Fri Aug 11 23:02:43 UTC 2017
patches/packages/git-2.14.1-x86_64-1_slack14.2.txz: Upgraded.
  Fixes security issues:
  A "ssh://..." URL can result in a "ssh" command line with a hostname that
  begins with a dash "-", which would cause the "ssh" command to instead
  (mis)treat it as an option. This is now prevented by forbidding such a
  hostname (which should not impact any real-world usage).
  Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
  host and port that are parsed out from "ssh://..." URL; a poorly written
  GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
  dash "-" as an option. This is now prevented by forbidding such a hostname
  and port number (again, which should not impact any real-world usage).
  For more information, see:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
  (* Security fix *)
patches/packages/libsoup-2.52.2-x86_64-3_slack14.2.txz: Rebuilt.
  Fixed a chunked decoding buffer overrun that could be exploited against
  either clients or servers.
  For more information, see:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2885
  (* Security fix *)
patches/packages/mercurial-4.3.1-x86_64-1_slack14.2.txz: Upgraded.
  Fixes security issues:
  Mercurial's symlink auditing was incomplete prior to 4.3, and could
  be abused to write to files outside the repository.
  Mercurial was not sanitizing hostnames passed to ssh, allowing
  shell injection attacks on clients by specifying a hostname starting
  with -oProxyCommand.
  For more information, see:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
  (* Security fix *)
patches/packages/subversion-1.9.7-x86_64-1_slack14.2.txz: Upgraded.
  Fixed a client-side arbitrary code execution vulnerability.
  For more information, see:
  https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800
  (* Security fix *)
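
The git and mercurial entries above describe the same class of flaw: a host (or port) parsed out of an "ssh://..." URL that begins with a dash ends up treated as an option by the command that receives it. The following is an added example, not code from git, mercurial, subversion or Slackware, showing the kind of check the git entry describes, for auditing repository URLs before they reach a client. The scheme list, the function names and the sample URLs are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Assumption: schemes whose host part is handed to an external ssh command.
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git", "svn+ssh")

def split_ssh_url(url):
    """Return (host, port) for an ssh-style URL, or None for other URLs."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/]*)", url)
    if not m or m.group(1).lower() not in SSH_SCHEMES:
        return None
    hostport = m.group(2).rsplit("@", 1)[-1]      # drop optional "user@"
    if hostport.startswith("["):                  # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    # Decode first so a percent-encoded dash (%2D) is caught as well.
    return unquote(host), unquote(port)

def check_url(url):
    """Return a rejection reason, or None if the URL is acceptable."""
    parsed = split_ssh_url(url)
    if parsed is None:
        return None                               # not an ssh transport
    host, port = parsed
    if not host:
        return "empty hostname"
    if host.startswith("-"):
        return "hostname begins with a dash"
    if port.startswith("-"):
        return "port begins with a dash"
    if port and not port.isdigit():
        return "port is not numeric"
    return None

def audit(urls):
    """Return [(url, reason)] for every URL that should be refused."""
    return [(u, r) for u in urls if (r := check_url(u)) is not None]

if __name__ == "__main__":
    # Constructed sample URLs, e.g. collected from submodule or externals
    # definitions in an untrusted repository.
    samples = [
        "ssh://git@example.org:22/project.git",
        "ssh://-example-option/project.git",
        "ssh://example.org:-1/project.git",
    ]
    for url, reason in audit(samples):
        print(f"REFUSE {url}: {reason}")
```
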