User Tools

Site Tools


changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
changelog_14.2 [2021/10/06 00:13] – [2021-09-21] conniechangelog_14.2 [2023/12/23 13:40] (current) – [2023-12-20] connie
Line 3: Line 3:
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
  
-==== 2021=10-05 ====+ 
 +==== 2023-12-23 ==== 
 + 
 +**proftpd-1.3.8b**:  Upgraded. 
 +This update fixes a security issue: 
 +mod_sftp: implemented mitigations for "Terrapin" SSH attack. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795 
 +(**Security fix**) 
 + 
 + 
 +==== 2023-12-20 ==== 
 + 
 +**libssh-0.10.6**:  Upgraded. 
 +This update fixes security issues: 
 +Command injection using proxycommand. 
 +Potential downgrade attack using strict kex. 
 +Missing checks for return values of MD functions. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6004 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6918 
 +(**Security fix**) 
 + 
 +**sudo-1.9.15p4**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**libxml2-2.11.6**:  Upgraded. 
 +We're going to drop back to the 2.11 branch here on the stable releases 
 +since it has all of the relevant security fixes and better compatibility. 
 + 
 +**sudo-1.9.15p3**:  Upgraded. 
 +This is a bugfix release. 
 + 
 + 
 +==== 2023-12-13 ==== 
 + 
 +**libxml2-2.12.3**:  Upgraded. 
 +This update addresses regressions when building against libxml2 that were 
 +due to header file refactoring. 
 + 
 +**libxml2-2.12.2**:  Upgraded. 
 +Add --sysconfdir=/etc option so that this can find the xml catalog. 
 +Thanks to SpiderTux. 
 +Fix the following security issues: 
 +Fix integer overflows with XML_PARSE_HUGE. 
 +Fix dict corruption caused by entity reference cycles. 
 +Hashing of empty dict strings isn't deterministic. 
 +Fix null deref in xmlSchemaFixupComplexType. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40303 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40304 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29469 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28484 
 +(**Security fix**) 
 + 
 +**ca-certificates-20231117**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**sudo-1.9.15p1**:  Upgraded. 
 +This is a bugfix release: 
 +Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers 
 +from being able to read the ldap.conf file. 
 + 
 +==== 2023-11-08 ==== 
 + 
 +**sudo-1.9.15**:  Upgraded. 
 +The sudoers plugin has been modified to make it more resilient to ROWHAMMER 
 +attacks on authentication and policy matching. 
 +The sudoers plugin now constructs the user time stamp file path name using 
 +the user-ID instead of the user name. This avoids a potential problem with 
 +user names that contain a path separator ('/') being interpreted as part of 
 +the path name. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42465 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42456 
 +(**Security fix**) 
 + 
 + 
 +==== 2023-10-20 ==== 
 + 
 +**httpd-2.4.58**:  Upgraded. 
 +This update fixes bugs and security issues: 
 +moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed 
 +right away on RST. 
 +low: mod_macro buffer over-read. 
 +low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0. 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.58 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-45802 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-31122 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43622 
 +(**Security fix**) 
 + 
 +==== 2023-10-16 ==== 
 + 
 +**curl-8.4.0**:  Upgraded. 
 +This update fixes security issues: 
 +Cookie injection with none file. 
 +SOCKS5 heap buffer overflow. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2023-38546.html 
 +  * https://curl.se/docs/CVE-2023-38545.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38546 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38545 
 +(**Security fix**) 
 + 
 +<code> 
 +Mon Oct  9 18:10:01 UTC 2023 
 +#################################################################### 
 +# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS # 
 +#                                                                  # 
 +# Effective January 1, 2024, security patches will no longer be    # 
 +# provided for the following versions of Slackware (which will all # 
 +# be more than 7 years old at that time):                          # 
 +#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                # 
 +# If you are still running these versions you should consider      # 
 +# migrating to a newer version (preferably as recent as possible). # 
 +# Alternately, you may make arrangements to handle your own        # 
 +# security patches.                                                # 
 +#################################################################### 
 +</code> 
 + 
 +==== 2023-10-04 ==== 
 + 
 +**libX11-1.8.7**:  Upgraded. 
 +This update fixes security issues: 
 +libX11: out-of-bounds memory access in _XkbReadKeySyms(). 
 +libX11: stack exhaustion from infinite recursion in PutSubImage(). 
 +libX11: integer overflow in XCreateImage() leading to a heap overflow. 
 +For more information, see: 
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43785 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43786 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43787 
 +(**Security fix**) 
 + 
 +**libXpm-3.5.17**:  Upgraded. 
 +This update fixes security issues: 
 +libXpm: out of bounds read in XpmCreateXpmImageFromBuffer(). 
 +libXpm: out of bounds read on XPM with corrupted colormap. 
 +For more information, see: 
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43788 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43789 
 +(**Security fix**) 
 + 
 +**cups-2.1.4**:  Rebuilt. 
 +This update fixes bugs and a security issue: 
 +Fixed Heap-based buffer overflow when reading Postscript in PPD files. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-4504 
 +(**Security fix**) 
 + 
 +**netatalk-3.1.17**:  Upgraded. 
 +This update fixes bugs and a security issue: 
 +Validate data type in dalloc_value_for_key(). This flaw could allow a 
 +malicious actor to cause Netatalk's afpd daemon to crash, or possibly to 
 +execute arbitrary code. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42464 
 +(**Security fix**) 
 + 
 +**curl-8.3.0**:  Upgraded. 
 +This update fixes a security issue: 
 +HTTP headers eat all memory. 
 +  * https://curl.se/docs/CVE-2023-38039.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38039 
 +(**Security fix**) 
 + 
 +**libarchive-3.7.2**:  Upgraded. 
 +This update fixes multiple security vulnerabilities in the PAX writer: 
 +Heap overflow in url_encode() in archive_write_set_format_pax.c. 
 +NULL dereference in archive_write_pax_header_xattrs(). 
 +Another NULL dereference in archive_write_pax_header_xattrs(). 
 +NULL dereference in archive_write_pax_header_xattr(). 
 +(**Security fix**) 
 + 
 +**netatalk-3.1.16**:  Upgraded. 
 +This update fixes bugs and security issues. 
 +Shared library .so-version bump. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23121 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23123 
 +(**Security fix**) 
 + 
 +**curl-8.2.1**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**whois-5.5.18**:  Upgraded. 
 +Updated the .ga TLD server. 
 +Added new recovered IPv4 allocations. 
 +Removed the delegation of 43.0.0.0/8 to JPNIC. 
 +Removed 12 new gTLDs which are no longer active. 
 +Improved the man page source, courtesy of Bjarni Ingi Gislason. 
 +Added the .edu.za SLD server. 
 +Updated the .alt.za SLD server. 
 +Added the -ru and -su NIC handles servers. 
 + 
 +**ca-certificates-20230721**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**curl-8.2.0**:  Upgraded. 
 +This update fixes a security issue: 
 +fopen race condition. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2023-32001.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32001 
 +(**Security fix**) 
 + 
 +**sudo-1.9.14p2**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**sudo-1.9.14p1**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**cups-2.1.4**:  Rebuilt. 
 +Fixed use-after-free when logging warnings in case of failures 
 +in cupsdAcceptClient(). 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-34241 
 +(**Security fix**) 
 + 
 +==== 2023-06-15 ==== 
 + 
 +**libX11-1.8.6**:  Upgraded. 
 +This update fixes buffer overflows in InitExt.c that could at least cause 
 +the client to crash due to memory corruption. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-3138 
 +(**Security fix**) 
 + 
 +**ntp-4.2.8p17**:  Upgraded. 
 +This is a bugfix release. 
 + 
 + 
 +==== 2023-06-06 ==== 
 + 
 +**cups-2.1.4**:  Rebuilt. 
 +Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file 
 +cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote 
 +attacker to launch a denial of service (DoS) attack, or possibly execute 
 +arbirary code. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32324 
 +(**Security fix**) 
 + 
 +**ntp-4.2.8p16**:  Upgraded. 
 +This update fixes bugs and security issues. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26551 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26552 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26553 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26554 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26555 
 +(**Security fix**) 
 + 
 +**curl-8.1.2**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +==== 2023-05-26 ==== 
 + 
 +**ntfs-3g-2022.10.3**:  Upgraded. 
 +Fixed vulnerabilities that may allow an attacker using a maliciously 
 +crafted NTFS-formatted image file or external storage to potentially 
 +execute arbitrary privileged code or cause a denial of service. 
 +Thanks to opty. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790 
 +(**Security fix**) 
 + 
 +**curl-8.1.1**:  Upgraded. 
 +This is a bugfix release. 
 + 
 + 
 +==== 2023-05-18 ==== 
 + 
 +**curl-8.1.0**:  Upgraded. 
 +This update fixes security issues: 
 +more POST-after-PUT confusion. 
 +IDN wildcard match. 
 +siglongjmp race condition. 
 +UAF in SSH sha256 fingerprint check. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2023-28322.html 
 +  * https://curl.se/docs/CVE-2023-28321.html 
 +  * https://curl.se/docs/CVE-2023-28320.html 
 +  * https://curl.se/docs/CVE-2023-28319.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28322 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28321 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28320 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28319 
 +(**Security fix**) 
 + 
 +**ca-certificates-20230506**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +==== 2023-05-05 ==== 
 + 
 +**libssh-0.10.5**:  Upgraded. 
 +This update fixes security issues: 
 +A NULL dereference during rekeying with algorithm guessing. 
 +A possible authorization bypass in pki_verify_data_signature under 
 +low-memory conditions. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-1667 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-2283 
 +(**Security fix**) 
 + 
 +**whois-5.5.17**:  Upgraded. 
 +Added the .cd TLD server. 
 +Updated the -kg NIC handles server name. 
 +Removed 2 new gTLDs which are no longer active. 
 + 
 + 
 +==== 2023-05-01 ==== 
 + 
 +**netatalk-3.1.15**:  Upgraded. 
 +This update fixes security issues, including a critical vulnerability that 
 +allows remote attackers to execute arbitrary code on affected installations 
 +of Netatalk. Authentication is not required to exploit this vulnerability. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43634 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188 
 +(**Security fix**) 
 + 
 +==== 2023-04-25 ==== 
 + 
 +**git-2.30.9**:  Upgraded. 
 +This update fixes security issues: 
 +By feeding specially crafted input to `git apply --reject`, a 
 +path outside the working tree can be overwritten with partially 
 +controlled contents (corresponding to the rejected hunk(s) from 
 +the given patch). 
 +When Git is compiled with runtime prefix support and runs without 
 +translated messages, it still used the gettext machinery to 
 +display messages, which subsequently potentially looked for 
 +translated messages in unexpected places. This allowed for 
 +malicious placement of crafted messages. 
 +When renaming or deleting a section from a configuration file, 
 +certain malicious configuration values may be misinterpreted as 
 +the beginning of a new configuration section, leading to arbitrary 
 +configuration injection. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25652 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25815 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29007 
 +(**Security fix**) 
 + 
 +**httpd-2.4.57**:  Upgraded. 
 +This is a bugfix release. 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.57 
 + 
 +==== 2023-04-03 ==== 
 + 
 +**irssi-1.4.4**:  Upgraded. 
 +Do not crash Irssi when one line is printed as the result of another line 
 +being printed. 
 +Also solve a memory leak while printing unformatted lines. 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2023c**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +**tar-1.29**:  Rebuilt. 
 +GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use 
 +of uninitialized memory for a conditional jump. Exploitation to change the 
 +flow of control has not been demonstrated. The issue occurs in from_header 
 +in list.c via a V7 archive in which mtime has approximately 11 whitespace 
 +characters. 
 +Thanks to marav for the heads-up. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-48303 
 +(**Security fix**) 
 + 
 + 
 +==== 2023-03-22 ==== 
 + 
 +**curl-8.0.1**:  Upgraded. 
 +  * This update fixes security issues: 
 +  * SSH connection too eager reuse still. 
 +  * HSTS double-free. 
 +  * GSS delegation too eager connection re-use. 
 +  * FTP too eager connection reuse. 
 +  * SFTP path ~ resolving discrepancy. 
 +  * TELNET option IAC injection. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2023-27538.html 
 +  * https://curl.se/docs/CVE-2023-27537.html 
 +  * https://curl.se/docs/CVE-2023-27536.html 
 +  * https://curl.se/docs/CVE-2023-27535.html 
 +  * https://curl.se/docs/CVE-2023-27534.html 
 +  * https://curl.se/docs/CVE-2023-27533.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27538 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27537 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27536 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27535 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27534 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27533 
 +(**Security fix**) 
 + 
 +==== 2023-03-08 ==== 
 + 
 +**httpd-2.4.56**:  Upgraded. 
 +This update fixes two security issues: 
 +HTTP Response Smuggling vulnerability via mod_proxy_uwsgi. 
 +HTTP Request Smuggling attack via mod_rewrite and mod_proxy. 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.56 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27522 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25690 
 +(**Security fix**) 
 + 
 +**sudo-1.9.13p3**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**whois-5.5.16**:  Upgraded. 
 +Add bash completion support, courtesy of Ville Skytta. 
 +Updated the .tr TLD server. 
 +Removed support for -metu NIC handles. 
 + 
 +**curl-7.88.1**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +==== 2023-02-16 ==== 
 + 
 +**curl-7.88.0**:  Upgraded. 
 +This update fixes security issues: 
 +HTTP multi-header compression denial of service. 
 +HSTS amnesia with --parallel. 
 +HSTS ignored on multiple requests. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2023-23916.html 
 +  * https://curl.se/docs/CVE-2023-23915.html 
 +  * https://curl.se/docs/CVE-2023-23914.html 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23916 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23915 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23914 
 +(**Security fix**) 
 + 
 +**git-2.30.8**:  Upgraded. 
 +This update fixes security issues: 
 +Using a specially-crafted repository, Git can be tricked into using 
 +its local clone optimization even when using a non-local transport. 
 +Though Git will abort local clones whose source $GIT_DIR/objects 
 +directory contains symbolic links (c.f., CVE-2022-39253), the objects 
 +directory itself may still be a symbolic link. 
 +These two may be combined to include arbitrary files based on known 
 +paths on the victim's filesystem within the malicious repository'
 +working copy, allowing for data exfiltration in a similar manner as 
 +CVE-2022-39253. 
 +By feeding a crafted input to "git apply", a path outside the 
 +working tree can be overwritten as the user who is running "git 
 +apply"
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22490 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23946 
 +(**Security fix**) 
 + 
 +==== 2023-01-19 ==== 
 + 
 +**sudo-1.9.12p2**:  Upgraded. 
 +This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow 
 +a malicious user with sudoedit privileges to edit arbitrary files. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22809 
 +(**Security fix**) 
 + 
 +==== 2023-01-18 ==== 
 + 
 +**git-2.30.7**:  Upgraded. 
 +This release fixes two security issues: 
 +  * CVE-2022-41903: 
 +git log has the ability to display commits using an arbitrary 
 +format with its --format specifiers. This functionality is also 
 +exposed to git archive via the export-subst gitattribute. 
 +When processing the padding operators (e.g., %<(, %<|(, %>(, 
 +%>>(, or %><( ), an integer overflow can occur in 
 +pretty.c::format_and_pad_commit() where a size_t is improperly 
 +stored as an int, and then added as an offset to a subsequent 
 +memcpy() call. 
 +This overflow can be triggered directly by a user running a 
 +command which invokes the commit formatting machinery (e.g., git 
 +log --format=...). It may also be triggered indirectly through 
 +git archive via the export-subst mechanism, which expands format 
 +specifiers inside of files within the repository during a git 
 +archive. 
 +This integer overflow can result in arbitrary heap writes, which 
 +may result in remote code execution. 
 +  * CVE-2022-23521: 
 +gitattributes are a mechanism to allow defining attributes for 
 +paths. These attributes can be defined by adding a `.gitattributes` 
 +file to the repository, which contains a set of file patterns and 
 +the attributes that should be set for paths matching this pattern. 
 +When parsing gitattributes, multiple integer overflows can occur 
 +when there is a huge number of path patterns, a huge number of 
 +attributes for a single pattern, or when the declared attribute 
 +names are huge. 
 +These overflows can be triggered via a crafted `.gitattributes` file 
 +that may be part of the commit history. Git silently splits lines 
 +longer than 2KB when parsing gitattributes from a file, but not when 
 +parsing them from the index. Consequentially, the failure mode 
 +depends on whether the file exists in the working tree, the index or 
 +both. 
 +This integer overflow can result in arbitrary heap reads and writes, 
 +which may result in remote code execution. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-41903 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23521 
 +(**Security fix**) 
 + 
 +**httpd-2.4.55**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +mod_proxy allows a backend to trigger HTTP response splitting. 
 +mod_proxy_ajp possible request smuggling. 
 +mod_dav out of bounds read, or write of zero byte. 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.55 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-37436 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-36760 
 +  * https://www.cve.org/CVERecord?id=CVE-2006-20001 
 +(**Security fix**) 
 + 
 +**libXpm-3.5.15**:  Upgraded. 
 +This update fixes security issues: 
 +Infinite loop on unclosed comments. 
 +Runaway loop with width of 0 and enormous height. 
 +Compression commands depend on $PATH. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-46285 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-44617 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-4883 
 +(**Security fix**) 
 + 
 +==== 2023-01-15 ==== 
 + 
 +**netatalk-3.1.14**:  Upgraded. 
 +Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow 
 +resulting in code execution via a crafted .appl file. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188 
 +(**Security fix**) 
 + 
 +**ca-certificates-20221205**:  Rebuilt. 
 +Make sure that if we're installing this package on another partition (such as 
 +when using installpkg with a --root parameter) that the updates are done on 
 +that partition. Thanks to fulalas. 
 + 
 + 
 +==== 2023-01-04 ==== 
 + 
 +**libtiff-4.4.0**:  Upgraded. 
 +Patched various security bugs. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2056 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2057 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2058 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-3970 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-34526 
 +(**Security fix**) 
 + 
 +**whois-5.5.15**:  Upgraded. 
 +Updated the .bd, .nz and .tv TLD servers. 
 +Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers. 
 +Updated the .ac.uk and .gov.uk SLD servers. 
 +Recursion has been enabled for whois.nic.tv. 
 +Updated the list of new gTLDs with four generic TLDs assigned in October 2013 
 +which were missing due to a bug. 
 +Removed 4 new gTLDs which are no longer active. 
 +Added the Georgian translation, contributed by Temuri Doghonadze. 
 +Updated the Finnish translation, contributed by Lauri Nurmi. 
 + 
 +==== 2022-12-22 ==== 
 + 
 +**curl-7.87.0**:  Upgraded. 
 +This is a bugfix release. 
 + 
 +**libksba-1.6.3**:  Upgraded. 
 +Fix another integer overflow in the CRL's signature parser. 
 +(**Security fix**) 
 + 
 +**sdl-1.2.15**:  Rebuilt. 
 +This update fixes a heap overflow problem in video/SDL_pixels.c in SDL. 
 +By crafting a malicious .BMP file, an attacker can cause the application 
 +using this library to crash, denial of service, or code execution. 
 +Thanks to marav for the heads-up. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2021-33657 
 +(**Security fix**) 
 + 
 +**libarchive-3.6.2**:  Rebuilt. 
 +This update fixes a regression causing a failure to compile against 
 +libarchive: don't include iconv in libarchive.pc. 
 + 
 +**libarchive-3.6.2**:  Upgraded. 
 +This is a bugfix and security release. 
 +Relevant bugfixes: 
 +  * rar5 reader: fix possible garbled output with bsdtar -O (#1745) 
 +  * mtree reader: support reading mtree files with tabs (#1783) 
 +Security fixes: 
 +  * various small fixes for issues found by CodeQL 
 +(**Security fix**) 
 + 
 +**ca-certificates-20221205**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**glibc-zoneinfo-2022g**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +==== 2022-11-09 ==== 
 + 
 +**sysstat-12.7.1**:  Upgraded. 
 +On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, 
 +allocate_structures contains a size_t overflow in sa_common.c. The 
 +allocate_structures function insufficiently checks bounds before arithmetic 
 +multiplication, allowing for an overflow in the size allocated for the 
 +buffer representing system activities. 
 +This issue may lead to Remote Code Execution (RCE). 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-39377 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2022f**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +**sudo-1.9.12p1**:  Upgraded. 
 +Fixed a potential out-of-bounds write for passwords smaller than 8 
 +characters when passwd authentication is enabled. 
 +This does not affect configurations that use other authentication 
 +methods such as PAM, AIX authentication or BSD authentication. 
 +For more information, see: 
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43995 
 +(**Security fix**) 
 + 
 +**curl-7.86.0**:  Upgraded. 
 +This update fixes security issues: 
 +HSTS bypass via IDN. 
 +HTTP proxy double-free. 
 +.netrc parser out-of-bounds access. 
 +POST following PUT confusion.  
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2022-42916.html 
 +  * https://curl.se/docs/CVE-2022-42915.html 
 +  * https://curl.se/docs/CVE-2022-35260.html 
 +  * https://curl.se/docs/CVE-2022-32221.html 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35260 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221 
 +(**Security fix**) 
 + 
 +**expat-2.4.3**:  Rebuilt. 
 +This update fixes a security issue: 
 +Fix heap use-after-free after overeager destruction of a shared DTD in 
 +function XML_ExternalEntityParserCreate in out-of-memory situations. 
 +Expected impact is denial of service or potentially arbitrary code 
 +execution. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680 
 +(**Security fix**) 
 + 
 +**rsync-3.2.7**:  Rebuilt. 
 +This is a bugfix release, fixing the list of supported auth checksums when 
 +rsync is built against 1.0.x. 
 +Thanks to niksoggia. 
 + 
 +**rsync-3.2.7**:  Upgraded. 
 +This is a bugfix release. 
 +Notably, this addresses some regressions caused by the file-list validation 
 +fix in rsync-3.2.5. 
 +Thanks to llgar. 
 + 
 +**whois-5.5.14**:  Upgraded. 
 +This update adds the .bf and .sd TLD servers, removes the .gu TLD server, 
 +updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for 
 +whois.nic.tr, updates the list of new gTLDs, removes whois.nic.fr from the 
 +list of RIPE-like servers (because it is not one anymore), renames 
 +whois.arnes.si to whois.register.si in the list of RIPE-like servers, and 
 +adds the hiding string for whois.auda.org.au. 
 + 
 +**git-2.30.6**:  Upgraded. 
 +This release fixes two security issues: 
 +  * CVE-2022-39253: 
 +When relying on the `--local` clone optimization, Git dereferences 
 +symbolic links in the source repository before creating hardlinks 
 +(or copies) of the dereferenced link in the destination repository. 
 +This can lead to surprising behavior where arbitrary files are 
 +present in a repository's `$GIT_DIR` when cloning from a malicious 
 +repository. 
 +Git will no longer dereference symbolic links via the `--local` 
 +clone mechanism, and will instead refuse to clone repositories that 
 +have symbolic links present in the `$GIT_DIR/objects` directory. 
 +Additionally, the value of `protocol.file.allow` is changed to be 
 +"user" by default. 
 +  * CVE-2022-39260: 
 +An overly-long command string given to `git shell` can result in 
 +overflow in `split_cmdline()`, leading to arbitrary heap writes and 
 +remote code execution when `git shell` is exposed and the directory 
 +`$HOME/git-shell-commands` exists. 
 +`git shell` is taught to refuse interactive commands that are 
 +longer than 4MiB in size. `split_cmdline()` is hardened to reject 
 +inputs larger than 2GiB. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260 
 +(**Security fix**) 
 + 
 +==== 2022-10-17 ==== 
 + 
 +**glibc-zoneinfo-2022e**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +**zlib-1.2.13**:  Upgraded. 
 +Fixed a bug when getting a gzip header extra field with inflateGetHeader(). 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434 
 +(**Security fix**) 
 + 
 +**libksba-1.6.2**:  Upgraded. 
 +Detect a possible overflow directly in the TLV parser. 
 +This patch detects possible integer overflows immmediately when creating 
 +the TI object. 
 +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 
 +(**Security fix**) 
 + 
 + 
 +==== 2022-10-05 ==== 
 + 
 +**dhcp-4.4.3_P1**:  Upgraded. 
 +This update fixes two security issues: 
 +Corrected a reference count leak that occurs when the server builds 
 +responses to leasequery packets. 
 +Corrected a memory leak that occurs when unpacking a packet that has an 
 +FQDN option (81) that contains a label with length greater than 63 bytes. 
 +Thanks to VictorV of Cyber Kunlun Lab for reporting these issues. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2022d**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +**dnsmasq-2.87**:  Upgraded. 
 +Fix write-after-free error in DHCPv6 server code. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934 
 +(**Security fix**) 
 + 
 +**ca-certificates-20220922**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**expat-2.4.3**:  Rebuilt. 
 +This update fixes a security issue: 
 +Heap use-after-free vulnerability in function doContent. Expected impact is 
 +denial of service or potentially arbitrary code execution. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674 
 +(**Security fix**) 
 + 
 + 
 +==== 2022-09-01 ==== 
 + 
 +**curl-7.85.0**:  Upgraded. 
 +This update fixes a security issue: 
 +control code in cookie denial of service. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2022-35252.html 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2022c**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +==== 2022-08-15 ==== 
 + 
 +**rsync-3.2.5**:  Upgraded. 
 +Added some file-list safety checking that helps to ensure that a rogue 
 +sending rsync can't add unrequested top-level names and/or include recursive 
 +names that should have been excluded by the sender. These extra safety 
 +checks only require the receiver rsync to be updated. When dealing with an 
 +untrusted sending host, it is safest to copy into a dedicated destination 
 +directory for the remote content (i.e. don't copy into a destination 
 +directory that contains files that aren't from the remote host unless you 
 +trust the remote host). 
 +For more information, see: 
 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2022b**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +**zlib-1.2.12**:  Rebuilt. 
 +This is a bugfix update. 
 +Applied an upstream patch to restore the handling of CRC inputs to be the 
 +same as in previous releases of zlib. This fixes an issue with OpenJDK. 
 +Thanks to alienBOB. 
 + 
 + 
 +==== 2022-07-10 ==== 
 + 
 +**wavpack-5.5.0**:  Upgraded. 
 +WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially 
 +crafted DSD file causes an out-of-bounds read exception. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269 
 +(**Security fix**) 
 + 
 +==== 2022-06-30 ==== 
 + 
 +**curl-7.84.0**:  Upgraded. 
 +This update fixes security issues: 
 +Set-Cookie denial of service. 
 +HTTP compression denial of service. 
 +Unpreserved file permissions. 
 +FTP-KRB bad message verification. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2022-32205.html 
 +  * https://curl.se/docs/CVE-2022-32206.html 
 +  * https://curl.se/docs/CVE-2022-32207.html 
 +  * https://curl.se/docs/CVE-2022-32208.html 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208 
 +(**Security fix**) 
 + 
 +**openssl-1.0.2u**:  Rebuilt. 
 +We're sending out the Slackware 14.2 updates again because the package 
 +build number wasn't incremented which caused slackpkg to not pick up the 
 +updates. It's been bumped and the packages rebuilt - otherwise there are 
 +no new changes. Thanks to John Jenkins for the report. 
 +For reference, here's the information from the previous advisory: 
 +In addition to the c_rehash shell command injection identified in 
 +CVE-2022-1292, further circumstances where the c_rehash script does not 
 +properly sanitise shell metacharacters to prevent command injection were 
 +found by code review. 
 +When the CVE-2022-1292 was fixed it was not discovered that there 
 +are other places in the script where the file names of certificates 
 +being hashed were possibly passed to a command executed through the shell. 
 +For more information, see: 
 +  * https://www.openssl.org/news/secadv/20220621.txt 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068 
 +(**Security fix**) 
 + 
 +**openssl-solibs-1.0.2u**:  Rebuilt. 
 + 
 + 
 +==== 2022-06-28 ==== 
 + 
 +**ca-certificates-20220622**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**openssl-1.0.2u**:  Rebuilt. 
 +In addition to the c_rehash shell command injection identified in 
 +CVE-2022-1292, further circumstances where the c_rehash script does not 
 +properly sanitise shell metacharacters to prevent command injection were 
 +found by code review. 
 +When the CVE-2022-1292 was fixed it was not discovered that there 
 +are other places in the script where the file names of certificates 
 +being hashed were possibly passed to a command executed through the shell. 
 +For more information, see: 
 +  * https://www.openssl.org/news/secadv/20220621.txt 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068 
 +(**Security fix**) 
 + 
 +**openssl-solibs-1.0.2u**:  Rebuilt. 
 + 
 + 
 +==== 2022-06-09 ==== 
 + 
 +**httpd-2.4.54**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism. 
 +Information Disclosure in mod_lua with websockets. 
 +mod_sed denial of service. 
 +Denial of service in mod_lua r:parsebody. 
 +Read beyond bounds in ap_strcmp_match(). 
 +Read beyond bounds via ap_rwrite(). 
 +Read beyond bounds in mod_isapi. 
 +mod_proxy_ajp: Possible request smuggling. 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.54 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377 
 +(**Security fix**) 
 + 
 +==== 2022-05-26 ==== 
 + 
 +**cups-2.1.4**:  Rebuilt. 
 +Fixed certificate strings comparison for Local authorization. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691 
 +(**Security fix**) 
 + 
 + 
 +==== 2022-05-11 ==== 
 + 
 +**curl-7.83.1**:  Upgraded. 
 +This update fixes security issues: 
 +HSTS bypass via trailing dot. 
 +TLS and SSH connection too eager reuse. 
 +CERTINFO never-ending busy-loop. 
 +percent-encoded path separator in URL host. 
 +cookie for trailing dot TLD. 
 +curl removes wrong file on error. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2022-30115.html 
 +  * https://curl.se/docs/CVE-2022-27782.html 
 +  * https://curl.se/docs/CVE-2022-27781.html 
 +  * https://curl.se/docs/CVE-2022-27780.html 
 +  * https://curl.se/docs/CVE-2022-27779.html 
 +  * https://curl.se/docs/CVE-2022-27778.html 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30115 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27780 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27779 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27778 
 +(**Security fix**) 
 + 
 +==== 2022-05-03 ==== 
 + 
 +**openssl-1.0.2u**:  Rebuilt. 
 +Fixed a bug in the c_rehash script which was not properly sanitising shell 
 +metacharacters to prevent command injection. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292 
 +(**Security fix**) 
 + 
 +**openssl-solibs-1.0.2u**:  Rebuilt. 
 + 
 +==== 2022-05-03 ==== 
 + 
 +**libxml2-2.9.14**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +Fix integer overflow in xmlBuf and xmlBuffer. 
 +Fix potential double-free in xmlXPtrStringRangeFunction. 
 +Fix memory leak in xmlFindCharEncodingHandler. 
 +Normalize XPath strings in-place. 
 +Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars(). 
 +Fix leak of xmlElementContent. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824 
 +(**Security fix**) 
 + 
 +==== 2022-04-02 ==== 
 + 
 +**pidgin-2.12.0**:  Rebuilt. 
 +Mitigate the potential for a man in the middle attack via DNS spoofing by 
 +removing the code that supported the _xmppconnect DNS TXT record. 
 +For more information, see: 
 +  * https://www.pidgin.im/about/security/advisories/cve-2022-26491/ 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26491 
 +(**Security fix**) 
 + 
 +**xz-5.2.5**:  Rebuilt. 
 +This update fixes a regression with the previous package leading to compile 
 +failures due to a missing liblzma.la. Thanks to csking. 
 + 
 +==== 2022-04-27 ==== 
 + 
 +**curl-7.83.0**:  Upgraded. 
 +This update fixes security issues: 
 +OAUTH2 bearer bypass in connection re-use. 
 +Credential leak on redirect. 
 +Bad local IPv6 connection reuse. 
 +Auth/cookie leak on redirect. 
 +For more information, see: 
 +  * https://curl.se/docs/CVE-2022-22576.html 
 +  * https://curl.se/docs/CVE-2022-27774.html 
 +  * https://curl.se/docs/CVE-2022-27775.html 
 +  * https://curl.se/docs/CVE-2022-27776.html 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776 
 +(**Security fix**) 
 + 
 + 
 +==== 2022-04-15 ==== 
 + 
 +**git-2.30.4**:  Upgraded. 
 +This update fixes a security issue where a Git worktree created by another 
 +user might be able to execute arbitrary code. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765 
 +(**Security fix**) 
 + 
 +**gzip-1.12**:  Upgraded. 
 +This update fixes a security issue: 
 +zgrep applied to a crafted file name with two or more newlines can no 
 +longer overwrite an arbitrary, attacker-selected file. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271 
 +(**Security fix**) 
 + 
 +**xz-5.2.5**:  Upgraded. 
 +This update fixes a security issue: 
 +xzgrep applied to a crafted file name with two or more newlines can no 
 +longer overwrite an arbitrary, attacker-selected file. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271 
 +(**Security fix**) 
 + 
 +**whois-5.5.13**:  Upgraded. 
 +This update adds the .sd TLD server, updates the list of new gTLDs, and adds 
 +a Turkish translation. 
 + 
 +==== 2022-04-08 ==== 
 + 
 +**libarchive-3.6.1**:  Upgraded. 
 +This is a bugfix and security release. 
 +Security fixes: 
 +  * 7zip reader: fix PPMD read beyond boundary. 
 +  * ZIP reader: fix possible out of bounds read. 
 +  * ISO reader: fix possible heap buffer overflow in read_children(). 
 +  * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0). 
 +  * Fix heap use after free in archive_read_format_rar_read_data(). 
 +  * Fix null dereference in read_data_compressed(). 
 +  * Fix heap user after free in run_filters(). 
 +(**Security fix**) 
 + 
 +**ca-certificates-20220403**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**whois-5.5.12**:  Upgraded. 
 +This is a bugfix release. Thanks to Nobby6. 
 + 
 +**zlib-1.2.12**:  Upgraded. 
 +This update fixes memory corruption when deflating (i.e., when compressing) 
 +if the input has many distant matches. Thanks to marav. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2022a**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +==== 2022-03-17 ==== 
 + 
 +**bind-9.11.37**:  Upgraded. 
 +This update fixes bugs and the following security issue: 
 +The rules for acceptance of records into the cache have been tightened to 
 +prevent the possibility of poisoning if forwarders send records outside 
 +the configured bailiwick. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220 
 +(**Security fix**) 
 + 
 +**openssl-1.0.2u**:  Rebuilt. 
 +This update fixes a high severity security issue: 
 +The BN_mod_sqrt() function, which computes a modular square root, contains 
 +a bug that can cause it to loop forever for non-prime moduli. 
 +For more information, see: 
 +  * https://www.openssl.org/news/secadv/20220315.txt 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778 
 +(**Security fix**) 
 + 
 +**openssl-solibs-1.0.2u**:  Rebuilt. 
 + 
 +==== 2022-03-15 ==== 
 + 
 +**httpd-2.4.53**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +mod_sed: Read/write beyond bounds 
 +core: Possible buffer overflow with very large or unlimited 
 +LimitXMLRequestBody 
 +HTTP request smuggling vulnerability 
 +mod_lua: Use of uninitialized value in r:parsebody 
 +For more information, see: 
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.53 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719 
 +(**Security fix**) 
 + 
 +**ca-certificates-20220309**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 +**expat-2.4.3**:  Rebuilt. 
 +This is a bugfix release: 
 +Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to 
 +all valid URI characters (RFC 3986). 
 + 
 +==== 2022-03-01 ==== 
 + 
 +**libxml2-2.9.13**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +Use-after-free of ID and IDREF attributes 
 +(Thanks to Shinji Sato for the report) 
 +Use-after-free in xmlXIncludeCopyRange (David Kilzer) 
 +Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong) 
 +Fix memory leak in xmlXPathCompNodeTest 
 +Fix null pointer deref in xmlStringGetNodeList 
 +Fix several memory leaks found by Coverity (David King) 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308 
 +(**Security fix**) 
 + 
 +**libxslt-1.1.35**:  Upgraded. 
 +This update fixes bugs and the following security issues: 
 +Fix use-after-free in xsltApplyTemplates 
 +Fix memory leak in xsltDocumentElem (David King) 
 +Fix memory leak in xsltCompileIdKeyPattern (David King) 
 +Fix double-free with stylesheets containing entity nodes 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560 
 +(**Security fix**) 
 + 
 +**cyrus-sasl-2.1.28**:  Upgraded. 
 +This update fixes bugs and security issues. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407 
 +(**Security fix**) 
 + 
 +==== 2022-02-22 ==== 
 + 
 +**expat-2.4.3**:  Rebuilt. 
 +Fixed a regression introduced by the fix for CVE-2022-25313 that affects 
 +applications that (1) call function XML_SetElementDeclHandler and (2) are 
 +parsing XML that contains nested element declarations, e.g. 
 +  "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>" 
 + 
 +**flac-1.3.4**:  Upgraded. 
 +This update fixes overflow issues with encoding and decoding. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561 
 +(**Security fix**) 
 + 
 +==== 2022-02-01 ==== 
 + 
 +**linux-libre-4.4.301**:  Upgraded. 
 +These updates fix various bugs and security issues, including the recently 
 +announced i915 issue that could lead to user-space gaining access to random 
 +memory pages (CVE-2022-0330). 
 +Be sure to upgrade your initrd after upgrading the kernel packages. 
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct 
 +kernel and initrd and run lilo as root to update the bootloader. 
 +If you use elilo to boot your machine, you should run eliloconfig to copy the 
 +kernel and initrd to the EFI System Partition. 
 +For more information, see: 
 +  * https://seclists.org/oss-sec/2022/q1/81 
 +  Fixed in 4.4.277: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38204 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3679 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37576 
 +  Fixed in 4.4.278: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0920 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781 
 +  Fixed in 4.4.281: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38205 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3732 
 +  Fixed in 4.4.282: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3653 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42008 
 +  Fixed in 4.4.283: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3753 
 +  Fixed in 4.4.284: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40490 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3702 
 +  Fixed in 4.4.285: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20320 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3655 
 +  Fixed in 4.4.288: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4203 
 +  Fixed in 4.4.289: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29374 
 +  Fixed in 4.4.290: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3896 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20321 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3760 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389 
 +  Fixed in 4.4.291: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772 
 +  Fixed in 4.4.292: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37159 
 +  Fixed in 4.4.293: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4202 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3752 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3640 
 +  Fixed in 4.4.294: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4002 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083 
 +  Fixed in 4.4.295: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39685 
 +  Fixed in 4.4.296: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28713 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28711 
 +  Fixed in 4.4.299: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45095 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155 
 +  Fixed in 4.4.300: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43976 
 +  Fixed in 4.4.301: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330 
 +(**Security fix**) 
 + 
 + 
 +==== 2022-01-27 ==== 
 +**expat-2.4.3**:  Rebuilt. 
 +Prevent integer overflow in doProlog. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990 
 +(**Security fix**) 
 + 
 +==== 2022-01-26 ==== 
 +**polkit-0.113**:  Rebuilt. 
 +[PATCH] pkexec: local privilege escalation. 
 +Thanks to Qualys Research Labs for reporting this issue. 
 +For more information, see: 
 +  * https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034 
 +(**Security fix**) 
 + 
 +==== 2022-01-25 ==== 
 + 
 +**expat-2.4.3**:  Rebuilt. 
 +Fix signed integer overflow in function XML_GetBuffer for when 
 +XML_CONTEXT_BYTES is defined to >0 (which is both common and 
 +default). Impact is denial of service or other undefined behavior. 
 +While we're here, also patch a memory leak on output file opening error. 
 +Thanks to marav. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852 
 +(**Security fix**) 
 + 
 +==== 2022-01-19 ==== 
 +**wpa_supplicant-2.9**:  Rebuilt. 
 +This update contains patches for these security issues: 
 +The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant 
 +before 2.10 are vulnerable to side-channel attacks as a result of cache 
 +access patterns. 
 +NOTE: this issue exists because of an incomplete fix for CVE-2019-9495. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23303 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23304 
 +(**Security fix**) 
 + 
 +==== 2022-01-16 ==== 
 +**expat-2.4.3**:  Upgraded. 
 +Fix issues with left shifts by >=29 places resulting in: 
 +  a) realloc acting as free 
 +  b) realloc allocating too few bytes 
 +  c) undefined behavior 
 +Fix integer overflow on variable m_groupSize in function doProlog leading 
 +to realloc acting as free. Impact is denial of service or other undefined 
 +behavior. 
 +Prevent integer overflows near memory allocation at multiple places. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827 
 +(**Security fix**) 
 + 
 + 
 +==== 2021-12-29 ==== 
 + 
 +**wpa_supplicant-2.9**:  Upgraded. 
 +This update fixes the following security issues: 
 +AP mode PMF disconnection protection bypass. 
 +UPnP SUBSCRIBE misbehavior in hostapd WPS AP. 
 +P2P group information processing vulnerability. 
 +P2P provision discovery processing vulnerability. 
 +ASN.1: Validate DigestAlgorithmIdentifier parameters. 
 +Flush pending control interface message for an interface to be removed. 
 +These issues could result in a denial-of-service, privilege escalation, 
 +arbitrary code execution, or other unexpected behavior. 
 +Thanks to nobodino for pointing out the patches. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0326 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0535 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16275 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30004 
 +(**Security fix**) 
 + 
 +==== 2021-12-20 ==== 
 + 
 +**httpd-2.4.52**:  Upgraded. 
 +SECURITY: CVE-2021-44790: Possible buffer overflow when parsing 
 +multipart content in mod_lua of Apache HTTP Server 2.4.51 and 
 +earlier (cve.mitre.org) 
 +A carefully crafted request body can cause a buffer overflow in 
 +the mod_lua multipart parser (r:parsebody() called from Lua 
 +scripts). 
 +The Apache httpd team is not aware of an exploit for the 
 +vulnerabilty though it might be possible to craft one. 
 +This issue affects Apache HTTP Server 2.4.51 and earlier. 
 +Credits: Chamal 
 +SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in 
 +forward proxy configurations in Apache HTTP Server 2.4.51 and 
 +earlier (cve.mitre.org) 
 +A crafted URI sent to httpd configured as a forward proxy 
 +(ProxyRequests on) can cause a crash (NULL pointer dereference) 
 +or, for configurations mixing forward and reverse proxy 
 +declarations, can allow for requests to be directed to a 
 +declared Unix Domain Socket endpoint (Server Side Request 
 +Forgery). 
 +This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 
 +(included). 
 +Credits: ae 1/4*a-o(R)e 1/4 
 +TengMA(@Te3t123) 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224 
 +(**Security fix**) 
 + 
 +**ca-certificates-20211216**:  Upgraded. 
 +This update provides the latest CA certificates to check for the 
 +authenticity of SSL connections. 
 + 
 + 
 +==== 2021-12-16 ==== 
 + 
 +**xorg-server-1.18.3**:  Rebuilt. 
 +Fixes for multiple input validation failures in X server extensions: 
 +render: Fix out of bounds access in SProcRenderCompositeGlyphs() 
 +xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4008 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4009 
 +(**Security fix**) 
 + 
 +**xorg-server-xephyr-1.18.3**:  Rebuilt. 
 + 
 +**xorg-server-xnest-1.18.3**:  Rebuilt. 
 + 
 +**xorg-server-xvfb-1.18.3**:  Rebuilt. 
 + 
 +==== 2021-12-03 ==== 
 + 
 +**mozilla-nss-3.40.1**:  Rebuilt. 
 +This update fixes a critical security issue: 
 +NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are 
 +vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS 
 +signatures. Applications using NSS for handling signatures encoded within 
 +CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications 
 +using NSS for certificate validation or other TLS, X.509, OCSP or CRL 
 +functionality may be impacted, depending on how they configure NSS. 
 +Note: This vulnerability does NOT impact Mozilla Firefox. However, email 
 +clients and PDF viewers that use NSS for signature verification, such as 
 +Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. 
 +Thanks to Tavis Ormandy of Google Project Zero. 
 +For more information, see: 
 +  * https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527 
 +(**Security fix**) 
 + 
 +**mailx-12.5**:  Rebuilt. 
 +Patched a bug where Heirloom mailx produces a "Date:" header that is 
 +incorrect when the system is in the Europe/Dublin timezone (email appears 
 +to have been sent 2 hours earlier). 
 +Thanks to Andrea Biardi. 
 + 
 +==== 2021-10-28 ==== 
 + 
 +**bind-9.11.36**:  Upgraded. 
 +This update fixes bugs and the following security issue: 
 +The "lame-ttl" option is now forcibly set to 0. This effectively disables 
 +the lame server cache, as it could previously be abused by an attacker to 
 +significantly degrade resolver performance. 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25219 
 +(**Security fix**) 
 + 
 +**glibc-zoneinfo-2021e**:  Upgraded. 
 +This package provides the latest timezone updates. 
 + 
 +==== 2021-10-10 ==== 
 + 
 +**httpd-2.4.51**:  Upgraded. 
 +SECURITY: CVE-2021-42013: Path Traversal and Remote Code 
 +Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete 
 +fix of CVE-2021-41773) (cve.mitre.org) 
 +It was found that the fix for CVE-2021-41773 in Apache HTTP 
 +Server 2.4.50 was insufficient.  An attacker could use a path 
 +traversal attack to map URLs to files outside the directories 
 +configured by Alias-like directives. 
 +If files outside of these directories are not protected by the 
 +usual default configuration "require all denied", these requests 
 +can succeed. If CGI scripts are also enabled for these aliased 
 +pathes, this could allow for remote code execution. 
 +This issue only affects Apache 2.4.49 and Apache 2.4.50 and not 
 +earlier versions. 
 +Credits: Reported by Juan Escobar from Dreamlab Technologies, 
 +Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka 
 +For more information, see: 
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013 
 +(**Security fix**) 
 + 
 +==== 2021-10-05 ====
  
 **httpd-2.4.50**:  Upgraded. **httpd-2.4.50**:  Upgraded.
Line 13: Line 1438:
   * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773   * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
 (**Security fix**) (**Security fix**)
-+--------------------------+ 
-Wed Oct  6 00:02:15 UTC 2021 
  
 **ca-certificates-20211005**  Upgraded. **ca-certificates-20211005**  Upgraded.
changelog_14.2.1633493609.txt.gz · Last modified: 2021/10/06 00:13 by connie