Fixes security issues:
A “ssh:…” URL can result in a “ssh” command line with a hostname that
begins with a dash “-”, which would cause the “ssh” command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
host and port that are parsed out from “ssh:…” URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash “-” as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(* Security fix *)

Fri Aug 11 08:08:08 UTC 2017

• patches/packages/curl-7.55.0-arm-1_slack14.2.txz
  This update fixes three security issues:
  URL globbing out of bounds read
  TFTP sends more than buffer size
  FILE buffer read out of bounds
  For more information, see:
  https://curl.haxx.se/docs/adv_20170809A.html
  https://curl.haxx.se/docs/adv_20170809B.html
  https://curl.haxx.se/docs/adv_20170809C.html
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099
  (* Security fix *)

• patches/packages/glibc-2.23-arm-6_slack14.2.txz
  Fixed a regression with the recent glibc patch packages:
  Don't clobber the libm.so linker script with a symlink.
  Thanks to guanx.
• patches/packages/glibc-i18n-2.23-arm-6_slack14.2.txz
• patches/packages/glibc-profile-2.23-arm-6_slack14.2.txz
• patches/packages/glibc-solibs-2.23-arm-6_slack14.2.txz