Commit graph

568 commits

Author SHA1 Message Date
Patrick J Volkerding
4657194ae3 Tue Oct 1 18:01:38 UTC 2024
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
extra/llvm-17.0.6-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz:  Rebuilt.
  Mitigate security issue that could lead to a denial of service or
  the execution of arbitrary code.
  Rebuilt with --with-browseremoteprotocols=none to disable incoming
  connections, since this daemon has been shown to be insecure. If you
  actually use cups-browsed, be sure to install the new
  /etc/cups/cups-browsed.conf.new containing this line:
  BrowseRemoteProtocols none
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-47176
  (* Security fix *)
patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-48
    https://www.cve.org/CVERecord?id=CVE-2024-9392
    https://www.cve.org/CVERecord?id=CVE-2024-9393
    https://www.cve.org/CVERecord?id=CVE-2024-9394
    https://www.cve.org/CVERecord?id=CVE-2024-9401
  (* Security fix *)
patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz:  Rebuilt.
  makepkg: when looking for ELF objects with --remove-rpaths or
  --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
  of the directory or filename.
  Also warn about /tmp rpaths after the package is built.
patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
2024-10-02 13:30:38 +02:00
Patrick J Volkerding
10f65d4bf6 Fri Sep 27 21:10:23 UTC 2024
patches/packages/pkgtools-15.0-noarch-43_slack15.0.txz:  Rebuilt.
  This update adds new makepkg options and fixes a bug:
  makepkg: added options --remove-rpaths, --remove-tmp-rpaths.
  Thanks to Petri Kaukasoina for code examples.
  makepkg: chown root:root, not root.root.
2024-09-28 13:30:33 +02:00
Patrick J Volkerding
20718db5e4 Thu Aug 15 20:07:37 UTC 2024
patches/packages/libX11-1.8.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bug fix release, correcting an empty XKeysymDB file.
  Thanks to Jonathan Woithe for the bug report.
2024-08-16 13:31:00 +02:00
Patrick J Volkerding
5edf138e9c Wed Aug 14 19:36:01 UTC 2024
patches/packages/dovecot-2.3.21.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  A large number of address headers in email resulted in excessive CPU usage.
  Abnormally large email headers are now truncated or discarded, with a limit
  of 10MB on a single header and 50MB for all the headers of all the parts of
  an email.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-23184
    https://www.cve.org/CVERecord?id=CVE-2024-23185
  (* Security fix *)
2024-08-15 13:30:54 +02:00
Patrick J Volkerding
a44e6a9f0b Thu Jul 25 02:39:18 UTC 2024
patches/packages/curl-8.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/htdig-3.2.0b6-x86_64-10_slack15.0.txz:  Rebuilt.
  Patch XSS vulnerability. Thanks to jayjwa.
  Get this out of cgi-bin. Thanks to LuckyCyborg.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2007-6110
  (* Security fix *)
patches/packages/libxml2-2.11.9-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix XXE protection in downstream code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-40896
  (* Security fix *)
2024-07-26 13:30:58 +02:00
Patrick J Volkerding
75a92ded1e Tue Jul 23 18:54:25 UTC 2024
patches/packages/bind-9.18.28-x86_64-1_slack15.0.txz:  Upgraded.
  Please note that we have moved to the 9.18 branch, as 9.16 is EOL.
  This update fixes security issues:
  Remove SIG(0) support from named as a countermeasure for CVE-2024-1975.
  qctx-zversion was not being cleared when it should have been leading to
  an assertion failure if it needed to be reused.
  An excessively large number of rrtypes per owner can slow down database query
  processing, so a limit has been placed on the number of rrtypes that can be
  stored per owner (node) in a cache or zone database. This is configured with
  the new "max-rrtypes-per-name" option, and defaults to 100.
  Excessively large rdatasets can slow down database query processing, so a
  limit has been placed on the number of records that can be stored per
  rdataset in a cache or zone database. This is configured with the new
  "max-records-per-type" option, and defaults to 100.
  Malicious DNS client that sends many queries over TCP but never reads
  responses can cause server to respond slowly or not respond at all for other
  clients.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-1975
    https://www.cve.org/CVERecord?id=CVE-2024-4076
    https://www.cve.org/CVERecord?id=CVE-2024-1737
    https://www.cve.org/CVERecord?id=CVE-2024-0760
  (* Security fix *)
patches/packages/aaa_glibc-solibs-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  nscd: Stack-based buffer overflow in netgroup cache.
  nscd: Null pointer crash after notfound response.
  nscd: netgroup cache may terminate daemon on memory allocation failure.
  nscd: netgroup cache assumes NSS callback uses in-buffer strings.
  These vulnerabilities were only present in the nscd binary.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-33599
    https://www.cve.org/CVERecord?id=CVE-2024-33600
    https://www.cve.org/CVERecord?id=CVE-2024-33601
    https://www.cve.org/CVERecord?id=CVE-2024-33602
  (* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/mozilla-thunderbird-115.13.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.13.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/
    https://www.cve.org/CVERecord?id=CVE-2024-6600
    https://www.cve.org/CVERecord?id=CVE-2024-6601
    https://www.cve.org/CVERecord?id=CVE-2024-6602
    https://www.cve.org/CVERecord?id=CVE-2024-6603
    https://www.cve.org/CVERecord?id=CVE-2024-6604
  (* Security fix *)
2024-07-24 13:31:01 +02:00
Patrick J Volkerding
93bc5ad87d Wed Jul 10 21:02:41 UTC 2024
patches/packages/xorg-server-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
  This is a bugfix update to fix X server crashes:
  [PATCH] render: Avoid possible double-free in ProcRenderAddGlyphs()
  Thanks to typbigoh and Petri Kaukasoina.
patches/packages/xorg-server-xephyr-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-13_slack15.0.txz:  Rebuilt.
2024-07-11 13:30:37 +02:00
Patrick J Volkerding
343c8c7b5e Mon Jul 8 18:00:35 UTC 2024
patches/packages/netatalk-3.2.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/openssh-9.8p1-x86_64-3_slack15.0.txz:  Rebuilt.
  As upstream refactors this into smaller binaries, we could easily run into
  another update that causes an sshd lockout if the listener process isn't
  restarted. So, let's try to prevent that. After the package is upgraded,
  we'll use "sshd -t" to make sure that we have a sane configuration, and if
  so then we'll restart the listener process automatically.
  If you don't like this idea, you may turn it off in /etc/default/sshd.
2024-07-09 13:30:39 +02:00
Patrick J Volkerding
8b116857fe Sun Jun 16 21:32:49 UTC 2024
patches/packages/linux-5.15.161/*:  Upgraded.
  These updates fix regressions with the 5.15.160 packages.
  Hopefully we do not get any new ones. :-)
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
2024-06-17 13:30:48 +02:00
Patrick J Volkerding
61eadccb16 Sat Jun 8 19:42:03 UTC 2024
patches/packages/kernel-firmware-20240606_90df68d-noarch-1.txz:  Upgraded.
  Updated to the latest kernel firmware.
patches/packages/linux-5.15.160/*:  Upgraded.
  These updates fix a regression with the first 5.15.160 packages:
  Subject: [PATCH] Revert "drm/amdgpu: init iommu after amdkfd device init"
  This reverts commit 56b522f4668167096a50c39446d6263c96219f5f.
  A user reported that this commit breaks the integrated gpu of his
  notebook, causing a black screen. He was able to bisect the problematic
  commit and verified that by reverting it the notebook works again.
  He also confirmed that kernel 6.8.1 also works on his device, so the
  upstream commit itself seems to be ok.
  An amdgpu developer (Alex Deucher) confirmed that this patch should
  have never been ported to 5.15 in the first place, so revert this
  commit from the 5.15 stable series.
  Thanks to fsLeg.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
2024-06-09 13:30:34 +02:00
Patrick J Volkerding
dd5b1ba2c4 Sun May 26 00:07:39 UTC 2024
patches/packages/ntp-4.2.8p18-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-05-26 13:30:49 +02:00
Patrick J Volkerding
fb146f18cf Thu May 16 02:31:40 UTC 2024
patches/packages/gdk-pixbuf2-2.42.12-x86_64-1_slack15.0.txz:  Upgraded.
  ani: Reject files with multiple INA or IART chunks.
  ani: Reject files with multiple anih chunks.
  ani: validate chunk size.
  Thanks to 0xvhp, pedrib, and Benjamin Gilbert.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-48622
  (* Security fix *)
patches/packages/git-2.39.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Recursive clones on case-insensitive filesystems that support symbolic
  links are susceptible to case confusion that can be exploited to
  execute just-cloned code during the clone operation.
  Repositories can be configured to execute arbitrary code during local
  clones. To address this, the ownership checks introduced in v2.30.3
  are now extended to cover cloning local repositories.
  Local clones may end up hardlinking files into the target repository's
  object database when source and target repository reside on the same
  disk. If the source repository is owned by a different user, then
  those hardlinked files may be rewritten at any point in time by the
  untrusted user.
  When cloning a local source repository that contains symlinks via the
  filesystem, Git may create hardlinks to arbitrary user-readable files
  on the same filesystem as the target repository in the objects/
  directory.
  It is supposed to be safe to clone untrusted repositories, even those
  unpacked from zip archives or tarballs originating from untrusted
  sources, but Git can be tricked to run arbitrary code as part of the
  clone.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-32002
    https://www.cve.org/CVERecord?id=CVE-2024-32004
    https://www.cve.org/CVERecord?id=CVE-2024-32020
    https://www.cve.org/CVERecord?id=CVE-2024-32021
    https://www.cve.org/CVERecord?id=CVE-2024-32465
  (* Security fix *)
patches/packages/popa3d-1.0.3-x86_64-7_slack15.0.txz:  Rebuilt.
  This is a bugfix release:
  Build with AUTH_PAM, not AUTH_SHADOW.
  Thanks to jayjwa.
testing/packages/bind-9.18.27-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-05-17 13:40:17 +02:00
Patrick J Volkerding
d3c452d720 Thu Apr 18 19:17:30 UTC 2024
patches/packages/bind-9.16.50-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/aaa_glibc-solibs-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/glibc-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  The iconv() function in the GNU C Library versions 2.39 and older may
  overflow the output buffer passed to it by up to 4 bytes when converting
  strings to the ISO-2022-CN-EXT character set, which may be used to crash
  an application or overwrite a neighbouring variable.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-2961
  (* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-6_slack15.0.txz:  Rebuilt.
testing/packages/bind-9.18.26-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-04-19 13:30:41 +02:00
Patrick J Volkerding
1d9ca96a22 Sun Apr 14 18:35:32 UTC 2024
patches/packages/less-653-x86_64-1_slack15.0.txz:  Upgraded.
  This update patches a security issue:
  less through 653 allows OS command execution via a newline character in the
  name of a file, because quoting is mishandled in filename.c. Exploitation
  typically requires use with attacker-controlled file names, such as the files
  extracted from an untrusted archive. Exploitation also requires the LESSOPEN
  environment variable, but this is set by default in many common cases.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-32487
  (* Security fix *)
2024-04-15 13:30:43 +02:00
Patrick J Volkerding
d5ca6849f8 Fri Apr 5 20:11:23 UTC 2024
extra/tigervnc/tigervnc-1.12.0-x86_64-6_slack15.0.txz:  Rebuilt.
  Recompiled against xorg-server-1.20.14, including the latest patches for
  several security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Heap buffer overread/data leakage in ProcAppleDRICreatePixmap.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31082
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
2024-04-06 13:30:47 +02:00
Patrick J Volkerding
d6e7dd0417 Wed Apr 3 22:22:06 UTC 2024
patches/packages/xorg-server-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Heap buffer overread/data leakage in ProcAppleDRICreatePixmap.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31082
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-12_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-11_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overread/data leakage in ProcXIGetSelectedEvents.
  Heap buffer overread/data leakage in ProcXIPassiveGrabDevice.
  Use-after-free in ProcRenderAddGlyphs.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-April/003497.html
    https://www.cve.org/CVERecord?id=CVE-2024-31080
    https://www.cve.org/CVERecord?id=CVE-2024-31081
    https://www.cve.org/CVERecord?id=CVE-2024-31083
  (* Security fix *)
2024-04-04 13:30:42 +02:00
Patrick J Volkerding
3874039d9c Fri Mar 29 02:25:21 UTC 2024
patches/packages/coreutils-9.5-x86_64-1_slack15.0.txz:  Upgraded.
  chmod -R now avoids a race where an attacker may replace a traversed file
  with a symlink, causing chmod to operate on an unintended file.
  [This bug was present in "the beginning".]
  split --line-bytes with a mixture of very long and short lines no longer
  overwrites the heap.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-0684
  (* Security fix *)
2024-03-29 13:30:42 +01:00
Patrick J Volkerding
9543d326f2 Sun Mar 24 18:21:46 UTC 2024
patches/packages/emacs-29.3-x86_64-1_slack15.0.txz:  Upgraded.
  GNU Emacs through 28.2 allows attackers to execute commands via shell
  metacharacters in the name of a source-code file, because lib-src/etags.c
  uses the system C library function in its implementation of the ctags
  program. For example, a victim may use the "ctags *" command (suggested in
  the ctags documentation) in a situation where the current working directory
  has contents that depend on untrusted input.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-45939
  (* Security fix *)
2024-03-25 13:30:45 +01:00
Patrick J Volkerding
9f285815b9 Thu Mar 7 20:40:08 UTC 2024
patches/packages/ghostscript-9.55.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Fixes security issues:
  A vulnerability was identified in the way Ghostscript/GhostPDL called
  tesseract for the OCR devices, which could allow arbitrary code execution.
  Thanks to J_W for the heads-up.
  Mishandling of permission validation for pipe devices could allow arbitrary
  code execution.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
  (* Security fix *)
2024-03-08 13:30:42 +01:00
Patrick J Volkerding
970e55afb6 Wed Feb 28 18:36:48 UTC 2024
patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz:  Rebuilt.
  Patched the implementation of PEAP in wpa_supplicant to prevent an
  authentication bypass. For a successful attack, wpa_supplicant must be
  configured to not verify the network's TLS certificate during Phase 1
  authentication, and an eap_peap_decrypt vulnerability can then be abused
  to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
  Success packet instead of starting Phase 2. This allows an adversary to
  impersonate Enterprise Wi-Fi networks.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-52160
  (* Security fix *)
2024-02-29 13:30:42 +01:00
Patrick J Volkerding
6008910371 Mon Feb 26 20:09:43 UTC 2024
patches/packages/openjpeg-2.5.1-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a heap-based buffer overflow in openjpeg in color.c:379:42 in
  sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use
  this to execute arbitrary code with the permissions of the application
  compiled against openjpeg.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-3575
  (* Security fix *)
2024-02-27 13:30:41 +01:00
Patrick J Volkerding
14f2469b12 Wed Feb 21 20:00:08 UTC 2024
patches/packages/dcron-4.5-x86_64-12_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  run-parts: skip *.orig files. Thanks to metaed.
patches/packages/mozilla-thunderbird-115.8.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.8.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-07/
    https://www.cve.org/CVERecord?id=CVE-2024-1546
    https://www.cve.org/CVERecord?id=CVE-2024-1547
    https://www.cve.org/CVERecord?id=CVE-2024-1548
    https://www.cve.org/CVERecord?id=CVE-2024-1549
    https://www.cve.org/CVERecord?id=CVE-2024-1550
    https://www.cve.org/CVERecord?id=CVE-2024-1551
    https://www.cve.org/CVERecord?id=CVE-2024-1552
    https://www.cve.org/CVERecord?id=CVE-2024-1553
  (* Security fix *)
2024-02-22 13:39:58 +01:00
Patrick J Volkerding
b9cc8f3425 Sun Feb 18 21:03:57 UTC 2024
extra/llvm-17.0.6-x86_64-1_slack15.0.txz:  Added.
  In case anyone needs a newer compiler.
extra/llvm13-compat-13.0.0-x86_64-1_slack15.0.txz:  Added.
  In case anyone needs to run binaries linked to the old compiler.
2024-02-19 13:30:46 +01:00
Patrick J Volkerding
639c931a2b Fri Feb 9 21:48:09 UTC 2024
patches/packages/xpdf-4.05-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Fixed a bug in the ICCBased color space parser that was allowing the number
  of components to be zero. Thanks to huckleberry for the bug report.
  Fixed a bug in the ICCBased color space parser that was allowing the number
  of components to be zero. Thanks to huckleberry for the bug report.
  Added checks for PDF object loops in AcroForm::scanField(),
  Catalog::readPageLabelTree2(), and Catalog::readEmbeddedFileTree().
  The zero-width character problem can also happen if the page size is very
  large -- that needs to be limited too, the same way as character position
  coordinates. Thanks to jlinliu for the bug report.
  Add some missing bounds check code in DCTStream. Thanks to Jiahao Liu for
  the bug report.
  Fix a deadlock when an object stream's length field is contained in another
  object stream. Thanks to Jiahao Liu for the bug report.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-2662
    https://www.cve.org/CVERecord?id=CVE-2023-2662
    https://www.cve.org/CVERecord?id=CVE-2018-7453
    https://www.cve.org/CVERecord?id=CVE-2018-16369
    https://www.cve.org/CVERecord?id=CVE-2022-36561
    https://www.cve.org/CVERecord?id=CVE-2022-41844
    https://www.cve.org/CVERecord?id=CVE-2023-2663
    https://www.cve.org/CVERecord?id=CVE-2023-2664
    https://www.cve.org/CVERecord?id=CVE-2023-3044
    https://www.cve.org/CVERecord?id=CVE-2023-3436
  (* Security fix *)
2024-02-10 13:30:40 +01:00
Patrick J Volkerding
2fac477c48 Thu Feb 8 22:17:18 UTC 2024
patches/packages/dehydrated-0.7.1-noarch-1_slack15.0.txz:  Upgraded.
  This is a bugfix release that addresses (among other things) an
  "unbound variable" error if the signing server is not available.
  Thanks to metaed for the heads-up.
2024-02-09 13:30:41 +01:00
Patrick J Volkerding
71cfddeb9f Fri Jan 26 20:59:27 UTC 2024
patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz:  Upgraded.
  pam_namespace.so: fixed a possible local denial-of-service vulnerability.
  For more information, see:
    https://seclists.org/oss-sec/2024/q1/31
    https://www.cve.org/CVERecord?id=CVE-2024-22365
  (* Security fix *)
2024-01-27 13:30:38 +01:00
Patrick J Volkerding
4e88327303 Sun Jan 21 20:50:08 UTC 2024
extra/tigervnc/tigervnc-1.12.0-x86_64-5_slack15.0.txz:  Rebuilt.
  Recompiled against xorg-server-1.20.14, including the latest patches for
  several security issues. Thanks to marav.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-6377
    https://www.cve.org/CVERecord?id=CVE-2023-6478
    https://www.cve.org/CVERecord?id=CVE-2023-6816
    https://www.cve.org/CVERecord?id=CVE-2024-0229
    https://www.cve.org/CVERecord?id=CVE-2024-0408
    https://www.cve.org/CVERecord?id=CVE-2024-0409
    https://www.cve.org/CVERecord?id=CVE-2024-21885
    https://www.cve.org/CVERecord?id=CVE-2024-21886
    https://www.cve.org/CVERecord?id=CVE-2024-21886
  (* Security fix *)
2024-01-22 13:30:35 +01:00
Patrick J Volkerding
95fd8ef935 Tue Jan 16 20:49:28 UTC 2024
patches/packages/gnutls-3.8.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes two medium severity security issues:
  Fix more timing side-channel inside RSA-PSK key exchange.
  Fix assertion failure when verifying a certificate chain with a cycle of
  cross signatures.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-0553
    https://www.cve.org/CVERecord?id=CVE-2024-0567
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-11_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
  Reattaching to different master device may lead to out-of-bounds memory access.
  Heap buffer overflow in XISendDeviceHierarchyEvent.
  Heap buffer overflow in DisableDevice.
  SELinux context corruption.
  SELinux unlabeled GLX PBuffer.
  For more information, see:
    https://lists.x.org/archives/xorg/2024-January/061525.html
    https://www.cve.org/CVERecord?id=CVE-2023-6816
    https://www.cve.org/CVERecord?id=CVE-2024-0229
    https://www.cve.org/CVERecord?id=CVE-2024-21885
    https://www.cve.org/CVERecord?id=CVE-2024-21886
    https://www.cve.org/CVERecord?id=CVE-2024-0408
    https://www.cve.org/CVERecord?id=CVE-2024-0409
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-11_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-11_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-11_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-10_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer.
  Reattaching to different master device may lead to out-of-bounds memory access.
  Heap buffer overflow in XISendDeviceHierarchyEvent.
  Heap buffer overflow in DisableDevice.
  SELinux unlabeled GLX PBuffer.
  For more information, see:
    https://lists.x.org/archives/xorg/2024-January/061525.html
    https://www.cve.org/CVERecord?id=CVE-2023-6816
    https://www.cve.org/CVERecord?id=CVE-2024-0229
    https://www.cve.org/CVERecord?id=CVE-2024-21885
    https://www.cve.org/CVERecord?id=CVE-2024-21886
    https://www.cve.org/CVERecord?id=CVE-2024-0408
  (* Security fix *)
2024-01-17 13:30:37 +01:00
Patrick J Volkerding
d46ef1440f Sat Dec 23 02:48:56 UTC 2023
patches/packages/glibc-zoneinfo-2023d-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/postfix-3.6.13-x86_64-1_slack15.0.txz:  Upgraded.
  Security: this release adds support to defend against an email spoofing
  attack (SMTP smuggling) on recipients at a Postfix server. Sites
  concerned about SMTP smuggling attacks should enable this feature on
  Internet-facing Postfix servers. For compatibility with non-standard
  clients, Postfix by default excludes clients in mynetworks from this
  countermeasure.
  The recommended settings are:
    # Optionally disconnect remote SMTP clients that send bare newlines,
    # but allow local clients with non-standard SMTP implementations
    # such as netcat, fax machines, or load balancer health checks.
    #
    smtpd_forbid_bare_newline = yes
    smtpd_forbid_bare_newline_exclusions = $mynetworks
  The smtpd_forbid_bare_newline feature is disabled by default.
  For more information, see:
    https://www.postfix.org/smtp-smuggling.html
  (* Security fix *)
2023-12-23 13:30:45 +01:00
Patrick J Volkerding
ae2de64cd3 Wed Dec 20 21:10:47 UTC 2023
patches/packages/bind-9.16.45-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/proftpd-1.3.8b-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  mod_sftp: implemented mitigations for "Terrapin" SSH attack.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-48795
  (* Security fix *)
testing/packages/bind-9.18.21-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-12-21 13:30:36 +01:00
Patrick J Volkerding
823a8c2cb7 Wed Dec 13 22:01:34 UTC 2023
patches/packages/libxml2-2.12.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses regressions when building against libxml2 that were
  due to header file refactoring.
patches/packages/xorg-server-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
  This update fixes two security issues:
  Out-of-bounds memory write in XKB button actions.
  Out-of-bounds memory read in RRChangeOutputProperty and
  RRChangeProviderProperty.
  For more information, see:
    https://lists.x.org/archives/xorg/2023-December/061517.html
    https://www.cve.org/CVERecord?id=CVE-2023-6377
    https://www.cve.org/CVERecord?id=CVE-2023-6478
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-10_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-9_slack15.0.txz:  Rebuilt.
  This update fixes two security issues:
  Out-of-bounds memory write in XKB button actions.
  Out-of-bounds memory read in RRChangeOutputProperty and
  RRChangeProviderProperty.
  For more information, see:
    https://lists.x.org/archives/xorg/2023-December/061517.html
    https://www.cve.org/CVERecord?id=CVE-2023-6377
    https://www.cve.org/CVERecord?id=CVE-2023-6478
  (* Security fix *)
2023-12-14 13:39:45 +01:00
Patrick J Volkerding
e20d844068 Sun Dec 10 01:12:17 UTC 2023
patches/packages/libxml2-2.12.2-x86_64-1_slack15.0.txz:  Upgraded.
  Add --sysconfdir=/etc option so that this can find the xml catalog.
  Thanks to SpiderTux.
  Fix the following security issues:
  Fix integer overflows with XML_PARSE_HUGE.
  Fix dict corruption caused by entity reference cycles.
  Hashing of empty dict strings isn't deterministic.
  Fix null deref in xmlSchemaFixupComplexType.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-40303
    https://www.cve.org/CVERecord?id=CVE-2022-40304
    https://www.cve.org/CVERecord?id=CVE-2023-29469
    https://www.cve.org/CVERecord?id=CVE-2023-28484
  (* Security fix *)
2023-12-10 13:30:41 +01:00
Patrick J Volkerding
65d9c1e075 Thu Nov 16 20:51:47 UTC 2023
patches/packages/gegl-0.4.46-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release, needed by the GIMP upgrade.
patches/packages/gimp-2.10.36-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes security issues:
  If a user loads a malicious DDS, PSD, or PSP file, this could result in a
  program crash or possibly the execution of arbitrary code.
  Please note that this package also requires the updated gegl package.
  Thanks to henca for the heads-up.
  For more information, see:
    https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/
    https://www.zerodayinitiative.com/advisories/ZDI-23-1591/
    https://www.zerodayinitiative.com/advisories/ZDI-23-1592/
    https://www.zerodayinitiative.com/advisories/ZDI-23-1593/
    https://www.zerodayinitiative.com/advisories/ZDI-23-1594/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44441
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44442
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44443
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44444
  (* Security fix *)
2023-11-17 13:30:41 +01:00
Patrick J Volkerding
3dc2470097 Mon Nov 13 19:20:40 UTC 2023
extra/tigervnc/tigervnc-1.12.0-x86_64-4_slack15.0.txz:  Rebuilt.
  Recompiled against xorg-server-1.20.14, including patches for several
  security issues. Thanks to marav.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-3550
    https://www.cve.org/CVERecord?id=CVE-2022-3551
    https://www.cve.org/CVERecord?id=CVE-2022-3553
    https://www.cve.org/CVERecord?id=CVE-2022-4283
    https://www.cve.org/CVERecord?id=CVE-2022-46340
    https://www.cve.org/CVERecord?id=CVE-2022-46341
    https://www.cve.org/CVERecord?id=CVE-2022-46342
    https://www.cve.org/CVERecord?id=CVE-2022-46343
    https://www.cve.org/CVERecord?id=CVE-2022-46344
    https://www.cve.org/CVERecord?id=CVE-2023-0494
    https://www.cve.org/CVERecord?id=CVE-2023-1393
    https://www.cve.org/CVERecord?id=CVE-2023-5367
    https://www.cve.org/CVERecord?id=CVE-2023-5380
  (* Security fix *)
2023-11-14 13:30:39 +01:00
Patrick J Volkerding
61c8c898a8 Thu Oct 26 19:55:16 UTC 2023
patches/packages/mozilla-thunderbird-115.4.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.4.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-47/
    https://www.cve.org/CVERecord?id=CVE-2023-5721
    https://www.cve.org/CVERecord?id=CVE-2023-5732
    https://www.cve.org/CVERecord?id=CVE-2023-5724
    https://www.cve.org/CVERecord?id=CVE-2023-5725
    https://www.cve.org/CVERecord?id=CVE-2023-5726
    https://www.cve.org/CVERecord?id=CVE-2023-5727
    https://www.cve.org/CVERecord?id=CVE-2023-5728
    https://www.cve.org/CVERecord?id=CVE-2023-5730
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-9_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  OOB write in XIChangeDeviceProperty/RRChangeOutputProperty.
  Use-after-free bug in DestroyWindow.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-October/003430.html
    https://www.cve.org/CVERecord?id=CVE-2023-5367
    https://www.cve.org/CVERecord?id=CVE-2023-5380
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-9_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-9_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-9_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-8_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  OOB write in XIChangeDeviceProperty/RRChangeOutputProperty.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-October/003430.html
    https://www.cve.org/CVERecord?id=CVE-2023-5367
  (* Security fix *)
2023-10-27 13:30:41 +02:00
Patrick J Volkerding
9615afc308 Thu Sep 21 19:32:42 UTC 2023
patches/packages/bind-9.16.44-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Limit the amount of recursion that can be performed by isccc_cc_fromwire.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-3341
    https://www.cve.org/CVERecord?id=CVE-2023-3341
  (* Security fix *)
patches/packages/cups-2.4.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Fixed Heap-based buffer overflow when reading Postscript in PPD files.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-4504
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.2.3-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.3/releasenotes/
patches/packages/seamonkey-2.53.17.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.17.1
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)
testing/packages/bind-9.18.19-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Limit the amount of recursion that can be performed by isccc_cc_fromwire.
  Fix use-after-free error in TLS DNS code when sending data.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-3341
    https://www.cve.org/CVERecord?id=CVE-2023-3341
    https://kb.isc.org/docs/cve-2023-4236
    https://www.cve.org/CVERecord?id=CVE-2023-4236
  (* Security fix *)
2023-09-22 13:30:41 +02:00
Patrick J Volkerding
79e6c8efb8 Fri Aug 4 20:17:36 UTC 2023
extra/php81/php81-8.1.22-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Libxml: Fixed bug GHSA-3qrf-m4j2-pcrr (Security issue with external entity
  loading in XML without enabling it).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-3823
  (* Security fix *)
extra/rust-for-mozilla/rust-1.70.0-x86_64-1_slack15.0.txz:  Upgraded.
  Upgraded the Rust compiler for Firefox 115.1.0 ESR and Thunderbird 115.1.0.
pasture/samba-4.15.13-x86_64-1_slack15.0.txz:  Added.
  We'll hang onto this just in case.
patches/packages/mozilla-firefox-115.1.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.1.0esr/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
    https://www.cve.org/CVERecord?id=CVE-2023-4045
    https://www.cve.org/CVERecord?id=CVE-2023-4046
    https://www.cve.org/CVERecord?id=CVE-2023-4047
    https://www.cve.org/CVERecord?id=CVE-2023-4048
    https://www.cve.org/CVERecord?id=CVE-2023-4049
    https://www.cve.org/CVERecord?id=CVE-2023-4050
    https://www.cve.org/CVERecord?id=CVE-2023-4052
    https://www.cve.org/CVERecord?id=CVE-2023-4054
    https://www.cve.org/CVERecord?id=CVE-2023-4055
    https://www.cve.org/CVERecord?id=CVE-2023-4056
    https://www.cve.org/CVERecord?id=CVE-2023-4057
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.1.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.1.0/releasenotes/
patches/packages/samba-4.18.5-x86_64-1_slack15.0.txz:  Upgraded.
  PLEASE NOTE: We are taking the unusual step of moving to the latest Samba
  branch because Windows has made changes that break Samba 4.15.x. The last
  4.15.x will be retained in /pasture as a fallback. There may be some
  required configuration changes with this, but we've kept using MIT Kerberos
  to try to have the behavior change as little as possible. Upgrade carefully.
  This update fixes security issues:
  When winbind is used for NTLM authentication, a maliciously crafted request
  can trigger an out-of-bounds read in winbind and possibly crash it.
  SMB2 packet signing is not enforced if an admin configured
  "server signing = required" or for SMB2 connections to Domain Controllers
  where SMB2 packet signing is mandatory.
  An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be
  triggered by an unauthenticated attacker by issuing a malformed RPC request.
  Missing type validation in Samba's mdssvc RPC service for Spotlight can be
  used by an unauthenticated attacker to trigger a process crash in a shared
  RPC mdssvc worker process.
  As part of the Spotlight protocol Samba discloses the server-side absolute
  path of shares and files and directories in search results.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-2127.html
    https://www.samba.org/samba/security/CVE-2023-3347.html
    https://www.samba.org/samba/security/CVE-2023-34966.html
    https://www.samba.org/samba/security/CVE-2023-34967.html
    https://www.samba.org/samba/security/CVE-2023-34968.html
    https://www.cve.org/CVERecord?id=CVE-2022-2127
    https://www.cve.org/CVERecord?id=CVE-2023-3347
    https://www.cve.org/CVERecord?id=CVE-2023-34966
    https://www.cve.org/CVERecord?id=CVE-2023-34967
    https://www.cve.org/CVERecord?id=CVE-2023-34968
  (* Security fix *)
2023-08-05 13:30:38 +02:00
Patrick J Volkerding
b64d3ecbf3 Mon Jul 31 21:52:46 UTC 2023
patches/packages/mozilla-thunderbird-102.13.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.13.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
    https://www.cve.org/CVERecord?id=CVE-2023-3417
  (* Security fix *)
patches/packages/seamonkey-2.53.17-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.17
  (* Security fix *)
2023-08-01 13:30:32 +02:00
Patrick J Volkerding
57f9e5505b Mon Jun 26 19:44:44 UTC 2023
patches/packages/network-scripts-15.0-noarch-19_slack15.0.txz:  Rebuilt.
  This update fixes a bug and adds a new feature:
  Re-add support for the DHCP_IPADDR parameter from rc.inet1.conf.
  Expand the help text for DHCP_IPADDR in rc.inet1.conf.
  Add support for a DHCP_OPTS parameter.
  Thanks to ljb643 and Darren 'Tadgy' Austin.
patches/packages/vim-9.0.1667-x86_64-1_slack15.0.txz:  Upgraded.
  This fixes a rare divide-by-zero bug that could cause vim to crash. In an
  interactive program such as vim, I can't really see this qualifying as a
  security issue, but since it was brought up as such on LQ we'll just go
  along with it this time. :)
  Thanks to marav for the heads-up.
  (* Security fix *)
patches/packages/vim-gvim-9.0.1667-x86_64-1_slack15.0.txz:  Upgraded.
2023-06-27 13:30:30 +02:00
Patrick J Volkerding
da0323f6eb Wed Jun 7 21:12:41 UTC 2023
patches/packages/cups-2.4.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update is a hotfix for a segfault in cupsGetNamedDest(), when caller
  tries to find the default destination and the default destination is not set
  on the machine.
patches/packages/ksh93-1.0.5_20230607_9b251344-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix and robustness enhancement release.
  Thanks to McDutchie for the great work!
  Thanks to pghvlaans for improvements to the build script.
2023-06-08 13:30:33 +02:00
Patrick J Volkerding
d839987e86 Sun Jun 4 19:16:13 UTC 2023
extra/sendmail/sendmail-8.17.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
extra/sendmail/sendmail-cf-8.17.2-noarch-1_slack15.0.txz:  Upgraded.
patches/packages/libmilter-8.17.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2023-06-05 13:39:22 +02:00
Patrick J Volkerding
3f544e903a Fri Jun 2 20:56:35 UTC 2023
patches/packages/cups-2.4.3-x86_64-1_slack15.0.txz:  Upgraded.
  Fixed a heap buffer overflow in _cups_strlcpy(), when the configuration file
  cupsd.conf sets the value of loglevel to DEBUG, that could allow a remote
  attacker to launch a denial of service (DoS) attack, or possibly execute
  arbirary code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-32324
  (* Security fix *)
patches/packages/ntp-4.2.8p16-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-26551
    https://www.cve.org/CVERecord?id=CVE-2023-26552
    https://www.cve.org/CVERecord?id=CVE-2023-26553
    https://www.cve.org/CVERecord?id=CVE-2023-26554
    https://www.cve.org/CVERecord?id=CVE-2023-26555
  (* Security fix *)
2023-06-03 13:30:32 +02:00
Patrick J Volkerding
73b668742a Thu May 25 00:24:33 UTC 2023
patches/packages/curl-8.1.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/texlive-2023.230322-x86_64-1_slack15.0.txz:  Upgraded.
  This update patches a security issue:
  LuaTeX before 1.17.0 allows execution of arbitrary shell commands when
  compiling a TeX file obtained from an untrusted source. This occurs
  because luatex-core.lua lets the original io.popen be accessed. This also
  affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
  Thanks to Johannes Schoepfer.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-32700
  (* Security fix *)
2023-05-25 13:30:31 +02:00
Patrick J Volkerding
837ec54cfe Fri May 19 18:59:24 UTC 2023
patches/packages/cups-filters-1.28.17-x86_64-1_slack15.0.txz:  Upgraded.
  [PATCH] Merge pull request from GHSA-gpxc-v2m8-fr3x.
  With execv() command line arguments are passed as separate strings and
  not the full command line in a single string. This prevents arbitrary
  command execution by escaping the quoting of the arguments in a job
  with forged job title.
  Thanks to marav.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-24805
  (* Security fix *)
2023-05-20 13:39:15 +02:00
Patrick J Volkerding
3ec3cf58c9 Wed Apr 5 18:31:03 UTC 2023
patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release. The primary focus is to correct a rare corruption
  bug in high compression mode. While the probability might be very small,
  corruption issues are nonetheless very serious, so an update to this version
  is highly recommended, especially if you employ high compression modes
  (levels 16+).
2023-04-06 13:39:05 +02:00
Patrick J Volkerding
b4079a7f22 Sun Apr 2 18:33:01 UTC 2023
patches/packages/irssi-1.4.4-x86_64-1_slack15.0.txz:  Upgraded.
  Do not crash Irssi when one line is printed as the result of another line
  being printed.
  Also solve a memory leak while printing unformatted lines.
  (* Security fix *)
2023-04-03 13:30:33 +02:00
Patrick J Volkerding
39f697baee Fri Mar 31 18:01:09 UTC 2023
patches/packages/ruby-3.0.6-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  ReDoS vulnerability in URI.
  ReDoS vulnerability in Time.
  For more information, see:
    https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
    https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
    https://www.cve.org/CVERecord?id=CVE-2023-28755
    https://www.cve.org/CVERecord?id=CVE-2023-28756
  (* Security fix *)
patches/packages/seamonkey-2.53.16-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.16
  (* Security fix *)
2023-04-01 13:30:36 +02:00
Patrick J Volkerding
5b606a9169 Wed Mar 29 20:56:21 UTC 2023
patches/packages/glibc-zoneinfo-2023c-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/mozilla-thunderbird-102.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.9.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
    https://www.cve.org/CVERecord?id=CVE-2023-28427
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-8_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-7_slack15.0.txz:  Rebuilt.
  [PATCH] composite: Fix use-after-free of the COW.
  Fix use-after-free that can lead to local privileges elevation on systems
  where the X server is running privileged and remote code execution for ssh
  X forwarding sessions.
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2023-March/003374.html
    https://www.cve.org/CVERecord?id=CVE-2023-1393
  (* Security fix *)
2023-03-30 13:30:41 +02:00
Patrick J Volkerding
694953a024 Fri Mar 24 19:42:46 UTC 2023
patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/tar-1.34-x86_64-2_slack15.0.txz:  Rebuilt.
  GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
  of uninitialized memory for a conditional jump. Exploitation to change the
  flow of control has not been demonstrated. The issue occurs in from_header
  in list.c via a V7 archive in which mtime has approximately 11 whitespace
  characters.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-48303
  (* Security fix *)
2023-03-25 13:30:35 +01:00
Patrick J Volkerding
78c0119973 Mon Mar 6 02:21:57 UTC 2023
patches/packages/xscreensaver-6.06-x86_64-1_slack15.0.txz:  Upgraded.
  Here's an upgrade to the latest xscreensaver.
2023-03-06 13:30:35 +01:00