====== Slackware64-14.1 ChangeLog (2016-12-24) ======

====== Sat Dec 24 18:14:51 UTC 2016 ======

===== Packages =====

==== Upgraded ====

  * [[slackware64.14.1>patches/packages/expat-2.2.0-x86_64-1_slack14.1.txz]] \\ This update fixes bugs and security issues: \\ Multiple integer overflows in XML_GetBuffer. \\ Fix crash on malformed input. \\ Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716. \\ Use more entropy for hash initialization. \\ Resolve troublesome internal call to srand. \\ For more information, see: \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 \\ (* Security fix *)

====== Sat Dec 24 02:36:05 UTC 2016 ======

===== Packages =====

==== Upgraded ====

  * [[slackware64.14.1>patches/packages/httpd-2.4.25-x86_64-1_slack14.1.txz]] \\ This update fixes the following security issues: \\ * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. \\ * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues. \\ * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. \\ * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. \\ * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. \\ For more information, see: \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/openssh-7.4p1-x86_64-1_slack14.1.txz]] \\ This is primarily a bugfix release, and also addresses security issues. \\ ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist. \\ sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root'. \\ sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc(). \\ sshd(8): The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers to potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process. \\ sshd(8): Validate address ranges for AllowUsers and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. \\ For more information, see: \\ https://www.openssh.com/txt/release-7.4 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012 \\ (* Security fix *)
  * [[slackware64.14.1>patches/packages/xfce4-weather-plugin-0.8.8-x86_64-1_slack14.1.txz]] \\ Package upgraded to fix the API used to fetch weather data. \\ Thanks to Robby Workman.

{{tag>slackware changelog slackware64-14.1 2016-12}}

Last modified: 5 months ago by Giuseppe Di Terlizzi