Slackware-14.1 ChangeLog (2018-06-01)

Fri Jun 1 21:28:10 UTC 2018

  • patches/packages/git-2.14.4-i486-1_slack14.1.txz
    This update fixes security issues:
    Submodule “names” come from the untrusted .gitmodules file, but we
    blindly append them to $GIT_DIR/modules to create our on-disk repo
    paths. This means you can do bad things by putting “../” into the
    name. We now enforce some rules for submodule names which will cause
    Git to ignore these malicious names (CVE-2018-11235).
    Credit for finding this vulnerability and the proof of concept from
    which the test script was adapted goes to Etienne Stalmans.
    It was possible to trick the code that sanity-checks paths on NTFS
    into reading a random piece of memory (CVE-2018-11233).
    Credit for fixing these bugs goes to Jeff King, Johannes
    Schindelin and others.
    For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
    (* Security fix *)
  • Last modified: 8 months ago
  • by Giuseppe Di Terlizzi