Slackware-current ChangeLog (2017-04-21)
Fri Apr 21 22:40:12 UTC 2017
Packages
Rebuilt
- a/etc-14.2-i586-10.txz
Added user:group for NTP (UID 44/GID 44).
Upgraded
- n/curl-7.54.0-i586-1.txz
This update fixes a security issue:
Switch off SSL session id when client cert is used.
For more information, see:
https://curl.haxx.se/docs/adv_20170419.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468
(* Security fix *)
- n/dhcpcd-6.11.5-i586-1.txz
Thanks to Robby Workman.
- n/ntp-4.2.8p10-i586-1.txz
There were some changes made to NTP setup in -current:
First, NTP drops privileges and runs as ntp:ntp. Be sure to install the
updated etc package to get the new user and group.
Some files have been relocated:
The ntp.keys file has moved from /etc/ntp/ to /etc/.
The drift and stats files now reside in /var/lib/ntp/.
The step-tickers file has been removed. It's actually been deprecated for
a while and nothing has referenced it for quite some time.
Be sure to move the new rc.ntpd.new into place, and move over or merge
from the .new config files.
Thanks to Robby Workman for help with these changes.
In addition to bug fixes and enhancements, this release fixes security
issues of medium and low severity:
Denial of Service via Malformed Config (Medium)
Authenticated DoS via Malicious Config Option (Medium)
Potential Overflows in ctl_put() functions (Medium)
Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
0rigin DoS (Medium)
Buffer Overflow in DPTS Clock (Low)
Improper use of snprintf() in mx4200_send() (Low)
The following issues do not apply to Linux systems:
Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
(* Security fix *)
- n/proftpd-1.3.6-i586-1.txz
This release fixes a security issue:
AllowChrootSymlinks off does not check entire DefaultRoot path for symlinks.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7418
(* Security fix *)
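
The NTP setup changes in the ntp entry above can be checked after the upgrade with a small audit function. This is an added example, not part of the ChangeLog or the Slackware packages. The function name, the optional ROOT prefix, and the file names /etc/ntp.conf, ntp.conf.new and ntp.keys.new are assumptions.

```shell
#!/bin/sh
# Added example: audit a system (or an unpacked tree) against the NTP changes
# listed in this entry. UID/GID 44, /etc/ntp.keys, /var/lib/ntp/ and
# rc.ntpd.new come from the ChangeLog text. Assumptions: the function name,
# the optional ROOT prefix, and the stock locations /etc/ntp.conf and
# /etc/rc.d/ for the config and rc files.
check_ntp_layout() {
    root="${1:-}"
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # ntpd now drops privileges to ntp:ntp, so both IDs must exist.
    awk -F: '$1 == "ntp" && $3 == 44 { ok = 1 } END { exit !ok }' \
        "$root/etc/passwd" 2>/dev/null || note "no user ntp with UID 44"
    awk -F: '$1 == "ntp" && $3 == 44 { ok = 1 } END { exit !ok }' \
        "$root/etc/group" 2>/dev/null || note "no group ntp with GID 44"

    # ntp.keys moved from /etc/ntp/ to /etc/; a leftover copy is stale key material.
    if [ -e "$root/etc/ntp/ntp.keys" ]; then note "stale /etc/ntp/ntp.keys"; fi
    if [ ! -f "$root/etc/ntp.keys" ]; then note "/etc/ntp.keys not found"; fi

    # Drift and stats files now reside in /var/lib/ntp/.
    if [ ! -d "$root/var/lib/ntp" ]; then note "/var/lib/ntp missing"; fi
    if [ -f "$root/etc/ntp.conf" ]; then
        bad=$(awk '($1 == "driftfile" || $1 == "statsdir") &&
                   $2 !~ /^\/var\/lib\/ntp\// { printf "%s=%s ", $1, $2 }' \
                  "$root/etc/ntp.conf")
        if [ -n "$bad" ]; then note "ntp.conf still uses old paths: $bad"; fi
    fi

    # Unmerged .new files mean the old rc script or config is still live.
    for f in etc/rc.d/rc.ntpd.new etc/ntp.conf.new etc/ntp.keys.new; do
        if [ -e "$root/$f" ]; then note "unmerged /$f"; fi
    done
    [ "$findings" -eq 0 ]
}

# Run against the live system when called as: sh script.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then check_ntp_layout "${2:-}"; fi
```

The function prints one FINDING line per problem and returns non-zero if any were found.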