ChangeLog for: 2012-02-08 02:21:42

a/cups-1.4.8-x86_64-1.txz:  Upgraded.
a/glibc-solibs-2.14.1-x86_64-4.txz:  Rebuilt.
  Patched an overflow in tzfile.  This was evidently first reported in
  2009, but is only now getting around to being patched.  To exploit it,
  one must be able to write beneath /usr/share/zoneinfo, which is usually
  not possible for a normal user, but may be in the case where they are
  chroot()ed to a directory that they own.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
  (* Security fix *)
a/glibc-zoneinfo-2011i_2011n-noarch-4.txz:  Rebuilt.
ap/alsa-utils-1.0.25-x86_64-1.txz:  Upgraded.
ap/hplip-3.11.12-x86_64-1.txz:  Upgraded.
ap/sqlite-3.7.10-x86_64-1.txz:  Upgraded.
l/alsa-oss-1.0.25-x86_64-1.txz:  Upgraded.
l/alsa-lib-1.0.25-x86_64-1.txz:  Upgraded.
l/apr-util-1.4.1-x86_64-1.txz:  Upgraded.
l/glibc-2.14.1-x86_64-4.txz:  Rebuilt.
  Patched an overflow in tzfile.  This was evidently first reported in
  2009, but is only now getting around to being patched.  To exploit it,
  one must be able to write beneath /usr/share/zoneinfo, which is usually
  not possible for a normal user, but may be in the case where they are
  chroot()ed to a directory that they own.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
  (* Security fix *)
l/glibc-i18n-2.14.1-x86_64-4.txz:  Rebuilt.
l/glibc-profile-2.14.1-x86_64-4.txz:  Rebuilt.
  Patched an overflow in tzfile.  This was evidently first reported in
  2009, but is only now getting around to being patched.  To exploit it,
  one must be able to write beneath /usr/share/zoneinfo, which is usually
  not possible for a normal user, but may be in the case where they are
  chroot()ed to a directory that they own.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
  (* Security fix *)
n/httpd-2.2.22-x86_64-1.txz:  Upgraded.
  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]
  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif
     module is enabled, could allow local users to gain privileges via
     a .htaccess file.  [Stefan Fritsch, Greg Ames]
  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.  [Joe Orton]
  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log
     format string is in use and a client sends a nameless, valueless
     cookie, causing a denial of service.  The issue existed since
     version 2.2.17.  PR 52256.  [Rainer Canavan]
  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     to cause the parent to crash at shutdown rather than terminate
     cleanly.  [Joe Orton]
  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
  (* Security fix *)
n/php-5.3.10-x86_64-1.txz:  Upgraded.
  Fixed arbitrary remote code execution vulnerability reported by Stefan
  Esser, CVE-2012-0830.
  (Stas, Dmitry)
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
  (* Security fix *)
n/proftpd-1.3.4a-x86_64-1.txz:  Upgraded.
  This update fixes a use-after-free() memory corruption error,
  and possibly other unspecified issues.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
  (* Security fix *)
n/vsftpd-2.3.5-x86_64-1.txz:  Upgraded.
  Minor version bump, this also works around a hard to trigger heap
  overflow in glibc (glibc zoneinfo caching vuln).  For there to be any
  possibility to trigger the glibc bug within vsftpd, the non-default
  option "chroot_local_user" must be set in /etc/vsftpd.conf.
  Considered 1) low severity (hard to exploit) and 2) not a vsftpd bug :-)
  Nevertheless:
  (* Security fix *)