Differences

This shows you the differences between two versions of the page.

--- changelog_14.2 [2021/10/06 00:13] – [2021=10-05] connie
+++ changelog_14.2 [2021/10/28 13:59] – [2021-10-10] connie
@@ Line 3: / Line 3: @@
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
-==== 2021=10-05 ====
+==== 2021-10-28 ====
+**bind-9.11.36**:  Upgraded.
+This update fixes bugs and the following security issue:
+The "lame-ttl" option is now forcibly set to 0. This effectively disables
+the lame server cache, as it could previously be abused by an attacker to
+significantly degrade resolver performance.
+For more information, see:
+  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25219
+(**Security fix**)
+**glibc-zoneinfo-2021e**:  Upgraded.
+This package provides the latest timezone updates.
+==== 2021-10-10 ====
+**httpd-2.4.51**:  Upgraded.
+SECURITY: CVE-2021-42013: Path Traversal and Remote Code
+Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
+fix of CVE-2021-41773) (cve.mitre.org)
+It was found that the fix for CVE-2021-41773 in Apache HTTP
+Server 2.4.50 was insufficient.  An attacker could use a path
+traversal attack to map URLs to files outside the directories
+configured by Alias-like directives.
+If files outside of these directories are not protected by the
+usual default configuration "require all denied", these requests
+can succeed. If CGI scripts are also enabled for these aliased
+pathes, this could allow for remote code execution.
+This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
+earlier versions.
+Credits: Reported by Juan Escobar from Dreamlab Technologies,
+Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka
+For more information, see:
+  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
+(**Security fix**)
+==== 2021-10-05 ====
 **httpd-2.4.50**:  Upgraded.