Slackware-14.2 ChangeLog (2017-08-11)

Fri Aug 11 23:02:43 UTC 2017

  • patches/packages/git-2.14.1-i586-1_slack14.2.txz
    Fixes security issues:
    A “ssh:…” URL can result in a “ssh” command line with a hostname that
    begins with a dash “-”, which would cause the “ssh” command to instead
    (mis)treat it as an option. This is now prevented by forbidding such a
    hostname (which should not impact any real-world usage).
    Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
    host and port that are parsed out from “ssh:
    …” URL; a poorly written
    GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
    dash “-” as an option. This is now prevented by forbidding such a hostname
    and port number (again, which should not impact any real-world usage).
    For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
    (* Security fix *)
  • patches/packages/mercurial-4.3.1-i586-1_slack14.2.txz
    Fixes security issues:
    Mercurial's symlink auditing was incomplete prior to 4.3, and could
    be abused to write to files outside the repository.
    Mercurial was not sanitizing hostnames passed to ssh, allowing
    shell injection attacks on clients by specifying a hostname starting
    with -oProxyCommand.
    For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
    (* Security fix *)
  • patches/packages/subversion-1.9.7-i586-1_slack14.2.txz
    Fixed client side arbitrary code execution vulnerability.
    For more information, see:
    https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
    (* Security fix *)
  • news/2017/08/11/slackware-14.2-changelog.txt
  • Last modified: 8 months ago
  • by Giuseppe Di Terlizzi