SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
4 updates (x86_64). Including a (* Security fix *)! : 4 upgraded
Code:
Thu Jan 26 00:34:41 UTC 2023
patches/packages/bind-9.16.37-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and the following security issues:
An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100).
:iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
non-zero value. This has been fixed.
:iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
For more information, see:
https://kb.isc.org/docs/cve-2022-3094
https://kb.isc.org/docs/cve-2022-3736
https://kb.isc.org/docs/cve-2022-3924
https://www.cve.org/CVERecord?id=CVE-2022-3094
https://www.cve.org/CVERecord?id=CVE-2022-3736
https://www.cve.org/CVERecord?id=CVE-2022-3924
(* Security fix *)
patches/packages/vim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded.
Fixed a security issue:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0433
(* Security fix *)
patches/packages/vim-gvim-9.0.1241-x86_64-1_slack15.0.txz: Upgraded.
testing/packages/bind-9.18.11-x86_64-1_slack15.0.txz: Upgraded.
This update fixes bugs and the following security issues:
An UPDATE message flood could cause :iscman:`named` to exhaust all
available memory. This flaw was addressed by adding a new
:any:`update-quota` option that controls the maximum number of
outstanding DNS UPDATE messages that :iscman:`named` can hold in a
queue at any given time (default: 100).
:iscman:`named` could crash with an assertion failure when an RRSIG
query was received and :any:`stale-answer-client-timeout` was set to a
non-zero value. This has been fixed.
:iscman:`named` running as a resolver with the
:any:`stale-answer-client-timeout` option set to any value greater
than ``0`` could crash with an assertion failure, when the
:any:`recursive-clients` soft quota was reached. This has been fixed.
For more information, see:
https://kb.isc.org/docs/cve-2022-3094
https://kb.isc.org/docs/cve-2022-3736
https://kb.isc.org/docs/cve-2022-3924
https://www.cve.org/CVERecord?id=CVE-2022-3094
https://www.cve.org/CVERecord?id=CVE-2022-3736
https://www.cve.org/CVERecord?id=CVE-2022-3924
(* Security fix *)
3 updates (x86_64). Including a (* Security fix *)! : 3 upgraded
Code:
Wed Feb 1 22:27:31 UTC 2023
patches/packages/apr-1.7.2-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Integer Overflow or Wraparound vulnerability in apr_encode functions of
Apache Portable Runtime (APR) allows an attacker to write beyond bounds
of a buffer. (CVE-2022-24963)
Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
(This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
later 1.6.x releases, but was missing in 1.7.0.) (CVE-2021-35940)
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-24963
https://www.cve.org/CVERecord?id=CVE-2021-35940
https://www.cve.org/CVERecord?id=CVE-2017-12613
(* Security fix *)
patches/packages/apr-util-1.6.3-x86_64-1_slack15.0.txz: Upgraded.
This update fixes a security issue:
Integer Overflow or Wraparound vulnerability in apr_base64 functions
of Apache Portable Runtime Utility (APR-util) allows an attacker to
write beyond bounds of a buffer. (CVE-2022-25147)
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2022-25147
(* Security fix *)
patches/packages/mozilla-thunderbird-102.7.1-x86_64-1_slack15.0.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.7.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-04/
https://www.cve.org/CVERecord?id=CVE-2023-0430
(* Security fix *)
1 updates (x86_64). Including a (* Security fix *)! : 1 upgraded
Code:
Thu Feb 2 22:52:48 UTC 2023
patches/packages/openssh-9.2p1-x86_64-1_slack15.0.txz: Upgraded.
This release contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable, but
upstream reports most network-reachable memory faults as security bugs.
This update contains some potentially incompatible changes regarding the
scp utility. For more information, see:
https://www.openssh.com/releasenotes.html#9.0
For more information, see:
https://www.openssh.com/releasenotes.html#9.2
(* Security fix *)
7 updates (x86_64). Including a (* Security fix *)! : 2 upgraded, 5 rebuilt
Code:
Tue Feb 7 20:48:57 UTC 2023
patches/packages/openssl-1.1.1t-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
X.400 address type confusion in X.509 GeneralName.
Timing Oracle in RSA Decryption.
Use-after-free following BIO_new_NDEF.
Double free after calling PEM_read_bio_ex.
For more information, see:
https://www.openssl.org/news/secadv/20230207.txt
https://www.cve.org/CVERecord?id=CVE-2023-0286
https://www.cve.org/CVERecord?id=CVE-2022-4304
https://www.cve.org/CVERecord?id=CVE-2023-0215
https://www.cve.org/CVERecord?id=CVE-2022-4450
(* Security fix *)
patches/packages/openssl-solibs-1.1.1t-x86_64-1_slack15.0.txz: Upgraded.
patches/packages/xorg-server-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
[PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
Also merged another patch to prevent crashes when using a compositor with
the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0494
(* Security fix *)
patches/packages/xorg-server-xephyr-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xnest-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xvfb-1.20.14-x86_64-7_slack15.0.txz: Rebuilt.
patches/packages/xorg-server-xwayland-21.1.4-x86_64-6_slack15.0.txz: Rebuilt.
[PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses.
Also merged another patch to prevent crashes when using a compositor with
the NVIDIA blob. Thanks to mdinslage, willysr, and Daedra.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0494
(* Security fix *)
Thu Feb 9 00:59:27 UTC 2023
patches/packages/mozilla-thunderbird-102.7.2-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/102.7.2/releasenotes/
1 updates (x86_64). Including a (* Security fix *)! : 1 upgraded
Code:
Fri Feb 10 20:08:41 UTC 2023
patches/packages/gnutls-3.7.9-x86_64-1_slack15.0.txz: Upgraded.
libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
[GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0361
(* Security fix *)
5 updates (x86_64). Including a (* Security fix *)! : 4 upgraded, 1 rebuilt
Code:
Wed Feb 15 03:05:40 UTC 2023
extra/php80/php80-8.0.28-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
extra/php81/php81-8.1.16-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
patches/packages/hwdata-0.367-noarch-1_slack15.0.txz: Upgraded.
Upgraded to get information for newer hardware.
Requested by kingbeowulf on LQ.
patches/packages/mozilla-firefox-102.8.0esr-x86_64-1_slack15.0.txz: Upgraded.
This update contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/102.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/
https://www.cve.org/CVERecord?id=CVE-2023-25728
https://www.cve.org/CVERecord?id=CVE-2023-25730
https://www.cve.org/CVERecord?id=CVE-2023-25743
https://www.cve.org/CVERecord?id=CVE-2023-0767
https://www.cve.org/CVERecord?id=CVE-2023-25735
https://www.cve.org/CVERecord?id=CVE-2023-25737
https://www.cve.org/CVERecord?id=CVE-2023-25738
https://www.cve.org/CVERecord?id=CVE-2023-25739
https://www.cve.org/CVERecord?id=CVE-2023-25729
https://www.cve.org/CVERecord?id=CVE-2023-25732
https://www.cve.org/CVERecord?id=CVE-2023-25734
https://www.cve.org/CVERecord?id=CVE-2023-25742
https://www.cve.org/CVERecord?id=CVE-2023-25746
(* Security fix *)
patches/packages/php-7.4.33-x86_64-3_slack15.0.txz: Rebuilt.
This update fixes security issues:
Core: Password_verify() always return true with some hash.
Core: 1-byte array overrun in common path resolve code.
SAPI: DOS vulnerability when parsing multipart request body.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-0567
https://www.cve.org/CVERecord?id=CVE-2023-0568
https://www.cve.org/CVERecord?id=CVE-2023-0662
(* Security fix *)
2 updates (x86_64). Including a (* Security fix *)! : 2 upgraded
Code:
Wed Feb 15 19:48:10 UTC 2023
patches/packages/curl-7.88.0-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
HTTP multi-header compression denial of service.
HSTS amnesia with --parallel.
HSTS ignored on multiple requests.
For more information, see:
https://curl.se/docs/CVE-2023-23916.html
https://curl.se/docs/CVE-2023-23915.html
https://curl.se/docs/CVE-2023-23914.html
https://www.cve.org/CVERecord?id=CVE-2023-23916
https://www.cve.org/CVERecord?id=CVE-2023-23915
https://www.cve.org/CVERecord?id=CVE-2023-23914
(* Security fix *)
patches/packages/git-2.35.7-x86_64-1_slack15.0.txz: Upgraded.
This update fixes security issues:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-22490
https://www.cve.org/CVERecord?id=CVE-2023-23946
(* Security fix *)
2 updates (x86_64). Including a (* Security fix *)! : 2 upgraded
Code:
Sat Feb 18 02:04:34 UTC 2023
patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
For more information, see:
Fixed in 5.15.81:
https://www.cve.org/CVERecord?id=CVE-2022-47519
https://www.cve.org/CVERecord?id=CVE-2022-47518
https://www.cve.org/CVERecord?id=CVE-2022-47520
https://www.cve.org/CVERecord?id=CVE-2022-47521
https://www.cve.org/CVERecord?id=CVE-2022-3344
Fixed in 5.15.82:
https://www.cve.org/CVERecord?id=CVE-2022-45869
https://www.cve.org/CVERecord?id=CVE-2022-4378
Fixed in 5.15.83:
https://www.cve.org/CVERecord?id=CVE-2022-3643
Fixed in 5.15.84:
https://www.cve.org/CVERecord?id=CVE-2022-3545
Fixed in 5.15.85:
https://www.cve.org/CVERecord?id=CVE-2022-45934
Fixed in 5.15.86:
https://www.cve.org/CVERecord?id=CVE-2022-3534
https://www.cve.org/CVERecord?id=CVE-2022-3424
Fixed in 5.15.87:
https://www.cve.org/CVERecord?id=CVE-2022-41218
https://www.cve.org/CVERecord?id=CVE-2023-23455
https://www.cve.org/CVERecord?id=CVE-2023-23454
https://www.cve.org/CVERecord?id=CVE-2023-0045
https://www.cve.org/CVERecord?id=CVE-2023-0210
https://www.cve.org/CVERecord?id=CVE-2022-36280
Fixed in 5.15.88:
https://www.cve.org/CVERecord?id=CVE-2023-0266
https://www.cve.org/CVERecord?id=CVE-2022-47929
Fixed in 5.15.89:
https://www.cve.org/CVERecord?id=CVE-2023-0179
https://www.cve.org/CVERecord?id=CVE-2023-0394
Fixed in 5.15.90:
https://www.cve.org/CVERecord?id=CVE-2022-4382
https://www.cve.org/CVERecord?id=CVE-2022-4842
Fixed in 5.15.91:
https://www.cve.org/CVERecord?id=CVE-2022-4129
https://www.cve.org/CVERecord?id=CVE-2023-23559
(* Security fix *)
2 updates (x86_64). Including a (* Security fix *)! : 2 upgraded
Code:
Sat Feb 18 02:04:34 UTC 2023
patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
There is a small typo in the upstream changelog, back in november the kernel was updated to 5.15.80 and it was probably a copy-past-error as it now instead was updated to 5.15.94.
There is a small typo in the upstream changelog, back in november the kernel was updated to 5.15.80 and it was probably a copy-past-error as it now instead was updated to 5.15.94.
regards Henrik
Code:
Sat Feb 18 02:04:34 UTC 2023
patches/packages/kernel-firmware-20230214_a253a37-noarch-1.txz: Upgraded.
patches/packages/linux-5.15.80/*: Upgraded.
These updates fix various bugs and security issues.
Be sure to upgrade your initrd after upgrading the kernel packages.
If you use lilo to boot your machine, be sure lilo.conf points to the correct
kernel and initrd and run lilo as root to update the bootloader.
If you use elilo to boot your machine, you should run eliloconfig to copy the
kernel and initrd to the EFI System Partition.
Looks like they backported the modern AMD CPU fix to the 5.15.x kernels. AMD users should see a nice performance increase with 5.15.94 that Pat just released.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
