Commit graph

1453 commits

Author SHA1 Message Date
Patrick J Volkerding
67eca0c848 Wed Nov 13 20:22:00 UTC 2024
patches/packages/sudo-1.9.16p1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-11-14 13:30:48 +01:00
Patrick J Volkerding
43b066a8b0 Tue Nov 12 20:26:19 UTC 2024
patches/packages/mozilla-thunderbird-128.4.3esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/128.4.3esr/releasenotes/
  (* Security fix *)
2024-11-13 13:30:50 +01:00
Patrick J Volkerding
431dd191b6 Mon Nov 11 20:56:27 UTC 2024
patches/packages/wget-1.25.0-x86_64-1_slack15.0.txz:  Upgraded.
  [Breaking change] Drop support for shorthand FTP URLs (CVE-2024-10524)
  [Breaking change] Switch to continuous reading from stdin pipes
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-10524
  (* Security fix *)
2024-11-12 13:30:48 +01:00
Patrick J Volkerding
34532a5a6a Thu Nov 7 21:46:13 UTC 2024
patches/packages/curl-8.11.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Adjust libcurl.pc to remove ldap from Requires.private.
  This fixes building PHP. Thanks to Thom1b.
patches/packages/expat-2.6.4-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Fix crash within function XML_ResumeParser from a NULL pointer dereference
  by disallowing function XML_StopParser to (stop or) suspend an unstarted
  parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly
  communicate this situation.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-50602
  (* Security fix *)
patches/packages/mozilla-thunderbird-128.4.2esr-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/128.4.2esr/releasenotes/
2024-11-08 13:30:43 +01:00
Patrick J Volkerding
61277a2a35 Wed Nov 6 20:54:05 UTC 2024
patches/packages/curl-8.11.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-11-07 13:30:41 +01:00
Patrick J Volkerding
073b53fba5 Tue Nov 5 19:22:31 UTC 2024
patches/packages/mozilla-thunderbird-128.4.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/128.4.1/releasenotes/
2024-11-06 13:30:54 +01:00
Patrick J Volkerding
659d74cc8d Mon Nov 4 19:08:43 UTC 2024
patches/packages/dhcpcd-9.5.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release, primarily to address the broken --dumplease option.
  Thanks to slackwhere.
patches/packages/mariadb-10.5.27-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://mariadb.com/kb/en/mariadb-10-5-27-release-notes/
2024-11-05 13:30:43 +01:00
Patrick J Volkerding
2d770ad859 Wed Oct 30 21:03:27 UTC 2024
extra/llvm-19.1.3-x86_64-1_slack15.0.txz:  Upgraded.
  Shared library .so-version bump.
  If you are upgrading from a previous LLVM, you might also need llvm13-compat
  and/or llvm17-compat. We'll be using this for newer Mozilla things.
extra/llvm17-compat-17.0.6-x86_64-1_slack15.0.txz:  Added.
  This is to support any locally compiled software that was linked against
  libLLVM-17.so from the llvm-17.0.6 that was previously in /extra.
extra/rust-bindgen-0.69.4-x86_64-1_slack15.0.txz:  Added.
extra/rust-for-mozilla/rust-1.82.0-x86_64-1_slack15.0.txz:  Upgraded.
extra/tigervnc/tigervnc-1.12.0-x86_64-7_slack15.0.txz:  Rebuilt.
  Recompiled against xorg-server-1.20.14, including a patch for a
  security issue:
  By providing a modified bitmap, a heap-based buffer overflow may occur.
  This may lead to local privilege escalation if the server is run as root
  or remote code execution (e.g. x11 over ssh).
  This vulnerability was discovered by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-October/003545.html
    https://www.cve.org/CVERecord?id=CVE-2024-9632
  (* Security fix *)
patches/packages/mozilla-firefox-128.4.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/128.4.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-56/
    https://www.cve.org/CVERecord?id=CVE-2024-10458
    https://www.cve.org/CVERecord?id=CVE-2024-10459
    https://www.cve.org/CVERecord?id=CVE-2024-10460
    https://www.cve.org/CVERecord?id=CVE-2024-10461
    https://www.cve.org/CVERecord?id=CVE-2024-10462
    https://www.cve.org/CVERecord?id=CVE-2024-10463
    https://www.cve.org/CVERecord?id=CVE-2024-10464
    https://www.cve.org/CVERecord?id=CVE-2024-10465
    https://www.cve.org/CVERecord?id=CVE-2024-10466
    https://www.cve.org/CVERecord?id=CVE-2024-10467
  (* Security fix *)
patches/packages/mozilla-thunderbird-128.4.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/128.4.0esr/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-58/
    https://www.cve.org/CVERecord?id=CVE-2024-10458
    https://www.cve.org/CVERecord?id=CVE-2024-10459
    https://www.cve.org/CVERecord?id=CVE-2024-10460
    https://www.cve.org/CVERecord?id=CVE-2024-10461
    https://www.cve.org/CVERecord?id=CVE-2024-10462
    https://www.cve.org/CVERecord?id=CVE-2024-10463
    https://www.cve.org/CVERecord?id=CVE-2024-10464
    https://www.cve.org/CVERecord?id=CVE-2024-10465
    https://www.cve.org/CVERecord?id=CVE-2024-10466
    https://www.cve.org/CVERecord?id=CVE-2024-10467
  (* Security fix *)
patches/packages/xorg-server-1.20.14-x86_64-14_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  By providing a modified bitmap, a heap-based buffer overflow may occur.
  This may lead to local privilege escalation if the server is run as root
  or remote code execution (e.g. x11 over ssh).
  This vulnerability was discovered by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-October/003545.html
    https://www.cve.org/CVERecord?id=CVE-2024-9632
  (* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-14_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-14_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-14_slack15.0.txz:  Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-12_slack15.0.txz:  Rebuilt.
  This update fixes a security issue:
  By providing a modified bitmap, a heap-based buffer overflow may occur.
  This may lead to local privilege escalation if the server is run as root
  or remote code execution (e.g. x11 over ssh).
  This vulnerability was discovered by:
  Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
  For more information, see:
    https://lists.x.org/archives/xorg-announce/2024-October/003545.html
    https://www.cve.org/CVERecord?id=CVE-2024-9632
  (* Security fix *)
2024-10-31 13:30:38 +01:00
Patrick J Volkerding
837ccc192b Wed Oct 23 19:39:39 UTC 2024
extra/php81/php81-8.1.30-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Bypass of CVE-2024-4577, Parameter Injection Vulnerability.
  cgi.force_redirect configuration is bypassable due to the environment
  variable collision.
  Logs from children may be altered.
  Erroneous parsing of multipart form data.
  For more information, see:
    https://www.php.net/ChangeLog-8.php#8.1.30
    https://www.cve.org/CVERecord?id=CVE-2024-8926
    https://www.cve.org/CVERecord?id=CVE-2024-8927
    https://www.cve.org/CVERecord?id=CVE-2024-9026
    https://www.cve.org/CVERecord?id=CVE-2024-8925
  (* Security fix *)
2024-10-24 13:30:41 +02:00
Patrick J Volkerding
af81c69cb8 Mon Oct 21 21:23:46 UTC 2024
patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
  Apply patch to fix a security issue:
  Harden BN_GF2m_poly2arr against misuse.
  This CVE was fixed by the 1.1.1zb release that is only available to
  subscribers to OpenSSL's premium extended support. The patch was prepared
  by backporting from the OpenSSL-3.0 repo. The reported version number has
  been updated so that vulnerability scanners calm down.
  Thanks to Ken Zalewski for the patch!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-9143
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
2024-10-22 13:30:40 +02:00
Patrick J Volkerding
72f412a04a Sun Oct 20 23:42:23 UTC 2024
testing/packages/rust-1.82.0-x86_64-1_slack15.0.txz:  Upgraded.
2024-10-21 13:30:40 +02:00
Patrick J Volkerding
251d060cc5 Fri Oct 18 22:51:09 UTC 2024
testing/packages/llvm-19.1.2-x86_64-1_slack15.0.txz:  Upgraded.
  Shared library .so-version bump.
  Chromium requires either a patched LLVM18, or LLVM19, so we're upgrading.
  Thanks to alienBOB.
2024-10-19 13:30:41 +02:00
Patrick J Volkerding
cbadbff78d Wed Oct 16 19:11:30 UTC 2024
patches/packages/libssh2-1.11.1-x86_64-1_slack15.0.txz:  Upgraded.
  src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack."
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-48795
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.16.1-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.16.1esr/releasenotes/
  (* Security fix *)
2024-10-17 13:30:41 +02:00
Patrick J Volkerding
61509941c5 Sun Oct 13 19:49:05 UTC 2024
patches/packages/libarchive-3.7.7-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and the following security issues:
  gzip: prevent a hang when processing a malformed gzip inside a gzip.
  tar: don't crash on truncated tar archives.
  tar: fix two leaks in tar header parsing.
  (* Security fix *)
patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz:  Upgraded.
  This update is primarily to address a regression that prevents using
  inetd or xinetd with sshd. Thanks to a_biardi for the bug report.
  Future deprecation notice: OpenSSH plans to remove support for the DSA
  signature algorithm in early 2025. For now, this package retains DSA
  support, but plan accordingly.
2024-10-14 13:30:40 +02:00
Patrick J Volkerding
bf5634b29d Sat Oct 12 19:16:04 UTC 2024
testing/packages/mozilla-firefox-128.3.1esr-x86_64-1_slack15.0.txz:  Added.
testing/packages/mozilla-thunderbird-128.3.1esr-x86_64-1_slack15.0.txz:  Added.
patches/packages/perl-5.34.0-x86_64-3_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  Upgraded: DBI-1.645, URI-5.30, XML-Parser-2.47, Authen-SASL-2.1700,
  IO-Socket-SSL-2.089, Net-SSLeay-1.94, libnet-3.15, Path-Tiny-0.146,
  Template-Toolkit-3.102, Moo-2.005005, Sub-Quote-2.006008.
  Added: Path-Tiny-0.146. (Needed by Moo, thanks to Andypoo)
2024-10-13 13:30:42 +02:00
Patrick J Volkerding
ae90f32e03 Thu Oct 10 22:42:17 UTC 2024
patches/packages/mozilla-thunderbird-115.16.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.16.0esr/releasenotes/
  (* Security fix *)
2024-10-11 13:30:52 +02:00
Patrick J Volkerding
c29a1ed636 Wed Oct 9 21:09:16 UTC 2024
patches/packages/mozilla-firefox-115.16.1esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains a critical security fix:
  Use-after-free in Animation timeline.
  "An attacker was able to achieve code execution in the content process by
  exploiting a use-after-free in Animation timelines. We have had reports of
  this vulnerability being exploited in the wild."
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.16.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-51/
    https://www.cve.org/CVERecord?id=CVE-2024-9680
  (* Security fix *)
2024-10-10 13:30:53 +02:00
Patrick J Volkerding
4657194ae3 Tue Oct 1 18:01:38 UTC 2024
Several ELF objects were found to have rpaths pointing into /tmp, a world
writable directory. This could have allowed a local attacker to launch denial
of service attacks or execute arbitrary code when the affected binaries are
run by placing crafted ELF objects in the /tmp rpath location. All rpaths with
an embedded /tmp path have been scrubbed from the binaries, and makepkg has
gained a lint feature to detect these so that they won't creep back in.
extra/llvm-17.0.6-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cryfs-0.10.3-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/cups-filters-1.28.17-x86_64-2_slack15.0.txz:  Rebuilt.
  Mitigate security issue that could lead to a denial of service or
  the execution of arbitrary code.
  Rebuilt with --with-browseremoteprotocols=none to disable incoming
  connections, since this daemon has been shown to be insecure. If you
  actually use cups-browsed, be sure to install the new
  /etc/cups/cups-browsed.conf.new containing this line:
  BrowseRemoteProtocols none
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-47176
  (* Security fix *)
patches/packages/espeak-ng-1.50-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/libvncserver-0.9.13-x86_64-4_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/marisa-0.2.6-x86_64-5_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mlt-7.4.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/mozilla-firefox-115.16.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.16.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-48
    https://www.cve.org/CVERecord?id=CVE-2024-9392
    https://www.cve.org/CVERecord?id=CVE-2024-9393
    https://www.cve.org/CVERecord?id=CVE-2024-9394
    https://www.cve.org/CVERecord?id=CVE-2024-9401
  (* Security fix *)
patches/packages/openobex-1.7.2-x86_64-6_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
patches/packages/pkgtools-15.0-noarch-44_slack15.0.txz:  Rebuilt.
  makepkg: when looking for ELF objects with --remove-rpaths or
  --remove-tmp-rpaths, avoid false hits on files containing 'ELF' as part
  of the directory or filename.
  Also warn about /tmp rpaths after the package is built.
patches/packages/spirv-llvm-translator-13.0.0-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
testing/packages/llvm-18.1.8-x86_64-2_slack15.0.txz:  Rebuilt.
  Remove rpaths from binaries.
  (* Security fix *)
2024-10-02 13:30:38 +02:00
Patrick J Volkerding
10f65d4bf6 Fri Sep 27 21:10:23 UTC 2024
patches/packages/pkgtools-15.0-noarch-43_slack15.0.txz:  Rebuilt.
  This update adds new makepkg options and fixes a bug:
  makepkg: added options --remove-rpaths, --remove-tmp-rpaths.
  Thanks to Petri Kaukasoina for code examples.
  makepkg: chown root:root, not root.root.
2024-09-28 13:30:33 +02:00
Patrick J Volkerding
3dc8ac7064 Thu Sep 26 18:28:55 UTC 2024
patches/packages/boost-1.78.0-x86_64-3_slack15.0.txz:  Rebuilt.
  Get rid of hardcoded temporary paths in the cmake files.
  Since these paths point to a location that an unprivileged user could
  create and populate with files that could be picked up during a build,
  it's possible this bug could be used for malicious purposes.
  Thanks to jmacloue.
  (* Security fix *)
2024-09-27 13:30:42 +02:00
Patrick J Volkerding
993216ab39 Wed Sep 25 18:40:09 UTC 2024
patches/packages/git-2.46.2-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  Some projects are requiring newer git features than git-2.39.4 provides,
  so have an upgrade. Thanks to lancsuk for the suggestion.
2024-09-26 13:30:40 +02:00
Patrick J Volkerding
9809668267 Tue Sep 24 18:42:58 UTC 2024
patches/packages/netatalk-3.2.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-25 13:30:40 +02:00
Patrick J Volkerding
53f7d421db Mon Sep 23 20:01:35 UTC 2024
patches/packages/libarchive-3.7.6-x86_64-1_slack15.0.txz:  Upgraded.
  This release fixes a tar regression introduced in libarchive 3.7.5.
2024-09-24 13:30:38 +02:00
Patrick J Volkerding
d1483d2e62 Fri Sep 20 19:25:40 UTC 2024
patches/packages/bind-9.18.30-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-21 13:30:35 +02:00
Patrick J Volkerding
cf77f89919 Wed Sep 18 21:23:19 UTC 2024
patches/packages/curl-8.10.1-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-19 13:30:42 +02:00
Patrick J Volkerding
02beedc910 Mon Sep 16 19:58:49 UTC 2024
patches/packages/netatalk-3.2.9-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-17 13:30:44 +02:00
Patrick J Volkerding
52e9abcddc Sat Sep 14 18:15:34 UTC 2024
patches/packages/libarchive-3.7.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes the following security issues:
  fix multiple vulnerabilities identified by SAST (#2251, #2256)
  cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
  lzop: prevent integer overflow (#2174)
  rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
  rar4: fix CVE-2024-26256 (#2269)
  rar4: fix OOB in delta and audio filter (#2148, #2149)
  rar4: fix out of boundary access with large files (#2179)
  rar4: add boundary checks to rgb filter (#2210)
  rar4: fix OOB access with unicode filenames (#2203)
  rar5: clear 'data ready' cache on window buffer reallocs (#2265)
  rpm: calculate huge header sizes correctly (#2158)
  unzip: unify EOF handling (#2175)
  util: fix out of boundary access in mktemp functions (#2160)
  uu: stop processing if lines are too long (#2168)
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-20696
    https://www.cve.org/CVERecord?id=CVE-2024-26256
  (* Security fix *)
2024-09-15 13:30:43 +02:00
Patrick J Volkerding
ced6fa47ab Fri Sep 13 01:32:33 UTC 2024
patches/packages/libssh2-1.11.0-x86_64-1_slack15.0.txz:  Upgraded.
  This update adds support for rsa-sha2-512 and rsa-sha2-256, which are needed
  to connect to servers that use a recent version of OpenSSH.
  Thanks to Jonathan Woithe.
2024-09-13 13:30:46 +02:00
Patrick J Volkerding
6b496a06b1 Wed Sep 11 17:47:14 UTC 2024
patches/packages/curl-8.10.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-09-12 13:30:43 +02:00
Patrick J Volkerding
c438a3c0d9 Mon Sep 9 17:27:00 UTC 2024
patches/packages/netatalk-3.2.8-x86_64-1_slack15.0.txz:  Upgraded.
  Bump bundled WolfSSL library to stable version 5.7.2, GitHub #1433.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-1544
    https://www.cve.org/CVERecord?id=CVE-2024-5288
    https://www.cve.org/CVERecord?id=CVE-2024-5991
    https://www.cve.org/CVERecord?id=CVE-2024-5814
  (* Security fix *)
2024-09-10 13:30:45 +02:00
Patrick J Volkerding
8039a5b124 Mon Sep 9 00:53:17 UTC 2024
patches/packages/python3-3.9.20-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Bundled libexpat was updated to 2.6.3.
  Fix quadratic complexity in parsing "-quoted cookie values with backslashes
  by http.cookies.
  Fixed various false positives and false negatives in IPv4Address.is_private,
  IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global.
  Fix urllib.parse.urlunparse() and urllib.parse.urlunsplit() for URIs with
  path starting with multiple slashes and no authority.
  Remove backtracking from tarfile header parsing for hdrcharset, PAX, and
  GNU sparse headers.
  email.utils.getaddresses() and email.utils.parseaddr() now return ('', '')
  2-tuples in more situations where invalid email addresses are encountered
  instead of potentially inaccurate values. Add optional strict parameter to
  these two functions: use strict=False to get the old behavior, accept
  malformed inputs. getattr(email.utils, 'supports_strict_parsing', False) can
  be used to check if the strict parameter is available.
  Sanitize names in zipfile.Path to avoid infinite loops (gh-122905) without
  breaking contents using legitimate characters.
  Email headers with embedded newlines are now quoted on output. The generator
  will now refuse to serialize (write) headers that are unsafely folded or
  delimited; see verify_generated_headers.
  For more information, see:
    https://pythoninsider.blogspot.com/2024/09/python-3130rc2-3126-31110-31015-3920.html
    https://www.cve.org/CVERecord?id=CVE-2024-28757
    https://www.cve.org/CVERecord?id=CVE-2024-45490
    https://www.cve.org/CVERecord?id=CVE-2024-45491
    https://www.cve.org/CVERecord?id=CVE-2024-45492
    https://www.cve.org/CVERecord?id=CVE-2024-7592
    https://www.cve.org/CVERecord?id=CVE-2024-4032
    https://www.cve.org/CVERecord?id=CVE-2015-2104
    https://www.cve.org/CVERecord?id=CVE-2024-6232
    https://www.cve.org/CVERecord?id=CVE-2023-27043
    https://www.cve.org/CVERecord?id=CVE-2024-8088
    https://www.cve.org/CVERecord?id=CVE-2024-6923
  (* Security fix *)
2024-09-09 13:30:45 +02:00
Patrick J Volkerding
382f07b69c Sat Sep 7 18:16:12 UTC 2024
patches/packages/glibc-zoneinfo-2024b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
2024-09-08 13:30:53 +02:00
Patrick J Volkerding
a782e78272 Fri Sep 6 19:22:57 UTC 2024
testing/packages/rust-1.81.0-x86_64-1_slack15.0.txz:  Upgraded.
2024-09-07 13:30:46 +02:00
Patrick J Volkerding
b684b4dc4a Thu Sep 5 22:14:23 UTC 2024
patches/packages/mozilla-thunderbird-115.15.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.15.0esr/releasenotes/
  (* Security fix *)
2024-09-06 13:30:49 +02:00
Patrick J Volkerding
91fbde5fb9 Wed Sep 4 23:37:27 UTC 2024
patches/packages/expat-2.6.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses security issues with impact ranging from denial of
  service to potentially arbitrary code execution.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-45490
    https://www.cve.org/CVERecord?id=CVE-2024-45491
    https://www.cve.org/CVERecord?id=CVE-2024-45492
  (* Security fix *)
2024-09-05 13:30:37 +02:00
Patrick J Volkerding
3637e85ebe Tue Sep 3 21:07:09 UTC 2024
patches/packages/mozilla-firefox-115.15.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.15.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-41/
    https://www.cve.org/CVERecord?id=CVE-2024-8381
    https://www.cve.org/CVERecord?id=CVE-2024-8382
    https://www.cve.org/CVERecord?id=CVE-2024-8383
    https://www.cve.org/CVERecord?id=CVE-2024-8384
  (* Security fix *)
patches/packages/seamonkey-2.53.19-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.19
  (* Security fix *)
2024-09-04 13:39:55 +02:00
Patrick J Volkerding
a55d5c5151 Sat Aug 31 18:26:20 UTC 2024
patches/packages/libpcap-1.10.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  Clean up sock_initaddress() and its callers to avoid double frees
  in some cases.
  Fix pcap_findalldevs_ex() not to crash if passed a file:// URL with a
  path to a directory that cannot be opened.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-7256
    https://www.cve.org/CVERecord?id=CVE-2024-8006
  (* Security fix *)
2024-09-01 13:31:05 +02:00
Patrick J Volkerding
b13ab22fec Fri Aug 30 17:52:19 UTC 2024
patches/packages/ca-certificates-20240830-noarch-1_slack15.0.txz:  Upgraded.
  This update provides the latest CA certificates to check for the
  authenticity of SSL connections.
2024-08-31 13:30:59 +02:00
Patrick J Volkerding
e472158ace Tue Aug 27 19:24:48 UTC 2024
patches/packages/kcron-21.12.3-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  kcron: Invalid temporary file handling.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://kde.org/info/security/advisory-20220216-1.txt
    https://www.cve.org/CVERecord?id=CVE-2022-24986
  (* Security fix *)
patches/packages/plasma-workspace-5.23.5-x86_64-4_slack15.0.txz:  Rebuilt.
  This update patches a security issue:
  ksmserver: Unauthorized users can access session manager.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://kde.org/info/security/advisory-20240531-1.txt
    https://www.cve.org/CVERecord?id=CVE-2024-36041
  (* Security fix *)
2024-08-28 13:30:50 +02:00
Patrick J Volkerding
1246cf6d34 Thu Aug 22 19:10:18 UTC 2024
patches/packages/bind-9.18.29-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/ffmpeg-4.4.5-x86_64-1_slack15.0.txz:  Upgraded.
  This update addresses several vulnerabilities in FFmpeg which could result
  in denial of service, or potentially the execution of arbitrary code if
  malformed files/streams are processed.
  Thanks to pbslxw for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-1475
    https://www.cve.org/CVERecord?id=CVE-2022-48434
    https://www.cve.org/CVERecord?id=CVE-2022-3109
    https://www.cve.org/CVERecord?id=CVE-2022-3341
    https://www.cve.org/CVERecord?id=CVE-2022-3964
    https://www.cve.org/CVERecord?id=CVE-2024-7055
    https://www.cve.org/CVERecord?id=CVE-2023-47342
  (* Security fix *)
2024-08-23 13:31:07 +02:00
Patrick J Volkerding
20718db5e4 Thu Aug 15 20:07:37 UTC 2024
patches/packages/libX11-1.8.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bug fix release, correcting an empty XKeysymDB file.
  Thanks to Jonathan Woithe for the bug report.
2024-08-16 13:31:00 +02:00
Patrick J Volkerding
5edf138e9c Wed Aug 14 19:36:01 UTC 2024
patches/packages/dovecot-2.3.21.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes security issues:
  A large number of address headers in email resulted in excessive CPU usage.
  Abnormally large email headers are now truncated or discarded, with a limit
  of 10MB on a single header and 50MB for all the headers of all the parts of
  an email.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-23184
    https://www.cve.org/CVERecord?id=CVE-2024-23185
  (* Security fix *)
2024-08-15 13:30:54 +02:00
Patrick J Volkerding
690d923d27 Sun Aug 11 19:00:08 UTC 2024
These are needed to build Chromium. Thanks to alienBOB.
We'll probably move them to /extra once the Mozilla stuff needs it.
Please note that if upgrading to the new llvm, you'll need the llvm13-compat
package from /extra.
testing/packages/llvm-18.1.8-x86_64-1_slack15.0.txz:  Added.
testing/packages/rust-1.80.1-x86_64-1_slack15.0.txz:  Added.
testing/packages/rust-bindgen-0.69.4-x86_64-1_slack15.0.txz:  Added.
2024-08-12 13:30:50 +02:00
Patrick J Volkerding
a2bba28e56 Fri Aug 9 21:22:03 UTC 2024
patches/packages/mariadb-10.5.26-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://mariadb.com/kb/en/mariadb-10-5-26-release-notes/
2024-08-10 13:30:53 +02:00
Patrick J Volkerding
d6bbed4a7d Wed Aug 7 04:03:09 UTC 2024
patches/packages/curl-8.9.1-x86_64-2_slack15.0.txz:  Rebuilt.
  This is a bugfix release.
  [PATCH] sigpipe: init the struct so that first apply ignores.
  Thanks to ponce.
patches/packages/mozilla-firefox-115.14.0esr-x86_64-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.14.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2024-34/
    https://www.cve.org/CVERecord?id=CVE-2024-7519
    https://www.cve.org/CVERecord?id=CVE-2024-7521
    https://www.cve.org/CVERecord?id=CVE-2024-7522
    https://www.cve.org/CVERecord?id=CVE-2024-7524
    https://www.cve.org/CVERecord?id=CVE-2024-7525
    https://www.cve.org/CVERecord?id=CVE-2024-7526
    https://www.cve.org/CVERecord?id=CVE-2024-7527
    https://www.cve.org/CVERecord?id=CVE-2024-7529
    https://www.cve.org/CVERecord?id=CVE-2024-7531
  (* Security fix *)
patches/packages/mozilla-thunderbird-115.14.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.14.0esr/releasenotes/
2024-08-08 13:30:52 +02:00
Patrick J Volkerding
56b509117f Mon Aug 5 21:58:24 UTC 2024
patches/packages/ksh93-1.0.10-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
2024-08-06 13:30:53 +02:00
Patrick J Volkerding
c6614b91d7 Wed Jul 31 18:35:06 UTC 2024
patches/packages/curl-8.9.1-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  ASN.1 date parser overread.
  For more information, see:
    https://curl.se/docs/CVE-2024-7264.html
    https://www.cve.org/CVERecord?id=CVE-2024-7264
  (* Security fix *)
2024-08-01 13:30:48 +02:00
Patrick J Volkerding
a44e6a9f0b Thu Jul 25 02:39:18 UTC 2024
patches/packages/curl-8.9.0-x86_64-1_slack15.0.txz:  Upgraded.
  This is a bugfix release.
patches/packages/htdig-3.2.0b6-x86_64-10_slack15.0.txz:  Rebuilt.
  Patch XSS vulnerability. Thanks to jayjwa.
  Get this out of cgi-bin. Thanks to LuckyCyborg.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2007-6110
  (* Security fix *)
patches/packages/libxml2-2.11.9-x86_64-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fix XXE protection in downstream code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-40896
  (* Security fix *)
2024-07-26 13:30:58 +02:00
Patrick J Volkerding
75a92ded1e Tue Jul 23 18:54:25 UTC 2024
patches/packages/bind-9.18.28-x86_64-1_slack15.0.txz:  Upgraded.
  Please note that we have moved to the 9.18 branch, as 9.16 is EOL.
  This update fixes security issues:
  Remove SIG(0) support from named as a countermeasure for CVE-2024-1975.
  qctx-zversion was not being cleared when it should have been leading to
  an assertion failure if it needed to be reused.
  An excessively large number of rrtypes per owner can slow down database query
  processing, so a limit has been placed on the number of rrtypes that can be
  stored per owner (node) in a cache or zone database. This is configured with
  the new "max-rrtypes-per-name" option, and defaults to 100.
  Excessively large rdatasets can slow down database query processing, so a
  limit has been placed on the number of records that can be stored per
  rdataset in a cache or zone database. This is configured with the new
  "max-records-per-type" option, and defaults to 100.
  Malicious DNS client that sends many queries over TCP but never reads
  responses can cause server to respond slowly or not respond at all for other
  clients.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-1975
    https://www.cve.org/CVERecord?id=CVE-2024-4076
    https://www.cve.org/CVERecord?id=CVE-2024-1737
    https://www.cve.org/CVERecord?id=CVE-2024-0760
  (* Security fix *)
patches/packages/aaa_glibc-solibs-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
  This update fixes security issues:
  nscd: Stack-based buffer overflow in netgroup cache.
  nscd: Null pointer crash after notfound response.
  nscd: netgroup cache may terminate daemon on memory allocation failure.
  nscd: netgroup cache assumes NSS callback uses in-buffer strings.
  These vulnerabilities were only present in the nscd binary.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-33599
    https://www.cve.org/CVERecord?id=CVE-2024-33600
    https://www.cve.org/CVERecord?id=CVE-2024-33601
    https://www.cve.org/CVERecord?id=CVE-2024-33602
  (* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-7_slack15.0.txz:  Rebuilt.
patches/packages/mozilla-thunderbird-115.13.0-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.13.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/
    https://www.cve.org/CVERecord?id=CVE-2024-6600
    https://www.cve.org/CVERecord?id=CVE-2024-6601
    https://www.cve.org/CVERecord?id=CVE-2024-6602
    https://www.cve.org/CVERecord?id=CVE-2024-6603
    https://www.cve.org/CVERecord?id=CVE-2024-6604
  (* Security fix *)
2024-07-24 13:31:01 +02:00
Patrick J Volkerding
39cc109e67 Thu Jul 18 20:01:18 UTC 2024
patches/packages/httpd-2.4.62-x86_64-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  The first CVE is for Windows, but the second one is an additional fix for
  the source code disclosure regression when using AddType.
  Users are recommended to upgrade to version 2.4.62 which fixes this issue.
  For more information, see:
    https://downloads.apache.org/httpd/CHANGES_2.4.62
    https://www.cve.org/CVERecord?id=CVE-2024-40898
    https://www.cve.org/CVERecord?id=CVE-2024-40725
  (* Security fix *)
2024-07-19 13:31:06 +02:00