Slackwarearm-current ChangeLog (2017-11-30)

Thu Nov 30 08:08:08 UTC 2017

  • a/coreutils-8.28-arm-2.txz
    Removed ancient (1992) aliases “dir, vdir, d, v” from the profile scripts.
  • ap/hplip-3.17.11-arm-2.txz
    Fixed a few Python scripts that did not have a proper python3 shebang.
    Thanks to dugan.
  • l/ffmpeg-3.4-arm-2.txz
    Recompiled against libva.so.2.0.0.
  • n/cyrus-sasl-2.1.26-arm-3.txz
    Use /dev/urandom rather than /dev/random to avoid entropy starvation.
    Thanks to mr.spuratic.
  • n/dhcpcd-6.11.5-arm-2.txz
    Use hostname_short in dhcpcd.conf. Thanks to KewlCat.
  • n/network-scripts-15.0-noarch-2.txz
    Script cleanups from Jakub Jankowski:
    netconfig: Add comment to netconfig-generated rc.inet1.conf
    rc.inet1: Check for iface in /sys/class/net, not /proc/net/dev
    rc.inet1: Remove unnecessary unset num
    rc.inet1: Factor DEBUG_ETH_UP logging to a separate function
    rc.inet1: Use ${array[*]} not ${array[@]} to produce a string
    rc.inet1: Avoid de-/configuring ifaces with indexes >=MAXNICS
    rc.inet1: Avoid code duplication by combining case/esac
    rc.inet1: Add missing 'dev' keyword
    rc.inet1: Remove unnecessary $(echo)
    rc.inet1*: Simplify virtif_* code, add note to example config
    rc.inet1: Test for loopback being “state UNKNOWN” too.
    rc.inet1: Use simple test (-n/-z) for non-empty/empty
    rc.inet1: Replace [ test1 -a test2 ] with [ test1 ] && [ test2 ]
  • x/xf86-video-armsoc-1.4.1-arm-10.txz
  • x/xf86-video-fbdev-110.e0bce0d-arm-8.txz
  • x/xf86-video-fbturbo-199.f9a6ed7-arm-11.txz
  • x/xf86-video-opentegra-0.7.0-arm-10.txz
  • xap/xine-lib-1.2.8-arm-4.txz
    Recompiled against libva.so.2.0.0.
  • a/eudev-3.2.5-arm-1.txz
  • a/usbutils-009-arm-1.txz
  • ap/lxc-2.0.9-arm-1.txz
  • ap/man-pages-4.14-noarch-1.txz
    Don't ship a whatis database, since man-db doesn't need one.
  • ap/mariadb-10.2.11-arm-1.txz
  • ap/mc-4.8.20-arm-1.txz
  • ap/nano-2.9.1-arm-1.txz
  • d/git-2.15.1-arm-1.txz
  • d/python-setuptools-38.2.3-arm-1.txz
  • kde/konsole-4.14.3-arm-1.txz
    Fixed scrollUp behavior. Thanks to Andrzej Telszewski.
  • l/QScintilla-2.10.2-arm-1.txz
  • l/sip-4.19.6-arm-1.txz
  • n/curl-7.57.0-arm-1.txz
    This update fixes security issues:
    SSL out of buffer access
    FTP wildcard out of bounds read
    NTLM buffer overflow via integer overflow
    For more information, see:
    https://curl.haxx.se/docs/adv_2017-af0a.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8818
    https://curl.haxx.se/docs/adv_2017-ae72.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
    https://curl.haxx.se/docs/adv_2017-12e7.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
    (* Security fix *)
  • n/openldap-client-2.4.45-arm-1.txz
  • n/samba-4.7.3-arm-1.txz
    This is a security release in order to address the following defects:
    CVE-2017-14746 (Use-after-free vulnerability.)
    All versions of Samba from 4.0.0 onwards are vulnerable to a use after
    free vulnerability, where a malicious SMB1 request can be used to
    control the contents of heap memory via a deallocated heap pointer. It
    is possible this may be used to compromise the SMB server.
    CVE-2017-15275 (Server heap memory information leak.)
    All versions of Samba from 3.6.0 onwards are vulnerable to a heap
    memory information leak, where server allocated heap memory may be
    returned to the client without being cleared.
    For more information, see:
    https://www.samba.org/samba/security/CVE-2017-14746.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746
    https://www.samba.org/samba/security/CVE-2017-15275.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
    (* Security fix *)
  • x/libXcursor-1.1.15-arm-1.txz
    Fix heap overflows when parsing malicious files. (CVE-2017-16612)
    It is possible to trigger heap overflows due to an integer overflow
    while parsing images and a signedness issue while parsing comments.
    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.
    The signedness bug is triggered by reading the length of a comment
    as unsigned int, but casting it to int when calling the function
    XcursorCommentCreate. Turning length into a negative value allows the
    check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
    addition of sizeof (XcursorComment) + 1 makes it possible to allocate
    less memory than needed for subsequent reads.
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
    (* Security fix *)
  • x/libXfont2-2.0.3-arm-1.txz
    Open files with O_NOFOLLOW. (CVE-2017-16611)
    A non-privileged X client can instruct an X server running as root
    to open any file by creating its own directory with “fonts.dir”,
    “fonts.alias” or any font file being a symbolic link to any other
    file in the system. The X server will then open it. This can be an
    issue with special files such as /dev/watchdog (which could then
    reboot the system).
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16611
    (* Security fix *)
  • x/libva-2.0.0-arm-1.txz
    Shared library .so-version bump.
  • x/mesa-17.2.6-arm-1.txz
  • x/xfs-1.2.0-arm-1.txz
  • x/xkeyboard-config-2.22-arm-1.txz
  • xap/gparted-0.30.0-arm-1.txz
  • xfce/Thunar-1.6.13-arm-1.txz
  • l/talloc-2.1.10-arm-1.txz
  • l/tdb-1.3.15-arm-1.txz
  • l/tevent-0.9.34-arm-1.txz
  • x/libva-utils-2.0.0-arm-1.txz
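
The two libXcursor size bugs described in the CVE-2017-16612 entry above, reproduced as an added example (not libXcursor's code and not the upstream patch). uint32_t stands in for a 32-bit size_t; the function names, HDR_SIZE and the value given to COMMENT_MAX_LEN are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DIM_LIMIT       0x10000u  /* dimension limit quoted in the entry */
#define COMMENT_MAX_LEN 0x100000  /* assumed value, illustration only */
#define HDR_SIZE        32u       /* stand-in for sizeof(header struct) */

/* uint32_t models size_t on a 32-bit system. Returns the byte count that
 * would be handed to malloc(), or 0 when the input is rejected. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height)
{
    if (width > DIM_LIMIT || height > DIM_LIMIT)
        return 0;
    return HDR_SIZE + width * height * 4u;   /* wraps modulo 2^32 */
}

/* Same computation in 64 bits; refuses sizes a 32-bit size_t cannot hold. */
uint32_t image_bytes_checked(uint32_t width, uint32_t height)
{
    uint64_t need;
    if (width > DIM_LIMIT || height > DIM_LIMIT)
        return 0;
    need = (uint64_t)HDR_SIZE + (uint64_t)width * height * 4u;
    return need > UINT32_MAX ? 0 : (uint32_t)need;
}

/* Length arrives from the file as unsigned but is passed on as int. */
uint32_t comment_bytes_unchecked(uint32_t file_length)
{
    int length = (int)file_length;           /* 0xFFFFFFF0 becomes -16 */
    if (length > COMMENT_MAX_LEN)
        return 0;                            /* negative values pass */
    return HDR_SIZE + (uint32_t)length + 1u; /* wraps to a tiny size */
}

/* Keeps the length unsigned so the upper bound actually bounds it. */
uint32_t comment_bytes_checked(uint32_t file_length)
{
    return file_length > (uint32_t)COMMENT_MAX_LEN
               ? 0 : HDR_SIZE + file_length + 1u;
}

int main(void)
{
    printf("image 0x10000 x 0x10000: unchecked=%u bytes, checked=%u\n",
           (unsigned)image_bytes_unchecked(0x10000u, 0x10000u),
           (unsigned)image_bytes_checked(0x10000u, 0x10000u));
    printf("comment length 0xFFFFFFF0: unchecked=%u bytes, checked=%u\n",
           (unsigned)comment_bytes_unchecked(0xFFFFFFF0u),
           (unsigned)comment_bytes_checked(0xFFFFFFF0u));
    return 0;
}
```

In both unchecked cases the allocation size comes out far smaller than the amount of data the parser would go on to read, which is the heap overflow condition the entry describes.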
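
The effect of the O_NOFOLLOW change described in the CVE-2017-16611 entry above, as an added example (not libXfont2's code). open_font_file and symlink_demo are hypothetical names, and the temporary directory with its "fonts.dir" symlink is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical opener for a font-path file. Returns an fd or -errno.
 * O_NOFOLLOW only refuses a symlink in the final path component;
 * symlinks in parent directories are still followed. */
int open_font_file(const char *path, int nofollow)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | (nofollow ? O_NOFOLLOW : 0));
    return fd >= 0 ? fd : -errno;
}

/* Builds a constructed client-owned directory whose "fonts.dir" is a
 * symlink to another file, then opens it with and without O_NOFOLLOW.
 * Returns 0 on success and stores both open results (fd or -errno). */
int symlink_demo(int *plain, int *nofollow)
{
    char dir[] = "/tmp/fontdir-XXXXXX";
    char target[64], lnk[64];
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/fonts.dir", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, lnk) != 0)
        return -1;
    close(fd);
    *plain = open_font_file(lnk, 0);     /* follows the link */
    *nofollow = open_font_file(lnk, 1);  /* refused; ELOOP on Linux */
    if (*plain >= 0) close(*plain);
    if (*nofollow >= 0) close(*nofollow);
    unlink(lnk); unlink(target); rmdir(dir);
    return 0;
}

int main(void)
{
    int plain, nofollow;
    if (symlink_demo(&plain, &nofollow) != 0)
        return 1;
    printf("plain open: %s, O_NOFOLLOW open: %s\n",
           plain >= 0 ? "succeeded" : "failed",
           nofollow >= 0 ? "succeeded" : "refused");
    return 0;
}
```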
news/2017/11/30/slackwarearm-current-changelog.txt · Last modified: 7 years ago by Giuseppe Di Terlizzi