====== Slackware-current ChangeLog (2017-11-29) ======

====== Wed Nov 29 21:48:33 UTC 2017 ======

===== Packages =====

==== Upgraded ====

  * [[slackware.current>n/curl-7.57.0-i586-1.txz]] \\ This update fixes security issues: \\ SSL out of buffer access \\ FTP wildcard out of bounds read \\ NTLM buffer overflow via integer overflow \\ For more information, see: \\ https://curl.haxx.se/docs/adv_2017-af0a.html \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8818 \\ https://curl.haxx.se/docs/adv_2017-ae72.html \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817 \\ https://curl.haxx.se/docs/adv_2017-12e7.html \\ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816 \\ (* Security fix *)

====== Wed Nov 29 08:15:09 UTC 2017 ======

===== Packages =====

==== Rebuilt ====

  * [[slackware.current>a/coreutils-8.28-i586-2.txz]] \\ Removed ancient (1992) aliases "dir, vdir, d, v" from the profile scripts.
  * [[slackware.current>ap/man-pages-4.14-noarch-2.txz]] \\ Don't ship a whatis database, since man-db doesn't need one.
  * [[slackware.current>testing/packages/php-7.1.12-i586-2.txz]] \\ Load mysqlnd.so before mysqli.so in etc/php.ini*. Thanks to KewlCat. \\ Load libphp7.so in mod_php.conf.example. Thanks to Willy Sudiarto Raharjo.

==== Added ====

  * [[slackware.current>a/lzlib-1.9-i586-1.txz]]
  * [[slackware.current>a/plzip-1.6-i586-1.txz]]
  * [[slackware.current>ap/man-db-2.7.6.1-i586-1.txz]] \\ This package replaces the good old man package. Thanks to B. Watson.

==== Removed ====

  * <del>[[slackware.current>ap/man-1.6g-i586-3.txz]]</del>
  * <del>[[slackware.current>x/libXfont-1.5.3-i586-1.txz]]</del>

==== Upgraded ====

  * [[slackware.current>ap/mariadb-10.2.11-i586-1.txz]]
  * [[slackware.current>d/git-2.15.1-i586-1.txz]]
  * [[slackware.current>d/python-setuptools-38.2.3-i586-1.txz]]
  * [[slackware.current>x/libXcursor-1.1.15-i586-1.txz]] \\ Fix heap overflows when parsing malicious files. (CVE-2017-16612) \\ It is possible to trigger heap overflows due to an integer overflow \\ while parsing images and a signedness issue while parsing comments. \\ The integer overflow occurs because the chosen limit 0x10000 for \\ dimensions is too large for 32 bit systems, because each pixel takes \\ 4 bytes. Properly chosen values allow an overflow which in turn will \\ lead to less allocated memory than needed for subsequent reads. \\ The signedness bug is triggered by reading the length of a comment \\ as unsigned int, but casting it to int when calling the function \\ XcursorCommentCreate. Turning length into a negative value allows the \\ check against XCURSOR_COMMENT_MAX_LEN to pass, and the following \\ addition of sizeof (XcursorComment) + 1 makes it possible to allocate \\ less memory than needed for subsequent reads. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612 \\ (* Security fix *)
  * [[slackware.current>x/libXfont2-2.0.3-i586-1.txz]] \\ Open files with O_NOFOLLOW. (CVE-2017-16611) \\ A non-privileged X client can instruct X server running under root \\ to open any file by creating its own directory with "fonts.dir", \\ "fonts.alias" or any font file being a symbolic link to any other \\ file in the system. X server will then open it. This can be an issue \\ with special files such as /dev/watchdog (which could then reboot \\ the system). \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611 \\ (* Security fix *)
  * [[slackware.current>x/xfs-1.2.0-i586-1.txz]]

{{tag>slackware changelog slackware-current 2017/11}}

news/2017/11/29/slackware-current-changelog.txt Last modified: 6 years ago by Giuseppe Di Terlizzi
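
The two flaws described in the x/libXcursor entry above (CVE-2017-16612), reduced to their arithmetic and shown beside a checked form. This is an added example, not libXcursor's code and not part of the ChangeLog. The function names and DEMO_COMMENT_MAX_LEN are assumptions made for illustration; 0x10000 is the dimension limit the entry quotes.

```c
#include <stdint.h>
#include <stdio.h>

/* Demo limits: 0x10000 is the dimension limit quoted in the entry;
 * DEMO_COMMENT_MAX_LEN is a constructed stand-in for XCURSOR_COMMENT_MAX_LEN. */
#define DEMO_DIM_LIMIT       0x10000u
#define DEMO_COMMENT_MAX_LEN 0x100000

/* Flawed pattern: the length is read as unsigned but checked as int. */
int comment_len_ok_signed(uint32_t wire_len)
{
    int32_t len = (int32_t)wire_len;     /* 0xFFFFFFF0 becomes -16 */
    return len <= DEMO_COMMENT_MAX_LEN;  /* so a negative length passes */
}

/* Hardened pattern: compare in the unsigned domain the value was read in. */
int comment_len_ok_unsigned(uint32_t wire_len)
{
    return wire_len <= (uint32_t)DEMO_COMMENT_MAX_LEN;
}

/* Pixel buffer size as 32-bit arithmetic computes it: wraps silently. */
uint32_t image_bytes_wrapping(uint32_t w, uint32_t h)
{
    return w * h * 4u;
}

/* Checked size: returns 1 and stores the byte count, or 0 when a dimension
 * is zero or over the limit, or when w * h * 4 does not fit in 32 bits. */
int image_bytes_checked(uint32_t w, uint32_t h, uint32_t *out)
{
    if (w == 0 || h == 0 || w > DEMO_DIM_LIMIT || h > DEMO_DIM_LIMIT)
        return 0;
    if (w > UINT32_MAX / 4u / h)
        return 0;
    *out = w * h * 4u;
    return 1;
}

int main(void)
{
    uint32_t n = 0;
    printf("signed check accepts 0xFFFFFFF0:   %d\n", comment_len_ok_signed(0xFFFFFFF0u));
    printf("unsigned check accepts 0xFFFFFFF0: %d\n", comment_len_ok_unsigned(0xFFFFFFF0u));
    printf("0x8000 x 0x8000 wrapped size:      %u\n", (unsigned)image_bytes_wrapping(0x8000u, 0x8000u));
    printf("0x8000 x 0x8000 checked ok:        %d\n", image_bytes_checked(0x8000u, 0x8000u, &n));
    return 0;
}
```

Both dimensions in the wrapped case are below the 0x10000 limit, which is why a limit check alone does not prevent the undersized allocation on a 32-bit system.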