FreeBSD Security Advisory FreeBSD-SA-19:08.rack
=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses
the notion of time, in addition to packet or sequence counts, to detect
losses for modern TCP implementations that support per-packet timestamps
and the selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK. Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists
to maintain state entries. A malicious attacker can cause the lists to grow
unbounded. This can cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU
by exploiting the inefficiency of traversing the potentially very large
RACK linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.

To determine if you are using RACK, check the
net.inet.tcp.functions_available sysctl. If it includes a line with "rack",
the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc
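The workaround in section IV and the source-patch procedure in section V of the advisory above, combined into one script. This is an added example, not the FreeBSD Project's own code: the two pure-text helpers parse a copy of the net.inet.tcp.functions_available listing (the sample rows in the test are constructed to match the FreeBSD 12 column layout "Stack  D  Alias  PCB count", where "*" in the D column marks the default stack); the live functions assume a FreeBSD 12 host with sysctl(8), kldunload(8), fetch(1), gpg and patch(1) on the PATH, and the sysctl name net.inet.tcp.functions_default used to switch the default stack back to "freebsd" is an assumption from the FreeBSD 12 stack-switching interface, not something the advisory states. The one behavioural difference from the advisory's steps is that the PGP check is made fail-closed: the patch is never applied when the detached signature does not verify.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-19:08.rack. Checks whether the optional
# RACK TCP stack is loaded (advisory section IV), unloads it if so, and fetches,
# verifies and applies the SA-19:08 patch without skipping the signature check
# (section V, option 2). Live parts assume a FreeBSD 12 host; the text helpers
# run anywhere so they can be exercised on captured sysctl output.

# rack_loaded_in LISTING
# Returns 0 if LISTING (the text of net.inet.tcp.functions_available) has a
# row whose stack name is "rack". The stack name is always the first field,
# whether or not the "*" default marker is present in the second column.
rack_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "rack" { found = 1 } END { exit !found }'
}

# rack_is_default_in LISTING
# Returns 0 if the "rack" row carries the "*" marker, i.e. new connections
# would use RACK. In that case kldunload usually needs -f, or the default
# stack has to be switched back first (the advisory's force-flag note).
rack_is_default_in() {
    printf '%s\n' "$1" | awk '$1 == "rack" && $2 == "*" { found = 1 } END { exit !found }'
}

# check_rack: live check on the running host, applying the section IV workaround.
check_rack() {
    listing=$(sysctl -n net.inet.tcp.functions_available 2>/dev/null) || {
        echo "net.inet.tcp.functions_available not present: not a FreeBSD host with pluggable TCP stacks" >&2
        return 2
    }
    if ! rack_loaded_in "$listing"; then
        echo "RACK is not loaded; this system is not affected by FreeBSD-SA-19:08.rack"
        return 0
    fi
    echo "RACK stack is loaded; applying the advisory workaround (kldunload tcp_rack)"
    if rack_is_default_in "$listing"; then
        # Assumed sysctl (FreeBSD 12 stack switching): point new connections
        # back at the base stack so the module can be unloaded.
        sysctl net.inet.tcp.functions_default=freebsd
    fi
    kldunload tcp_rack || kldunload -f tcp_rack
}

# fetch_verify_apply: section V, option 2, with the PGP check made fail-closed.
fetch_verify_apply() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch || return 1
    fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc || return 1
    # Refuse to apply anything whose detached signature does not verify
    # against a key already present in the local keyring.
    if ! gpg --verify rack.patch.asc rack.patch; then
        echo "PGP signature on rack.patch did not verify; not applying" >&2
        return 1
    fi
    (cd /usr/src && patch < "$workdir/rack.patch") || return 1
    echo "patch applied; now recompile, reinstall and reload the tcp_rack module"
}

# Usage: sh rack-sa.sh check | patch   (no argument defines the functions only)
case "${1:-}" in
    check) check_rack ;;
    patch) fetch_verify_apply ;;
esac
```

Run `sh rack-sa.sh check` as root to apply the workaround, and `sh rack-sa.sh patch` after importing the FreeBSD security officer key to carry out section V option 2; after either, the advisory still requires the tcp_rack module to be rebuilt, reinstalled and reloaded.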
[SECURITY] [DSA 4447-2] intel-microcode security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4447-2                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
Jun 20, 2019                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091

DSA 4447-1 shipped updated CPU microcode for most types of Intel CPUs as
mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware vulnerabilities.
This update provides additional support for some Sandybridge server and
Core-X CPUs which were not covered in the original May microcode release.
For a list of specific CPU models now supported please refer to the
entries listed under CPUID 206D6 and 206D7 at
https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

For the stable distribution (stretch), these problems have been fixed in
version 3.20190618.1~deb9u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[slackware-security] bind (SSA:2019-171-01)
[slackware-security]  bind (SSA:2019-171-01)

New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix a denial-of-service security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/bind-9.11.8-i586-1_slack14.2.txz:  Upgraded.
  Fixed a race condition in dns_dispatch_getnext() that could cause an
  assertion failure if a significant number of incoming packets were rejected.
  For more information, see:
    https://kb.isc.org/docs/cve-2019-6471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6471
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.11.8-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.11.8-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.11.8-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.11.8-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bind-9.11.8-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bind-9.11.8-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.14.3-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.14.3-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
9607f8e5a02ddd973b611b132e27a18a  bind-9.11.8-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
7ca41b2cc7476a177d86efb8e0d635ca  bind-9.11.8-x86_64-1_slack14.0.txz

Slackware 14.1 package:
82fe22a0cd33f6401ea24ad0f2f4a3d3  bind-9.11.8-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
b5abf1923df6e5eeb88d3ef2764cf74c  bind-9.11.8-x86_64-1_slack14.1.txz

Slackware 14.2 package:
c94fa2993da21984d436c8f7e6a31478  bind-9.11.8-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
681a10d5b96c806146b68e15c785e073  bind-9.11.8-x86_64-1_slack14.2.txz

Slackware -current package:
27af9b7debe692841182193eb397e2da  n/bind-9.14.3-i586-1.txz

Slackware x86_64 -current package:
a8e742c791d996a68be9e687a50b8288  n/bind-9.14.3-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg bind-9.11.8-i586-1_slack14.2.txz

Then, restart the name server:
# /etc/rc.d/rc.bind restart

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
APPLE-SA-2019-6-20-1 AirPort Base Station Firmware Update 7.8.1
APPLE-SA-2019-6-20-1 AirPort Base Station Firmware Update 7.8.1

AirPort Base Station Firmware Update 7.8.1 is now available and
addresses the following:

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8581: Lucio Albornoz

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A remote attacker may be able to cause a system denial of
service
Description: A null pointer dereference was addressed with improved
input validation.
CVE-2019-8588: Vince Cali (@0x56)

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8578: Maxime Villard

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A remote attacker may be able to cause a system denial of
service
Description: A denial of service issue was addressed with improved
validation.
CVE-2019-8573: Maxime Villard

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A base station factory reset may not delete all user
information
Description: The issue was addressed with improved data deletion.
CVE-2019-8575: joshua stein

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: An attacker in a privileged position may be able to perform a
denial of service attack
Description: A denial of service issue was addressed with improved
memory handling.
CVE-2019-7291: Maxime Villard

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: Source-routed IPv4 packets may be unexpectedly accepted
Description: Source-routed IPv4 packets were disabled by default.
CVE-2019-8580: Maxime Villard

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme, and AirPort Time
Capsule base stations with 802.11n
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A null pointer dereference was addressed with improved
input validation.
CVE-2019-8572: Maxime Villard

Installation note:

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
[SECURITY] [DSA 4468-1] php-horde-form security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4468-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 21, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php-horde-form
CVE ID         : CVE-2019-9858
Debian Bug     : 930321

A path traversal vulnerability due to an unsanitized POST parameter was
discovered in php-horde-form, a package providing form rendering,
validation, and other functionality for the Horde Application Framework.
An attacker can take advantage of this flaw for remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.15-1+deb9u1.

We recommend that you upgrade your php-horde-form packages.

For the detailed security status of php-horde-form please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-form

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[slackware-security] mozilla-thunderbird (SSA:2019-172-02)
[slackware-security]  mozilla-thunderbird (SSA:2019-172-02)

New mozilla-thunderbird packages are available for Slackware 14.2 and -current
to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-60.7.2-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/60.7.2/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-thunderbird-60.7.2-i686-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-thunderbird-60.7.2-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-thunderbird-60.7.2-i686-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-thunderbird-60.7.2-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.2 package:
95587bb59373075e0de46848cd652835  mozilla-thunderbird-60.7.2-i686-1_slack14.2.txz

Slackware x86_64 14.2 package:
0ab1af7a774d9404791809e5af411f83  mozilla-thunderbird-60.7.2-x86_64-1_slack14.2.txz

Slackware -current package:
f82124e7256f53d092805e4e659821c9  xap/mozilla-thunderbird-60.7.2-i686-1.txz

Slackware x86_64 -current package:
056bbf7164f85dda82ffb8b2209d9ed5  xap/mozilla-thunderbird-60.7.2-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg mozilla-thunderbird-60.7.2-i686-1_slack14.2.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
[slackware-security] mozilla-firefox (SSA:2019-172-01)
[slackware-security]  mozilla-firefox (SSA:2019-172-01)

New mozilla-firefox packages are available for Slackware 14.2 and -current
to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-60.7.2esr-i686-1_slack14.2.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-firefox-60.7.2esr-i686-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-firefox-60.7.2esr-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-60.7.2esr-i686-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-60.7.2esr-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.2 package:
bd6b13b02c54a1dd8aea8e100beaff65  mozilla-firefox-60.7.2esr-i686-1_slack14.2.txz

Slackware x86_64 14.2 package:
c144e0ce3cc6c2526d0331ab540a4b35  mozilla-firefox-60.7.2esr-x86_64-1_slack14.2.txz

Slackware -current package:
43015adcaf219efa63358b795ee9558b  xap/mozilla-firefox-60.7.2esr-i686-1.txz

Slackware x86_64 -current package:
28afdd952e9f3b8fadab495b5e7e616d  xap/mozilla-firefox-60.7.2esr-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg mozilla-firefox-60.7.2esr-i686-1_slack14.2.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
[SECURITY] [DSA 4467-2] vim regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4467-2                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 23, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : vim
CVE ID         : CVE-2019-12735

The update for vim released as DSA 4467-1 introduced a regression which
broke syntax highlighting in some circumstances. Updated vim packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 8.0.0197-4+deb9u3.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/vim

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4469-1] libvirt security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4469-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 22, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2019-10161 CVE-2019-10167

Two vulnerabilities were discovered in Libvirt, a virtualisation
abstraction library, allowing an API client with read-only permissions to
execute arbitrary commands via the virConnectGetDomainCapabilities API, or
read or execute arbitrary files via the virDomainSaveImageGetXMLDesc API.

Additionally, libvirt's CPU map was updated to make addressing
CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 easier by supporting the
md-clear, ssbd, spec-ctrl and ibpb CPU features when picking CPU models,
without having to fall back to host-passthrough.

For the stable distribution (stretch), these problems have been fixed in
version 3.0.0-4+deb9u4.

We recommend that you upgrade your libvirt packages.

For the detailed security status of libvirt please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libvirt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4470-1] pdns security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4470-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 23, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2019-10162 CVE-2019-10163

Two vulnerabilities have been discovered in pdns, an authoritative DNS
server, which may result in denial of service via malformed zone records
and via excessive NOTIFY packets in a master/slave setup.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.3-1+deb9u5.

We recommend that you upgrade your pdns packages.

For the detailed security status of pdns please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pdns

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org