l/imagemagick-7.1.1_30-x86_64-1.txz: Upgraded.
l/libarchive-3.7.3-x86_64-1.txz: Upgraded.
This update fixes a security issue:
Fix possible vulnerability in tar error reporting introduced in f27c173
by JiaT75.
For more information, see:
f27c173d17https://github.com/libarchive/libarchive/pull/2101
(* Security fix *)
n/net-snmp-5.9.4-x86_64-3.txz: Rebuilt.
[PATCH] Add Linux 6.7 compatibility parsing /proc/net/snmp.
Thanks to walecha.
n/rsync-3.3.0-x86_64-1.txz: Upgraded.
x/xorg-sgml-doctools-1.12.1-x86_64-1.txz: Upgraded.
xap/gimp-2.10.36-x86_64-3.txz: Rebuilt.
[PATCH] QuitDialog: disconnect signal handler on dialog destroy.
This fixes a crash on quit.
Thanks to USUARIONUEVO.
xap/xlockmore-5.77-x86_64-1.txz: Upgraded.
a/hwdata-0.381-noarch-1.txz: Upgraded.
a/kernel-generic-6.6.25-x86_64-1.txz: Upgraded.
a/kernel-huge-6.6.25-x86_64-1.txz: Upgraded.
a/kernel-modules-6.6.25-x86_64-1.txz: Upgraded.
d/cmake-3.29.1-x86_64-1.txz: Upgraded.
d/kernel-headers-6.6.25-x86-1.txz: Upgraded.
d/llvm-18.1.3-x86_64-1.txz: Upgraded.
k/kernel-source-6.6.25-noarch-1.txz: Upgraded.
kde/kstars-3.7.0-x86_64-1.txz: Upgraded.
l/enchant-2.6.9-x86_64-1.txz: Upgraded.
l/libclc-18.1.3-x86_64-1.txz: Upgraded.
l/sof-firmware-2024.03-noarch-1.txz: Upgraded.
n/gnutls-3.8.5-x86_64-1.txz: Upgraded.
n/httpd-2.4.59-x86_64-1.txz: Upgraded.
This update fixes security issues:
HTTP/2 DoS by memory exhaustion on endless continuation frames.
HTTP Response Splitting in multiple modules.
HTTP response splitting.
For more information, see:
https://downloads.apache.org/httpd/CHANGES_2.4.59https://www.cve.org/CVERecord?id=CVE-2024-27316https://www.cve.org/CVERecord?id=CVE-2024-24795https://www.cve.org/CVERecord?id=CVE-2023-38709
(* Security fix *)
n/nghttp2-1.61.0-x86_64-1.txz: Upgraded.
This update fixes security issues:
nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION
frames even after a stream is reset to keep HPACK context in sync. This
causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates
this vulnerability by limiting the number of CONTINUATION frames it can
accept after a HEADERS frame.
For more information, see:
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57qhttps://www.kb.cert.org/vuls/id/421644https://www.cve.org/CVERecord?id=CVE-2024-28182
(* Security fix *)
x/xdg-desktop-portal-1.18.3-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/btrfs-progs-6.8-x86_64-1.txz: Upgraded.
a/gpm-1.20.7-x86_64-10.txz: Rebuilt.
Clean up the compile fix patch omitting the Emacs Lisp file.
Clean up and apply the weak-wgetch patch.
Build using the option --without-curses.
Thanks to qunying.
a/util-linux-2.40-x86_64-1.txz: Upgraded.
This release fixes a vulnerability where the wall command did not filter
escape sequences from command line arguments, allowing unprivileged users
to put arbitrary text on other users terminals.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-28085
(* Security fix *)
d/rust-1.77.1-x86_64-1.txz: Upgraded.
l/fluidsynth-2.3.5-x86_64-1.txz: Upgraded.
l/protobuf-26.1-x86_64-1.txz: Upgraded.
l/python-build-1.2.1-x86_64-1.txz: Upgraded.
n/samba-4.20.0-x86_64-1.txz: Upgraded.
x/mesa-24.0.4-x86_64-1.txz: Upgraded.
xap/seamonkey-2.53.18.2-x86_64-1.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.seamonkey-project.org/releases/seamonkey2.53.18.2
(* Security fix *)
d/mercurial-6.7.1-x86_64-1.txz: Upgraded.
d/rust-1.77.0-x86_64-1.txz: Upgraded.
l/cairomm1-1.18.0-x86_64-1.txz: Added.
Thanks to jloco.
l/glibmm2-2.78.1-x86_64-1.txz: Added.
Thanks to jloco.
l/gtkmm4-4.12.0-x86_64-1.txz: Added.
Thanks to jloco.
l/libclc-18.1.2-x86_64-1.txz: Upgraded.
l/pangomm-2.46.4-x86_64-1.txz: Upgraded.
l/pangomm2-2.50.2-x86_64-1.txz: Added.
Thanks to jloco.
n/openvpn-2.6.10-x86_64-1.txz: Upgraded.
x/libkkc-0.3.5-x86_64-5.txz: Rebuilt.
Use python for the build, not python2.
x/libkkc-data-0.2.7-x86_64-5.txz: Rebuilt.
Use python for the build, not python2.
x/marisa-0.2.6-x86_64-8.txz: Rebuilt.
Drop python2 support and rebuild marisa module for python3.
x/wayland-protocols-1.34-noarch-1.txz: Upgraded.
a/libblockdev-2.28-x86_64-2.txz: Rebuilt.
Drop python2 support.
a/sysvinit-scripts-15.1-noarch-15.txz: Rebuilt.
rc.M: start rc.iceccd and rc.icecc-scheduler earlier.
a/util-linux-2.39.3-x86_64-2.txz: Rebuilt.
Drop python2 support.
a/volume_key-0.3.12-x86_64-6.txz: Rebuilt.
Drop python2 support.
ap/man-pages-6.7-noarch-1.txz: Upgraded.
d/cmake-3.28.4-x86_64-1.txz: Upgraded.
d/llvm-18.1.2-x86_64-1.txz: Upgraded.
d/python2-2.7.18-x86_64-7.txz: Rebuilt.
Bundle the final python2 versions of pip and setuptools.
Drop the /usr/bin/python symlink.
d/python3-3.9.19-x86_64-1.txz: Upgraded.
Point the /usr/bin/python symlink at python3.9.
PEP 394 says we can do this, and in a world of ambigious shebangs, this
is probably the best of the available options.
This update also fixes security issues:
bundled libexpat was updated to 2.6.0.
zipfile is now protected from the "quoted-overlap" zipbomb.
tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when
working around file system permission errors.
For more information, see:
https://pythoninsider.blogspot.com/2024/03/python-31014-3919-and-3819-is-now.htmlhttps://www.cve.org/CVERecord?id=CVE-2023-52425https://www.cve.org/CVERecord?id=CVE-2024-0450https://www.cve.org/CVERecord?id=CVE-2023-6597
(* Security fix *)
d/strace-6.8-x86_64-1.txz: Upgraded.
kde/kross-interpreters-23.08.5-x86_64-2.txz: Rebuilt.
Drop python2 support.
l/libxml2-2.12.6-x86_64-2.txz: Rebuilt.
Drop python2 support.
l/mozjs115-115.9.0esr-x86_64-2.txz: Rebuilt.
Fixed installed library name. Thanks to reddog83.
Fixed slack-desc. Thanks to r1w1s1.
l/phonon-4.12.0-x86_64-1.txz: Upgraded.
l/pilot-link-0.12.5-x86_64-17.txz: Rebuilt.
Drop python2 support.
l/python2-module-collection-2.7.18-x86_64-6.txz: Removed.
Good bye!
l/python2-pycairo-1.18.2-x86_64-1.txz: Added.
We'll need this (along with pygtk and pygobject) until we get gimp3.
Well, we could build gimp without python support, but I really don't think
that's the route we want to take.
n/bind-9.18.25-x86_64-1.txz: Upgraded.
n/crda-4.15-x86_64-1.txz: Removed.
The kernel is able to load from wireless-regdb directly. Obsolete.
n/getmail-6.18.14-x86_64-1.txz: Upgraded.
n/gpgme-1.23.2-x86_64-2.txz: Rebuilt.
Drop python2 support.
n/obexftp-0.24.2-x86_64-11.txz: Rebuilt.
Drop python2 support.
n/wireless-regdb-2024.01.23-x86_64-1.txz: Added.
Wireless regulatory database, previously bundled with crda.
x/ibus-1.5.29-x86_64-2.txz: Rebuilt.
Drop python2 support.
x/libkkc-0.3.5-x86_64-4.txz: Rebuilt.
Still forcing python2 with this one, but perhaps a python3 marisa module
could work around this.
x/libkkc-data-0.2.7-x86_64-4.txz: Rebuilt.
Still forcing python2 with this one, but perhaps a python3 marisa module
could work around this.
x/xcb-proto-1.16.0-x86_64-2.txz: Rebuilt.
Drop python2 support.
x/xpyb-1.3.1-x86_64-7.txz: Removed.
Nothing uses it, and it was never updated for python3. Removed as obsolete.
d/perl-5.38.2-x86_64-2.txz: Rebuilt.
Added IO-Tty-1.20, needed by mosh.
Upgraded: DBD-mysql-4.051, URI-5.27, XML-Parser-2.47, IO-Socket-SSL-2.085,
and Net-SSLeay-1.94.
kde/cantor-23.08.5-x86_64-3.txz: Rebuilt.
Recompiled against libqalculate-5.0.0.
kde/plasma-workspace-5.27.11-x86_64-2.txz: Rebuilt.
Recompiled against libqalculate-5.0.0.
kde/step-23.08.5-x86_64-2.txz: Rebuilt.
Recompiled against libqalculate-5.0.0.
l/abseil-cpp-20240116.1-x86_64-1.txz: Added.
Needed for protobuf and mosh.
l/libgnt-2.14.3-x86_64-2.txz: Rebuilt.
Build with -Dpython2=false. Thanks to USUARIONUEVO.
l/libqalculate-5.0.0-x86_64-2.txz: Rebuilt.
Shared library .so-version bump.
Thanks to gmgf.
l/protobuf-26.0-x86_64-1.txz: Added.
Needed for mosh.
n/mosh-1.4.0-x86_64-1.txz: Added.
Thanks to unInstance for cueing me in on this one.
n/pinentry-1.3.0-x86_64-1.txz: Upgraded.
x/vulkan-sdk-1.3.275.0-x86_64-2.txz: Rebuilt.
Build glslang with -DENABLE_OPT=Off. Thanks to F0nix.
d/mercurial-6.7-x86_64-1.txz: Upgraded.
kde/digikam-8.3.0-x86_64-1.txz: Upgraded.
l/libxml2-2.12.6-x86_64-1.txz: Upgraded.
n/php-8.3.4-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.php.net/ChangeLog-8.php#8.3.4
n/proftpd-1.3.8b-x86_64-3.txz: Rebuilt.
Added mod_ldap. Thanks to Thom1b.
a/etc-15.1-x86_64-9.txz: Rebuilt.
Added proftpd user (97) and proftpd group (97).
Added nm-openvpn user (320) and nm-openvpn group (320).
Added openvpn user (443) and openvpn group (443).
Added overflowuid user (65534) and overflowgid group (65534).
Thanks to opty for encouraging us to think about nobody.
d/meson-1.4.0-x86_64-1.txz: Upgraded.
d/python-setuptools-69.2.0-x86_64-1.txz: Upgraded.
l/expat-2.6.2-x86_64-1.txz: Upgraded.
Prevent billion laughs attacks with isolated use of external parsers.
For more information, see:
1d50b80cf3https://www.cve.org/CVERecord?id=CVE-2024-28757
(* Security fix *)
l/pipewire-1.0.4-x86_64-1.txz: Upgraded.
l/python-zipp-3.18.0-x86_64-1.txz: Upgraded.
n/openvpn-2.6.9-x86_64-2.txz: Rebuilt.
Run as openvpn:openvpn. Thanks to rkelsen.
n/proftpd-1.3.8b-x86_64-2.txz: Rebuilt.
Run as proftpd:proftpd.
x/libva-2.21.0-x86_64-1.txz: Upgraded.
x/libva-utils-2.21.0-x86_64-1.txz: Upgraded.
xap/NetworkManager-openvpn-1.10.2-x86_64-2.txz: Rebuilt.
Run as nm-openvpn:nm-openvpn. Thanks to Markus Wiesner.
ap/ghostscript-10.03.0-x86_64-1.txz: Upgraded.
This update addresses a security issue:
A vulnerability was identified in the way Ghostscript/GhostPDL called
tesseract for the OCR devices, which could allow arbitrary code execution.
Thanks to J_W for the heads-up.
(* Security fix *)
ap/lxc-4.0.12-x86_64-3.txz: Rebuilt.
lxc-slackware.in: include gnupg2 (not gnupg) for slackpkg.
ap/slackpkg-15.0.10-noarch-3.txz: Rebuilt.
core-functions.sh: use gpg2, not gpg.
d/Cython-3.0.9-x86_64-1.txz: Upgraded.
d/git-2.44.0-x86_64-2.txz: Rebuilt.
Include git-subtree. Thanks to gwhl.
d/llvm-18.1.0-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
kde/kdevelop-23.08.5-x86_64-2.txz: Rebuilt.
Recompiled against llvm-18.1.0.
l/openexr-3.2.3-x86_64-1.txz: Upgraded.
l/python-importlib_metadata-7.0.2-x86_64-1.txz: Upgraded.
l/python-trove-classifiers-2024.3.3-x86_64-1.txz: Upgraded.
l/qt5-5.15.12_20240228_6609503f-x86_64-1.txz: Upgraded.
Compiled against llvm-18.1.0.
l/qt6-6.6.2_20240210_15b7e743-x86_64-3.txz: Rebuilt.
Recompiled against llvm-18.1.0.
l/spirv-llvm-translator-18.1.0-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
n/gnupg2-2.4.5-x86_64-1.txz: Upgraded.
n/libassuan-2.5.7-x86_64-1.txz: Upgraded.
n/postfix-3.9.0-x86_64-1.txz: Upgraded.
x/mesa-24.0.2-x86_64-2.txz: Rebuilt.
Recompiled against llvm-18.1.0 and spirv-llvm-translator-18.1.0.
isolinux/initrd.img: Rebuilt.
Fixed kernel version. Thanks to chrisVV.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Fixed kernel version. Thanks to chrisVV.
d/parallel-20240222-noarch-1.txz: Upgraded.
kde/krita-5.2.2-x86_64-4.txz: Rebuilt.
Recompiled against libunibreak-6.0.
l/accountsservice-23.13.9-x86_64-1.txz: Upgraded.
Thanks to reddog83.
l/libass-0.17.1-x86_64-2.txz: Rebuilt.
Recompiled against libunibreak-6.0.
l/libunibreak-6.0-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
l/orc-0.4.38-x86_64-1.txz: Upgraded.
l/python-requests-2.31.0-x86_64-1.txz: Upgraded.
l/python-urllib3-2.2.1-x86_64-1.txz: Upgraded.
l/qt6-6.6.2_20240210_15b7e743-x86_64-1.txz: Added.
n/wpa_supplicant-2.10-x86_64-3.txz: Rebuilt.
Patched the implementation of PEAP in wpa_supplicant to prevent an
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52160
(* Security fix *)
xap/gparted-1.6.0-x86_64-1.txz: Upgraded.
a/pkgtools-15.1-noarch-10.txz: Rebuilt.
setup.services: typo/syntax error fix. Thanks to gramaxo and pghvlaans.
a/xz-5.6.0-x86_64-1.txz: Upgraded.
ap/man-pages-6.06-noarch-2.txz: Rebuilt.
Restored the previously included posix pages, and added the posix "sh" page
since it's more correct than getting the ksh page for "sh".
Thanks to pghvlaans.
d/git-2.44.0-x86_64-1.txz: Upgraded.
kde/kdnssd-5.115.0-x86_64-2.txz: Rebuilt.
Recompiled to add Zeroconf support. (This one fooled me because it doesn't
actually link to any avahi libraries.)
Thanks to audriusk.
kde/kid3-3.9.5-x86_64-1.txz: Upgraded.
l/libpng-1.6.43-x86_64-1.txz: Upgraded.
l/libunistring-1.2-x86_64-1.txz: Upgraded.
n/libksba-1.6.6-x86_64-1.txz: Upgraded.
n/npth-1.7-x86_64-1.txz: Upgraded.
t/texlive-2023.230322-x86_64-7.txz: Rebuilt.
Use the bundled zlib to make the bundled lua happy. Thanks to sombragris.
a/dcron-4.5-x86_64-17.txz: Rebuilt.
run-parts.8: document skiping *.orig files. Thanks to metaed.
a/etc-15.1-x86_64-6.txz: Rebuilt.
Add support for nss-mdns to /etc/nsswitch.conf.
a/kernel-firmware-20240220_97b693d-noarch-1.txz: Upgraded.
a/kernel-generic-6.6.18-x86_64-1.txz: Upgraded.
a/kernel-huge-6.6.18-x86_64-1.txz: Upgraded.
a/kernel-modules-6.6.18-x86_64-1.txz: Upgraded.
ap/cups-filters-1.28.17-x86_64-5.txz: Rebuilt.
Don't specify --with-browseremoteprotocols=cups in order to get the default
values of cups and dnssd, which should enable discovering shared printers on
the network. We'll refrain from sharing your printer -- you'll need to change
that setting yourself. ;-)
Thanks to TurboBlaze.
ap/hplip-3.23.12-x86_64-2.txz: Rebuilt.
The new --disable-imageProcessor-build option doesn't do squat, so we'll hit
it with the good old patch again.
Thanks to Petri Kaukasoina and Stuart Winter.
d/kernel-headers-6.6.18-x86-1.txz: Upgraded.
k/kernel-source-6.6.18-noarch-1.txz: Upgraded.
l/gvfs-1.52.2-x86_64-2.txz: Rebuilt.
Added -Ddnssd=true option and recompiled against avahi.
l/libsecret-0.21.4-x86_64-1.txz: Upgraded.
n/c-ares-1.27.0-x86_64-1.txz: Upgraded.
n/libgpg-error-1.48-x86_64-1.txz: Upgraded.
n/nss-mdns-0.15.1-x86_64-1.txz: Added.
Needed for .local lookups. Thanks to Lockywolf.
xap/pidgin-2.14.13-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/aaa_libraries-15.1-x86_64-26.txz: Rebuilt.
Upgraded: libacl.so.1.1.2302, libattr.so.1.1.2502, liblzma.so.5.4.6,
libpcre2-8.so.0.12.0, libz.so.1.3.1, libcares.so.2.11.0,
libexpat.so.1.9.0, libffi.so.8.1.4, libglib-2.0.so.0.7800.4,
libgmodule-2.0.so.0.7800.4, libgobject-2.0.so.0.7800.4,
libgthread-2.0.so.0.7800.4, libidn.so.12.6.5, libidn2.so.0.4.0,
libpng16.so.16.41.0, libpsl.so.5.3.5, libtdb.so.1.4.10, libusb-1.0.so.0.4.0.
a/etc-15.1-x86_64-5.txz: Rebuilt.
Added UID 214 and GID 214 for avahi.
a/gettext-0.22.5-x86_64-1.txz: Upgraded.
a/pkgtools-15.1-noarch-9.txz: Rebuilt.
setup.services: support rc.avahidaemon and rc.avahidnsconfd.
a/sysvinit-scripts-15.1-noarch-13.txz: Rebuilt.
rc.M: start (if executable) rc.avahidaemon and rc.avahidnsconfd.
ap/cups-2.4.7-x86_64-2.txz: Rebuilt.
Recompiled against avahi.
ap/cups-filters-1.28.17-x86_64-4.txz: Rebuilt.
Recompiled against avahi.
ap/hplip-3.23.12-x86_64-1.txz: Upgraded.
Compiled against avahi.
ap/xmltoman-0.6-x86_64-1.txz: Added.
This is needed to generate manpages for avahi.
d/distcc-3.4-x86_64-4.txz: Rebuilt.
Recompiled against avahi.
d/gettext-tools-0.22.5-x86_64-1.txz: Upgraded.
l/avahi-20240220_dffd549-x86_64-1.txz: Added.
It was either this, or drop (or fork) hplip. We'll enjoy it in the long run.
Thanks to David Somero for the original build script, and to Robby Workman
for years of maintenance.
Signed-off-by: volkerdi
Acked-by: alienBOB
l/libdaemon-0.14-x86_64-1.txz: Added.
This is needed by avahi.
l/pipewire-1.0.3-x86_64-5.txz: Rebuilt.
Recompiled against avahi.
l/pulseaudio-17.0-x86_64-3.txz: Rebuilt.
Recompiled against avahi.
n/NetworkManager-1.46.0-x86_64-1.txz: Upgraded.
n/netatalk-3.1.18-x86_64-2.txz: Rebuilt.
Recompiled against avahi.
n/samba-4.19.5-x86_64-2.txz: Rebuilt.
Recompiled against avahi.
xap/pidgin-2.14.12-x86_64-3.txz: Rebuilt.
Recompiled against avahi.
xap/sane-1.2.1-x86_64-3.txz: Rebuilt.
Recompiled against avahi.
extra/bash-completion/bash-completion-2.12.0-noarch-1.txz: Upgraded.
ap/mariadb-10.11.7-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://mariadb.com/kb/en/mariadb-10-11-7-release-notes/
l/gjs-1.76.3-x86_64-1.txz: Upgraded.
l/imagemagick-7.1.1_28-x86_64-1.txz: Upgraded.
l/pipewire-1.0.3-x86_64-4.txz: Rebuilt.
Use cmp -s in doinst.sh. Thanks to Thom1b and Windu.
l/wireplumber-0.4.17-x86_64-2.txz: Rebuilt.
Use cmp -s in doinst.sh. Thanks to Thom1b and Windu.
n/dnsmasq-2.89-x86_64-2.txz: Rebuilt.
Added trust-anchors.conf and edited PREFIX in dnsmasq.conf to simplify
setting up DNSSEC. Thanks to marav.
xap/xsnow-3.7.8-x86_64-1.txz: Upgraded.
a/glibc-zoneinfo-2024a-noarch-1.txz: Upgraded.
This package provides the latest timezone updates.
n/ca-certificates-20240203-noarch-1.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
x/ibus-libpinyin-1.15.7-x86_64-1.txz: Upgraded.
x/xdg-utils-1.2.0-noarch-1.txz: Upgraded.
ap/nvme-cli-2.7.1-x86_64-1.txz: Upgraded.
l/libnvme-1.7.1-x86_64-1.txz: Added.
This is required by nvme-cli.
l/pipewire-1.0.2-x86_64-1.txz: Upgraded.
n/curl-8.6.0-x86_64-1.txz: Upgraded.
n/libmilter-8.18.1-x86_64-1.txz: Upgraded.
extra/sendmail/sendmail-8.18.1-x86_64-1.txz: Upgraded.
sendmail through 8.17.2 allows SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass of an SPF
protection mechanism. This occurs because sendmail supports <LF>.<CR><LF>
but some other popular e-mail servers do not. This is resolved in 8.18 and
later versions with 'o' in srv_features.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-51765
(* Security fix *)
extra/sendmail/sendmail-cf-8.18.1-noarch-1.txz: Upgraded.
a/lzip-1.24-x86_64-1.txz: Upgraded.
a/openssl-solibs-3.2.1-x86_64-1.txz: Upgraded.
ap/alsa-utils-1.2.11-x86_64-1.txz: Upgraded.
ap/sqlite-3.45.1-x86_64-1.txz: Upgraded.
d/binutils-2.42-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
d/cmake-3.28.2-x86_64-1.txz: Upgraded.
d/oprofile-1.4.0-x86_64-13.txz: Rebuilt.
Recompiled against binutils-2.42.
d/strace-6.7-x86_64-1.txz: Upgraded.
kde/digikam-8.2.0-x86_64-5.txz: Rebuilt.
Recompiled against libpng-1.6.42.
l/alsa-lib-1.2.11-x86_64-1.txz: Upgraded.
l/libpng-1.6.42-x86_64-1.txz: Upgraded.
Fixed the implementation of the macro function png_check_sig().
This was an API regression, introduced in libpng-1.6.41.
Reported by Matthieu Darbois.
l/lmdb-0.9.32-x86_64-1.txz: Upgraded.
l/neon-0.33.0-x86_64-1.txz: Upgraded.
l/opencv-4.9.0-x86_64-3.txz: Rebuilt.
Recompiled against libpng-1.6.42.
l/qt5-5.15.12_20240103_b8fd1448-x86_64-4.txz: Rebuilt.
Recompiled against libpng-1.6.42.
l/talloc-2.4.2-x86_64-1.txz: Upgraded.
l/tdb-1.4.10-x86_64-1.txz: Upgraded.
l/tevent-0.16.1-x86_64-1.txz: Upgraded.
n/openldap-2.6.7-x86_64-1.txz: Upgraded.
n/openssl-3.2.1-x86_64-1.txz: Upgraded.
This update fixes possible denial-of-service security issues:
A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-0727https://www.cve.org/CVERecord?id=CVE-2023-6237https://www.cve.org/CVERecord?id=CVE-2023-5678
(* Security fix *)
xap/MPlayer-20240130-x86_64-1.txz: Upgraded.
Fixed build script to exit on errors.
Patched to build against gettext-0.22.4.
Thanks to Matteo Bernardini.
xap/xine-lib-1.2.13-x86_64-7.txz: Rebuilt.
Recompiled against libpng-1.6.42.
a/procps-ng-3.3.17-x86_64-3.txz: Rebuilt.
Add /etc/default/sysctl to support custom options for sysctl in rc.S.
Thanks to lostintime.
a/sysvinit-scripts-15.1-noarch-12.txz: Rebuilt.
rc.S: support /etc/default/sysctl for custom options.
Thanks to lostintime.
l/imagemagick-7.1.1_26-x86_64-1.txz: Upgraded.
l/qt5-5.15.12_20240103_b8fd1448-x86_64-1.txz: Upgraded.
n/samba-4.19.4-x86_64-1.txz: Upgraded.
x/imake-1.0.10-x86_64-1.txz: Upgraded.
a/glibc-zoneinfo-2023d-noarch-1.txz: Upgraded.
This package provides the latest timezone updates.
l/libsass-3.6.6-x86_64-1.txz: Upgraded.
n/postfix-3.8.4-x86_64-1.txz: Upgraded.
Security: this release adds support to defend against an email spoofing
attack (SMTP smuggling) on recipients at a Postfix server. Sites
concerned about SMTP smuggling attacks should enable this feature on
Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
For more information, see:
https://www.postfix.org/smtp-smuggling.html
(* Security fix *)
We've gone ahead and moved the 6.6 kernel into the main tree. As previously
mentioned when this branch first appeared in /testing, on the 32-bit side
there are no longer any -smp labeled kernel packages, so if you were using
those previously, you'll need to switch to using to kernel-generic or
kernel-huge kernel, including the changes needed to your bootloader setup to
load this instead of the -smp labeled kernel. Also, if you happen to be using
a first generation Pentium M chip, you will need to append forcepae to your
kernel command-line options. Enjoy! :-)
a/kernel-firmware-20231211_f2e52a1-noarch-1.txz: Upgraded.
a/kernel-generic-6.6.6-x86_64-1.txz: Upgraded.
a/kernel-huge-6.6.6-x86_64-1.txz: Upgraded.
a/kernel-modules-6.6.6-x86_64-1.txz: Upgraded.
ap/qpdf-11.6.4-x86_64-1.txz: Upgraded.
d/kernel-headers-6.6.6-x86-1.txz: Upgraded.
k/kernel-source-6.6.6-noarch-1.txz: Upgraded.
l/imagemagick-7.1.1_23-x86_64-1.txz: Upgraded.
l/libsecret-0.21.2-x86_64-1.txz: Upgraded.
Thanks to reddog83 and saxa.
l/zxing-cpp-2.2.1-x86_64-1.txz: Upgraded.
n/postfix-3.8.3-x86_64-2.txz: Rebuilt.
OpenSSL upstream says that major versions are ABI/API compatible, so stop
warning in the logs that they might not be.
Thanks to gildbg and Markus Wiesner.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/aaa_libraries-15.1-x86_64-23.txz: Rebuilt.
Upgraded: libelf-0.190.so, libcares.so.2.9.0, libglib-2.0.so.0.7800.2,
libgmodule-2.0.so.0.7800.2, libgobject-2.0.so.0.7800.2,
libgthread-2.0.so.0.7800.2.
Added: libtiff.so.6.0.2, libtiffxx.so.6.0.2.
a/util-linux-2.39.3-x86_64-1.txz: Upgraded.
ap/cups-filters-1.28.17-x86_64-3.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
ap/ghostscript-10.02.1-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
ap/rpm-4.19.0-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
e/emacs-29.1-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
kde/bluedevil-5.27.10-x86_64-1.txz: Upgraded.
kde/breeze-5.27.10-x86_64-1.txz: Upgraded.
kde/breeze-grub-5.27.10-x86_64-1.txz: Upgraded.
kde/breeze-gtk-5.27.10-x86_64-1.txz: Upgraded.
kde/digikam-8.2.0-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
kde/drkonqi-5.27.10-x86_64-1.txz: Upgraded.
kde/gwenview-23.08.3-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
kde/kactivitymanagerd-5.27.10-x86_64-1.txz: Upgraded.
kde/kde-cli-tools-5.27.10-x86_64-1.txz: Upgraded.
kde/kde-gtk-config-5.27.10-x86_64-1.txz: Upgraded.
kde/kdecoration-5.27.10-x86_64-1.txz: Upgraded.
kde/kdeplasma-addons-5.27.10-x86_64-1.txz: Upgraded.
kde/kgamma5-5.27.10-x86_64-1.txz: Upgraded.
kde/khotkeys-5.27.10-x86_64-1.txz: Upgraded.
kde/kinfocenter-5.27.10-x86_64-1.txz: Upgraded.
kde/kmenuedit-5.27.10-x86_64-1.txz: Upgraded.
kde/kpipewire-5.27.10-x86_64-1.txz: Upgraded.
kde/krita-5.2.1-x86_64-3.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
kde/kscreen-5.27.10-x86_64-1.txz: Upgraded.
kde/kscreenlocker-5.27.10-x86_64-1.txz: Upgraded.
kde/ksshaskpass-5.27.10-x86_64-1.txz: Upgraded.
kde/ksystemstats-5.27.10-x86_64-1.txz: Upgraded.
kde/kwallet-pam-5.27.10-x86_64-1.txz: Upgraded.
kde/kwayland-integration-5.27.10-x86_64-1.txz: Upgraded.
kde/kwin-5.27.10-x86_64-1.txz: Upgraded.
kde/kwrited-5.27.10-x86_64-1.txz: Upgraded.
kde/layer-shell-qt-5.27.10-x86_64-1.txz: Upgraded.
kde/libkscreen-5.27.10-x86_64-1.txz: Upgraded.
kde/libksysguard-5.27.10-x86_64-1.txz: Upgraded.
kde/milou-5.27.10-x86_64-1.txz: Upgraded.
kde/okular-23.08.3-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
kde/oxygen-5.27.10-x86_64-1.txz: Upgraded.
kde/oxygen-sounds-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-browser-integration-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-desktop-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-disks-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-firewall-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-integration-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-nm-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-pa-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-sdk-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-systemmonitor-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-vault-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-workspace-5.27.10-x86_64-1.txz: Upgraded.
kde/plasma-workspace-wallpapers-5.27.10-noarch-1.txz: Upgraded.
kde/polkit-kde-agent-1-5.27.10-x86_64-1.txz: Upgraded.
kde/powerdevil-5.27.10-x86_64-1.txz: Upgraded.
kde/qqc2-breeze-style-5.27.10-x86_64-1.txz: Upgraded.
kde/sddm-kcm-5.27.10-x86_64-1.txz: Upgraded.
kde/systemsettings-5.27.10-x86_64-1.txz: Upgraded.
kde/xdg-desktop-portal-kde-5.27.10-x86_64-1.txz: Upgraded.
l/SDL2_image-2.6.3-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/djvulibre-3.5.28-x86_64-4.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/gd-2.3.3-x86_64-3.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/gdk-pixbuf2-2.42.10-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/gegl-0.4.46-x86_64-3.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/glib2-2.78.2-x86_64-1.txz: Upgraded.
l/gtk4-4.12.4-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/imagemagick-7.1.1_22-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/lcms-1.19-x86_64-7.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/lcms2-2.16-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/libtiff-4.6.0-x86_64-1.txz: Upgraded.
Probably best to get this one out of the way...
From the release announcement:
Pay attention to the following warning:
This version removes a big number of utilities that have suffered from lack
of maintenance over the years and were the source of various reported
security issues. See "Removed functionality" below for the list of removed
utilities. Starting with libtiff v4.6.0, their source code, at this time,
will still be available in the source distribution, but they will no longer
be built by default, and issues related to them will no longer be accepted
in the libtiff bug tracker. The only remaining supported TIFF tools are
tiffinfo, tiffdump, tiffcp, tiffset and tiffsplit.
Shared library .so-version bump.
l/libwebp-1.3.2-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/netpbm-11.04.04-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/opencv-4.8.1-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/poppler-23.12.0-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/python-pillow-8.4.0-x86_64-3.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/qt5-5.15.11_20231125_4765fa1d-x86_64-1.txz: Upgraded.
Compiled against libtiff-4.6.0.
l/sdl-1.2.15-x86_64-15.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
n/links-2.29-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
t/xfig-3.2.9-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/geeqie-2.1-x86_64-4.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/gimp-2.10.36-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/sane-1.2.1-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/windowmaker-0.96.0-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/xpaint-3.1.4-x86_64-2.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
xap/xsane-0.999-x86_64-6.txz: Rebuilt.
Recompiled against libtiff-4.6.0.
l/libqalculate-4.9.0-x86_64-1.txz: Upgraded.
l/mozilla-nss-3.95-x86_64-1.txz: Upgraded.
l/v4l-utils-1.26.0-x86_64-2.txz: Rebuilt.
Do not overwrite gconv-modules from glibc - instead, install it to
gconv-modules.d/v4l-utils.conf.
If your /usr/lib{,64}/gconv/gconv-modules was overwritten causing character
conversion errors, reinstall the glibc package to fix this.
Thanks to glennmcc.
n/php-8.3.0-x86_64-1.txz: Upgraded.
n/samba-4.19.3-x86_64-1.txz: Upgraded.
This is a security release in order to address the following defect:
An information leak vulnerability was discovered in Samba's LDAP server.
Due to missing access control checks, an authenticated but unprivileged
attacker could discover the names and preserved attributes of deleted objects
in the LDAP store. Upgrading to this package will not prevent this
information leak - if you are using Samba as an Active Directory Domain
Controller, you will need to follow the instructions in the samba.org link
given below.
For more information, see:
https://www.samba.org/samba/security/CVE-2018-14628.htmlhttps://www.cve.org/CVERecord?id=CVE-2018-14628
(* Security fix *)
x/libwacom-2.9.0-x86_64-1.txz: Upgraded.
a/lvm2-2.03.23-x86_64-1.txz: Upgraded.
l/nodejs-20.10.0-x86_64-1.txz: Upgraded.
n/php-8.2.13-x86_64-1.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.php.net/ChangeLog-8.php#8.2.13
We have fresh 6.6 kernels in /testing! You may notice that on the 32-bit side
we have done away with the -smp labeled kernel packages, but it's actually the
other kernels that were retired -- the non-SMP, non-PAE ones. If you were
previously using kernel-generic-smp or kernel-huge-smp, you'll need to make
some adjustments to your bootloader setup to load kernel-generic or kernel-huge
instead. About the only non-obsolete CPUs that may have an issue with this are
the first generation Pentium M chips, which supported PAE but unfortunately did
not advertise this in the CPU flags. But these will support PAE if the kernel
option "forcepae" is appended at boot time. Enjoy! :-)
a/gettext-0.22.4-x86_64-1.txz: Upgraded.
a/kbd-2.6.3-x86_64-3.txz: Rebuilt.
Installed extra console fonts.
a/kernel-firmware-20231120_9552083-noarch-1.txz: Upgraded.
a/kernel-generic-6.1.63-x86_64-1.txz: Upgraded.
a/kernel-huge-6.1.63-x86_64-1.txz: Upgraded.
a/kernel-modules-6.1.63-x86_64-1.txz: Upgraded.
a/mkinitrd-1.4.11-x86_64-34.txz: Rebuilt.
Fix tests for including jfs/xfs repair tools. Thanks to regdub.
a/pkgtools-15.1-noarch-8.txz: Rebuilt.
Make vim the default vi choice.
ap/vim-9.0.2116-x86_64-1.txz: Upgraded.
d/gettext-tools-0.22.4-x86_64-1.txz: Upgraded.
d/git-2.43.0-x86_64-1.txz: Upgraded.
d/kernel-headers-6.1.63-x86-1.txz: Upgraded.
d/mercurial-6.6-x86_64-1.txz: Upgraded.
d/meson-1.3.0-x86_64-1.txz: Upgraded.
d/scons-4.6.0-x86_64-1.txz: Upgraded.
k/kernel-source-6.1.63-noarch-1.txz: Upgraded.
l/readline-8.2.007-x86_64-1.txz: Upgraded.
n/c-ares-1.22.1-x86_64-1.txz: Upgraded.
n/nfs-utils-2.6.4-x86_64-1.txz: Upgraded.
x/libdrm-2.4.118-x86_64-1.txz: Upgraded.
xap/mozilla-firefox-115.5.0esr-x86_64-1.txz: Upgraded.
This update contains security fixes and improvements.
Thanks to zuriel for the taskbar icon fix on Wayland. :-)
For more information, see:
https://www.mozilla.org/en-US/firefox/115.5.0/releasenotes/https://www.mozilla.org/security/advisories/mfsa2023-50/https://www.cve.org/CVERecord?id=CVE-2023-6204https://www.cve.org/CVERecord?id=CVE-2023-6205https://www.cve.org/CVERecord?id=CVE-2023-6206https://www.cve.org/CVERecord?id=CVE-2023-6207https://www.cve.org/CVERecord?id=CVE-2023-6208https://www.cve.org/CVERecord?id=CVE-2023-6209https://www.cve.org/CVERecord?id=CVE-2023-6212
(* Security fix *)
xap/vim-gvim-9.0.2116-x86_64-1.txz: Upgraded.
xap/xsnow-3.7.6-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
testing/packages/kernel-generic-6.6.2-x86_64-1.txz: Added.
testing/packages/kernel-headers-6.6.2-x86-1.txz: Added.
testing/packages/kernel-huge-6.6.2-x86_64-1.txz: Added.
testing/packages/kernel-modules-6.6.2-x86_64-1.txz: Added.
testing/packages/kernel-source-6.6.2-noarch-1.txz: Added.
usb-and-pxe-installers/usbboot.img: Rebuilt.
a/kernel-firmware-20231117_7124ce3-noarch-1.txz: Upgraded.
d/cargo-vendor-filterer-0.5.12-x86_64-1.txz: Upgraded.
kde/wcslib-8.2.1-x86_64-1.txz: Upgraded.
l/gtk4-4.12.4-x86_64-1.txz: Upgraded.
n/ca-certificates-20231117-noarch-1.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
n/openvpn-2.6.8-x86_64-1.txz: Upgraded.
n/socat-1.8.0.0-x86_64-1.txz: Upgraded.
x/ibus-1.5.29-x86_64-1.txz: Upgraded.
a/pam-1.5.3-x86_64-2.txz: Rebuilt.
Relocated pkgconfig files.
a/userspace-rcu-0.14.0-x86_64-2.txz: Rebuilt.
Relocated pkgconfig files.
ap/mariadb-10.11.6-x86_64-1.txz: Upgraded.
This update fixes bugs and a security issue:
Vulnerability allows high privileged attacker with network access via
multiple protocols to compromise the server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22084
(* Security fix *)
d/llvm-17.0.5-x86_64-1.txz: Upgraded.
kde/plasma-wayland-protocols-1.11.1-x86_64-1.txz: Upgraded.
n/nfs-utils-2.6.3-x86_64-3.txz: Rebuilt.
Only move the udev rule to /lib, don't grab libraries or pkgconfig files
from under /usr.
