Slackwarearm-14.2 ChangeLog (2016-02-29)
Mon Feb 29 16:15:14 UTC 2016
Packages
Upgraded
- a/btrfs-progs-4.4.1-arm-1.txz
- a/glibc-solibs-2.23-arm-1.txz
- a/kernel-firmware-20160223git-noarch-1.txz
- a/kernel-modules-armv5-4.4.3_armv5-arm-1.txz
- a/kernel-modules-armv7-4.4.3_armv7-arm-1.txz
- a/kernel_armv5-4.4.3-arm-1.txz
Removed orion_nand from initrd due to Kernel oops. See Change Log entry
above for 'eudev'.
- a/kernel_armv7-4.4.3-arm-1.txz
- a/sdparm-1.10-arm-1.txz
- ap/mariadb-10.0.24-arm-1.txz
- ap/nano-2.5.3-arm-1.txz
- ap/vim-7.4.1424-arm-1.txz
- d/gdb-7.11-arm-1.txz
- d/kernel-headers-4.4.3-arm-1.txz
- k/kernel-source-4.4.3-arm-1.txz
- l/glibc-2.23-arm-1.txz
This update contains security fixes and improvements.
Of the security fixes, the most important and well-publicized is the
stack-based buffer overflow in libresolv that could allow specially
crafted DNS responses to seize control of execution flow in the DNS
client (CVE-2015-7547). However, due to a patch applied to Slackware's
glibc back in 2009 (don't use the gethostbyname4() lookup method as it
was causing some cheap routers to misbehave), we were not vulnerable to
that issue. The rest of the fixed security issues are less critical.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
(* Security fix *)
- l/glibc-i18n-2.23-arm-1.txz
- l/glibc-profile-2.23-arm-1.txz
- l/gtk+3-3.18.8-arm-1.txz
- l/libical-2.0.0-arm-1.txz
Shared library .so-version bump.
- l/libproxy-0.4.12-arm-1.txz
- l/libssh-0.7.3-arm-1.txz
Fixed weak key generation. Due to a bug in the ephemeral secret key
generation for the diffie-hellman-group1 and diffie-hellman-group14
methods, ephemeral secret keys of size 128 bits are generated, instead
of the recommended sizes of 1024 and 2048 bits, giving a practical
security of 63 bits.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
(* Security fix *)
- l/libssh2-1.7.0-arm-1.txz: Moved.
Moved from N → L series to be consistent with libssh.
- l/sg3_utils-1.42-arm-1.txz
- n/bind-9.10.3_P3-arm-1.txz
This release fixes two possible denial-of-service issues:
render_ecs errors were mishandled when printing out an OPT record resulting
in an assertion failure. (CVE-2015-8705) [RT #41397]
Specific APL data could trigger an INSIST. (CVE-2015-8704) [RT #41396]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705
(* Security fix *)
- n/libgcrypt-1.6.5-arm-1.txz
Mitigate side-channel attack on ECDH with Weierstrass curves.
For more information, see:
http://www.cs.tau.ac.IL/~tromer/ecdh/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511
(* Security fix *)
- n/libssh2-1.7.0-arm-1.txz
Fixed weak key generation. During the SSHv2 handshake, when libssh2 needs a
suitable value for 'group order' in the Diffie-Hellman negotiation, it
passed a number of bytes to a function that expected a number of bits.
As a result, the library generated numbers using only an eighth of the
random bits intended: 128 or 256 bits instead of 1023 or 2047. Using such
a drastically reduced number of random bits for Diffie-Hellman weakened
the handshake security significantly.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787
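The bytes-versus-bits mix-up described in the libssh2 entry above, as an added C illustration (not libssh2's code). `demo_rand_bits` is a hypothetical stand-in for a bignum random routine that takes a bit count; it sets every requested bit so the result is deterministic and shows the largest exponent each call pattern can produce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bignum random routine whose size argument is
 * a number of BITS. Sets every requested bit instead of using a CSPRNG. */
static void demo_rand_bits(uint8_t *out, size_t len, size_t nbits)
{
    memset(out, 0, len);
    for (size_t i = 0; i < nbits && i < len * 8; i++)
        out[len - 1 - i / 8] |= (uint8_t)(1u << (i % 8));
}

/* Bit length of a big-endian integer (index of the highest set bit, plus one). */
static size_t bit_length(const uint8_t *n, size_t len)
{
    size_t bits = len * 8;
    while (bits > 0 && !(n[len - 1 - (bits - 1) / 8] & (1u << ((bits - 1) % 8))))
        bits--;
    return bits;
}

/* Flawed pattern: the group size in BYTES is passed where BITS are expected. */
size_t secret_bits_flawed(size_t group_bytes)
{
    uint8_t x[512];
    demo_rand_bits(x, sizeof x, group_bytes);
    return bit_length(x, sizeof x);
}

/* Corrected pattern: convert bytes to bits before asking for randomness. */
size_t secret_bits_fixed(size_t group_bytes)
{
    uint8_t x[512];
    demo_rand_bits(x, sizeof x, group_bytes * 8 - 1);
    return bit_length(x, sizeof x);
}

int main(void)
{
    const size_t groups[] = { 128, 256 };  /* 1024- and 2048-bit groups, in bytes */
    for (size_t i = 0; i < 2; i++)
        printf("%zu-byte group: flawed %zu bits, fixed %zu bits\n", groups[i],
               secret_bits_flawed(groups[i]), secret_bits_fixed(groups[i]));
    return 0;
}
```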
(* Security fix *)
- n/nmap-7.01-arm-1.txz
- n/ntp-4.2.8p6-arm-1.txz
In addition to bug fixes and enhancements, this release fixes
several low and medium severity vulnerabilities.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
(* Security fix *)
- n/samba-4.3.5-arm-1.txz
- x/mesa-11.1.2-arm-1.txz
- x/xf86-video-amdgpu-1.0.1-arm-1.txz
- xap/vim-gvim-7.4.1424-arm-1.txz
- extra/tigervnc/tigervnc-1.6.0-arm-1.txz
- kernels/*
Rebuilt
- a/eudev-3.1.5-arm-4.txz
Blacklisted orion_nand due to it causing a Kernel oops on the Sheevaplugs/
Kirkwood platforms. I've reported this upstream:
https://bugzilla.kernel.org/show_bug.cgi?id=111701
If this is a problem for you - sorry, but I cannot release with Linux 4.3.x
as it's now EOL. If a patch materialises I will include it prior to release
or patch afterwards.
- ap/cups-2.1.3-arm-2.txz
Corrected build script to use compiler flags. Thanks to ecd102.
- ap/mc-4.8.15-arm-2.txz
Patched to fix displaying man pages. Thanks to DarkVision.
- kde/kdepimlibs-4.14.10-arm-3.txz
Recompiled against libical-2.0.0.
- l/GConf-3.2.6-arm-4.txz
Patched “GConf-WARNING **: Client failed to connect to the D-BUS daemon:”
and added a couple other patches from git. Thanks to Robby Workman.
- l/alsa-lib-1.1.0-arm-3.txz
Changed the default /etc/asound.conf.new to use a different configuration
for PulseAudio that is less likely to cause issues than the previous one,
especially on machines where the analog output is not recognized as card 0
by the BIOS. Thanks to Ryan P.C. McQuen who went above and beyond on this
bug report by convincing upstream to recommend this on their website in
order to convince me to make the change.
- n/bluez-5.37-arm-2.txz
Recompiled against libical-2.0.0.
- xap/blueman-2.0.3-arm-2.txz
Rewrite launcher scripts to use #!/usr/bin/python2.7 rather than
#!/usr/bin/env python.
For details, see: https://github.com/blueman-project/blueman/issues/435
Thanks to zakame and Robby Workman.
- xfce/orage-4.12.1-arm-3.txz
Recompiled against libical-2.0.0.
- isolinux/*