a/bcachefs-tools-1.7.0-x86_64-1.txz: Added.
a/kernel-generic-6.9.0-x86_64-2.txz: Upgraded.
a/kernel-huge-6.9.0-x86_64-2.txz: Upgraded.
a/kernel-modules-6.9.0-x86_64-2.txz: Upgraded.
d/git-2.45.1-x86_64-1.txz: Upgraded.
This update fixes security issues:
Recursive clones on case-insensitive filesystems that support symbolic
links are susceptible to case confusion that can be exploited to
execute just-cloned code during the clone operation.
Repositories can be configured to execute arbitrary code during local
clones. To address this, the ownership checks introduced in v2.30.3
are now extended to cover cloning local repositories.
Local clones may end up hardlinking files into the target repository's
object database when source and target repository reside on the same
disk. If the source repository is owned by a different user, then
those hardlinked files may be rewritten at any point in time by the
untrusted user.
When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/
directory.
It is supposed to be safe to clone untrusted repositories, even those
unpacked from zip archives or tarballs originating from untrusted
sources, but Git can be tricked to run arbitrary code as part of the
clone.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-32002https://www.cve.org/CVERecord?id=CVE-2024-32004https://www.cve.org/CVERecord?id=CVE-2024-32020https://www.cve.org/CVERecord?id=CVE-2024-32021https://www.cve.org/CVERecord?id=CVE-2024-32465
(* Security fix *)
d/kernel-headers-6.9.0-x86-2.txz: Upgraded.
d/strace-6.9-x86_64-1.txz: Upgraded.
k/kernel-source-6.9.0-noarch-2.txz: Upgraded.
BCACHEFS_FS m -> y
CRYPTO_CHACHA20 m -> y
CRYPTO_LIB_CHACHA_GENERIC m -> y
CRYPTO_LIB_POLY1305_GENERIC m -> y
CRYPTO_POLY1305 m -> y
MITIGATION_GDS_FORCE y -> n
kde/wcslib-8.3-x86_64-1.txz: Upgraded.
l/gdk-pixbuf2-2.42.12-x86_64-1.txz: Upgraded.
ani: Reject files with multiple INA or IART chunks.
ani: Reject files with multiple anih chunks.
ani: validate chunk size.
Thanks to 0xvhp, pedrib, and Benjamin Gilbert.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-48622
(* Security fix *)
l/gtk+3-3.24.42-x86_64-1.txz: Upgraded.
n/bind-9.18.27-x86_64-1.txz: Upgraded.
This is a bugfix release.
n/popa3d-1.0.3-x86_64-8.txz: Rebuilt.
This is a bugfix release:
Build with AUTH_PAM, not AUTH_SHADOW.
Thanks to jayjwa.
x/xorg-server-xwayland-23.2.7-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/dialog-1.3_20240307-x86_64-1.txz: Upgraded.
l/libpaper-2.2.3-x86_64-1.txz: Upgraded.
l/libqalculate-5.0.0-x86_64-1.txz: Upgraded.
l/pyparsing-3.1.2-x86_64-1.txz: Upgraded.
l/python-packaging-24.0-x86_64-1.txz: Upgraded.
n/openssh-9.7p1-x86_64-1.txz: Upgraded.
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.
n/wget-1.24.5-x86_64-1.txz: Upgraded.
x/iceauth-1.0.10-x86_64-1.txz: Upgraded.
x/libXaw-1.0.16-x86_64-1.txz: Upgraded.
xap/xaos-4.3.2-x86_64-1.txz: Upgraded.
a/gettext-0.22.2-x86_64-1.txz: Upgraded.
ap/cups-2.4.7-x86_64-1.txz: Upgraded.
This update fixes bugs and a security issue:
Fixed Heap-based buffer overflow when reading Postscript in PPD files.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-4504
(* Security fix *)
d/cmake-3.27.6-x86_64-1.txz: Upgraded.
d/gettext-tools-0.22.2-x86_64-1.txz: Upgraded.
l/dconf-editor-45.0.1-x86_64-1.txz: Upgraded.
l/gst-plugins-bad-free-1.22.6-x86_64-1.txz: Upgraded.
l/gst-plugins-base-1.22.6-x86_64-1.txz: Upgraded.
l/gst-plugins-good-1.22.6-x86_64-1.txz: Upgraded.
l/gst-plugins-libav-1.22.6-x86_64-1.txz: Upgraded.
l/gstreamer-1.22.6-x86_64-1.txz: Upgraded.
l/gtk4-4.12.2-x86_64-1.txz: Upgraded.
l/imagemagick-7.1.1_17-x86_64-1.txz: Upgraded.
n/bind-9.18.19-x86_64-1.txz: Upgraded.
This update fixes bugs and security issues:
Limit the amount of recursion that can be performed by isccc_cc_fromwire.
Fix use-after-free error in TLS DNS code when sending data.
For more information, see:
https://kb.isc.org/docs/cve-2023-3341https://www.cve.org/CVERecord?id=CVE-2023-3341https://kb.isc.org/docs/cve-2023-4236https://www.cve.org/CVERecord?id=CVE-2023-4236
(* Security fix *)
n/stunnel-5.71-x86_64-1.txz: Upgraded.
x/mesa-23.1.8-x86_64-1.txz: Upgraded.
x/xorg-server-xwayland-23.2.1-x86_64-1.txz: Upgraded.
xap/freerdp-2.11.2-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-115.2.3-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/115.2.3/releasenotes/
xap/seamonkey-2.53.17.1-x86_64-1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.17.1https://www.cve.org/CVERecord?id=CVE-2023-4863
(* Security fix *)
a/bash-5.2.000-x86_64-1.txz: Upgraded.
ap/vim-9.0.0594-x86_64-1.txz: Upgraded.
Fixed stack-based buffer overflow.
Thanks to marav for the heads-up.
In addition, Mig21 pointed out an issue where the defaults.vim file might
need to be edited for some purposes as its contents will override the
settings in the system-wide vimrc. Usually this file is replaced whenever
vim is upgraded, which in those situations would be inconvenient for the
admin. So, I've added support for a file named defaults.vim.custom which
(if it exists) will be used instead of the defaults.vim file shipped in
the package and will persist through upgrades.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3296
(* Security fix *)
l/fluidsynth-2.3.0-x86_64-1.txz: Upgraded.
l/imagemagick-7.1.0_49-x86_64-1.txz: Upgraded.
l/libcap-2.66-x86_64-1.txz: Upgraded.
l/netpbm-10.99.03-x86_64-1.txz: Upgraded.
l/readline-8.2.000-x86_64-1.txz: Upgraded.
l/xapian-core-1.4.21-x86_64-1.txz: Upgraded.
n/dnsmasq-2.87-x86_64-1.txz: Upgraded.
Fix write-after-free error in DHCPv6 server code.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
(* Security fix *)
x/xterm-373-x86_64-1.txz: Upgraded.
xap/vim-gvim-9.0.0594-x86_64-1.txz: Upgraded.
a/kernel-firmware-20211216_f682ecb-noarch-1.txz: Upgraded.
a/kernel-generic-5.15.9-x86_64-1.txz: Upgraded.
a/kernel-huge-5.15.9-x86_64-1.txz: Upgraded.
a/kernel-modules-5.15.9-x86_64-1.txz: Upgraded.
a/openssl-solibs-1.1.1m-x86_64-1.txz: Upgraded.
ap/inxi-3.3.10_1-noarch-1.txz: Upgraded.
Thanks to h2-1.
d/kernel-headers-5.15.9-x86-1.txz: Upgraded.
d/vala-0.54.5-x86_64-1.txz: Upgraded.
k/kernel-source-5.15.9-noarch-1.txz: Upgraded.
SUNRPC_DEBUG n -> y
+NFS_DEBUG y
Thanks to bassmadrigal.
kde/latte-dock-0.10.5-x86_64-1.txz: Upgraded.
l/mozilla-nss-3.73.1-x86_64-1.txz: Upgraded.
l/pipewire-0.3.42-x86_64-1.txz: Upgraded.
n/iputils-20211215-x86_64-1.txz: Upgraded.
n/openssl-1.1.1m-x86_64-1.txz: Upgraded.
n/php-7.4.27-x86_64-1.txz: Upgraded.
x/xorg-server-1.20.14-x86_64-1.txz: Upgraded.
Built using --enable-systemd-logind to use elogind for device setup.
Some code changes would be required in xorg-server, xinit, and various login
managers to make rootless X work out of the box or to fall back in cases
where elogind isn't supported, and those changes aren't appropriate here in
the RC stage, but you can try it without recompiling:
chmod 755 /usr/libexec/Xorg*
Thanks to LuckyCyborg.
x/xorg-server-xephyr-1.20.14-x86_64-1.txz: Upgraded.
x/xorg-server-xnest-1.20.14-x86_64-1.txz: Upgraded.
x/xorg-server-xvfb-1.20.14-x86_64-1.txz: Upgraded.
xap/mozilla-firefox-91.4.1esr-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/firefox/91.4.1/releasenotes/
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/sysvinit-scripts-2.1-noarch-40.txz: Rebuilt.
Drop old /sbin/rescan-scsi-bus as the most recent version is already present
in the sg3_utils package as /usr/bin/rescan-scsi-bus.sh.
d/meson-0.57.1-x86_64-1.txz: Upgraded.
l/mozilla-nss-3.62-x86_64-1.txz: Upgraded.
l/sg3_utils-1.45-x86_64-4.txz: Rebuilt.
Make a symlink /sbin/rescan-scsi-bus -> /usr/bin/rescan-scsi-bus.sh in case
anyone depends on the old path / name from the sysvinit-scripts package.
n/ipset-7.11-x86_64-1.txz: Upgraded.
n/krb5-1.19.1-x86_64-1.txz: Upgraded.
n/s-nail-14.9.21-x86_64-4.txz: Rebuilt.
If there's no mail, exit. Thanks to ardya.
testing/packages/linux-5.11/kernel-generic-5.11.0-x86_64-1.txz: Added.
testing/packages/linux-5.11/kernel-headers-5.11.0-x86-1.txz: Added.
testing/packages/linux-5.11/kernel-huge-5.11.0-x86_64-1.txz: Added.
testing/packages/linux-5.11/kernel-modules-5.11.0-x86_64-1.txz: Added.
testing/packages/linux-5.11/kernel-source-5.11.0-noarch-1.txz: Added.
a/kernel-generic-4.19.17-x86_64-1.txz: Upgraded.
a/kernel-huge-4.19.17-x86_64-1.txz: Upgraded.
a/kernel-modules-4.19.17-x86_64-1.txz: Upgraded.
d/kernel-headers-4.19.17-x86-1.txz: Upgraded.
d/scons-3.0.4-x86_64-1.txz: Upgraded.
d/vala-0.42.5-x86_64-1.txz: Upgraded.
k/kernel-source-4.19.17-noarch-1.txz: Upgraded.
n/httpd-2.4.38-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
(* Security fix *)
x/libdrm-2.4.97-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/bash-4.4.023-x86_64-1.txz: Upgraded.
a/kernel-firmware-20180604_1fa9ce3-noarch-1.txz: Upgraded.
a/kernel-generic-4.14.48-x86_64-1.txz: Upgraded.
a/kernel-huge-4.14.48-x86_64-1.txz: Upgraded.
a/kernel-modules-4.14.48-x86_64-1.txz: Upgraded.
ap/cups-2.2.8-x86_64-1.txz: Upgraded.
ap/ghostscript-fonts-std-8.11-noarch-3.txz: Rebuilt.
Rebuilt this and many other font packages or packages with build scripts
that call mkfontdir or mkfontscale to suppress any error messages caused
by collisions if another package installation is writing files to the
same font directories when those utilities are run. In that case, the
other package will also be running mkfontdir/mkfontscale after the files
are installed, so any issues will be cleaned up then. Last one out turn
off the lights, so to speak.
ap/sqlite-3.24.0-x86_64-1.txz: Upgraded.
ap/terminus-font-4.40-noarch-3.txz: Rebuilt.
d/kernel-headers-4.14.48-x86-1.txz: Upgraded.
d/rust-1.26.2-x86_64-1.txz: Upgraded.
k/kernel-source-4.14.48-noarch-1.txz: Upgraded.
l/elfutils-0.171-x86_64-1.txz: Upgraded.
l/harfbuzz-1.7.7-x86_64-1.txz: Upgraded.
l/mozilla-nss-3.37.3-x86_64-1.txz: Upgraded.
l/readline-7.0.005-x86_64-1.txz: Upgraded.
x/dejavu-fonts-ttf-2.37-noarch-4.txz: Rebuilt.
x/font-adobe-100dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-adobe-75dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-adobe-utopia-100dpi-1.0.4-noarch-3.txz: Rebuilt.
x/font-adobe-utopia-75dpi-1.0.4-noarch-3.txz: Rebuilt.
x/font-adobe-utopia-type1-1.0.4-noarch-3.txz: Rebuilt.
x/font-arabic-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-100dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-75dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-lucidatypewriter-100dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-lucidatypewriter-75dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-ttf-1.0.3-noarch-3.txz: Rebuilt.
x/font-bh-type1-1.0.3-noarch-3.txz: Rebuilt.
x/font-bitstream-100dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bitstream-75dpi-1.0.3-noarch-3.txz: Rebuilt.
x/font-bitstream-speedo-1.0.2-noarch-3.txz: Rebuilt.
x/font-bitstream-type1-1.0.3-noarch-3.txz: Rebuilt.
x/font-cronyx-cyrillic-1.0.3-noarch-3.txz: Rebuilt.
x/font-cursor-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-daewoo-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-dec-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-ibm-type1-1.0.3-noarch-3.txz: Rebuilt.
x/font-isas-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-jis-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-micro-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-misc-cyrillic-1.0.3-noarch-3.txz: Rebuilt.
x/font-misc-ethiopic-1.0.3-noarch-3.txz: Rebuilt.
x/font-misc-meltho-1.0.3-noarch-3.txz: Rebuilt.
x/font-misc-misc-1.1.2-noarch-3.txz: Rebuilt.
x/font-mutt-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-schumacher-misc-1.1.2-noarch-3.txz: Rebuilt.
x/font-screen-cyrillic-1.0.4-noarch-3.txz: Rebuilt.
x/font-sony-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-sun-misc-1.0.3-noarch-3.txz: Rebuilt.
x/font-winitzki-cyrillic-1.0.3-noarch-3.txz: Rebuilt.
x/font-xfree86-type1-1.0.4-noarch-3.txz: Rebuilt.
x/liberation-fonts-ttf-2.00.1-noarch-3.txz: Rebuilt.
x/libinput-1.11.0-x86_64-1.txz: Upgraded.
x/sazanami-fonts-ttf-20040629-noarch-3.txz: Rebuilt.
x/sinhala_lklug-font-ttf-20060929-noarch-3.txz: Rebuilt.
x/tibmachuni-font-ttf-1.901b-noarch-3.txz: Rebuilt.
x/ttf-indic-fonts-0.5.14-noarch-3.txz: Rebuilt.
x/ttf-tlwg-0.6.4-noarch-3.txz: Rebuilt.
x/urw-core35-fonts-otf-20170801_91edd6e_git-noarch-2.txz: Rebuilt.
x/wqy-zenhei-font-ttf-0.8.38_1-noarch-6.txz: Rebuilt.
xap/mozilla-firefox-60.0.2-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/security/known-vulnerabilities/firefox.html
(* Security fix *)
xap/x3270-3.3.12ga7-x86_64-5.txz: Rebuilt.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
