Slackware Security Advisories (sigurnosne nadogradnje)

[stereo Administrator offline]

14.04.2020.

Sveži git paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/git-2.17.4-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue:
  With a crafted URL that contains a newline in it, the credential helper
  machinery can be fooled to give credential information for a wrong host.
  The attack has been made impossible by forbidding a newline character in
  any value passed via the credential protocol. Credit for finding the
  vulnerability goes to Felix Wilhelm of Google Project Zero.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260
  (* Security fix *)

[stereo Administrator offline]

15.04.2020.

Sveži bind paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/bind-9.11.18-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue:
  DNS rebinding protection was ineffective when BIND 9 is configured as a
  forwarding DNS server. Found and responsibly reported by Tobias Klein.
  [GL #1574]
  (* Security fix *)

[stereo Administrator offline]

16.04.2020.

Sveži openvpn paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/openvpn-2.4.9-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue:
  Fix illegal client float. Thanks to Lev Stipakov.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810
  (* Security fix *)

[stereo Administrator offline]

21.04.2020.

Sveži git paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/git-2.17.5-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue:
  With a crafted URL that contains a newline or empty host, or lacks
  a scheme, the credential helper machinery can be fooled into
  providing credential information that is not appropriate for the
  protocol in use and host being contacted.
  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008
  (* Security fix *)

[stereo Administrator offline]

03.05.2020.

Sveži seamonkey paketi za Slackware 14.2 i -current:

Code: Select all

+--------------------------+
patches/packages/seamonkey-2.53.2-i686-1_slack14.2.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.2
  (* Security fix *)

[stereo Administrator offline]

05.05.2020.

Sveži mozilla-firefox i mozilla-thunderbird paketi za Slackware 14.2 i -current:

Code: Select all

patches/packages/mozilla-firefox-68.8.0esr-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/68.8.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2020-17/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12388
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12389
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12392
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12393
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12395
  (* Security fix *)

Code: Select all

patches/packages/mozilla-thunderbird-68.8.0-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/68.8.0/releasenotes/
  (* Security fix *)

[stereo Administrator offline]

14.05.2020.

Sveži mariadb paketi za Slackware 14.1 i -current:

Code: Select all

patches/packages/mariadb-5.5.68-i486-1_slack14.1.txz:  Upgraded.
  This update fixes potential denial-of-service vulnerabilities.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2752
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812
  (* Security fix *)

[stereo Administrator offline]

18.05.2020.

Sveži sane paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/sane-1.0.30-i586-1_slack14.2.txz:  Upgraded.
  This update fixes several security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12862
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12861
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12864
  (* Security fix *)

[stereo Administrator offline]

19.05.2020.

Sveži bind paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/bind-9.11.19-i586-1_slack14.2.txz:  Upgraded.
  This update fixes security issues:
  A malicious actor who intentionally exploits the lack of effective
  limitation on the number of fetches performed when processing referrals
  can, through the use of specially crafted referrals, cause a recursing
  server to issue a very large number of fetches in an attempt to process
  the referral. This has at least two potential effects: The performance of
  the recursing server can potentially be degraded by the additional work
  required to perform these fetches, and the attacker can exploit this
  behavior to use the recursing server as a reflector in a reflection attack
  with a high amplification factor.
  Replaying a TSIG BADTIME response as a request could trigger an assertion
  failure.
  For more information, see:
    https://kb.isc.org/docs/cve-2020-8616
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
    https://kb.isc.org/docs/cve-2020-8617
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617
  (* Security fix *)

Sveži libexif paketi za Slackware 14.0, 14.1, 14.2 i -current:

Code: Select all

patches/packages/libexif-0.6.22-i486-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues:
  CVE-2018-20030: Fix for recursion DoS
  CVE-2020-13114: Time consumption DoS when parsing canon array markers
  CVE-2020-13113: Potential use of uninitialized memory
  CVE-2020-13112: Various buffer overread fixes due to integer overflows
                  in maker notes
  CVE-2020-0093:  read overflow
  CVE-2019-9278:  replaced integer overflow checks the compiler could
                  optimize away by safer constructs
  CVE-2020-12767: fixed division by zero
  CVE-2016-6328:  fixed integer overflow when parsing maker notes
  CVE-2017-7544:  fixed buffer overread
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13114
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13113
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12767
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
  (* Security fix *)

[stereo Administrator offline]

01.06.2020.

Sveži mozilla-firefox paketi za Slackware 14.2 i -current:

Code: Select all

patches/packages/mozilla-firefox-68.9.0esr-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/68.9.0/releasenotes/
  (* Security fix *)