Slackwarearm-14.2 ChangeLog (2017-12-20)
Wed Dec 20 08:08:08 UTC 2017
Packages
Upgraded
- patches/packages/ruby-2.2.9-arm-1_slack14.2.txz
This update fixes a security issue:
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile
use Kernel#open to open a local file. If the localfile argument starts with
the pipe character “|”, the command following the pipe character is executed.
The default value of localfile is File.basename(remotefile), so malicious FTP
servers could cause arbitrary command execution.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
(* Security fix *)
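
A caller-side guard for the issue described above, as an added example that is not part of the ChangeLog or of Ruby's own code. The helper names `safe_local_path`, `write_download` and `file_open_treats_pipe_as_name?` and the sample file names are constructed for illustration; the guard validates the server-supplied name and writes with File.open, which treats its argument strictly as a path.

```ruby
require "tmpdir"

# Hypothetical helper (not part of Net::FTP): turn a server-supplied remote
# name into a local path without ever passing it to Kernel#open.
def safe_local_path(remotefile, download_dir)
  name = File.basename(remotefile.to_s)
  # A leading "|" is what Kernel#open interprets as "run this command".
  # Empty, ".", ".." and "/" are rejected because they do not name a file.
  if name.empty? || %w[. .. /].include?(name) || name.start_with?("|")
    raise ArgumentError, "refusing unsafe remote file name: #{name.inspect}"
  end
  File.join(download_dir, name)
end

# Store downloaded data. File.open always treats its argument as a path,
# so no command is started even if validation were bypassed.
def write_download(remotefile, data, download_dir)
  path = safe_local_path(remotefile, download_dir)
  File.open(path, "wb") { |f| f.write(data) }
  path
end

# Shows the difference in behaviour: File.open with a leading pipe creates a
# file literally named "|constructed-name". Returns true if that file exists.
def file_open_treats_pipe_as_name?
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.open("|constructed-name", "w") { |f| f.write("x") }
      File.file?(File.join(dir, "|constructed-name"))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts write_download("pub/readme.txt", "hello", dir)
    begin
      write_download("pub/|constructed-name", "x", dir)
    rescue ArgumentError => e
      puts e.message
    end
  end
  puts file_open_treats_pipe_as_name?
end
```

Passing an explicit, validated localfile to Net::FTP#get instead of relying on the File.basename(remotefile) default applies the same check on an installation that has not yet been upgraded.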