User Tools

Site Tools


changelog_14.2

This is an old revision of the document!


Table of Contents

ChangeLog 14.2

Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.

2021-05-23

expat-2.4.1: Upgraded. This update provides new mitigations against the “billion laughs” denial of service attack. For more information, see:

(Security fix)

2021-05-19

libX11-1.7.1: Upgraded. This update fixes missing request length checks in libX11 that can lead to the emission of extra X protocol requests to the X server. For more information, see:

(Security fix)

2021-05-15

libxml2-2.9.12: Upgraded. This update fixes a denial-of-service security issue. For more information, see:

(Security fix)

2021-04-29

bind-9.11.31: Upgraded. This update fixes bugs and the following security issues: A specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO. named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. Insufficient IXFR checks could result in named serving a zone without an SOA record at the apex, leading to a RUNTIME_CHECK assertion failure when the zone was subsequently refreshed. This has been fixed by adding an owner name check for all SOA records which are included in a zone transfer. For more information, see:

(Security fix)

2021-04-12

dnsmasq-2.85: Upgraded. Use random source ports where possible if source addresses/interfaces in use. For more information, see:

(Security fix)

irssi-1.2.3: Upgraded. This update fixes bugs and security issues. See the NEWS file for details. (Security fix)

2021-03-31

curl-7.76.0: Upgraded. This update fixes security issues: Authentication Bypass by Spoofing. Exposure of Private Personal Information to an Unauthorized Actor. For more information, see:

(Security fix)

2021-03-28

xterm-367: Upgraded. This update fixes a security issue: xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence. For more information, see:

(Security fix)

2021-03-14

linux-libre-*-4.4.261: Upgraded. These updates fix various bugs and security issues, including the recently announced iSCSI vulnerabilities allowing local privilege escalation. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

git-2.17.6: Upgraded. This update fixes a security issue: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Credit for finding and fixing this vulnerability goes to Matheus Tavares, helped by Johannes Schindelin. For more information, see:

(Security fix)

ca-certificates-20210308: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

2021-02-09

dnsmasq-2.84: Upgraded. This update fixes bugs and remotely exploitable security issues:

  • Use the values of –min-port and –max-port in outgoing TCP connections to upstream DNS servers.
  • Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687.
  • Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684.
  • Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
  • Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686.

For more information, see:

(Security fix)

2021-01-26

sudo-1.9.5p2: Upgraded. When invoked as sudoedit, the same set of command line options are now accepted as for “sudo -e”. The -H and -P options are now rejected for sudoedit and “sudo -e” which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. For more information, see:

(Security fix)

glibc-zoneinfo-2021a: Upgraded. This package provides the latest timezone updates.

2021-01-14

wavpack-5.4.0: Upgraded. WavPack 5.4.0 fixes an issue where a specially crafted WAV file could cause the wavpack command-line program to crash with an out-of-bounds write. For more information, see:

(Security fix)

xscreensaver-5.45: Upgraded. Here's an upgrade to the latest xscreensaver. Thanks to drumz for the compile fix.

sudo-1.9.5p1: Upgraded. Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit was set-user-ID root unless SELinux RBAC was in use. The editor is now run with the user's real and effective user-IDs.

2021-01-11

sudo-1.9.5: Upgraded. This update fixes security issues: Potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user. Flaw in the temporary file handling of sudoedit's SELinux RBAC support. For more information, see:

(Security fix)

glibc-zoneinfo-2020f: Upgraded. This package provides the latest timezone updates.

ca-certificates-20201219: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

2020-12-12

p11-kit-0.23.22: Upgraded. Fix memory-safety issues that affect the RPC protocol. For more information, see:

(Security fix)

2020-12-09

curl-7.74.0: Upgraded. This release includes the following security related bugfixes:

  • Inferior OCSP verification [93]
  • FTP wildcard stack overflow [95]
  • Trusting FTP PASV responses [97]

For more information, see:

(Security fix)

2020-11-28

bind-9.11.25: Upgraded. This update fixes bugs, including a denial-of-service security issue: After a Negative Trust Anchor (NTA) is added, BIND performs periodic checks to see if it is still necessary. If BIND encountered a failure while creating a query to perform such a check, it attempted to dereference a NULL pointer, resulting in a crash. [GL #2244] (Security fix)

2020-11-25

mutt-1.10.1: Rebuilt. Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. For more information, see:

(Security fix)

ca-certificates-20201105: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

glibc-zoneinfo-2020d: Upgraded. This package provides the latest timezone updates.

linux-libre-*-4.4.240: Upgraded. These updates fix various bugs and security issues, including the recently discovered “Bleeding Tooth” vulnerability in the Bluetooth subsystem (CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490). Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.228:

Fixed in 4.4.229:

Fixed in 4.4.230:

Fixed in 4.4.232:

Fixed in 4.4.233:

Fixed in 4.4.234:

Fixed in 4.4.236:

Fixed in 4.4.237:

Fixed in 4.4.238:

Fixed in 4.4.239:

Fixed in 4.4.240:

(Security fix)

2020-10-20

freetype-2.6.3: Rebuilt. Fix heap buffer overflow in embedded PNG bitmap handling. For more information, see

(Security fix)

glibc-zoneinfo-2020c: Upgraded. This package provides the latest timezone updates.

ca-certificates-20201016: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

rust-1.46.0: Upgraded.

2020-09-23

linux-libre-image-4.4.27: Removed (FXP). From now on, custom kernels will be distributed via Web.

xonotic-0.8.2: Removed (FXP). This low-quality package will be refactored before coming back.

2020-09-18

avahi-0.7: Added (FXP)

libdaemon-0.14: Added (FXP)

libreoffice-6.2.8.2: Rebuilt (FXP). Run freepkg ir avahi and then freepkg u libreoffice to upgrade.

2020-09-05

gnutls-3.6.15: Upgraded. libgnutls: Fixed “no_renegotiation” alert handling at incorrect timing, which could lead to an application crash. [GNUTLS-SA-2020-09-04, CVSS: medium] (Security fix)

2020-08-21

bind-9.11.22: Upgraded. This update fixes three security issues: “update-policy” rules of type “subdomain” were incorrectly treated as “zonesub” rules, which allowed keys used in “subdomain” rules to update names outside of the specified subdomains. The problem was fixed by making sure “subdomain” rules are again processed as described in the ARM. When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet. It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. For more information, see:

(Security fix)

2020-08-19

curl-7.72.0: Upgraded. This update fixes a security issue: libcurl: wrong connect-only connection [98] For more information, see:

(Security fix)

httpd-2.4.46: Upgraded. This is the latest release from the Apache HTTP Server 2.4.x stable branch.

2020-07-23

libreoffice-6.2.8.2: Upgraded (FXP). The full collection of language packs and help packs is not supplied, but they can be installed via libreoffice extension manager.

2020-07-06

libvorbis-1.3.7: Upgraded. Fix out-of-bounds read encoding very low sample rates. For more information, see:

(Security fix)

ca-certificates-20200630: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

2020-06-24

curl-7.71.0: Upgraded. This update fixes security issues: curl overwrite local file with -J [111] Partial password leak over DNS on HTTP redirect [48] For more information, see:

(Security fix)

libjpeg-turbo-2.0.5: Upgraded. This update fixes bugs and a security issue: Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg, TJBench, or the `tjLoadImage()` function if one of the values in a binary PPM/PGM input file exceeded the maximum value defined in the file's header and that maximum value was less than 255. For more information, see:

(Security fix)

2020-06-23

ntp-4.2.8p15: Upgraded. This release fixes one vulnerability: Associations that use CMAC authentication between ntpd from versions 4.2.8p11/4.3.97 and 4.2.8p14/4.3.100 will leak a small amount of memory for each packet. Eventually, ntpd will run out of memory and abort. (Security fix)

sudo-1.8.31p2: Upgraded. This is a bugfix release. For more information, see:

2020-06-18

bind-9.11.20: Upgraded. This update fixes a security issue: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns. For more information, see:

(Security fix)

2020-06-14

R-4.0.1: upgraded (FXP).

pcre2-10.35: added (FXP) as a new requirement for R.

fuse-exfat-1.3.0: added (FXP).

linux-libre-*-4.4.227: Upgraded. These updates fix various bugs and security issues, including a mitigation for SRBDS (Special Register Buffer Data Sampling). SRBDS is an MDS-like speculative side channel that can leak bits from the random number generator (RNG) across cores and threads. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.218:

Fixed in 4.4.219:

Fixed in 4.4.220:

Fixed in 4.4.221:

Fixed in 4.4.222:

Fixed in 4.4.224:

Fixed in 4.4.225:

Fixed in 4.4.226:

Fixed in 4.4.227:

(Security fix)

gnutls-3.6.14: Upgraded. Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2. [GNUTLS-SA-2020-06-03, CVSS: high] (Security fix)

ca-certificates-20200602: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

proftpd-1.3.6d: Upgraded. This is a bugfix release: Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).

2020-05-19

bind-9.11.19: Upgraded. This update fixes security issues: A malicious actor who intentionally exploits the lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and the attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. Replaying a TSIG BADTIME response as a request could trigger an assertion failure. For more information, see:

(Security fix)

libexif-0.6.22: Upgraded. This update fixes bugs and security issues:

  • CVE-2018-20030: Fix for recursion DoS
  • CVE-2020-13114: Time consumption DoS when parsing canon array markers
  • CVE-2020-13113: Potential use of uninitialized memory
  • CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
  • CVE-2020-0093: read overflow
  • CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
  • CVE-2020-12767: fixed division by zero
  • CVE-2016-6328: fixed integer overflow when parsing maker notes
  • CVE-2017-7544: fixed buffer overread

For more information, see:

(Security fix)

2020-05-18

2020-04-21

git-2.17.5: Upgraded. This update fixes a security issue: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent “host” parameter). For more information, see:

(Security fix)

2020-04-17

openvpn-2.4.9: Upgraded. This update fixes a security issue: Fix illegal client float. Thanks to Lev Stipakov. For more information, see:

(Security fix)

2020-04-15

bind-9.11.18: Upgraded. This update fixes a security issue: DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] (Security fix)

2020-04-14

git-2.17.4: Upgraded. This update fixes a security issue: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero. For more information, see:

(Security fix)

2020-03-31

gnutls-3.6.13: Upgraded. This update fixes a security issue: libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol. [GNUTLS-SA-2020-03-31, CVSS: high] (Security fix)

httpd-2.4.43: Upgraded. This release contains security fixes (since 2.4.39) and improvements. For more information, see:

(Security fix)

2020-03-27

linux-libre-*-4.4.217: Upgraded. These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.209:

Fixed in 4.4.210:

Fixed in 4.4.211:

Fixed in 4.4.212:

Fixed in 4.4.215:

Fixed in 4.4.216:

Fixed in 4.4.217:

(Security fix)

2020-03-23

gd-2.3.0: Upgraded. This update fixes bugs and security issues:

  • Potential double-free in gdImage*Ptr().
  • gdImageColorMatch() out of bounds write on heap.
  • Uninitialized read in gdImageCreateFromXbm().
  • Double-free in gdImageBmp.
  • Potential NULL pointer dereference in gdImageClone().
  • Potential infinite loop in gdImageCreateFromGifCtx().

For more information, see:

(Security fix)

NetworkManager-1.8.4: Rebuilt. Recompiled to get PPP working again with the new pppd. Thanks to longus.

sudo-1.8.31p1: Upgraded. This is a bugfix release: Sudo once again ignores a failure to restore the RLIMIT_CORE resource limit, as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root, which resulted in a warning from sudo.

rp-pppoe-3.13: Upgraded. This needed a rebuild for ppp-2.4.8. Thanks to regdub.

2020-03-04

ppp-2.4.8: Upgraded. This update fixes a security issue: By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution. For more information, see:

(Security fix)

2020-02-20

proftpd-1.3.6c: Upgraded. No CVEs assigned, but this sure looks like a security issue: Use-after-free vulnerability in memory pools during data transfer. (Security fix)

2020-02-14

libarchive-3.4.2: Upgraded. This update includes security fixes in the RAR5 reader. (Security fix)

2020-01-31

sudo-1.8.31: Upgraded. This update fixes a security issue: In Sudo before 1.8.31, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in some Linux distributions; however, it is not the default for upstream or in Slackware, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. For more information, see:

(Security fix)

bind-9.11.15: Upgraded. This is a bugfix release: With some libmaxminddb versions, named could erroneously match an IP address not belonging to any subnet defined in a given GeoIP2 database to one of the existing entries in that database. [GL #1552] Fix line spacing in `rndc secroots`. Thanks to Tony Finch. [GL #2478]

2020-01-11

p7zip-16.02: Added (FXP)

2020-01-09

linux-libre-*-4.4.208: Upgraded.

 IPV6_MULTIPLE_TABLES n -> y
+IPV6_SUBTREES y

These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.203:

Fixed in 4.4.204:

Fixed in 4.4.206:

Fixed in 4.4.207:

Fixed in 4.4.208:

(Security fix)

xfce4-weather-plugin-0.8.11: Upgraded. Bugfix release to address the upcoming obsolescence of the locationforecastLTS API from met.no. Thanks to Robby Workman.

libwmf-0.2.8.4: Rebuilt. This is a bugfix release to correct the path for the GDK_PIXBUF_DIR. Thanks to B. Watson and Robby Workman.

2019-12-21

openssl-1.0.2u: Upgraded. This update fixes a low severity security issue: Fixed an an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. For more information, see:

(Security fix)

openssl-solibs-1.0.2u: Upgraded.

tigervnc-1.10.1: Upgraded. From tigervnc.org: “This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow a malicious peer to take control over the software on the other side. No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible.” (Security fix)

2019-12-19

bind-9.11.14: Upgraded. This is a bugfix release: Fixed a bug that caused named to leak memory on reconfiguration when any GeoIP2 database was in use. [GL #1445] Fixed several possible race conditions discovered by Thread Sanitizer.

wavpack-5.2.0: Upgraded. Fixed denial-of-service and other potential security issues. For more information, see:

(Security fix)

ca-certificates-20191130: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

2019-11-21

bind-9.11.13: Upgraded. This update fixes a security issue: Set a limit on the number of concurrently served pipelined TCP queries. For more information, see:

(Security fix)

2019-11-17

linux-libre-*-4.4.202: Upgraded.

  • CRYPTO_CRC32C_INTEL m → y
  • +X86_INTEL_TSX_MODE_AUTO n
  • +X86_INTEL_TSX_MODE_OFF y
  • +X86_INTEL_TSX_MODE_ON n

These updates fix various bugs and security issues, including mitigation for the TSX Asynchronous Abort condition on some CPUs. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.201:

Fixed in 4.4.202:

(Security fix)

2019-11-12

kdelibs-4.14.38: Rebuilt. Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.

kdepim-4.14.10: Rebuilt. Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.

kdepimlibs-4.14.10: Rebuilt. Remove hardcoded TLSv1 allowing TLSv1.1 and TLSv1.2. Thanks to PJ Beers.

linux-libre-*-4.4.199: Upgraded. These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.191:

Fixed in 4.4.193:

Fixed in 4.4.194:

Fixed in 4.4.195:

Fixed in 4.4.196:

Fixed in 4.4.197:

Fixed in 4.4.198:

Fixed in 4.4.199:

(Security fix)

2019-11-04

libtiff-4.1.0: Upgraded. libtiff: fix integer overflow in _TIFFCheckMalloc() that could cause a crash. tif_dir: unset transferfunction field if necessary. pal2rgb: failed to free memory on a few errors. For more information, see:

(Security fix)

2019-10-21

python-2.7.17: Upgraded. This update fixes bugs and security issues: Update vendorized expat library version to 2.2.8. Disallow URL paths with embedded whitespace or control characters into the underlying http client request. Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised. Avoid file reading by disallowing ``local-file:`` and ``local_file:`` URL schemes in :func:`urllib.urlopen`, :meth:`urllib.URLopener.open` and :meth:`urllib.URLopener.retrieve`. For more information, see:

(Security fix)

ca-certificates-20191018: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

sudo-1.8.28p1: Rebuilt. This is a bugfix release: Ensure that /etc/environment exists to prevent complaints from “sudo -i”.

2019-10-14

sudo-1.8.28: Upgraded. Fixed a bug where an sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first. For more information, see:

(Security fix)

2019-10-02

libpcap-1.9.1: Upgraded. This update is required for the new version of tcpdump.

tcpdump-4.9.3: Upgraded. Fix buffer overflow/overread vulnerabilities and command line argument/local issues. For more information, see:

(Security fix)

2019-09-16

expat-2.2.8: Upgraded. Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype. For more information, see:

(Security fix)

2019-09-12

curl-7.66.0: Upgraded. This update fixes security issues: FTP-KRB double-free TFTP small blocksize heap buffer overflow For more information, see:

(Security fix)

glibc-zoneinfo-2019c: Upgraded. This package provides the latest timezone updates.

openssl-1.0.2t: Upgraded. This update fixes low severity security issues: Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey Compute ECC cofactors if not provided during EC_GROUP construction For more information, see:

(Security fix)

openssl-solibs-1.0.2t: Upgraded.

emacs-26.3: Upgraded. This is a bugfix release.

2019-08-27

linux-libre-*-4.4.190: Upgraded. These updates fix various bugs and a minor local denial-of-service security issue. They also change this option:

  • FANOTIFY_ACCESS_PERMISSIONS n → y

This is needed by on-access virus scanning software. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see: Fixed in 4.4.190:

(Security fix)

ca-certificates-20190826: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

bind-9.11.9: Upgraded. This update fixes various bugs and also updates the named.root file in the caching-example configuration to the latest version.

2019-08-14

linux-libre-*-4.4.189: Upgraded. These updates fix various bugs and many security issues, and include the Spectre v1 SWAPGS mitigations. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.187:

Fixed in 4.4.189:

(Security fix)

2019-08-08

kdelibs-4.14.38: Upgraded. kconfig: malicious .desktop files (and others) would execute code. For more information, see:

(Security fix)

2019-07-25

R-3.6.1: Upgraded (FXP)

2019-07-22

linux-libre-*-4.4.186: Upgraded. These updates fix various bugs and many minor security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

curl-7.65.3: Upgraded. This is a bugfix release: Fix a regression that caused the progress meter not to appear. For more information, see:

emacs-26.2: Upgraded. This is a bugfix release. Patched package.el to obey buffer-file-coding-system (bug #35739), fixing bad signature from GNU ELPA for archive-contents. Thanks to Stefan Monnier and Eric Lindblad.

2019-07-14

bzip2-1.0.8: Upgraded. Fixes security issues: bzip2recover: Fix use after free issue with outFile. Make sure nSelectors is not out of range. For more information, see:

(Security fix)

glibc-zoneinfo-2019b: Upgraded. This package provides the latest timezone updates.

rust-1.36.0: Upgraded. Upgraded to the latest Rust compiler for Firefox 68.0.

xscreensaver-5.43: Upgraded. Here's an upgrade to the latest xscreensaver.

2019-07-13

lincity-ng-2.0: added (FXP). LinCity-NG is a city simulation game. It is a polished and improved version of the classic LinCity game. In the game,you are required to build and maintain a city. You can win the game either by building a sustainable economy or by evacuating all citizens with spaceships.

SDL_gfx-2.0.25: added (FXP). SDL graphics drawing primitives and other support functions. The SDL_gfx library evolved out of the SDL_gfxPrimitives code which provided basic drawing routines such as lines, circles or polygons and SDL_rotozoom which implemented a interpolating rotozoomer for SDL surfaces.

jam-2.5: added (FXP). Jam is a program construction tool, like make(1). Jam recursively builds target files from source files, using dependency information and updating actions expressed in the Jambase file, which is written in jam's own interpreted language. The default Jambase is compiled into jam and provides a boilerplate for common use, relying on a user-provide file “Jamfile” to enumerate actual targets and sources.

2019-07-02

icecat-60.7.0: Upgraded (FXP). This update includes upstream features and patches.

(Security fix)

2019-07-01

linux-libre-*-4.4.182: Upgraded. These updates fix various bugs and many security issues, including the “SACK Panic” remote denial-of-service issue. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.174:

Fixed in 4.4.175:

Fixed in 4.4.176:

Fixed in 4.4.177:

Fixed in 4.4.178:

Fixed in 4.4.179:

Fixed in 4.4.180:

Fixed in 4.4.181:

Fixed in 4.4.182:

(Security fix)

irssi-1.1.3: Upgraded. This update fixes a security issue: Use after free when sending SASL login to the server found by ilbelkyr. May affect the stability of Irssi. SASL logins may fail, especially during (manual and automated) reconnect. For more information, see:

(Security fix)

2019-06-20

bind-9.11.8: Upgraded. Fixed a race condition in dns_dispatch_getnext() that could cause an assertion failure if a significant number of incoming packets were rejected. For more information, see:

(Security fix)

ca-certificates-20190617: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

2019-06-16

curl-7.65.1: Upgraded. This is a bugfix release. For more information, see:

openssl-1.0.2s: Upgraded. This is a bugfix release: Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation apps to use 2048 bits by default. [Kurt Roeckx]

openssl-solibs-1.0.2s: Upgraded.

rdesktop-1.8.6: Upgraded. This is a small bug fix release for rdesktop 1.8.5. An issue was discovered soon after release where it was impossible to connect to some servers. This issue has now been fixed, but otherwise this release is identical to 1.8.5.

2019-05-23

curl-7.65.0: Upgraded. This release fixes the following security issues: Integer overflows in curl_url_set tftp: use the current blksize for recvfrom() For more information, see:

(Security fix)

2019-05-16

rdesktop-1.8.5: Upgraded. This update fixes security issues: Add bounds checking to protocol handling in order to fix many security problems when communicating with a malicious server. (Security fix)

2019-04-26

bind-9.11.6_P1: Upgraded. This update fixes a security issue: The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. For more information, see:

(Security fix)

curl-7.64.1: Upgraded. This update fixes a regression in curl-7.64.0 which could lead to 100% CPU usage. Thanks to arcctgx.

2019-04-17

libpng-1.6.37: Upgraded. This update fixes security issues:

  • Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
  • Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
  • Fixed a memory leak in pngtest.c.
  • Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in contrib/pngminus; refactor.

For more information, see:

(Security fix)

libssh2-1.8.2: Upgraded. This update fixes a misapplied userauth patch that broke 1.8.1. Thanks to Ook.

glibc-zoneinfo-2019a: Upgraded. This package provides the latest timezone updates.

2019-04-06

httpd-2.4.39: Upgraded. This release contains security fixes and improvements. In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard. For more information, see:

(Security fix)

2019-04-06

openjpeg-2.3.1: Upgraded. Includes many bug fixes (including security fixes). (Security fix)

wget-1.20.3: Upgraded. Fixed a buffer overflow vulnerability: src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full. For more information, see:

(Security fix)

2019-04-02

ghostscript-9.26: Upgraded. Fixes security issues: A specially crafted PostScript file could have access to the file system outside of the constrains imposed by -dSAFER. Transient procedures can allow access to system operators, leading to remote code execution. For more information, see:

(Security fix)

wget-1.20.2: Upgraded. Fixed an unspecified buffer overflow vulnerability. (Security fix)

2019-03-27

gnutls-3.6.7: Upgraded. Fixes security issues:

  • libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
  • libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694]
  • libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
  • libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690).
  • libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.

(Security fix)

2019-03-19

2019-03-08

ca-certificates-20190308 Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

ntp-4.2.8p13: Upgraded. This release fixes a bug that allows an attacker with access to an explicitly trusted source to send a crafted malicious mode 6 (ntpq) packet that can trigger a NULL pointer dereference, crashing ntpd. It also provides 17 other bugfixes and 1 other improvement. For more information, see:

(Security fix)

2019-03-03

python-2.7.16: Upgraded. Updated to the latest 2.7.x release, which fixes a few security issues. For more information, see:

(Security fix)

2019-03-01

infozip-6.0: Rebuilt. Added some patches that should fix extracting archives with non-latin characters in the filenames. Thanks to saahriktu. This update also fixes various security issues in zip and unzip. For more information, see:

(Security fix)

curl-7.64.0: Rebuilt. Applied upstream patch to fix log spam: [PATCH] multi: remove verbose “Expire in” … messages Thanks to compassnet.

2019-02-27

ca-certificates-20181210: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

openssl-1.0.2r: Upgraded. Go into the error state if a fatal alert is sent or received. If an application calls SSL_shutdown after a fatal alert has occured and then behaves different based on error codes from that function then the application may be vulnerable to a padding oracle. For more information, see:

(Security fix)

openssl-solibs-1.0.2r: Upgraded.

2019-02-23

file-5.36: Upgraded. Fix out-of-bounds read and denial-of-service security issues. For more information, see:

(Security fix)

2019-02-12

lxc-2.0.9_d3a03247: Upgraded. This update fixes a security issue where a malicious privileged container could overwrite the host binary and thus gain root-level code execution on the host. As the LXC project considers privileged containers to be unsafe no CVE has been assigned for this issue for LXC. To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers. To do this LXC creates an anonymous, in-memory file using the memfd_create() system call and copies itself into the temporary in-memory file, which is then sealed to prevent further modifications. LXC then executes this sealed, in-memory file instead of the original on-disk binary. For more information, see:

(Security fix)

2019-02-12

xonotic-0.8.2: added (FXP). A fast-paced first-person shooter geared towards providing addictive arena gameplay. Xonotic is a direct successor of the Nexuiz, which was a fork of DarkPlaces, which was a fork of Quake engine.

2019-02-07

php-5.6.40: Upgraded. Several security bugs have been fixed in this release:

GD:

  • Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
  • Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap).

Mbstring:

  • Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
  • Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
  • Fixed bug #77381 (heap buffer overflow in multibyte match_at).
  • Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
  • Fixed bug #77385 (buffer overflow in fetch_token).
  • Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
  • Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code).

Phar:

  • Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).

Xmlrpc:

  • Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()).
  • Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code).

For more information, see:

(Security fix)

2019-02-07

curl-7.64.0: Upgraded. This release fixes the following security issues:

  • NTLM type-2 out-of-bounds buffer read.
  • NTLMv2 type-3 header stack buffer overflow.
  • SMTP end-of-response out-of-bounds read.

For more information, see:

(Security fix)

2019-02-02

freealut-1.1.0: added (FXP). freealut is a free implementation of OpenAL's ALUT standard.

plib-1.8.5: added (FXP). plib (Steve's Portable Game Library).

PLIB includes sound effects, music, a complete 3D engine, font rendering, a simple Windowing library, a game scripting language, a GUI, networking, 3D math library and a collection of handy utility functions.

torcs-1.3.7: added (FXP). TORCS, The Open Racing Car Simulator is a highly portable multi platform car racing simulation. It is used as ordinary car racing game, as AI racing game and as research platform. It runs on Linux (x86, AMD64 and PPC), FreeBSD, MacOSX and Windows. TORCS features more than 50 different cars, more than 20 tracks, and 50 opponents to race against.

mariadb-10.0.38: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

2019-02-01

linux-libre-*-4.4.172: Upgraded. These updates fix various bugs and many (mostly minor) security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

Fixed in 4.4.159:

Fixed in 4.4.160:

Fixed in 4.4.163:

Fixed in 4.4.164:

Fixed in 4.4.167:

Fixed in 4.4.168:

Fixed in 4.4.169:

Fixed in 4.4.170:

Fixed in 4.4.171:

Fixed in 4.4.172:

(Security fix)

2019-01-23

httpd-2.4.38: Upgraded. This release contains security fixes and improvements.

  • mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused. [Hank Ibell]
  • mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data. [Stefan Eissing]
  • mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052. [Joe Orton]

For more information, see:

(Security fix)

2019-01-14

2019-01-11

glibc-zoneinfo-2018i: Upgraded. This package provides the latest timezone updates.

irssi-1.1.2: Upgraded. This update addresses bugs including security and stability issues:

  • A NULL pointer dereference occurs for an “empty” nick.
  • Certain nick names could result in out-of-bounds access when printing theme strings.
  • Crash due to a NULL pointer dereference w hen the number of windows exceeds the available space.
  • Use-after-free when SASL messages are received in an unexpected order.
  • Use-after-free when a server is disconnected during netsplits.
  • Use-after-free when hidden lines were expired from the scroll buffer.

For more information, see:

(Security fix)

xscreensaver-5.42: Upgraded. Here's an upgrade to the latest xscreensaver.

2018-12-22

netatalk-3.1.12: Upgraded. Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. For more information, see:

(Security fix)

2018-12-08

php-5.6.39: Upgraded. Several security bugs have been fixed in this release:

  • Segfault when using convert.quoted-printable-encode filter.
  • Null pointer dereference in imap_mail.
  • imap_open allows to run arbitrary shell commands via mailbox parameter.
  • PharData always creates new files with mode 0666.
  • Heap Buffer Overflow (READ: 4) in phar_parse_pharfile.

For more information, see:

(Security fix)

2018-12-05

gnutls-3.6.5: Upgraded. This update fixes a security issue: Bleichenbacher-like side channel leakage in PKCS#1 1.5 verification and padding oracle verification. For more information, see:

(Security fix)

nettle-3.4.1: Upgraded. This update fixes a security issue: A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. For more information, see:

(Security fix)

2018-12-03

mozilla-nss-3.40.1: Upgraded. Upgraded to nss-3.40.1 and nspr-4.20. Mitigate cache side-channel variant of the Bleichenbacher attack. For more information, see:

(Security fix)

2018-11-29

samba-4.6.16: Rebuilt. This update patches some security issues:

  • CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server
  • CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT
  • CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server
  • CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers
  • CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)
  • CVE-2018-16857: Bad password count in AD DC not always effective

For more information, see:

(Security fix)

2018-11-22

openssl-1.0.2q: Upgraded. This update fixes a timing side-channel flaw on processors which implement SMT/Hyper-Threading architectures, and a side channel attack on DSA signature generation that could allow an attacker to recover the private key. For more information, see:

(Security fix)

openssl-solibs-1.0.2q: Upgraded.

2018-11-15

icecat-60.3.0: Upgraded (FXP). This update includes upstream features and patches.

(Security fix)

2018-11-12

2018-11-05

2018-10-31

curl-7.62.0: Upgraded. This release fixes the following security issues: SASL password overflow via integer overflow. Use-after-free in handle close. Warning message out-of-buffer read. For more information, see:

(Security fix)

glibc-zoneinfo-2018g: Upgraded. This package provides the latest timezone updates.

httpd-2.4.37: Upgraded. This is the latest release from the Apache HTTP Server 2.4.x stable branch.

2018-10-27

libssh-0.7.6: Upgraded. Fixed authentication bypass vulnerability. For more information, see:

(Security fix)

2018-10-10

git-2.14.5: Upgraded. This update fixes a security issue: Submodules' “URL“s come from the untrusted .gitmodules file, but we blindly gave it to “git clone” to clone submodules when “git clone –recurse-submodules” was used to clone a project that has such a submodule. The code has been hardened to reject such malformed URLs (e.g. one that begins with a dash). Credit for finding and fixing this vulnerability goes to joernchen and Jeff King, respectively. For more information, see:

(Security fix)

httpd-2.4.35: Upgraded. This release fixes bugs and regressions in httpd-2.4.34, adds an apache2ctl → apachectl symlink, and no longer automatically overwrites rc.httpd when upgraded.

extra/llvm/llvm-6.0.1: Upgraded. Moved this package from /patches, since it is not really a required patch. Unless you're planning to rebuild Firefox or Thunderbird (or have some other use-case for a more recent LLVM than was shipped with Slackware 14.2) you probably don't need to upgrade to this package, and it was reported that doing so impacted at least one package provided by slackbuilds.org. So, /extra seems like a better place for this package.

2018-09-22

linux-libre-*-4.4.157: Upgraded. This kernel removes the unnecessary vmacache_flush_all code which could have led to a use-after-free situation and potentially local privilege escalation. In addition, it fixes some regressions which may have led to diminished X performance. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2018-09-15

php-5.6.38: Upgraded. One security bug has been fixed in this release: Apache2: XSS due to the header Transfer-Encoding: chunked For more information, see:

(Security fix)

2018-09-13

ghostscript-9.25: Upgraded. This release fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files), and some additional security issues over the recent 9.24 release. For more information, see:

(Security fix)

lxc-2.0.1: Rebuilt. Added libunistring to the list of initial packages in the Slackware template since it is now required by wget, and without it slackpkg will not function properly. Thanks to mralk3.

2018-09-06

FXP: Mozilla products were purged from FXP, but we still pass on the free+libre dependencies supplied by the upstream, along with their message.

PV: Hey folks, in light of Firefox 52.x ESR reaching EOL a few hours ago, I'm providing some updates. This required adding Rust and a newer version of LLVM as optional updates for Slackware 14.2. And in case it doesn't work for you (perhaps there's an extension you need that's not supported by 60.x ESR), the last Firefox and Thunderbird 52.x EST have been moved to /pasture as a fallback. If there are any more updates to those (but I don't think there will be), I'll make those updates in /pasture as well.

llvm-6.0.1: Upgraded. This upgrade to LLVM is provided because Firefox and Thunderbird require a newer version than what was shipped with Slackware 14.2. The libLLVM shared library from llvm-3.8.0 is also included in this package, so it should be safe to upgrade on Slackware 14.2 systems without breaking anything, but unless you are planning to recompile Firefox or Thunderbird, or you need a newer version of LLVM for some reason, it is optional.

rust-1.28.0: Added. Since Rust is now a requirement to compile Firefox and Thunderbird we are adding it here. Unless you will need to recompile those (or need to compile other code written in Rust), it is an optional addition.

curl-7.61.1: Upgraded. This update fixes an NTLM password overflow via integer overflow. For more information, see:

(Security fix)

ghostscript-9.24: Upgraded. Patched multiple -dSAFER sandbox bypass vulnerabilities. Thanks to Tavis Ormandy. For more information, see:

(Security fix)

2018-08-29

linux-libre-*-4.4.153: Upgraded. This kernel update enables mitigations for L1 Terminal Fault aka Foreshadow and Foreshadow-NG vulnerabilities. Thanks to Bernhard Kaindl for bisecting the boot issue that was preventing us from upgrading to earlier 4.4.x kernels that contained this fix. To see the status of CPU vulnerability mitigations on your system, look at the files in: /sys/devices/system/cpu/vulnerabilities Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2018-08-21

libX11-1.6.6: Upgraded. This update fixes some security issues:

  • Fixed crash on invalid reply (CVE-2018-14598).
  • Fixed off-by-one writes (CVE-2018-14599).
  • Fixed out of boundary write (CVE-2018-14600).

For more information, see:

(Security fix)

2018-08-17

ntp-4.2.8p12: Upgraded. This release improves on one security fix in ntpd:

  • LOW/MEDIUM: Sec 3012: Sybil vulnerability: ephemeral association attack

While fixed in ntp-4.2.8p7 and with significant additional protections for this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in the new noepeer support. Originally reported by Matt Van Gundy of Cisco. Edge-case hole reported by Martin Burnicki of Meinberg. And fixes another security issue in ntpq and ntpdc:

  • LOW: Sec 3505:

The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit, which could allow an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. Reported by Fakhri Zulkifli. For more information, see:

(Security fix)

samba-4.6.16: Upgraded. This is a security release in order to address the following defects:

  • Insufficient input validation on client directory listing in libsmbclient.
  • A malicious server could return a directory entry that could corrupt libsmbclient memory.
  • Confidential attribute disclosure from the AD LDAP server.
  • Missing access control checks allow discovery of confidential attribute values via authenticated LDAP search expressions.

For more information, see:

(Security fix)

2018-08-14

blueman-2.0.6: Rebuilt.

  • Fixed install script to rename config file from .new.
  • Allow users in the netdev group to make changes. Thanks to voleg, kgha, and zakame.

openssl-1.0.2p: Upgraded. This update fixes two low severity security issues:

  • Client DoS due to large DH parameter.
  • Cache timing vulnerability in RSA Key Generation.

For more information, see:

(Security fix)

openssl-solibs-1.0.2p: Upgraded.

xscreensaver-5.40: Upgraded. Here's an upgrade to the latest xscreensaver.

2018-08-10

bind-9.10.8_P1: Upgraded. Fixed a security issue where named could crash during recursive processing of DNAME records when “deny-answer-aliases” was in use resulting in a denial of service. Note that “deny-answer-aliases” is rarely used. For more information, see:

(Security fix)

2018-08-02

lftp-4.8.4: Upgraded. It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system. For more information, see:

(Security fix)

blueman-2.0.6: Upgraded. This update fixes an issue where blueman-mechanism did not enforce the polkit action 'org.blueman.network.setup' for which a polkit policy is shipped. This meant that any user with access to the D-Bus system bus was able to access the related API without authentication. The result was an unspecified impact on the networking stack. Thanks to Matthias Gerstner for discovering this issue.

(Security fix)

2018-07-31

file-5.34: Upgraded. Fixed a denial of service crash when processing a crafted ELF file. For more information, see:

(Security fix)

2018-07-28

linux-libre-*-4.4.144: Upgraded. This kernel update enables additional mitigations for spectre_v2 (IBPB and IBRS_FW). It also enables reporting on the Speculative Store Bypass vulnerability (aka GPZ Variant 4) which affects Intel processors and must be patched with a microcode update. To see the status of CPU vulnerability mitigations on your system, look at the files in: /sys/devices/system/cpu/vulnerabilities In addition, these kernels enable SMB2. Here's the complete list of kernel config changes from the previous 4.4.132:

  • -X86_DEBUG_STATIC_CPU_HAS n
  • CIFS_SMB2 n → y
  • +CC_OPTIMIZE_FOR_PERFORMANCE y
  • +CIFS_SMB311 n
  • +X86_FAST_FEATURE_TESTS y

Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2018-07-21

php-5.6.37: Upgraded. Several security bugs have been fixed in this release, including:

  • Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
  • heap-buffer-overflow (READ of size 48) while reading exif data

(Security fix)

2018-07-18

httpd-2.4.34: Upgraded. This update fixes two denial of service issues:

  • mod_md: DoS via Coredumps on specially crafted requests
  • mod_http2: DoS for HTTP/2 connections by specially crafted requests

For more information, see:

(Security fix)

R-3.5.1: Upgraded (FXP)

2018-07-17

mutt-1.10.1: Upgraded. This update fixes bugs and security issues. Upstream strongly recommends that all IMAP and POP users upgrade as soon as possible.

(Security fix)

2018-07-12

bind-9.10.8: Upgraded. This update fixes security issues: Fixed a bug where extraordinarily large zone transfers caused several problems, with possible outcomes including corrupted journal files or server exit due to assertion failure. Don't permit recursive query service to unauthorized clients. For more information, see:

(Security fix)

curl-7.61.0: Upgraded. This update fixes a buffer overflow in SMTP send. For more information, see:

(Security fix)

zlib-1.2.11: Upgraded. This is a bugfix package update to fix decompression errors when zlib is used with recent versions of Node.js. Thanks to Ken Zalewski for the report.

2018-06-19

gnupg-1.4.23: Upgraded. Sanitize the diagnostic output of the original file name in verbose mode. By using a made up file name in the message it was possible to fake status messages. Using this technique it was for example possible to fake the verification status of a signed mail. For more information, see:

(Security fix)

libcgroup-0.41: Rebuilt. This is a bugfix package update.

  • Make cgexec setgid root (setuid root is an unnecessarily large hammer).
  • Added /etc/cgconfig.d/ directory.
  • Added “LANG=C” in build script to avoid a bug where rc.cgred reports syntax errors at start.

These changes are tested here, and work with unprivileged containers. Thanks to chris.willing.

libcgroup-0.41: Rebuilt. This is a bugfix package update. Make cgexec setuid root, since the cgred group doesn't exist on 14.2. This is how the -2 build was, but the change was inadvertently dropped in the previous update.

libgcrypt-1.7.10: Upgraded. Use blinding for ECDSA signing to mitigate a novel side-channel attack. For more information, see:

(Security fix)

libcgroup-0.41: Rebuilt. This is a bugfix package update. Apply all post 0.41 patches from git, including one for an infinite loop bug that causes 100% CPU usage on one core. Thanks to chris.willing.

2018-06-08

gnupg2-2.0.31: Upgraded. Sanitize the diagnostic output of the original file name in verbose mode. By using a made up file name in the message it was possible to fake status messages. Using this technique it was for example possible to fake the verification status of a signed mail. For more information, see:

(Security fix)

elilo-3.16: Rebuilt. Patched and rebuilt to fix issues with larger kernels.

2018-06-01

git-2.14.4: Upgraded. This update fixes security issues: Submodule “names” come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting ”../” into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). Credit for fixing for these bugs goes to Jeff King, Johannes Schindelin and others. For more information, see:

(Security fix)

glibc-zoneinfo-2018e: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.

2018-05-23

linux-libre-4.4.132: Upgraded. This kernel upgrade is being provided primarily to fix a regression in the getsockopt() function, but it also contains fixes for two denial-of-service security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

procps-ng-3.3.15: Upgraded. Shared library .so-version bump. This update fixes bugs and security issues:

  • library: Fix integer overflow and LPE in file2strvec
  • library: Use size_t for alloc functions
  • pgrep: Fix stack-based buffer overflow
  • ps: Fix buffer overflow in output buffer, causing DOS
  • top: Don't use cwd for location of config

For more information, see:

(Security fix)

2018-05-17

curl-7.60.0: Upgraded. This release contains security fixes:

  • FTP: shutdown response buffer overflow
  • RTSP: bad headers buffer over-read

For more information, see:

(Security fix)

php-5.6.36: Upgraded. This fixes many bugs, including some security issues:

  • Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
  • stream filter convert.iconv leads to infinite loop on invalid sequence
  • Malicious LDAP-Server Response causes crash
  • fix for CVE-2018-5712 may not be complete

For more information, see:

(Security fix)

2018-05-11

2018-05-09

glibc-zoneinfo-2018e: Upgraded. This package provides the latest timezone updates.

wget-1.19.5: Upgraded. Fixed a security issue where a malicious web server could inject arbitrary cookies into the cookie jar file. For more information, see:

(Security fix)

2018-05-04

2018-05-01

2018-04-30

openvpn-2.4.6: Upgraded. This is a security update fixing a potential double-free() in Interactive Service. This usually only leads to a process crash (DoS by an unprivileged local account) but since it could possibly lead to memory corruption if happening while multiple other threads are active at the same time, CVE-2018-9336 has been assigned to acknowledge this risk. For more information, see:

(Security fix)

2018-04-28

R-3.5.0: Upgraded (FXP)

2018-04-18

gd-2.2.5: Upgraded. This update fixes two security issues: Double-free in gdImagePngPtr() (denial of service). Buffer over-read into uninitialized memory (information leak). For more information, see:

(Security fix)

2018-04-06

patch-2.7.6: Upgraded. Fix arbitrary shell execution possible with obsolete ed format patches. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156

(Security fix)

libidn-1.34: Upgraded. This update fixes security issues:

  • Fix integer overflow in combine_hangul()
  • Fix integer overflow in punycode decoder
  • Fix NULL pointer dereference in g_utf8_normalize()
  • Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()

(Security fix)

2018-04-03

puddletag-1.2.0: Upgraded (FXP)

2018-04-01

php-5.6.35: Upgraded. This update fixes a security issue where sensitive data belonging to other accounts might be accessed by a local user. For more information, see: http://bugs.php.net/75605

(Security fix)

2018-03-29

ruby-2.2.10: Upgraded. This release includes some bug fixes and some security fixes:

  • HTTP response splitting in WEBrick.
  • Unintentional file and directory creation with directory traversal in tempfile and tmpdir.
  • DoS by large request in WEBrick.
  • Buffer under-read in String#unpack.
  • Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket.
  • Unintentional directory traversal by poisoned NUL byte in Dir.
  • Multiple vulnerabilities in RubyGems.

For more information, see:

(Security fix)

openssl-1.0.2o: Upgraded. This update fixes a security issue: Constructed ASN.1 types with a recursive definition could exceed the stack. For more information, see:

(Security fix)

openssl-solibs-1.0.2o: Upgraded.

glibc-zoneinfo-2018d: Upgraded. This package provides the latest timezone updates.

2018-03-20

New FXP packages: ftgl-2.1.3_rc5, projectM-2.1.0

2018-03-18

2018-03-16

curl-7.59.0: Upgraded. This update fixes security issues: FTP path trickery leads to NIL byte out of bounds write LDAP NULL pointer dereference RTSP RTP buffer over-read For more information, see:

(Security fix)

R-3.4.4: Upgraded (FXP)

2018-03-13

samba-4.4.16: Rebuilt. This is a security update in order to patch the following defect: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users` passwords, including administrative users. For more information, see:

(Security fix)

libtool-2.4.6: Rebuilt. Rebuilt to fix the embedded GCC version number. Thanks to David Spencer.

openssh-7.4p1: Rebuilt. sftp-server: in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. Thanks to arny (of Bluewhite64 fame) for the heads-up. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906

(Security fix)

php-5.6.34: Upgraded. This update fixes a stack buffer overflow vulnerability. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584

(Security fix)

2018-03-04

icecat-52.6.0: Upgraded (FXP). This update includes upstream features and patches. https://www.mozilla.org/en-US/firefox/52.6.0/releasenotes/

(Security fix)

linux-libre-*-4.4.118: Upgraded. This kernel includes __user pointer sanitization mitigation for the Spectre (variant 1) speculative side channel attack. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

(Security fix)

You may have to force slackpkg to load the files, even though ChangeLog hasn't changed.

2018-03-01

dhcp-4.4.1: Upgraded. This update fixes two security issues:

(Security fix)

ntp-4.2.8p11: Upgraded. This release addresses five security issues in ntpd:

(Security fix)

wget-1.19.4: Rebuilt. Applied upstream patch to fix logging in background mode. Thanks to Willy Sudiarto Raharjo.

2018-02-23

compton-316eac0613bf342ff91cc645a6c3c80e6b9083fb: Upgraded.

New FXP package: gtklife-5.2

2018-02-15

2018-02-11

New FXP package: unrar-5.5.8

2018-02-09

linux-libre-*-4.4.115: Upgraded. This kernel includes full retpoline mitigation for the Spectre (variant 2) speculative side channel attack. Please note that this kernel was compiled with gcc-5.5.0, also provided as an update for Slackware FreeSlack 14.2. You'll need to install the updated gcc in order to compile kernel modules that will load into this updated kernel. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

You may have to force slackpkg to load the files, even though ChangeLog hasn't changed.

2018-02-08

New FXP package: ghc-7.10.3

2018-02-07

gcc-5.5.0: Upgraded. Upgraded to the latest gcc-5 release, with patches to support -mindirect-branch=thunk-extern, allowing full mitigation of Spectre v2 in the kernel (when CONFIG_RETPOLINE is used).

  • gcc-g++-5.5.0: Upgraded.
  • gcc-gfortran-5.5.0: Upgraded.
  • gcc-gnat-5.5.0: Upgraded.
  • gcc-go-5.5.0: Upgraded.
  • gcc-java-5.5.0: Upgraded.
  • gcc-objc-5.5.0: Upgraded.

2018-02-04

php-5.6.33: Upgraded. This update fixes bugs and security issues, including: Potential infinite loop in gdImageCreateFromGifCtx. Reflected XSS in .phar 404 page. For more information, see:

(Security fix)

mariadb-10.0.34: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

rsync-3.1.3: Upgraded. This update fixes two security issues: Fixed a buffer overrun in the protocol's handling of xattr names and ensure that the received name is null terminated. Fix an issue with –protect-args where the user could specify the arg in the protected-arg list and short-circuit some of the arg-sanitizing code. For more information, see:

(Security fix)

curl-7.58.0: Rebuilt. Recompiled using –with-libssh2, which is evidently no longer a default option. Thanks to Markus Wiesner.

2018-01-24

curl-7.58.0: Upgraded. This update fixes security issues: HTTP authentication leak in redirects HTTP/2 trailer out-of-bounds read For more information, see:

(Security fix)

glibc-zoneinfo: Upgraded. This package provides the latest timezone updates.

wget-1.19.4: Upgraded. More bug fixes: A major bug that caused GZip'ed pages to never be decompressed has been fixed Support for Content-Encoding and Transfer-Encoding have been marked as experimental and disabled by default

2018-01-18

bind-9.10.6_P1: Upgraded. This update fixes a high severity security issue: Improper sequencing during cleanup can lead to a use-after-free error, triggering an assertion failure and crash in named. For more information, see:

(Security fix)

2018-01-17

linux-libre-*-4.4.111: Upgraded. This kernel includes mitigations for the Spectre (variant 2) and Meltdown speculative side channel attacks. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2018-01-09

irssi-1.0.6: Upgraded. This update fixes multiple security vulnerabilities. For more information, see:

(Security fix)

xscreensaver-5.38: Upgraded. Here's an upgrade to the latest xscreensaver.

2018-01-05

R-3.4.3: Upgraded (FXP)

2017-12-20

ruby-2.2.9: Upgraded. This update fixes a security issue: Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character “|”, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution. For more information, see:

(Security fix)

2017-12-08

openssl-1.0.2n: Upgraded. This update fixes security issues: Read/write after SSL object in error state rsaz_1024_mul_avx2 overflow bug on x86_64 For more information, see:

(Security fix)

openssl-solibs-1.0.2n: Upgraded.

curl-7.57.0: Upgraded. This update fixes security issues: SSL out of buffer access FTP wildcard out of bounds read NTLM buffer overflow via integer overflow For more information, see:

(Security fix)

libXcursor-1.1.15: Upgraded. Fix heap overflows when parsing malicious files. (CVE-2017-16612) It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads. For more information, see:

(Security fix)

libXfont-1.5.1: Rebuilt. Open files with O_NOFOLLOW. (CVE-2017-16611) A non-privileged X client can instruct X server running under root to open any file by creating own directory with “fonts.dir”, “fonts.alias” or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog (which could then reboot the system). For more information, see:

(Security fix)

2017-11-28

samba-4.4.16: Rebuilt. This is a security update in order to patch the following defects:

  • CVE-2017-14746 (Use-after-free vulnerability.)

All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.

  • CVE-2017-15275 (Server heap memory information leak.)

All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server allocated heap memory may be returned to the client without being cleared.

For more information, see:

(Security fix)

2017-11-21

libtiff-4.0.9: Upgraded. This release contains security fixes and improvements. For more information, see:

(Security fix)

2017-11-16

2017-11-04

New FXP packages:

  • gnucash-2.6.13 and its pre-requisites
  • goffice0.8-0.8.17
  • libgnomecanvas
  • libofx-0.9.11
  • libwebp-0.6.0
  • webkitgtk-2.4.11

2017-11-03

mariadb-10.0.33: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

openssl-1.0.2m: Upgraded. This update fixes a security issue: There is a carry propagating bug in the x64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. For more information, see:

(Security fix)

openssl-solibs-1.0.2m: Upgraded.

2017-10-27

NetworkManager-1.8.4: Upgraded. This update is provided to address issues with wifi scanning when using the new wpa_supplicant with certain hardware drivers. If you're not having problems, you don't need this update (but it probably won't hurt).

network-manager-applet-1.8.4: Upgraded. This package goes along with the optional NetworkManager update.

php-5.6.32: Upgraded. Several security bugs were fixed in this release: Out of bounds read in timelib_meridian(). The arcfour encryption stream filter crashes PHP. Applied upstream patch for PCRE (CVE-2016-1283). For more information, see:

(Security fix)

wget-1.19.2: Upgraded. This update fixes stack and heap overflows in in HTTP protocol handling. For more information, see:

(Security fix)

2017-10-26

glibc-zoneinfo-2017c: Upgraded. This package provides the latest timezone updates.

httpd-2.4.29: Upgraded. This is a bugfix release.

irssi-1.0.5: Upgraded. This update fixes some remote denial of service issues. For more information, see:

(Security fix)

xfce4-weather-plugin-0.8.10: Upgraded. This has a bugfix related to setting the location: https://bugzilla.xfce.org/show_bug.cgi?id=13877

2017-10-24

curl-7.56.1: Upgraded. This update fixes a security issue: IMAP FETCH response out of bounds read may cause a crash or information leak. For more information, see:

(Security fix)

2017-10-06

libXres-1.2.0: Upgraded. Integer overflows may allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XResQueryClients and (2) XResQueryClientResources functions. For more information, see:

(Security fix)

wpa_supplicant-2.6: Upgraded. This update includes patches to mitigate the WPA2 protocol issues known as “KRACK” (Key Reinstallation AttaCK), which may be used to decrypt data, hijack TCP connections, and to forge and inject packets. This is the list of vulnerabilities that are addressed here:

(Security fix)

xorg-server-1.18.3: Rebuilt. This update fixes integer overflows and other possible security issues. For more information, see:

(Security fix)

xorg-server-xephyr-1.18.3: Rebuilt.

xorg-server-xnest-1.18.3: Rebuilt.

xorg-server-xvfb-1.18.3: Rebuilt.

2017-10-06

curl-7.56.0: Upgraded. This update fixes a security issue: libcurl may read outside of a heap allocated buffer when doing FTP. For more information, see:

(Security fix)

openjpeg-2.3.0: Upgraded. This update fixes security issues which may lead to a denial of service or possibly remote code execution. For more information, see:

(Security fix)

xorg-server-1.18.3: Rebuilt. This update fixes two security issues: Xext/shm: Validate shmseg resource id, otherwise it can belong to a non-existing client and abort X server with FatalError “client not in use”, or overwrite existing segment of another existing client. Generating strings for XKB data used a single shared static buffer, which offered several opportunities for errors. Use a ring of resizable buffers instead, to avoid problems when strings end up longer than anticipated. For more information, see:

(Security fix)

xorg-server-xephyr-1.18.3: Rebuilt.

xorg-server-xnest-1.18.3: Rebuilt.

xorg-server-xvfb-1.18.3: Rebuilt.

2017-10-02

dnsmasq-2.78: Upgraded. This update fixes bugs and remotely exploitable security issues that may have impacts including denial of service, information leak, and execution of arbitrary code. Thanks to Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes, and Gynvael Coldwind of the Google Security Team. For more information, see:

(Security fix)

2017-10-01

2017-09-28

gegl-0.2.0: Rebuilt. Patched integer overflows in operations/external/ppm-load.c that could allow a denial of service (application crash) or possibly the execution of arbitrary code via a large width or height value in a ppm image. For more information, see:

(Security fix)

2017-09-23

libxml2-2.9.5: Upgraded. This release fixes some security issues: Detect infinite recursion in parameter entities (Nick Wellnhofer), Fix handling of parameter-entity references (Nick Wellnhofer), Disallow namespace nodes in XPointer ranges (Nick Wellnhofer), Fix XPointer paths beginning with range-to (Nick Wellnhofer). (Security fix)

python-2.7.14: Upgraded. Updated to the latest 2.7.x release. This fixes some security issues related to the bundled expat library. For more information, see:

(Security fix)

2017-09-21

samba-4.4.16: Upgraded. This is a security release in order to address the following defects: SMB1/2/3 connections may not require signing where they should. A man in the middle attack may hijack client connections. SMB3 connections don't keep encryption across DFS redirects. A man in the middle attack can read and may alter confidential documents transferred via a client connection, which are reached via DFS redirect when the original connection used SMB3. Server memory information leak over SMB1. Client with write access to a share can cause server memory contents to be written into a file or printer. For more information, see:

(Security fix)

2017-09-18

httpd-2.4.27: Rebuilt. This update patches a security issue (“Optionsbleed”) with the OPTIONS http method which may leak arbitrary pieces of memory to a potential attacker. Thanks to Hanno Bo:ck. For more information, see:

(Security fix)

libgcrypt-1.7.9: Upgraded. Mitigate a local side-channel attack on Curve25519 dubbed “May the Fourth be With You”. For more information, see:

(Security fix)

ruby-2.2.8: Upgraded. This release includes several security fixes. For more information, see:

(Security fix)

2017-09-16

bluez-5.47: Upgraded. Fixed an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. For more information, see:

(Security fix)

linux-libre-*-4.4.88: Upgraded. This update fixes the security vulnerability known as “BlueBorne”. The native Bluetooth stack in the Linux Kernel (BlueZ), starting at Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in the processing of L2CAP configuration responses resulting in remote code execution in kernel space. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2017-09-12

emacs-25.3: Upgraded. This update fixes a security vulnerability in Emacs. Gnus no longer supports “richtext” and “enriched” inline MIME objects. This support was disabled to avoid evaluation of arbitrary Lisp code contained in email messages and news articles. For more information, see:

(Security fix)

libzip-1.0.1: Rebuilt. Fix a denial of service security issue. For more information, see:

(Security fix)

2017-09-08

bash-4.3.048: Upgraded. This update fixes two security issues found in bash before 4.4: The expansion of '\h' in the prompt string allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. The theoretical attack vector is a hostile DHCP server providing a crafted hostname, but this is unlikely to occur in a normal Slackware configuration as we ignore the hostname provided by DHCP. Specially crafted SHELLOPTS+PS4 environment variables used against bogus setuid binaries using system()/popen() allowed local attackers to execute arbitrary code as root. For more information, see:

(Security fix)

mariadb-10.0.32: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

mozilla-nss-3.31.1: Upgraded. Upgraded to nss-3.31.1 and nspr-4.16. This is a bugfix release.

tcpdump-4.9.2: Upgraded. This update fixes bugs and many security issues (see the included CHANGES file). For more information, see:

(Security fix)

2017-09-03

icecat-52.3.0: Upgraded. This update includes upstream features and patches. https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/ (Security fix)

2017-08-12

xorg-server-1.18.3: Rebuilt. This update fixes two security issues: a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server allowed authenticated malicious users to access potentially privileged data from the X server. For more information, see:

(Security fix)

xorg-server-xephyr-1.18.3: Rebuilt.

xorg-server-xnest-1.18.3: Rebuilt.

xorg-server-xvfb-1.18.3: Rebuilt.

2017-08-12

git-2.14.1: Upgraded. Fixes security issues: A "ssh://..." URL can result in a “ssh” command line with a hostname that begins with a dash “-”, which would cause the “ssh” command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage). Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash “-” as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage). For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117 (Security fix)

libsoup-2.52.2: Rebuilt. Fixed a chunked decoding buffer overrun that could be exploited against either clients or servers. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885 (Security fix)

mercurial-4.3.1: Upgraded. Fixes security issues: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. For more information, see:

(Security fix)

subversion-1.9.7: Upgraded. Fixed client side arbitrary code execution vulnerability. For more information, see:

(Security fix)

2017-08-11

curl-7.55.0: Upgraded. This update fixes three security issues:

  • URL globbing out of bounds read
  • TFTP sends more than buffer size
  • FILE buffer read out of bounds

For more information, see:

(Security fix)

glibc-2.23: Rebuilt. Fixed a regression with the recent glibc patch packages: Don't clobber the libm.so linker script with a symlink. Thanks to guanx.

glibc-i18n-2.23: Rebuilt.

glibc-profile-2.23: Rebuilt.

glibc-solibs-2.23: Rebuilt.

2017-08-20

gnupg-1.4.22: Upgraded. Mitigate a flush+reload side-channel attack on RSA secret keys dubbed “Sliding right into disaster”. For more information, see:

(Security fix)

2017-07-28

squashfs-tools-4.3: Rebuilt. Patched a couple of denial of service issues and other bugs. For more information, see:

(Security fix)

dbus-1.10.8: Rebuilt. Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't need it and 2) it can cause the boot process to hang if dbus times out. Thanks to SeB for a link to the bug report and patch.

bind-9.10.5_P3: Upgraded. Fix a regression in the previous BIND release that broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. Compiled to use libidn rather than the deprecated (and broken) idnkit.

2017-07-14

tcpdump-4.9.1: Upgraded. This update fixes an issue where tcpdump 4.9.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11108 (Security fix)

expat-2.2.2: Upgraded. Fixes security issues including: external entity infinite loop DoS. For more information, see:

(Security fix)

gd-2.2.4: Upgraded. Fixes security issues: gdImageCreate() doesn't check for oversized images and as such is prone to

  • DoS vulnerabilities. (CVE-2016-9317)
  • double-free in gdImageWebPtr() (CVE-2016-6912)
  • potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
  • DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
  • Signed Integer Overflow gd_io.c (CVE-2016-10168)

For more information, see:

(Security fix)

libtirpc-1.0.2: Upgraded. This is a bugfix release.

rpcbind-0.2.4: Rebuilt. Fixed a bug in a previous patch where a svc_freeargs() call ended up freeing a static pointer causing rpcbind to crash. Thanks to Jonathan Woithe, Rafael Jorge Csura Szendrodi, and Robby Workman for identifying the problem and helping to test a fix.

2017-07-14

mariadb-10.0.31: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

samba-4.4.15 Upgraded. This update fixes an authentication validation bypass security issue: “Orpheus' Lyre mutual authentication validation bypass” All versions of Samba from 4.0.0 onwards using embedded Heimdal Kerberos are vulnerable to a man-in-the-middle attack impersonating a trusted server, who may gain elevated access to the domain by returning malicious replication or authorization data. Samba binaries built against MIT Kerberos are not vulnerable. For more information, see:

(Security fix)

httpd-2.4.27 Upgraded. This update fixes two security issues: Read after free in mod_http2 (CVE-2017-9789) Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788) Thanks to Robert Swiecki for reporting these issues. For more information, see:

(Security fix)

2017-07-10

libtirpc-1.0.1: Rebuilt. Patched a bug which can cause a denial of service through memory exhaustion. Thanks to Robby Workman. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 (Security fix)

rpcbind-0.2.4: Upgraded. Patched a bug which can cause a denial of service through memory exhaustion. Thanks to Robby Workman. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 (Security fix)

2017-07-09

irssi-1.0.4: Upgraded. This release fixes two remote crash issues as well as a few bugs. For more information, see:

(Security fix)

2017-07-07

ca-certificates-20161130: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

php-5.6.31: Upgraded. This release fixes bugs and security issues. For more information, see:

(Security fix)

glibc-2.23: Rebuilt. Recompiled with upstream patch from git: “[PATCH] X86: Don't assert on older Intel CPUs [BZ #20647]” This fixes an ldconfig failure on older Intel CPUs including Pentium MMX.

glibc-i18n-2.23: Rebuilt.

glibc-profile-2.23: Rebuilt.

glibc-solibs-2.23: Rebuilt.

xscreensaver-5.37: Upgraded. Here's an upgrade to the latest xscreensaver.

2017-07-02

linux-libre-*-4.4.75: Upgraded. This kernel fixes security issues that include possible stack exhaustion, memory corruption, and arbitrary code execution. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2017-07-01

2017-06-29

bind-9.10.5_P2: Upgraded. This update fixes a high severity security issue: an error in TSIG handling could permit unauthorized zone transfers or zone updates. For more information, see:

(Security fix)

httpd-2.4.26: Upgraded. This update fixes security issues which may lead to an authentication bypass or a denial of service:

  • important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
  • important: mod_ssl Null Pointer Dereference CVE-2017-3169
  • important: mod_http2 Null Pointer Dereference CVE-2017-7659
  • important: ap_find_token() Buffer Overread CVE-2017-7668
  • important: mod_mime Buffer Overread CVE-2017-7679

For more information, see:

(Security fix)

libgcrypt-1.7.8: Upgraded. Mitigate a local flush+reload side-channel attack on RSA secret keys dubbed “Sliding right into disaster”. For more information, see:

(Security fix)

mkinitrd-1.4.10: Upgraded. Added support for -P option and MICROCODE_ARCH in mkinitrd.conf to specify a microcode archive to be prepended to the initrd for early CPU microcode patching by the kernel. Thanks to SeB.

2017-06-27

linux-libre-*-4.4.74: Upgraded. This kernel fixes two “Stack Clash” vulnerabilities reported by Qualys. The first issue may allow attackers to execute arbitrary code with elevated privileges. Failed attack attempts will likely result in denial-of-service conditions. The second issue can be exploited to bypass certain security restrictions and perform unauthorized actions.

Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

nasm-2.13.01: Upgraded. This update is needed for some newer projects to compile properly.

2017-06-21

2017-06-15

bind-9.10.5_P1: Upgraded. Fixed denial of service security issue: some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. For more information, see:

(Security fix)

pkg-config-0.29.2: Upgraded. This is a bugfix release, and is needed for some updates on slackbuilds.org to compile properly. Thanks to Willy Sudiarto Raharjo.

2017-06-08

irssi-1.0.3: Upgraded. Fixed security issues that may result in a denial of service. For more information, see:

(Security fix)

sudo-1.8.20p2: Upgraded. This is a bugfix release: Fixed a bug parsing /proc/pid/stat when the process name contains a newline. This is not exploitable due to the /dev traversal changes made in sudo 1.8.20p1.

2017-05-30

lynx-2.8.8rel.2: Rebuilt. Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use the new URL for the Lynx homepage. Thanks to John David Yost.

sudo-1.8.20p1: Upgraded. This update fixes a potential overwrite of arbitrary system files. This bug was discovered and analyzed by Qualys, Inc. For more information, see:

(Security fix)

2017-05-25

icecat-52.1.0: Upgraded. This marks a switch to a repackaged binary build by Gnuzilla. (Security fix)

2017-05-24

samba-4.4.14: Upgraded. This update fixes a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. For more information, see https://www.samba.org/samba/security/CVE-2017-7494.html and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494 (Security fix)

gkrellm-2.3.10: Upgraded. This is a bugfix release to fix a broken gkrellm.pc.

2017-05-16

freetype-2.6.3: Rebuilt. This update fixes an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287 (Security fix)

kdelibs-4.14.32: Upgraded. This update fixes a security issue with KAuth that can lead to gaining root from an unprivileged account. For more information, see:

(Security fix)

2017-05-01

rxvt-2.7.10: Rebuilt. Patched an integer overflow that can crash rxvt with an escape sequence, or possibly have unspecified other impact. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7483 (Security fix)

xfce4-weather-plugin-0.8.9: Upgraded. Package upgraded to fix the API used to fetch weather data. Thanks to Robby Workman.

2017-04-23

getmail-4.54.0: Upgraded. This is a bugfix release to fix a failure to retrieve HTML formatted emails that contain a line longer than 1024 characters. Thanks to Edward Trumbo.

ntp-4.2.8p10: Upgraded. In addition to bug fixes and enhancements, this release fixes security issues of medium and low severity:

  • Denial of Service via Malformed Config (Medium)
  • Authenticated DoS via Malicious Config Option (Medium)
  • Potential Overflows in ctl_put() functions (Medium)
  • Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
  • 0rigin DoS (Medium)
  • Buffer Overflow in DPTS Clock (Low)
  • Improper use of snprintf() in mx4200_send() (Low)
  • The following issues do not apply to Linux systems:
  • Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
  • Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
  • Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)

For more information, see:

(Security fix)

proftpd-1.3.5e: Upgraded. This release fixes a security issue: AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418 (Security fix)

2017-04-19

minicom-2.7.1: Upgraded. Fix an out of bounds data access that can lead to remote code execution. This issue was found by Solar Designer of Openwall during a security audit of the Virtuozzo 7 product, which contains derived downstream code in its prl-vzvncserver component. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467 (Security fix)

2017-04-14

2017-04-08

2017-04-01

samba-4.4.13: Upgraded. This is a bug fix release to address a regression introduced by the security fixes for CVE-2017-2619 (Symlink race allows access outside share definition). Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details.

2017-03-28

mariadb-10.0.30: Upgraded. This update fixes security issues: Crash in libmysqlclient.so. Difficult to exploit vulnerability allows low privileged attacker with logon to compromise the server. Successful attacks of this vulnerability can result in unauthorized access to data. For more information, see:

(Security fix)

2017-03-24

glibc-zoneinfo-2017b: Upgraded. This package provides the latest timezone updates.

mcabber-1.0.5: Upgraded. This update fixes a security issue: An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5604 (Security fix)

samba-4.4.12: Upgraded. This update fixes a security issue: All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619 (Security fix)

2017-03-15

glibc-zoneinfo-2017a: Upgraded. This package provides the latest timezone updates.

libcgroup-0.41: Rebuilt. This is a bugfix package update. Fixed rc.cgred to source the correct config file. Don't remove the entire cgroup file system with “rc.cgconfig stop”. Thanks to chris.willing. NOTE: Be sure to install any .new config files.

pidgin-2.12.0: Upgraded. This update fixes a minor security issue (out of bounds memory read in purple_markup_unescape_entity). For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640 (Security fix)

2017-03-08

R-3.3.3, icecat-45.7.0: Upgraded.

2017-02-05

murrine, murrine-themes: Added to FXP.

2017-02-04

libreoffice-5.3.0: Added to FXP.

2017-01-29

nted (NoteEdit): Added to FXP.

2017-01-14

SDL2, SDL2_image, physfs, supertux: Added to FXP.

2017-01-09

nethack-3.6.0, fontforge-20150824: Added to FXP.

2016-12-17

Fixed up output formatting in freepkg, which is now ready for testing; please let us know if you have comments, feature requests, or package requests.

2016-12-15

meld3, gtksourceview3, glade: Added to FXP.

2016-12-13

Kernel upgrade 4.4.29 → 4.4.38

2016-12-05

icecat-45.5.1: Upgraded.

2016-11-03

Kernel upgrade 4.4.19 → 4.4.29

2016-10-26

linux-libre-image 4.4.27 fixes Dirty COW (CVE-2016-5195)

2016-08-26

Kernel upgrade 4.4.14 → 4.4.19

2016-08-09

Purged non-free font-bh-ttf and font-bh-type1 from the main repository.

2016-08-09

icecat-38.8.0: Rebuilt to avoid unidentified crashes on some CPUs.

changelog_14.2.1621811329.txt.gz · Last modified: 2021/05/23 19:08 by connie