Commit graph

1381 commits

Author SHA1 Message Date
Patrick J Volkerding
fb146f18cf Thu May 16 02:31:40 UTC 2024
patches/packages/gdk-pixbuf2-2.42.12-x86_64-1_slack15.0.txz:  Upgraded.
  ani: Reject files with multiple INA or IART chunks.
  ani: Reject files with multiple anih chunks.
  ani: validate chunk size.
  Thanks to 0xvhp, pedrib, and Benjamin Gilbert.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-48622
  (* Security fix *)
patches/packages/git-2.39.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Recursive clones on case-insensitive filesystems that support symbolic
  links are susceptible to case confusion that can be exploited to
  execute just-cloned code during the clone operation.
  Repositories can be configured to execute arbitrary code during local
  clones. To address this, the ownership checks introduced in v2.30.3
  are now extended to cover cloning local repositories.
  Local clones may end up hardlinking files into the target repository's
  object database when source and target repository reside on the same
  disk. If the source repository is owned by a different user, then
  those hardlinked files may be rewritten at any point in time by the
  untrusted user.
  When cloning a local source repository that contains symlinks via the
  filesystem, Git may create hardlinks to arbitrary user-readable files
  on the same filesystem as the target repository in the objects/
  directory.
  It is supposed to be safe to clone untrusted repositories, even those
  unpacked from zip archives or tarballs originating from untrusted
  sources, but Git can be tricked to run arbitrary code as part of the
  clone.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-32002
    https://www.cve.org/CVERecord?id=CVE-2024-32004
    https://www.cve.org/CVERecord?id=CVE-2024-32020
    https://www.cve.org/CVERecord?id=CVE-2024-32021
    https://www.cve.org/CVERecord?id=CVE-2024-32465
  (* Security fix *)
patches/packages/popa3d-1.0.3-x86_64-7_slack15.0.txz:  Rebuilt.
  This is a bugfix release:
  Build with AUTH_PAM, not AUTH_SHADOW.
  Thanks to jayjwa.
testing/packages/bind-9.18.27-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-05-17 13:40:17 +02:00
Patrick J Volkerding
a86246c0dd Tue May 14 19:07:51 UTC 2024
patches/packages/mozilla-firefox-115.11.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.11.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-22/
    https://www.cve.org/CVERecord?id=CVE-2024-4367
    https://www.cve.org/CVERecord?id=CVE-2024-4767
    https://www.cve.org/CVERecord?id=CVE-2024-4768
    https://www.cve.org/CVERecord?id=CVE-2024-4769
    https://www.cve.org/CVERecord?id=CVE-2024-4770
    https://www.cve.org/CVERecord?id=CVE-2024-4777
  (* Security fix *)
2024-05-15 13:30:44 +02:00
Patrick J Volkerding
e00e146d20 Mon May 13 18:22:20 UTC 2024
patches/packages/libxml2-2.11.8-x86_64-1_slack15.0.txz:  Upgraded.
  Fix buffer overread with "xmllint --htmlout".
  xmllint: Fix --pedantic option.
  save: Handle invalid parent pointers in xhtmlNodeDumpOutput.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-34459
  (* Security fix *)
2024-05-14 13:40:19 +02:00
Patrick J Volkerding
39da3ef43f Sun May 12 19:10:12 UTC 2024
patches/packages/whois-5.5.23-x86_64-1_slack15.0.txz:  Upgraded.
  Updated the .sc, .********* (.xn--yfro4i67o, Singapore)
  and .********************************* (.xn--clchc0ea0b2g2a9gcd, Singapore)
  TLD servers.
2024-05-13 13:30:45 +02:00
Patrick J Volkerding
bc6a73dcbb Thu May 9 19:26:51 UTC 2024
patches/packages/sg3_utils-1.47-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix release to fix a regression in rescan-scsi-bus.sh that
  causes all SCSI devices to be removed from the system when the '-r'
  option is used. Thanks to jwoithe for the link to the upstream patch.
2024-05-10 13:30:43 +02:00
Patrick J Volkerding
1163276b19 Thu Apr 25 17:58:17 UTC 2024
patches/packages/libarchive-3.7.3-x86_64-2_slack15.0.txz:  Rebuilt.
  Patched an out-of-bound error in the rar e8 filter that could allow for
  the execution of arbitrary code.
  Thanks to gmgf for the heads-up.
  For more information, see:
    https://github.com/advisories/GHSA-2jc9-36w4-pmqw
    https://www.cve.org/CVERecord?id=CVE-2024-26256
  (* Security fix *)
2024-04-26 13:30:48 +02:00
Patrick J Volkerding
88c375df6b Tue Apr 23 22:24:03 UTC 2024
patches/packages/ruby-3.0.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Arbitrary memory address read vulnerability with Regex search.
  RCE vulnerability with .rdoc_options in RDoc.
  Buffer overread vulnerability in StringIO.
  For more information, see:
    https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
    https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
    https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
    https://www.cve.org/CVERecord?id=CVE-2024-27282
    https://www.cve.org/CVERecord?id=CVE-2024-27281
    https://www.cve.org/CVERecord?id=CVE-2024-27280
  (* Security fix *)
2024-04-24 13:30:50 +02:00
Patrick J Volkerding
9e65079da6 Mon Apr 22 19:36:38 UTC 2024
patches/packages/freerdp-2.11.7-x86_64-1_slack15.0.txz:  Upgraded.
  This release eliminates a bunch of issues detected during oss-fuzz runs.
  (* Security fix *)
2024-04-23 13:30:50 +02:00
Patrick J Volkerding
54a8f66b49 Fri Apr 19 19:36:17 UTC 2024
patches/packages/freerdp-2.11.6-x86_64-1_slack15.0.txz:  Upgraded.
  This release is a security release and addresses multiple issues:
  [Low] OutOfBound Read in zgfx_decompress_segment.
  [Moderate] Integer overflow & OutOfBound Write in
  clear_decompress_residual_data.
  [Low] integer underflow in nsc_rle_decode.
  [Low] OutOfBound Read in planar_skip_plane_rle.
  [Low] OutOfBound Read in ncrush_decompress.
  [Low] OutOfBound Read in interleaved_decompress.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-32041
    https://www.cve.org/CVERecord?id=CVE-2024-32039
    https://www.cve.org/CVERecord?id=CVE-2024-32040
    https://www.cve.org/CVERecord?id=CVE-2024-32458
    https://www.cve.org/CVERecord?id=CVE-2024-32459
    https://www.cve.org/CVERecord?id=CVE-2024-32460
  (* Security fix *)
2024-04-20 13:30:46 +02:00
Patrick J Volkerding
d3c452d720 Thu Apr 18 19:17:30 UTC 2024
patches/packages/bind-9.16.50-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/aaa_glibc-solibs-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/glibc-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  The iconv() function in the GNU C Library versions 2.39 and older may
  overflow the output buffer passed to it by up to 4 bytes when converting
  strings to the ISO-2022-CN-EXT character set, which may be used to crash
  an application or overwrite a neighbouring variable.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-2961
  (* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
testing/packages/bind-9.18.26-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-04-19 13:30:41 +02:00
Patrick J Volkerding
2a933a7e4f Wed Apr 17 20:35:48 UTC 2024
patches/packages/mozilla-thunderbird-115.10.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.10.0/releasenotes/
    https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird115.10
  (* Security fix *)
2024-04-18 13:30:45 +02:00
Patrick J Volkerding
7165f6f4db Tue Apr 16 18:50:13 UTC 2024
patches/packages/mozilla-firefox-115.10.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.10.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-19/
    https://www.cve.org/CVERecord?id=CVE-2024-3852
    https://www.cve.org/CVERecord?id=CVE-2024-3854
    https://www.cve.org/CVERecord?id=CVE-2024-3857
    https://www.cve.org/CVERecord?id=CVE-2024-2609
    https://www.cve.org/CVERecord?id=CVE-2024-3859
    https://www.cve.org/CVERecord?id=CVE-2024-3861
    https://www.cve.org/CVERecord?id=CVE-2024-3863
    https://www.cve.org/CVERecord?id=CVE-2024-3302
    https://www.cve.org/CVERecord?id=CVE-2024-3864
  (* Security fix *)
2024-04-17 13:30:44 +02:00
Patrick J Volkerding
1d9ca96a22 Sun Apr 14 18:35:32 UTC 2024
patches/packages/less-653-x86_64-1_slack15.0.txz:  Upgraded.
  This update patches a security issue:
  less through 653 allows OS command execution via a newline character in the
  name of a file, because quoting is mishandled in filename.c. Exploitation
  typically requires use with attacker-controlled file names, such as the files
  extracted from an untrusted archive. Exploitation also requires the LESSOPEN
  environment variable, but this is set by default in many common cases.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-32487
  (* Security fix *)
2024-04-15 13:30:43 +02:00
Patrick J Volkerding
47084e3f2f Fri Apr 12 19:08:59 UTC 2024
extra/php81/php81-8.1.28-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Command injection via array-ish $command parameter of proc_open.
  __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix.
  Password_verify can erroneously return true, opening ATO risk.
  For more information, see:
    https://www.php.net/ChangeLog-8.php#8.1.28
    https://www.cve.org/CVERecord?id=CVE-2024-1874
    https://www.cve.org/CVERecord?id=CVE-2024-2756
    https://www.cve.org/CVERecord?id=CVE-2024-3096
  (* Security fix *)
2024-04-13 13:30:41 +02:00
Patrick J Volkerding
971e161e46 Mon Apr 8 18:44:37 UTC 2024
patches/packages/libarchive-3.7.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix possible vulnerability in tar error reporting introduced in f27c173
  by JiaT75.
  For more information, see:
    f27c173d17
    https://github.com/libarchive/libarchive/pull/2101
  (* Security fix *)
2024-04-09 13:30:46 +02:00
Patrick J Volkerding
d5ca6849f8 Fri Apr 5 20:11:23 UTC 2024
extra/tigervnc/tigervnc-1.12.0-x86_64-6_slack15.0.txz:  Rebuilt.
  Recompiled against xorg-server-1.20.14, including the latest patches for
  several security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Heap buffer overread/data leakage in ProcAppleDRICreatePixmap.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31082
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
2024-04-06 13:30:47 +02:00
Patrick J Volkerding
1e2fa38645 Thu Apr 4 20:49:23 UTC 2024
patches/packages/httpd-2.4.59-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  HTTP/2 DoS by memory exhaustion on endless continuation frames.
  HTTP Response Splitting in multiple modules.
  HTTP response splitting.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.59
    https://www.cve.org/CVERecord?id=CVE-2024-27316
    https://www.cve.org/CVERecord?id=CVE-2024-24795
    https://www.cve.org/CVERecord?id=CVE-2023-38709
  (* Security fix *)
patches/packages/nghttp2-1.61.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  nghttp2 library keeps reading the unbounded number of HTTP/2 CONTINUATION
  frames even after a stream is reset to keep HPACK context in sync. This
  causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates
  this vulnerability by limiting the number of CONTINUATION frames it can
  accept after a HEADERS frame.
  For more information, see:
    https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
    https://www.kb.cert.org/vuls/id/421644
    https://www.cve.org/CVERecord?id=CVE-2024-28182
  (* Security fix *)
2024-04-05 13:30:57 +02:00
Patrick J Volkerding
d6e7dd0417 Wed Apr 3 22:22:06 UTC 2024
patches/packages/xorg-server-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Heap buffer overread/data leakage in ProcAppleDRICreatePixmap.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31082
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-11_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
2024-04-04 13:30:42 +02:00
Patrick J Volkerding
3874039d9c Fri Mar 29 02:25:21 UTC 2024
patches/packages/coreutils-9.5-x86_64-1_slack15.0.txz:  Upgraded.
  chmod -R now avoids a race where an attacker may replace a traversed file
  with a symlink, causing chmod to operate on an unintended file.
  [This bug was present in "the beginning".]
  split --line-bytes with a mixture of very long and short lines no longer
  overwrites the heap.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-0684
  (* Security fix *)
2024-03-29 13:30:42 +01:00
Patrick J Volkerding
9146b9762b Wed Mar 27 19:16:09 UTC 2024
patches/packages/curl-8.7.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes the following security issues:
  TLS certificate check bypass with mbedTLS.
  HTTP/2 push headers memory-leak.
  QUIC certificate check bypass with wolfSSL.
  Usage of disabled protocol.
  For more information, see:
    https://curl.se/docs/CVE-2024-2466.html
    https://curl.se/docs/CVE-2024-2398.html
    https://curl.se/docs/CVE-2024-2379.html
    https://curl.se/docs/CVE-2024-2004.html
    https://www.cve.org/CVERecord?id=CVE-2024-2466
    https://www.cve.org/CVERecord?id=CVE-2024-2398
    https://www.cve.org/CVERecord?id=CVE-2024-2379
    https://www.cve.org/CVERecord?id=CVE-2024-2004
  (* Security fix *)
2024-03-28 13:30:39 +01:00
Patrick J Volkerding
9543d326f2 Sun Mar 24 18:21:46 UTC 2024
patches/packages/emacs-29.3-x86_64-1_slack15.0.txz:  Upgraded.
  GNU Emacs through 28.2 allows attackers to execute commands via shell
  metacharacters in the name of a source-code file, because lib-src/etags.c
  uses the system C library function in its implementation of the ctags
  program. For example, a victim may use the "ctags *" command (suggested in
  the ctags documentation) in a situation where the current working directory
  has contents that depend on untrusted input.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45939
  (* Security fix *)
2024-03-25 13:30:45 +01:00
Patrick J Volkerding
fca48db86c Sat Mar 23 19:34:02 UTC 2024
patches/packages/mozilla-firefox-115.9.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a critical security issue:
  An attacker was able to inject an event handler into a privileged object
  that would allow arbitrary JavaScript execution in the parent process.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.9.1esr/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-16/
    https://www.cve.org/CVERecord?id=CVE-2024-29944
  (* Security fix *)
2024-03-24 13:30:44 +01:00
Patrick J Volkerding
7fee55d3d8 Wed Mar 20 21:10:30 UTC 2024
patches/packages/bind-9.16.49-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/python3-3.9.19-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  bundled libexpat was updated to 2.6.0.
  zipfile is now protected from the "quoted-overlap" zipbomb.
  tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when
  working around file system permission errors.
  For more information, see:
    https://pythoninsider.blogspot.com/2024/03/python-31014-3919-and-3819-is-now.html
    https://www.cve.org/CVERecord?id=CVE-2023-52425
    https://www.cve.org/CVERecord?id=CVE-2024-0450
    https://www.cve.org/CVERecord?id=CVE-2023-6597
  (* Security fix *)
testing/packages/bind-9.18.25-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-03-21 13:30:40 +01:00
Patrick J Volkerding
56c5869402 Wed Mar 20 00:08:59 UTC 2024
patches/packages/gnutls-3.8.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes two medium severity security issues:
  libgnutls: Fix side-channel in the deterministic ECDSA.
  Reported by George Pantelakis (#1516).
  libgnutls: Fixed a bug where certtool crashed when verifying a certificate
  chain with more than 16 certificates. Reported by William Woodruff (#1525)
  and yixiangzhike (#1527).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-28834
    https://www.cve.org/CVERecord?id=CVE-2024-28835
  (* Security fix *)
patches/packages/mozilla-firefox-115.9.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-13/
    https://www.cve.org/CVERecord?id=CVE-2024-0743
    https://www.cve.org/CVERecord?id=CVE-2024-2605
    https://www.cve.org/CVERecord?id=CVE-2024-2607
    https://www.cve.org/CVERecord?id=CVE-2024-2608
    https://www.cve.org/CVERecord?id=CVE-2024-2616
    https://www.cve.org/CVERecord?id=CVE-2023-5388
    https://www.cve.org/CVERecord?id=CVE-2024-2610
    https://www.cve.org/CVERecord?id=CVE-2024-2611
    https://www.cve.org/CVERecord?id=CVE-2024-2612
    https://www.cve.org/CVERecord?id=CVE-2024-2614
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.9.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-14/
    https://www.cve.org/CVERecord?id=CVE-2024-0743
    https://www.cve.org/CVERecord?id=CVE-2024-2605
    https://www.cve.org/CVERecord?id=CVE-2024-2607
    https://www.cve.org/CVERecord?id=CVE-2024-2608
    https://www.cve.org/CVERecord?id=CVE-2024-2616
    https://www.cve.org/CVERecord?id=CVE-2023-5388
    https://www.cve.org/CVERecord?id=CVE-2024-2610
    https://www.cve.org/CVERecord?id=CVE-2024-2611
    https://www.cve.org/CVERecord?id=CVE-2024-2612
    https://www.cve.org/CVERecord?id=CVE-2024-2614
  (* Security fix *)
2024-03-20 13:30:42 +01:00
Patrick J Volkerding
735bb1f74b Wed Mar 13 19:46:48 UTC 2024
patches/packages/expat-2.6.2-x86_64-1_slack15.0.txz:  Upgraded.
  Prevent billion laughs attacks with isolated use of external parsers.
  For more information, see:
    1d50b80cf3
    https://www.cve.org/CVERecord?id=CVE-2024-28757
  (* Security fix *)
2024-03-14 13:30:42 +01:00
Patrick J Volkerding
c131b21d96 Fri Mar 8 19:20:11 UTC 2024
patches/packages/xfce4-weather-plugin-0.11.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-03-09 13:30:47 +01:00
Patrick J Volkerding
9f285815b9 Thu Mar 7 20:40:08 UTC 2024
patches/packages/ghostscript-9.55.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Fixes security issues:
  A vulnerability was identified in the way Ghostscript/GhostPDL called
  tesseract for the OCR devices, which could allow arbitrary code execution.
  Thanks to J_W for the heads-up.
  Mishandling of permission validation for pipe devices could allow arbitrary
  code execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
  (* Security fix *)
2024-03-08 13:30:42 +01:00
Patrick J Volkerding
f4d1d3ac7d Tue Mar 5 21:16:50 UTC 2024
patches/packages/mozilla-thunderbird-115.8.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.8.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/
    https://www.cve.org/CVERecord?id=CVE-2024-1936
  (* Security fix *)
patches/packages/postfix-3.6.15-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.postfix.org/announcements/postfix-3.8.6.html
2024-03-06 13:30:42 +01:00
Patrick J Volkerding
ce64f0a935 Fri Mar 1 22:13:28 UTC 2024
patches/packages/expat-2.6.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-03-02 13:31:26 +01:00
Patrick J Volkerding
cec16b4f7e Thu Feb 29 19:11:19 UTC 2024
patches/packages/openjpeg-2.5.2-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a regression in openjpeg-2.5.1:
  API breakage / openjpeg version no longer detected (openjpeg.h no longer
  includes opj_config.h).
2024-03-01 13:30:44 +01:00
Patrick J Volkerding
970e55afb6 Wed Feb 28 18:36:48 UTC 2024
patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz:  Rebuilt.
  Patched the implementation of PEAP in wpa_supplicant to prevent an
  authentication bypass. For a successful attack, wpa_supplicant must be
  configured to not verify the network's TLS certificate during Phase 1
  authentication, and an eap_peap_decrypt vulnerability can then be abused
  to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
  Success packet instead of starting Phase 2. This allows an adversary to
  impersonate Enterprise Wi-Fi networks.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-52160
  (* Security fix *)
2024-02-29 13:30:42 +01:00
Patrick J Volkerding
6008910371 Mon Feb 26 20:09:43 UTC 2024
patches/packages/openjpeg-2.5.1-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a heap-based buffer overflow in openjpeg in color.c:379:42 in
  sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use
  this to execute arbitrary code with the permissions of the application
  compiled against openjpeg.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-3575
  (* Security fix *)
2024-02-27 13:30:41 +01:00
Patrick J Volkerding
76371c76c5 Sun Feb 25 19:16:52 UTC 2024
patches/packages/whois-5.5.21-x86_64-1_slack15.0.txz:  Upgraded.
  Updated the .cv and .sd TLD servers.
  Removed 4 new gTLDs which are no longer active.
2024-02-26 13:30:47 +01:00
Patrick J Volkerding
c33fb28229 Fri Feb 23 20:37:29 UTC 2024
patches/packages/dcron-4.5-x86_64-13_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  run-parts.8: document skiping *.orig files. Thanks to metaed.
2024-02-24 13:30:44 +01:00
Patrick J Volkerding
14f2469b12 Wed Feb 21 20:00:08 UTC 2024
patches/packages/dcron-4.5-x86_64-12_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  run-parts: skip *.orig files. Thanks to metaed.
patches/packages/mozilla-thunderbird-115.8.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/
    https://www.cve.org/CVERecord?id=CVE-2024-1546
    https://www.cve.org/CVERecord?id=CVE-2024-1547
    https://www.cve.org/CVERecord?id=CVE-2024-1548
    https://www.cve.org/CVERecord?id=CVE-2024-1549
    https://www.cve.org/CVERecord?id=CVE-2024-1550
    https://www.cve.org/CVERecord?id=CVE-2024-1551
    https://www.cve.org/CVERecord?id=CVE-2024-1552
    https://www.cve.org/CVERecord?id=CVE-2024-1553
  (* Security fix *)
2024-02-22 13:39:58 +01:00
Patrick J Volkerding
bdfa16c82f Tue Feb 20 21:08:27 UTC 2024
patches/packages/libuv-1.48.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a server-side request forgery (SSRF) flaw.
  Thanks to alex2grad for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-24806
  (* Security fix *)
2024-02-21 13:30:43 +01:00
Patrick J Volkerding
b9cc8f3425 Sun Feb 18 21:03:57 UTC 2024
extra/llvm-17.0.6-x86_64-1_slack15.0.txz:  Added.
  In case anyone needs a newer compiler.
extra/llvm13-compat-13.0.0-x86_64-1_slack15.0.txz:  Added.
  In case anyone needs to run binaries linked to the old compiler.
2024-02-19 13:30:46 +01:00
Patrick J Volkerding
bdd6ac9360 Fri Feb 16 20:18:59 UTC 2024
patches/packages/ca-certificates-20240216-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2024-02-17 13:30:46 +01:00
Patrick J Volkerding
9847738ba0 Wed Feb 14 04:18:12 UTC 2024
patches/packages/dnsmasq-2.90-x86_64-1_slack15.0.txz:  Upgraded.
  Add limits on the resources used to do DNSSEC validation.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-50387
    https://www.cve.org/CVERecord?id=CVE-2023-50868
  (* Security fix *)
2024-02-15 13:30:47 +01:00
Patrick J Volkerding
cd44edc237 Tue Feb 13 19:19:24 UTC 2024
patches/packages/bind-9.16.48-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Specific DNS answers could cause a denial-of-service condition due to DNS
  validation taking a long time.
  Query patterns that continuously triggered cache database maintenance could
  exhaust all available memory on the host running named.
  Restore DNS64 state when handling a serve-stale timeout.
  Specific queries could trigger an assertion check with nxdomain-redirect
  enabled.
  Speed up parsing of DNS messages with many different names.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-50387
    https://www.cve.org/CVERecord?id=CVE-2023-50387
    https://kb.isc.org/docs/cve-2023-6516
    https://www.cve.org/CVERecord?id=CVE-2023-6516
    https://kb.isc.org/docs/cve-2023-5679
    https://www.cve.org/CVERecord?id=CVE-2023-5679
    https://kb.isc.org/docs/cve-2023-5517
    https://www.cve.org/CVERecord?id=CVE-2023-5517
    https://kb.isc.org/docs/cve-2023-4408
    https://www.cve.org/CVERecord?id=CVE-2023-4408
  (* Security fix *)
testing/packages/bind-9.18.24-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Specific DNS answers could cause a denial-of-service condition due to DNS
  validation taking a long time.
  Restore DNS64 state when handling a serve-stale timeout.
  Specific queries could trigger an assertion check with nxdomain-redirect
  enabled.
  Speed up parsing of DNS messages with many different names.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-50387
    https://www.cve.org/CVERecord?id=CVE-2023-50387
    https://kb.isc.org/docs/cve-2023-5679
    https://www.cve.org/CVERecord?id=CVE-2023-5679
    https://kb.isc.org/docs/cve-2023-5517
    https://www.cve.org/CVERecord?id=CVE-2023-5517
    https://kb.isc.org/docs/cve-2023-4408
    https://www.cve.org/CVERecord?id=CVE-2023-4408
  (* Security fix *)
2024-02-14 13:30:43 +01:00
Patrick J Volkerding
4f3857a3d1 Sun Feb 11 22:11:59 UTC 2024
patches/packages/mariadb-10.5.24-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://mariadb.com/kb/en/mariadb-10-5-24-release-notes/
2024-02-12 13:30:40 +01:00
Patrick J Volkerding
639c931a2b Fri Feb 9 21:48:09 UTC 2024
patches/packages/xpdf-4.05-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Fixed a bug in the ICCBased color space parser that was allowing the number
  of components to be zero. Thanks to huckleberry for the bug report.
  Fixed a bug in the ICCBased color space parser that was allowing the number
  of components to be zero. Thanks to huckleberry for the bug report.
  Added checks for PDF object loops in AcroForm::scanField(),
  Catalog::readPageLabelTree2(), and Catalog::readEmbeddedFileTree().
  The zero-width character problem can also happen if the page size is very
  large -- that needs to be limited too, the same way as character position
  coordinates. Thanks to jlinliu for the bug report.
  Add some missing bounds check code in DCTStream. Thanks to Jiahao Liu for
  the bug report.
  Fix a deadlock when an object stream's length field is contained in another
  object stream. Thanks to Jiahao Liu for the bug report.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-2662
    https://www.cve.org/CVERecord?id=CVE-2023-2662
    https://www.cve.org/CVERecord?id=CVE-2018-7453
    https://www.cve.org/CVERecord?id=CVE-2018-16369
    https://www.cve.org/CVERecord?id=CVE-2022-36561
    https://www.cve.org/CVERecord?id=CVE-2022-41844
    https://www.cve.org/CVERecord?id=CVE-2023-2663
    https://www.cve.org/CVERecord?id=CVE-2023-2664
    https://www.cve.org/CVERecord?id=CVE-2023-3044
    https://www.cve.org/CVERecord?id=CVE-2023-3436
  (* Security fix *)
2024-02-10 13:30:40 +01:00
Patrick J Volkerding
2fac477c48 Thu Feb 8 22:17:18 UTC 2024
patches/packages/dehydrated-0.7.1-noarch-1_slack15.0.txz:  Upgraded.
  This is a bugfix release that addresses (among other things) an
  "unbound variable" error if the signing server is not available.
  Thanks to metaed for the heads-up.
2024-02-09 13:30:41 +01:00
Patrick J Volkerding
edf4df250a Wed Feb 7 20:07:29 UTC 2024
patches/packages/expat-2.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Fix quadratic runtime issues with big tokens that can cause
  denial of service.
  Fix billion laughs attacks for users compiling *without* XML_DTD
  defined (which is not common).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-52425
    https://www.cve.org/CVERecord?id=CVE-2023-52426
  (* Security fix *)
2024-02-08 13:30:44 +01:00
Patrick J Volkerding
bc19f3bbd2 Sun Feb 4 19:37:40 UTC 2024
patches/packages/libxml2-2.11.7-x86_64-1_slack15.0.txz:  Upgraded.
  Fix the following security issue:
  xmlreader: Don't expand XIncludes when backtracking.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-25062
  (* Security fix *)
2024-02-05 13:30:39 +01:00
Patrick J Volkerding
285b51e992 Sat Feb 3 20:54:00 UTC 2024
patches/packages/ca-certificates-20240203-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2024a-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2024-02-04 13:30:41 +01:00
Patrick J Volkerding
4af705d201 Wed Jan 31 21:19:19 UTC 2024
extra/sendmail/sendmail-8.18.1-x86_64-1_slack15.0.txz:  Upgraded.
  sendmail through 8.17.2 allows SMTP smuggling in certain configurations.
  Remote attackers can use a published exploitation technique to inject e-mail
  messages with a spoofed MAIL FROM address, allowing bypass of an SPF
  protection mechanism. This occurs because sendmail supports <LF>.<CR><LF>
  but some other popular e-mail servers do not. This is resolved in 8.18 and
  later versions with 'o' in srv_features.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-51765
  (* Security fix *)
extra/sendmail/sendmail-cf-8.18.1-noarch-1_slack15.0.txz:  Upgraded.
patches/packages/curl-8.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/libmilter-8.18.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-02-01 13:30:49 +01:00
Patrick J Volkerding
71cfddeb9f Fri Jan 26 20:59:27 UTC 2024
patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  pam_namespace.so: fixed a possible local denial-of-service vulnerability.
  For more information, see:
    https://seclists.org/oss-sec/2024/q1/31
    https://www.cve.org/CVERecord?id=CVE-2024-22365
  (* Security fix *)
2024-01-27 13:30:38 +01:00
Patrick J Volkerding
36d337af73 Wed Jan 24 04:53:38 UTC 2024
patches/packages/mozilla-thunderbird-115.7.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.7.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
    https://www.cve.org/CVERecord?id=CVE-2024-0741
    https://www.cve.org/CVERecord?id=CVE-2024-0742
    https://www.cve.org/CVERecord?id=CVE-2024-0746
    https://www.cve.org/CVERecord?id=CVE-2024-0747
    https://www.cve.org/CVERecord?id=CVE-2024-0749
    https://www.cve.org/CVERecord?id=CVE-2024-0750
    https://www.cve.org/CVERecord?id=CVE-2024-0751
    https://www.cve.org/CVERecord?id=CVE-2024-0753
    https://www.cve.org/CVERecord?id=CVE-2024-0755
  (* Security fix *)
2024-01-25 13:30:41 +01:00
Patrick J Volkerding
57dd8bdc60 Tue Jan 23 20:08:07 UTC 2024
patches/packages/mozilla-firefox-115.7.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.7.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-02/
    https://www.cve.org/CVERecord?id=CVE-2024-0741
    https://www.cve.org/CVERecord?id=CVE-2024-0742
    https://www.cve.org/CVERecord?id=CVE-2024-0746
    https://www.cve.org/CVERecord?id=CVE-2024-0747
    https://www.cve.org/CVERecord?id=CVE-2024-0749
    https://www.cve.org/CVERecord?id=CVE-2024-0750
    https://www.cve.org/CVERecord?id=CVE-2024-0751
    https://www.cve.org/CVERecord?id=CVE-2024-0753
    https://www.cve.org/CVERecord?id=CVE-2024-0755
  (* Security fix *)
2024-01-24 13:30:39 +01:00