patches/packages/coreutils-9.5-x86_64-1_slack15.0.txz: Upgraded.
chmod -R now avoids a race where an attacker may replace a traversed file
with a symlink, causing chmod to operate on an unintended file.
[This bug was present in "the beginning".]
split --line-bytes with a mixture of very long and short lines no longer
overwrites the heap.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-0684
(* Security fix *)
patches/packages/emacs-29.3-x86_64-1_slack15.0.txz: Upgraded.
GNU Emacs through 28.2 allows attackers to execute commands via shell
metacharacters in the name of a source-code file, because lib-src/etags.c
uses the system C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *" command (suggested in
the ctags documentation) in a situation where the current working directory
has contents that depend on untrusted input.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-45939
(* Security fix *)
patches/packages/expat-2.6.2-x86_64-1_slack15.0.txz: Upgraded.
Prevent billion laughs attacks with isolated use of external parsers.
For more information, see:
1d50b80cf3https://www.cve.org/CVERecord?id=CVE-2024-28757
(* Security fix *)
patches/packages/ghostscript-9.55.0-x86_64-2_slack15.0.txz: Rebuilt.
Fixes security issues:
A vulnerability was identified in the way Ghostscript/GhostPDL called
tesseract for the OCR devices, which could allow arbitrary code execution.
Thanks to J_W for the heads-up.
Mishandling of permission validation for pipe devices could allow arbitrary
code execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
(* Security fix *)
patches/packages/openjpeg-2.5.2-x86_64-1_slack15.0.txz: Upgraded.
Fixed a regression in openjpeg-2.5.1:
API breakage / openjpeg version no longer detected (openjpeg.h no longer
includes opj_config.h).
patches/packages/wpa_supplicant-2.10-x86_64-2_slack15.0.txz: Rebuilt.
Patched the implementation of PEAP in wpa_supplicant to prevent an
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52160
(* Security fix *)
patches/packages/openjpeg-2.5.1-x86_64-1_slack15.0.txz: Upgraded.
Fixed a heap-based buffer overflow in openjpeg in color.c:379:42 in
sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use
this to execute arbitrary code with the permissions of the application
compiled against openjpeg.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-3575
(* Security fix *)
patches/packages/libuv-1.48.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a server-side request forgery (SSRF) flaw.
Thanks to alex2grad for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-24806
(* Security fix *)
extra/llvm-17.0.6-x86_64-1_slack15.0.txz: Added.
In case anyone needs a newer compiler.
extra/llvm13-compat-13.0.0-x86_64-1_slack15.0.txz: Added.
In case anyone needs to run binaries linked to the old compiler.
patches/packages/ca-certificates-20240216-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/dehydrated-0.7.1-noarch-1_slack15.0.txz: Upgraded.
This is a bugfix release that addresses (among other things) an
"unbound variable" error if the signing server is not available.
Thanks to metaed for the heads-up.
patches/packages/expat-2.6.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Fix quadratic runtime issues with big tokens that can cause
denial of service.
Fix billion laughs attacks for users compiling *without* XML_DTD
defined (which is not common).
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-52425https://www.cve.org/CVERecord?id=CVE-2023-52426
(* Security fix *)
patches/packages/libxml2-2.11.7-x86_64-1_slack15.0.txz: Upgraded.
Fix the following security issue:
xmlreader: Don't expand XIncludes when backtracking.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-25062
(* Security fix *)
patches/packages/ca-certificates-20240203-noarch-1_slack15.0.txz: Upgraded.
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
patches/packages/glibc-zoneinfo-2024a-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
extra/sendmail/sendmail-8.18.1-x86_64-1_slack15.0.txz: Upgraded.
sendmail through 8.17.2 allows SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass of an SPF
protection mechanism. This occurs because sendmail supports <LF>.<CR><LF>
but some other popular e-mail servers do not. This is resolved in 8.18 and
later versions with 'o' in srv_features.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-51765
(* Security fix *)
extra/sendmail/sendmail-cf-8.18.1-noarch-1_slack15.0.txz: Upgraded.
patches/packages/curl-8.6.0-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/libmilter-8.18.1-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/postfix-3.6.14-x86_64-1_slack15.0.txz: Upgraded.
Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
= normalize" (default "no" for Postfix < 3.9), the Postfix
SMTP server requires the standard End-of-DATA sequence
<CR><LF>.<CR><LF>, and otherwise allows command or message
content lines ending in the non-standard <LF>, processing
them as if the client sent the standard <CR><LF>.
The alternative setting, "smtpd_forbid_bare_newline = reject"
will reject any command or message that contains a bare
<LF>, and is more likely to cause problems with legitimate
clients.
For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks".
For more information, see:
https://www.postfix.org/smtp-smuggling.html
(* Security fix *)
patches/packages/kernel-firmware-20231222_a7dee43-noarch-1.txz: Upgraded.
Updated to the latest kernel firmware.
patches/packages/linux-5.15.145/*: Upgraded.
These updates fix various bugs and security issues.
Thanks to jwoithe for the PCI fix!
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.140:
https://www.cve.org/CVERecord?id=CVE-2023-46862
Fixed in 5.15.141:
https://www.cve.org/CVERecord?id=CVE-2023-6121
(* Security fix *)
patches/packages/glibc-zoneinfo-2023d-noarch-1_slack15.0.txz: Upgraded.
This package provides the latest timezone updates.
patches/packages/postfix-3.6.13-x86_64-1_slack15.0.txz: Upgraded.
Security: this release adds support to defend against an email spoofing
attack (SMTP smuggling) on recipients at a Postfix server. Sites
concerned about SMTP smuggling attacks should enable this feature on
Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
For more information, see:
https://www.postfix.org/smtp-smuggling.html
(* Security fix *)
patches/packages/bind-9.16.45-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/proftpd-1.3.8b-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
mod_sftp: implemented mitigations for "Terrapin" SSH attack.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-48795
(* Security fix *)
testing/packages/bind-9.18.21-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/bluez-5.71-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
It may have been possible for an attacker within Bluetooth range to inject
keystrokes (and possibly execute commands) while devices were discoverable.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-45866
(* Security fix *)
patches/packages/libxml2-2.11.6-x86_64-1_slack15.0.txz: Upgraded.
We're going to drop back to the 2.11 branch here on the stable releases
since it has all of the relevant security fixes and better compatibility.
patches/packages/libxml2-2.12.3-x86_64-1_slack15.0.txz: Upgraded.
This update addresses regressions when building against libxml2 that were
due to header file refactoring.
patches/packages/xorg-server-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.htmlhttps://www.cve.org/CVERecord?id=CVE-2023-6377https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-10_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-9_slack15.0.txz: Rebuilt.
This update fixes two security issues:
Out-of-bounds memory write in XKB button actions.
Out-of-bounds memory read in RRChangeOutputProperty and
RRChangeProviderProperty.
For more information, see:
https://lists.x.org/archives/xorg/2023-December/061517.htmlhttps://www.cve.org/CVERecord?id=CVE-2023-6377https://www.cve.org/CVERecord?id=CVE-2023-6478
(* Security fix *)
