ChangeLog for: 2026-01-28 00:51:26

a/openssl-solibs-3.5.5-x86_64-1.txz: Upgraded.
l/lmdb-0.9.34-x86_64-1.txz: Upgraded.
l/python-pathspec-1.0.4-x86_64-1.txz: Upgraded.
l/sof-firmware-2025.12.2-noarch-1.txz: Upgraded.
n/gnupg2-2.5.17-x86_64-1.txz: Upgraded.
  This version fixes a *critical security bug* in versions 2.5.13 to 2.5.16:
  A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped
  session key can cause a stack buffer overflow in gpg-agent during the
  PKDECRYPT --kem=CMS handling. This can easily be used for a DoS but, worse,
  the memory corruption can very likely also be used to mount a remote code
  execution attack. The bug was introduced while changing an internal API to
  the FIPS required KEM API.
  Fixed stack-based buffer overflow in TPM2 `PKDECRYPT`.
  Fixed null pointer dereference with overlong signature packet.
  For more information, see:
    https://dev.gnupg.org/T8044
    https://dev.gnupg.org/T8045
    https://dev.gnupg.org/T8049
    https://www.cve.org/CVERecord?id=CVE-2026-24881
    https://www.cve.org/CVERecord?id=CVE-2026-24882
    https://www.cve.org/CVERecord?id=CVE-2026-24883
  (* Security fix *)
n/openssl-3.5.5-x86_64-1.txz: Upgraded.
  OpenSSL 3.5.5 is a security patch release.
  The most severe CVE fixed in this release is High.
  This release incorporates the following bug fixes and mitigations:
  Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
  Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
  Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
  Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB.
  Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation.
  Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
  Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
  function calls.
  Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
  Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function.
  Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
  Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
  Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
  function.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2025-11187
    https://www.cve.org/CVERecord?id=CVE-2025-15467
    https://www.cve.org/CVERecord?id=CVE-2025-15468
    https://www.cve.org/CVERecord?id=CVE-2025-15469
    https://www.cve.org/CVERecord?id=CVE-2025-66199
    https://www.cve.org/CVERecord?id=CVE-2025-68160
    https://www.cve.org/CVERecord?id=CVE-2025-69418
    https://www.cve.org/CVERecord?id=CVE-2025-69419
    https://www.cve.org/CVERecord?id=CVE-2025-69420
    https://www.cve.org/CVERecord?id=CVE-2025-69421
    https://www.cve.org/CVERecord?id=CVE-2026-22795
    https://www.cve.org/CVERecord?id=CVE-2026-22796
  (* Security fix *)
xap/gparted-1.8.0-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-140.7.1esr-x86_64-1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/140.7.1esr/releasenotes/
  (* Security fix *)