Slackwarearm-current ChangeLog (2016-12-29)
Thu Dec 29 19:20:21 UTC 2016
The mini root filesystem for -current has been updated:
ftp://ftp.arm.slackware.com/slackwarearm/slackwarearm-devtools/minirootfs/
The tested upgrade path for this batch is:
# upgradepkg a/aaa_elflibs-*.t?z
# upgradepkg l/ncurses-*.t?z
# removepkg libtermcap
# ldconfig
Then upgrade the rest of them as you would usually.
Packages
Rebuilt
- a/aaa_elflibs-14.2-arm-2.txz
Added libform.so.6.0, libformw.so.6.0, libhistory.so.7.0, libmenu.so.6.0,
libmenuw.so.6.0, libncurses.so.6.0, libncursesw.so.6.0, libpanel.so.6.0,
libpanelw.so.6.0, libreadline.so.7.0, and libtinfo.so.6.0.
- isolinux/*
Upgraded
- a/kernel-modules-armv7-4.8.15_armv7-arm-1.txz
- a/kernel_armv7-4.8.15-arm-1.txz
- ap/nano-2.7.3-arm-1.txz
- d/kernel-headers-4.8.15-arm-1.txz
- d/python-2.7.13-arm-1.txz
This release fixes security issues:
Issue #27850: Remove 3DES from the ssl module's default cipher list to
counter the Sweet32 attack (CVE-2016-2183).
Issue #27568: Prevent the HTTPoxy attack (CVE-2016-1000110): ignore the
HTTP_PROXY variable when the REQUEST_METHOD environment variable is set,
which indicates that the script is running in CGI mode (a CGI gateway
derives HTTP_PROXY from a client-supplied "Proxy:" request header, so it
cannot be trusted there).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110
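An added check for the Sweet32 change in python-2.7.13 above; this is example code written for this page, not code from the Python project or from the ChangeLog. It builds an SSLContext from a cipher string, lists the suites OpenSSL actually selects for it, and reports whether any 3DES suite (DES-CBC3 in OpenSSL's naming) survives. The HARDENED_CIPHERS string and the function names are assumptions for illustration; the page does not state the exact cipher string Python adopted, only that 3DES was dropped.

```python
import ssl

# Substrings that identify 64-bit-block 3DES suites in OpenSSL cipher names
# (e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA); these are the Sweet32 targets.
THREE_DES_MARKERS = ("DES-CBC3", "3DES")

# Assumed hardened cipher string for this example. The page only says that
# 3DES was removed from the default list, not which string replaced it.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!3DES"


def context_cipher_names(ctx):
    """Return the OpenSSL names of the suites a context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_names(spec):
    """Names of the suites selected by an OpenSSL cipher string.

    An unsatisfiable spec (every suite excluded, or only unknown names) makes
    set_ciphers raise ssl.SSLError; report that as an empty list so a caller
    fails closed instead of silently keeping the previous list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return context_cipher_names(ctx)


def offers_3des(names):
    """True if any suite name in `names` is a 3DES suite."""
    return any(marker in name for name in names for marker in THREE_DES_MARKERS)


def audit(spec):
    """Return (number of selected suites, 3DES present) for a cipher string."""
    names = cipher_names(spec)
    return len(names), offers_3des(names)


if __name__ == "__main__":
    for spec in ("ALL:!aNULL", HARDENED_CIPHERS):
        count, weak = audit(spec)
        print("%-28s suites=%3d  3DES=%s" % (spec, count, weak))
    default_names = context_cipher_names(ssl.create_default_context())
    print("create_default_context():    3DES=%s" % offers_3des(default_names))
```

Whether "ALL:!aNULL" still lists a 3DES suite depends on the OpenSSL build and security level on the host, which is exactly why the audit inspects get_ciphers() rather than trusting the string: the negative rule (!3DES) is what guarantees the result.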
(* Security fix *)
- k/kernel-source-4.8.15-arm-1.txz
- l/expat-2.2.0-arm-1.txz
This update fixes bugs and security issues:
Multiple integer overflows in XML_GetBuffer.
Fix crash on malformed input.
Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716.
Use more entropy for hash initialization.
Resolve troublesome internal call to srand.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
(* Security fix *)
- l/ncurses-6.0-arm-1.txz
Shared library .so-version bump.
Rebuild of linked binaries pending, but the old library versions are
in the aaa_elflibs package.
- l/readline-7.0-arm-1.txz
Shared library .so-version bump.
Rebuild of linked binaries pending, but the old library versions are
in the aaa_elflibs package.
- n/curl-7.52.1-arm-1.txz
- n/gpa-0.9.10-arm-1.txz
- n/gpgme-1.7.1-arm-1.txz
- n/httpd-2.4.25-arm-1.txz
This update fixes the following security issues:
* CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
* CVE-2016-5387: core: Mitigate [f]cgi “httpoxy” issues.
* CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry
allocation when the shared memory space is exhausted.
* CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie
with a MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack.
* CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for
request lines and request headers, to prevent response splitting and
cache pollution by malicious clients or downstream proxies.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
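The "httpoxy" issue is fixed on both sides in this batch: httpd-2.4.25 (CVE-2016-5387) stops a client-supplied "Proxy:" header from becoming HTTP_PROXY in a CGI script's environment, and python-2.7.13 (CVE-2016-1000110) stops a script from trusting HTTP_PROXY when it sees it is running under CGI. The example below is written for this page and is not code from httpd, Python or the ChangeLog; it models a minimal gateway that maps request headers to CGI meta-variables, with the header drop switchable to show the difference, beside the proxy lookup before and after the Python rule. The sample headers are constructed, and all function names are illustrative.

```python
# Constructed sample request: the client sends a "Proxy:" request header,
# which no standard defines but which a naive CGI gateway turns into
# HTTP_PROXY in the script's environment.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "curl/7.52.1",
    "Proxy": "http://attacker.test:8080",
}


def build_cgi_environ(method, headers, drop_proxy_header=True):
    """Map request headers to CGI meta-variables (HTTP_<NAME>) like a gateway.

    drop_proxy_header=True mirrors the server-side mitigation: the "Proxy"
    header is never forwarded as HTTP_PROXY. False reproduces the exposure.
    """
    environ = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        meta = "HTTP_" + name.upper().replace("-", "_")
        if drop_proxy_header and meta == "HTTP_PROXY":
            continue
        environ[meta] = value
    return environ


def proxies_from_environ_legacy(environ):
    """Pre-fix lookup: every *_proxy variable, case-insensitively, is trusted."""
    proxies = {}
    for name, value in environ.items():
        name = name.lower()
        if value and name.endswith("_proxy"):
            proxies[name[:-6]] = value
    return proxies


def proxies_from_environ(environ):
    """Lookup with the CGI rule applied on top of the legacy behaviour.

    REQUEST_METHOD is set only under a CGI gateway. In that case an
    upper-case HTTP_PROXY is untrusted (it may have come from the request)
    and is dropped; a lower-case http_proxy set by the administrator, which
    a gateway never produces, is still honoured.
    """
    proxies = proxies_from_environ_legacy(environ)
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
        for name, value in environ.items():
            if name.endswith("_proxy"):  # exact lower-case suffix only
                key = name[:-6].lower()
                if value:
                    proxies[key] = value
                else:
                    proxies.pop(key, None)
    return proxies


if __name__ == "__main__":
    exposed = build_cgi_environ("GET", SAMPLE_HEADERS, drop_proxy_header=False)
    print("legacy lookup:", proxies_from_environ_legacy(exposed))  # attacker's proxy
    print("fixed lookup :", proxies_from_environ(exposed))         # {}
    print("gateway drop :", "HTTP_PROXY" in build_cgi_environ("GET", SAMPLE_HEADERS))
```

Either fix alone closes the hole for the pairing in this batch; deploying both matters because a CGI script may run behind a gateway that does not drop the header, and a gateway may host scripts in languages whose HTTP clients never learned the rule.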
(* Security fix *)
- n/lftp-4.7.4-arm-1.txz
- n/libassuan-2.4.3-arm-1.txz
- n/libgcrypt-1.7.5-arm-1.txz
- n/libksba-1.3.5-arm-1.txz
- n/nettle-3.3-arm-1.txz
- n/nmap-7.40-arm-1.txz
- n/openssh-7.4p1-arm-1.txz
This is primarily a bugfix release, and also addresses security issues.
ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside
a trusted whitelist.
sshd(8): When privilege separation is disabled, forwarded Unix-domain
sockets would be created by sshd(8) with the privileges of 'root'.
sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc().
sshd(8): The shared memory manager used by pre-authentication compression
support had a bounds check that could be elided by some optimising
compilers, potentially allowing attacks against the privileged monitor
process from the sandboxed privilege-separation process.
sshd(8): Validate address ranges for AllowUsers and DenyUsers directives at
configuration load time and refuse to accept invalid ones. It was
previously possible to specify invalid CIDR address ranges
(e.g. user@127.1.2.3/55) and these would always match, possibly resulting
in granting access where it was not intended.
For more information, see:
https://www.openssh.com/txt/release-7.4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
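The AllowUsers/DenyUsers change above is an instance of a general rule: validate address patterns when the configuration is loaded and reject the whole configuration on a bad entry, rather than discovering at match time that an unparseable mask behaves like a wildcard. The block below is an added example for this page, not OpenSSH code; it parses "user@addr/mask" patterns with Python's ipaddress module, reports the entries that fail to parse, and matches valid ones. The sample patterns are constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sshd_config-style patterns. "/55" is the kind of invalid IPv4
# mask that an older sshd accepted and then matched against every address.
SAMPLE_PATTERNS = [
    "alice@192.0.2.0/24",
    "bob@127.1.2.3/55",
    "carol@2001:db8::/32",
    "dave",
]


def parse_user_pattern(pattern):
    """Split 'user@addr/mask' into (user, network); 'user' alone gives (user, None).

    Raises ValueError for an address range ipaddress cannot parse, so a bad
    mask is an error at load time instead of a silent match-all later.
    """
    if "@" not in pattern:
        return pattern, None
    user, _, cidr = pattern.partition("@")
    try:
        # strict=False masks off host bits ("192.0.2.5/24" -> 192.0.2.0/24);
        # the prefix length itself is still validated.
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        raise ValueError("invalid address range in %r: %s" % (pattern, exc))
    return user, network


def invalid_patterns(patterns):
    """Return the entries that fail to parse; an empty list means the config loads."""
    bad = []
    for pattern in patterns:
        try:
            parse_user_pattern(pattern)
        except ValueError:
            bad.append(pattern)
    return bad


def load_patterns(patterns):
    """Fail closed: one bad entry rejects the whole list."""
    bad = invalid_patterns(patterns)
    if bad:
        raise ValueError("refusing configuration, bad entries: %s" % bad)
    return [parse_user_pattern(p) for p in patterns]


def matches(parsed, user, addr):
    """Does a parsed (user, network) entry match a login attempt from addr?"""
    pattern_user, network = parsed
    if pattern_user != user:
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return network is None or ipaddress.ip_address(addr) in network


if __name__ == "__main__":
    print("rejected at load time:", invalid_patterns(SAMPLE_PATTERNS))
    good = load_patterns([p for p in SAMPLE_PATTERNS if p not in invalid_patterns(SAMPLE_PATTERNS)])
    for entry in good:
        print(entry, "alice@192.0.2.77 ->", matches(entry, "alice", "192.0.2.77"))
```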
(* Security fix *)
- n/pinentry-1.0.0-arm-1.txz
- n/samba-4.5.3-arm-1.txz
This release fixes security issues:
CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
Overflow Remote Code Execution Vulnerability).
CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers
in trusted realms).
CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
elevation).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126
(* Security fix *)
- xfce/xfce4-weather-plugin-0.8.8-arm-1.txz
Package upgraded to fix the API used to fetch weather data.
Thanks to Robby Workman.
- kernels/*
Removed
- l/libtermcap-1.2.3-arm-1.txz
Replaced by equivalent functionality in the ncurses package.