This is an old revision of the document!
Slackwarearm-14.2 ChangeLog (2018-06-04)
Mon Jun 04 08:08:08 UTC 2018
Packages
Upgraded
- patches/packages/git-2.14.4-arm-1_slack14.2.txz
This update fixes security issues:
Submodule “names” come from the untrusted .gitmodules file, but we
blindly append them to $GIT_DIR/modules to create our on-disk repo
paths. This means you can do bad things by putting “../” into the
name. We now enforce some rules for submodule names which will cause
Git to ignore these malicious names (CVE-2018-11235).
Credit for finding this vulnerability and the proof of concept from
which the test script was adapted goes to Etienne Stalmans.
It was possible to trick the code that sanity-checks paths on NTFS
into reading random piece of memory (CVE-2018-11233).
Credit for fixing for these bugs goes to Jeff King, Johannes
Schindelin and others.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
(* Security fix *) - patches/packages/nano-2.9.8-arm-1_slack14.2.txz