Slackwarearm-14.2 ChangeLog (2017-11-30)

Thu Nov 30 08:08:08 UTC 2017

  • patches/packages/libXfont-1.5.1-arm-2_slack14.2.txz
    Open files with O_NOFOLLOW. (CVE-2017-16611)
    A non-privileged X client can instruct an X server running as root
    to open any file by creating its own font directory in which
    “fonts.dir”, “fonts.alias” or any font file is a symbolic link to
    any other file on the system. The X server will then open it. This
    can be a problem with special files such as /dev/watchdog (simply
    opening and closing it can reboot the system).
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611
    (* Security fix *)
  • patches/packages/samba-4.4.16-arm-2_slack14.2.txz
    This is a security update in order to patch the following defects:
    CVE-2017-14746 (Use-after-free vulnerability.)
    All versions of Samba from 4.0.0 onwards are vulnerable to a use after
    free vulnerability, where a malicious SMB1 request can be used to
    control the contents of heap memory via a deallocated heap pointer. It
    is possible this may be used to compromise the SMB server.
    CVE-2017-15275 (Server heap memory information leak.)
    All versions of Samba from 3.6.0 onwards are vulnerable to a heap
    memory information leak, where server allocated heap memory may be
    returned to the client without being cleared.
    For more information, see:
    https://www.samba.org/samba/security/CVE-2017-14746.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746
    https://www.samba.org/samba/security/CVE-2017-15275.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
    (* Security fix *)
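The libXfont entry above describes the mechanism of CVE-2017-16611 (a font directory entry that is really a symlink, opened by a root X server) and its fix (O_NOFOLLOW). The following is an added example, not code from Slackware or libXfont: it builds a constructed font directory under /tmp whose fonts.dir is a symlink to a plain file standing in for /dev/watchdog, then opens it the pre-fix way and the post-fix way. The function names, the temporary paths and the "sensitive-file" target are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a file the way a font loader would, optionally refusing to follow
 * a symbolic link in the final path component (the CVE-2017-16611 fix).
 * Returns the descriptor, or -errno on failure. Hypothetical helper. */
int open_font_file(const char *path, int nofollow)
{
    int flags = O_RDONLY | (nofollow ? O_NOFOLLOW : 0);
    int fd = open(path, flags);
    return fd >= 0 ? fd : -errno;
}

/* Constructed scenario: an unprivileged user's font directory whose
 * "fonts.dir" is a symlink to some other file (here a plain file that
 * stands in for /dev/watchdog). Returns 1 when the plain open follows
 * the link but the O_NOFOLLOW open is refused with ELOOP, 0 otherwise,
 * -1 if the scenario could not be set up. */
int symlinked_fonts_dir_is_blocked(void)
{
    char dir[] = "/tmp/fontdirXXXXXX";   /* assumed writable location */
    char target[64], link[64];
    int result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/sensitive-file", dir);
    snprintf(link, sizeof link, "%s/fonts.dir", dir);

    /* The file the attacker wants root to open. */
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0)
        goto cleanup;
    (void)write(tfd, "not a font index\n", 17);
    close(tfd);

    /* The attacker-controlled font directory: fonts.dir -> target. */
    if (symlink(target, link) != 0)
        goto cleanup;

    int followed = open_font_file(link, 0);   /* pre-fix: link is followed */
    int refused  = open_font_file(link, 1);   /* post-fix: ELOOP */
    if (followed >= 0)
        close(followed);

    result = (followed >= 0 && refused == -ELOOP) ? 1 : 0;

cleanup:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = symlinked_fonts_dir_is_blocked();
    if (r == 1)
        puts("fonts.dir symlink: followed without O_NOFOLLOW, refused (ELOOP) with it");
    else if (r == 0)
        puts("unexpected result: O_NOFOLLOW did not change the outcome");
    else
        puts("could not set up the scenario (is /tmp writable?)");
    return r == 1 ? 0 : 1;
}
```

O_NOFOLLOW only governs the last path component: a symlink in an intermediate directory (for example a user-supplied font directory path that is itself a link elsewhere) is still followed, so a loader that runs as root also needs to validate the directory it was pointed at, not just the files inside it.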
  • by Giuseppe Di Terlizzi