====== Slackware-14.1 ChangeLog (2017-08-11) ======

====== Fri Aug 11 23:02:43 UTC 2017 ======

===== Packages =====

==== Upgraded ====

  * [[slackware.14.1>patches/packages/git-2.14.1-i486-1_slack14.1.txz]] \\ Fixes security issues: \\ A "ssh://..." URL can result in a "ssh" command line with a hostname that \\ begins with a dash "-", which would cause the "ssh" command to instead \\ (mis)treat it as an option. This is now prevented by forbidding such a \\ hostname (which should not impact any real-world usage). \\ Similarly, when GIT_PROXY_COMMAND is configured, the command is run with \\ host and port that are parsed out from "ssh://..." URL; a poorly written \\ GIT_PROXY_COMMAND could be tricked into treating a string that begins with a \\ dash "-" as an option. This is now prevented by forbidding such a hostname \\ and port number (again, which should not impact any real-world usage). \\ For more information, see: \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117 \\ (* Security fix *)
  * [[slackware.14.1>patches/packages/mercurial-4.3.1-i486-1_slack14.1.txz]] \\ Fixes security issues: \\ Mercurial's symlink auditing was incomplete prior to 4.3, and could \\ be abused to write to files outside the repository. \\ Mercurial was not sanitizing hostnames passed to ssh, allowing \\ shell injection attacks on clients by specifying a hostname starting \\ with -oProxyCommand. \\ For more information, see: \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115 \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116 \\ (* Security fix *)

==== Rebuilt ====

  * [[slackware.14.1>patches/packages/libsoup-2.42.2-i486-2_slack14.1.txz]] \\ Fixed a chunked decoding buffer overrun that could be exploited against \\ either clients or servers. \\ For more information, see: \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885 \\ (* Security fix *)
  * [[slackware.14.1>patches/packages/subversion-1.7.22-i486-3_slack14.1.txz]] \\ Fixed client side arbitrary code execution vulnerability. \\ For more information, see: \\ https://subversion.apache.org/security/CVE-2017-9800-advisory.txt \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800 \\ (* Security fix *)

{{tag>slackware changelog slackware-14.1 2017-08}}

Last modified: 8 months ago by Giuseppe Di Terlizzi