Slackwarearm-14.1 ChangeLog (2015-07-31)
Fri Jul 31 22:39:46 UTC 2015
Packages
Upgraded
- patches/packages/bind-9.9.7_P2-arm-1_slack14.1.txz
This update fixes a security issue where an error in the handling of TKEY
queries can be exploited by an attacker for use as a denial-of-service
vector, as a constructed packet can use the defect to trigger a REQUIRE
assertion failure, causing BIND to exit.
Impact:
Both recursive and authoritative servers are vulnerable to this defect.
Additionally, exposure is not prevented by either ACLs or configuration
options limiting or denying service because the exploitable code occurs
early in the packet handling, before checks enforcing those boundaries.
Operators should take steps to upgrade to a patched version as soon as
possible.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477
https://kb.isc.org/article/AA-01272
(* Security fix *)
Rebuilt
- patches/packages/slackpkg-2.82.0-noarch-14_slack14.1.txz
Patched to abort immediately if the date is not recent (at least July 2015).
This is usually a problem with Raspberry Pi systems that do not have an RTC
and where no NTP client has been configured, resulting in the system's date
being at UNIX Epoch time (1970).
With the date so far in the past, GPG fails with a generic verification
failure message, resulting in confusion as to whether the packages or keys
have been tampered with.
- ap/slackpkg-2.82.0-noarch-14_slack14.1.txz
Patched to abort immediately if the date is not recent (at least July 2015).
This is usually a problem with Raspberry Pi systems that do not have an RTC
and where no NTP client has been configured, resulting in the system's date
being at UNIX Epoch time (1970).
With the date so far in the past, GPG fails with a generic verification
failure message, resulting in confusion as to whether the packages or keys
have been tampered with.
This build also expects the updated Slackware ARM GPG key rather than the old
ARMedslack key. Ordinarily after a Slackware release, the original
'slackware' tree would never be modified; but users are installing Slackware
ARM 14.1 and attempting to update using slackpkg, but are finding that it fails
either due to the GPG key mismatch or due to the date being wrong, or both!
It's worth reiterating that on ARM, you _must_ read the Change log and not
blindly update packages: failure to do so could render your machine unbootable,
particularly for the Kernel packages!
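
The clock check described for slackpkg above, sketched as an added example (this is not the slackpkg patch itself). The function names, the exit-code convention and the file names in the usage comment are assumptions made for illustration. The point is to report a bad clock separately from a real signature failure.

```shell
#!/bin/sh
# Added example: clock sanity gate in front of signature verification.
# MIN_EPOCH is 2015-07-01 00:00:00 UTC, matching the "at least July 2015"
# floor mentioned in the ChangeLog entry.
MIN_EPOCH=1435708800

# clock_plausible NOW_EPOCH
# Succeeds only if NOW_EPOCH is a plain integer at or past the floor.
clock_plausible() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as a bad clock
    esac
    [ "$1" -ge "$MIN_EPOCH" ]
}

# guarded_verify NOW_EPOCH VERIFY_CMD [ARGS...]
# Exit codes (a convention of this example only):
#   0 = verified, 1 = verifier rejected the signature, 2 = clock implausible.
guarded_verify() {
    now=$1; shift
    if ! clock_plausible "$now"; then
        echo "ERROR: system date ($now s since epoch) predates July 2015." >&2
        echo "Set the clock (RTC or NTP) before verifying signatures." >&2
        return 2
    fi
    if "$@"; then
        return 0
    fi
    # The clock is sane, so this failure is about the data or the key.
    echo "ERROR: verification failed with a plausible clock;" >&2
    echo "treat the package or key as suspect until checked." >&2
    return 1
}

# Typical call (file names are placeholders):
#   guarded_verify "$(date +%s)" gpg --verify package.txz.asc package.txz
```

Passing the time in as an argument keeps the check testable without changing the system clock.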