Commit graph

533 commits

Author SHA1 Message Date
Patrick J Volkerding
9615afc308 Thu Sep 21 19:32:42 UTC 2023
patches/packages/bind-9.16.44-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Limit the amount of recursion that can be performed by isccc_cc_fromwire.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-3341
    https://www.cve.org/CVERecord?id=CVE-2023-3341
  (* Security fix *)
patches/packages/cups-2.4.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Fixed Heap-based buffer overflow when reading Postscript in PPD files.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-4504
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.2.3-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.3/releasenotes/
patches/packages/seamonkey-2.53.17.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.17.1
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)
testing/packages/bind-9.18.19-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Limit the amount of recursion that can be performed by isccc_cc_fromwire.
  Fix use-after-free error in TLS DNS code when sending data.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-3341
    https://www.cve.org/CVERecord?id=CVE-2023-3341
    https://kb.isc.org/docs/cve-2023-4236
    https://www.cve.org/CVERecord?id=CVE-2023-4236
  (* Security fix *)
2023-09-22 13:30:41 +02:00
Patrick J Volkerding
79e6c8efb8 Fri Aug 4 20:17:36 UTC 2023
extra/php81/php81-8.1.22-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity
  loading in XML without enabling it).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-3823
  (* Security fix *)
extra/rust-for-mozilla/rust-1.70.0-x86_64-1_slack15.0.txz:  Upgraded.
  Upgraded the Rust compiler for Firefox 115.1.0 ESR and Thunderbird 115.1.0.
pasture/samba-4.15.13-x86_64-1_slack15.0.txz:  Added.
  We'll hang onto this just in case.
patches/packages/mozilla-firefox-115.1.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.1.0esr/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
    https://www.cve.org/CVERecord?id=CVE-2023-4045
    https://www.cve.org/CVERecord?id=CVE-2023-4046
    https://www.cve.org/CVERecord?id=CVE-2023-4047
    https://www.cve.org/CVERecord?id=CVE-2023-4048
    https://www.cve.org/CVERecord?id=CVE-2023-4049
    https://www.cve.org/CVERecord?id=CVE-2023-4050
    https://www.cve.org/CVERecord?id=CVE-2023-4052
    https://www.cve.org/CVERecord?id=CVE-2023-4054
    https://www.cve.org/CVERecord?id=CVE-2023-4055
    https://www.cve.org/CVERecord?id=CVE-2023-4056
    https://www.cve.org/CVERecord?id=CVE-2023-4057
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.1.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.1.0/releasenotes/
patches/packages/samba-4.18.5-x86_64-1_slack15.0.txz:  Upgraded.
  PLEASE NOTE: We are taking the unusual step of moving to the latest Samba
  branch because Windows has made changes that break Samba 4.15.x. The last
  4.15.x will be retained in /pasture as a fallback. There may be some
  required configuration changes with this, but we've kept using MIT Kerberos
  to try to have the behavior change as little as possible. Upgrade carefully.
  This update fixes security issues:
  When winbind is used for NTLM authentication, a maliciously crafted request
  can trigger an out-of-bounds read in winbind and possibly crash it.
  SMB2 packet signing is not enforced if an admin configured
  "server signing = required" or for SMB2 connections to Domain Controllers
  where SMB2 packet signing is mandatory.
  An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be
  triggered by an unauthenticated attacker by issuing a malformed RPC request.
  Missing type validation in Samba's mdssvc RPC service for Spotlight can be
  used by an unauthenticated attacker to trigger a process crash in a shared
  RPC mdssvc worker process.
  As part of the Spotlight protocol Samba discloses the server-side absolute
  path of shares and files and directories in search results.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-2127.html
    https://www.samba.org/samba/security/CVE-2023-3347.html
    https://www.samba.org/samba/security/CVE-2023-34966.html
    https://www.samba.org/samba/security/CVE-2023-34967.html
    https://www.samba.org/samba/security/CVE-2023-34968.html
    https://www.cve.org/CVERecord?id=CVE-2022-2127
    https://www.cve.org/CVERecord?id=CVE-2023-3347
    https://www.cve.org/CVERecord?id=CVE-2023-34966
    https://www.cve.org/CVERecord?id=CVE-2023-34967
    https://www.cve.org/CVERecord?id=CVE-2023-34968
  (* Security fix *)
2023-08-05 13:30:38 +02:00
Patrick J Volkerding
b64d3ecbf3 Mon Jul 31 21:52:46 UTC 2023
patches/packages/mozilla-thunderbird-102.13.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.13.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
    https://www.cve.org/CVERecord?id=CVE-2023-3417
  (* Security fix *)
patches/packages/seamonkey-2.53.17-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.17
  (* Security fix *)
2023-08-01 13:30:32 +02:00
Patrick J Volkerding
57f9e5505b Mon Jun 26 19:44:44 UTC 2023
patches/packages/network-scripts-15.0-noarch-19_slack15.0.txz:  Rebuilt.
  This update fixes a bug and adds a new feature:
  Re-add support for the DHCP_IPADDR parameter from rc.inet1.conf.
  Expand the help text for DHCP_IPADDR in rc.inet1.conf.
  Add support for a DHCP_OPTS parameter.
  Thanks to ljb643 and Darren 'Tadgy' Austin.
patches/packages/vim-9.0.1667-x86_64-1_slack15.0.txz:  Upgraded.
  This fixes a rare divide-by-zero bug that could cause vim to crash. In an
  interactive program such as vim, I can't really see this qualifying as a
  security issue, but since it was brought up as such on LQ we'll just go
  along with it this time. :)
  Thanks to marav for the heads-up.
  (* Security fix *)
patches/packages/vim-gvim-9.0.1667-x86_64-1_slack15.0.txz:  Upgraded.
2023-06-27 13:30:30 +02:00
Patrick J Volkerding
da0323f6eb Wed Jun 7 21:12:41 UTC 2023
patches/packages/cups-2.4.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update is a hotfix for a segfault in cupsGetNamedDest(), when caller
  tries to find the default destination and the default destination is not set
  on the machine.
patches/packages/ksh93-1.0.5_20230607_9b251344-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix and robustness enhancement release.
  Thanks to McDutchie for the great work!
  Thanks to pghvlaans for improvements to the build script.
2023-06-08 13:30:33 +02:00
Patrick J Volkerding
d839987e86 Sun Jun 4 19:16:13 UTC 2023
extra/sendmail/sendmail-8.17.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
extra/sendmail/sendmail-cf-8.17.2-noarch-1_slack15.0.txz:  Upgraded.
patches/packages/libmilter-8.17.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-06-05 13:39:22 +02:00
Patrick J Volkerding
3f544e903a Fri Jun 2 20:56:35 UTC 2023
patches/packages/cups-2.4.3-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
  cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
  attacker to launch a denial of service (DoS) attack, or possibly execute
  arbirary code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-32324
  (* Security fix *)
patches/packages/ntp-4.2.8p16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-26551
    https://www.cve.org/CVERecord?id=CVE-2023-26552
    https://www.cve.org/CVERecord?id=CVE-2023-26553
    https://www.cve.org/CVERecord?id=CVE-2023-26554
    https://www.cve.org/CVERecord?id=CVE-2023-26555
  (* Security fix *)
2023-06-03 13:30:32 +02:00
Patrick J Volkerding
73b668742a Thu May 25 00:24:33 UTC 2023
patches/packages/curl-8.1.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/texlive-2023.230322-x86_64-1_slack15.0.txz:  Upgraded.
  This update patches a security issue:
  LuaTeX before 1.17.0 allows execution of arbitrary shell commands when
  compiling a TeX file obtained from an untrusted source. This occurs
  because luatex-core.lua lets the original io.popen be accessed. This also
  affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
  Thanks to Johannes Schoepfer.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-32700
  (* Security fix *)
2023-05-25 13:30:31 +02:00
Patrick J Volkerding
837ec54cfe Fri May 19 18:59:24 UTC 2023
patches/packages/cups-filters-1.28.17-x86_64-1_slack15.0.txz:  Upgraded.
  [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x.
  With execv() command line arguments are passed as separate strings and
  not the full command line in a single string. This prevents arbitrary
  command execution by escaping the quoting of the arguments in a job
  with forged job title.
  Thanks to marav.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-24805
  (* Security fix *)
2023-05-20 13:39:15 +02:00
Patrick J Volkerding
3ec3cf58c9 Wed Apr 5 18:31:03 UTC 2023
patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release. The primary focus is to correct a rare corruption
  bug in high compression mode. While the probability might be very small,
  corruption issues are nonetheless very serious, so an update to this version
  is highly recommended, especially if you employ high compression modes
  (levels 16+).
2023-04-06 13:39:05 +02:00
Patrick J Volkerding
b4079a7f22 Sun Apr 2 18:33:01 UTC 2023
patches/packages/irssi-1.4.4-x86_64-1_slack15.0.txz:  Upgraded.
  Do not crash Irssi when one line is printed as the result of another line
  being printed.
  Also solve a memory leak while printing unformatted lines.
  (* Security fix *)
2023-04-03 13:30:33 +02:00
Patrick J Volkerding
39f697baee Fri Mar 31 18:01:09 UTC 2023
patches/packages/ruby-3.0.6-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  ReDoS vulnerability in URI.
  ReDoS vulnerability in Time.
  For more information, see:
    https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
    https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
    https://www.cve.org/CVERecord?id=CVE-2023-28755
    https://www.cve.org/CVERecord?id=CVE-2023-28756
  (* Security fix *)
patches/packages/seamonkey-2.53.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.16
  (* Security fix *)
2023-04-01 13:30:36 +02:00
Patrick J Volkerding
5b606a9169 Wed Mar 29 20:56:21 UTC 2023
patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.9.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
    https://www.cve.org/CVERecord?id=CVE-2023-28427
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)
2023-03-30 13:30:41 +02:00
Patrick J Volkerding
694953a024 Fri Mar 24 19:42:46 UTC 2023
patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/tar-1.34-x86_64-2_slack15.0.txz:  Rebuilt.
  GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
  of uninitialized memory for a conditional jump. Exploitation to change the
  flow of control has not been demonstrated. The issue occurs in from_header
  in list.c via a V7 archive in which mtime has approximately 11 whitespace
  characters.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-48303
  (* Security fix *)
2023-03-25 13:30:35 +01:00
Patrick J Volkerding
78c0119973 Mon Mar 6 02:21:57 UTC 2023
patches/packages/xscreensaver-6.06-x86_64-1_slack15.0.txz:  Upgraded.
  Here's an upgrade to the latest xscreensaver.
2023-03-06 13:30:35 +01:00
Patrick J Volkerding
ad9ea8bf78 Wed Feb 15 03:05:40 UTC 2023
extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
patches/packages/hwdata-0.367-noarch-1_slack15.0.txz:  Upgraded.
  Upgraded to get information for newer hardware.
  Requested by kingbeowulf on LQ.
patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
    https://www.cve.org/CVERecord?id=CVE-2023-25728
    https://www.cve.org/CVERecord?id=CVE-2023-25730
    https://www.cve.org/CVERecord?id=CVE-2023-25743
    https://www.cve.org/CVERecord?id=CVE-2023-0767
    https://www.cve.org/CVERecord?id=CVE-2023-25735
    https://www.cve.org/CVERecord?id=CVE-2023-25737
    https://www.cve.org/CVERecord?id=CVE-2023-25738
    https://www.cve.org/CVERecord?id=CVE-2023-25739
    https://www.cve.org/CVERecord?id=CVE-2023-25729
    https://www.cve.org/CVERecord?id=CVE-2023-25732
    https://www.cve.org/CVERecord?id=CVE-2023-25734
    https://www.cve.org/CVERecord?id=CVE-2023-25742
    https://www.cve.org/CVERecord?id=CVE-2023-25746
  (* Security fix *)
patches/packages/php-7.4.33-x86_64-3_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Core: Password_verify() always return true with some hash.
  Core: 1-byte array overrun in common path resolve code.
  SAPI: DOS vulnerability when parsing multipart request body.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0567
    https://www.cve.org/CVERecord?id=CVE-2023-0568
    https://www.cve.org/CVERecord?id=CVE-2023-0662
  (* Security fix *)
2023-02-16 01:30:36 +01:00
Patrick J Volkerding
4b5e1863bb Tue Feb 7 20:48:57 UTC 2023
patches/packages/openssl-1.1.1t-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  X.400 address type confusion in X.509 GeneralName.
  Timing Oracle in RSA Decryption.
  Use-after-free following BIO_new_NDEF.
  Double free after calling PEM_read_bio_ex.
  For more information, see:
    https://www.openssl.org/news/secadv/20230207.txt
    https://www.cve.org/CVERecord?id=CVE-2023-0286
    https://www.cve.org/CVERecord?id=CVE-2022-4304
    https://www.cve.org/CVERecord?id=CVE-2023-0215
    https://www.cve.org/CVERecord?id=CVE-2022-4450
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1t-x86_64-1_slack15.0.txz:  Upgraded.
patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
  [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
  Also merged another patch to prevent crashes when using a compositor with
  the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0494
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txz:  Rebuilt.
  [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
  Also merged another patch to prevent crashes when using a compositor with
  the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-0494
  (* Security fix *)
2023-02-08 13:30:32 +01:00
Patrick J Volkerding
ad40d2a62a Thu Feb 2 22:52:48 UTC 2023
patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains fixes for two security problems and a memory safety
  problem. The memory safety problem is not believed to be exploitable, but
  upstream reports most network-reachable memory faults as security bugs.
  This update contains some potentially incompatible changes regarding the
  scp utility. For more information, see:
    https://www.openssh.com/releasenotes.html#9.0
  For more information, see:
    https://www.openssh.com/releasenotes.html#9.2
  (* Security fix *)
2023-02-03 13:30:32 +01:00
Patrick J Volkerding
7793836a6d Fri Jan 13 20:29:55 UTC 2023
patches/packages/netatalk-3.1.14-x86_64-1_slack15.0.txz:  Upgraded.
  Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow
  resulting in code execution via a crafted .appl file.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45188
  (* Security fix *)
2023-01-14 13:30:29 +01:00
Patrick J Volkerding
585883b9b5 Sat Jan 7 01:50:00 UTC 2023
extra/php80/php80-8.0.27-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
extra/php81/php81-8.1.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
patches/packages/mozilla-nss-3.87-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures.
  For more information, see:
    https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
    https://www.cve.org/CVERecord?id=CVE-2021-43527
  (* Security fix *)
patches/packages/php-7.4.33-x86_64-2_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  PDO::quote() may return unquoted string.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-31631
  (* Security fix *)
2023-01-07 13:30:29 +01:00
Patrick J Volkerding
e054e8d54f Wed Jan 4 02:18:08 UTC 2023
patches/packages/libtiff-4.4.0-x86_64-1_slack15.0.txz:  Upgraded.
  Patched various security bugs.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-2056
    https://www.cve.org/CVERecord?id=CVE-2022-2057
    https://www.cve.org/CVERecord?id=CVE-2022-2058
    https://www.cve.org/CVERecord?id=CVE-2022-3970
    https://www.cve.org/CVERecord?id=CVE-2022-34526
  (* Security fix *)
patches/packages/rxvt-unicode-9.26-x86_64-3_slack15.0.txz:  Rebuilt.
  When the "background" extension was loaded, an attacker able to control the
  data written to the terminal would be able to execute arbitrary code as the
  terminal's user. Thanks to David Leadbeater and Ben Collver.
  For more information, see:
    https://www.openwall.com/lists/oss-security/2022/12/05/1
    https://www.cve.org/CVERecord?id=CVE-2022-4170
  (* Security fix *)
patches/packages/whois-5.5.15-x86_64-1_slack15.0.txz:  Upgraded.
  Updated the .bd, .nz and .tv TLD servers.
  Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
  Updated the .ac.uk and .gov.uk SLD servers.
  Recursion has been enabled for whois.nic.tv.
  Updated the list of new gTLDs with four generic TLDs assigned in October 2013
  which were missing due to a bug.
  Removed 4 new gTLDs which are no longer active.
  Added the Georgian translation, contributed by Temuri Doghonadze.
  Updated the Finnish translation, contributed by Lauri Nurmi.
2023-01-04 13:30:28 +01:00
Patrick J Volkerding
a5dc0f82be Tue Dec 20 20:40:18 UTC 2022
patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz:  Upgraded.
  Fix another integer overflow in the CRL's signature parser.
  (* Security fix *)
patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz:  Rebuilt.
  This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
  By crafting a malicious .BMP file, an attacker can cause the application
  using this library to crash, denial of service, or code execution.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-33657
  (* Security fix *)
2022-12-21 13:30:32 +01:00
Patrick J Volkerding
15705ea3bc Mon Dec 19 21:18:22 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
  This release fixes an invalid event type mask in XTestSwapFakeInput which
  was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
  for CVE-2022-46340.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-5_slack15.0.txz:  Rebuilt.
  This release fixes an invalid event type mask in XTestSwapFakeInput which
  was inadvertently changed from octal 0177 to hexadecimal 0x177 in the fix
  for CVE-2022-46340.
2022-12-20 13:30:29 +01:00
Patrick J Volkerding
b5eac9957b Wed Dec 14 21:19:34 UTC 2022
patches/packages/mozilla-firefox-102.6.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.6.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
    https://www.cve.org/CVERecord?id=CVE-2022-46880
    https://www.cve.org/CVERecord?id=CVE-2022-46872
    https://www.cve.org/CVERecord?id=CVE-2022-46881
    https://www.cve.org/CVERecord?id=CVE-2022-46874
    https://www.cve.org/CVERecord?id=CVE-2022-46875
    https://www.cve.org/CVERecord?id=CVE-2022-46882
    https://www.cve.org/CVERecord?id=CVE-2022-46878
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-5_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-4_slack15.0.txz:  Rebuilt.
  This release fixes 6 recently reported security vulnerabilities in
  various extensions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2022-December/003302.html
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2022-4283
  (* Security fix *)
2022-12-15 13:30:52 +01:00
Patrick J Volkerding
d17567f359 Thu Dec 8 22:48:34 UTC 2022
patches/packages/emacs-27.2-x86_64-2_slack15.0.txz:  Rebuilt.
  GNU Emacs through 28.2 allows attackers to execute commands via shell
  metacharacters in the name of a source-code file, because lib-src/etags.c
  uses the system C library function in its implementation of the ctags
  program. For example, a victim may use the "ctags *" command (suggested in
  the ctags documentation) in a situation where the current working directory
  has contents that depend on untrusted input.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45939
  (* Security fix *)
patches/packages/vim-9.0.1034-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes various security issues such as a heap-based buffer
  overflow and use after free.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-4141
    https://www.cve.org/CVERecord?id=CVE-2022-3591
    https://www.cve.org/CVERecord?id=CVE-2022-3520
    https://www.cve.org/CVERecord?id=CVE-2022-3491
    https://www.cve.org/CVERecord?id=CVE-2022-4292
    https://www.cve.org/CVERecord?id=CVE-2022-4293
  (* Security fix *)
patches/packages/vim-gvim-9.0.1034-x86_64-1_slack15.0.txz:  Upgraded.
2022-12-09 13:30:05 +01:00
Patrick J Volkerding
45ec128def Thu Nov 17 01:49:28 UTC 2022
patches/packages/krb5-1.19.2-x86_64-3_slack15.0.txz:  Rebuilt.
  Fixed integer overflows in PAC parsing.
  Fixed memory leak in OTP kdcpreauth module.
  Fixed PKCS11 module path search.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-42898
  (* Security fix *)
patches/packages/mozilla-firefox-102.5.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.5.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-48/
    https://www.cve.org/CVERecord?id=CVE-2022-45403
    https://www.cve.org/CVERecord?id=CVE-2022-45404
    https://www.cve.org/CVERecord?id=CVE-2022-45405
    https://www.cve.org/CVERecord?id=CVE-2022-45406
    https://www.cve.org/CVERecord?id=CVE-2022-45408
    https://www.cve.org/CVERecord?id=CVE-2022-45409
    https://www.cve.org/CVERecord?id=CVE-2022-45410
    https://www.cve.org/CVERecord?id=CVE-2022-45411
    https://www.cve.org/CVERecord?id=CVE-2022-45412
    https://www.cve.org/CVERecord?id=CVE-2022-45416
    https://www.cve.org/CVERecord?id=CVE-2022-45418
    https://www.cve.org/CVERecord?id=CVE-2022-45420
    https://www.cve.org/CVERecord?id=CVE-2022-45421
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.5.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.5.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
    https://www.cve.org/CVERecord?id=CVE-2022-45403
    https://www.cve.org/CVERecord?id=CVE-2022-45404
    https://www.cve.org/CVERecord?id=CVE-2022-45405
    https://www.cve.org/CVERecord?id=CVE-2022-45406
    https://www.cve.org/CVERecord?id=CVE-2022-45408
    https://www.cve.org/CVERecord?id=CVE-2022-45409
    https://www.cve.org/CVERecord?id=CVE-2022-45410
    https://www.cve.org/CVERecord?id=CVE-2022-45411
    https://www.cve.org/CVERecord?id=CVE-2022-45412
    https://www.cve.org/CVERecord?id=CVE-2022-45416
    https://www.cve.org/CVERecord?id=CVE-2022-45418
    https://www.cve.org/CVERecord?id=CVE-2022-45420
    https://www.cve.org/CVERecord?id=CVE-2022-45421
  (* Security fix *)
patches/packages/samba-4.15.12-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a security issue where Samba's Kerberos libraries and AD DC failed
  to guard against integer overflows when parsing a PAC on a 32-bit system,
  which allowed an attacker with a forged PAC to corrupt the heap.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-42898.html
    https://www.cve.org/CVERecord?id=CVE-2022-42898
  (* Security fix *)
patches/packages/xfce4-settings-4.16.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes regressions in the previous security fix:
  mime-settings: Properly quote command parameters.
  Revert "Escape characters which do not belong into an URI/URL (Issue #390)."
2022-11-17 13:30:31 +01:00
Patrick J Volkerding
ff521ad792 Wed Nov 9 22:16:30 UTC 2022
patches/packages/sysstat-12.7.1-x86_64-1_slack15.0.txz:  Upgraded.
  On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1,
  allocate_structures contains a size_t overflow in sa_common.c. The
  allocate_structures function insufficiently checks bounds before arithmetic
  multiplication, allowing for an overflow in the size allocated for the
  buffer representing system activities.
  This issue may lead to Remote Code Execution (RCE).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-39377
  (* Security fix *)
patches/packages/xfce4-settings-4.16.4-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed an argument injection vulnerability in xfce4-mime-helper.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45062
  (* Security fix *)
2022-11-10 13:30:32 +01:00
Patrick J Volkerding
2d3e95aa33 Sat Nov 5 19:18:19 UTC 2022
patches/packages/sudo-1.9.12p1-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a potential out-of-bounds write for passwords smaller than 8
  characters when passwd authentication is enabled.
  This does not affect configurations that use other authentication
  methods such as PAM, AIX authentication or BSD authentication.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-43995
  (* Security fix *)
2022-11-06 13:30:38 +01:00
Patrick J Volkerding
44df9c66d8 Fri Nov 4 19:29:28 UTC 2022
patches/packages/mozilla-thunderbird-102.4.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.4.2/releasenotes/
2022-11-05 13:30:36 +01:00
Patrick J Volkerding
2559feca78 Mon Oct 17 19:31:45 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  xquartz: Fix a possible crash when editing the Application menu due
  to mutating immutable arrays.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3553
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-4_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-3_slack15.0.txz:  Rebuilt.
  xkb: proof GetCountedString against request length attacks.
  xkb: fix some possible memleaks in XkbGetKbdByName.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3551
  (* Security fix *)
2022-10-18 13:30:33 +02:00
Patrick J Volkerding
153ac9bb20 Wed Oct 5 18:55:36 UTC 2022
patches/packages/dhcp-4.4.3_P1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes two security issues:
  Corrected a reference count leak that occurs when the server builds
  responses to leasequery packets.
  Corrected a memory leak that occurs when unpacking a packet that has an
  FQDN option (81) that contains a label with length greater than 63 bytes.
  Thanks to VictorV of Cyber Kunlun Lab for reporting these issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
  (* Security fix *)
2022-10-06 13:30:32 +02:00
Patrick J Volkerding
ef823d82ca Wed Sep 28 18:59:51 UTC 2022
patches/packages/xorg-server-xwayland-21.1.4-x86_64-2_slack15.0.txz:  Rebuilt.
  xkb: switch to array index loops to moving pointers.
  xkb: add request length validation for XkbSetGeometry.
  xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
  I hadn't realized that the xorg-server patches were needed (or applied
  cleanly) to Xwayland. Thanks to LuckyCyborg for the kind reminder. :-)
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
  (* Security fix *)
2022-09-29 13:30:05 +02:00
Patrick J Volkerding
0ab769ac69 Mon Sep 26 19:43:54 UTC 2022
patches/packages/dnsmasq-2.87-x86_64-1_slack15.0.txz:  Upgraded.
  Fix write-after-free error in DHCPv6 server code.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
  (* Security fix *)
patches/packages/vim-9.0.0594-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed stack-based buffer overflow.
  Thanks to marav for the heads-up.
  In addition, Mig21 pointed out an issue where the defaults.vim file might
  need to be edited for some purposes as its contents will override the
  settings in the system-wide vimrc. Usually this file is replaced whenever
  vim is upgraded, which in those situations would be inconvenient for the
  admin. So, I've added support for a file named defaults.vim.custom which
  (if it exists) will be used instead of the defaults.vim file shipped in
  the package and will persist through upgrades.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3296
  (* Security fix *)
patches/packages/vim-gvim-9.0.0594-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-27 13:30:30 +02:00
Patrick J Volkerding
8f546e8375 Wed Sep 21 19:19:07 UTC 2022
patches/packages/cups-2.4.2-x86_64-3_slack15.0.txz:  Rebuilt.
  Fixed crash when using the CUPS web setup interface:
  [PATCH] Fix OpenSSL crash bug - "tls" pointer wasn't cleared after freeing
  it (Issue #409).
  Thanks to MisterL, bryjen, and kjhambrick.
  Fixed an OpenSSL certificate loading issue:
  [PATCH] The OpenSSL code path wasn't loading the full certificate
  chain (Issue #465).
  Thanks to tmmukunn.
2022-09-22 13:30:28 +02:00
Patrick J Volkerding
23a0b53a62 Tue Sep 6 20:21:24 UTC 2022
extra/rust-for-mozilla/rust-1.60.0-x86_64-1_slack15.0.txz:  Upgraded.
  Upgraded the Rust compiler for Firefox 102.2.0 and Thunderbird 102.2.1.
patches/packages/mozilla-firefox-102.2.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.2.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2022-34/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478
  (* Security fix *)
patches/packages/mozilla-thunderbird-102.2.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  Some accounts may need to be reconfigured after moving from
  Thunderbird 91.13.0 to Thunderbird 102.2.1.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.2.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3032
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3034
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059
  (* Security fix *)
patches/packages/vim-9.0.0396-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3099
  (* Security fix *)
patches/packages/vim-gvim-9.0.0396-x86_64-1_slack15.0.txz:  Upgraded.
2022-09-07 13:30:33 +02:00
Patrick J Volkerding
ca8c1d3c22 Thu Sep 1 20:01:13 UTC 2022
patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz:  Rebuilt.
  [PATCH] JBIG2Stream: Fix crash on broken file.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860
  (* Security fix *)
2022-09-02 13:30:06 +02:00
Patrick J Volkerding
1393bd0f4f Tue Aug 30 19:39:30 UTC 2022
extra/sendmail/sendmail-8.17.1-x86_64-4_slack15.0.txz:  Rebuilt.
  Patched sendmail.h to fix SASL auth. Thanks to af7567.
  Build without -DUSE_EAI (which is evidently considered experimental) since
  the option breaks the vacation binary. Thanks to bitfuzzy and HQuest.
  It is possible that this could work but requires additional options. I found
  this in the ChangeLog for the SUSE rpm:
    Experimental support for SMTPUTF8 (EAI, see RFC 6530-6533) is available
    when using the compile time option USE_EAI (see also
    devtools/Site/site.config.m4.sample for other required settings) and the cf
    option SMTPUTF8.  If a mail submission via the command line requires the
    use of SMTPUTF8, e.g., because a header uses UTF-8 encoding, but the
    addresses on the command line are all ASCII, then the new option -U must be
    used, and the cf option SMTPUTF8 must be set in submit.cf.
  Any assistance with getting -DUSE_EAI working properly would be appreciated.
extra/sendmail/sendmail-cf-8.17.1-noarch-4_slack15.0.txz:  Rebuilt.
patches/packages/vim-9.0.0334-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3016
  (* Security fix *)
patches/packages/vim-gvim-9.0.0334-x86_64-1_slack15.0.txz:  Upgraded.
2022-08-31 13:30:01 +02:00
Patrick J Volkerding
71a81b7408 Fri Aug 26 04:02:20 UTC 2022
patches/packages/linux-5.15.63/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.39:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1974
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1975
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1734
    Fixed in 5.15.40:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1943
    Fixed in 5.15.41:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28893
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012
    Fixed in 5.15.42:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1652
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21499
    Fixed in 5.15.44:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1789
    Fixed in 5.15.45:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2873
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1972
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
    Fixed in 5.15.46:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1973
    Fixed in 5.15.47:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32981
    Fixed in 5.15.48:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123
    Fixed in 5.15.53:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2318
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33744
    Fixed in 5.15.54:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
    Fixed in 5.15.56:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123
    Fixed in 5.15.57:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901
    Fixed in 5.15.58:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879
    Fixed in 5.15.59:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
    Fixed in 5.15.60:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26373
    Fixed in 5.15.61:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588
  (* Security fix *)
patches/packages/vim-9.0.0270-x86_64-1_slack15.0.txz:  Upgraded.
  We're just going to move to vim-9 instead of continuing to backport patches
  to the vim-8 branch. Most users will be better served by this.
  Fixed use after free and null pointer dereference.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2923
  (* Security fix *)
patches/packages/vim-gvim-9.0.0270-x86_64-1_slack15.0.txz:  Upgraded.
2022-08-27 13:30:28 +02:00
Patrick J Volkerding
44e993e802 Sat Aug 20 20:04:15 UTC 2022
patches/packages/vim-8.2.4649-x86_64-3_slack15.0.txz:  Rebuilt.
  Fix use after free.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2889
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-3_slack15.0.txz:  Rebuilt.
2022-08-21 13:30:26 +02:00
Patrick J Volkerding
821b8a94bf Wed Aug 17 20:41:53 UTC 2022
patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
  Fix use after free, out-of-bounds read, and heap based buffer overflow.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txz:  Rebuilt.
2022-08-18 13:30:02 +02:00
Patrick J Volkerding
bfbbd63f28 Mon Jul 25 20:53:49 UTC 2022
patches/packages/mozilla-firefox-91.12.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.12.0/releasenotes/
  (* Security fix *)
patches/packages/perl-5.34.0-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  Upgraded: Devel-CheckLib-1.16, IO-Socket-SSL-2.074, Net-SSLeay-1.92,
  Path-Tiny-0.122, Template-Toolkit-3.100, URI-5.12, libnet-3.14.
  Added a symlink to libperl.so in /usr/${LIBDIRSUFFIX} since net-snmp (and
  possibly other programs) might have trouble linking with it since it's not
  in the LD_LIBRARY_PATH. Thanks to oneforall.
2022-07-26 13:30:29 +02:00
Patrick J Volkerding
7e93037632 Thu Jul 21 18:13:18 UTC 2022
patches/packages/net-snmp-5.9.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause
  an out-of-bounds memory access.
  A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL
  pointer dereference.
  Improper Input Validation when SETing malformed OIDs in master agent and
  subagent simultaneously.
  A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
  can cause an out-of-bounds memory access.
  A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a
  NULL pointer dereference.
  A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer
  dereference.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24805
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24809
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24806
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24807
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24808
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24810
  (* Security fix *)
2022-07-22 13:30:29 +02:00
Patrick J Volkerding
83e918a979 Wed Jul 13 19:56:59 UTC 2022
patches/packages/xorg-server-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
  xkb: switch to array index loops to moving pointers.
  xkb: add request length validation for XkbSetGeometry.
  xkb: swap XkbSetDeviceInfo and XkbSetDeviceInfoCheck.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2319
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-3_slack15.0.txz:  Rebuilt.
2022-07-14 13:30:35 +02:00
Patrick J Volkerding
81f2355530 Thu May 26 18:27:32 UTC 2022
patches/packages/cups-2.4.2-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed certificate strings comparison for Local authorization.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26691
  (* Security fix *)
2022-05-27 13:30:00 +02:00
Patrick J Volkerding
3c08cf6792 Mon May 9 21:33:25 UTC 2022
patches/packages/linux-5.15.38/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.27:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24958
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0494
    Fixed in 5.15.28:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23038
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23039
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23036
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23041
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23040
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23042
    Fixed in 5.15.29:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27666
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0995
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0854
    Fixed in 5.15.32:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1015
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1048
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1016
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28356
    Fixed in 5.15.33:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28390
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0168
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1158
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1353
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1198
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28389
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28388
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1516
    Fixed in 5.15.34:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1263
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29582
    Fixed in 5.15.35:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1204
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1205
    Fixed in 5.15.37:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23222
  (* Security fix *)
2022-05-10 13:30:03 +02:00
Patrick J Volkerding
d88c750381 Mon May 2 20:02:49 UTC 2022
patches/packages/libxml2-2.9.14-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  Fix integer overflow in xmlBuf and xmlBuffer.
  Fix potential double-free in xmlXPtrStringRangeFunction.
  Fix memory leak in xmlFindCharEncodingHandler.
  Normalize XPath strings in-place.
  Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars().
  Fix leak of xmlElementContent.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
  (* Security fix *)
patches/packages/mozilla-firefox-91.9.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.9.0/releasenotes/
patches/packages/samba-4.15.7-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.samba.org/samba/history/samba-4.15.7.html
2022-05-03 13:29:53 +02:00
Patrick J Volkerding
7d2523ede3 Sat Apr 30 21:18:47 UTC 2022
patches/packages/pidgin-2.14.9-x86_64-1_slack15.0.txz:  Upgraded.
  Mitigate the potential for a man in the middle attack via DNS spoofing by
  removing the code that supported the _xmppconnect DNS TXT record.
  For more information, see:
    https://www.pidgin.im/about/security/advisories/cve-2022-26491/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26491
  (* Security fix *)
2022-05-01 13:30:01 +02:00
Patrick J Volkerding
287bf2688a Wed Mar 30 22:37:05 UTC 2022
patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txz:  Upgraded.
  Fixes a use-after-free in utf_ptr2char in vim/vim prior to 8.2.4646.
  This vulnerability is capable of crashing software, bypassing protection
  mechanisms, modifying memory, and possibly execution of arbitrary code.
  Thanks to marav for the heads-up.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1154
    https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425
    b55986c52d
  (* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txz:  Upgraded.
2022-03-31 13:29:48 +02:00
Patrick J Volkerding
8e056e9406 Sat Mar 19 20:28:16 UTC 2022
patches/packages/glibc-zoneinfo-2022a-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2022-03-20 13:29:57 +01:00
Patrick J Volkerding
5d5dc01569 Fri Mar 18 20:16:12 UTC 2022
patches/packages/python3-3.9.11-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  libexpat upgraded from 2.4.1 to 2.4.7
  bundled pip upgraded from 21.2.4 to 22.0.4
  authorization bypass fixed in urllib.request
  REDoS avoided in importlib.metadata
  For more information, see:
    https://pythoninsider.blogspot.com/2022/03/python-3103-3911-3813-and-3713-are-now.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
  (* Security fix *)
2022-03-19 13:29:58 +01:00