Slackwarearm-14.1 ChangeLog (2013-04-01)
Mon Apr 1 18:13:44 UTC 2013
More updates, and several rebuilds due to bumped library versions in
the boost, icu4c, ilmbase, imagemagick, libzip, and net-snmp packages.
Thanks to Heinz Wiesinger for several of these library bumps, and to
Robby Workman for the initial work on lots of the updates in this batch.
The big news here is the removal of MySQL in favor of MariaDB. This
shouldn't really be a surprise on any level. Thanks are due to Heinz
Wiesinger for his work on transitioning the build script, testing, and
getting us all behind this move.
In the vast majority of situations, MariaDB is entirely compatible with
existing MySQL databases and will drop right in with no changes required.
There's an article available outlining the areas in which MariaDB differs
from MySQL that I'd recommend reading:
https://kb.askmonty.org/v/mariadb-versus-mysql-compatibility/
Thanks to the MariaDB Foundation! We look forward to working with you.
GCC 4.8.0 has been added to /extra rather than the main tree. This is
because GCC 4.8.0 has not been able to produce a bootable Kernel here.
I tried reverting to the previous version of binutils and applying the
latest SVN branch update, but to no avail – so for now we're sticking
with GCC 4.7.2.
Packages
Upgraded
- l/libssh-0.5.4-arm-1.tgz
This update fixes a possible denial of service issue.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0176
(* Security fix *)
- n/bind-9.9.2_P2-arm-1.tgz
This update fixes a critical defect in BIND 9 that allows an attacker
to cause excessive memory consumption in named or other programs linked
to libdns.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
https://kb.isc.org/article/AA-00871
(* Security fix *)
- n/dhcp-4.2.5_P1-arm-1.tgz
This update replaces the included BIND 9 code that the DHCP programs
link against. Those contained a defect that could possibly lead to
excessive memory consumption and a denial of service.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266
(* Security fix *)
- n/php-5.4.13-arm-1.tgz
This release fixes two security issues in SOAP:
Added check that soap.wsdl_cache_dir conforms to open_basedir.
Disabled external entities loading.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
(* Security fix *)
- xap/network-manager-applet-0.9.8.0-arm-1.tgz
Patched for new version of GTK+. Thanks to yenn.
- xap/xpdf-3.03-arm-1.tgz
Fixed patch to xpdfrc for Japanese language support.
Thanks to ABE Shin-ichi.
Rebuilt
- a/shadow-4.1.4.3-arm-7.tgz
Patched pw_encrypt() to fix “crypt: Invalid argument” and immediate login
failure when a non-existent user tries to log in. This was caused by a
change in the behavior of glibc's crypt() function. When a user that does
not exist tries to log in, the code in shadow calls crypt() with an invalid
salt. The old version of crypt() used the provided bad salt (always “!”)
to produce a DES hash with “!!” at the beginning, while the new one just
returns NULL which isn't well-handled by the shadow code. To fix this
shadow bug, if the salt is invalid, we'll call crypt() using a good SHA512
salt, prepend “!!” to the hash that we get back, and have pw_encrypt()
return this as the result. The effect is identical to the previous
behavior – unless the exact same malformed hash happens to be the hash in
/etc/shadow (it won't be), the login will fail. While I see no way that
these 6 lines of code could be less secure than the original code, I
welcome additional review. Also, if anyone spots anything else that was
adversely affected by the change to crypt()'s behavior, please let me know.
Thanks to Michael L. Semon for information about the /bin/login problem.
Patched to handle more than 16 supplemental groups.
Thanks to Cal Peake.
- d/llvm-3.2-arm-3.tgz
Added /usr/bin/$ARCH-slackware-linux-{clang,clang++} symlinks. If these
are present, LLVM/clang will be used to compile itself. Other programs
might need them as well.
- kde/amarok-2.7.0-arm-3.tgz
Rebuilt to use the dynamic embedded library in MariaDB.
- l/glibc-2.17-arm-4.tgz
Built against Linux 3.8.5 kernel headers.
- l/qt-4.8.4-arm-2.tgz
Patched moc to fix issues with the latest boost library.
Thanks to Corrado Franco.
- xfce/tumbler-0.1.25-arm-2.tgz
Reverted to tumbler-0.1.25, since later versions require gstreamer-1.0, and
patched a bug that caused tumbler to hold files open preventing volumes from
being ejected.
- xfce/xfwm4-4.10.0-arm-2.tgz
Patched mouse bug with GTK+3 apps. Thanks to Per-Arne Hognert.
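
The pw_encrypt() fallback described in the a/shadow entry above, as an added example (this is not the actual shadow patch and not code from this ChangeLog). The names pw_encrypt_safe, password_ok, model_crypt and the FALLBACK_SALT value are hypothetical; model_crypt is a constructed stand-in for crypt() so the flow runs without libcrypt, and the real crypt() would be passed in its place.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
typedef char *(*crypt_fn)(const char *key, const char *salt);
#define FALLBACK_SALT "$6$constructedsalt$"   /* constructed sample salt */

/* Constructed stand-in for the newer crypt(): NULL + EINVAL on a bad salt; only
 * "$6$salt$" is understood and the digest is a toy checksum, NOT a real hash. */
char *model_crypt(const char *key, const char *salt)
{
    static char buf[128];
    const char *end = strncmp(salt, "$6$", 3) ? NULL : strchr(salt + 3, '$');
    unsigned sum = 5381;
    if (end == NULL) {                      /* e.g. the "!" placeholder */
        errno = EINVAL;
        return NULL;
    }
    while (*key)
        sum = sum * 33 + (unsigned char)*key++;
    snprintf(buf, sizeof buf, "%.*s%08x", (int)(end - salt) + 1, salt, sum);
    return buf;
}

/* pw_encrypt()-style wrapper: on a bad salt, hash with a good one and mark it. */
char *pw_encrypt_safe(crypt_fn do_crypt, const char *clear, const char *salt)
{
    static char out[160];
    const char *mark = "";
    const char *cp = do_crypt(clear, salt);
    if (cp == NULL) {                       /* invalid salt: do not return NULL */
        cp = do_crypt(clear, FALLBACK_SALT);
        mark = "!!";
    }
    if (cp == NULL)
        return NULL;                        /* fallback failed as well */
    snprintf(out, sizeof out, "%s%s", mark, cp);
    return out;
}

/* Login-style check: succeeds only if the result equals the stored field. */
int password_ok(crypt_fn do_crypt, const char *clear, const char *stored)
{
    const char *cp = pw_encrypt_safe(do_crypt, clear, stored);
    return cp != NULL && strcmp(cp, stored) == 0;
}

int main(void)
{
    puts(pw_encrypt_safe(model_crypt, "guess", "!"));  /* "!!$6$..." string */
    return 0;
}
```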