Slackwarearm-14.2 ChangeLog (2018-08-26)
Sun Aug 26 08:08:08 UTC 2018
Packages
Upgraded
- patches/packages/linux-4.4.151/kernel-headers-4.4.151-arm-1_slack14.2.txz
- patches/packages/linux-4.4.151/kernel-modules-armv5-4.4.151_armv5-arm-1_slack14.2.txz
- patches/packages/linux-4.4.151/kernel-modules-armv7-4.4.151_armv7-arm-1_slack14.2.txz
- patches/packages/linux-4.4.151/kernel-source-4.4.151-arm-1_slack14.2.txz
- patches/packages/linux-4.4.151/kernel_armv5-4.4.151-arm-1_slack14.2.txz
- patches/packages/linux-4.4.151/kernel_armv7-4.4.151-arm-1_slack14.2.txz
- patches/packages/ntp-4.2.8p12-arm-1_slack14.2.txz
This release improves on one security fix in ntpd:
LOW/MEDIUM: Sec 3012: Sybil vulnerability: ephemeral association attack
While fixed in ntp-4.2.8p7 and with significant additional protections for
this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in
the new noepeer support. Originally reported by Matt Van Gundy of Cisco.
Edge-case hole reported by Martin Burnicki of Meinberg.
And fixes another security issue in ntpq and ntpdc:
LOW: Sec 3505: The openhost() function used during command-line hostname
processing by ntpq and ntpdc can write beyond its buffer limit, which
could allow an attacker to achieve code execution or escalate to higher
privileges via a long string as the argument for an IPv4 or IPv6
command-line parameter. NOTE: It is unclear whether there are any common
situations in which ntpq or ntpdc is used with a command line from an
untrusted source. Reported by Fakhri Zulkifli.
For more information, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#August_2018_ntp_4_2_8p12_NTP_Rel
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327
(* Security fix *)