Slackwarearm-14.2 ChangeLog (2018-06-04)

Mon Jun 04 08:08:08 UTC 2018

  • patches/packages/git-2.14.4-arm-1_slack14.2.txz
    This update fixes security issues:
    Submodule “names” come from the untrusted .gitmodules file, but we
    blindly append them to $GIT_DIR/modules to create our on-disk repo
    paths. This means you can do bad things by putting “../” into the
    name. We now enforce some rules for submodule names which will cause
    Git to ignore these malicious names (CVE-2018-11235).
    Credit for finding this vulnerability and the proof of concept from
    which the test script was adapted goes to Etienne Stalmans.
    It was possible to trick the code that sanity-checks paths on NTFS
    into reading random piece of memory (CVE-2018-11233).
    Credit for fixing for these bugs goes to Jeff King, Johannes
    Schindelin and others.
    For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
    (* Security fix *)
  • patches/packages/nano-2.9.8-arm-1_slack14.2.txz
  • news/2018/06/04/slackwarearm-14.2-changelog.txt
  • Last modified: 2 years ago
  • by Giuseppe Di Terlizzi