ChangeLog 14.2

Slackware upstream ChangeLog entries are courtesy of Patrick Volkerding.

2017-09-18

httpd-2.4.27: Rebuilt. This update patches a security issue (“Optionsbleed”) with the OPTIONS HTTP method which may leak arbitrary pieces of memory to a potential attacker. Thanks to Hanno Böck. For more information, see:

(Security fix)

libgcrypt-1.7.9: Upgraded. Mitigate a local side-channel attack on Curve25519 dubbed “May the Fourth be With You”. For more information, see:

(Security fix)

ruby-2.2.8: Upgraded. This release includes several security fixes. For more information, see:

(Security fix)

2017-09-16

bluez-5.47: Upgraded. Fixed an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. For more information, see:

(Security fix)

linux-libre-*-4.4.88: Upgraded. This update fixes the security vulnerability known as “BlueBorne”. The native Bluetooth stack in the Linux Kernel (BlueZ), starting at Linux kernel version 3.3-rc1 is vulnerable to a stack overflow in the processing of L2CAP configuration responses resulting in remote code execution in kernel space. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2017-09-12

emacs-25.3: Upgraded. This update fixes a security vulnerability in Emacs. Gnus no longer supports “richtext” and “enriched” inline MIME objects. This support was disabled to avoid evaluation of arbitrary Lisp code contained in email messages and news articles. For more information, see:

(Security fix)

libzip-1.0.1: Rebuilt. Fix a denial of service security issue. For more information, see:

(Security fix)

2017-09-08

bash-4.3.048: Upgraded. This update fixes two security issues found in bash before 4.4: The expansion of '\h' in the prompt string allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. The theoretical attack vector is a hostile DHCP server providing a crafted hostname, but this is unlikely to occur in a normal Slackware configuration as we ignore the hostname provided by DHCP. Specially crafted SHELLOPTS+PS4 environment variables used against bogus setuid binaries using system()/popen() allowed local attackers to execute arbitrary code as root. For more information, see:

(Security fix)

mariadb-10.0.32: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

mozilla-nss-3.31.1: Upgraded. Upgraded to nss-3.31.1 and nspr-4.16. This is a bugfix release.

tcpdump-4.9.2: Upgraded. This update fixes bugs and many security issues (see the included CHANGES file). For more information, see:

(Security fix)

2017-09-03

icecat-52.3.0: Upgraded. This update includes upstream features and patches. https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/ (Security fix)

2017-08-12

xorg-server-1.18.3: Rebuilt. This update fixes two security issues: a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server allowed authenticated malicious users to access potentially privileged data from the X server. For more information, see:

(Security fix)

xorg-server-xephyr-1.18.3: Rebuilt.

xorg-server-xnest-1.18.3: Rebuilt.

xorg-server-xvfb-1.18.3: Rebuilt.

2017-08-12

git-2.14.1: Upgraded. Fixes security issues: A "ssh://..." URL can result in a “ssh” command line with a hostname that begins with a dash “-”, which would cause the “ssh” command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage). Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash “-” as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage). For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117 (Security fix)

libsoup-2.52.2: Rebuilt. Fixed a chunked decoding buffer overrun that could be exploited against either clients or servers. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885 (Security fix)

mercurial-4.3.1: Upgraded. Fixes security issues: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. For more information, see:

(Security fix)

subversion-1.9.7: Upgraded. Fixed client side arbitrary code execution vulnerability. For more information, see:

(Security fix)

2017-08-11

curl-7.55.0: Upgraded. This update fixes three security issues:

  • URL globbing out of bounds read
  • TFTP sends more than buffer size
  • FILE buffer read out of bounds

For more information, see:

(Security fix)

glibc-2.23: Rebuilt. Fixed a regression with the recent glibc patch packages: Don't clobber the libm.so linker script with a symlink. Thanks to guanx.

glibc-i18n-2.23: Rebuilt.

glibc-profile-2.23: Rebuilt.

glibc-solibs-2.23: Rebuilt.

2017-08-20

gnupg-1.4.22: Upgraded. Mitigate a flush+reload side-channel attack on RSA secret keys dubbed “Sliding right into disaster”. For more information, see:

(Security fix)

2017-07-28

squashfs-tools-4.3: Rebuilt. Patched a couple of denial of service issues and other bugs. For more information, see:

(Security fix)

dbus-1.10.8: Rebuilt. Don't demand high-quality entropy from expat-2.2.2+ because 1) dbus doesn't need it and 2) it can cause the boot process to hang if dbus times out. Thanks to SeB for a link to the bug report and patch.

bind-9.10.5_P3: Upgraded. Fix a regression in the previous BIND release that broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. Compiled to use libidn rather than the deprecated (and broken) idnkit.

2017-07-14

tcpdump-4.9.1: Upgraded. This update fixes an issue where tcpdump 4.9.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11108 (Security fix)

expat-2.2.2: Upgraded. Fixes security issues including: external entity infinite loop DoS. For more information, see:

(Security fix)

gd-2.2.4: Upgraded. Fixes security issues:

  • gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)
  • double-free in gdImageWebPtr() (CVE-2016-6912)
  • potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
  • DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
  • Signed Integer Overflow gd_io.c (CVE-2016-10168)

For more information, see:

(Security fix)

libtirpc-1.0.2: Upgraded. This is a bugfix release.

rpcbind-0.2.4: Rebuilt. Fixed a bug in a previous patch where a svc_freeargs() call ended up freeing a static pointer causing rpcbind to crash. Thanks to Jonathan Woithe, Rafael Jorge Csura Szendrodi, and Robby Workman for identifying the problem and helping to test a fix.

2017-07-14

mariadb-10.0.31: Upgraded. This update fixes bugs and security issues. For more information, see:

(Security fix)

samba-4.4.15: Upgraded. This update fixes an authentication validation bypass security issue: “Orpheus' Lyre mutual authentication validation bypass”. All versions of Samba from 4.0.0 onwards using embedded Heimdal Kerberos are vulnerable to a man-in-the-middle attack impersonating a trusted server, who may gain elevated access to the domain by returning malicious replication or authorization data. Samba binaries built against MIT Kerberos are not vulnerable. For more information, see:

(Security fix)

httpd-2.4.27: Upgraded. This update fixes two security issues: Read after free in mod_http2 (CVE-2017-9789); Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788). Thanks to Robert Swiecki for reporting these issues. For more information, see:

(Security fix)

2017-07-10

libtirpc-1.0.1: Rebuilt. Patched a bug which can cause a denial of service through memory exhaustion. Thanks to Robby Workman. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 (Security fix)

rpcbind-0.2.4: Upgraded. Patched a bug which can cause a denial of service through memory exhaustion. Thanks to Robby Workman. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 (Security fix)

2017-07-09

irssi-1.0.4: Upgraded. This release fixes two remote crash issues as well as a few bugs. For more information, see:

(Security fix)

2017-07-07

ca-certificates-20161130: Upgraded. This update provides the latest CA certificates to check for the authenticity of SSL connections.

php-5.6.31: Upgraded. This release fixes bugs and security issues. For more information, see:

(Security fix)

glibc-2.23: Rebuilt. Recompiled with upstream patch from git: “[PATCH] X86: Don't assert on older Intel CPUs [BZ #20647]” This fixes an ldconfig failure on older Intel CPUs including Pentium MMX.

glibc-i18n-2.23: Rebuilt.

glibc-profile-2.23: Rebuilt.

glibc-solibs-2.23: Rebuilt.

xscreensaver-5.37: Upgraded. Here's an upgrade to the latest xscreensaver.

2017-07-02

linux-libre-*-4.4.75: Upgraded. This kernel fixes security issues that include possible stack exhaustion, memory corruption, and arbitrary code execution. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

2017-07-01

2017-06-29

bind-9.10.5_P2: Upgraded. This update fixes a high severity security issue: an error in TSIG handling could permit unauthorized zone transfers or zone updates. For more information, see:

(Security fix)

httpd-2.4.26: Upgraded. This update fixes security issues which may lead to an authentication bypass or a denial of service:

  • important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
  • important: mod_ssl Null Pointer Dereference CVE-2017-3169
  • important: mod_http2 Null Pointer Dereference CVE-2017-7659
  • important: ap_find_token() Buffer Overread CVE-2017-7668
  • important: mod_mime Buffer Overread CVE-2017-7679

For more information, see:

(Security fix)

libgcrypt-1.7.8: Upgraded. Mitigate a local flush+reload side-channel attack on RSA secret keys dubbed “Sliding right into disaster”. For more information, see:

(Security fix)

mkinitrd-1.4.10: Upgraded. Added support for -P option and MICROCODE_ARCH in mkinitrd.conf to specify a microcode archive to be prepended to the initrd for early CPU microcode patching by the kernel. Thanks to SeB.

2017-06-27

linux-libre-*-4.4.74: Upgraded. This kernel fixes two “Stack Clash” vulnerabilities reported by Qualys. The first issue may allow attackers to execute arbitrary code with elevated privileges. Failed attack attempts will likely result in denial-of-service conditions. The second issue can be exploited to bypass certain security restrictions and perform unauthorized actions.

Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:

(Security fix)

nasm-2.13.01: Upgraded. This update is needed for some newer projects to compile properly.

2017-06-21

2017-06-15

bind-9.10.5_P1: Upgraded. Fixed denial of service security issue: some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. For more information, see:

(Security fix)

pkg-config-0.29.2: Upgraded. This is a bugfix release, and is needed for some updates on slackbuilds.org to compile properly. Thanks to Willy Sudiarto Raharjo.

2017-06-08

irssi-1.0.3: Upgraded. Fixed security issues that may result in a denial of service. For more information, see:

(Security fix)

sudo-1.8.20p2: Upgraded. This is a bugfix release: Fixed a bug parsing /proc/pid/stat when the process name contains a newline. This is not exploitable due to the /dev traversal changes made in sudo 1.8.20p1.

2017-05-30

lynx-2.8.8rel.2: Rebuilt. Fixed lynx startup without a URL by correcting STARTFILE in lynx.cfg to use the new URL for the Lynx homepage. Thanks to John David Yost.

sudo-1.8.20p1: Upgraded. This update fixes a potential overwrite of arbitrary system files. This bug was discovered and analyzed by Qualys, Inc. For more information, see:

(Security fix)

2017-05-25

icecat-52.1.0: Upgraded. This marks a switch to a repackaged binary build by Gnuzilla. (Security fix)

2017-05-24

samba-4.4.14: Upgraded. This update fixes a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. For more information, see https://www.samba.org/samba/security/CVE-2017-7494.html and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494 (Security fix)

gkrellm-2.3.10: Upgraded. This is a bugfix release to fix a broken gkrellm.pc.

2017-05-16

freetype-2.6.3: Rebuilt. This update fixes an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287 (Security fix)

kdelibs-4.14.32: Upgraded. This update fixes a security issue with KAuth that can lead to gaining root from an unprivileged account. For more information, see:

(Security fix)

2017-05-01

rxvt-2.7.10: Rebuilt. Patched an integer overflow that can crash rxvt with an escape sequence, or possibly have unspecified other impact. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7483 (Security fix)

xfce4-weather-plugin-0.8.9: Upgraded. Package upgraded to fix the API used to fetch weather data. Thanks to Robby Workman.

2017-04-23

getmail-4.54.0: Upgraded. This is a bugfix release to fix a failure to retrieve HTML formatted emails that contain a line longer than 1024 characters. Thanks to Edward Trumbo.

ntp-4.2.8p10: Upgraded. In addition to bug fixes and enhancements, this release fixes security issues of medium and low severity:

  • Denial of Service via Malformed Config (Medium)
  • Authenticated DoS via Malicious Config Option (Medium)
  • Potential Overflows in ctl_put() functions (Medium)
  • Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
  • 0rigin DoS (Medium)
  • Buffer Overflow in DPTS Clock (Low)
  • Improper use of snprintf() in mx4200_send() (Low)

The following issues do not apply to Linux systems:

  • Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
  • Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
  • Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)

For more information, see:

(Security fix)

proftpd-1.3.5e: Upgraded. This release fixes a security issue: AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418 (Security fix)

2017-04-19

minicom-2.7.1: Upgraded. Fix an out of bounds data access that can lead to remote code execution. This issue was found by Solar Designer of Openwall during a security audit of the Virtuozzo 7 product, which contains derived downstream code in its prl-vzvncserver component. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467 (Security fix)

2017-04-14

2017-04-08

2017-04-01

samba-4.4.13: Upgraded. This is a bug fix release to address a regression introduced by the security fixes for CVE-2017-2619 (Symlink race allows access outside share definition). Please see https://bugzilla.samba.org/show_bug.cgi?id=12721 for details.

2017-03-28

mariadb-10.0.30: Upgraded. This update fixes security issues: Crash in libmysqlclient.so. Difficult to exploit vulnerability allows low privileged attacker with logon to compromise the server. Successful attacks of this vulnerability can result in unauthorized access to data. For more information, see:

(Security fix)

2017-03-24

glibc-zoneinfo-2017b: Upgraded. This package provides the latest timezone updates.

mcabber-1.0.5: Upgraded. This update fixes a security issue: An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5604 (Security fix)

samba-4.4.12: Upgraded. This update fixes a security issue: All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619 (Security fix)

2017-03-15

glibc-zoneinfo-2017a: Upgraded. This package provides the latest timezone updates.

libcgroup-0.41: Rebuilt. This is a bugfix package update. Fixed rc.cgred to source the correct config file. Don't remove the entire cgroup file system with “rc.cgconfig stop”. Thanks to chris.willing. NOTE: Be sure to install any .new config files.

pidgin-2.12.0: Upgraded. This update fixes a minor security issue (out of bounds memory read in purple_markup_unescape_entity). For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640 (Security fix)

2017-03-08

R-3.3.3, icecat-45.7.0: Upgraded.

2017-02-05

murrine, murrine-themes: Added to FXP.

2017-02-04

libreoffice-5.3.0: Added to FXP.

2017-01-29

nted (NoteEdit): Added to FXP.

2017-01-14

SDL2, SDL2_image, physfs, supertux: Added to FXP.

2017-01-09

nethack-3.6.0, fontforge-20150824: Added to FXP.

2016-12-17

Fixed up output formatting in freepkg, which is now ready for testing; please let us know if you have comments, feature requests, or package requests.

2016-12-15

meld3, gtksourceview3, glade: Added to FXP.

2016-12-13

Kernel upgrade 4.4.29 → 4.4.38

2016-12-05

icecat-45.5.1: Upgraded.

2016-11-03

Kernel upgrade 4.4.19 → 4.4.29

2016-10-26

linux-libre-image 4.4.27 fixes Dirty COW (CVE-2016-5195)

2016-08-26

Kernel upgrade 4.4.14 → 4.4.19

2016-08-09

Purged non-free font-bh-ttf and font-bh-type1 from the main repository.

2016-08-09

icecat-38.8.0: Rebuilt to avoid unidentified crashes on some CPUs.

changelog_14.2.txt · Last modified: 2017/09/19 01:16 by connie