Slackwarearm-14.1 ChangeLog (2016-01-15)

Fri Jan 15 10:10:10 UTC 2016

  • patches/packages/dhcp-4.3.3-arm-1_slack14.1.txz
    This update fixes a denial-of-service vulnerability.
    For more information, see:
    (* Security fix *)
  • patches/packages/openssh-7.1p2-arm-1_slack14.1.txz
    This update fixes an information leak and a buffer overflow. In particular,
    the information leak allows a malicious SSH server to steal the client's
    private keys. Thanks to Qualys for reporting this issue.
    For more information, see:
    Rather than backport the fix for the information leak (which is the only
    hazardous flaw), we have upgraded to the latest OpenSSH. As of version
    7.0, OpenSSH has deprecated some older (and presumably less secure)
    algorithms, and also (by default) only allows root login by public-key,
    hostbased and GSSAPI authentication. Make sure that your keys and
    authentication method will allow you to continue accessing your system
    after the upgrade.
    The release notes for OpenSSH 7.0 list the following incompatible changes
    to be aware of:
    * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.
    * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at
    * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at
    * Support for the legacy v00 cert format has been removed.
    * The default for the sshd_config(5) PermitRootLogin option has
    changed from “yes” to “prohibit-password”.
    * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).
    (* Security fix *)
  • patches/packages/xscreensaver-5.34-arm-1_slack14.1.txz
    Patrick promised jwz that he'd keep this updated in -stable when he removed
    (against his wishes) the nag screen that complains if a year has passed since
    that version was released. So, here's the latest one.
  • news/2016/01/15/slackwarearm-14.1-changelog.txt
  • Last modified: 7 years ago
  • by Giuseppe Di Terlizzi