Slackware Security Advisories (security updates)

News about Slackware Linux

Moderator: Urednik

Administrator

Posts: 3401
Joined: 01 Apr 2012, 13:50
Location: Milky Way

Posted: 02 Sep 2023, 13:33


31. VII 2023.

New mozilla-thunderbird and seamonkey packages for Slackware 15.0 and -current:

patches/packages/mozilla-thunderbird-102.13.1-i686-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/102.13.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
    https://www.cve.org/CVERecord?id=CVE-2023-3417
  (* Security fix *)

patches/packages/seamonkey-2.53.17-i686-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.seamonkey-project.org/releases/seamonkey2.53.17
  (* Security fix *)
Use the source, Luke
SSZ IRC channel
Spread the Word, “CHOOSE SLACK! and Don’t look back.”



Administrator

Posted: 02 Sep 2023, 13:39


02. VIII 2023.

New openssl packages for Slackware 15.0 and -current:

patches/packages/openssl-1.1.1v-i586-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues:
  Fix excessive time spent checking DH q parameter value.
  Fix DH_check() excessive time with over sized modulus.
  For more information, see:
    https://www.openssl.org/news/secadv/20230731.txt
    https://www.openssl.org/news/secadv/20230719.txt
    https://www.cve.org/CVERecord?id=CVE-2023-3817
    https://www.cve.org/CVERecord?id=CVE-2023-3446
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1v-i586-1_slack15.0.txz:  Upgraded.

Administrator

Posted: 02 Sep 2023, 13:40


04. VIII 2023.

New mozilla-firefox and samba packages for Slackware 15.0 and -current:

patches/packages/mozilla-firefox-115.1.0esr-i686-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.1.0esr/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
    https://www.cve.org/CVERecord?id=CVE-2023-4045
    https://www.cve.org/CVERecord?id=CVE-2023-4046
    https://www.cve.org/CVERecord?id=CVE-2023-4047
    https://www.cve.org/CVERecord?id=CVE-2023-4048
    https://www.cve.org/CVERecord?id=CVE-2023-4049
    https://www.cve.org/CVERecord?id=CVE-2023-4050
    https://www.cve.org/CVERecord?id=CVE-2023-4052
    https://www.cve.org/CVERecord?id=CVE-2023-4054
    https://www.cve.org/CVERecord?id=CVE-2023-4055
    https://www.cve.org/CVERecord?id=CVE-2023-4056
    https://www.cve.org/CVERecord?id=CVE-2023-4057
  (* Security fix *)

patches/packages/samba-4.18.5-i586-1_slack15.0.txz:  Upgraded.
  PLEASE NOTE: We are taking the unusual step of moving to the latest Samba
  branch because Windows has made changes that break Samba 4.15.x. The last
  4.15.x will be retained in /pasture as a fallback. There may be some
  required configuration changes with this, but we've kept using MIT Kerberos
  to try to have the behavior change as little as possible. Upgrade carefully.
  This update fixes security issues:
  When winbind is used for NTLM authentication, a maliciously crafted request
  can trigger an out-of-bounds read in winbind and possibly crash it.
  SMB2 packet signing is not enforced if an admin configured
  "server signing = required" or for SMB2 connections to Domain Controllers
  where SMB2 packet signing is mandatory.
  An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be
  triggered by an unauthenticated attacker by issuing a malformed RPC request.
  Missing type validation in Samba's mdssvc RPC service for Spotlight can be
  used by an unauthenticated attacker to trigger a process crash in a shared
  RPC mdssvc worker process.
  As part of the Spotlight protocol Samba discloses the server-side absolute
  path of shares and files and directories in search results.
  For more information, see:
    https://www.samba.org/samba/security/CVE-2022-2127.html
    https://www.samba.org/samba/security/CVE-2023-3347.html
    https://www.samba.org/samba/security/CVE-2023-34966.html
    https://www.samba.org/samba/security/CVE-2023-34967.html
    https://www.samba.org/samba/security/CVE-2023-34968.html
    https://www.cve.org/CVERecord?id=CVE-2022-2127
    https://www.cve.org/CVERecord?id=CVE-2023-3347
    https://www.cve.org/CVERecord?id=CVE-2023-34966
    https://www.cve.org/CVERecord?id=CVE-2023-34967
    https://www.cve.org/CVERecord?id=CVE-2023-34968
  (* Security fix *)

Administrator

Posted: 02 Sep 2023, 13:41


30. VIII 2023.

New mozilla-firefox and mozilla-thunderbird packages for Slackware 15.0 and -current:

patches/packages/mozilla-firefox-115.2.0esr-i686-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.2.0/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2023-36/
    https://www.cve.org/CVERecord?id=CVE-2023-4573
    https://www.cve.org/CVERecord?id=CVE-2023-4574
    https://www.cve.org/CVERecord?id=CVE-2023-4575
    https://www.cve.org/CVERecord?id=CVE-2023-4576
    https://www.cve.org/CVERecord?id=CVE-2023-4577
    https://www.cve.org/CVERecord?id=CVE-2023-4051
    https://www.cve.org/CVERecord?id=CVE-2023-4578
    https://www.cve.org/CVERecord?id=CVE-2023-4053
    https://www.cve.org/CVERecord?id=CVE-2023-4580
    https://www.cve.org/CVERecord?id=CVE-2023-4581
    https://www.cve.org/CVERecord?id=CVE-2023-4582
    https://www.cve.org/CVERecord?id=CVE-2023-4583
    https://www.cve.org/CVERecord?id=CVE-2023-4584
    https://www.cve.org/CVERecord?id=CVE-2023-4585
  (* Security fix *)

patches/packages/mozilla-thunderbird-115.2.0-i686-1_slack15.0.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.0/releasenotes/
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:36


11. IX 2023.

New vim packages for Slackware 15.0 and -current:

patches/packages/vim-9.0.1897-i586-1_slack15.0.txz:  Upgraded.
  Fixed three use-after-free security issues.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-4733
    https://www.cve.org/CVERecord?id=CVE-2023-4752
    https://www.cve.org/CVERecord?id=CVE-2023-4750
  (* Security fix *)
patches/packages/vim-gvim-9.0.1897-i586-1_slack15.0.txz:  Upgraded.
  Fixed three use-after-free security issues.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-4733
    https://www.cve.org/CVERecord?id=CVE-2023-4752
    https://www.cve.org/CVERecord?id=CVE-2023-4750
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:37


12. IX 2023.

New mozilla-firefox packages for Slackware 15.0 and -current:

patches/packages/mozilla-firefox-115.2.1esr-i686-1_slack15.0.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/115.2.1/releasenotes/
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:39


13. IX 2023.

New curl packages for Slackware 14.0, 14.1, 14.2, 15.0 and -current:

This update fixes a security issue:
  HTTP headers eat all memory.
    https://curl.se/docs/CVE-2023-38039.html
    https://www.cve.org/CVERecord?id=CVE-2023-38039
  (* Security fix *)

New libarchive packages for Slackware 14.1, 14.2, 15.0 and -current:

patches/packages/libarchive-3.7.2-i586-1_slack15.0.txz:  Upgraded.
  This update fixes multiple security vulnerabilities in the PAX writer:
  Heap overflow in url_encode() in archive_write_set_format_pax.c.
  NULL dereference in archive_write_pax_header_xattrs().
  Another NULL dereference in archive_write_pax_header_xattrs().
  NULL dereference in archive_write_pax_header_xattr().
  (* Security fix *)

New netatalk packages for Slackware 14.1, 14.2, 15.0 and -current:

patches/packages/netatalk-3.1.16-i586-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and security issues.
  Shared library .so-version bump.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-23121
    https://www.cve.org/CVERecord?id=CVE-2022-23123
  (* Security fix *)

New mozilla-thunderbird packages for Slackware 15.0 and -current:

patches/packages/mozilla-thunderbird-115.2.2-i686-1_slack15.0.txz:  Upgraded.
  This release contains a security fix for a critical heap buffer overflow.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/115.2.2/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:40


14. IX 2023.

New libwebp packages for Slackware 15.0 and -current:

patches/packages/libwebp-1.3.2-i586-1_slack15.0.txz:  Upgraded.
  Security fix for lossless decoder (chromium: #1479274, CVE-2023-4863).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-4863
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:41


15. IX 2023.

New python3 packages for Slackware 15.0 and -current:

patches/packages/python3-3.9.18-i586-1_slack15.0.txz:  Upgraded.
  This update fixes a security issue:
  Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass
  of the TLS handshake and included protections (like certificate verification)
  and treating sent unencrypted data as if it were post-handshake TLS encrypted
  data. Security issue reported by Aapo Oksman; patch by Gregory P. Smith.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-40217
  (* Security fix *)

Administrator

Posted: 18 Sep 2023, 21:42


18. IX 2023.

New netatalk packages for Slackware 15.0 and -current:

patches/packages/netatalk-3.1.17-i586-1_slack15.0.txz:  Upgraded.
  This update fixes bugs and a security issue:
  Validate data type in dalloc_value_for_key(). This flaw could allow a
  malicious actor to cause Netatalk's afpd daemon to crash, or possibly to
  execute arbitrary code.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2023-42464
  (* Security fix *)