Commit graph

243 commits

Author SHA1 Message Date
Patrick J Volkerding
8ea2d78564 Mon Mar 20 18:26:23 UTC 2023
patches/packages/curl-8.0.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  SSH connection too eager reuse still.
  HSTS double-free.
  GSS delegation too eager connection re-use.
  FTP too eager connection reuse.
  SFTP path ~ resolving discrepancy.
  TELNET option IAC injection.
  For more information, see:
    https://curl.se/docs/CVE-2023-27538.html
    https://curl.se/docs/CVE-2023-27537.html
    https://curl.se/docs/CVE-2023-27536.html
    https://curl.se/docs/CVE-2023-27535.html
    https://curl.se/docs/CVE-2023-27534.html
    https://curl.se/docs/CVE-2023-27533.html
    https://www.cve.org/CVERecord?id=CVE-2023-27538
    https://www.cve.org/CVERecord?id=CVE-2023-27537
    https://www.cve.org/CVERecord?id=CVE-2023-27536
    https://www.cve.org/CVERecord?id=CVE-2023-27535
    https://www.cve.org/CVERecord?id=CVE-2023-27534
    https://www.cve.org/CVERecord?id=CVE-2023-27533
  (* Security fix *)
patches/packages/vim-9.0.1418-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed security issues:
  NULL pointer dereference issue in utfc_ptr2len.
  Incorrect Calculation of Buffer Size.
  Heap-based Buffer Overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-1264
    https://www.cve.org/CVERecord?id=CVE-2023-1175
    https://www.cve.org/CVERecord?id=CVE-2023-1170
  (* Security fix *)
patches/packages/vim-gvim-9.0.1418-x86_64-1_slack15.0.txz:  Upgraded.
2023-03-21 13:30:37 +01:00
Patrick J Volkerding
db72bca364 Thu Mar 16 23:34:56 UTC 2023
patches/packages/bind-9.16.39-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/mozilla-thunderbird-102.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.9.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/
    https://www.cve.org/CVERecord?id=CVE-2023-25751
    https://www.cve.org/CVERecord?id=CVE-2023-28164
    https://www.cve.org/CVERecord?id=CVE-2023-28162
    https://www.cve.org/CVERecord?id=CVE-2023-25752
    https://www.cve.org/CVERecord?id=CVE-2023-28163
    https://www.cve.org/CVERecord?id=CVE-2023-28176
  (* Security fix *)
patches/packages/openssh-9.3p1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains fixes for a security problem and a memory
  safety problem. The memory safety problem is not believed to be
  exploitable, but we report most network-reachable memory faults as
  security bugs.
  For more information, see:
    https://www.openssh.com/txt/release-9.3
  (* Security fix *)
testing/packages/bind-9.18.13-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-03-17 13:30:41 +01:00
Patrick J Volkerding
0c961905d2 Tue Mar 14 20:42:47 UTC 2023
patches/packages/mozilla-firefox-102.9.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.9.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-10
    https://www.cve.org/CVERecord?id=CVE-2023-25751
    https://www.cve.org/CVERecord?id=CVE-2023-28164
    https://www.cve.org/CVERecord?id=CVE-2023-28162
    https://www.cve.org/CVERecord?id=CVE-2023-25752
    https://www.cve.org/CVERecord?id=CVE-2023-28163
    https://www.cve.org/CVERecord?id=CVE-2023-28176
  (* Security fix *)
2023-03-15 13:30:41 +01:00
Patrick J Volkerding
5dc0394bc0 Wed Mar 8 20:26:54 UTC 2023
patches/packages/httpd-2.4.56-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes two security issues:
  HTTP Response Smuggling vulnerability via mod_proxy_uwsgi.
  HTTP Request Smuggling attack via mod_rewrite and mod_proxy.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.56
    https://www.cve.org/CVERecord?id=CVE-2023-27522
    https://www.cve.org/CVERecord?id=CVE-2023-25690
  (* Security fix *)
2023-03-09 13:30:42 +01:00
Patrick J Volkerding
354174cc64 Mon Mar 6 20:18:10 UTC 2023
patches/packages/sudo-1.9.13p3-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-03-07 13:30:45 +01:00
Patrick J Volkerding
78c0119973 Mon Mar 6 02:21:57 UTC 2023
patches/packages/xscreensaver-6.06-x86_64-1_slack15.0.txz:  Upgraded.
  Here's an upgrade to the latest xscreensaver.
2023-03-06 13:30:35 +01:00
Patrick J Volkerding
61e0126fa3 Tue Feb 28 21:33:32 UTC 2023
patches/packages/whois-5.5.16-x86_64-1_slack15.0.txz:  Upgraded.
  Add bash completion support, courtesy of Ville Skytta.
  Updated the .tr TLD server.
  Removed support for -metu NIC handles.
2023-03-01 13:30:39 +01:00
Patrick J Volkerding
f27add7577 Mon Feb 20 19:41:06 UTC 2023
patches/packages/curl-7.88.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-02-21 13:30:37 +01:00
Patrick J Volkerding
f3eb859afc Sat Feb 18 02:04:34 UTC 2023
patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz:  Upgraded.
patches/packages/linux-5.15.80/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.81:
    https://www.cve.org/CVERecord?id=CVE-2022-47519
    https://www.cve.org/CVERecord?id=CVE-2022-47518
    https://www.cve.org/CVERecord?id=CVE-2022-47520
    https://www.cve.org/CVERecord?id=CVE-2022-47521
    https://www.cve.org/CVERecord?id=CVE-2022-3344
    Fixed in 5.15.82:
    https://www.cve.org/CVERecord?id=CVE-2022-45869
    https://www.cve.org/CVERecord?id=CVE-2022-4378
    Fixed in 5.15.83:
    https://www.cve.org/CVERecord?id=CVE-2022-3643
    Fixed in 5.15.84:
    https://www.cve.org/CVERecord?id=CVE-2022-3545
    Fixed in 5.15.85:
    https://www.cve.org/CVERecord?id=CVE-2022-45934
    Fixed in 5.15.86:
    https://www.cve.org/CVERecord?id=CVE-2022-3534
    https://www.cve.org/CVERecord?id=CVE-2022-3424
    Fixed in 5.15.87:
    https://www.cve.org/CVERecord?id=CVE-2022-41218
    https://www.cve.org/CVERecord?id=CVE-2023-23455
    https://www.cve.org/CVERecord?id=CVE-2023-23454
    https://www.cve.org/CVERecord?id=CVE-2023-0045
    https://www.cve.org/CVERecord?id=CVE-2023-0210
    https://www.cve.org/CVERecord?id=CVE-2022-36280
    Fixed in 5.15.88:
    https://www.cve.org/CVERecord?id=CVE-2023-0266
    https://www.cve.org/CVERecord?id=CVE-2022-47929
    Fixed in 5.15.89:
    https://www.cve.org/CVERecord?id=CVE-2023-0179
    https://www.cve.org/CVERecord?id=CVE-2023-0394
    Fixed in 5.15.90:
    https://www.cve.org/CVERecord?id=CVE-2022-4382
    https://www.cve.org/CVERecord?id=CVE-2022-4842
    Fixed in 5.15.91:
    https://www.cve.org/CVERecord?id=CVE-2022-4129
    https://www.cve.org/CVERecord?id=CVE-2023-23559
  (* Security fix *)
2023-02-18 13:30:11 +01:00
Patrick J Volkerding
1ae65ae489 Thu Feb 16 22:07:06 UTC 2023
patches/packages/mozilla-thunderbird-102.8.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
    https://www.cve.org/CVERecord?id=CVE-2023-0616
    https://www.cve.org/CVERecord?id=CVE-2023-25728
    https://www.cve.org/CVERecord?id=CVE-2023-25730
    https://www.cve.org/CVERecord?id=CVE-2023-0767
    https://www.cve.org/CVERecord?id=CVE-2023-25735
    https://www.cve.org/CVERecord?id=CVE-2023-25737
    https://www.cve.org/CVERecord?id=CVE-2023-25738
    https://www.cve.org/CVERecord?id=CVE-2023-25739
    https://www.cve.org/CVERecord?id=CVE-2023-25729
    https://www.cve.org/CVERecord?id=CVE-2023-25732
    https://www.cve.org/CVERecord?id=CVE-2023-25734
    https://www.cve.org/CVERecord?id=CVE-2023-25742
    https://www.cve.org/CVERecord?id=CVE-2023-25746
  (* Security fix *)
2023-02-17 13:30:05 +01:00
Patrick J Volkerding
9b5b70af5b Wed Feb 15 19:48:10 UTC 2023
patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  HTTP multi-header compression denial of service.
  HSTS amnesia with --parallel.
  HSTS ignored on multiple requests.
  For more information, see:
    https://curl.se/docs/CVE-2023-23916.html
    https://curl.se/docs/CVE-2023-23915.html
    https://curl.se/docs/CVE-2023-23914.html
    https://www.cve.org/CVERecord?id=CVE-2023-23916
    https://www.cve.org/CVERecord?id=CVE-2023-23915
    https://www.cve.org/CVERecord?id=CVE-2023-23914
  (* Security fix *)
patches/packages/git-2.35.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Using a specially-crafted repository, Git can be tricked into using
  its local clone optimization even when using a non-local transport.
  Though Git will abort local clones whose source $GIT_DIR/objects
  directory contains symbolic links (c.f., CVE-2022-39253), the objects
  directory itself may still be a symbolic link.
  These two may be combined to include arbitrary files based on known
  paths on the victim's filesystem within the malicious repository's
  working copy, allowing for data exfiltration in a similar manner as
  CVE-2022-39253.
  By feeding a crafted input to "git apply", a path outside the
  working tree can be overwritten as the user who is running "git
  apply".
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-22490
    https://www.cve.org/CVERecord?id=CVE-2023-23946
  (* Security fix *)
2023-02-16 13:30:35 +01:00
Patrick J Volkerding
ad9ea8bf78 Wed Feb 15 03:05:40 UTC 2023
extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
patches/packages/hwdata-0.367-noarch-1_slack15.0.txz:  Upgraded.
  Upgraded to get information for newer hardware.
  Requested by kingbeowulf on LQ.
patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
    https://www.cve.org/CVERecord?id=CVE-2023-25728
    https://www.cve.org/CVERecord?id=CVE-2023-25730
    https://www.cve.org/CVERecord?id=CVE-2023-25743
    https://www.cve.org/CVERecord?id=CVE-2023-0767
    https://www.cve.org/CVERecord?id=CVE-2023-25735
    https://www.cve.org/CVERecord?id=CVE-2023-25737
    https://www.cve.org/CVERecord?id=CVE-2023-25738
    https://www.cve.org/CVERecord?id=CVE-2023-25739
    https://www.cve.org/CVERecord?id=CVE-2023-25729
    https://www.cve.org/CVERecord?id=CVE-2023-25732
    https://www.cve.org/CVERecord?id=CVE-2023-25734
    https://www.cve.org/CVERecord?id=CVE-2023-25742
    https://www.cve.org/CVERecord?id=CVE-2023-25746
  (* Security fix *)
patches/packages/php-7.4.33-x86_64-3_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
2023-02-16 01:30:36 +01:00
Patrick J Volkerding
57c03ef31c Fri Feb 10 20:08:41 UTC 2023
patches/packages/gnutls-3.7.9-x86_64-1_slack15.0.txz:  Upgraded.
  libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
  Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
  [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0361
  (* Security fix *)
2023-02-11 13:30:32 +01:00
Patrick J Volkerding
5951c7a965 Thu Feb 9 00:59:27 UTC 2023
patches/packages/mozilla-thunderbird-102.7.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.7.2/releasenotes/
2023-02-09 13:30:28 +01:00
Patrick J Volkerding
4b5e1863bb Tue Feb 7 20:48:57 UTC 2023
patches/packages/openssl-1.1.1t-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  X.400 address type confusion in X.509 GeneralName.
  Timing Oracle in RSA Decryption.
  Use-after-free following BIO_new_NDEF.
  Double free after calling PEM_read_bio_ex.
  For more information, see:
    https://www.openssl.org/news/secadv/20230207.txt
    https://www.cve.org/CVERecord?id=CVE-2023-0286
    https://www.cve.org/CVERecord?id=CVE-2022-4304
    https://www.cve.org/CVERecord?id=CVE-2023-0215
    https://www.cve.org/CVERecord?id=CVE-2022-4450
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1t-x86_64-1_slack15.0.txz:  Upgraded.
patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
  [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
  Also merged another patch to prevent crashes when using a compositor with
  the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0494
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txz:  Rebuilt.
  [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
  Also merged another patch to prevent crashes when using a compositor with
  the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0494
  (* Security fix *)
2023-02-08 13:30:32 +01:00
Patrick J Volkerding
ad40d2a62a Thu Feb 2 22:52:48 UTC 2023
patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains fixes for two security problems and a memory safety
  problem. The memory safety problem is not believed to be exploitable, but
  upstream reports most network-reachable memory faults as security bugs.
  This update contains some potentially incompatible changes regarding the
  scp utility. For more information, see:
    https://www.openssh.com/releasenotes.html#9.0
  For more information, see:
    https://www.openssh.com/releasenotes.html#9.2
  (* Security fix *)
2023-02-03 13:30:32 +01:00
Patrick J Volkerding
7453cf8b30 Wed Feb 1 22:27:31 UTC 2023
patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Integer Overflow or Wraparound vulnerability in apr_encode functions of
  Apache Portable Runtime (APR) allows an attacker to write beyond bounds
  of a buffer. (CVE-2022-24963)
  Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
  (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
  later 1.6.x releases, but was missing in 1.7.0.) (CVE-2021-35940)
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-24963
    https://www.cve.org/CVERecord?id=CVE-2021-35940
    https://www.cve.org/CVERecord?id=CVE-2017-12613
  (* Security fix *)
patches/packages/apr-util-1.6.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Integer Overflow or Wraparound vulnerability in apr_base64 functions
  of Apache Portable Runtime Utility (APR-util) allows an attacker to
  write beyond bounds of a buffer. (CVE-2022-25147)
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-25147
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.7.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.7.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-04/
    https://www.cve.org/CVERecord?id=CVE-2023-0430
  (* Security fix *)
2023-02-02 13:30:30 +01:00
Patrick J Volkerding
139b76eee4 Thu Jan 26 00:34:41 UTC 2023
patches/packages/bind-9.16.37-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  An UPDATE message flood could cause :iscman:`named` to exhaust all
  available memory. This flaw was addressed by adding a new
  :any:`update-quota` option that controls the maximum number of
  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
  queue at any given time (default: 100).
  :iscman:`named` could crash with an assertion failure when an RRSIG
  query was received and :any:`stale-answer-client-timeout` was set to a
  non-zero value. This has been fixed.
  :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to any value greater
  than ``0`` could crash with an assertion failure, when the
  :any:`recursive-clients` soft quota was reached. This has been fixed.
  For more information, see:
    https://kb.isc.org/docs/cve-2022-3094
    https://kb.isc.org/docs/cve-2022-3736
    https://kb.isc.org/docs/cve-2022-3924
    https://www.cve.org/CVERecord?id=CVE-2022-3094
    https://www.cve.org/CVERecord?id=CVE-2022-3736
    https://www.cve.org/CVERecord?id=CVE-2022-3924
  (* Security fix *)
patches/packages/vim-9.0.1241-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a security issue:
  Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0433
  (* Security fix *)
patches/packages/vim-gvim-9.0.1241-x86_64-1_slack15.0.txz:  Upgraded.
testing/packages/bind-9.18.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  An UPDATE message flood could cause :iscman:`named` to exhaust all
  available memory. This flaw was addressed by adding a new
  :any:`update-quota` option that controls the maximum number of
  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
  queue at any given time (default: 100).
  :iscman:`named` could crash with an assertion failure when an RRSIG
  query was received and :any:`stale-answer-client-timeout` was set to a
  non-zero value. This has been fixed.
  :iscman:`named` running as a resolver with the
  :any:`stale-answer-client-timeout` option set to any value greater
  than ``0`` could crash with an assertion failure, when the
  :any:`recursive-clients` soft quota was reached. This has been fixed.
  For more information, see:
    https://kb.isc.org/docs/cve-2022-3094
    https://kb.isc.org/docs/cve-2022-3736
    https://kb.isc.org/docs/cve-2022-3924
    https://www.cve.org/CVERecord?id=CVE-2022-3094
    https://www.cve.org/CVERecord?id=CVE-2022-3736
    https://www.cve.org/CVERecord?id=CVE-2022-3924
  (* Security fix *)
2023-01-26 13:30:28 +01:00
Patrick J Volkerding
3a08b95c50 Fri Jan 20 23:58:24 UTC 2023
patches/packages/mozilla-thunderbird-102.7.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.7.0/releasenotes/
    https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird102.7
  (* Security fix *)
patches/packages/seamonkey-2.53.15-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.15
  (* Security fix *)
2023-01-21 13:30:30 +01:00
Patrick J Volkerding
19e28b847b Thu Jan 19 00:40:12 UTC 2023
patches/packages/sudo-1.9.12p2-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a flaw in sudo's -e option (aka sudoedit) that could allow
  a malicious user with sudoedit privileges to edit arbitrary files.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-22809
  (* Security fix *)
2023-01-19 13:30:28 +01:00
Patrick J Volkerding
7793836a6d Fri Jan 13 20:29:55 UTC 2023
patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz:  Upgraded.
  Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow
  resulting in code execution via a crafted .appl file.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45188
  (* Security fix *)
2023-01-14 13:30:29 +01:00
Patrick J Volkerding
4c8bd06faa Tue Jan 10 21:32:00 UTC 2023
patches/packages/ca-certificates-20221205-noarch-2_slack15.0.txz:  Rebuilt.
  Make sure that if we're installing this package on another partition (such as
  when using installpkg with a --root parameter) that the updates are done on
  that partition. Thanks to fulalas.
2023-01-11 13:30:25 +01:00
Patrick J Volkerding
585883b9b5 Sat Jan 7 01:50:00 UTC 2023
extra/php80/php80-8.0.27-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
extra/php81/php81-8.1.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
patches/packages/mozilla-nss-3.87-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures.
  For more information, see:
    https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
    https://www.cve.org/CVERecord?id=CVE-2021-43527
  (* Security fix *)
patches/packages/php-7.4.33-x86_64-2_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
2023-01-07 13:30:29 +01:00
Patrick J Volkerding
7920ad758b Thu Jan 5 03:09:24 UTC 2023
patches/packages/vim-9.0.1146-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed security issues:
  Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
  Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0049
    https://www.cve.org/CVERecord?id=CVE-2023-0051
  (* Security fix *)
patches/packages/vim-gvim-9.0.1146-x86_64-1_slack15.0.txz:  Upgraded.
2023-01-06 13:30:24 +01:00
Patrick J Volkerding
e054e8d54f Wed Jan 4 02:18:08 UTC 2023
patches/packages/libtiff-4.4.0-x86_64-1_slack15.0.txz:  Upgraded.
  Patched various security bugs.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-2056
    https://www.cve.org/CVERecord?id=CVE-2022-2057
    https://www.cve.org/CVERecord?id=CVE-2022-2058
    https://www.cve.org/CVERecord?id=CVE-2022-3970
    https://www.cve.org/CVERecord?id=CVE-2022-34526
  (* Security fix *)
patches/packages/rxvt-unicode-9.26-x86_64-3_slack15.0.txz:  Rebuilt.
  When the "background" extension was loaded, an attacker able to control the
  data written to the terminal would be able to execute arbitrary code as the
  terminal's user. Thanks to David Leadbeater and Ben Collver.
  For more information, see:
    https://www.openwall.com/lists/oss-security/2022/12/05/1
    https://www.cve.org/CVERecord?id=CVE-2022-4170
  (* Security fix *)
patches/packages/whois-5.5.15-x86_64-1_slack15.0.txz:  Upgraded.
  Updated the .bd, .nz and .tv TLD servers.
  Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
  Updated the .ac.uk and .gov.uk SLD servers.
  Recursion has been enabled for whois.nic.tv.
  Updated the list of new gTLDs with four generic TLDs assigned in October 2013
  which were missing due to a bug.
  Removed 4 new gTLDs which are no longer active.
  Added the Georgian translation, contributed by Temuri Doghonadze.
  Updated the Finnish translation, contributed by Lauri Nurmi.
2023-01-04 13:30:28 +01:00
Patrick J Volkerding
d404417adc Fri Dec 23 02:37:47 UTC 2022
testing/packages/bind-9.18.10-x86_64-1_slack15.0.txz:  Upgraded.
2022-12-23 13:30:29 +01:00
Patrick J Volkerding
a5dc0f82be Tue Dec 20 20:40:18 UTC 2022
patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz:  Upgraded.
  Fix another integer overflow in the CRL's signature parser.
  (* Security fix *)
patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz:  Rebuilt.
  This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
  By crafting a malicious .BMP file, an attacker can cause the application
  using this library to crash, denial of service, or code execution.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-33657
  (* Security fix *)
2022-12-21 13:30:32 +01:00
Patrick J Volkerding
15705ea3bc Mon Dec 19 21:18:22 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
  This release fixes an invalid event type mask in XTestSwapFakeInput which
  was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
  for CVE-2022-46340.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-5_slack15.0.txz:  Rebuilt.
  This release fixes an invalid event type mask in XTestSwapFakeInput which
  was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
  for CVE-2022-46340.
2022-12-20 13:30:29 +01:00
Patrick J Volkerding
3c02d6f8a1 Sun Dec 18 20:28:03 UTC 2022
patches/packages/libarchive-3.6.2-x86_64-2_slack15.0.txz:  Rebuilt.
  This update fixes a regression causing a failure to compile against
  libarchive: don't include iconv in libarchive.pc.
2022-12-19 13:30:36 +01:00
Patrick J Volkerding
373b059753 Sat Dec 17 21:14:11 UTC 2022
patches/packages/samba-4.15.13-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of
  Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
  A Samba Active Directory DC will issue weak rc4-hmac session keys for
  use between modern clients and servers despite all modern Kerberos
  implementations supporting the aes256-cts-hmac-sha1-96 cipher.
  On Samba Active Directory DCs and members
  'kerberos encryption types = legacy'
  would force rc4-hmac as a client even if the server supports
  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
  This is the Samba CVE for the Windows Kerberos Elevation of Privilege
  Vulnerability disclosed by Microsoft on Nov 8 2022.
  A service account with the special constrained delegation permission
  could forge a more powerful ticket than the one it was presented with.
  The "RC4" protection of the NetLogon Secure channel uses the same
  algorithms as rc4-hmac cryptography in Kerberos, and so must also be
  assumed to be weak.
  Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed
  that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue
  rc4-hmac encrypted tickets despite the target server supporting better
  encryption (eg aes256-cts-hmac-sha1-96).
  Note that there are several important behavior changes included in this
  release, which may cause compatibility problems interacting with system
  still expecting the former behavior.
  Please read the advisories of CVE-2022-37966, CVE-2022-37967 and
  CVE-2022-38023 carefully!
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-37966.html
    https://www.samba.org/samba/security/CVE-2022-37967.html
    https://www.samba.org/samba/security/CVE-2022-38023.html
    https://www.samba.org/samba/security/CVE-2022-45141.html
    https://www.cve.org/CVERecord?id=CVE-2022-37966
    https://www.cve.org/CVERecord?id=CVE-2022-37967
    https://www.cve.org/CVERecord?id=CVE-2022-38023
    https://www.cve.org/CVERecord?id=CVE-2022-45141
  (* Security fix *)
2022-12-18 13:30:08 +01:00
Patrick J Volkerding
b5eac9957b Wed Dec 14 21:19:34 UTC 2022
patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
2022-12-15 13:30:52 +01:00
Patrick J Volkerding
012399c1c5 Fri Dec 9 19:43:46 UTC 2022
patches/packages/libarchive-3.6.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix and security release.
  Relevant bugfixes:
    rar5 reader: fix possible garbled output with bsdtar -O (#1745)
    mtree reader: support reading mtree files with tabs (#1783)
  Security fixes:
    various small fixes for issues found by CodeQL
  (* Security fix *)
2022-12-10 13:30:31 +01:00
Patrick J Volkerding
d17567f359 Thu Dec 8 22:48:34 UTC 2022
patches/packages/emacs-27.2-x86_64-2_slack15.0.txz:  Rebuilt.
  GNU Emacs through 28.2 allows attackers to execute commands via shell
  metacharacters in the name of a source-code file, because lib-src/etags.c
  uses the system C library function in its implementation of the ctags
  program. For example, a victim may use the "ctags *" command (suggested in
  the ctags documentation) in a situation where the current working directory
  has contents that depend on untrusted input.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45939
  (* Security fix *)
patches/packages/vim-9.0.1034-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes various security issues such as a heap-based buffer
  overflow and use after free.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-4141
    https://www.cve.org/CVERecord?id=CVE-2022-3591
    https://www.cve.org/CVERecord?id=CVE-2022-3520
    https://www.cve.org/CVERecord?id=CVE-2022-3491
    https://www.cve.org/CVERecord?id=CVE-2022-4292
    https://www.cve.org/CVERecord?id=CVE-2022-4293
  (* Security fix *)
patches/packages/vim-gvim-9.0.1034-x86_64-1_slack15.0.txz:  Upgraded.
2022-12-09 13:30:05 +01:00
Patrick J Volkerding
7add5d2865 Wed Dec 7 18:48:07 UTC 2022
patches/packages/python3-3.9.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
  (heap use-after-free).
  gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio
  related name resolution functions no longer involves a quadratic algorithm
  to fix CVE-2022-45061. This prevents a potential CPU denial of service if an
  out-of-spec excessive length hostname involving bidirectional characters were
  decoded. Some protocols such as urllib http 3xx redirects potentially allow
  for an attacker to supply such a name.
  gh-100001: python -m http.server no longer allows terminal control characters
  sent within a garbage request to be printed to the stderr server log.
  gh-87604: Avoid publishing list of active per-interpreter audit hooks via the
  gc module.
  gh-97514: On Linux the multiprocessing module returns to using filesystem
  backed unix domain sockets for communication with the forkserver process
  instead of the Linux abstract socket namespace. Only code that chooses to use
  the "forkserver" start method is affected. This prevents Linux CVE-2022-42919
  (potential privilege escalation) as abstract sockets have no permissions and
  could allow any user on the system in the same network namespace (often the
  whole system) to inject code into the multiprocessing forkserver process.
  Filesystem based socket permissions restrict this to the forkserver process
  user as was the default in Python 3.8 and earlier.
  gh-98517: Port XKCP's fix for the buffer overflows in SHA-3 to fix
  CVE-2022-37454.
  gh-68966: The deprecated mailcap module now refuses to inject unsafe text
  (filenames, MIME types, parameters) into shell commands to address
  CVE-2015-20107. Instead of using such text, it will warn and act as if a
  match was not found (or for test commands, as if the test failed).
  For more information, see:
    https://pythoninsider.blogspot.com/2022/12/python-3111-3109-3916-3816-3716-and.html
    https://www.cve.org/CVERecord?id=CVE-2022-43680
    https://www.cve.org/CVERecord?id=CVE-2022-45061
    https://www.cve.org/CVERecord?id=CVE-2022-42919
    https://www.cve.org/CVERecord?id=CVE-2022-37454
    https://www.cve.org/CVERecord?id=CVE-2015-20107
  (* Security fix *)
2022-12-08 13:30:30 +01:00
Patrick J Volkerding
c3b931c533 Mon Dec 5 21:00:46 UTC 2022
patches/packages/ca-certificates-20221205-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-12-06 13:30:35 +01:00
Patrick J Volkerding
f2cf8c475b Fri Dec 2 20:58:24 UTC 2022
patches/packages/krusader-2.8.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/mozilla-thunderbird-102.5.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.5.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-50/
    https://www.cve.org/CVERecord?id=CVE-2022-45414
  (* Security fix *)
2022-12-03 13:30:20 +01:00
Patrick J Volkerding
cd369db342 Tue Nov 29 20:56:03 UTC 2022
patches/packages/kernel-firmware-20221123_cdf9499-noarch-1.txz:  Upgraded.
patches/packages/linux-5.15.80/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.63:
    https://www.cve.org/CVERecord?id=CVE-2022-3629
    https://www.cve.org/CVERecord?id=CVE-2022-3635
    https://www.cve.org/CVERecord?id=CVE-2022-3633
    https://www.cve.org/CVERecord?id=CVE-2022-3625
    Fixed in 5.15.64:
    https://www.cve.org/CVERecord?id=CVE-2022-39190
    https://www.cve.org/CVERecord?id=CVE-2022-3028
    https://www.cve.org/CVERecord?id=CVE-2022-2905
    Fixed in 5.15.65:
    https://www.cve.org/CVERecord?id=CVE-2022-42703
    https://www.cve.org/CVERecord?id=CVE-2022-3176
    Fixed in 5.15.66:
    https://www.cve.org/CVERecord?id=CVE-2022-4095
    https://www.cve.org/CVERecord?id=CVE-2022-20421
    Fixed in 5.15.68:
    https://www.cve.org/CVERecord?id=CVE-2022-3303
    https://www.cve.org/CVERecord?id=CVE-2022-2663
    https://www.cve.org/CVERecord?id=CVE-2022-40307
    https://www.cve.org/CVERecord?id=CVE-2022-3586
    Fixed in 5.15.70:
    https://www.cve.org/CVERecord?id=CVE-2022-0171
    https://www.cve.org/CVERecord?id=CVE-2022-39842
    https://www.cve.org/CVERecord?id=CVE-2022-3061
    Fixed in 5.15.72:
    https://www.cve.org/CVERecord?id=CVE-2022-2308
    Fixed in 5.15.73:
    https://www.cve.org/CVERecord?id=CVE-2022-2978
    https://www.cve.org/CVERecord?id=CVE-2022-43750
    Fixed in 5.15.74:
    https://www.cve.org/CVERecord?id=CVE-2022-40768
    https://www.cve.org/CVERecord?id=CVE-2022-42721
    https://www.cve.org/CVERecord?id=CVE-2022-3621
    https://www.cve.org/CVERecord?id=CVE-2022-42722
    https://www.cve.org/CVERecord?id=CVE-2022-42719
    https://www.cve.org/CVERecord?id=CVE-2022-41674
    https://www.cve.org/CVERecord?id=CVE-2022-3649
    https://www.cve.org/CVERecord?id=CVE-2022-3646
    https://www.cve.org/CVERecord?id=CVE-2022-42720
    Fixed in 5.15.75:
    https://www.cve.org/CVERecord?id=CVE-2022-43945
    https://www.cve.org/CVERecord?id=CVE-2022-41849
    https://www.cve.org/CVERecord?id=CVE-2022-3535
    https://www.cve.org/CVERecord?id=CVE-2022-3594
    https://www.cve.org/CVERecord?id=CVE-2022-2602
    https://www.cve.org/CVERecord?id=CVE-2022-41850
    https://www.cve.org/CVERecord?id=CVE-2022-3565
    https://www.cve.org/CVERecord?id=CVE-2022-3542
    Fixed in 5.15.77:
    https://www.cve.org/CVERecord?id=CVE-2022-3524
    Fixed in 5.15.78:
    https://www.cve.org/CVERecord?id=CVE-2022-3628
    https://www.cve.org/CVERecord?id=CVE-2022-3623
    https://www.cve.org/CVERecord?id=CVE-2022-42896
    https://www.cve.org/CVERecord?id=CVE-2022-42895
    https://www.cve.org/CVERecord?id=CVE-2022-3543
    https://www.cve.org/CVERecord?id=CVE-2022-3564
    https://www.cve.org/CVERecord?id=CVE-2022-3619
    Fixed in 5.15.80:
    https://www.cve.org/CVERecord?id=CVE-2022-3521
    https://www.cve.org/CVERecord?id=CVE-2022-3169
  (* Security fix *)
patches/packages/openssl-1.1.1s-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/openssl-solibs-1.1.1s-x86_64-1_slack15.0.txz:  Upgraded.
2022-11-30 13:30:31 +01:00
Patrick J Volkerding
52b2b8f314 Thu Nov 24 20:55:37 UTC 2022
patches/packages/ruby-3.0.5-x86_64-1_slack15.0.txz:  Upgraded.
  This release includes a security fix:
  HTTP response splitting in CGI.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-33621
  (* Security fix *)
2022-11-25 13:30:58 +01:00
Patrick J Volkerding
860213618e Thu Nov 17 20:02:33 UTC 2022
patches/packages/freerdp-2.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed multiple client side input validation issues.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-39316
    https://www.cve.org/CVERecord?id=CVE-2022-39317
    https://www.cve.org/CVERecord?id=CVE-2022-39318
    https://www.cve.org/CVERecord?id=CVE-2022-39319
    https://www.cve.org/CVERecord?id=CVE-2022-39320
    https://www.cve.org/CVERecord?id=CVE-2022-41877
    https://www.cve.org/CVERecord?id=CVE-2022-39347
  (* Security fix *)
2022-11-18 13:30:33 +01:00
Patrick J Volkerding
45ec128def Thu Nov 17 01:49:28 UTC 2022
patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txz:  Rebuilt.
  Fixed integer overflows in PAC parsing.
  Fixed memory leak in OTP kdcpreauth module.
  Fixed PKCS11 module path search.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-42898
  (* Security fix *)
patches/packages/mozilla-firefox-102.5.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.5.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-48/
    https://www.cve.org/CVERecord?id=CVE-2022-45403
    https://www.cve.org/CVERecord?id=CVE-2022-45404
    https://www.cve.org/CVERecord?id=CVE-2022-45405
    https://www.cve.org/CVERecord?id=CVE-2022-45406
    https://www.cve.org/CVERecord?id=CVE-2022-45408
    https://www.cve.org/CVERecord?id=CVE-2022-45409
    https://www.cve.org/CVERecord?id=CVE-2022-45410
    https://www.cve.org/CVERecord?id=CVE-2022-45411
    https://www.cve.org/CVERecord?id=CVE-2022-45412
    https://www.cve.org/CVERecord?id=CVE-2022-45416
    https://www.cve.org/CVERecord?id=CVE-2022-45418
    https://www.cve.org/CVERecord?id=CVE-2022-45420
    https://www.cve.org/CVERecord?id=CVE-2022-45421
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.5.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.5.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
    https://www.cve.org/CVERecord?id=CVE-2022-45403
    https://www.cve.org/CVERecord?id=CVE-2022-45404
    https://www.cve.org/CVERecord?id=CVE-2022-45405
    https://www.cve.org/CVERecord?id=CVE-2022-45406
    https://www.cve.org/CVERecord?id=CVE-2022-45408
    https://www.cve.org/CVERecord?id=CVE-2022-45409
    https://www.cve.org/CVERecord?id=CVE-2022-45410
    https://www.cve.org/CVERecord?id=CVE-2022-45411
    https://www.cve.org/CVERecord?id=CVE-2022-45412
    https://www.cve.org/CVERecord?id=CVE-2022-45416
    https://www.cve.org/CVERecord?id=CVE-2022-45418
    https://www.cve.org/CVERecord?id=CVE-2022-45420
    https://www.cve.org/CVERecord?id=CVE-2022-45421
  (* Security fix *)
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a security issue where Samba's Kerberos libraries and AD DC failed
  to guard against integer overflows when parsing a PAC on a 32-bit system,
  which allowed an attacker with a forged PAC to corrupt the heap.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-42898.html
    https://www.cve.org/CVERecord?id=CVE-2022-42898
  (* Security fix *)
patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes regressions in the previous security fix:
  mime-settings: Properly quote command parameters.
  Revert "Escape characters which do not belong into an URI/URL (Issue #390)."
2022-11-17 13:30:31 +01:00
Patrick J Volkerding
68513bbb1b Thu Nov 10 19:47:59 UTC 2022
patches/packages/php-7.4.33-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  GD: OOB read due to insufficient input validation in imageloadfont().
  Hash: buffer overflow in hash_update() on long parameter.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31630
    https://www.cve.org/CVERecord?id=CVE-2022-37454
  (* Security fix *)
2022-11-11 13:30:28 +01:00
Patrick J Volkerding
ff521ad792 Wed Nov 9 22:16:30 UTC 2022
patches/packages/sysstat-12.7.1-x86_64-1_slack15.0.txz:  Upgraded.
  On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
  allocate_structures contains a size_t overflow in sa_common.c. The
  allocate_structures function insufficiently checks bounds before arithmetic
  multiplication, allowing for an overflow in the size allocated for the
  buffer representing system activities.
  This issue may lead to Remote Code Execution (RCE).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-39377
  (* Security fix *)
patches/packages/xfce4-settings-4.16.4-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed an argument injection vulnerability in xfce4-mime-helper.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45062
  (* Security fix *)
2022-11-10 13:30:32 +01:00
Patrick J Volkerding
9cbb8ffdbc Tue Nov 8 22:21:43 UTC 2022
patches/packages/glibc-zoneinfo-2022f-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/mariadb-10.5.18-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://mariadb.com/kb/en/mariadb-10-5-18-release-notes
2022-11-09 13:30:19 +01:00
Patrick J Volkerding
2d3e95aa33 Sat Nov 5 19:18:19 UTC 2022
patches/packages/sudo-1.9.12p1-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a potential out-of-bounds write for passwords smaller than 8
  characters when passwd authentication is enabled.
  This does not affect configurations that use other authentication
  methods such as PAM, AIX authentication or BSD authentication.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-43995
  (* Security fix *)
2022-11-06 13:30:38 +01:00
Patrick J Volkerding
44df9c66d8 Fri Nov 4 19:29:28 UTC 2022
patches/packages/mozilla-thunderbird-102.4.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.4.2/releasenotes/
2022-11-05 13:30:36 +01:00
Patrick J Volkerding
bcdf30a8fe Mon Oct 31 23:31:36 UTC 2022
extra/php80/php80-8.0.25-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  GD: OOB read due to insufficient input validation in imageloadfont().
  Hash: buffer overflow in hash_update() on long parameter.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31630
    https://www.cve.org/CVERecord?id=CVE-2022-37454
  (* Security fix *)
extra/php81/php81-8.1.12-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  GD: OOB read due to insufficient input validation in imageloadfont().
  Hash: buffer overflow in hash_update() on long parameter.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31630
    https://www.cve.org/CVERecord?id=CVE-2022-37454
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.4.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.4.1/releasenotes/
patches/packages/vim-9.0.0814-x86_64-1_slack15.0.txz:  Upgraded.
  A vulnerability was found in vim and classified as problematic. Affected by
  this issue is the function qf_update_buffer of the file quickfix.c of the
  component autocmd Handler. The manipulation leads to use after free. The
  attack may be launched remotely. Upgrading to version 9.0.0805 is able to
  address this issue.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-3705
  (* Security fix *)
patches/packages/vim-gvim-9.0.0814-x86_64-1_slack15.0.txz:  Upgraded.
2022-11-01 13:30:36 +01:00
Patrick J Volkerding
af0a59722c Thu Oct 27 02:30:15 UTC 2022
patches/packages/curl-7.86.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  HSTS bypass via IDN.
  HTTP proxy double-free.
  .netrc parser out-of-bounds access.
  POST following PUT confusion.
  For more information, see:
    https://curl.se/docs/CVE-2022-42916.html
    https://curl.se/docs/CVE-2022-42915.html
    https://curl.se/docs/CVE-2022-35260.html
    https://curl.se/docs/CVE-2022-32221.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42916
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42915
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35260
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32221
  (* Security fix *)
2022-10-28 13:30:09 +02:00
Patrick J Volkerding
6e7a178c9a Tue Oct 25 18:38:58 UTC 2022
patches/packages/expat-2.5.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix heap use-after-free after overeager destruction of a shared DTD in
  function XML_ExternalEntityParserCreate in out-of-memory situations.
  Expected impact is denial of service or potentially arbitrary code
  execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680
  (* Security fix *)
patches/packages/samba-4.15.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes the following security issue:
  There is a limited write heap buffer overflow in the GSSAPI unwrap_des()
  and unwrap_des3() routines of Heimdal (included in Samba).
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-3437.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3437
  (* Security fix *)
2022-10-26 13:30:34 +02:00
Patrick J Volkerding
f9f39a199c Fri Oct 21 18:19:00 UTC 2022
patches/packages/rsync-3.2.7-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  Notably, this addresses some regressions caused by the file-list validation
  fix in rsync-3.2.5.
  Thanks to llgar.
2022-10-22 13:30:46 +02:00
Patrick J Volkerding
1f4633ae9c Thu Oct 20 18:39:03 UTC 2022
patches/packages/mozilla-thunderbird-102.4.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.4.0/releasenotes/
patches/packages/whois-5.5.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update adds the .bf and .sd TLD servers, removes the .gu TLD server,
  updates the .dm, .fj, .mt and .pk TLD servers, updates the charset for
  whois.nic.tr, updates the list of new gTLDs, removes whois.nic.fr from the
  list of RIPE-like servers (because it is not one anymore), renames
  whois.arnes.si to whois.register.si in the list of RIPE-like servers, and
  adds the hiding string for whois.auda.org.au.
2022-10-21 13:30:04 +02:00
Patrick J Volkerding
58fac6b4a4 Wed Oct 19 20:06:33 UTC 2022
patches/packages/samba-4.15.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.samba.org/samba/history/samba-4.15.10.html
2022-10-20 13:30:54 +02:00
Patrick J Volkerding
f6bba8a1d2 Tue Oct 18 20:29:54 UTC 2022
patches/packages/git-2.35.5-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes two security issues:
  * CVE-2022-39253:
  When relying on the `--local` clone optimization, Git dereferences
  symbolic links in the source repository before creating hardlinks
  (or copies) of the dereferenced link in the destination repository.
  This can lead to surprising behavior where arbitrary files are
  present in a repository's `$GIT_DIR` when cloning from a malicious
  repository.
  Git will no longer dereference symbolic links via the `--local`
  clone mechanism, and will instead refuse to clone repositories that
  have symbolic links present in the `$GIT_DIR/objects` directory.
  Additionally, the value of `protocol.file.allow` is changed to be
  "user" by default.
  * CVE-2022-39260:
  An overly-long command string given to `git shell` can result in
  overflow in `split_cmdline()`, leading to arbitrary heap writes and
  remote code execution when `git shell` is exposed and the directory
  `$HOME/git-shell-commands` exists.
  `git shell` is taught to refuse interactive commands that are
  longer than 4MiB in size. `split_cmdline()` is hardened to reject
  inputs larger than 2GiB.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260
  (* Security fix *)
patches/packages/mozilla-firefox-102.4.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.4.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-45/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42927
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42929
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42932
  (* Security fix *)
2022-10-19 13:30:12 +02:00
Patrick J Volkerding
2559feca78 Mon Oct 17 19:31:45 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  xquartz: Fix a possible crash when editing the Application menu due
  to mutating immutable arrays.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
  (* Security fix *)
2022-10-18 13:30:33 +02:00
Patrick J Volkerding
a37e7d6f03 Mon Oct 17 00:42:43 UTC 2022
patches/packages/glibc-zoneinfo-2022e-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-10-17 13:30:32 +02:00
Patrick J Volkerding
da8b549669 Sat Oct 15 20:28:34 UTC 2022
patches/packages/zlib-1.2.13-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a bug when getting a gzip header extra field with inflateGetHeader().
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
  (* Security fix *)
2022-10-16 13:30:55 +02:00
Patrick J Volkerding
00cb38d107 Fri Oct 14 01:39:37 UTC 2022
patches/packages/mozilla-thunderbird-102.3.3-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.3.3/releasenotes/
patches/packages/python3-3.9.15-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Bundled libexpat was upgraded from 2.4.7 to 2.4.9 which fixes a heap
  use-after-free vulnerability in function doContent.
  gh-97616: a fix for a possible buffer overflow in list *= int.
  gh-97612: a fix for possible shell injection in the example script
  get-remote-certificate.py.
  gh-96577: a fix for a potential buffer overrun in msilib.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
  (* Security fix *)
2022-10-14 13:30:41 +02:00
Patrick J Volkerding
46235d1ce0 Sat Oct 8 19:23:31 UTC 2022
patches/packages/libksba-1.6.2-x86_64-1_slack15.0.txz:  Upgraded.
  Detect a possible overflow directly in the TLV parser.
  This patch detects possible integer overflows immmediately when creating
  the TI object.
  Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
  (* Security fix *)
2022-10-09 13:31:06 +02:00
Patrick J Volkerding
d0aaad7d2b Fri Oct 7 20:32:18 UTC 2022
patches/packages/mozilla-thunderbird-102.3.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.3.2/releasenotes/
2022-10-08 13:30:33 +02:00
Patrick J Volkerding
153ac9bb20 Wed Oct 5 18:55:36 UTC 2022
patches/packages/dhcp-4.4.3_P1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes two security issues:
  Corrected a reference count leak that occurs when the server builds
  responses to leasequery packets.
  Corrected a memory leak that occurs when unpacking a packet that has an
  FQDN option (81) that contains a label with length greater than 63 bytes.
  Thanks to VictorV of Cyber Kunlun Lab for reporting these issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
  (* Security fix *)
2022-10-06 13:30:32 +02:00
Patrick J Volkerding
a96a6a61e4 Sat Oct 1 18:38:27 UTC 2022
patches/packages/glibc-zoneinfo-2022d-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-10-02 13:30:33 +02:00
Patrick J Volkerding
3087018ea7 Fri Sep 30 17:52:21 UTC 2022
extra/php80/php80-8.0.24-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  phar wrapper: DOS when using quine gzip file.
  Don't mangle HTTP variable names that clash with ones that have a specific
  semantic meaning.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
  (* Security fix *)
extra/php81/php81-8.1.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  phar wrapper: DOS when using quine gzip file.
  Don't mangle HTTP variable names that clash with ones that have a specific
  semantic meaning.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.3.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.3.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-43/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39236
  (* Security fix *)
patches/packages/php-7.4.32-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  phar wrapper: DOS when using quine gzip file.
  Don't mangle HTTP variable names that clash with ones that have a specific
  semantic meaning.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31628
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31629
  (* Security fix *)
patches/packages/seamonkey-2.53.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.14
  (* Security fix *)
patches/packages/vim-9.0.0623-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use-after-free and stack-based buffer overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3352
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3324
  (* Security fix *)
patches/packages/vim-gvim-9.0.0623-x86_64-1_slack15.0.txz:  Upgraded.
2022-10-01 13:30:35 +02:00
Patrick J Volkerding
ef823d82ca Wed Sep 28 18:59:51 UTC 2022
patches/packages/xorg-server-xwayland-21.1.4-x86_64-2_slack15.0.txz:  Rebuilt.
  xkb: switch to array index loops to moving pointers.
  xkb: add request length validation for XkbSetGeometry.
  xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
  I hadn't realized that the xorg-server patches were needed (or applied
  cleanly) to Xwayland. Thanks to LuckyCyborg for the kind reminder. :-)
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
  (* Security fix *)
2022-09-29 13:30:05 +02:00
Patrick J Volkerding
0ab769ac69 Mon Sep 26 19:43:54 UTC 2022
patches/packages/dnsmasq-2.87-x86_64-1_slack15.0.txz:  Upgraded.
  Fix write-after-free error in DHCPv6 server code.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
  (* Security fix *)
patches/packages/vim-9.0.0594-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed stack-based buffer overflow.
  Thanks to marav for the heads-up.
  In addition, Mig21 pointed out an issue where the defaults.vim file might
  need to be edited for some purposes as its contents will override the
  settings in the system-wide vimrc. Usually this file is replaced whenever
  vim is upgraded, which in those situations would be inconvenient for the
  admin. So, I've added support for a file named defaults.vim.custom which
  (if it exists) will be used instead of the defaults.vim file shipped in
  the package and will persist through upgrades.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3296
  (* Security fix *)
patches/packages/vim-gvim-9.0.0594-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-27 13:30:30 +02:00
Patrick J Volkerding
1730200e5d Fri Sep 23 23:51:02 UTC 2022
patches/packages/vim-9.0.0558-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3256
  (* Security fix *)
patches/packages/vim-gvim-9.0.0558-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-24 13:30:28 +02:00
Patrick J Volkerding
d22a8a6524 Thu Sep 22 19:50:20 UTC 2022
patches/packages/ca-certificates-20220922-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2022-09-23 13:30:28 +02:00
Patrick J Volkerding
8f546e8375 Wed Sep 21 19:19:07 UTC 2022
patches/packages/cups-2.4.2-x86_64-3_slack15.0.txz:  Rebuilt.
  Fixed crash when using the CUPS web setup interface:
  [PATCH] Fix OpenSSL crash bug - "tls" pointer wasn't cleared after freeing
  it (Issue #409).
  Thanks to MisterL, bryjen, and kjhambrick.
  Fixed an OpenSSL certificate loading issue:
  [PATCH] The OpenSSL code path wasn't loading the full certificate
  chain (Issue #465).
  Thanks to tmmukunn.
2022-09-22 13:30:28 +02:00
Patrick J Volkerding
b9facc142f Tue Sep 20 22:50:28 UTC 2022
patches/packages/expat-2.4.9-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Heap use-after-free vulnerability in function doContent. Expected impact is
  denial of service or potentially arbitrary code execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
  (* Security fix *)
patches/packages/mozilla-firefox-102.3.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.3.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-41/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40959
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40958
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40956
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40962
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.3.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.3.0/releasenotes/
2022-09-21 13:30:31 +02:00
Patrick J Volkerding
ed751ebff5 Sun Sep 18 19:02:14 UTC 2022
patches/packages/vim-9.0.0500-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed heap-based buffer overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3234
  (* Security fix *)
patches/packages/vim-gvim-9.0.0500-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-19 13:30:28 +02:00
Patrick J Volkerding
b6bae52b64 Sat Sep 10 01:51:43 UTC 2022
patches/packages/vim-9.0.0417-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed null pointer dereference.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3153
  (* Security fix *)
patches/packages/vim-gvim-9.0.0417-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-11 13:30:27 +02:00
Patrick J Volkerding
dfdaa16c05 Thu Sep 8 01:33:19 UTC 2022
patches/packages/mozilla-thunderbird-102.2.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.2.2/releasenotes/
2022-09-08 13:30:28 +02:00
Patrick J Volkerding
23a0b53a62 Tue Sep 6 20:21:24 UTC 2022
extra/rust-for-mozilla/rust-1.60.0-x86_64-1_slack15.0.txz:  Upgraded.
  Upgraded the Rust compiler for Firefox 102.2.0 and Thunderbird 102.2.1.
patches/packages/mozilla-firefox-102.2.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.2.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-34/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.2.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  Some accounts may need to be reconfigured after moving from
  Thunderbird 91.13.0 to Thunderbird 102.2.1.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.2.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3032
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3034
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059
  (* Security fix *)
patches/packages/vim-9.0.0396-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3099
  (* Security fix *)
patches/packages/vim-gvim-9.0.0396-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-07 13:30:33 +02:00
Patrick J Volkerding
ca8c1d3c22 Thu Sep 1 20:01:13 UTC 2022
patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz:  Rebuilt.
  [PATCH] JBIG2Stream: Fix crash on broken file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860
  (* Security fix *)
2022-09-02 13:30:06 +02:00
Patrick J Volkerding
1393bd0f4f Tue Aug 30 19:39:30 UTC 2022
extra/sendmail/sendmail-8.17.1-x86_64-4_slack15.0.txz:  Rebuilt.
  Patched sendmail.h to fix SASL auth. Thanks to af7567.
  Build without -DUSE_EAI (which is evidently considered experimental) since
  the option breaks the vacation binary. Thanks to bitfuzzy and HQuest.
  It is possible that this could work but requires additional options. I found
  this in the ChangeLog for the SUSE rpm:
    Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533) is available
    when using the compile time option USE_EAI (see also
    devtools/Site/site.config.m4.sample for other required settings) and the cf
    option SMTPUTF8.  If a mail submission via the command line requires the
    use of SMTPUTF8, e.g., because a header uses UTF-8 encoding, but the
    addresses on the command line are all ASCII, then the new option -U must be
    used, and the cf option SMTPUTF8 must be set in submit.cf.
  Any assistance with getting -DUSE_EAI working properly would be appreciated.
extra/sendmail/sendmail-cf-8.17.1-noarch-4_slack15.0.txz:  Rebuilt.
patches/packages/vim-9.0.0334-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3016
  (* Security fix *)
patches/packages/vim-gvim-9.0.0334-x86_64-1_slack15.0.txz:  Upgraded.
2022-08-31 13:30:01 +02:00
Patrick J Volkerding
71a81b7408 Fri Aug 26 04:02:20 UTC 2022
patches/packages/linux-5.15.63/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.39:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1974
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1975
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1734
    Fixed in 5.15.40:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1943
    Fixed in 5.15.41:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28893
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012
    Fixed in 5.15.42:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1652
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21499
    Fixed in 5.15.44:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
    Fixed in 5.15.45:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2873
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
    Fixed in 5.15.46:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1973
    Fixed in 5.15.47:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32981
    Fixed in 5.15.48:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123
    Fixed in 5.15.53:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2318
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33744
    Fixed in 5.15.54:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
    Fixed in 5.15.56:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123
    Fixed in 5.15.57:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901
    Fixed in 5.15.58:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879
    Fixed in 5.15.59:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
    Fixed in 5.15.60:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26373
    Fixed in 5.15.61:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588
  (* Security fix *)
patches/packages/vim-9.0.0270-x86_64-1_slack15.0.txz:  Upgraded.
  We're just going to move to vim-9 instead of continuing to backport patches
  to the vim-8 branch. Most users will be better served by this.
  Fixed use after free and null pointer dereference.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2923
  (* Security fix *)
patches/packages/vim-gvim-9.0.0270-x86_64-1_slack15.0.txz:  Upgraded.
2022-08-27 13:30:28 +02:00
Patrick J Volkerding
d96560a977 Tue Aug 23 19:27:56 UTC 2022
extra/sendmail/sendmail-8.17.1-x86_64-3_slack15.0.txz:  Rebuilt.
  In recent versions of glibc, USE_INET6 has been removed which caused sendmail
  to reject mail from IPv6 addresses. Adding -DHAS_GETHOSTBYNNAME2=1 to the
  site.config.m4 allows the reverse lookups to work again fixing this issue.
  Thanks to talo.
extra/sendmail/sendmail-cf-8.17.1-noarch-3_slack15.0.txz:  Rebuilt.
patches/packages/hunspell-1.7.1-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed invalid read operation in SuggestMgr::leftcommonsubstring
  in suggestmgr.cxx.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16707
  (* Security fix *)
patches/packages/mozilla-firefox-91.13.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.13.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-35/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
  (* Security fix *)
patches/packages/mozilla-thunderbird-91.13.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.13.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-37/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
  (* Security fix *)
2022-08-24 13:30:27 +02:00
Patrick J Volkerding
44e993e802 Sat Aug 20 20:04:15 UTC 2022
patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txz:  Rebuilt.
  Fix use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2889
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txz:  Rebuilt.
2022-08-21 13:30:26 +02:00
Patrick J Volkerding
77a67ac465 Thu Aug 18 23:19:52 UTC 2022
patches/packages/glibc-zoneinfo-2022c-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-08-19 13:29:58 +02:00
Patrick J Volkerding
821b8a94bf Wed Aug 17 20:41:53 UTC 2022
patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
  Fix use after free, out-of-bounds read, and heap based buffer overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
2022-08-18 13:30:02 +02:00
Patrick J Volkerding
834b3a5fc2 Tue Aug 16 18:51:34 UTC 2022
patches/packages/mariadb-10.5.17-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and several security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32082
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32089
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32081
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32084
  (* Security fix *)
2022-08-17 13:30:28 +02:00
Patrick J Volkerding
cffeb680aa Mon Aug 15 20:23:47 UTC 2022
patches/packages/rsync-3.2.5-x86_64-1_slack15.0.txz:  Upgraded.
  Added some file-list safety checking that helps to ensure that a rogue
  sending rsync can't add unrequested top-level names and/or include recursive
  names that should have been excluded by the sender. These extra safety
  checks only require the receiver rsync to be updated. When dealing with an
  untrusted sending host, it is safest to copy into a dedicated destination
  directory for the remote content (i.e. don't copy into a destination
  directory that contains files that aren't from the remote host unless you
  trust the remote host).
  For more information, see:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
  (* Security fix *)
2022-08-16 13:30:28 +02:00
Patrick J Volkerding
24a4907817 Sat Aug 13 19:12:40 UTC 2022
patches/packages/glibc-zoneinfo-2022b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-08-14 13:30:29 +02:00
Patrick J Volkerding
5dd1410e22 Tue Aug 9 19:25:22 UTC 2022
patches/packages/zlib-1.2.12-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix update.
  Applied an upstream patch to restore the handling of CRC inputs to be the
  same as in previous releases of zlib. This fixes an issue with OpenJDK.
  Thanks to alienBOB.
2022-08-10 13:30:27 +02:00
Patrick J Volkerding
e8686ed7fd Fri Jul 29 19:59:03 UTC 2022
patches/packages/gnutls-3.7.7-x86_64-1_slack15.0.txz:  Upgraded.
  libgnutls: Fixed double free during verification of pkcs7 signatures.
  Reported by Jaak Ristioja.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2509
  (* Security fix *)
2022-07-30 13:30:32 +02:00
Patrick J Volkerding
0648599e6d Thu Jul 28 23:48:36 UTC 2022
patches/packages/mozilla-thunderbird-91.12.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.12.0/releasenotes/
    https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird91.12
  (* Security fix *)
2022-07-29 13:31:04 +02:00
Patrick J Volkerding
ad19766c1e Wed Jul 27 19:17:38 UTC 2022
patches/packages/samba-4.15.9-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes the following security issues:
  Samba AD users can bypass certain restrictions associated with changing
  passwords.
  Samba AD users can forge password change requests for any user.
  Samba AD users can crash the server process with an LDAP add or modify
  request.
  Samba AD users can induce a use-after-free in the server process with an
  LDAP add or modify request.
  Server memory information leak via SMB1.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-2031.html
    https://www.samba.org/samba/security/CVE-2022-32744.html
    https://www.samba.org/samba/security/CVE-2022-32745.html
    https://www.samba.org/samba/security/CVE-2022-32746.html
    https://www.samba.org/samba/security/CVE-2022-32742.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742
  (* Security fix *)
2022-07-28 13:30:29 +02:00
Patrick J Volkerding
bfbbd63f28 Mon Jul 25 20:53:49 UTC 2022
patches/packages/mozilla-firefox-91.12.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.12.0/releasenotes/
  (* Security fix *)
patches/packages/perl-5.34.0-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  Upgraded: Devel-CheckLib-1.16, IO-Socket-SSL-2.074, Net-SSLeay-1.92,
  Path-Tiny-0.122, Template-Toolkit-3.100, URI-5.12, libnet-3.14.
  Added a symlink to libperl.so in /usr/${LIBDIRSUFFIX} since net-snmp (and
  possibly other programs) might have trouble linking with it since it's not
  in the LD_LIBRARY_PATH. Thanks to oneforall.
2022-07-26 13:30:29 +02:00
Patrick J Volkerding
7e93037632 Thu Jul 21 18:13:18 UTC 2022
patches/packages/net-snmp-5.9.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause
  an out-of-bounds memory access.
  A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL
  pointer dereference.
  Improper Input Validation when SETing malformed OIDs in master agent and
  subagent simultaneously.
  A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
  can cause an out-of-bounds memory access.
  A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a
  NULL pointer dereference.
  A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer
  dereference.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24805
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24809
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24806
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24807
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24808
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24810
  (* Security fix *)
2022-07-22 13:30:29 +02:00
Patrick J Volkerding
83e918a979 Wed Jul 13 19:56:59 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
  xkb: switch to array index loops to moving pointers.
  xkb: add request length validation for XkbSetGeometry.
  xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
2022-07-14 13:30:35 +02:00
Patrick J Volkerding
86cbc47746 Mon Jul 11 19:22:52 UTC 2022
patches/packages/seamonkey-2.53.13-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.13
  (* Security fix *)
2022-07-12 13:30:28 +02:00
Patrick J Volkerding
5cd37beaa8 Sun Jul 10 18:49:34 UTC 2022
patches/packages/wavpack-5.5.0-x86_64-1_slack15.0.txz:  Upgraded.
  WavPack 5.5.0 contains a fix for CVE-2021-44269 wherein encoding a specially
  crafted DSD file causes an out-of-bounds read exception.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44269
  (* Security fix *)
2022-07-11 13:30:28 +02:00
Patrick J Volkerding
9edcc6c242 Thu Jul 7 23:03:01 UTC 2022
patches/packages/gnupg2-2.2.36-x86_64-1_slack15.0.txz:  Upgraded.
  g10: Fix possibly garbled status messages in NOTATION_DATA.  This bug could
  trick GPGME and other parsers to accept faked status lines.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34903
  (* Security fix *)
extra/php81/php81-8.1.8-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Fileinfo: Fixed bug #81723 (Heap buffer overflow in finfo_buffer).
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31627
  (* Security fix *)
2022-07-08 13:30:29 +02:00
Patrick J Volkerding
4338767300 Tue Jul 5 20:17:00 UTC 2022
patches/packages/openssl-1.1.1q-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Heap memory corruption with RSA private key operation.
  AES OCB fails to encrypt some bytes.
  For more information, see:
    https://www.openssl.org/news/secadv/20220705.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2274
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1q-x86_64-1_slack15.0.txz:  Upgraded.
2022-07-06 13:30:42 +02:00
Patrick J Volkerding
d01c4c7b84 Fri Jul 1 01:23:50 UTC 2022
patches/packages/mozilla-thunderbird-91.11.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.11.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2226
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34484
  (* Security fix *)
2022-07-01 13:30:27 +02:00
Patrick J Volkerding
7a6788c35a Tue Jun 28 19:16:08 UTC 2022
patches/packages/curl-7.84.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Set-Cookie denial of service.
  HTTP compression denial of service.
  Unpreserved file permissions.
  FTP-KRB bad message verification.
  For more information, see:
    https://curl.se/docs/CVE-2022-32205.html
    https://curl.se/docs/CVE-2022-32206.html
    https://curl.se/docs/CVE-2022-32207.html
    https://curl.se/docs/CVE-2022-32208.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32205
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32207
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208
  (* Security fix *)
patches/packages/mozilla-firefox-91.11.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.11.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-25/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34479
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34478
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34484
  (* Security fix *)
2022-06-29 13:30:31 +02:00
Patrick J Volkerding
40bf9bf864 Thu Jun 23 05:30:51 UTC 2022
patches/packages/ca-certificates-20220622-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
patches/packages/openssl-1.1.1p-x86_64-1_slack15.0.txz:  Upgraded.
  In addition to the c_rehash shell command injection identified in
  CVE-2022-1292, further circumstances where the c_rehash script does not
  properly sanitise shell metacharacters to prevent command injection were
  found by code review.
  When the CVE-2022-1292 was fixed it was not discovered that there
  are other places in the script where the file names of certificates
  being hashed were possibly passed to a command executed through the shell.
  For more information, see:
    https://www.openssl.org/news/secadv/20220621.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1p-x86_64-1_slack15.0.txz:  Upgraded.
2022-06-24 01:30:06 +02:00
Patrick J Volkerding
7809bcc762 Mon Jun 13 21:02:58 UTC 2022
patches/packages/php-7.4.30-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  mysqlnd/pdo password buffer overflow.
  Uninitialized array in pg_query_params().
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
  (* Security fix *)
extra/php80/php80-8.0.20-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  mysqlnd/pdo password buffer overflow.
  Uninitialized array in pg_query_params().
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
  (* Security fix *)
extra/php81/php81-8.1.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  mysqlnd/pdo password buffer overflow.
  Uninitialized array in pg_query_params().
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
  (* Security fix *)
2022-06-14 13:30:26 +02:00
Patrick J Volkerding
348dffe043 Wed Jun 8 19:15:34 UTC 2022
patches/packages/httpd-2.4.54-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
  Information Disclosure in mod_lua with websockets.
  mod_sed denial of service.
  Denial of service in mod_lua r:parsebody.
  Read beyond bounds in ap_strcmp_match().
  Read beyond bounds via ap_rwrite().
  Read beyond bounds in mod_isapi.
  mod_proxy_ajp: Possible request smuggling.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.54
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
  (* Security fix *)
2022-06-09 13:30:28 +02:00
Patrick J Volkerding
b9f4e8dc0e Sat Jun 4 18:43:17 UTC 2022
patches/packages/pidgin-2.14.10-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and several security issues.
  For more information, see:
    https://www.pidgin.im/posts/2022-06-2.14.10-released/
  (* Security fix *)
2022-06-05 13:30:26 +02:00
Patrick J Volkerding
a9dc1aa8fa Thu Jun 2 19:42:06 UTC 2022
patches/packages/mozilla-thunderbird-91.10.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.10.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31736
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1834
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31747
  (* Security fix *)
2022-06-03 13:30:29 +02:00
Patrick J Volkerding
f6bd13c472 Wed Jun 1 00:49:45 UTC 2022
patches/packages/mozilla-firefox-91.10.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.10.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-21/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31736
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31747
  (* Security fix *)
2022-06-01 13:30:20 +02:00
Patrick J Volkerding
81f2355530 Thu May 26 18:27:32 UTC 2022
patches/packages/cups-2.4.2-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed certificate strings comparison for Local authorization.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
  (* Security fix *)
2022-05-27 13:30:00 +02:00
Patrick J Volkerding
590bfd3df8 Sat May 21 19:30:02 UTC 2022
patches/packages/mariadb-10.5.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and several security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27376
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27377
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27379
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27380
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27381
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27382
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27383
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27384
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27386
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27444
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27445
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27446
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27449
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27451
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27452
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27456
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27457
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27458
  (* Security fix *)
2022-05-22 13:30:03 +02:00
Patrick J Volkerding
e9f027ce23 Sat May 21 01:35:40 UTC 2022
patches/packages/mozilla-firefox-91.9.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.9.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-19/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1802
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1529
  (* Security fix *)
patches/packages/mozilla-thunderbird-91.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.9.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-19/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1802
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1529
  (* Security fix *)
2022-05-21 13:30:05 +02:00
Patrick J Volkerding
341dffdb1a Thu May 19 23:07:59 UTC 2022
patches/packages/bind-9.16.29-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
testing/packages/bind-9.18.3-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a crash in DNS-over-HTTPS (DoH) code caused by premature TLS stream
  socket object deletion.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1183
  (* Security fix *)
2022-05-20 13:30:01 +02:00
Patrick J Volkerding
96bf53e55d Wed May 11 19:01:59 UTC 2022
patches/packages/curl-7.83.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  HSTS bypass via trailing dot.
  TLS and SSH connection too eager reuse.
  CERTINFO never-ending busy-loop.
  percent-encoded path separator in URL host.
  cookie for trailing dot TLD.
  curl removes wrong file on error.
  For more information, see:
    https://curl.se/docs/CVE-2022-30115.html
    https://curl.se/docs/CVE-2022-27782.html
    https://curl.se/docs/CVE-2022-27781.html
    https://curl.se/docs/CVE-2022-27780.html
    https://curl.se/docs/CVE-2022-27779.html
    https://curl.se/docs/CVE-2022-27778.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27780
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27779
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27778
  (* Security fix *)
2022-05-12 13:29:51 +02:00
Patrick J Volkerding
3c08cf6792 Mon May 9 21:33:25 UTC 2022
patches/packages/linux-5.15.38/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.27:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24958
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0494
    Fixed in 5.15.28:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23038
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23039
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23036
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23041
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23042
    Fixed in 5.15.29:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27666
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0995
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0854
    Fixed in 5.15.32:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1015
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1048
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1016
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28356
    Fixed in 5.15.33:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28390
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0168
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1158
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1353
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1198
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28389
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28388
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1516
    Fixed in 5.15.34:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1263
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29582
    Fixed in 5.15.35:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1204
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1205
    Fixed in 5.15.37:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23222
  (* Security fix *)
2022-05-10 13:30:03 +02:00
Patrick J Volkerding
2971d84285 Wed May 4 21:24:57 UTC 2022
patches/packages/mozilla-thunderbird-91.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.9.0/releasenotes/
  (* Security fix *)
patches/packages/openssl-1.1.1o-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a bug in the c_rehash script which was not properly sanitising shell
  metacharacters to prevent command injection.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1o-x86_64-1_slack15.0.txz:  Upgraded.
patches/packages/seamonkey-2.53.12-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.12
  (* Security fix *)
2022-05-05 13:30:04 +02:00
Patrick J Volkerding
d88c750381 Mon May 2 20:02:49 UTC 2022
patches/packages/libxml2-2.9.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  Fix integer overflow in xmlBuf and xmlBuffer.
  Fix potential double-free in xmlXPtrStringRangeFunction.
  Fix memory leak in xmlFindCharEncodingHandler.
  Normalize XPath strings in-place.
  Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars().
  Fix leak of xmlElementContent.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
  (* Security fix *)
patches/packages/mozilla-firefox-91.9.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.9.0/releasenotes/
patches/packages/samba-4.15.7-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.samba.org/samba/history/samba-4.15.7.html
2022-05-03 13:29:53 +02:00
Patrick J Volkerding
7d2523ede3 Sat Apr 30 21:18:47 UTC 2022
patches/packages/pidgin-2.14.9-x86_64-1_slack15.0.txz:  Upgraded.
  Mitigate the potential for a man in the middle attack via DNS spoofing by
  removing the code that supported the _xmppconnect DNS TXT record.
  For more information, see:
    https://www.pidgin.im/about/security/advisories/cve-2022-26491/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26491
  (* Security fix *)
2022-05-01 13:30:01 +02:00
Patrick J Volkerding
cf5d757506 Wed Apr 27 21:43:51 UTC 2022
patches/packages/curl-7.83.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  OAUTH2 bearer bypass in connection re-use.
  Credential leak on redirect.
  Bad local IPv6 connection reuse.
  Auth/cookie leak on redirect.
  For more information, see:
    https://curl.se/docs/CVE-2022-22576.html
    https://curl.se/docs/CVE-2022-27774.html
    https://curl.se/docs/CVE-2022-27775.html
    https://curl.se/docs/CVE-2022-27776.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
  (* Security fix *)
2022-04-28 13:29:49 +02:00
Patrick J Volkerding
dfafa37940 Mon Apr 25 20:55:17 UTC 2022
patches/packages/freerdp-2.7.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update is a security and maintenance release.
  For more information, see:
    https://github.com/FreeRDP/FreeRDP/blob/2.7.0/ChangeLog
  (* Security fix *)
2022-04-26 13:30:04 +02:00
Patrick J Volkerding
a08f3ec912 Thu Apr 21 19:11:10 UTC 2022
patches/packages/mozilla-thunderbird-91.8.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.8.1/releasenotes/
2022-04-22 13:29:59 +02:00
Patrick J Volkerding
9e2efe650c Thu Apr 14 21:14:21 UTC 2022
patches/packages/git-2.35.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue where a Git worktree created by another
  user might be able to execute arbitrary code.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
  (* Security fix *)
patches/packages/gzip-1.12-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  zgrep applied to a crafted file name with two or more newlines can no
  longer overwrite an arbitrary, attacker-selected file.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
  (* Security fix *)
patches/packages/xz-5.2.5-x86_64-4_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  xzgrep applied to a crafted file name with two or more newlines can no
  longer overwrite an arbitrary, attacker-selected file.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
  (* Security fix *)
2022-04-15 13:29:52 +02:00
Patrick J Volkerding
799fadd352 Wed Apr 13 20:51:01 UTC 2022
patches/packages/ruby-3.0.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Double free in Regexp compilation.
  Buffer overrun in String-to-Float conversion.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28739
  (* Security fix *)
2022-04-14 13:30:03 +02:00
Patrick J Volkerding
c0c70f97c2 Tue Apr 12 21:56:14 UTC 2022
patches/packages/whois-5.5.13-x86_64-1_slack15.0.txz:  Upgraded.
  This update adds the .sd TLD server, updates the list of new gTLDs, and adds
  a Turkish translation.
2022-04-13 13:29:47 +02:00
Patrick J Volkerding
c023bce19a Fri Apr 8 20:03:36 UTC 2022
patches/packages/libarchive-3.6.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix and security release.
  Security fixes:
    7zip reader: fix PPMD read beyond boundary.
    ZIP reader: fix possible out of bounds read.
    ISO reader: fix possible heap buffer overflow in read_children().
    RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in
    libarchive 3.6.0).
    Fix heap use after free in archive_read_format_rar_read_data().
    Fix null dereference in read_data_compressed().
    Fix heap user after free in run_filters().
  (* Security fix *)
2022-04-09 13:29:59 +02:00
Patrick J Volkerding
d9ca4d1a16 Wed Apr 6 20:23:46 UTC 2022
patches/packages/mozilla-thunderbird-91.8.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289
  (* Security fix *)
2022-04-07 13:29:46 +02:00
Patrick J Volkerding
a32f923a16 Tue Apr 5 19:16:30 UTC 2022
patches/packages/mozilla-firefox-91.8.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289
  (* Security fix *)
2022-04-06 13:29:41 +02:00
Patrick J Volkerding
f37bd9fb49 Sun Apr 3 19:57:16 UTC 2022
patches/packages/ca-certificates-20220403-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2022-04-04 13:29:59 +02:00
Patrick J Volkerding
287bf2688a Wed Mar 30 22:37:05 UTC 2022
patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txz:  Upgraded.
  Fixes a use-after-free in utf_ptr2char in vim/vim prior to 8.2.4646.
  This vulnerability is capable of crashing software, bypassing protection
  mechanisms, modifying memory, and possibly execution of arbitrary code.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1154
    https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425
    b55986c52d
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txz:  Upgraded.
2022-03-31 13:29:48 +02:00
Patrick J Volkerding
64d851e17a Mon Mar 28 19:33:46 UTC 2022
patches/packages/whois-5.5.12-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release. Thanks to Nobby6.
patches/packages/zlib-1.2.12-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes memory corruption when deflating (i.e., when compressing)
  if the input has many distant matches. Thanks to marav.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
  (* Security fix *)
2022-03-29 13:29:47 +02:00
Patrick J Volkerding
54997ae6c7 Fri Mar 25 19:18:41 UTC 2022
patches/packages/seamonkey-2.53.11.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.11.1
  (* Security fix *)
2022-03-26 13:30:02 +01:00
Patrick J Volkerding
545dfeeec3 Thu Mar 24 20:59:09 UTC 2022
patches/packages/python3-3.9.12-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://pythoninsider.blogspot.com/2022/03/python-3104-and-3912-are-now-available.html
usb-and-pxe-installers/usbimg2disk.sh:  Upgraded.
  Calculate the space requirement by checking the size of the packages in the
  Slackware directory tree.
2022-03-25 13:29:47 +01:00
Patrick J Volkerding
29c65b6804 Mon Mar 21 20:24:16 UTC 2022
patches/packages/bind-9.16.27-x86_64-1_slack15.0.txz:  Upgraded.
  Sorry folks, I had not meant to bump BIND to the newer branch. I've moved
  the other packages into /testing. Thanks to Nobby6 for pointing this out.
  This update fixes bugs and the following security issues:
  A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer()
  to be called recursively, which in turn left TCP connections hanging in the
  CLOSE_WAIT state blocking indefinitely when out-of-order processing was
  disabled.
  The rules for acceptance of records into the cache have been tightened to
  prevent the possibility of poisoning if forwarders send records outside
  the configured bailiwick.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
  (* Security fix *)
testing/packages/bind-9.18.1-x86_64-1_slack15.0.txz:  Moved.
2022-03-22 13:30:01 +01:00
Patrick J Volkerding
8e056e9406 Sat Mar 19 20:28:16 UTC 2022
patches/packages/glibc-zoneinfo-2022a-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-03-20 13:29:57 +01:00
Patrick J Volkerding
5d5dc01569 Fri Mar 18 20:16:12 UTC 2022
patches/packages/python3-3.9.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  libexpat upgraded from 2.4.1 to 2.4.7
  bundled pip upgraded from 21.2.4 to 22.0.4
  authorization bypass fixed in urllib.request
  REDoS avoided in importlib.metadata
  For more information, see:
    https://pythoninsider.blogspot.com/2022/03/python-3103-3911-3813-and-3713-are-now.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
  (* Security fix *)
2022-03-19 13:29:58 +01:00
Patrick J Volkerding
fcc29dbb40 Thu Mar 17 19:46:28 UTC 2022
patches/packages/bind-9.18.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  An assertion could occur in resume_dslookup() if the fetch had been shut
  down earlier.
  Lookups involving a DNAME could trigger an INSIST when "synth-from-dnssec"
  was enabled.
  A synchronous call to closehandle_cb() caused isc__nm_process_sock_buffer()
  to be called recursively, which in turn left TCP connections hanging in the
  CLOSE_WAIT state blocking indefinitely when out-of-order processing was
  disabled.
  The rules for acceptance of records into the cache have been tightened to
  prevent the possibility of poisoning if forwarders send records outside
  the configured bailiwick.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0667
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0635
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
  (* Security fix *)
patches/packages/bluez-5.64-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release:
  Fix issue with handling A2DP discover procedure.
  Fix issue with media endpoint replies and SetConfiguration.
  Fix issue with HoG queuing events before report map is read.
  Fix issue with HoG and read order of GATT attributes.
  Fix issue with HoG and not using UHID_CREATE2 interface.
  Fix issue with failed scanning for 5 minutes after reboot.
patches/packages/openssl-1.1.1n-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a high severity security issue:
  The BN_mod_sqrt() function, which computes a modular square root, contains
  a bug that can cause it to loop forever for non-prime moduli.
  For more information, see:
    https://www.openssl.org/news/secadv/20220315.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1n-x86_64-1_slack15.0.txz:  Upgraded.
patches/packages/qt5-5.15.3_20220312_33a3f16f-x86_64-1_slack15.0.txz:  Upgraded.
  Thanks to Heinz Wiesinger for updating the fetch_sources.sh script to make
  sure that the QtWebEngine version matches the rest of Qt, which got the
  latest git pull compiling again.
  If a 32-bit userspace is detected, then:
  export QTWEBENGINE_CHROMIUM_FLAGS="--disable-seccomp-filter-sandbox"
  This works around crashes occuring with 32-bit QtWebEngine applications.
  Thanks to alienBOB.
2022-03-18 13:29:58 +01:00
Patrick J Volkerding
44c9fcd877 Tue Mar 15 00:13:59 UTC 2022
patches/packages/httpd-2.4.53-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  mod_sed: Read/write beyond bounds
  core: Possible buffer overflow with very large or unlimited
  LimitXMLRequestBody
  HTTP request smuggling vulnerability
  mod_lua: Use of uninitialized value in r:parsebody
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.53
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719
  (* Security fix *)
patches/packages/mozilla-firefox-91.7.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release makes the following change:
  Yandex and Mail.ru have been removed as optional search providers in the
  drop-down search menu in Firefox.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.7.1/releasenotes/
  (* Security fix *)
2022-03-15 13:30:00 +01:00
Patrick J Volkerding
477bd290fa Sat Mar 12 20:57:35 UTC 2022
patches/packages/polkit-0.120-x86_64-3_slack15.0.txz:  Rebuilt.
  Patched to fix a security issue where an unprivileged user could cause a
  denial of service due to process file descriptor exhaustion.
  Thanks to marav.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4115
  (* Security fix *)
2022-03-13 13:29:55 +01:00
Patrick J Volkerding
9ebdf8edc0 Thu Mar 10 02:30:54 UTC 2022
patches/packages/ca-certificates-20220309-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2022-03-10 13:29:56 +01:00
Patrick J Volkerding
ead45c4c66 Wed Mar 9 04:14:08 UTC 2022
patches/packages/linux-5.15.27/*:  Upgraded.
  These updates fix various bugs and security issues, including the recently
  announced "Dirty Pipe" vulnerability which allows overwriting data in
  arbitrary read-only files (CVE-2022-0847).
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.20:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492
    Fixed in 5.15.23:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0435
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0487
    Fixed in 5.15.24:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25375
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25258
    Fixed in 5.15.25:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
    Fixed in 5.15.26:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25636
  (* Security fix *)
2022-03-09 19:15:03 +01:00
Patrick J Volkerding
013aa123f3 Tue Mar 8 04:39:53 UTC 2022
patches/packages/boost-1.78.0-x86_64-2_slack15.0.txz:  Rebuilt.
  This update has been patched to fix a regression:
  Boost.Build silently skips installation of library headers and binaries in
  some cases.
  Thanks to Willy Sudiarto Raharjo.
2022-03-09 13:29:58 +01:00
Patrick J Volkerding
83d9a46441 Tue Mar 8 00:52:43 UTC 2022
patches/packages/mozilla-firefox-91.7.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.7.0/releasenotes/
  (* Security fix *)
2022-03-08 13:29:55 +01:00
Patrick J Volkerding
3ec92b50f1 Sat Mar 5 19:56:26 UTC 2022
patches/packages/expat-2.4.7-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release:
  Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to
  all valid URI characters (RFC 3986).
patches/packages/mozilla-firefox-91.6.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.6.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-09/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26486
  (* Security fix *)
patches/packages/mozilla-thunderbird-91.6.2-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.6.2/releasenotes/
  (* Security fix *)
2022-03-06 13:29:55 +01:00
Patrick J Volkerding
43560cb6f4 Wed Mar 2 21:39:57 UTC 2022
patches/packages/seamonkey-2.53.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.11
  (* Security fix *)
2022-03-03 13:29:43 +01:00
Patrick J Volkerding
87f850786e Tue Mar 1 05:05:48 UTC 2022
patches/packages/libxml2-2.9.13-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  Use-after-free of ID and IDREF attributes
  (Thanks to Shinji Sato for the report)
  Use-after-free in xmlXIncludeCopyRange (David Kilzer)
  Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
  Fix memory leak in xmlXPathCompNodeTest
  Fix null pointer deref in xmlStringGetNodeList
  Fix several memory leaks found by Coverity (David King)
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308
  (* Security fix *)
patches/packages/libxslt-1.1.35-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  Fix use-after-free in xsltApplyTemplates
  Fix memory leak in xsltDocumentElem (David King)
  Fix memory leak in xsltCompileIdKeyPattern (David King)
  Fix double-free with stylesheets containing entity nodes
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560
  (* Security fix *)
2022-03-02 13:30:01 +01:00
Patrick J Volkerding
a737ba20e2 Fri Feb 25 00:03:28 UTC 2022
patches/packages/cyrus-sasl-2.1.28-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
  (* Security fix *)
2022-02-25 13:29:56 +01:00
Patrick J Volkerding
2858060a50 Mon Feb 21 20:21:38 UTC 2022
patches/packages/expat-2.4.6-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a regression introduced by the fix for CVE-2022-25313 that affects
  applications that (1) call function XML_SetElementDeclHandler and (2) are
  parsing XML that contains nested element declarations:
  (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
patches/packages/flac-1.3.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes overflow issues with encoding and decoding.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561
  (* Security fix *)
patches/packages/mariadb-10.5.15-x86_64-2_slack15.0.txz:  Rebuilt.
  Removed dangling symlink.
2022-02-22 13:29:56 +01:00
Patrick J Volkerding
6d57f3ac47 Sun Feb 20 05:13:20 UTC 2022
patches/packages/expat-2.4.5-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed security issues that could lead to denial of service or potentially
  arbitrary code execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25313
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25314
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
  (* Security fix *)
2022-02-21 13:29:58 +01:00
Patrick J Volkerding
a019271253 Fri Feb 18 05:29:00 UTC 2022
patches/packages/mozilla-thunderbird-91.6.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.6.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-07/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0566
  (* Security fix *)
patches/packages/php-7.4.28-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
extra/php80/php80-8.0.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
extra/php81/php81-8.1.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
2022-02-19 13:30:02 +01:00
Patrick J Volkerding
c9881ad979 Tue Feb 15 20:00:48 UTC 2022
patches/packages/aaa_base-15.0-x86_64-4_slack15.0.txz:  Rebuilt.
  If root's mailbox did not already exist, it would be created with insecure
  permissions leading to possible local information disclosure. This update
  ensures that a new mailbox will be created with proper permissions and
  ownership, and corrects the permissions on an existing mailbox if they are
  found to be incorrect. Thanks to Martin for the bug report.
  (* Security fix *)
patches/packages/util-linux-2.37.4-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes a security issue in chsh(1) and chfn(8):
  By default, these utilities had been linked with libreadline, which allows
  the INPUTRC environment variable to be abused to produce an error message
  containing data from an arbitrary file. So, don't link these utilities with
  libreadline as it does not use secure_getenv() (or a similar concept), or
  sanitize the config file path to avoid vulnerabilities that could occur in
  set-user-ID or set-group-ID programs.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0563
  (* Security fix *)
2022-02-16 13:29:58 +01:00
Patrick J Volkerding
9a5f4fd634 Mon Feb 14 00:10:38 UTC 2022
patches/packages/mariadb-10.5.15-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes potential denial-of-service vulnerabilities.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46665
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46668
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46663
  (* Security fix *)
2022-02-14 13:29:59 +01:00
Patrick J Volkerding
eb19d64569 Thu Feb 10 01:46:55 UTC 2022
patches/packages/at-3.2.3-x86_64-1_slack15.0.txz:  Upgraded.
  Switched to at-3.2.3 since version 3.2.4 has a regression that causes
  queued jobs to not always run on time when atd is run as a standalone
  daemon. Thanks to Cesare.
patches/packages/mozilla-firefox-91.6.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.6.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-05/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22753
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22754
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22756
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22759
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22760
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22761
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22764
  (* Security fix *)
patches/packages/mozilla-thunderbird-91.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird91.6
  (* Security fix *)
2022-02-10 05:00:00 +01:00