/bind-9.10.4_P3-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a denial-of-service vulnerability. Testing by ISC has + uncovered a critical error condition which can occur when a nameserver is + constructing a response. A defect in the rendering of messages into + packets can cause named to exit with an assertion failure in buffer.c while + constructing a response to a query that meets certain criteria. + For more information, see: + https://kb.isc.org/article/AA-01419/0 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776 + (* Security fix *) ++--------------------------+ +Mon Sep 26 18:14:08 UTC 2016 +patches/packages/openssl-1.0.2j-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: + Missing CRL sanity check (CVE-2016-7052) + For more information, see: + https://www.openssl.org/news/secadv/20160926.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2j-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Fri Sep 23 23:30:53 UTC 2016 +patches/packages/php-5.6.26-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://php.net/ChangeLog-5.php#5.6.26 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7411 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418 + (* Security fix *) ++--------------------------+ +Thu Sep 22 18:38:07 UTC 2016 +patches/packages/openssl-1.0.2i-x86_64-1_slack14.2.txz: Upgraded. + This update fixes denial-of-service and other security issues. + For more information, see: + https://www.openssl.org/news/secadv/20160922.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6305 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6307 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6308 + (* Security fix *) +patches/packages/openssl-solibs-1.0.2i-x86_64-1_slack14.2.txz: Upgraded. ++--------------------------+ +Wed Sep 21 21:10:52 UTC 2016 +patches/packages/irssi-0.8.20-x86_64-1_slack14.2.txz: Upgraded. + This update fixes two remote crash and heap corruption vulnerabilites + in Irssi's format parsing code. Impact: Remote crash and heap + corruption. Remote code execution seems difficult since only Nuls are + written. Bugs discovered by, and patches provided by Gabriel Campana + and Adrien Guinet from Quarkslab. + For more information, see: + https://irssi.org/security/irssi_sa_2016.txt + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 + (* Security fix *) ++--------------------------+ +Wed Sep 21 15:54:06 UTC 2016 +patches/packages/mozilla-firefox-45.4.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/pidgin-2.11.0-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + https://www.pidgin.im/news/security/ + (* Security fix *) ++--------------------------+ +Thu Sep 15 22:54:52 UTC 2016 +patches/packages/curl-7.50.3-x86_64-1_slack14.2.txz: Upgraded. + Fixed heap overflows in four libcurl functions: curl_escape(), + curl_easy_escape(), curl_unescape() and curl_easy_unescape(). + For more information, see: + https://curl.haxx.se/docs/adv_20160914.html + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167 + (* Security fix *) ++--------------------------+ +Tue Sep 13 18:13:32 UTC 2016 +patches/packages/mariadb-10.0.27-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a critical vulnerability which can allow local and + remote attackers to inject malicious settings into MySQL configuration + files (my.cnf). A successful exploitation could allow attackers to + execute arbitrary code with root privileges which would then allow them + to fully compromise the server. + This issue was discovered and reported by Dawid Golunski. + For more information, see: + http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html + https://jira.mariadb.org/browse/MDEV-10465 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 + (* Security fix *) ++--------------------------+ +Mon Sep 12 18:39:03 UTC 2016 +patches/packages/sdl-1.2.15-x86_64-5_slack14.2.txz: Rebuilt. + Fixed a regression that broke MOD support. Thanks to B Watson. ++--------------------------+ +Sat Sep 10 18:04:42 UTC 2016 +patches/packages/gnutls-3.4.15-x86_64-1_slack14.2.txz: Upgraded. + This update fixes some bugs and security issues. + For more information, see: + http://www.gnutls.org/security.html#GNUTLS-SA-2015-2 + http://www.gnutls.org/security.html#GNUTLS-SA-2015-3 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6251 + (* Security fix *) +patches/packages/gtk+2-2.24.31-x86_64-1_slack14.2.txz: Upgraded. + This update fixes a security issue: Integer overflow in the + gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c allows remote + attackers to cause a denial of service (crash) via a large image file, + which triggers a large memory allocation. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447 + (* Security fix *) ++--------------------------+ +Thu Sep 8 21:35:02 UTC 2016 +patches/packages/php-5.6.25-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + http://php.net/ChangeLog-5.php#5.6.25 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7125 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7126 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7127 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7128 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7129 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7130 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7131 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7132 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7133 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7134 + (* Security fix *) ++--------------------------+ +Wed Aug 31 20:43:10 UTC 2016 +patches/packages/mozilla-thunderbird-45.3.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + (* Security fix *) ++--------------------------+ +Tue Aug 23 19:45:33 UTC 2016 +patches/packages/gnupg-1.4.21-x86_64-1_slack14.2.txz: Upgraded. + Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who + obtains 580 bytes from the standard RNG can trivially predict the next + 20 bytes of output. (This is according to the NEWS file included in the + source. According to the annoucement linked below, an attacker who obtains + 4640 bits from the RNG can trivially predict the next 160 bits of output.) + Problem detected by Felix Doerre and Vladimir Klebanov, KIT. + For more information, see: + https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313 + (* Security fix *) +patches/packages/glib2-2.46.2-x86_64-3_slack14.2.txz: Rebuilt. + Applied upstream patch to fix a use-before-allocate bug in libgio. Without + this fix, Thunar will crash if $HOME is on an NFS volume. + Thanks to Jonathan Woithe. +patches/packages/libgcrypt-1.7.3-x86_64-1_slack14.2.txz: Upgraded. + Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who + obtains 580 bytes from the standard RNG can trivially predict the next + 20 bytes of output. (This is according to the NEWS file included in the + source. According to the annoucement linked below, an attacker who obtains + 4640 bits from the RNG can trivially predict the next 160 bits of output.) + Problem detected by Felix Doerre and Vladimir Klebanov, KIT. + For more information, see: + https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313 + (* Security fix *) +patches/packages/linux-4.4.19/*: Upgraded. + A flaw was found in the implementation of the Linux kernels handling of + networking challenge ack where an attacker is able to determine the shared + counter. This may allow an attacker located on different subnet to inject + or take over a TCP connection between a server and client without having to + be a traditional Man In the Middle (MITM) style attack. + Be sure to upgrade your initrd after upgrading the kernel packages. + If you use lilo to boot your machine, be sure lilo.conf points to the correct + kernel and initrd and run lilo as root to update the bootloader. + If you use elilo to boot your machine, you should run eliloconfig to copy the + kernel and initrd to the EFI System Partition. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5389 + (* Security fix *) +patches/packages/screen-4.4.0-x86_64-2_slack14.2.txz: Rebuilt. + Reverted a change to /etc/screenrc.new that prevented the console from being + cleared when a screen session was detached. Thanks to Stuart Winter. +patches/packages/stunnel-5.35-x86_64-2_slack14.2.txz: Rebuilt. + Fixed incorrect config file name in generate-stunnel-key.sh. + Thanks to Ebben Aries. ++--------------------------+ +Thu Aug 11 18:55:48 UTC 2016 +patches/packages/glibc-zoneinfo-2016f-noarch-1_slack14.2.txz: Upgraded. + This package provides the latest timezone updates. ++--------------------------+ +Sat Aug 6 19:29:16 UTC 2016 +patches/packages/curl-7.50.1-x86_64-1_slack14.2.txz: Upgraded. + This release fixes security issues: + TLS: switch off SSL session id when client cert is used + TLS: only reuse connections with the same client cert + curl_multi_cleanup: clear connection pointer for easy handles + For more information, see: + https://curl.haxx.se/docs/adv_20160803A.html + https://curl.haxx.se/docs/adv_20160803B.html + https://curl.haxx.se/docs/adv_20160803C.html + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421 + (* Security fix *) +patches/packages/mozilla-firefox-45.3.0esr-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html + (* Security fix *) +patches/packages/openssh-7.3p1-x86_64-1_slack14.2.txz: Upgraded. + This is primarily a bugfix release, and also addresses security issues. + sshd(8): Mitigate a potential denial-of-service attack against the system's + crypt(3) function via sshd(8). + sshd(8): Mitigate timing differences in password authentication that could + be used to discern valid from invalid account names when long passwords were + sent and particular password hashing algorithms are in use on the server. + ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle + countermeasures. + ssh(1), sshd(8): Improve operation ordering of MAC verification for + Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC + before decrypting any ciphertext. + sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. + For more information, see: + http://www.openssh.com/txt/release-7.3 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325 + (* Security fix *) +patches/packages/stunnel-5.35-x86_64-1_slack14.2.txz: Upgraded. + Fixes security issues: + Fixed malfunctioning "verify = 4". + Fixed incorrectly enforced client certificate requests. + (* Security fix *) ++--------------------------+ +Thu Jul 28 18:17:17 UTC 2016 +patches/packages/libidn-1.33-x86_64-1_slack14.2.txz: Upgraded. + Fixed out-of-bounds read bugs. Fixed crashes on invalid UTF-8. + Thanks to Hanno Böck. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8948 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6261 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6262 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6263 + (* Security fix *) ++--------------------------+ +Fri Jul 22 20:51:23 UTC 2016 +patches/packages/bind-9.10.4_P2-x86_64-1_slack14.2.txz: Upgraded. + Fixed a security issue: + getrrsetbyname with a non absolute name could trigger an infinite + recursion bug in lwresd and named with lwres configured if when + combined with a search list entry the resulting name is too long. + (CVE-2016-2775) [RT #42694] + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775 + (* Security fix *) ++--------------------------+ +Thu Jul 21 23:25:54 UTC 2016 +patches/packages/gimp-2.8.18-x86_64-1_slack14.2.txz: Upgraded. + This release fixes a security issue: + Use-after-free vulnerability in the xcf_load_image function in + app/xcf/xcf-load.c in GIMP allows remote attackers to cause a denial of + service (program crash) or possibly execute arbitrary code via a crafted + XCF file. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994 + (* Security fix *) +patches/packages/php-5.6.24-x86_64-1_slack14.2.txz: Upgraded. + This release fixes bugs and security issues. + For more information, see: + http://php.net/ChangeLog-5.php#5.6.24 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6207 + (* Security fix *) ++--------------------------+ +Thu Jul 7 19:52:36 UTC 2016 +patches/packages/samba-4.4.5-x86_64-1_slack14.2.txz: Upgraded. + This release fixes a security issue: + Client side SMB2/3 required signing can be downgraded. + It's possible for an attacker to downgrade the required signing for an + SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or + SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can + impersonate a server being connected to by Samba, and return malicious + results. + For more information, see: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2119 + (* Security fix *) ++--------------------------+ +Tue Jul 5 04:52:45 UTC 2016 +patches/packages/mozilla-thunderbird-45.2.0-x86_64-1_slack14.2.txz: Upgraded. + This release contains security fixes and improvements. + For more information, see: + http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html + (* Security fix *) ++--------------------------+ Thu Jun 30 20:26:57 UTC 2016 Slackware 14.2 x86_64 stable is released! |