Commit graph

1444 commits

Author SHA1 Message Date
Patrick J Volkerding
af81c69cb8 Mon Oct 21 21:23:46 UTC 2024
patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
  Apply patch to fix a security issue:
  Harden BN_GF2m_poly2arr against misuse.
  This CVE was fixed by the 1.1.1zb release that is only available to
  subscribers to OpenSSL's premium extended support. The patch was prepared
  by backporting from the OpenSSL-3.0 repo. The reported version number has
  been updated so that vulnerability scanners calm down.
  Thanks to Ken Zalewski for the patch!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-9143
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
2024-10-22 13:30:40 +02:00
Patrick J Volkerding
72f412a04a Sun Oct 20 23:42:23 UTC 2024
testing/packages/rust-1.82.0-x86_64-1_slack15.0.txz:  Upgraded.
2024-10-21 13:30:40 +02:00
Patrick J Volkerding
251d060cc5 Fri Oct 18 22:51:09 UTC 2024
testing/packages/llvm-19.1.2-x86_64-1_slack15.0.txz:  Upgraded.
  Shared library .so-version bump.
  Chromium requires either a patched LLVM18, or LLVM19, so we're upgrading.
  Thanks to alienBOB.
2024-10-19 13:30:41 +02:00
Patrick J Volkerding
cbadbff78d Wed Oct 16 19:11:30 UTC 2024
patches/packages/libssh2-1.11.1-x86_64-1_slack15.0.txz:  Upgraded.
  src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack."
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-48795
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.16.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.16.1esr/releasenotes/
  (* Security fix *)
2024-10-17 13:30:41 +02:00
Patrick J Volkerding
61509941c5 Sun Oct 13 19:49:05 UTC 2024
patches/packages/libarchive-3.7.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bug and the following security issues:
  gzip: prevent a hang when processing a malformed gzip inside a gzip.
  tar: don't crash on truncated tar archives.
  tar: fix two leaks in tar header parsing.
  (* Security fix *)
patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz:  Upgraded.
  This update is primarily to address a regression that prevents using
  inetd or xinetd with sshd. Thanks to a_biardi for the bug report.
  Future deprecation notice: OpenSSH plans to remove support for the DSA
  signature algorithm in early 2025. For now, this package retains DSA
  support, but plan accordingly.
2024-10-14 13:30:40 +02:00
Patrick J Volkerding
bf5634b29d Sat Oct 12 19:16:04 UTC 2024
testing/packages/mozilla-firefox-128.3.1esr-x86_64-1_slack15.0.txz:  Added.
testing/packages/mozilla-thunderbird-128.3.1esr-x86_64-1_slack15.0.txz:  Added.
patches/packages/perl-5.34.0-x86_64-3_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  Upgraded: DBI-1.645, URI-5.30, XML-Parser-2.47, Authen-SASL-2.1700,
  IO-Socket-SSL-2.089, Net-SSLeay-1.94, libnet-3.15, Path-Tiny-0.146,
  Template-Toolkit-3.102, Moo-2.005005, Sub-Quote-2.006008.
  Added: Path-Tiny-0.146. (Needed by Moo, thanks to Andypoo)
2024-10-13 13:30:42 +02:00
Patrick J Volkerding
ae90f32e03 Thu Oct 10 22:42:17 UTC 2024
patches/packages/mozilla-thunderbird-115.16.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.16.0esr/releasenotes/
  (* Security fix *)
2024-10-11 13:30:52 +02:00
Patrick J Volkerding
c29a1ed636 Wed Oct 9 21:09:16 UTC 2024
patches/packages/mozilla-firefox-115.16.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains a critical security fix:
  Use-after-free in Animation timeline.
  "An attacker was able to achieve code execution in the content process by
  exploiting a use-after-free in Animation timelines. We have had reports of
  this vulnerability being exploited in the wild."
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.16.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-51/
    https://www.cve.org/CVERecord?id=CVE-2024-9680
  (* Security fix *)
2024-10-10 13:30:53 +02:00
Patrick J Volkerding
4657194ae3 Tue Oct 1 18:01:38 UTC 2024
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
extra/llvm-17.0.6-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz:  Rebuilt.
  Mitigate security issue that could lead to a denial of service or
  the execution of arbitrary code.
  Rebuilt with --with-browseremoteprotocols=none to disable incoming
  connections, since this daemon has been shown to be insecure. If you
  actually use cups-browsed, be sure to install the new
  /etc/cups/cups-browsed.conf.new containing this line:
  BrowseRemoteProtocols none
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-47176
  (* Security fix *)
patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-48
    https://www.cve.org/CVERecord?id=CVE-2024-9392
    https://www.cve.org/CVERecord?id=CVE-2024-9393
    https://www.cve.org/CVERecord?id=CVE-2024-9394
    https://www.cve.org/CVERecord?id=CVE-2024-9401
  (* Security fix *)
patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz:  Rebuilt.
  makepkg: when looking for ELF objects with --remove-rpaths or
  --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
  of the directory or filename.
  Also warn about /tmp rpaths after the package is built.
patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
2024-10-02 13:30:38 +02:00
Patrick J Volkerding
10f65d4bf6 Fri Sep 27 21:10:23 UTC 2024
patches/packages/pkgtools-15.0-noarch-43_slack15.0.txz:  Rebuilt.
  This update adds new makepkg options and fixes a bug:
  makepkg: added options --remove-rpaths, --remove-tmp-rpaths.
  Thanks to Petri Kaukasoina for code examples.
  makepkg: chown root:root, not root.root.
2024-09-28 13:30:33 +02:00
Patrick J Volkerding
3dc8ac7064 Thu Sep 26 18:28:55 UTC 2024
patches/packages/boost-1.78.0-x86_64-3_slack15.0.txz:  Rebuilt.
  Get rid of hardcoded temporary paths in the cmake files.
  Since these paths point to a location that an unprivileged user could
  create and populate with files that could be picked up during a build,
  it's possible this bug could be used for malicious purposes.
  Thanks to jmacloue.
  (* Security fix *)
2024-09-27 13:30:42 +02:00
Patrick J Volkerding
993216ab39 Wed Sep 25 18:40:09 UTC 2024
patches/packages/git-2.46.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  Some projects are requiring newer git features than git-2.39.4 provides,
  so have an upgrade. Thanks to lancsuk for the suggestion.
2024-09-26 13:30:40 +02:00
Patrick J Volkerding
9809668267 Tue Sep 24 18:42:58 UTC 2024
patches/packages/netatalk-3.2.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-25 13:30:40 +02:00
Patrick J Volkerding
53f7d421db Mon Sep 23 20:01:35 UTC 2024
patches/packages/libarchive-3.7.6-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes a tar regression introduced in libarchive 3.7.5.
2024-09-24 13:30:38 +02:00
Patrick J Volkerding
d1483d2e62 Fri Sep 20 19:25:40 UTC 2024
patches/packages/bind-9.18.30-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-21 13:30:35 +02:00
Patrick J Volkerding
cf77f89919 Wed Sep 18 21:23:19 UTC 2024
patches/packages/curl-8.10.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-19 13:30:42 +02:00
Patrick J Volkerding
02beedc910 Mon Sep 16 19:58:49 UTC 2024
patches/packages/netatalk-3.2.9-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-17 13:30:44 +02:00
Patrick J Volkerding
52e9abcddc Sat Sep 14 18:15:34 UTC 2024
patches/packages/libarchive-3.7.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes the following security issues:
  fix multiple vulnerabilities identified by SAST (#2251, #2256)
  cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
  lzop: prevent integer overflow (#2174)
  rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
  rar4: fix CVE-2024-26256 (#2269)
  rar4: fix OOB in delta and audio filter (#2148, #2149)
  rar4: fix out of boundary access with large files (#2179)
  rar4: add boundary checks to rgb filter (#2210)
  rar4: fix OOB access with unicode filenames (#2203)
  rar5: clear 'data ready' cache on window buffer reallocs (#2265)
  rpm: calculate huge header sizes correctly (#2158)
  unzip: unify EOF handling (#2175)
  util: fix out of boundary access in mktemp functions (#2160)
  uu: stop processing if lines are too long (#2168)
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-20696
    https://www.cve.org/CVERecord?id=CVE-2024-26256
  (* Security fix *)
2024-09-15 13:30:43 +02:00
Patrick J Volkerding
ced6fa47ab Fri Sep 13 01:32:33 UTC 2024
patches/packages/libssh2-1.11.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update adds support for rsa-sha2-512 and rsa-sha2-256, which are needed
  to connect to servers that use a recent version of OpenSSH.
  Thanks to Jonathan Woithe.
2024-09-13 13:30:46 +02:00
Patrick J Volkerding
6b496a06b1 Wed Sep 11 17:47:14 UTC 2024
patches/packages/curl-8.10.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-12 13:30:43 +02:00
Patrick J Volkerding
c438a3c0d9 Mon Sep 9 17:27:00 UTC 2024
patches/packages/netatalk-3.2.8-x86_64-1_slack15.0.txz:  Upgraded.
  Bump bundled WolfSSL library to stable version 5.7.2, GitHub #1433.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-1544
    https://www.cve.org/CVERecord?id=CVE-2024-5288
    https://www.cve.org/CVERecord?id=CVE-2024-5991
    https://www.cve.org/CVERecord?id=CVE-2024-5814
  (* Security fix *)
2024-09-10 13:30:45 +02:00
Patrick J Volkerding
8039a5b124 Mon Sep 9 00:53:17 UTC 2024
patches/packages/python3-3.9.20-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Bundled libexpat was updated to 2.6.3.
  Fix quadratic complexity in parsing "-quoted cookie values with backslashes
  by http.cookies.
  Fixed various false positives and false negatives in IPv4Address.is_private,
  IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global.
  Fix urllib.parse.urlunparse() and urllib.parse.urlunsplit() for URIs with
  path starting with multiple slashes and no authority.
  Remove backtracking from tarfile header parsing for hdrcharset, PAX, and
  GNU sparse headers.
  email.utils.getaddresses() and email.utils.parseaddr() now return ('', '')
  2-tuples in more situations where invalid email addresses are encountered
  instead of potentially inaccurate values. Add optional strict parameter to
  these two functions: use strict=False to get the old behavior, accept
  malformed inputs. getattr(email.utils, 'supports_strict_parsing', False) can
  be used to check if the strict paramater is available.
  Sanitize names in zipfile.Path to avoid infinite loops (gh-122905) without
  breaking contents using legitimate characters.
  Email headers with embedded newlines are now quoted on output. The generator
  will now refuse to serialize (write) headers that are unsafely folded or
  delimited; see verify_generated_headers.
  For more information, see:
    https://pythoninsider.blogspot.com/2024/09/python-3130rc2-3126-31110-31015-3920.html
    https://www.cve.org/CVERecord?id=CVE-2024-28757
    https://www.cve.org/CVERecord?id=CVE-2024-45490
    https://www.cve.org/CVERecord?id=CVE-2024-45491
    https://www.cve.org/CVERecord?id=CVE-2024-45492
    https://www.cve.org/CVERecord?id=CVE-2024-7592
    https://www.cve.org/CVERecord?id=CVE-2024-4032
    https://www.cve.org/CVERecord?id=CVE-2015-2104
    https://www.cve.org/CVERecord?id=CVE-2024-6232
    https://www.cve.org/CVERecord?id=CVE-2023-27043
    https://www.cve.org/CVERecord?id=CVE-2024-8088
    https://www.cve.org/CVERecord?id=CVE-2024-6923
  (* Security fix *)
2024-09-09 13:30:45 +02:00
Patrick J Volkerding
382f07b69c Sat Sep 7 18:16:12 UTC 2024
patches/packages/glibc-zoneinfo-2024b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2024-09-08 13:30:53 +02:00
Patrick J Volkerding
a782e78272 Fri Sep 6 19:22:57 UTC 2024
testing/packages/rust-1.81.0-x86_64-1_slack15.0.txz:  Upgraded.
2024-09-07 13:30:46 +02:00
Patrick J Volkerding
b684b4dc4a Thu Sep 5 22:14:23 UTC 2024
patches/packages/mozilla-thunderbird-115.15.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.15.0esr/releasenotes/
  (* Security fix *)
2024-09-06 13:30:49 +02:00
Patrick J Volkerding
91fbde5fb9 Wed Sep 4 23:37:27 UTC 2024
patches/packages/expat-2.6.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses security issues with impact ranging from denial of
  service to potentially artitrary code execution.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-45490
    https://www.cve.org/CVERecord?id=CVE-2024-45491
    https://www.cve.org/CVERecord?id=CVE-2024-45492
  (* Security fix *)
2024-09-05 13:30:37 +02:00
Patrick J Volkerding
3637e85ebe Tue Sep 3 21:07:09 UTC 2024
patches/packages/mozilla-firefox-115.15.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.15.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-41/
    https://www.cve.org/CVERecord?id=CVE-2024-8381
    https://www.cve.org/CVERecord?id=CVE-2024-8382
    https://www.cve.org/CVERecord?id=CVE-2024-8383
    https://www.cve.org/CVERecord?id=CVE-2024-8384
  (* Security fix *)
patches/packages/seamonkey-2.53.19-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.19
  (* Security fix *)
2024-09-04 13:39:55 +02:00
Patrick J Volkerding
a55d5c5151 Sat Aug 31 18:26:20 UTC 2024
patches/packages/libpcap-1.10.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Clean up sock_initaddress() and its callers to avoid double frees
  in some cases.
  Fix pcap_findalldevs_ex() not to crash if passed a file:// URL with a
  path to a directory that cannot be opened.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-7256
    https://www.cve.org/CVERecord?id=CVE-2024-8006
  (* Security fix *)
2024-09-01 13:31:05 +02:00
Patrick J Volkerding
b13ab22fec Fri Aug 30 17:52:19 UTC 2024
patches/packages/ca-certificates-20240830-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2024-08-31 13:30:59 +02:00
Patrick J Volkerding
e472158ace Tue Aug 27 19:24:48 UTC 2024
patches/packages/kcron-21.12.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  kcron: Invalid temporary file handling.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://kde.org/info/security/advisory-20220216-1.txt
    https://www.cve.org/CVERecord?id=CVE-2022-24986
  (* Security fix *)
patches/packages/plasma-workspace-5.23.5-x86_64-4_slack15.0.txz:  Rebuilt.
  This update patches a security issue:
  ksmserver: Unauthorized users can access session manager.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://kde.org/info/security/advisory-20240531-1.txt
    https://www.cve.org/CVERecord?id=CVE-2024-36041
  (* Security fix *)
2024-08-28 13:30:50 +02:00
Patrick J Volkerding
1246cf6d34 Thu Aug 22 19:10:18 UTC 2024
patches/packages/bind-9.18.29-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/ffmpeg-4.4.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses several vulnerabilities in FFmpeg which could result
  in denial of service, or potentially the execution of arbitrary code if
  malformed files/streams are processed.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-1475
    https://www.cve.org/CVERecord?id=CVE-2022-48434
    https://www.cve.org/CVERecord?id=CVE-2022-3109
    https://www.cve.org/CVERecord?id=CVE-2022-3341
    https://www.cve.org/CVERecord?id=CVE-2022-3964
    https://www.cve.org/CVERecord?id=CVE-2024-7055
    https://www.cve.org/CVERecord?id=CVE-2023-47342
  (* Security fix *)
2024-08-23 13:31:07 +02:00
Patrick J Volkerding
20718db5e4 Thu Aug 15 20:07:37 UTC 2024
patches/packages/libX11-1.8.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bug fix release, correcting an empty XKeysymDB file.
  Thanks to Jonathan Woithe for the bug report.
2024-08-16 13:31:00 +02:00
Patrick J Volkerding
5edf138e9c Wed Aug 14 19:36:01 UTC 2024
patches/packages/dovecot-2.3.21.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  A large number of address headers in email resulted in excessive CPU usage.
  Abnormally large email headers are now truncated or discarded, with a limit
  of 10MB on a single header and 50MB for all the headers of all the parts of
  an email.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-23184
    https://www.cve.org/CVERecord?id=CVE-2024-23185
  (* Security fix *)
2024-08-15 13:30:54 +02:00
Patrick J Volkerding
690d923d27 Sun Aug 11 19:00:08 UTC 2024
These are needed to build Chromium. Thanks to alienBOB.
We'll probably move them to /extra once the Mozilla stuff needs it.
Please note that if upgrading to the new llvm, you'll need the llvm13-compat
package from /extra.
testing/packages/llvm-18.1.8-x86_64-1_slack15.0.txz:  Added.
testing/packages/rust-1.80.1-x86_64-1_slack15.0.txz:  Added.
testing/packages/rust-bindgen-0.69.4-x86_64-1_slack15.0.txz:  Added.
2024-08-12 13:30:50 +02:00
Patrick J Volkerding
a2bba28e56 Fri Aug 9 21:22:03 UTC 2024
patches/packages/mariadb-10.5.26-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://mariadb.com/kb/en/mariadb-10-5-26-release-notes/
2024-08-10 13:30:53 +02:00
Patrick J Volkerding
d6bbed4a7d Wed Aug 7 04:03:09 UTC 2024
patches/packages/curl-8.9.1-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  [PATCH] sigpipe: init the struct so that first apply ignores.
  Thanks to ponce.
patches/packages/mozilla-firefox-115.14.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.14.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-34/
    https://www.cve.org/CVERecord?id=CVE-2024-7519
    https://www.cve.org/CVERecord?id=CVE-2024-7521
    https://www.cve.org/CVERecord?id=CVE-2024-7522
    https://www.cve.org/CVERecord?id=CVE-2024-7524
    https://www.cve.org/CVERecord?id=CVE-2024-7525
    https://www.cve.org/CVERecord?id=CVE-2024-7526
    https://www.cve.org/CVERecord?id=CVE-2024-7527
    https://www.cve.org/CVERecord?id=CVE-2024-7529
    https://www.cve.org/CVERecord?id=CVE-2024-7531
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.14.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.14.0esr/releasenotes/
2024-08-08 13:30:52 +02:00
Patrick J Volkerding
56b509117f Mon Aug 5 21:58:24 UTC 2024
patches/packages/ksh93-1.0.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-08-06 13:30:53 +02:00
Patrick J Volkerding
c6614b91d7 Wed Jul 31 18:35:06 UTC 2024
patches/packages/curl-8.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  ASN.1 date parser overread.
  For more information, see:
    https://curl.se/docs/CVE-2024-7264.html
    https://www.cve.org/CVERecord?id=CVE-2024-7264
  (* Security fix *)
2024-08-01 13:30:48 +02:00
Patrick J Volkerding
a44e6a9f0b Thu Jul 25 02:39:18 UTC 2024
patches/packages/curl-8.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/htdig-3.2.0b6-x86_64-10_slack15.0.txz:  Rebuilt.
  Patch XSS vulnerability. Thanks to jayjwa.
  Get this out of cgi-bin. Thanks to LuckyCyborg.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2007-6110
  (* Security fix *)
patches/packages/libxml2-2.11.9-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix XXE protection in downstream code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-40896
  (* Security fix *)
2024-07-26 13:30:58 +02:00
Patrick J Volkerding
75a92ded1e Tue Jul 23 18:54:25 UTC 2024
patches/packages/bind-9.18.28-x86_64-1_slack15.0.txz:  Upgraded.
  Please note that we have moved to the 9.18 branch, as 9.16 is EOL.
  This update fixes security issues:
  Remove SIG(0) support from named as a countermeasure for CVE-2024-1975.
  qctx-zversion was not being cleared when it should have been leading to
  an assertion failure if it needed to be reused.
  An excessively large number of rrtypes per owner can slow down database query
  processing, so a limit has been placed on the number of rrtypes that can be
  stored per owner (node) in a cache or zone database. This is configured with
  the new "max-rrtypes-per-name" option, and defaults to 100.
  Excessively large rdatasets can slow down database query processing, so a
  limit has been placed on the number of records that can be stored per
  rdataset in a cache or zone database. This is configured with the new
  "max-records-per-type" option, and defaults to 100.
  Malicious DNS client that sends many queries over TCP but never reads
  responses can cause server to respond slowly or not respond at all for other
  clients.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-1975
    https://www.cve.org/CVERecord?id=CVE-2024-4076
    https://www.cve.org/CVERecord?id=CVE-2024-1737
    https://www.cve.org/CVERecord?id=CVE-2024-0760
  (* Security fix *)
patches/packages/aaa_glibc-solibs-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  nscd: Stack-based buffer overflow in netgroup cache.
  nscd: Null pointer crash after notfound response.
  nscd: netgroup cache may terminate daemon on memory allocation failure.
  nscd: netgroup cache assumes NSS callback uses in-buffer strings.
  These vulnerabilities were only present in the nscd binary.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-33599
    https://www.cve.org/CVERecord?id=CVE-2024-33600
    https://www.cve.org/CVERecord?id=CVE-2024-33601
    https://www.cve.org/CVERecord?id=CVE-2024-33602
  (* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/mozilla-thunderbird-115.13.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.13.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/
    https://www.cve.org/CVERecord?id=CVE-2024-6600
    https://www.cve.org/CVERecord?id=CVE-2024-6601
    https://www.cve.org/CVERecord?id=CVE-2024-6602
    https://www.cve.org/CVERecord?id=CVE-2024-6603
    https://www.cve.org/CVERecord?id=CVE-2024-6604
  (* Security fix *)
2024-07-24 13:31:01 +02:00
Patrick J Volkerding
39cc109e67 Thu Jul 18 20:01:18 UTC 2024
patches/packages/httpd-2.4.62-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  The first CVE is for Windows, but the second one is an additional fix for
  the source code disclosure regression when using AddType.
  Users are recommended to upgrade to version 2.4.62 which fixes this issue.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.62
    https://www.cve.org/CVERecord?id=CVE-2024-40898
    https://www.cve.org/CVERecord?id=CVE-2024-40725
  (* Security fix *)
2024-07-19 13:31:06 +02:00
Patrick J Volkerding
0e307de269 Wed Jul 17 19:29:24 UTC 2024
patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz:  Upgraded.
  Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
  were only available to subscribers to OpenSSL's premium extended support.
  These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
  The reported version number has been updated so that vulnerability scanners
  calm down. All of these issues were considered to be of low severity.
  Thanks to Ken Zalewski for the patches!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-5678
    https://www.cve.org/CVERecord?id=CVE-2024-0727
    https://www.cve.org/CVERecord?id=CVE-2024-2511
    https://www.cve.org/CVERecord?id=CVE-2024-4741
    https://www.cve.org/CVERecord?id=CVE-2024-5535
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz:  Upgraded.
2024-07-18 13:31:00 +02:00
Patrick J Volkerding
b4086e535f Sun Jul 14 18:22:30 UTC 2024
patches/packages/netatalk-3.2.3-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-07-15 13:30:51 +02:00
Patrick J Volkerding
0656746e99 Sat Jul 13 20:26:06 UTC 2024
patches/packages/mozilla-thunderbird-115.12.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.12.2/releasenotes/
2024-07-14 13:30:55 +02:00
Patrick J Volkerding
93bc5ad87d Wed Jul 10 21:02:41 UTC 2024
patches/packages/xorg-server-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
  This is a bugfix update to fix X server crashes:
  [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
  Thanks to typbigoh and Petri Kaukasoina.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
2024-07-11 13:30:37 +02:00
Patrick J Volkerding
343c8c7b5e Mon Jul 8 18:00:35 UTC 2024
patches/packages/netatalk-3.2.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/openssh-9.8p1-x86_64-3_slack15.0.txz:  Rebuilt.
  As upstream refactors this into smaller binaries, we could easily run into
  another update that causes an sshd lockout if the listener process isn't
  restarted. So, let's try to prevent that. After the package is upgraded,
  we'll use "sshd -t" to make sure that we have a sane configuration, and if
  so then we'll restart the listener process automatically.
  If you don't like this idea, you may turn it off in /etc/default/sshd.
2024-07-09 13:30:39 +02:00
Patrick J Volkerding
7b9fb4996b Wed Jul 3 22:27:28 UTC 2024
patches/packages/openssh-9.8p1-x86_64-2_slack15.0.txz:  Rebuilt.
  rc.sshd: also shut down sshd-session processes with "stop" function.
  This shuts down connections cleanly instead of them having to time out.
  Thanks to Petri Kaukasoina.
2024-07-04 13:30:57 +02:00
Patrick J Volkerding
b9a3a17045 Tue Jul 2 19:31:00 UTC 2024
patches/packages/httpd-2.4.60-x86_64-2_slack15.0.txz:  Rebuilt.
  This update is to fix a regression and to note security issues that were not
  listed in the CHANGES file included with the source code.
  Fixed a regression where a config file using AddType rather than AddHandler
  could cause raw PHP files to be downloaded rather than processed.
  Thanks to Nobby6.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.60
    https://www.cve.org/CVERecord?id=CVE-2024-39573
    https://www.cve.org/CVERecord?id=CVE-2024-38477
    https://www.cve.org/CVERecord?id=CVE-2024-38476
    https://www.cve.org/CVERecord?id=CVE-2024-38475
    https://www.cve.org/CVERecord?id=CVE-2024-38474
    https://www.cve.org/CVERecord?id=CVE-2024-38473
    https://www.cve.org/CVERecord?id=CVE-2024-38472
    https://www.cve.org/CVERecord?id=CVE-2024-36387
  (* Security fix *)
patches/packages/ksh93-1.0.9-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-07-03 13:30:51 +02:00
Patrick J Volkerding
6c760751d7 Mon Jul 1 20:12:46 UTC 2024
patches/packages/httpd-2.4.60-x86_64-1_slack15.0.txz:  Upgraded.
  This is the latest release from the Apache HTTP Server 2.4.x stable branch.
patches/packages/openssh-9.8p1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix race condition resulting in potential remote code execution.
  For more information, see:
    https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
    https://www.cve.org/CVERecord?id=CVE-2024-6387
  (* Security fix *)
2024-07-02 13:30:50 +02:00
Patrick J Volkerding
2ad12f43bc Wed Jun 26 20:06:09 UTC 2024
patches/packages/bluez-5.71-x86_64-3_slack15.0.txz:  Rebuilt.
  Fix a regression in bluez-5.71:
  [PATCH] audio: transport: Fix crash on A2DP suspend.
  Thanks to coltfire.
patches/packages/xcb-util-cursor-0.1.5-x86_64-1.txz:  Upgraded.
  This is a bugfix release.
  Thanks to Lockywolf.
2024-06-27 13:30:48 +02:00