<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <language>en-us</language>
    <managingEditor>shasta@slackware.pl (Slackware.PL staff)</managingEditor>
    <atom:link href="http://slackware.pl/rss/slackware-12.0-full.xml" rel="self" type="application/rss+xml" />
    <docs>http://blogs.law.harvard.edu/tech/rss</docs> 
    <link>http://slackware.pl/</link>
    <title>Slackware-12.0 ChangeLog detailed RSS at Slackware.PL</title>
    <description>Changelog activity and resources for slackware-12.0 (detailed version)</description>
    <item>
      <title>patches/packages/freetype-2.4.8-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/freetype-2.4.8-i486-1_slack12.0.tgz</link>
      <description>Upgraded. Some vulnerabilities in handling CID-keyed PostScript fonts have been fixed. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3439 (* Security fix *)</description>
      <pubDate>Wed, 01 Feb 2012 23:14:56 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-0.9.8t-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/openssl-0.9.8t-i486-1_slack12.0.tgz</link>
      <description>Upgraded. This fixes a bug where DTLS applications were not properly supported.  This bug could have allowed remote attackers to cause a denial of service via unspecified vectors. CVE-2012-0050 has been assigned to this issue. For more details see: http://openssl.org/news/secadv_20120118.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050 (* Security fix *)</description>
      <pubDate>Wed, 01 Feb 2012 23:14:56 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/openssl-solibs-0.9.8t-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/openssl-solibs-0.9.8t-i486-1_slack12.0.tgz</link>
      <description>Upgraded. This fixes a bug where DTLS applications were not properly supported.  This bug could have allowed remote attackers to cause a denial of service via unspecified vectors. CVE-2012-0050 has been assigned to this issue. For more details see: http://openssl.org/news/secadv_20120118.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0050 (* Security fix *)</description>
      <pubDate>Wed, 01 Feb 2012 23:14:56 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/bind-9.4_ESV_R5_P1-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/bind-9.4_ESV_R5_P1-i486-1_slack12.0.tgz</link>
      <description>Upgraded. --- 9.4-ESV-R5-P1 released --- nonexistent records, leading to an assertion failure. [RT #26590] (* Security fix *)</description>
      <pubDate>Thu, 17 Nov 2011 02:09:25 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/glibc-zoneinfo-2011i_2011n-noarch-1.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/glibc-zoneinfo-2011i_2011n-noarch-1.tgz</link>
      <description>Upgraded. New upstream homepage:  http://www.iana.org/time-zones</description>
      <pubDate>Fri, 11 Nov 2011 18:58:21 +0100</pubDate>
    </item>
    <item>
      <title>patches/packages/httpd-2.2.21-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.21-i486-1_slack12.0.tgz</link>
      <description>Upgraded. Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.  [Jean-Frederic Clere]  SECURITY: CVE-2011-3348 Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. PR 51748. [&lt;lowprio20 gmail.com&gt;] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348 (* Security fix *)</description>
      <pubDate>Tue, 11 Oct 2011 07:50:04 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz</link>
      <description>Upgraded. SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192 (* Security fix *)</description>
      <pubDate>Sun, 04 Sep 2011 02:17:37 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/php-5.3.8-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/php-5.3.8-i486-1_slack12.0.tgz</link>
      <description>Upgraded. Security fixes vs. 5.3.6 (5.3.7 was not usable): Updated crypt_blowfish to 1.2. (CVE-2011-2483) Fixed crash in error_log(). Reported by Mateusz Kocielski. Fixed buffer overflow on overlong salt in crypt(). Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202) Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483 For those upgrading from PHP 5.2.x, be aware that quite a bit has changed, and it will very likely not 'drop in', but PHP 5.2.x is not supported by php.net any longer, so there wasn't a lot of choice in the matter.  We're not able to support a security fork of PHP 5.2.x here either, so you'll have to just bite the bullet on this.  You'll be better off in the long run.  :) (* Security fix *)</description>
      <pubDate>Thu, 25 Aug 2011 09:10:45 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/bind-9.4_ESV_R5-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/bind-9.4_ESV_R5-i486-1_slack12.0.tgz</link>
      <description>Upgraded. This BIND update addresses a couple of security issues: * named, set up to be a caching resolver, is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache the response. Due to an off-by-one error, caching the response could cause named to crash. [RT #24650] [CVE-2011-1910] * Change #2912 (see CHANGES) exposed a latent bug in the DNS message processing code that could allow certain UPDATE requests to crash named. [RT #24777] [CVE-2011-2464] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 (* Security fix *)</description>
      <pubDate>Fri, 12 Aug 2011 23:20:00 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/libpng-1.2.46-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/libpng-1.2.46-i486-1_slack12.0.tgz</link>
      <description>Upgraded. Fixed uninitialized memory read in png_format_buffer() (Bug report by Frank Busse, related to CVE-2004-0421). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0421 (* Security fix *)</description>
      <pubDate>Fri, 29 Jul 2011 18:22:40 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/fetchmail-6.3.20-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/fetchmail-6.3.20-i486-1_slack12.0.tgz</link>
      <description>Upgraded. This release fixes a denial of service in STARTTLS protocol phases. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947 http://www.fetchmail.info/fetchmail-SA-2011-01.txt (* Security fix *)</description>
      <pubDate>Mon, 20 Jun 2011 00:49:34 +0200</pubDate>
    </item>
    <item>
      <title>patches/packages/bind-9.4_ESV_R4_P1-i486-1_slack12.0.tgz</title>
      <link>ftp://ftp.slackware.pl/pub/slackware/slackware-12.0/patches/packages/bind-9.4_ESV_R4_P1-i486-1_slack12.0.tgz</link>
      <description>Upgraded. This release fixes security issues: * A large RRSET from a remote authoritative server that results in the recursive resolver trying to negatively cache the response can hit an off by one code error in named, resulting in named crashing. [RT #24650] [CVE-2011-1910] * Zones that have a DS record in the parent zone but are also listed in a DLV and won't validate without DLV could fail to validate. [RT #24631] For more information, see: http://www.isc.org/software/bind/advisories/cve-2011-1910 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910 (* Security fix *)</description>
      <pubDate>Fri, 27 May 2011 22:56:00 +0200</pubDate>
    </item>
  </channel>
</rss>

