patches/packages/bind-9.18.32-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/proftpd-1.3.8c-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release:
Fixed segfault when TLSOptions StdEnvVars is used in conjunction with
an FTPS session.
Properly use all configured ECDSA SSH hostkeys, not just the first
configured ECSA SSH hostkey.
Fixed issue with RADIUS authentication when using mod_radius and newer
FreeRADIUS, due to BlastRadius mitigation.
patches/packages/python3-3.9.21-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
gh-126623: Upgraded libexpat to 2.6.4 to fix CVE-2024-50602.
gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the
mapped IPv4 address value for deciding properties. Properties which have
their behavior fixed are is_multicast, is_reserved, is_link_local, is_global,
and is_unspecified.
gh-124651: Properly quote template strings in venv activation scripts.
gh-103848: Added checks to ensure that [ bracketed ] hosts found by
urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
gh-95588: Clarified the conflicting advice given in the ast documentation
about ast.literal_eval() being safe for use on untrusted input while at the
same time warning that it can crash the process. The latter statement is true
and is deemed unfixable without a large amount of work unsuitable for a
bugfix. So we keep the warning and no longer claim that literal_eval is safe.
For more information, see:
https://pythoninsider.blogspot.com/2024/12/python-3131-3128-31111-31016-and-3921.htmlhttps://www.cve.org/CVERecord?id=CVE-2024-50602
(* Security fix *)
patches/packages/ca-certificates-20241120-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/mozilla-thunderbird-128.4.4esr-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/128.4.4esr/releasenotes/
extra/llvm-19.1.4-x86_64-1_slack15.0.txz: Upgraded.
patches/packages/pam-1.6.1-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a regression in pam-1.6.0. When password aging is disabled,
this warning would occur at login:
"Warning: your password will expire in 0 days."
Thanks to Jonathan Woithe for the bug report.
patches/packages/dovecot-2.3.21.1-x86_64-2_slack15.0.txz: Rebuilt.
This update adds support for tcp_wrappers:
Build with option --with-libwrap. Patch configure to add -lnsl to -lwrap.
Thanks to Jonathan Woithe.
patches/packages/wget-1.25.0-x86_64-1_slack15.0.txz: Upgraded.
[Breaking change] Drop support for shorthand FTP URLs (CVE-2024-10524)
[Breaking change] Switch to continuous reading from stdin pipes
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-10524
(* Security fix *)
patches/packages/curl-8.11.0-x86_64-2_slack15.0.txz: Rebuilt.
Adjust libcurl.pc to remove ldap from Requires.private.
This fixes building PHP. Thanks to Thom1b.
patches/packages/expat-2.6.4-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and a security issue:
Fix crash within function XML_ResumeParser from a NULL pointer dereference
by disallowing function XML_StopParser to (stop or) suspend an unstarted
parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly
communicate this situation.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-50602
(* Security fix *)
patches/packages/mozilla-thunderbird-128.4.2esr-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/128.4.2esr/releasenotes/
patches/packages/dhcpcd-9.5.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release, primarily to address the broken --dumplease option.
Thanks to slackwhere.
patches/packages/mariadb-10.5.27-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://mariadb.com/kb/en/mariadb-10-5-27-release-notes/
patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
Apply patch to fix a security issue:
Harden BN_GF2m_poly2arr against misuse.
This CVE was fixed by the 1.1.1zb release that is only available to
subscribers to OpenSSL's premium extended support. The patch was prepared
by backporting from the OpenSSL-3.0 repo. The reported version number has
been updated so that vulnerability scanners calm down.
Thanks to Ken Zalewski for the patch!
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-9143
(* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
testing/packages/llvm-19.1.2-x86_64-1_slack15.0.txz: Upgraded.
Shared library .so-version bump.
Chromium requires either a patched LLVM18, or LLVM19, so we're upgrading.
Thanks to alienBOB.
patches/packages/libarchive-3.7.7-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bug and the following security issues:
gzip: prevent a hang when processing a malformed gzip inside a gzip.
tar: don't crash on truncated tar archives.
tar: fix two leaks in tar header parsing.
(* Security fix *)
patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz: Upgraded.
This update is primarily to address a regression that prevents using
inetd or xinetd with sshd. Thanks to a_biardi for the bug report.
Future deprecation notice: OpenSSH plans to remove support for the DSA
signature algorithm in early 2025. For now, this package retains DSA
support, but plan accordingly.
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
extra/llvm-17.0.6-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz: Rebuilt.
Mitigate security issue that could lead to a denial of service or
the execution of arbitrary code.
Rebuilt with --with-browseremoteprotocols=none to disable incoming
connections, since this daemon has been shown to be insecure. If you
actually use cups-browsed, be sure to install the new
/etc/cups/cups-browsed.conf.new containing this line:
BrowseRemoteProtocols none
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-47176
(* Security fix *)
patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/https://www.mozilla.org/security/advisories/mfsa2024-48https://www.cve.org/CVERecord?id=CVE-2024-9392https://www.cve.org/CVERecord?id=CVE-2024-9393https://www.cve.org/CVERecord?id=CVE-2024-9394https://www.cve.org/CVERecord?id=CVE-2024-9401
(* Security fix *)
patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz: Rebuilt.
makepkg: when looking for ELF objects with --remove-rpaths or
--remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
of the directory or filename.
Also warn about /tmp rpaths after the package is built.
patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz: Rebuilt.
Remove rpaths from binaries.
(* Security fix *)
patches/packages/pkgtools-15.0-noarch-43_slack15.0.txz: Rebuilt.
This update adds new makepkg options and fixes a bug:
makepkg: added options --remove-rpaths, --remove-tmp-rpaths.
Thanks to Petri Kaukasoina for code examples.
makepkg: chown root:root, not root.root.
patches/packages/boost-1.78.0-x86_64-3_slack15.0.txz: Rebuilt.
Get rid of hardcoded temporary paths in the cmake files.
Since these paths point to a location that an unprivileged user could
create and populate with files that could be picked up during a build,
it's possible this bug could be used for malicious purposes.
Thanks to jmacloue.
(* Security fix *)
patches/packages/git-2.46.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
Some projects are requiring newer git features than git-2.39.4 provides,
so have an upgrade. Thanks to lancsuk for the suggestion.
patches/packages/libssh2-1.11.0-x86_64-1_slack15.0.txz: Upgraded.
This update adds support for rsa-sha2-512 and rsa-sha2-256, which are needed
to connect to servers that use a recent version of OpenSSH.
Thanks to Jonathan Woithe.
patches/packages/libpcap-1.10.5-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Clean up sock_initaddress() and its callers to avoid double frees
in some cases.
Fix pcap_findalldevs_ex() not to crash if passed a file:// URL with a
path to a directory that cannot be opened.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-7256https://www.cve.org/CVERecord?id=CVE-2024-8006
(* Security fix *)
