User Tools

Site Tools


changelog_14.2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
changelog_14.2 [2021/05/25 22:25] – [2021-05-23] conniechangelog_14.2 [2023/12/23 13:40] (current) – [2023-12-20] connie
Line 3: Line 3:
 Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding. Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.
  
 +
 +==== 2023-12-23 ====
 +
 +**proftpd-1.3.8b**:  Upgraded.
 +This update fixes a security issue:
 +mod_sftp: implemented mitigations for "Terrapin" SSH attack.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +(**Security fix**)
 +
 +
 +==== 2023-12-20 ====
 +
 +**libssh-0.10.6**:  Upgraded.
 +This update fixes security issues:
 +Command injection using proxycommand.
 +Potential downgrade attack using strict kex.
 +Missing checks for return values of MD functions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6004
 +  * https://www.cve.org/CVERecord?id=CVE-2023-48795
 +  * https://www.cve.org/CVERecord?id=CVE-2023-6918
 +(**Security fix**)
 +
 +**sudo-1.9.15p4**:  Upgraded.
 +This is a bugfix release.
 +
 +**libxml2-2.11.6**:  Upgraded.
 +We're going to drop back to the 2.11 branch here on the stable releases
 +since it has all of the relevant security fixes and better compatibility.
 +
 +**sudo-1.9.15p3**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-12-13 ====
 +
 +**libxml2-2.12.3**:  Upgraded.
 +This update addresses regressions when building against libxml2 that were
 +due to header file refactoring.
 +
 +**libxml2-2.12.2**:  Upgraded.
 +Add --sysconfdir=/etc option so that this can find the xml catalog.
 +Thanks to SpiderTux.
 +Fix the following security issues:
 +Fix integer overflows with XML_PARSE_HUGE.
 +Fix dict corruption caused by entity reference cycles.
 +Hashing of empty dict strings isn't deterministic.
 +Fix null deref in xmlSchemaFixupComplexType.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40303
 +  * https://www.cve.org/CVERecord?id=CVE-2022-40304
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29469
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28484
 +(**Security fix**)
 +
 +**ca-certificates-20231117**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**sudo-1.9.15p1**:  Upgraded.
 +This is a bugfix release:
 +Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based sudoers
 +from being able to read the ldap.conf file.
 +
 +==== 2023-11-08 ====
 +
 +**sudo-1.9.15**:  Upgraded.
 +The sudoers plugin has been modified to make it more resilient to ROWHAMMER
 +attacks on authentication and policy matching.
 +The sudoers plugin now constructs the user time stamp file path name using
 +the user-ID instead of the user name. This avoids a potential problem with
 +user names that contain a path separator ('/') being interpreted as part of
 +the path name.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42465
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42456
 +(**Security fix**)
 +
 +
 +==== 2023-10-20 ====
 +
 +**httpd-2.4.58**:  Upgraded.
 +This update fixes bugs and security issues:
 +moderate: Apache HTTP Server: HTTP/2 stream memory not reclaimed
 +right away on RST.
 +low: mod_macro buffer over-read.
 +low: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.58
 +  * https://www.cve.org/CVERecord?id=CVE-2023-45802
 +  * https://www.cve.org/CVERecord?id=CVE-2023-31122
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43622
 +(**Security fix**)
 +
 +==== 2023-10-16 ====
 +
 +**curl-8.4.0**:  Upgraded.
 +This update fixes security issues:
 +Cookie injection with none file.
 +SOCKS5 heap buffer overflow.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-38546.html
 +  * https://curl.se/docs/CVE-2023-38545.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38546
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38545
 +(**Security fix**)
 +
 +<code>
 +Mon Oct  9 18:10:01 UTC 2023
 +####################################################################
 +# NOTICE OF INPENDING EOL (END OF LIFE) FOR OLD SLACKWARE VERSIONS #
 +#                                                                  #
 +# Effective January 1, 2024, security patches will no longer be    #
 +# provided for the following versions of Slackware (which will all #
 +# be more than 7 years old at that time):                          #
 +#   Slackware 14.0, Slackware 14.1, Slackware 14.2.                #
 +# If you are still running these versions you should consider      #
 +# migrating to a newer version (preferably as recent as possible). #
 +# Alternately, you may make arrangements to handle your own        #
 +# security patches.                                                #
 +####################################################################
 +</code>
 +
 +==== 2023-10-04 ====
 +
 +**libX11-1.8.7**:  Upgraded.
 +This update fixes security issues:
 +libX11: out-of-bounds memory access in _XkbReadKeySyms().
 +libX11: stack exhaustion from infinite recursion in PutSubImage().
 +libX11: integer overflow in XCreateImage() leading to a heap overflow.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43785
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43786
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43787
 +(**Security fix**)
 +
 +**libXpm-3.5.17**:  Upgraded.
 +This update fixes security issues:
 +libXpm: out of bounds read in XpmCreateXpmImageFromBuffer().
 +libXpm: out of bounds read on XPM with corrupted colormap.
 +For more information, see:
 +  * https://lists.x.org/archives/xorg-announce/2023-October/003424.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43788
 +  * https://www.cve.org/CVERecord?id=CVE-2023-43789
 +(**Security fix**)
 +
 +**cups-2.1.4**:  Rebuilt.
 +This update fixes bugs and a security issue:
 +Fixed Heap-based buffer overflow when reading Postscript in PPD files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-4504
 +(**Security fix**)
 +
 +**netatalk-3.1.17**:  Upgraded.
 +This update fixes bugs and a security issue:
 +Validate data type in dalloc_value_for_key(). This flaw could allow a
 +malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
 +execute arbitrary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-42464
 +(**Security fix**)
 +
 +**curl-8.3.0**:  Upgraded.
 +This update fixes a security issue:
 +HTTP headers eat all memory.
 +  * https://curl.se/docs/CVE-2023-38039.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-38039
 +(**Security fix**)
 +
 +**libarchive-3.7.2**:  Upgraded.
 +This update fixes multiple security vulnerabilities in the PAX writer:
 +Heap overflow in url_encode() in archive_write_set_format_pax.c.
 +NULL dereference in archive_write_pax_header_xattrs().
 +Another NULL dereference in archive_write_pax_header_xattrs().
 +NULL dereference in archive_write_pax_header_xattr().
 +(**Security fix**)
 +
 +**netatalk-3.1.16**:  Upgraded.
 +This update fixes bugs and security issues.
 +Shared library .so-version bump.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23121
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23123
 +(**Security fix**)
 +
 +**curl-8.2.1**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.18**:  Upgraded.
 +Updated the .ga TLD server.
 +Added new recovered IPv4 allocations.
 +Removed the delegation of 43.0.0.0/8 to JPNIC.
 +Removed 12 new gTLDs which are no longer active.
 +Improved the man page source, courtesy of Bjarni Ingi Gislason.
 +Added the .edu.za SLD server.
 +Updated the .alt.za SLD server.
 +Added the -ru and -su NIC handles servers.
 +
 +**ca-certificates-20230721**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-8.2.0**:  Upgraded.
 +This update fixes a security issue:
 +fopen race condition.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-32001.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32001
 +(**Security fix**)
 +
 +**sudo-1.9.14p2**:  Upgraded.
 +This is a bugfix release.
 +
 +**sudo-1.9.14p1**:  Upgraded.
 +This is a bugfix release.
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed use-after-free when logging warnings in case of failures
 +in cupsdAcceptClient().
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-34241
 +(**Security fix**)
 +
 +==== 2023-06-15 ====
 +
 +**libX11-1.8.6**:  Upgraded.
 +This update fixes buffer overflows in InitExt.c that could at least cause
 +the client to crash due to memory corruption.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-3138
 +(**Security fix**)
 +
 +**ntp-4.2.8p17**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-06-06 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
 +cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
 +attacker to launch a denial of service (DoS) attack, or possibly execute
 +arbirary code.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-32324
 +(**Security fix**)
 +
 +**ntp-4.2.8p16**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26551
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26552
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26553
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26554
 +  * https://www.cve.org/CVERecord?id=CVE-2023-26555
 +(**Security fix**)
 +
 +**curl-8.1.2**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-05-26 ====
 +
 +**ntfs-3g-2022.10.3**:  Upgraded.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code or cause a denial of service.
 +Thanks to opty.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40284
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30789
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30788
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30787
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30786
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30785
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30784
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30783
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46790
 +(**Security fix**)
 +
 +**curl-8.1.1**:  Upgraded.
 +This is a bugfix release.
 +
 +
 +==== 2023-05-18 ====
 +
 +**curl-8.1.0**:  Upgraded.
 +This update fixes security issues:
 +more POST-after-PUT confusion.
 +IDN wildcard match.
 +siglongjmp race condition.
 +UAF in SSH sha256 fingerprint check.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-28322.html
 +  * https://curl.se/docs/CVE-2023-28321.html
 +  * https://curl.se/docs/CVE-2023-28320.html
 +  * https://curl.se/docs/CVE-2023-28319.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28322
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28321
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28320
 +  * https://www.cve.org/CVERecord?id=CVE-2023-28319
 +(**Security fix**)
 +
 +**ca-certificates-20230506**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +==== 2023-05-05 ====
 +
 +**libssh-0.10.5**:  Upgraded.
 +This update fixes security issues:
 +A NULL dereference during rekeying with algorithm guessing.
 +A possible authorization bypass in pki_verify_data_signature under
 +low-memory conditions.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-1667
 +  * https://www.cve.org/CVERecord?id=CVE-2023-2283
 +(**Security fix**)
 +
 +**whois-5.5.17**:  Upgraded.
 +Added the .cd TLD server.
 +Updated the -kg NIC handles server name.
 +Removed 2 new gTLDs which are no longer active.
 +
 +
 +==== 2023-05-01 ====
 +
 +**netatalk-3.1.15**:  Upgraded.
 +This update fixes security issues, including a critical vulnerability that
 +allows remote attackers to execute arbitrary code on affected installations
 +of Netatalk. Authentication is not required to exploit this vulnerability.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43634
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +==== 2023-04-25 ====
 +
 +**git-2.30.9**:  Upgraded.
 +This update fixes security issues:
 +By feeding specially crafted input to `git apply --reject`, a
 +path outside the working tree can be overwritten with partially
 +controlled contents (corresponding to the rejected hunk(s) from
 +the given patch).
 +When Git is compiled with runtime prefix support and runs without
 +translated messages, it still used the gettext machinery to
 +display messages, which subsequently potentially looked for
 +translated messages in unexpected places. This allowed for
 +malicious placement of crafted messages.
 +When renaming or deleting a section from a configuration file,
 +certain malicious configuration values may be misinterpreted as
 +the beginning of a new configuration section, leading to arbitrary
 +configuration injection.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25652
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25815
 +  * https://www.cve.org/CVERecord?id=CVE-2023-29007
 +(**Security fix**)
 +
 +**httpd-2.4.57**:  Upgraded.
 +This is a bugfix release.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.57
 +
 +==== 2023-04-03 ====
 +
 +**irssi-1.4.4**:  Upgraded.
 +Do not crash Irssi when one line is printed as the result of another line
 +being printed.
 +Also solve a memory leak while printing unformatted lines.
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2023c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**tar-1.29**:  Rebuilt.
 +GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
 +of uninitialized memory for a conditional jump. Exploitation to change the
 +flow of control has not been demonstrated. The issue occurs in from_header
 +in list.c via a V7 archive in which mtime has approximately 11 whitespace
 +characters.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-48303
 +(**Security fix**)
 +
 +
 +==== 2023-03-22 ====
 +
 +**curl-8.0.1**:  Upgraded.
 +  * This update fixes security issues:
 +  * SSH connection too eager reuse still.
 +  * HSTS double-free.
 +  * GSS delegation too eager connection re-use.
 +  * FTP too eager connection reuse.
 +  * SFTP path ~ resolving discrepancy.
 +  * TELNET option IAC injection.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-27538.html
 +  * https://curl.se/docs/CVE-2023-27537.html
 +  * https://curl.se/docs/CVE-2023-27536.html
 +  * https://curl.se/docs/CVE-2023-27535.html
 +  * https://curl.se/docs/CVE-2023-27534.html
 +  * https://curl.se/docs/CVE-2023-27533.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27538
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27537
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27536
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27535
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27534
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27533
 +(**Security fix**)
 +
 +==== 2023-03-08 ====
 +
 +**httpd-2.4.56**:  Upgraded.
 +This update fixes two security issues:
 +HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
 +HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.56
 +  * https://www.cve.org/CVERecord?id=CVE-2023-27522
 +  * https://www.cve.org/CVERecord?id=CVE-2023-25690
 +(**Security fix**)
 +
 +**sudo-1.9.13p3**:  Upgraded.
 +This is a bugfix release.
 +
 +**whois-5.5.16**:  Upgraded.
 +Add bash completion support, courtesy of Ville Skytta.
 +Updated the .tr TLD server.
 +Removed support for -metu NIC handles.
 +
 +**curl-7.88.1**:  Upgraded.
 +This is a bugfix release.
 +
 +==== 2023-02-16 ====
 +
 +**curl-7.88.0**:  Upgraded.
 +This update fixes security issues:
 +HTTP multi-header compression denial of service.
 +HSTS amnesia with --parallel.
 +HSTS ignored on multiple requests.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2023-23916.html
 +  * https://curl.se/docs/CVE-2023-23915.html
 +  * https://curl.se/docs/CVE-2023-23914.html
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23916
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23915
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23914
 +(**Security fix**)
 +
 +**git-2.30.8**:  Upgraded.
 +This update fixes security issues:
 +Using a specially-crafted repository, Git can be tricked into using
 +its local clone optimization even when using a non-local transport.
 +Though Git will abort local clones whose source $GIT_DIR/objects
 +directory contains symbolic links (c.f., CVE-2022-39253), the objects
 +directory itself may still be a symbolic link.
 +These two may be combined to include arbitrary files based on known
 +paths on the victim's filesystem within the malicious repository's
 +working copy, allowing for data exfiltration in a similar manner as
 +CVE-2022-39253.
 +By feeding a crafted input to "git apply", a path outside the
 +working tree can be overwritten as the user who is running "git
 +apply".
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22490
 +  * https://www.cve.org/CVERecord?id=CVE-2023-23946
 +(**Security fix**)
 +
 +==== 2023-01-19 ====
 +
 +**sudo-1.9.12p2**:  Upgraded.
 +This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow
 +a malicious user with sudoedit privileges to edit arbitrary files.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2023-22809
 +(**Security fix**)
 +
 +==== 2023-01-18 ====
 +
 +**git-2.30.7**:  Upgraded.
 +This release fixes two security issues:
 +  * CVE-2022-41903:
 +git log has the ability to display commits using an arbitrary
 +format with its --format specifiers. This functionality is also
 +exposed to git archive via the export-subst gitattribute.
 +When processing the padding operators (e.g., %<(, %<|(, %>(,
 +%>>(, or %><( ), an integer overflow can occur in
 +pretty.c::format_and_pad_commit() where a size_t is improperly
 +stored as an int, and then added as an offset to a subsequent
 +memcpy() call.
 +This overflow can be triggered directly by a user running a
 +command which invokes the commit formatting machinery (e.g., git
 +log --format=...). It may also be triggered indirectly through
 +git archive via the export-subst mechanism, which expands format
 +specifiers inside of files within the repository during a git
 +archive.
 +This integer overflow can result in arbitrary heap writes, which
 +may result in remote code execution.
 +  * CVE-2022-23521:
 +gitattributes are a mechanism to allow defining attributes for
 +paths. These attributes can be defined by adding a `.gitattributes`
 +file to the repository, which contains a set of file patterns and
 +the attributes that should be set for paths matching this pattern.
 +When parsing gitattributes, multiple integer overflows can occur
 +when there is a huge number of path patterns, a huge number of
 +attributes for a single pattern, or when the declared attribute
 +names are huge.
 +These overflows can be triggered via a crafted `.gitattributes` file
 +that may be part of the commit history. Git silently splits lines
 +longer than 2KB when parsing gitattributes from a file, but not when
 +parsing them from the index. Consequentially, the failure mode
 +depends on whether the file exists in the working tree, the index or
 +both.
 +This integer overflow can result in arbitrary heap reads and writes,
 +which may result in remote code execution.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-41903
 +  * https://www.cve.org/CVERecord?id=CVE-2022-23521
 +(**Security fix**)
 +
 +**httpd-2.4.55**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_proxy allows a backend to trigger HTTP response splitting.
 +mod_proxy_ajp possible request smuggling.
 +mod_dav out of bounds read, or write of zero byte.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.55
 +  * https://www.cve.org/CVERecord?id=CVE-2022-37436
 +  * https://www.cve.org/CVERecord?id=CVE-2022-36760
 +  * https://www.cve.org/CVERecord?id=CVE-2006-20001
 +(**Security fix**)
 +
 +**libXpm-3.5.15**:  Upgraded.
 +This update fixes security issues:
 +Infinite loop on unclosed comments.
 +Runaway loop with width of 0 and enormous height.
 +Compression commands depend on $PATH.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-46285
 +  * https://www.cve.org/CVERecord?id=CVE-2022-44617
 +  * https://www.cve.org/CVERecord?id=CVE-2022-4883
 +(**Security fix**)
 +
 +==== 2023-01-15 ====
 +
 +**netatalk-3.1.14**:  Upgraded.
 +Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow
 +resulting in code execution via a crafted .appl file.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-45188
 +(**Security fix**)
 +
 +**ca-certificates-20221205**:  Rebuilt.
 +Make sure that if we're installing this package on another partition (such as
 +when using installpkg with a --root parameter) that the updates are done on
 +that partition. Thanks to fulalas.
 +
 +
 +==== 2023-01-04 ====
 +
 +**libtiff-4.4.0**:  Upgraded.
 +Patched various security bugs.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2056
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2057
 +  * https://www.cve.org/CVERecord?id=CVE-2022-2058
 +  * https://www.cve.org/CVERecord?id=CVE-2022-3970
 +  * https://www.cve.org/CVERecord?id=CVE-2022-34526
 +(**Security fix**)
 +
 +**whois-5.5.15**:  Upgraded.
 +Updated the .bd, .nz and .tv TLD servers.
 +Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
 +Updated the .ac.uk and .gov.uk SLD servers.
 +Recursion has been enabled for whois.nic.tv.
 +Updated the list of new gTLDs with four generic TLDs assigned in October 2013
 +which were missing due to a bug.
 +Removed 4 new gTLDs which are no longer active.
 +Added the Georgian translation, contributed by Temuri Doghonadze.
 +Updated the Finnish translation, contributed by Lauri Nurmi.
 +
 +==== 2022-12-22 ====
 +
 +**curl-7.87.0**:  Upgraded.
 +This is a bugfix release.
 +
 +**libksba-1.6.3**:  Upgraded.
 +Fix another integer overflow in the CRL's signature parser.
 +(**Security fix**)
 +
 +**sdl-1.2.15**:  Rebuilt.
 +This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
 +By crafting a malicious .BMP file, an attacker can cause the application
 +using this library to crash, denial of service, or code execution.
 +Thanks to marav for the heads-up.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2021-33657
 +(**Security fix**)
 +
 +**libarchive-3.6.2**:  Rebuilt.
 +This update fixes a regression causing a failure to compile against
 +libarchive: don't include iconv in libarchive.pc.
 +
 +**libarchive-3.6.2**:  Upgraded.
 +This is a bugfix and security release.
 +Relevant bugfixes:
 +  * rar5 reader: fix possible garbled output with bsdtar -O (#1745)
 +  * mtree reader: support reading mtree files with tabs (#1783)
 +Security fixes:
 +  * various small fixes for issues found by CodeQL
 +(**Security fix**)
 +
 +**ca-certificates-20221205**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**glibc-zoneinfo-2022g**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-11-09 ====
 +
 +**sysstat-12.7.1**:  Upgraded.
 +On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
 +allocate_structures contains a size_t overflow in sa_common.c. The
 +allocate_structures function insufficiently checks bounds before arithmetic
 +multiplication, allowing for an overflow in the size allocated for the
 +buffer representing system activities.
 +This issue may lead to Remote Code Execution (RCE).
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-39377
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022f**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**sudo-1.9.12p1**:  Upgraded.
 +Fixed a potential out-of-bounds write for passwords smaller than 8
 +characters when passwd authentication is enabled.
 +This does not affect configurations that use other authentication
 +methods such as PAM, AIX authentication or BSD authentication.
 +For more information, see:
 +  * https://www.cve.org/CVERecord?id=CVE-2022-43995
 +(**Security fix**)
 +
 +**curl-7.86.0**:  Upgraded.
 +This update fixes security issues:
 +HSTS bypass via IDN.
 +HTTP proxy double-free.
 +.netrc parser out-of-bounds access.
 +POST following PUT confusion. 
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-42916.html
 +  * https://curl.se/docs/CVE-2022-42915.html
 +  * https://curl.se/docs/CVE-2022-35260.html
 +  * https://curl.se/docs/CVE-2022-32221.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35260
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221
 +(**Security fix**)
 +
 +**expat-2.4.3**:  Rebuilt.
 +This update fixes a security issue:
 +Fix heap use-after-free after overeager destruction of a shared DTD in
 +function XML_ExternalEntityParserCreate in out-of-memory situations.
 +Expected impact is denial of service or potentially arbitrary code
 +execution.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
 +(**Security fix**)
 +
 +**rsync-3.2.7**:  Rebuilt.
 +This is a bugfix release, fixing the list of supported auth checksums when
 +rsync is built against 1.0.x.
 +Thanks to niksoggia.
 +
 +**rsync-3.2.7**:  Upgraded.
 +This is a bugfix release.
 +Notably, this addresses some regressions caused by the file-list validation
 +fix in rsync-3.2.5.
 +Thanks to llgar.
 +
 +**whois-5.5.14**:  Upgraded.
 +This update adds the .bf and .sd TLD servers, removes the .gu TLD server,
 +updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for
 +whois.nic.tr, updates the list of new gTLDs, removes whois.nic.fr from the
 +list of RIPE-like servers (because it is not one anymore), renames
 +whois.arnes.si to whois.register.si in the list of RIPE-like servers, and
 +adds the hiding string for whois.auda.org.au.
 +
 +**git-2.30.6**:  Upgraded.
 +This release fixes two security issues:
 +  * CVE-2022-39253:
 +When relying on the `--local` clone optimization, Git dereferences
 +symbolic links in the source repository before creating hardlinks
 +(or copies) of the dereferenced link in the destination repository.
 +This can lead to surprising behavior where arbitrary files are
 +present in a repository's `$GIT_DIR` when cloning from a malicious
 +repository.
 +Git will no longer dereference symbolic links via the `--local`
 +clone mechanism, and will instead refuse to clone repositories that
 +have symbolic links present in the `$GIT_DIR/objects` directory.
 +Additionally, the value of `protocol.file.allow` is changed to be
 +"user" by default.
 +  * CVE-2022-39260:
 +An overly-long command string given to `git shell` can result in
 +overflow in `split_cmdline()`, leading to arbitrary heap writes and
 +remote code execution when `git shell` is exposed and the directory
 +`$HOME/git-shell-commands` exists.
 +`git shell` is taught to refuse interactive commands that are
 +longer than 4MiB in size. `split_cmdline()` is hardened to reject
 +inputs larger than 2GiB.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260
 +(**Security fix**)
 +
 +==== 2022-10-17 ====
 +
 +**glibc-zoneinfo-2022e**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**zlib-1.2.13**:  Upgraded.
 +Fixed a bug when getting a gzip header extra field with inflateGetHeader().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
 +(**Security fix**)
 +
 +**libksba-1.6.2**:  Upgraded.
 +Detect a possible overflow directly in the TLV parser.
 +This patch detects possible integer overflows immmediately when creating
 +the TI object.
 +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
 +(**Security fix**)
 +
 +
 +==== 2022-10-05 ====
 +
 +**dhcp-4.4.3_P1**:  Upgraded.
 +This update fixes two security issues:
 +Corrected a reference count leak that occurs when the server builds
 +responses to leasequery packets.
 +Corrected a memory leak that occurs when unpacking a packet that has an
 +FQDN option (81) that contains a label with length greater than 63 bytes.
 +Thanks to VictorV of Cyber Kunlun Lab for reporting these issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022d**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**dnsmasq-2.87**:  Upgraded.
 +Fix write-after-free error in DHCPv6 server code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
 +(**Security fix**)
 +
 +**ca-certificates-20220922**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**expat-2.4.3**:  Rebuilt.
 +This update fixes a security issue:
 +Heap use-after-free vulnerability in function doContent. Expected impact is
 +denial of service or potentially arbitrary code execution.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
 +(**Security fix**)
 +
 +
 +==== 2022-09-01 ====
 +
 +**curl-7.85.0**:  Upgraded.
 +This update fixes a security issue:
 +control code in cookie denial of service.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-35252.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022c**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-08-15 ====
 +
 +**rsync-3.2.5**:  Upgraded.
 +Added some file-list safety checking that helps to ensure that a rogue
 +sending rsync can't add unrequested top-level names and/or include recursive
 +names that should have been excluded by the sender. These extra safety
 +checks only require the receiver rsync to be updated. When dealing with an
 +untrusted sending host, it is safest to copy into a dedicated destination
 +directory for the remote content (i.e. don't copy into a destination
 +directory that contains files that aren't from the remote host unless you
 +trust the remote host).
 +For more information, see:
 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022b**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +**zlib-1.2.12**:  Rebuilt.
 +This is a bugfix update.
 +Applied an upstream patch to restore the handling of CRC inputs to be the
 +same as in previous releases of zlib. This fixes an issue with OpenJDK.
 +Thanks to alienBOB.
 +
 +
 +==== 2022-07-10 ====
 +
 +**wavpack-5.5.0**:  Upgraded.
 +WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially
 +crafted DSD file causes an out-of-bounds read exception.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
 +(**Security fix**)
 +
 +==== 2022-06-30 ====
 +
 +**curl-7.84.0**:  Upgraded.
 +This update fixes security issues:
 +Set-Cookie denial of service.
 +HTTP compression denial of service.
 +Unpreserved file permissions.
 +FTP-KRB bad message verification.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-32205.html
 +  * https://curl.se/docs/CVE-2022-32206.html
 +  * https://curl.se/docs/CVE-2022-32207.html
 +  * https://curl.se/docs/CVE-2022-32208.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
 +(**Security fix**)
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +We're sending out the Slackware 14.2 updates again because the package
 +build number wasn't incremented which caused slackpkg to not pick up the
 +updates. It's been bumped and the packages rebuilt - otherwise there are
 +no new changes. Thanks to John Jenkins for the report.
 +For reference, here's the information from the previous advisory:
 +In addition to the c_rehash shell command injection identified in
 +CVE-2022-1292, further circumstances where the c_rehash script does not
 +properly sanitise shell metacharacters to prevent command injection were
 +found by code review.
 +When the CVE-2022-1292 was fixed it was not discovered that there
 +are other places in the script where the file names of certificates
 +being hashed were possibly passed to a command executed through the shell.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220621.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +
 +==== 2022-06-28 ====
 +
 +**ca-certificates-20220622**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +In addition to the c_rehash shell command injection identified in
 +CVE-2022-1292, further circumstances where the c_rehash script does not
 +properly sanitise shell metacharacters to prevent command injection were
 +found by code review.
 +When the CVE-2022-1292 was fixed it was not discovered that there
 +are other places in the script where the file names of certificates
 +being hashed were possibly passed to a command executed through the shell.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220621.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +
 +==== 2022-06-09 ====
 +
 +**httpd-2.4.54**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
 +Information Disclosure in mod_lua with websockets.
 +mod_sed denial of service.
 +Denial of service in mod_lua r:parsebody.
 +Read beyond bounds in ap_strcmp_match().
 +Read beyond bounds via ap_rwrite().
 +Read beyond bounds in mod_isapi.
 +mod_proxy_ajp: Possible request smuggling.
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.54
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
 +(**Security fix**)
 +
 +==== 2022-05-26 ====
 +
 +**cups-2.1.4**:  Rebuilt.
 +Fixed certificate strings comparison for Local authorization.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
 +(**Security fix**)
 +
 +
 +==== 2022-05-11 ====
 +
 +**curl-7.83.1**:  Upgraded.
 +This update fixes security issues:
 +HSTS bypass via trailing dot.
 +TLS and SSH connection too eager reuse.
 +CERTINFO never-ending busy-loop.
 +percent-encoded path separator in URL host.
 +cookie for trailing dot TLD.
 +curl removes wrong file on error.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-30115.html
 +  * https://curl.se/docs/CVE-2022-27782.html
 +  * https://curl.se/docs/CVE-2022-27781.html
 +  * https://curl.se/docs/CVE-2022-27780.html
 +  * https://curl.se/docs/CVE-2022-27779.html
 +  * https://curl.se/docs/CVE-2022-27778.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30115
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27780
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27779
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27778
 +(**Security fix**)
 +
 +==== 2022-05-03 ====
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +Fixed a bug in the c_rehash script which was not properly sanitising shell
 +metacharacters to prevent command injection.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +==== 2022-05-03 ====
 +
 +**libxml2-2.9.14**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Fix integer overflow in xmlBuf and xmlBuffer.
 +Fix potential double-free in xmlXPtrStringRangeFunction.
 +Fix memory leak in xmlFindCharEncodingHandler.
 +Normalize XPath strings in-place.
 +Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars().
 +Fix leak of xmlElementContent.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
 +(**Security fix**)
 +
 +==== 2022-04-02 ====
 +
 +**pidgin-2.12.0**:  Rebuilt.
 +Mitigate the potential for a man in the middle attack via DNS spoofing by
 +removing the code that supported the _xmppconnect DNS TXT record.
 +For more information, see:
 +  * https://www.pidgin.im/about/security/advisories/cve-2022-26491/
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26491
 +(**Security fix**)
 +
 +**xz-5.2.5**:  Rebuilt.
 +This update fixes a regression with the previous package leading to compile
 +failures due to a missing liblzma.la. Thanks to csking.
 +
 +==== 2022-04-27 ====
 +
 +**curl-7.83.0**:  Upgraded.
 +This update fixes security issues:
 +OAUTH2 bearer bypass in connection re-use.
 +Credential leak on redirect.
 +Bad local IPv6 connection reuse.
 +Auth/cookie leak on redirect.
 +For more information, see:
 +  * https://curl.se/docs/CVE-2022-22576.html
 +  * https://curl.se/docs/CVE-2022-27774.html
 +  * https://curl.se/docs/CVE-2022-27775.html
 +  * https://curl.se/docs/CVE-2022-27776.html
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
 +(**Security fix**)
 +
 +
 +==== 2022-04-15 ====
 +
 +**git-2.30.4**:  Upgraded.
 +This update fixes a security issue where a Git worktree created by another
 +user might be able to execute arbitrary code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
 +(**Security fix**)
 +
 +**gzip-1.12**:  Upgraded.
 +This update fixes a security issue:
 +zgrep applied to a crafted file name with two or more newlines can no
 +longer overwrite an arbitrary, attacker-selected file.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
 +(**Security fix**)
 +
 +**xz-5.2.5**:  Upgraded.
 +This update fixes a security issue:
 +xzgrep applied to a crafted file name with two or more newlines can no
 +longer overwrite an arbitrary, attacker-selected file.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
 +(**Security fix**)
 +
 +**whois-5.5.13**:  Upgraded.
 +This update adds the .sd TLD server, updates the list of new gTLDs, and adds
 +a Turkish translation.
 +
 +==== 2022-04-08 ====
 +
 +**libarchive-3.6.1**:  Upgraded.
 +This is a bugfix and security release.
 +Security fixes:
 +  * 7zip reader: fix PPMD read beyond boundary.
 +  * ZIP reader: fix possible out of bounds read.
 +  * ISO reader: fix possible heap buffer overflow in read_children().
 +  * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0).
 +  * Fix heap use after free in archive_read_format_rar_read_data().
 +  * Fix null dereference in read_data_compressed().
 +  * Fix heap user after free in run_filters().
 +(**Security fix**)
 +
 +**ca-certificates-20220403**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**whois-5.5.12**:  Upgraded.
 +This is a bugfix release. Thanks to Nobby6.
 +
 +**zlib-1.2.12**:  Upgraded.
 +This update fixes memory corruption when deflating (i.e., when compressing)
 +if the input has many distant matches. Thanks to marav.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2022a**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2022-03-17 ====
 +
 +**bind-9.11.37**:  Upgraded.
 +This update fixes bugs and the following security issue:
 +The rules for acceptance of records into the cache have been tightened to
 +prevent the possibility of poisoning if forwarders send records outside
 +the configured bailiwick.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
 +(**Security fix**)
 +
 +**openssl-1.0.2u**:  Rebuilt.
 +This update fixes a high severity security issue:
 +The BN_mod_sqrt() function, which computes a modular square root, contains
 +a bug that can cause it to loop forever for non-prime moduli.
 +For more information, see:
 +  * https://www.openssl.org/news/secadv/20220315.txt
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
 +(**Security fix**)
 +
 +**openssl-solibs-1.0.2u**:  Rebuilt.
 +
 +==== 2022-03-15 ====
 +
 +**httpd-2.4.53**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +mod_sed: Read/write beyond bounds
 +core: Possible buffer overflow with very large or unlimited
 +LimitXMLRequestBody
 +HTTP request smuggling vulnerability
 +mod_lua: Use of uninitialized value in r:parsebody
 +For more information, see:
 +  * https://downloads.apache.org/httpd/CHANGES_2.4.53
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719
 +(**Security fix**)
 +
 +**ca-certificates-20220309**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**expat-2.4.3**:  Rebuilt.
 +This is a bugfix release:
 +Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to
 +all valid URI characters (RFC 3986).
 +
 +==== 2022-03-01 ====
 +
 +**libxml2-2.9.13**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Use-after-free of ID and IDREF attributes
 +(Thanks to Shinji Sato for the report)
 +Use-after-free in xmlXIncludeCopyRange (David Kilzer)
 +Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
 +Fix memory leak in xmlXPathCompNodeTest
 +Fix null pointer deref in xmlStringGetNodeList
 +Fix several memory leaks found by Coverity (David King)
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308
 +(**Security fix**)
 +
 +**libxslt-1.1.35**:  Upgraded.
 +This update fixes bugs and the following security issues:
 +Fix use-after-free in xsltApplyTemplates
 +Fix memory leak in xsltDocumentElem (David King)
 +Fix memory leak in xsltCompileIdKeyPattern (David King)
 +Fix double-free with stylesheets containing entity nodes
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560
 +(**Security fix**)
 +
 +**cyrus-sasl-2.1.28**:  Upgraded.
 +This update fixes bugs and security issues.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
 +(**Security fix**)
 +
 +==== 2022-02-22 ====
 +
 +**expat-2.4.3**:  Rebuilt.
 +Fixed a regression introduced by the fix for CVE-2022-25313 that affects
 +applications that (1) call function XML_SetElementDeclHandler and (2) are
 +parsing XML that contains nested element declarations, e.g.
 +  "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"
 +
 +**flac-1.3.4**:  Upgraded.
 +This update fixes overflow issues with encoding and decoding.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561
 +(**Security fix**)
 +
 +==== 2022-02-01 ====
 +
 +**linux-libre-4.4.301**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +announced i915 issue that could lead to user-space gaining access to random
 +memory pages (CVE-2022-0330).
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * https://seclists.org/oss-sec/2022/q1/81
 +  Fixed in 4.4.277:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38204
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3679
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37576
 +  Fixed in 4.4.278:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0920
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781
 +  Fixed in 4.4.281:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38205
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3732
 +  Fixed in 4.4.282:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3653
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42008
 +  Fixed in 4.4.283:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3753
 +  Fixed in 4.4.284:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40490
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3702
 +  Fixed in 4.4.285:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20320
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3655
 +  Fixed in 4.4.288:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4203
 +  Fixed in 4.4.289:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29374
 +  Fixed in 4.4.290:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3896
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20321
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3760
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389
 +  Fixed in 4.4.291:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772
 +  Fixed in 4.4.292:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37159
 +  Fixed in 4.4.293:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4202
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3752
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3640
 +  Fixed in 4.4.294:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4002
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4083
 +  Fixed in 4.4.295:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39685
 +  Fixed in 4.4.296:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28713
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28711
 +  Fixed in 4.4.299:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45095
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155
 +  Fixed in 4.4.300:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43976
 +  Fixed in 4.4.301:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330
 +(**Security fix**)
 +
 +
 +==== 2022-01-27 ====
 +**expat-2.4.3**:  Rebuilt.
 +Prevent integer overflow in doProlog.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990
 +(**Security fix**)
 +
 +==== 2022-01-26 ====
 +**polkit-0.113**:  Rebuilt.
 +[PATCH] pkexec: local privilege escalation.
 +Thanks to Qualys Research Labs for reporting this issue.
 +For more information, see:
 +  * https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
 +(**Security fix**)
 +
 +==== 2022-01-25 ====
 +
 +**expat-2.4.3**:  Rebuilt.
 +Fix signed integer overflow in function XML_GetBuffer for when
 +XML_CONTEXT_BYTES is defined to >0 (which is both common and
 +default). Impact is denial of service or other undefined behavior.
 +While we're here, also patch a memory leak on output file opening error.
 +Thanks to marav.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
 +(**Security fix**)
 +
 +==== 2022-01-19 ====
 +**wpa_supplicant-2.9**:  Rebuilt.
 +This update contains patches for these security issues:
 +The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant
 +before 2.10 are vulnerable to side-channel attacks as a result of cache
 +access patterns.
 +NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23303
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23304
 +(**Security fix**)
 +
 +==== 2022-01-16 ====
 +**expat-2.4.3**:  Upgraded.
 +Fix issues with left shifts by >=29 places resulting in:
 +  a) realloc acting as free
 +  b) realloc allocating too few bytes
 +  c) undefined behavior
 +Fix integer overflow on variable m_groupSize in function doProlog leading
 +to realloc acting as free. Impact is denial of service or other undefined
 +behavior.
 +Prevent integer overflows near memory allocation at multiple places.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
 +(**Security fix**)
 +
 +
 +==== 2021-12-29 ====
 +
 +**wpa_supplicant-2.9**:  Upgraded.
 +This update fixes the following security issues:
 +AP mode PMF disconnection protection bypass.
 +UPnP SUBSCRIBE misbehavior in hostapd WPS AP.
 +P2P group information processing vulnerability.
 +P2P provision discovery processing vulnerability.
 +ASN.1: Validate DigestAlgorithmIdentifier parameters.
 +Flush pending control interface message for an interface to be removed.
 +These issues could result in a denial-of-service, privilege escalation,
 +arbitrary code execution, or other unexpected behavior.
 +Thanks to nobodino for pointing out the patches.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0326
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0535
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16275
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30004
 +(**Security fix**)
 +
 +==== 2021-12-20 ====
 +
 +**httpd-2.4.52**:  Upgraded.
 +SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
 +multipart content in mod_lua of Apache HTTP Server 2.4.51 and
 +earlier (cve.mitre.org)
 +A carefully crafted request body can cause a buffer overflow in
 +the mod_lua multipart parser (r:parsebody() called from Lua
 +scripts).
 +The Apache httpd team is not aware of an exploit for the
 +vulnerabilty though it might be possible to craft one.
 +This issue affects Apache HTTP Server 2.4.51 and earlier.
 +Credits: Chamal
 +SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
 +forward proxy configurations in Apache HTTP Server 2.4.51 and
 +earlier (cve.mitre.org)
 +A crafted URI sent to httpd configured as a forward proxy
 +(ProxyRequests on) can cause a crash (NULL pointer dereference)
 +or, for configurations mixing forward and reverse proxy
 +declarations, can allow for requests to be directed to a
 +declared Unix Domain Socket endpoint (Server Side Request
 +Forgery).
 +This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
 +(included).
 +Credits: ae 1/4*a-o(R)e 1/4
 +TengMA(@Te3t123)
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224
 +(**Security fix**)
 +
 +**ca-certificates-20211216**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +
 +==== 2021-12-16 ====
 +
 +**xorg-server-1.18.3**:  Rebuilt.
 +Fixes for multiple input validation failures in X server extensions:
 +render: Fix out of bounds access in SProcRenderCompositeGlyphs()
 +xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4008
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4009
 +(**Security fix**)
 +
 +**xorg-server-xephyr-1.18.3**:  Rebuilt.
 +
 +**xorg-server-xnest-1.18.3**:  Rebuilt.
 +
 +**xorg-server-xvfb-1.18.3**:  Rebuilt.
 +
 +==== 2021-12-03 ====
 +
 +**mozilla-nss-3.40.1**:  Rebuilt.
 +This update fixes a critical security issue:
 +NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are
 +vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS
 +signatures. Applications using NSS for handling signatures encoded within
 +CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications
 +using NSS for certificate validation or other TLS, X.509, OCSP or CRL
 +functionality may be impacted, depending on how they configure NSS.
 +Note: This vulnerability does NOT impact Mozilla Firefox. However, email
 +clients and PDF viewers that use NSS for signature verification, such as
 +Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted.
 +Thanks to Tavis Ormandy of Google Project Zero.
 +For more information, see:
 +  * https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527
 +(**Security fix**)
 +
 +**mailx-12.5**:  Rebuilt.
 +Patched a bug where Heirloom mailx produces a "Date:" header that is
 +incorrect when the system is in the Europe/Dublin timezone (email appears
 +to have been sent 2 hours earlier).
 +Thanks to Andrea Biardi.
 +
 +==== 2021-10-28 ====
 +
 +**bind-9.11.36**:  Upgraded.
 +This update fixes bugs and the following security issue:
 +The "lame-ttl" option is now forcibly set to 0. This effectively disables
 +the lame server cache, as it could previously be abused by an attacker to
 +significantly degrade resolver performance.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25219
 +(**Security fix**)
 +
 +**glibc-zoneinfo-2021e**:  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2021-10-10 ====
 +
 +**httpd-2.4.51**:  Upgraded.
 +SECURITY: CVE-2021-42013: Path Traversal and Remote Code
 +Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
 +fix of CVE-2021-41773) (cve.mitre.org)
 +It was found that the fix for CVE-2021-41773 in Apache HTTP
 +Server 2.4.50 was insufficient.  An attacker could use a path
 +traversal attack to map URLs to files outside the directories
 +configured by Alias-like directives.
 +If files outside of these directories are not protected by the
 +usual default configuration "require all denied", these requests
 +can succeed. If CGI scripts are also enabled for these aliased
 +pathes, this could allow for remote code execution.
 +This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
 +earlier versions.
 +Credits: Reported by Juan Escobar from Dreamlab Technologies,
 +Fernando MuA+-oz from NULL Life CTF Team, and Shungo Kumasaka
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
 +(**Security fix**)
 +
 +==== 2021-10-05 ====
 +
 +**httpd-2.4.50**:  Upgraded.
 +This release contains security fixes and improvements.
 +Fixed null pointer dereference in h2 fuzzing.
 +Fixed path traversal and file disclosure vulnerability.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
 +(**Security fix**)
 +
 +**ca-certificates-20211005**  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +Don't install /etc/ca-certificates.conf as a .new file - it's an auto-
 +generated list that will just end up suffering a mismatch with the files
 +included in the package. Thanks to Weber Kai.
 +
 +**glibc-zoneinfo-2021**  Upgraded.
 +This package provides the latest timezone updates.
 +
 +==== 2021-09-21 ====
 +
 +**alpine-2.25**:  Upgraded.
 +Fixed a denial-of-service security issue where untagged responses from an
 +IMAP server are accepted before STARTTLS.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38370
 +(**Security fix**)
 +
 +==== 2021-09-17 ====
 +
 +**httpd-2.4.49**:  Upgraded.
 +This release contains security fixes and improvements.
 +mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
 +core: ap_escape_quotes buffer overflow
 +mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
 +core: null pointer dereference on malformed request
 +mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193
 +(**Security fix**)
 +
 +==== 2021-09-16 ====
 +
 +**curl-7.79.0**:  Upgraded.
 +This update fixes security issues:
 +clear the leftovers pointer when sending succeeds.
 +do not ignore --ssl-reqd.
 +reject STARTTLS server response pipelining.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
 +(**Security fix**)
 +
 +==== 2021-09-01 ====
 +
 +**ntfs-3g-2021.8.22**:  Upgraded.
 +Shared library .so-version bump.
 +Fixed vulnerabilities that may allow an attacker using a maliciously
 +crafted NTFS-formatted image file or external storage to potentially
 +execute arbitrary privileged code.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33285
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35269
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35268
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33289
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33286
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35266
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33287
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35267
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39251
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39252
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39253
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39254
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39255
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39256
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39257
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39258
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39259
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39260
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39261
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39262
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39263
 +(**Security fix**)
 +
 +==== 2021-07-21 ====
 +
 +**curl-7.78.0**:  Upgraded.
 +This update fixes security issues:
 +CURLOPT_SSLCERT mixup with Secure Transport
 +TELNET stack contents disclosure again
 +Bad connection reuse due to flawed path name checks
 +Metalink download sends credentials
 +Wrong content via metalink not discarded
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22926
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22925
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22923
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
 +(**Security fix**)
 +
 +**linux-libre**:  Upgraded.
 +These updates fix various bugs and security issues, including the recently
 +announced local privilege escalation vulnerability in the filesystem layer
 +(CVE-2021-33909).
 +Be sure to upgrade your initrd after upgrading the kernel packages.
 +If you use lilo to boot your machine, be sure lilo.conf points to the correct
 +kernel and initrd and run lilo as root to update the bootloader.
 +If you use elilo to boot your machine, you should run eliloconfig to copy the
 +kernel and initrd to the EFI System Partition.
 +For more information, see:
 +  * https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
 +Fixed in 4.4.262:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19060
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19061
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28660
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20261
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29265
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16232
 +Fixed in 4.4.263:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28972
 +Fixed in 4.4.264:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688
 +Fixed in 4.4.265:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3483
 +Fixed in 4.4.266:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
 +Fixed in 4.4.267:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25673
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671
 +Fixed in 4.4.269:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0605
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
 +Fixed in 4.4.270:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0129
 +Fixed in 4.4.271:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
 +Fixed in 4.4.272:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3564
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3573
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3587
 +Fixed in 4.4.274:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34693
 +Fixed in 4.4.276:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909
 +(**Security fix**)
 +
 +==== 2021-06-07 ====
 +
 +**httpd-2.4.48**:  Upgraded.
 +This release contains security fixes and improvements.
 +mod_http2: Fix a potential NULL pointer dereference.
 +Unexpected <Location> section matching with 'MergeSlashes OFF'.
 +mod_auth_digest: possible stack overflow by one nul byte while validating
 +the Digest nonce.
 +mod_session: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service with a malicious backend
 +server and SessionHeader.
 +mod_session: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service.
 +mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
 +could be used to cause a Denial of Service.
 +mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
 +negotiation.
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567
 +(**Security fix**)
 +
 +**libX11-1.7.2**:  Upgraded.
 +This is a bug fix release, correcting a regression introduced by and
 +improving the checks from the fix for CVE-2021-31535.
 +
 +**polkit-0.113**:  Rebuilt.
 +This update includes a mitigation for local privilege escalation using
 +polkit_system_bus_name_get_creds_sync().
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
 +(**Security fix**)
 +
 +**dhcp-4.4.2_P1**:  Upgraded.
 +This update fixes a security issue:
 +Corrected a buffer overwrite possible when parsing hexadecimal
 +literals with more than 1024 octets. Reported by Jon Franklin from Dell,
 +and also by Pawel Wieczorkiewicz from Amazon Web Services. [Gitlab #182]
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217
 +(**Security fix**)
 +
 +==== 2021-05-26 ====
 +
 +**ca-certificates-20210526**:  Upgraded.
 +This update provides the latest CA certificates to check for the
 +authenticity of SSL connections.
 +
 +**curl-7.77.0**:  Upgraded.
 +This update fixes security issues:
 +schannel cipher selection surprise
 +TELNET stack contents disclosure
 +TLS session caching disaster
 +For more information, see:
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22297
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22298
 +  * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22901
 +(**Security fix**)
  
 ==== 2021-05-25 ==== ==== 2021-05-25 ====
changelog_14.2.1621995921.txt.gz · Last modified: 2021/05/25 22:25 by connie