Sat Dec 24 02:36:05 UTC 2016
patches/packages/httpd-2.4.25-i486-1_slack14.1.txz: Upgraded.
  This update fixes the following security issues:
  * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless
  CONTINUATION frames.
  * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues.
  * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry
  allocation when the shared memory space is exhausted.
  * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie
  with a MAC (SipHash) to prevent deciphering or tampering with a padding
  oracle attack.
  * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for
  request lines and request headers, to prevent response splitting and
  cache pollution by malicious clients or downstream proxies.
  For more information, see:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
  (* Security fix *)
patches/packages/openssh-7.4p1-i486-1_slack14.1.txz: Upgraded.
  This is primarily a bugfix release, and also addresses security issues.
  ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside
  a trusted whitelist.
  sshd(8): When privilege separation is disabled, forwarded Unix-domain
  sockets would be created by sshd(8) with the privileges of 'root'.
  sshd(8): Avoid theoretical leak of host private key material to
  privilege-separated child processes via realloc().
  sshd(8): The shared memory manager used by pre-authentication compression
  support had a bounds check that could be elided by some optimising
  compilers to potentially allow attacks against the privileged monitor
  process from the sandboxed privilege-separation process.
  sshd(8): Validate address ranges for AllowUsers and DenyUsers directives at
  configuration load time and refuse to accept invalid ones. It was
  previously possible to specify invalid CIDR address ranges
  (e.g. user@127.1.2.3/55) and these would always match, possibly resulting
  in granting access where it was not intended.
  For more information, see:
  https://www.openssh.com/txt/release-7.4
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
  (* Security fix *)
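  The AllowUsers/DenyUsers hardening above boils down to validating CIDR ranges
  when the configuration is loaded rather than when a client connects. The
  following Python illustration (added here; it is not OpenSSH's code and the
  function names are made up) rejects a pattern such as user@127.1.2.3/55 at
  load time, so an invalid range can never reach the matcher and silently match
  every client.

```python
import ipaddress

def parse_user_pattern(pattern: str):
    """Parse an AllowUsers/DenyUsers-style 'user' or 'user@addr/len' pattern.

    Returns (user, network-or-None). Raises ValueError for an invalid CIDR
    range so the problem surfaces at configuration load, not at auth time.
    """
    if "@" not in pattern:
        return pattern, None                  # user-only rule: any source
    user, _, addr = pattern.partition("@")
    if "/" not in addr:
        return user, ipaddress.ip_network(addr)   # bare host = /32 or /128
    host, _, length = addr.partition("/")
    if not length.isdigit():
        raise ValueError(f"non-numeric prefix length in {pattern!r}")
    ip = ipaddress.ip_address(host)           # rejects garbage addresses
    if int(length) > ip.max_prefixlen:        # e.g. /55 is invalid for IPv4
        raise ValueError(
            f"prefix /{length} exceeds /{ip.max_prefixlen} in {pattern!r}")
    return user, ipaddress.ip_network(f"{host}/{length}", strict=False)

def pattern_is_valid(pattern: str) -> bool:
    """Load-time check: True only if the pattern parses cleanly."""
    try:
        parse_user_pattern(pattern)
        return True
    except ValueError:
        return False

def load_rules(patterns):
    """Validate every pattern up front; one bad entry rejects the whole list."""
    return [parse_user_pattern(p) for p in patterns]

def rule_matches(rule, user: str, client_ip: str) -> bool:
    """Strict boolean match: there is no error path that can read as 'match'."""
    rule_user, net = rule
    if rule_user != user:
        return False
    return net is None or ipaddress.ip_address(client_ip) in net

def user_allowed(rules, user: str, client_ip: str) -> bool:
    return any(rule_matches(r, user, client_ip) for r in rules)

if __name__ == "__main__":
    # Constructed sample configuration, including the invalid range from the
    # release notes, which must be refused before any rule is evaluated.
    print(pattern_is_valid("alice@10.0.0.0/8"), pattern_is_valid("user@127.1.2.3/55"))
```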
patches/packages/xfce4-weather-plugin-0.8.8-i486-1_slack14.1.txz: Upgraded.
  Package upgraded to fix the API used to fetch weather data.
  Thanks to Robby Workman.