Slackware Security Advisories (sigurnosne nadogradnje)

[stereo Administrator offline]

08. VI 2023.

Sveži mozilla-thunderbird, php8 i python3 paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/mozilla-thunderbird-102.12.0-i686-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.12.0/releasenotes/
  (* Security fix *)

Code: Select all

extra/php81/php81-8.1.20-i586-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
    https://www.php.net/ChangeLog-8.php#8.1.20
  (* Security fix *)

Code: Select all

patches/packages/python3-3.9.17-i586-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  urllib.parse.urlsplit() now strips leading C0 control and space characters
  following the specification for URLs defined by WHATWG.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-24329
  (* Security fix *)

[stereo Administrator offline]

15. VI 2023.

Sveži libX11 paketi za Slackware 14.0, 14.1, 14.2, 15.0 i -current:

Code: Select all

patches/packages/libX11-1.8.6-i586-1_slack15.0.txz:  Upgraded.
  This update fixes buffer overflows in InitExt.c that could at least cause
  the client to crash due to memory corruption.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-3138
  (* Security fix *)

[stereo Administrator offline]

21. VI 2023.

Sveži bind paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/bind-9.16.42-i586-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Exceeding the recursive-clients quota may cause named to terminate
  unexpectedly when stale-answer-client-timeout is set to 0.
  For more information, see:
    https://kb.isc.org/docs/cve-2023-2911
    https://www.cve.org/CVERecord?id=CVE-2023-2911
  (* Security fix *)

Sveži kernel paketi za Slackware 15.0:

Code: Select all

patches/packages/linux-5.15.118/*:  Upgraded.
  These updates fix various bugs and security issues.
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    Fixed in 5.15.93:
    https://www.cve.org/CVERecord?id=CVE-2023-2162
    https://www.cve.org/CVERecord?id=CVE-2023-32269
    Fixed in 5.15.94:
    https://www.cve.org/CVERecord?id=CVE-2023-1078
    https://www.cve.org/CVERecord?id=CVE-2022-27672
    Fixed in 5.15.95:
    https://www.cve.org/CVERecord?id=CVE-2023-1513
    https://www.cve.org/CVERecord?id=CVE-2023-1281
    https://www.cve.org/CVERecord?id=CVE-2023-26545
    Fixed in 5.15.96:
    https://www.cve.org/CVERecord?id=CVE-2023-0459
    https://www.cve.org/CVERecord?id=CVE-2022-3707
    https://www.cve.org/CVERecord?id=CVE-2022-2196
    Fixed in 5.15.99:
    https://www.cve.org/CVERecord?id=CVE-2023-2985
    https://www.cve.org/CVERecord?id=CVE-2023-1079
    https://www.cve.org/CVERecord?id=CVE-2023-25012
    https://www.cve.org/CVERecord?id=CVE-2023-1076
    https://www.cve.org/CVERecord?id=CVE-2023-1077
    https://www.cve.org/CVERecord?id=CVE-2023-1118
    Fixed in 5.15.100:
    https://www.cve.org/CVERecord?id=CVE-2023-23004
    https://www.cve.org/CVERecord?id=CVE-2023-1829
    Fixed in 5.15.104:
    https://www.cve.org/CVERecord?id=CVE-2023-30456
    https://www.cve.org/CVERecord?id=CVE-2023-2235
    https://www.cve.org/CVERecord?id=CVE-2023-1855
    https://www.cve.org/CVERecord?id=CVE-2023-1990
    Fixed in 5.15.105:
    https://www.cve.org/CVERecord?id=CVE-2023-2483
    https://www.cve.org/CVERecord?id=CVE-2023-30772
    https://www.cve.org/CVERecord?id=CVE-2023-33203
    https://www.cve.org/CVERecord?id=CVE-2023-33288
    https://www.cve.org/CVERecord?id=CVE-2022-4379
    https://www.cve.org/CVERecord?id=CVE-2023-1670
    https://www.cve.org/CVERecord?id=CVE-2022-4269
    https://www.cve.org/CVERecord?id=CVE-2023-1989
    https://www.cve.org/CVERecord?id=CVE-2023-28466
    https://www.cve.org/CVERecord?id=CVE-2023-2194
    Fixed in 5.15.106:
    https://www.cve.org/CVERecord?id=CVE-2023-1611
    Fixed in 5.15.108:
    https://www.cve.org/CVERecord?id=CVE-2023-1859
    Fixed in 5.15.109:
    https://www.cve.org/CVERecord?id=CVE-2023-2156
    https://www.cve.org/CVERecord?id=CVE-2023-31436
    https://www.cve.org/CVERecord?id=CVE-2023-2248
    Fixed in 5.15.110:
    https://www.cve.org/CVERecord?id=CVE-2023-1380
    https://www.cve.org/CVERecord?id=CVE-2023-2002
    Fixed in 5.15.111:
    https://www.cve.org/CVERecord?id=CVE-2023-32233
    https://www.cve.org/CVERecord?id=CVE-2023-2269
    Fixed in 5.15.112:
    https://www.cve.org/CVERecord?id=CVE-2023-34256
    Fixed in 5.15.113:
    https://www.cve.org/CVERecord?id=CVE-2022-48425
  (* Security fix *)

[stereo Administrator offline]

22. VI 2023.

Sveži cups paketi za Slackware 14.2, 15.0 i -current:

Code: Select all

patches/packages/cups-2.4.6-i586-1_slack15.0.txz:  Upgraded.
  Fixed use-after-free when logging warnings in case of failures
  in cupsdAcceptClient().
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-34241
  (* Security fix *)

[stereo Administrator offline]

26. VI 2023.

Sveži vim paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/vim-9.0.1667-i586-1_slack15.0.txz:  Upgraded.
  This fixes a rare divide-by-zero bug that could cause vim to crash. In an
  interactive program such as vim, I can't really see this qualifying as a
  security issue, but since it was brought up as such on LQ we'll just go
  along with it this time. :)
  Thanks to marav for the heads-up.
  (* Security fix *)
patches/packages/vim-gvim-9.0.1667-i586-1_slack15.0.txz:  Upgraded.

[stereo Administrator offline]

04. VII 2023.

Sveži mozilla-firefox paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/mozilla-firefox-102.13.0esr-i686-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/102.13.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2023-23/
    https://www.cve.org/CVERecord?id=CVE-2023-37201
    https://www.cve.org/CVERecord?id=CVE-2023-37202
    https://www.cve.org/CVERecord?id=CVE-2023-37207
    https://www.cve.org/CVERecord?id=CVE-2023-37208
    https://www.cve.org/CVERecord?id=CVE-2023-37211
  (* Security fix *)

[stereo Administrator offline]

07. VII 2023.

Sveži mozilla-thunderbird paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/mozilla-thunderbird-102.13.0-i686-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.13.0/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/
    https://www.cve.org/CVERecord?id=CVE-2023-37201
    https://www.cve.org/CVERecord?id=CVE-2023-37202
    https://www.cve.org/CVERecord?id=CVE-2023-37207
    https://www.cve.org/CVERecord?id=CVE-2023-37208
    https://www.cve.org/CVERecord?id=CVE-2023-37211
  (* Security fix *)

[stereo Administrator offline]

12. VII 2023.

Sveži krb5 paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/krb5-1.19.2-i586-4_slack15.0.txz:  Rebuilt.
  Fix potential uninitialized pointer free in kadm5 XDR parsing.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-36054
  (* Security fix *)

[stereo Administrator offline]

19. VII 2023.

Sveži openssh paketi za Slackware 15.0 i -current:

Code: Select all

patches/packages/openssh-9.3p2-i586-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  ssh-agent(1) in OpenSSH between and 5.5 and 9.3p1 (inclusive): remote code
  execution relating to PKCS#11 providers.
  The PKCS#11 support ssh-agent(1) could be abused to achieve remote code
  execution via a forwarded agent socket if the following conditions are met:
  * Exploitation requires the presence of specific libraries on the victim
    system.
  * Remote exploitation requires that the agent was forwarded to an
    attacker-controlled system.
  Exploitation can also be prevented by starting ssh-agent(1) with an empty
  PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that
  contains only specific provider libraries.
  This vulnerability was discovered and demonstrated to be exploitable by the
  Qualys Security Advisory team.
  Potentially-incompatible changes:
  * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules
  issued by remote clients by default. A flag has been added to restore the
  previous behaviour: "-Oallow-remote-pkcs11".
  For more information, see:
    https://www.openssh.com/txt/release-9.3p2
    https://www.cve.org/CVERecord?id=CVE-2023-38408
  (* Security fix *)

Sveži curl paketi za Slackware 14.0, 14.1, 14.2, 15.0 i -current:

Code: Select all

patches/packages/curl-8.2.0-i586-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  fopen race condition.
  For more information, see:
    https://curl.se/docs/CVE-2023-32001.html
    https://www.cve.org/CVERecord?id=CVE-2023-32001
  (* Security fix *)

[stereo Administrator offline]

24. VII 2023.

Sveži kernel-firmware paketi za Slackware 14.2, 15.0 i -current:

Code: Select all

patches/packages/kernel-firmware-20230724_59fbffa-noarch-1.txz:  Upgraded.
  AMD microcode updated to fix a use-after-free in AMD Zen2 processors.
  From Tavis Ormandy's annoucement of the issue:
    "The practical result here is that you can spy on the registers of other
    processes. No system calls or privileges are required.
    It works across virtual machines and affects all operating systems.
    I have written a poc for this issue that's fast enough to reconstruct
    keys and passwords as users log in."
  For more information, see:
    https://seclists.org/oss-sec/2023/q3/59
    https://www.cve.org/CVERecord?id=CVE-2023-20593
  (* Security fix *)