Thu Feb 13 23:45:53 UTC 2014
n/curl-7.35.0-x86_64-1.txz:  Upgraded.
  This update fixes a flaw where libcurl could, in some circumstances, reuse
  the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS
  request.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140129.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
  (* Security fix *)
n/ntp-4.2.6p5-x86_64-5.txz:  Rebuilt.
  All stable versions of NTP remain vulnerable to a remote attack where the
  "ntpdc -c monlist" command can be used to amplify network traffic as part
  of a denial of service attack.  By default, Slackware is not vulnerable
  since it includes "noquery" as a default restriction.  However, it is
  vulnerable if this restriction is removed.  To help mitigate this flaw,
  "disable monitor" has been added to the default ntp.conf (which will disable
  the monlist command even if other queries are allowed), and the default
  restrictions have been extended to IPv6 as well.
  All users of the NTP daemon should make sure that their ntp.conf contains
  "disable monitor" to prevent misuse of the NTP service.  The new ntp.conf
  file will be installed as /etc/ntp.conf.new with a package upgrade, but the
  changes will need to be merged into any existing ntp.conf file by the admin.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
    http://www.kb.cert.org/vuls/id/348126
  (* Security fix *)
+--------------------------+

Thu Feb 20 00:30:49 UTC 2014
a/kernel-firmware-20140215git-noarch-1.txz:  Upgraded.
a/kernel-generic-3.10.30-x86_64-1.txz:  Upgraded.
  These are new kernels that fix CVE-2014-0038, a bug that can allow local
  users to gain a root shell.
  Be sure to reinstall LILO (run "lilo" as root) after upgrading the kernel
  packages, or on UEFI systems, copy the appropriate kernel to
  /boot/efi/EFI/Slackware/vmlinuz).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
  (* Security fix *)
a/kernel-huge-3.10.30-x86_64-1.txz:  Upgraded.
  These are new kernels that fix CVE-2014-0038, a bug that can allow local
  users to gain a root shell.
  Be sure to reinstall LILO (run "lilo" as root) after upgrading the kernel
  packages, or on UEFI systems, copy the appropriate kernel to
  /boot/efi/EFI/Slackware/vmlinuz).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
  (* Security fix *)
a/kernel-modules-3.10.30-x86_64-1.txz:  Upgraded.
a/shadow-4.1.5.1-x86_64-3.txz:  Rebuilt.
  Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c"
  (CVE-2005-4890) by detaching the controlling terminal in the non-PAM
  case via a TIOCNOTTY request.  Bi-directional protection is excessive
  and breaks a commonly-used methods for privilege escalation on non-PAM
  systems (e.g. xterm -e /bin/su -s /bin/bash -c /bin/bash myscript).
  This update relaxes the restriction and only detaches the controlling
  tty when the callee is not root (which is, after all, the threat vector).
  Thanks to mancha for the patch (and the above information).
ap/mariadb-5.5.35-x86_64-1.txz:  Upgraded.
  This update fixes a buffer overflow in the mysql command line client which
  may allow malicious or compromised database servers to cause a denial of
  service (crash) and possibly execute arbitrary code via a long server
  version string.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
  (* Security fix *)
d/kernel-headers-3.10.30-x86-1.txz:  Upgraded.
k/kernel-source-3.10.30-noarch-1.txz:  Upgraded.
  These are new kernels that fix CVE-2014-0038, a bug that can allow local
  users to gain a root shell.
  Be sure to reinstall LILO (run "lilo" as root) after upgrading the kernel
  packages, or on UEFI systems, copy the appropriate kernel to
  /boot/efi/EFI/Slackware/vmlinuz).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
  (* Security fix *)
n/gnutls-3.1.21-x86_64-1.txz:  Upgraded.
  This update fixes a flaw where a version 1 intermediate certificate would be
  considered as a CA certificate by GnuTLS by default.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
  (* Security fix *)
xap/mozilla-firefox-27.0.1-x86_64-1.txz:  Upgraded.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
+--------------------------+

Thu Feb 27 20:43:28 UTC 2014
d/subversion-1.7.16-x86_64-1.txz:  Upgraded.
  Fix denial of service bugs.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
  (* Security fix *)
+--------------------------+

Mon Mar  3 23:32:18 UTC 2014
n/gnutls-3.1.22-x86_64-1.txz:  Upgraded.
  Fixed a security issue where a specially crafted certificate could
  bypass certificate validation checks.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
  (* Security fix *)
+--------------------------+

Thu Mar  6 04:14:23 UTC 2014
ap/sudo-1.8.9p5-x86_64-1.txz:  Upgraded.
+--------------------------+

Tue Mar 11 07:06:18 UTC 2014
a/udisks-1.0.5-x86_64-1.txz:  Upgraded.
  This update fixes a stack-based buffer overflow when handling long path
  names.  A malicious, local user could use this flaw to create a
  specially-crafted directory structure that could lead to arbitrary code
  execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
a/udisks2-2.1.3-x86_64-1.txz:  Upgraded.
  This update fixes a stack-based buffer overflow when handling long path
  names.  A malicious, local user could use this flaw to create a
  specially-crafted directory structure that could lead to arbitrary code
  execution with the privileges of the udisks daemon (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
  (* Security fix *)
+--------------------------+

Fri Mar 14 00:44:48 UTC 2014
n/samba-4.1.6-x86_64-1.txz:  Upgraded.
  This update fixes two security issues:
  CVE-2013-4496:
  Samba versions 3.4.0 and above allow the administrator to implement
  locking out Samba accounts after a number of bad password attempts.
  However, all released versions of Samba did not implement this check for
  password changes, such as are available over multiple SAMR and RAP
  interfaces, allowing password guessing attacks.
  CVE-2013-6442:
  Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
  smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
  command options it will remove the existing ACL on the object being
  modified, leaving the file or directory unprotected.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442
  (* Security fix *)
+--------------------------+
Thu Mar 13 03:32:38 UTC 2014
n/mutt-1.5.23-x86_64-1.txz:  Upgraded.
  This update fixes a buffer overflow where malformed RFC2047 header
  lines could result in denial of service or potentially the execution
  of arbitrary code as the user running mutt.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
  (* Security fix *)
+--------------------------+

Sun Mar 16 02:52:28 UTC 2014
n/php-5.4.26-x86_64-1.txz:  Upgraded.
  This update fixes a flaw where a specially crafted data file may cause a
  segfault or 100% CPU consumption when a web page uses fileinfo() on it.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
  (* Security fix *)
+--------------------------+

Fri Mar 28 03:43:11 UTC 2014
l/mozilla-nss-3.16-x86_64-1.txz:  Upgraded.
  This update fixes a security issue:
  The cert_TestHostName function in lib/certdb/certdb.c in the  
  certificate-checking implementation in Mozilla Network Security Services
  (NSS) before 3.16 accepts a wildcard character that is embedded in an
  internationalized domain name's U-label, which might allow man-in-the-middle
  attackers to spoof SSL servers via a crafted certificate.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
  (* Security fix *)
l/seamonkey-solibs-2.25-x86_64-1.txz:  Upgraded.
n/curl-7.36.0-x86_64-1.txz:  Upgraded.
  This update fixes four security issues.
  For more information, see:
    http://curl.haxx.se/docs/adv_20140326A.html
    http://curl.haxx.se/docs/adv_20140326B.html
    http://curl.haxx.se/docs/adv_20140326C.html
    http://curl.haxx.se/docs/adv_20140326D.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1263
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2522
  (* Security fix *)
n/httpd-2.4.9-x86_64-1.txz:  Upgraded.
  This update addresses two security issues.
  Segfaults with truncated cookie logging. mod_log_config:  Prevent segfaults
    when logging truncated cookies.  Clean up the cookie logging parser to
    recognize only the cookie=value pairs, not valueless cookies.
  mod_dav:  Keep track of length of cdata properly when removing leading
    spaces. Eliminates a potential denial of service from specifically crafted
    DAV WRITE requests.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
  (* Security fix *)
n/openssh-6.6p1-x86_64-1.txz:  Upgraded.
  This update fixes a security issue when using environment passing with
  a sshd_config(5) AcceptEnv pattern with a wildcard.  OpenSSH could be
  tricked into accepting any environment variable that contains the
  characters before the wildcard character.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
  (* Security fix *)
n/tin-2.2.0-x86_64-1.txz:  Upgraded.
xap/mozilla-firefox-28.0-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
xap/mozilla-thunderbird-24.4.0-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
xap/seamonkey-2.25-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
+--------------------------+

Mon Mar 31 20:30:28 UTC 2014
l/apr-1.5.0-x86_64-1.txz:  Upgraded.
l/apr-util-1.5.3-x86_64-1.txz:  Upgraded.
n/httpd-2.4.9-x86_64-2.txz:  Rebuilt.
  Recompiled against new apr/apr-util to restore missing mod_mpm_event.so.
+--------------------------+

Tue Apr  8 14:19:51 UTC 2014
a/openssl-solibs-1.0.1g-x86_64-1.txz:  Upgraded.
n/openssl-1.0.1g-x86_64-1.txz:  Upgraded.
  This update fixes two security issues:
  A missing bounds check in the handling of the TLS heartbeat extension
  can be used to reveal up to 64k of memory to a connected client or server.
  Thanks for Neel Mehta of Google Security for discovering this bug and to
  Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
  preparing the fix.
  Fix for the attack described in the paper "Recovering OpenSSL
  ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
  by Yuval Yarom and Naomi Benger. Details can be obtained from:
  http://eprint.iacr.org/2014/140
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
  (* Security fix *)
+--------------------------+

Mon Apr 21 20:09:48 UTC 2014
l/libyaml-0.1.6-x86_64-1.txz:  Upgraded.
  This update fixes a heap overflow in URI escape parsing of YAML in Ruby,
  where a specially crafted string could cause a heap overflow leading to
  arbitrary code execution.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
    https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
  (* Security fix *)
n/php-5.4.27-x86_64-1.txz:  Upgraded.
  This update fixes a security issue in the in the awk script detector
  which allows context-dependent attackers to cause a denial of service
  (CPU consumption) via a crafted ASCII file that triggers a large amount
  of backtracking.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
  (* Security fix *)
+--------------------------+

Tue Apr 22 17:31:48 UTC 2014
a/bash-4.3.011-x86_64-1.txz:  Upgraded.
a/gawk-4.1.1-x86_64-1.txz:  Upgraded.
a/grep-2.18-x86_64-1.txz:  Upgraded.
ap/vim-7.4.258-x86_64-1.txz:  Upgraded.
n/openssh-6.6p1-x86_64-2.txz:  Rebuilt.
  Fixed a bug with curve25519-sha256 that caused a key exchange failure in
  about 1 in 512 connection attempts.
xap/vim-gvim-7.4.258-x86_64-1.txz:  Upgraded.
+--------------------------+

Tue Apr 29 23:35:59 UTC 2014
ap/screen-4.2.1-x86_64-1.txz:  Upgraded.
l/qt-4.8.6-x86_64-1.txz:  Upgraded.
xap/mozilla-firefox-29.0-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefox.html
  (* Security fix *)
xap/mozilla-thunderbird-24.5.0-x86_64-1.txz:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
  (* Security fix *)
+--------------------------+

Fri May  9 01:47:42 UTC 2014
a/glibc-solibs-2.19-x86_64-1.txz:  Upgraded.
a/glibc-zoneinfo-2014b-noarch-1.txz:  Upgraded.
a/kernel-firmware-20140506git-noarch-1.txz:  Upgraded.
a/kernel-generic-3.14.3-x86_64-1.txz:  Upgraded.
a/kernel-huge-3.14.3-x86_64-1.txz:  Upgraded.
a/kernel-modules-3.14.3-x86_64-1.txz:  Upgraded.
d/binutils-2.24.51.0.3-x86_64-1.txz:  Upgraded.
d/gcc-4.8.2-x86_64-2.txz:  Rebuilt.
  Include libiberty.a since that's no longer in the binutils package.
d/gcc-g++-4.8.2-x86_64-2.txz:  Rebuilt.
d/gcc-gfortran-4.8.2-x86_64-2.txz:  Rebuilt.
d/gcc-gnat-4.8.2-x86_64-2.txz:  Rebuilt.
d/gcc-go-4.8.2-x86_64-2.txz:  Rebuilt.
d/gcc-java-4.8.2-x86_64-2.txz:  Rebuilt.
d/gcc-objc-4.8.2-x86_64-2.txz:  Rebuilt.
d/kernel-headers-3.14.3-x86-1.txz:  Upgraded.
d/oprofile-0.9.7-x86_64-5.txz:  Rebuilt.
k/kernel-source-3.14.3-noarch-1.txz:  Upgraded.
l/glibc-2.19-x86_64-1.txz:  Upgraded.
l/glibc-i18n-2.19-x86_64-1.txz:  Upgraded.
l/glibc-profile-2.19-x86_64-1.txz:  Upgraded.
n/libnftnl-1.0.1-x86_64-1.txz:  Added.
n/nftables-0.2-x86_64-1.txz:  Added.
extra/bash-completion/bash-completion-2.1-noarch-2.txz:  Rebuilt.
  Patched to fix an issue with bash-4.3.  Thanks to ponce.
isolinux/initrd.img:  Rebuilt.
kernels/*:  Upgraded.
usb-and-pxe-installers/usbboot.img:  Rebuilt.
+--------------------------+

Mon May 12 02:24:36 UTC 2014
l/seamonkey-solibs-2.26-x86_64-1.txz:  Upgraded.
xap/mozilla-firefox-29.0.1-x86_64-1.txz:  Upgraded.
xap/seamonkey-2.26-x86_64-1.tx:  Upgraded.
  This update contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
  (* Security fix *)
+--------------------------+