Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== Slackware-13.0 ChangeLog (2012-02-08) ====== ====== Wed Feb 8 01:21:42 UTC 2012 ====== ===== Packages ===== ==== Upgraded ==== * [[slackware.13.0>patches/packages/apr-util-1.4.1-i486-1_slack13.0.txz]] \\ Version bump for httpd upgrade. * [[slackware.13.0>patches/packages/httpd-2.2.22-i486-1_slack13.0.txz]] \\ *) SECURITY: CVE-2011-3368 (cve.mitre.org) \\ Reject requests where the request-URI does not match the HTTP \\ specification, preventing unexpected expansion of target URLs in \\ some reverse proxy configurations. [Joe Orton] \\ *) SECURITY: CVE-2011-3607 (cve.mitre.org) \\ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module \\ is enabled, could allow local users to gain privileges via a .htaccess \\ file. [Stefan Fritsch, Greg Ames] \\ *) SECURITY: CVE-2011-4317 (cve.mitre.org) \\ Resolve additional cases of URL rewriting with ProxyPassMatch or \\ RewriteRule, where particular request-URIs could result in undesired \\ backend network exposure in some configurations. \\ [Joe Orton] \\ *) SECURITY: CVE-2012-0021 (cve.mitre.org) \\ mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format \\ string is in use and a client sends a nameless, valueless cookie, causing \\ a denial of service. The issue existed since version 2.2.17. PR 52256. \\ [Rainer Canavan <rainer-apache 7val com>] \\ *) SECURITY: CVE-2012-0031 (cve.mitre.org) \\ Fix scoreboard issue which could allow an unprivileged child process \\ could cause the parent to crash at shutdown rather than terminate \\ cleanly. [Joe Orton] \\ *) SECURITY: CVE-2012-0053 (cve.mitre.org) \\ Fix an issue in error responses that could expose "httpOnly" cookies \\ when no custom ErrorDocument is specified for status code 400. \\ [Eric Covener] \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031 \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053 \\ (* Security fix *) * [[slackware.13.0>patches/packages/php-5.3.10-i486-1_slack13.0.txz]] \\ Fixed arbitrary remote code execution vulnerability reported by Stefan \\ Esser, CVE-2012-0830. (Stas, Dmitry) \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830 \\ (* Security fix *) * [[slackware.13.0>patches/packages/proftpd-1.3.4a-i486-1_slack13.0.txz]] \\ This update fixes a use-after-free() memory corruption error, \\ and possibly other unspecified issues. \\ For more information, see: \\ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130 \\ (* Security fix *) * [[slackware.13.0>patches/packages/vsftpd-2.3.5-i486-1_slack13.0.txz]] \\ Minor version bump, this also works around a hard to trigger heap overflow \\ in glibc (glibc zoneinfo caching vuln). For there to be any possibility \\ to trigger the glibc bug within vsftpd, the non-default option \\ "chroot_local_user" must be set in /etc/vsftpd.conf. \\ Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-) \\ Nevertheless: \\ (* Security fix *) {{tag>slackware changelog slackware-13.0 2012-02}} news/2012/02/08/slackware-13.0-changelog.txt Last modified: 13 months agoby Giuseppe Di Terlizzi Log In