Slackware-14.2 ChangeLog (2017-12-20)

Wed Dec 20 03:05:58 UTC 2017

  • patches/packages/ruby-2.2.9-i586-1_slack14.2.txz
    This update fixes a security issue:
    Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile
    use Kernel#open to open a local file. If the localfile argument starts with
    the pipe character “|”, the command following the pipe character is executed.
    The default value of localfile is File.basename(remotefile), so malicious FTP
    servers could cause arbitrary command execution.
    For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405
    (* Security fix *)
  • news/2017/12/20/slackware-14.2-changelog.txt
  • Last modified: 7 months ago
  • by Giuseppe Di Terlizzi