Slackwarearm-14.2 ChangeLog (1970-01-01)
+patches/packages/git-2.14.1-x86_64-1_slack14.2.txz: Upgraded.
Fixes security issues:
A “ssh:…” URL can result in a “ssh” command line with a hostname that
begins with a dash “-”, which would cause the “ssh” command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
host and port that are parsed out from “ssh:…” URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash “-” as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(* Security fix *)
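The check described above is small enough to show in full. The following C program is an added illustration written for this ChangeLog entry, not git's own source: it parses the host and port out of an "ssh:…" URL (a hypothetical minimal parser, enough for the example) and then refuses any host or port that begins with a dash, which is exactly the gate git 2.14.1 applies before the values reach the "ssh" command line or a GIT_PROXY_COMMAND. Bracketed IPv6 literals are handled so a legitimate "[::1]:2222" is not mistaken for a port. All sample URLs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A string that begins with a dash would be read as an option by ssh
 * (or by a GIT_PROXY_COMMAND that does not guard its arguments). */
int looks_like_command_line_option(const char *str)
{
    return str != NULL && str[0] == '-';
}

/* Copy the bytes [start, start+len) into a fresh NUL-terminated buffer.
 * (Avoids strndup so the example builds with plain ISO C.) */
static char *dup_range(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Minimal parser for ssh://[user@]host[:port]/path (hypothetical, for this
 * example only). Returns 0 on success and sets *host_out and, if a port was
 * present, *port_out (otherwise NULL); the caller frees both. Both outputs
 * are set to NULL before any failure return, so freeing them is always safe. */
int parse_ssh_url(const char *url, char **host_out, char **port_out)
{
    static const char prefix[] = "ssh://";
    size_t plen = sizeof(prefix) - 1;
    *host_out = NULL;
    *port_out = NULL;
    if (strncmp(url, prefix, plen) != 0)
        return -1;

    const char *auth = url + plen;              /* [user@]host[:port] */
    const char *slash = strchr(auth, '/');
    size_t alen = slash ? (size_t)(slash - auth) : strlen(auth);
    char *authority = dup_range(auth, alen);
    if (!authority)
        return -1;

    char *at = strrchr(authority, '@');         /* drop any user@ part */
    char *hostpart = at ? at + 1 : authority;

    char *colon = NULL;                         /* port separator, if any */
    if (hostpart[0] == '[') {                   /* bracketed IPv6 literal */
        char *close = strchr(hostpart, ']');
        if (close && close[1] == ':')
            colon = close + 1;
    } else {
        colon = strrchr(hostpart, ':');
    }
    if (colon) {
        *port_out = dup_range(colon + 1, strlen(colon + 1));
        *colon = '\0';
    }
    *host_out = dup_range(hostpart, strlen(hostpart));
    free(authority);
    return (*host_out && (!colon || *port_out)) ? 0 : -1;
}

/* The gate from the fix: refuse a host or port that begins with a dash.
 * Returns 0 when the target may be handed to ssh / GIT_PROXY_COMMAND,
 * -1 when it must be blocked (or the URL cannot be parsed). */
int validate_ssh_target(const char *url)
{
    char *host, *port;
    int rc = parse_ssh_url(url, &host, &port);
    if (rc == 0 && (looks_like_command_line_option(host) ||
                    looks_like_command_line_option(port)))
        rc = -1;
    free(host);
    free(port);
    return rc;
}

int main(void)
{
    const char *samples[] = {                   /* constructed inputs */
        "ssh://git@example.com:22/repo.git",
        "ssh://[::1]:2222/repo.git",
        "ssh://-example/repo.git",
        "ssh://example.com:-1/repo.git",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-40s %s\n", samples[i],
               validate_ssh_target(samples[i]) == 0 ? "ok" : "blocked");
    return 0;
}
```

The rejection happens before any child process is spawned, which is why the fix has no effect on ordinary repositories: no real hostname or port starts with a dash, so only the malformed inputs are ever turned away.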
Fri Aug 11 08:08:08 UTC 2017
Packages
Upgraded
- patches/packages/curl-7.55.0-arm-1_slack14.2.txz
This update fixes three security issues:
URL globbing out of bounds read
TFTP sends more than buffer size
FILE buffer read out of bounds
For more information, see:
https://curl.haxx.se/docs/adv_20170809A.html
https://curl.haxx.se/docs/adv_20170809B.html
https://curl.haxx.se/docs/adv_20170809C.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099
(* Security fix *)
Rebuilt
- patches/packages/glibc-2.23-arm-6_slack14.2.txz
Fixed a regression with the recent glibc patch packages:
Don't clobber the libm.so linker script with a symlink.
Thanks to guanx.
- patches/packages/glibc-i18n-2.23-arm-6_slack14.2.txz
- patches/packages/glibc-profile-2.23-arm-6_slack14.2.txz
- patches/packages/glibc-solibs-2.23-arm-6_slack14.2.txz