Slackwarearm-14.2 ChangeLog (2021-05-28)
Fri May 28 08:08:08 UTC 2021
Packages
Upgraded
- patches/packages/ca-certificates-20210526-noarch-1_slack14.2.txz
This update provides the latest CA certificates to check for the
authenticity of SSL connections.
- patches/packages/curl-7.77.0-arm-1_slack14.2.txz
This update fixes security issues:
schannel cipher selection surprise
TELNET stack contents disclosure
TLS session caching disaster
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22298
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22901
(* Security fix *)
- patches/packages/expat-2.4.1-arm-1_slack14.2.txz
This update provides new mitigations against the “billion laughs” denial
of service attack.
For more information, see:
https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0340
(* Security fix *)
- patches/packages/gnutls-3.6.16-arm-1_slack14.2.txz
Fixed potential miscalculation of ECDSA/EdDSA code backported from Nettle.
In GnuTLS, as long as it is built and linked against the fixed version of
Nettle, this only affects GOST curves. [CVE-2021-20305]
Fixed potential use-after-free in sending “key_share” and “pre_shared_key”
extensions. When sending those extensions, the client may dereference a
pointer no longer valid after realloc. This happens only when the client
sends a large Client Hello message, e.g., when HRR is sent in a resumed
session previously negotiated large FFDHE parameters, because the initial
allocation of the buffer is large enough without having to call realloc
(#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20305
(* Security fix *)
- patches/packages/libX11-1.7.1-arm-1_slack14.2.txz
This update fixes missing request length checks in libX11 that can lead to
the emission of extra X protocol requests to the X server.
For more information, see:
https://lists.x.org/archives/xorg-announce/2021-May/003088.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535
(* Security fix *)