Slackware-13.0 ChangeLog (2012-02-08)

Wed Feb 8 01:21:42 UTC 2012

  • patches/packages/apr-util-1.4.1-i486-1_slack13.0.txz
    Version bump for httpd upgrade.
  • patches/packages/httpd-2.2.22-i486-1_slack13.0.txz
    *) SECURITY: CVE-2011-3368 (cve.mitre.org)
    Reject requests where the request-URI does not match the HTTP
    specification, preventing unexpected expansion of target URLs in
    some reverse proxy configurations. [Joe Orton]
    *) SECURITY: CVE-2011-3607 (cve.mitre.org)
    Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
    is enabled, could allow local users to gain privileges via a .htaccess
    file. [Stefan Fritsch, Greg Ames]
    *) SECURITY: CVE-2011-4317 (cve.mitre.org)
    Resolve additional cases of URL rewriting with ProxyPassMatch or
    RewriteRule, where particular request-URIs could result in undesired
    backend network exposure in some configurations.
    [Joe Orton]
    *) SECURITY: CVE-2012-0021 (cve.mitre.org)
    mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
    string is in use and a client sends a nameless, valueless cookie, causing
    a denial of service. The issue existed since version 2.2.17. PR 52256.
    [Rainer Canavan <rainer-apache 7val com>]
    *) SECURITY: CVE-2012-0031 (cve.mitre.org)
    Fix scoreboard issue which could allow an unprivileged child process
    could cause the parent to crash at shutdown rather than terminate
    cleanly. [Joe Orton]
    *) SECURITY: CVE-2012-0053 (cve.mitre.org)
    Fix an issue in error responses that could expose “httpOnly” cookies
    when no custom ErrorDocument is specified for status code 400.
    [Eric Covener]
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
    (* Security fix *)
  • patches/packages/php-5.3.10-i486-1_slack13.0.txz
    Fixed arbitrary remote code execution vulnerability reported by Stefan
    Esser, CVE-2012-0830. (Stas, Dmitry)
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
    (* Security fix *)
  • patches/packages/proftpd-1.3.4a-i486-1_slack13.0.txz
    This update fixes a use-after-free() memory corruption error,
    and possibly other unspecified issues.
    For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
    (* Security fix *)
  • patches/packages/vsftpd-2.3.5-i486-1_slack13.0.txz
    Minor version bump, this also works around a hard to trigger heap overflow
    in glibc (glibc zoneinfo caching vuln). For there to be any possibility
    to trigger the glibc bug within vsftpd, the non-default option
    “chroot_local_user” must be set in /etc/vsftpd.conf.
    Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-)
    Nevertheless:
    (* Security fix *)
  • news/2012/02/08/slackware-13.0-changelog.txt
  • Last modified: 6 years ago
  • by Giuseppe Di Terlizzi