path: root/main
Commit message | Author | Age | Files | Lines
...
* main/expat: security upgrade to 2.2.0 (CVE-2016-5300, CVE-2012-6702)  [Natanael Copa | 2017-02-17 | 1 file | -13/+8]
    fixes #6890

* main/vim: security fixes #6864  [Sergey Lukin | 2017-02-16 | 2 files | -4/+39]
    CVE-2017-5953: Tree length values not validated properly when handling a spell file

* main/postfixadmin: security upgrade to 3.0.2 - fixes #6836  [Sergey Lukin | 2017-02-15 | 1 file | -15/+15]
    CVE-2017-5930: allows deleting protected aliases

* main/bind: security upgrade to 9.10.4_p6 - fixes #6830  [Sergey Lukin | 2017-02-15 | 1 file | -4/+6]
    CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash

* main/owncloud: upgrade to 9.0.8  [Leonardo Arena | 2017-02-13 | 1 file | -13/+13]

* main/postgresql: update to 9.5.6  [Jakub Jirutka | 2017-02-13 | 1 file | -4/+4]

* main/tcpdump: security upgrade to 4.9.0 - fixes #6813  [Sergey Lukin | 2017-02-09 | 1 file | -4/+49]
    CVE-2016-7922 (arbitrary code execution)
    CVE-2016-7923 (arbitrary code execution)
    CVE-2016-7924 (arbitrary code execution)
    CVE-2016-7925 (arbitrary code execution)
    CVE-2016-7926 (arbitrary code execution)
    CVE-2016-7927 (arbitrary code execution)
    CVE-2016-7928 (arbitrary code execution)
    CVE-2016-7929 (arbitrary code execution)
    CVE-2016-7930 (arbitrary code execution)
    CVE-2016-7931 (arbitrary code execution)
    CVE-2016-7932 (arbitrary code execution)
    CVE-2016-7933 (arbitrary code execution)
    CVE-2016-7934 (arbitrary code execution)
    CVE-2016-7935 (arbitrary code execution)
    CVE-2016-7936 (arbitrary code execution)
    CVE-2016-7937 (arbitrary code execution)
    CVE-2016-7938 (arbitrary code execution)
    CVE-2016-7939 (arbitrary code execution)
    CVE-2016-7940 (arbitrary code execution)
    CVE-2016-7973 (arbitrary code execution)
    CVE-2016-7974 (arbitrary code execution)
    CVE-2016-7975 (arbitrary code execution)
    CVE-2016-7983 (arbitrary code execution)
    CVE-2016-7984 (arbitrary code execution)
    CVE-2016-7985 (arbitrary code execution)
    CVE-2016-7986 (arbitrary code execution)
    CVE-2016-7992 (arbitrary code execution)
    CVE-2016-7993 (arbitrary code execution)
    CVE-2016-8574 (arbitrary code execution)
    CVE-2016-8575 (arbitrary code execution)
    CVE-2017-5202 (arbitrary code execution)
    CVE-2017-5203 (arbitrary code execution)
    CVE-2017-5204 (arbitrary code execution)
    CVE-2017-5205 (arbitrary code execution)
    CVE-2017-5341 (arbitrary code execution)
    CVE-2017-5342 (arbitrary code execution)
    CVE-2017-5482 (arbitrary code execution)
    CVE-2017-5483 (arbitrary code execution)
    CVE-2017-5484 (arbitrary code execution)
    CVE-2017-5485 (arbitrary code execution)
    CVE-2017-5486 (arbitrary code execution)

* main/wireshark: security upgrade to 2.0.10 - fixes #6824  [Sergey Lukin | 2017-02-08 | 1 file | -4/+8]
    CVE-2017-5596: ASTERIX infinite loop
    CVE-2017-5597: DHCPv6 large loop

* main/wavpack: security upgrade to 5.1.0 - fixes #6819  [Sergey Lukin | 2017-02-07 | 1 file | -4/+12]
    CVE-2016-10169: global buffer overread in read_code / read_words.c
    CVE-2016-10170: Heap out of bounds read in WriteCaffHeader / caff.c
    CVE-2016-10171: heap out of bounds read in unreorder_channels / wvunpack.c
    CVE-2016-10172: Heap out of bounds read in read_new_config_info / open_utils.c

* main/libevent: security fixes #6800  [Sergey Lukin | 2017-02-07 | 4 files | -9/+290]
    CVE-2016-10195: dns remote stack overread vulnerability
    CVE-2016-10196: (stack) buffer overflow in evutil_parse_sockaddr_port()
    CVE-2016-10197: out-of-bounds read in search_make_new()

* main/libarchive: security upgrade to 3.2.2 - fixes #6792  [Sergei Lukin | 2017-02-01 | 2 files | -4/+35]
    CVE-2017-5601: Out of bounds read in lha_read_file_header_1() function

* main/ansible: security upgrade to 2.1.4.0 - fixes #6784  [Sergei Lukin | 2017-02-01 | 1 file | -4/+9]
    CVE-2016-9587: host to controller command execution vulnerability

* main/lcms2: security upgrade to 2.8 - fixes #6779  [Sergei Lukin | 2017-02-01 | 2 files | -6/+35]
    CVE-2016-10165: Out-of-bounds read in Type_MLU_Read()

* main/libxpm: security upgrade to 3.5.12 - fixes #6752  [Sergey Lukin | 2017-01-31 | 1 file | -5/+10]
    CVE-2016-10164: Out-of-bounds write in XPM extension parsing

    libXpm 3.5.12 changes:
    https://lists.freedesktop.org/archives/xorg/2016-December/058537.html

* main/libgit2: fix checksums  [Leonardo Arena | 2017-01-27 | 1 file | -4/+7]

* main/libgit2: security upgrade to 0.24.6 - fixes #6741  [Sergey Lukin | 2017-01-27 | 2 files | -2/+24]
    CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
    CVE-2016-10129: smart_pkt: treat empty packet lines as error
    CVE-2016-10130: http: check certificate validity before clobbering the error variable
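The two smart_pkt fixes in the libgit2 0.24.6 entry above are both checks on the 4-byte hex length prefix of git's pkt-line framing, which counts itself. The reader below is an added example for this log, not libgit2's code: it refuses a length smaller than the prefix (the CVE-2016-10128 case, where `length - PKT_LEN_SIZE` underflows in unsigned C arithmetic), treats a line that is only its prefix as an error (CVE-2016-10129), and also bounds the length against the buffer. The 65520-byte ceiling is git's documented pkt-line maximum, and the sample packets are constructed.

```python
"""pkt-line reader carrying the two smart_pkt checks named in the libgit2
0.24.6 entry.  Added example for this log, not libgit2 code; the sample
packets below are constructed."""

PKT_LEN_SIZE = 4       # the ASCII-hex length prefix, which counts itself
PKT_MAX_LEN = 65520    # largest pkt-line git's protocol allows on the wire
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


class PktError(ValueError):
    """Raised for any pkt-line a hardened reader must refuse."""


def read_pkt(buf: bytes, pos: int = 0):
    """Parse one pkt-line at buf[pos]; return (kind, payload, next_pos).

    kind is "flush" for the "0000" marker and "data" otherwise.
    """
    prefix = buf[pos:pos + PKT_LEN_SIZE]
    if len(prefix) != PKT_LEN_SIZE:
        raise PktError("truncated length prefix")
    # int(..., 16) would accept whitespace and a sign; insist on hex digits
    if any(c not in HEX_DIGITS for c in prefix):
        raise PktError(f"non-hex length prefix {prefix!r}")
    length = int(prefix, 16)
    if length == 0:
        return "flush", b"", pos + PKT_LEN_SIZE
    # CVE-2016-10128: a length of 1..3 is shorter than the prefix it counts;
    # length - PKT_LEN_SIZE wraps to a huge size_t in C and reads out of bounds
    if length < PKT_LEN_SIZE:
        raise PktError(f"length {length} is smaller than its own prefix")
    # CVE-2016-10129: a line consisting only of its prefix carries no data
    if length == PKT_LEN_SIZE:
        raise PktError("empty pkt-line")
    if length > PKT_MAX_LEN:
        raise PktError(f"length {length} exceeds the pkt-line maximum")
    end = pos + length
    if end > len(buf):
        raise PktError("declared length runs past the end of the buffer")
    return "data", buf[pos + PKT_LEN_SIZE:end], end


def read_all(buf: bytes):
    """Split a buffer into [(kind, payload), ...], stopping at the buffer end."""
    out, pos = [], 0
    while pos < len(buf):
        kind, payload, pos = read_pkt(buf, pos)
        out.append((kind, payload))
    return out


def is_rejected(buf: bytes) -> bool:
    """True if the hardened reader refuses the buffer."""
    try:
        read_all(buf)
    except PktError:
        return True
    return False


def unchecked_payload_len_as_size_t(length: int) -> int:
    """What `length - PKT_LEN_SIZE` evaluates to in 64-bit unsigned C
    arithmetic when the CVE-2016-10128 check is absent (modelled here)."""
    return (length - PKT_LEN_SIZE) % (1 << 64)


# Constructed sample: a smart-HTTP service announcement followed by a flush
SAMPLE_OK = b"001e# service=git-upload-pack\n0000"
# Constructed malformed prefixes: shorter than itself, empty, overlong, non-hex
SAMPLE_BAD = [b"0002", b"0004", b"0010abc", b"00 8abcd", b"-001abcd"]

if __name__ == "__main__":
    print(read_all(SAMPLE_OK))
    for pkt in SAMPLE_BAD:
        print(pkt, "rejected" if is_rejected(pkt) else "ACCEPTED")
    print(hex(unchecked_payload_len_as_size_t(2)))
```

The order of the checks matters: the flush marker is recognised before the "smaller than prefix" test so `0000` stays valid, and the buffer-bounds test comes last because it only makes sense once the length itself is known to be sane.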
* main/tiff: security fixes #6735  [Sergey Lukin | 2017-01-27 | 2 files | -5/+81]
    CVE-2017-5225: Heap-buffer overflow in tools/tiffcp via crafted BitsPerSample value

* main/ca-certificates: upgrade to 20161130  [Sergei Lukin | 2017-01-26 | 1 file | -9/+10]
    ref #6528

* main/openssl: security upgrade to 1.0.2k  [Timo Teräs | 2017-01-26 | 1 file | -4/+10]
    - CVE-2017-3731
    - CVE-2017-3732
    - CVE-2016-7055

* main/bash: security fixes #6656  [Sergey Lukin | 2017-01-24 | 2 files | -1/+38]
    CVE-2016-9401

* main/mariadb: security upgrade to 10.1.21 - fixes #6719  [Sergey Lukin | 2017-01-24 | 1 file | -4/+19]
    CVE-2016-6664
    CVE-2017-3238
    CVE-2017-3243
    CVE-2017-3244
    CVE-2017-3257
    CVE-2017-3258
    CVE-2017-3265
    CVE-2017-3291
    CVE-2017-3312
    CVE-2017-3317
    CVE-2017-3318

* main/php5: upgrade to 5.6.30 (security fixes)  [Andy Postnikov | 2017-01-20 | 1 file | -4/+4]
    Security release http://php.net/archive/2017.php#id2017-01-19-3

* main/busybox: security fixes #6617  [Sergey Lukin | 2017-01-18 | 2 files | -5/+55]
    CVE-2016-6301: NTP server denial of service flaw

* main/libvncserver: security fixes #6639  [Sergey Lukin | 2017-01-18 | 3 files | -4/+125]
    CVE-2016-9941: Heap-based buffer overflow in rfbproto.c
    CVE-2016-9942: Heap-based buffer overflow in ultra.c

* main/irssi: security upgrade to 0.8.21 - fixes #6692  [Sergey Lukin | 2017-01-18 | 1 file | -4/+13]
    CVE-2017-5193: A NULL pointer dereference in the nickcmp function.
    CVE-2017-5194: Use after free when receiving invalid nick message.
    CVE-2017-5356: Out of bounds read when printing the value.
    CVE-2017-5195: Out of bounds read in certain incomplete control codes.
    CVE-2017-5196: Out of bounds read in certain incomplete character sequences.

* main/subversion: security upgrade to 1.9.5 (CVE-2016-8734)  [Natanael Copa | 2017-01-13 | 1 file | -4/+4]
    fixes #6648

* main/php5-phpmailer: security upgrade to 5.2.4 - fixes #6624  [Sergei Lukin | 2017-01-13 | 2 files | -9/+92]
    CVE-2016-10033
    CVE-2016-10045

    Issues were fixed in 5.2.18 and 5.2.20
    However, there were major changes between 5.2.0 and 5.2.20
    https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

    5.2.0 is NOT AVAILABLE anymore for download
    Next available version is 5.2.4
    https://github.com/PHPMailer/PHPMailer/releases?after=v5.2.5
    (not sure if there were major changes between 5.2.0 and 5.2.4)

    This upgrade contains a patch which is based on 2 commits containing the fix for CVE-2016-10045 and CVE-2016-10033:
    https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
    https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
    These commits were adjusted to 5.2.4

* main/bind: security upgrade to 9.10.4_p5 - fixes #6677  [Sergei Lukin | 2017-01-13 | 1 file | -8/+15]
    CVE-2016-9131: A malformed response to an ANY query can cause an assertion failure during recursion
    CVE-2016-9147: An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
    CVE-2016-9444: An unusually-formed DS record response could cause an assertion failure

* main/tiff: security upgrade to 4.0.7 - fixes #6665  [Sergey Lukin | 2017-01-13 | 10 files | -727/+31]
    Fixes:
    CVE-2016-9273: heap-buffer-overflow in cpStrips
    CVE-2016-9297: segfault in _TIFFPrintField
    CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
    CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
    CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
    CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool
    CVE-2016-3622: Divide By Zero in the tiff2rgba tool
    CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool
    CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool
    CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c
    CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes
    CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
      Bugzilla supposes that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661) which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1)
    CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function
    CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function
    CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow

    TODO:
    CVE-2016-5318: Memory corruption in _TIFFVGetField (thumbnail) remains unfixed still (http://bugzilla.maptools.org/show_bug.cgi?id=2561)
      because of that #6661 could not be marked as fixed

    Comments:
    4.0.7 contains lots of fixes:
    http://libtiff.maptools.org/v4.0.7.html
    https://fossies.org/diffs/tiff/4.0.6_vs_4.0.7/ChangeLog-diff.html
    There is only one major change mentioned:
      The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution. These tools were written in the late 1980s and early 1990s for test and demonstration purposes. In some cases the tools were never updated to support updates to the file format, or the file formats are now rarely used. In all cases these tools increased the libtiff security and maintenance exposure beyond the value offered by the tool.
      http://libtiff.maptools.org/v4.0.7.html

    Patches:
    CVE-2015-7554.patch, CVE-2015-8665.patch, CVE-2015-8668.patch, CVE-2015-8781-8782-8783.patch, CVE-2015-8784.patch, CVE-2016-3632.patch, CVE-2016-3945.patch, CVE-2016-3990.patch, CVE-2016-3991.patch are not needed anymore, because these issues were fixed in 4.0.7

* main/curl: security upgrade to 7.52.1 - fixes #6599  [Sergey Lukin | 2017-01-09 | 1 file | -5/+11]
    CVE-2016-9594: uninitialized random
    CVE-2016-9586: printf floating point buffer overflow
    CVE-2016-9952: Win CE schannel cert wildcard matches too much
    CVE-2016-9953: Win CE schannel cert name out of buffer read
    https://curl.haxx.se/changes.html

* main/pcsc-lite: security upgrade to 1.8.20 (CVE-2016-10109)  [Timo Teräs | 2017-01-06 | 2 files | -31/+10]
    fixes #6631
    remove unneeded patch (upstream fixed issue)

* main/pcsc-lite: keep libpcsclite.so in -libs  [Timo Teräs | 2017-01-06 | 1 file | -2/+10]
    fixes #3236
    fixes #6392

* main/pcsc-lite: upgrade to 1.8.18  [Timo Teräs | 2017-01-06 | 2 files | -65/+16]
    fix pcscd capabilities

* main/ssh-getkey-ldap: upgrade to 0.1.2  [Jakub Jirutka | 2017-01-04 | 1 file | -4/+4]

* main/samba: security fixes #6559  [Sergey Lukin | 2016-12-30 | 2 files | -1/+212]
    CVE-2016-2123: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
    https://www.samba.org/samba/security/CVE-2016-2123.html
    CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
    https://www.samba.org/samba/security/CVE-2016-2125.html
    CVE-2016-2126: Flaws in Kerberos PAC validation can trigger privilege elevation
    https://www.samba.org/samba/security/CVE-2016-2126.html
    https://www.samba.org/samba/history/security.html

* main/phpmyadmin: security upgrade to 4.6.5.2 - fixes #6596  [Sergey Lukin | 2016-12-30 | 1 file | -4/+27]
    CVE-2016-9847: Unsafe generation of blowfish secret
    CVE-2016-9848: phpinfo information leak value of sensitive (HttpOnly) cookies
    CVE-2016-9849: Username deny rules bypass (AllowRoot & Others) by using Null Byte
    CVE-2016-9850: Username rule matching issues
    CVE-2016-9851: With a crafted request parameter value it is possible to bypass the logout timeout.
    CVE-2016-9852 CVE-2016-9853 CVE-2016-9854 CVE-2016-9855: Multiple full path disclosure vulnerabilities
    CVE-2016-9856 CVE-2016-9857: Multiple XSS vulnerabilities
    CVE-2016-9858 CVE-2016-9859 CVE-2016-9860: We consider these vulnerabilities to be of moderate severity.
    CVE-2016-9861: Bypass white-list protection for URL redirection
    CVE-2016-9862: BBCode injection vulnerability
    CVE-2016-9863: DOS vulnerability in table partitioning
    CVE-2016-9864: Multiple SQL injection vulnerabilities
    CVE-2016-9865: Incorrect serialized string parsing
    CVE-2016-9866: CSRF token not stripped from the URL

    Jumping through 3 versions: 4.6.5, 4.6.5.1, 4.6.5.2
    These upgrades do not contain major changes:
    https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/
    https://www.phpmyadmin.net/news/2016/11/26/phpmyadmin-4651-released/
    https://www.phpmyadmin.net/news/2016/12/5/phpmyadmin-4652-released/

* main/squid: security upgrade to 3.5.23 - fixes #6580  [Sergey Lukin | 2016-12-29 | 1 file | -7/+13]
    CVE-2016-10002: Information disclosure in HTTP Request processing.
    CVE-2016-10003: Information disclosure in Collapsed Forwarding.

    There were no major changes from 3.5.20 to 3.5.23
    http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_21.html
    http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_22.html
    http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_23.html

* main/openssh: security fixes #6584  [Sergey Lukin | 2016-12-29 | 7 files | -4/+369]
    CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent
    CVE-2016-10010: privilege escalation via Unix domain socket forwarding
    CVE-2016-10011: Leak of host private key material to privilege-separated child process via realloc()
    CVE-2016-10012: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support

* main/xen: security fixes #6571  [Sergey Lukin | 2016-12-29 | 4 files | -1/+179]
    CVE-2016-10024, XSA-202: x86 PV guests may be able to mask interrupts
    http://xenbits.xen.org/xsa/advisory-202.html
    CVE-2016-10025, XSA-203: x86: missing NULL pointer check in VMFUNC emulation
    http://xenbits.xen.org/xsa/advisory-203.html
    CVE-2016-10013, XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
    http://xenbits.xen.org/xsa/advisory-204.html

* main/icu: APKBUILD track secfixes  [Leonardo Arena | 2016-12-27 | 1 file | -0/+2]
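The "track secfixes" entry above refers to the `# secfixes:` comment block that aports APKBUILDs carry to record which package version fixed which CVE. As an added example, not aports tooling, the script below parses that block (YAML inside shell comments: a version key ending in a colon, then `- ` items, ending at the first non-comment line) and diffs it against the CVE ids named in a commit message, so an upgrade like the expat one at the top of this log is flagged if its APKBUILD was not updated to match. The APKBUILD excerpt and the commit subject are constructed for the example.

```python
"""Check a package's '# secfixes:' block against the CVE ids named in a
commit message.  Added example for this log, not aports tooling; the
APKBUILD excerpt and commit message below are constructed."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_secfixes(apkbuild_text: str) -> dict:
    """Return {"<pkgver>-r<pkgrel>": [entry, ...]} from the '# secfixes:'
    comment block of an APKBUILD.  A version key ends in ':', each fix is a
    '- ' item beneath it, and the block ends at the first non-comment line."""
    fixes, current, in_block = {}, None, False
    for raw in apkbuild_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "# secfixes:"
            continue
        if not line.startswith("#"):
            break
        body = line[1:].strip()
        if not body:
            continue
        if body.endswith(":"):
            current = body[:-1]
            fixes.setdefault(current, [])
        elif body.startswith("- ") and current is not None:
            fixes[current].append(body[2:].strip())
        else:
            raise ValueError(f"malformed secfixes line: {raw!r}")
    return fixes


def cves_in(text: str) -> set:
    """All CVE ids mentioned in text, normalised to upper case and deduplicated."""
    return {m.upper() for m in CVE_RE.findall(text)}


def tracked_cves(apkbuild_text: str) -> dict:
    """Map each CVE id in the secfixes block to the version recorded as fixing it."""
    tracked = {}
    for version, entries in parse_secfixes(apkbuild_text).items():
        for entry in entries:
            for cve in cves_in(entry):
                tracked[cve] = version
    return tracked


def untracked_cves(apkbuild_text: str, commit_message: str) -> list:
    """CVE ids the commit message claims fixed that the secfixes block omits."""
    return sorted(cves_in(commit_message) - set(tracked_cves(apkbuild_text)))


# Constructed APKBUILD excerpt: records only one of the two ids the expat
# commit subject names, so the check below has something to report
SAMPLE_APKBUILD = """\
pkgname=expat
pkgver=2.2.0
pkgrel=0

# secfixes:
#   2.2.0-r0:
#     - CVE-2016-5300
"""
# Constructed commit subject, modelled on the expat entry in this log
SAMPLE_COMMIT = "main/expat: security upgrade to 2.2.0 (CVE-2016-5300,CVE-2012-6702)"

if __name__ == "__main__":
    print("tracked:", tracked_cves(SAMPLE_APKBUILD))
    print("untracked:", untracked_cves(SAMPLE_APKBUILD, SAMPLE_COMMIT))
```

The comparison is deliberately one-directional: a secfixes block may legitimately list ids the commit message does not mention (fixes recorded in earlier releases), so only ids claimed in the message but absent from the block are reported.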
* main/icu: security fix (CVE-2016-7415). Fixes #6549  [Leonardo Arena | 2016-12-27 | 2 files | -4/+186]

* main/tiff: security fixes #6010  [Sergey Lukin | 2016-12-26 | 7 files | -9/+384]
    CVE-2015-7554, CVE-2015-8668, CVE-2016-3945, CVE-2016-3632, CVE-2016-3990, CVE-2016-3991

* main/ffmpeg2.8: security upgrade to 2.8.10  [Daniel Sabogal | 2016-12-26 | 1 file | -4/+4]
    2.8.9
    CVE-2016-7502
    CVE-2016-7785
    CVE-2016-7905
    CVE-2016-7562

    2.8.8
    CVE-2016-6164
    CVE-2016-6881
    CVE-2016-7122
    CVE-2016-7450

    (cherry picked from commit 00a2dbef659f87f6897cbdd299719f64a679bdcf)

* main/openjpeg: security fixes (CVE-2016-9580, CVE-2016-9581). Fixes #6566  [Francesco Colista | 2016-12-22 | 2 files | -22/+258]

* main/zabbix: upgrade to 3.0.7  [Leonardo Arena | 2016-12-21 | 1 file | -4/+4]

* main/python3: backport upstream fix for getrandom  [Natanael Copa | 2016-12-20 | 2 files | -5/+268]
    upstream bug report: https://bugs.python.org/issue27955

    (cherry picked from commit ddfa383303714cbd8ad18f447924678a7fabbcc9)

* main/vim: security fix (CVE-2016-1248). Fixes #6501  [Leonardo Arena | 2016-12-20 | 2 files | -4/+106]
    (cherry picked from commit 39df8950b2072203f0c6afec938c35be8d28be51)

* main/xen: security fixes. Fixes #6541  [Leonardo Arena | 2016-12-20 | 6 files | -1/+545]
    CVE-2016-9932
    CVE-2016-9815
    CVE-2016-9816
    CVE-2016-9817
    CVE-2016-9818

    (cherry picked from commit 3b5fa3b170637b8149c63d415d3a42c638b8b71a)

* main/libass: security upgrade to 0.13.4. Fixes #6536  [Leonardo Arena | 2016-12-20 | 1 file | -4/+12]
    CVE-2016-7969
    CVE-2016-7970
    CVE-2016-7971
    CVE-2016-7972

    (cherry picked from commit 8887c484286e50ad0cf41a47ffe52f2954ec7921)

* main/libgsf: security upgrade to 1.14.41 (CVE-2016-9888). Fixes #6555  [Leonardo Arena | 2016-12-20 | 1 file | -3/+9]
    (cherry picked from commit cf24cc64fbe2e718b0bee91cc486ca9071a87ddf)