====== Slackware64-14.1 ChangeLog (2015-04-21) ======

====== Tue Apr 21 23:44:00 UTC 2015 ======

===== Packages =====

==== Upgraded ====

  * [[slackware64.14.1>patches/packages/bind-9.9.6_P2-x86_64-1_slack14.1.txz]] \\ Fix some denial-of-service and other security issues. \\ For more information, see: \\ https://kb.isc.org/article/AA-01166/ \\ https://kb.isc.org/article/AA-01161/ \\ https://kb.isc.org/article/AA-01167/ \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3214 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/gnupg-1.4.19-x86_64-1_slack14.1.txz]] \\ * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591]. \\ See http://www.cs.tau.ac.il/~tromer/radioexp/ for details. \\ * Fixed data-dependent timing variations in modular exponentiation \\ [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks \\ are Practical]. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/httpd-2.4.12-x86_64-1_slack14.1.txz]] \\ This update fixes the following security issues: \\ * CVE-2014-3583 mod_proxy_fcgi: Fix a potential crash due to buffer \\ over-read, with response headers' size above 8K. \\ * CVE-2014-3581 mod_cache: Avoid a crash when Content-Type has an \\ empty value. PR 56924. \\ * CVE-2014-8109 mod_lua: Fix handling of the Require line when a \\ LuaAuthzProvider is used in multiple Require directives with \\ different arguments. PR57204. \\ * CVE-2013-5704 core: HTTP trailers could be used to replace HTTP \\ headers late during request processing, potentially undoing or \\ otherwise confusing modules that examined or modified request \\ headers earlier. Adds "MergeTrailers" directive to restore legacy \\ behavior. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/libssh-0.6.4-x86_64-1_slack14.1.txz]] \\ This update fixes some security issues. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0017 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8132 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/mozilla-firefox-31.6.0esr-x86_64-1_slack14.1.txz]] \\ This release contains security fixes and improvements. \\ For more information, see: \\ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/mozilla-thunderbird-31.6.0-x86_64-1_slack14.1.txz]] \\ This release contains security fixes and improvements. \\ For more information, see: \\ http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/ntp-4.2.8p2-x86_64-1_slack14.1.txz]] \\ In addition to bug fixes and enhancements, this release fixes the \\ following medium-severity vulnerabilities involving private key \\ authentication: \\ * ntpd accepts unauthenticated packets with symmetric key crypto. \\ * Authentication doesn't protect symmetric associations against DoS attacks. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/openssl-1.0.1m-x86_64-1_slack14.1.txz]] \\ Fixes several bugs and security issues: \\ o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286) \\ o ASN.1 structure reuse memory corruption fix (CVE-2015-0287) \\ o PKCS7 NULL pointer dereferences fix (CVE-2015-0289) \\ o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293) \\ o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209) \\ o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288) \\ o Removed the export ciphers from the DEFAULT ciphers \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/openssl-solibs-1.0.1m-x86_64-1_slack14.1.txz]]
  * [[slackware64.14.1>patches/packages/php-5.4.40-x86_64-1_slack14.1.txz]] \\ This update fixes some security issues. \\ Please note that this package build also moves the configuration files \\ from /etc/httpd to /etc, /etc/php.d, and /etc/php-fpm.d. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3330 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/proftpd-1.3.4e-x86_64-1_slack14.1.txz]] \\ Patched an issue where mod_copy allowed unauthenticated copying \\ of files via SITE CPFR/CPTO. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/qt-4.8.6-x86_64-1_slack14.1.txz]] \\ Fixed issues with BMP, ICO, and GIF handling that could lead to a denial \\ of service or the execution of arbitrary code when processing malformed \\ images. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0295 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1858 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1859 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1860 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/seamonkey-2.33.1-x86_64-1_slack14.1.txz]] \\ This update contains security fixes and improvements. \\ For more information, see: \\ http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/seamonkey-solibs-2.33.1-x86_64-1_slack14.1.txz]]

==== Rebuilt ====

  * [[slackware64.14.1>patches/packages/mutt-1.5.23-x86_64-2_slack14.1.txz]] \\ Patched a vulnerability where malformed headers can cause mutt to crash. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9116 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/ppp-2.4.5-x86_64-3_slack14.1.txz]] \\ Fixed a potential security issue in parsing option files. \\ Fixed remotely triggerable PID overflow that causes pppd to crash. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3310 \\ (* Security fix *)

{{tag>slackware changelog slackware64-14.1 2015-04}}

Last modified: 6 months ago by Giuseppe Di Terlizzi