Slackwarearm-14.2 ChangeLog (2022-01-20)
Thu Jan 20 08:08:08 UTC 2022
Packages
Upgraded
- patches/packages/expat-2.4.3-arm-1_slack14.2.txz
Fix issues with left shifts by >=29 places resulting in:
a) realloc acting as free
b) realloc allocating too few bytes
c) undefined behavior
Fix integer overflow on variable m_groupSize in function doProlog leading
to realloc acting as free. Impact is denial of service or other undefined
behavior.
Prevent integer overflows near memory allocation at multiple places.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
(* Security fix *) - patches/packages/wpa_supplicant-2.9-arm-1_slack14.2.txz
This update contains patches for these security issues:
The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant
before 2.10 are vulnerable to side-channel attacks as a result of cache
access patterns.
NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23304
(* Security fix *)