Thu Apr 30 20:56:17 CDT 2009 ruby-1.8.6_p368-i486-1.tgz: Upgraded to ruby-1.8.6-p368. This update fixes a DoS in REXML. For details, see: http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ (* Security fix *) +--------------------------+ Sun Apr 26 15:20:57 CDT 2009 cups-1.3.10-i486-1.tgz: Upgraded to cups-1.3.10. This fixes several security issues, including an integer overflow in the TIFF decoder, a failure to properly verify the Host HTTP header, and several problems with PDF handling (the new CUPS uses a wrapper rather than embedded code taken from xpdf). These issues could result in a denial of service or the execution of arbitrary code. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0164 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166 (* Security fix *) +--------------------------+ Mon Apr 20 23:29:57 CDT 2009 udev-118-i486-4.tgz: This package has been patched to fix a local root hole and a denial of service issue. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1186 (* Security fix *) +--------------------------+ Mon Apr 13 16:22:12 CDT 2009 seamonkey-1.1.16-i486-1.tgz: Upgraded to seamonkey-1.1.16. This release fixes some more security vulnerabilities. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html (* Security fix *) +--------------------------+ Tue Apr 7 16:59:49 CDT 2009 openssl-0.9.8h-i486-3.tgz: Patched (see below). openssl-solibs-0.9.8h-i486-3.tgz: Patched to fix possible crashes as well as a (fairly unlikely) case where an invalid signature might verify as valid. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0789 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0591 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590 (* Security fix *) php-5.2.9-i486-1.tgz: Upgraded to php-5.2.9. This update fixes a few security issues: - Fixed a crash on extract in zip when files or directories entry names contain a relative path. - Fixed security issue in imagerotate(), background colour isn't validated correctly with a non truecolour image. (CVE-2008-5498) Reported by Hamid Ebadi, APA Laboratory. - Fixed a segfault when malformed string is passed to json_decode(). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498 (* Security fix *) xine-lib-1.1.16.3-i486-1.tgz: Upgraded to xine-lib-1.1.16.3. - Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385 (* Security fix *) +--------------------------+ Fri Mar 27 20:30:48 CDT 2009 glib2-2.14.6-i486-5.tgz: This library has been patched to fix overflows that are possible security holes. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316 (* Security fix *) +--------------------------+ Tue Mar 24 01:56:10 CDT 2009 lcms-1.18-i486-1.tgz: Upgraded to lcms-1.18. This update fixes security issues discovered in LittleCMS by Chris Evans. These flaws could cause program crashes (denial of service) or the execution of arbitrary code as the user of the lcms-linked program. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733 (* Security fix *) mozilla-thunderbird-2.0.0.21-i686-1.tgz: Upgraded to thunderbird-2.0.0.21. This upgrade fixes some more security bugs. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html (* Security fix *) seamonkey-1.1.15-i486-1.tgz: Upgraded to seamonkey-1.1.15. This release fixes some more security vulnerabilities. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html (* Security fix *) +--------------------------+ Mon Mar 9 00:00:38 CDT 2009 curl-7.16.2-i486-2.tgz: Patched curl-7.16.2. This fixes a security issue where automatic redirection could be made to follow file:// URLs, reading or writing a local instead of remote file. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 (* Security fix *) xterm-241-i486-1.tgz: Upgraded to xterm-241. This fixes a vulnerability where displaying a file containing DECRQSS (Device Control Request Status String) sequences could cause arbitrary commands to be executed as the user running xterm. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383 (* Security fix *) +--------------------------+ Fri Feb 20 17:20:49 CST 2009 cdrtools-2.01.01a57-i486-2.tgz: Fixed build script to put the charset conversion tables in /usr/lib/siconv. Hopefully this will work correctly with k3b now. Thanks to Krasimir Kazakov for the bug report. git-1.6.1.3-i486-1.tgz: Upgraded to git-1.6.1.3. This fixes a vulnerability where running git-diff or git-grep on a hostile git repository would result in the execution of arbirary code as the git user. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3546 (* Security fix *) libpng-1.2.35-i486-1.tgz: Upgraded to libpng-1.2.35. This fixes multiple memory-corruption vulnerabilities due to a failure to properly initialize data structures. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040 ftp://ftp.simplesystems.org/pub/png/src/libpng-1.2.34-ADVISORY.txt (* Security fix *) +--------------------------+ Mon Feb 9 16:13:43 CST 2009 cdrtools-2.01.01a57-i486-1.tgz: Upgraded to cdrtools-2.01.01a57. Also, fixed a build script error so that the utilities look for locale files in the correct directory. Thanks to Krasimir Kazakov for the bug report. Anyone who had problems with k3b previously should upgrade this package. +-------------------------+ Sun Jan 18 21:01:11 CDT 2009 sysvinit-scripts-t-1.2-noarch-2.tgz Fixed bugs in /etc/rc.d/* scripts in real mode bind-9.4.3_P1-i486-1.tgz: Upgraded to bind-9.4.3-P1. Fixed checking on return values from OpenSSL's EVP_VerifyFinal and DSA_do_verify functions to prevent spoofing answers returned from zones using the DNSKEY algorithms DSA and NSEC3DSA. For more information, see: https://www.isc.org/node/373 http://www.ocert.org/advisories/ocert-2008-016.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025 (* Security fix *) ntp-4.2.4p6-i486-1.tgz: [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value. For more information, see: https://lists.ntp.org/pipermail/announce/2009-January/000055.html http://www.ocert.org/advisories/ocert-2008-016.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 (* Security fix *) openssl-0.9.8h-i486-2.tgz: Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack. For more information, see: http://www.openssl.org/news/secadv_20090107.txt http://www.ocert.org/advisories/ocert-2008-016.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 (* Security fix *) openssl-solibs-0.9.8h-i486-2.tgz: Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack. For more information, see: http://www.openssl.org/news/secadv_20090107.txt http://www.ocert.org/advisories/ocert-2008-016.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 (* Security fix *) +--------------------------+