Moderatore: Staff
Codice: Seleziona tutto
Thu Sep 25 19:55:13 UTC 2014
patches/packages/bash-4.2.048-x86_64-2_slack14.1.txz: Rebuilt.
Patched an additional trailing string processing vulnerability discovered
by Tavis Ormandy.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Fri Sep 26 22:23:32 UTC 2014
patches/packages/bash-4.2.049-x86_64-1_slack14.1.txz: Upgraded.
This is essentially a rebuild as the preliminary patch for CVE-2014-7169
has been accepted by upstream and is now signed. This also bumps the
patchlevel, making it easy to tell this is the fixed version.
Possibly more changes to come, given the ongoing discussions on oss-sec.
+--------------------------+Codice: Seleziona tutto
Sun Sep 28 23:07:39 UTC 2014
patches/packages/mozilla-firefox-24.8.1esr-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
(* Security fix *)
patches/packages/mozilla-thunderbird-24.8.1-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
(* Security fix *)
patches/packages/seamonkey-2.29.1-x86_64-1_slack14.1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
(* Security fix *)
patches/packages/seamonkey-solibs-2.29.1-x86_64-1_slack14.1.txz: Upgraded.
+--------------------------+Codice: Seleziona tutto
Mon Sep 29 18:41:23 UTC 2014
patches/packages/bash-4.2.050-x86_64-1_slack14.1.txz: Upgraded.
Another bash update. Here's some information included with the patch:
"This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function."
After this update, an environment variable will not go through the parser
unless it follows this naming structure: BASH_FUNC_*%%
Most scripts never expected to import functions from environment variables,
so this change (although not backwards compatible) is not likely to break
many existing scripts. It will, however, close off access to the parser as
an attack surface in the vast majority of cases. There's already another
vulnerability similar to CVE-2014-6271 for which there is not yet a fix,
but this hardening patch prevents it (and likely many more similar ones).
Thanks to Florian Weimer and Chet Ramey.
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Wed Oct 15 17:28:59 UTC 2014
patches/packages/openssl-solibs-1.0.1j-x86_64-1_slack14.1.txz: Upgraded.
(* Security fix *)
patches/packages/openssl-1.0.1j-x86_64-1_slack14.1.txz: Upgraded.
This update fixes several security issues:
SRTP Memory Leak (CVE-2014-3513):
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack.
Session Ticket Memory Leak (CVE-2014-3567):
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
SSL 3.0 Fallback protection:
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
Build option no-ssl3 is incomplete (CVE-2014-3568):
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
For more information, see:
https://www.openssl.org/news/secadv_20141015.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Mon Oct 20 22:21:45 UTC 2014
patches/packages/openssh-6.7p1-x86_64-1_slack14.1.txz: Upgraded.
This update fixes a security issue that allows remote servers to trigger
the skipping of SSHFP DNS RR checking by presenting an unacceptable
HostCertificate.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Fri Oct 24 21:11:15 UTC 2014
patches/packages/glibc-2.17-x86_64-9_slack14.1.txz: Rebuilt.
Rebuilt using --enable-kernel=2.6.32 for better compatibility with
host kernels when running Slackware in a VM or container.
Thanks to Vincent Batts and Eric Hameleers.
patches/packages/glibc-i18n-2.17-x86_64-9_slack14.1.txz: Rebuilt.
patches/packages/glibc-profile-2.17-x86_64-9_slack14.1.txz: Rebuilt.
patches/packages/glibc-solibs-2.17-x86_64-9_slack14.1.txz: Rebuilt.
+--------------------------+
Fri Oct 24 04:55:44 UTC 2014
patches/packages/glibc-2.17-x86_64-8_slack14.1.txz: Rebuilt.
This update fixes several security issues, and adds an extra security
hardening patch from Florian Weimer. Thanks to mancha for help with
tracking and backporting patches.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
(* Security fix *)
patches/packages/glibc-i18n-2.17-x86_64-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-profile-2.17-x86_64-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-solibs-2.17-x86_64-8_slack14.1.txz: Rebuilt.
patches/packages/glibc-zoneinfo-2014i-noarch-1_slack14.1.txz: Rebuilt.
Upgraded to tzcode2014i and tzdata2014i.
pidgin-2.10.10-x86_64-1_slack14.1.txz: Upgraded.
This update fixes several security issues:
Insufficient SSL certificate validation (CVE-2014-3694)
Remote crash parsing malformed MXit emoticon (CVE-2014-3695)
Remote crash parsing malformed Groupwise message (CVE-2014-3696)
Malicious smiley themes could alter arbitrary files (CVE-2014-3697)
Potential information leak from XMPP (CVE-2014-3698)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3697
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Wed Oct 29 18:21:12 UTC 2014
patches/packages/wget-1.14-x86_64-3_slack14.1.txz: Rebuilt.
This update fixes a symlink vulnerability that could allow an attacker
to write outside of the expected directory.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Tue Nov 4 00:05:23 UTC 2014
patches/packages/mariadb-5.5.40-x86_64-1_slack14.1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
(* Security fix *)
patches/packages/mozilla-firefox-31.2.0esr-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
(* Security fix *)
patches/packages/php-5.4.34-x86_64-1_slack14.1.txz: Upgraded.
This update fixes bugs and security issues.
#68044 (Integer overflow in unserialize() (32-bits only)). (CVE-2014-3669)
#68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
#68027 (Global buffer overflow in mkgmtime() function). (CVE-2014-3668)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668
(* Security fix *)
patches/packages/seamonkey-2.30-x86_64-1_slack14.1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
(* Security fix *)
patches/packages/seamonkey-solibs-2.30-x86_64-1_slack14.1.txz: Upgraded.
+--------------------------+Codice: Seleziona tutto
Fri Nov 7 21:02:55 UTC 2014
patches/packages/bash-4.2.053-x86_64-1_slack14.1.txz: Upgraded.
Applied all upstream patches. The previously applied patch requiring
a specific prefix/suffix in order to parse variables for functions
closed all of the known vulnerabilities anyway, but it's clear that
until all the patches were applied that the "is this still vulnerable"
questions were not going to end...
patches/packages/xfce4-weather-plugin-0.8.4-x86_64-1_slack14.1.txz: Upgraded.
Package upgraded to fix the API used to fetch weather data.
+--------------------------+Codice: Seleziona tutto
Thu Nov 13 20:45:54 UTC 2014
patches/packages/mariadb-5.5.40-x86_64-2_slack14.1.txz: Rebuilt.
Reverted change to my_config.h that breaks compiling many applications
that link against the MariaDB libraries.
Thanks to Willy Sudiarto Raharjo.
patches/packages/pidgin-2.10.10-x86_64-2_slack14.1.txz: Rebuilt.
Fix Gadu-Gadu protocol when GnuTLS is not used. Thanks to mancha.
+--------------------------+Codice: Seleziona tutto
Sun Nov 16 22:41:20 UTC 2014
patches/packages/mozilla-thunderbird-31.2.0-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Wed Dec 3 07:03:12 UTC 2014
patches/packages/mozilla-thunderbird-31.3.0-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Thu Dec 11 01:18:35 UTC 2014
patches/packages/bind-9.9.6_P1-x86_64-1_slack14.1.txz: Upgraded.
This update fixes a security issue where a failure to place limits on
delegation chaining can allow an attacker to crash BIND or cause memory
exhaustion.
For more information, see:
https://kb.isc.org/article/AA-01216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
(* Security fix *)
patches/packages/mozilla-firefox-31.3.0esr-x86_64-1_slack14.1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
(* Security fix *)
patches/packages/openssh-6.7p1-x86_64-2_slack14.1.txz: Rebuilt.
Restored support for tcpwrappers that was dropped by upstream.
Thanks to mancha.
patches/packages/openvpn-2.3.6-x86_64-1_slack14.1.txz: Upgraded.
This update fixes a security issue that allows remote authenticated
users to cause a denial of service (server crash) via a small control
channel packet.
For more information, see:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
(* Security fix *)
patches/packages/pidgin-2.10.11-x86_64-1_slack14.1.txz: Upgraded.
This update contains login fixes for MSN and some XMPP servers.
patches/packages/seamonkey-2.31-x86_64-1_slack14.1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
(* Security fix *)
patches/packages/seamonkey-solibs-2.31-x86_64-1_slack14.1.txz: Upgraded.
patches/packages/wpa_supplicant-2.3-x86_64-1_slack14.1.txz: Upgraded.
This update fixes a remote command-execution vulnerability caused by a
failure to adequately sanitize user-supplied input.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
(* Security fix *)
+--------------------------+Codice: Seleziona tutto
Tue Dec 23 00:05:23 UTC 2014
patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several high-severity vulnerabilities discovered by Neel Mehta
and Stephen Roettger of the Google Security Team.
For more information, see:
https://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
(* Security fix *)
patches/packages/php-5.4.36-x86_64-1_slack14.1.txz: Upgraded.
This update fixes bugs and security issues.
#68545 (NULL pointer dereference in unserialize.c).
#68594 (Use after free vulnerability in unserialize()). (CVE-2014-8142)
#68283 (fileinfo: out-of-bounds read in elf note headers). (CVE-2014-3710)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
(* Security fix *)
patches/packages/xorg-server-1.14.3-x86_64-3_slack14.1.txz: Rebuilt.
This update fixes many security issues discovered by Ilja van Sprundel,
a security researcher with IOActive.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103
(* Security fix *)
patches/packages/xorg-server-xephyr-1.14.3-x86_64-3_slack14.1.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.14.3-x86_64-3_slack14.1.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.14.3-x86_64-3_slack14.1.txz: Rebuilt.
+--------------------------+