[slackware-security] Slackware 14.2 kernel (SSA:2019-238-01)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [slackware-security] Slackware 14.2 kernel (SSA:2019-238-01) New kernel packages are available for Slackware 14.2 to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--+ patches/packages/linux-4.4.190/*: Upgraded. These updates fix various bugs and a minor local denial-of-service security issue. They also change this option: FANOTIFY_ACCESS_PERMISSIONS n -> y This is needed by on-access virus scanning software. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see: Fixed in 4.4.190: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20961 (* Security fix *) +--+ Where to find the new packages: +-+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated packages for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-firmware-20190821_c0fb3d9-noarch-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-generic-4.4.190-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-generic-smp-4.4.190_smp-i686-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-headers-4.4.190_smp-x86-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-huge-4.4.190-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-huge-smp-4.4.190_smp-i686-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-modules-4.4.190-i586-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-modules-smp-4.4.190_smp-i686-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.190/kernel-source-4.4.190_smp-noarch-1.txz Updated packages for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-firmware-20190821_c0fb3d9-noarch-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-generic-4.4.190-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-headers-4.4.190-x86-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-huge-4.4.190-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-modules-4.4.190-x86_64-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.190/kernel-source-4.4.190-noarch-1.txz MD5 signatures: +-+ Slackware 14.2 packages: e6d93deb002a0851d04e31927750ab38 kernel-firmware-20190821_c0fb3d9-noarch-1.txz 9f2f5d68193192a02f1acd50961d7bf8 kernel-generic-4.4.190-i586-1.txz fd8df419fd9bb18eaa024f3b283fe3d9 kernel-generic-smp-4.4.190_smp-i686-1.txz 1321b644dcb1885940bb77227e3fa7f4 kernel-headers-4.4.190_smp-x86-1.txz 784aaadf0689e6fba438a2b17eb7bee8 kernel-huge-4.4.190-i586-1.txz e4aba4622501579386773c053a8fe881 kernel-huge-smp-4.4.190_smp-i686-1.txz 18a3e5ec95a00cca03c9a6998b0970ee kernel-modules-4.4.190-i586-1.txz 5718428fc20cf09a60c7dd4106f960c8 kernel-modules-smp-4.4.190_smp-i686-1.txz b90f8185ba89e2c2ad5ac81733977376 kernel-source-4.4.190_smp-noarch-1.txz Slackware x86_64 14.2 packages: e6d93deb002a0851d04e31927750ab38 kernel-firmware-20190821_c0fb3d9-noarch-1.txz 8608bffca8687e5be1c3c2e80e268e77 kernel-generic-4.4.190-x86_64-1.txz 7e1f2e3cb09ed5f357ae461713a398f1 kernel-headers-4.4.190-x86-1.txz daa8f51d8d6f050791694d53575d7c6b kernel-huge-4.4.190-x86_64-1.txz 0d389d5a64ab573d567991d9eba7a235 kernel-modules-4.4.190-x86_64-1.txz 9d92130a6d4906c5a30dab0950a28416 kernel-source-4.4.190-noarch-1.txz Installation instructions: ++ Upgrade the packages as root: # upgradepkg kernel-*.txz If you are using an initrd, you'll need to rebuild it. For a 32-bit SMP machine, use this command (substitute the appropriate kernel version if you are not running Slackware 14.2): # /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.190-smp | bash For a 64-bit machine, or a 32-bit uniprocessor machine, use this command (substitute the appropriate kernel version if you are not running Slackware 14.2): #
[SECURITY] [DSA 4509-1] apache2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4509-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 26, 2019 https://www.debian.org/security/faq - - Package: apache2 CVE ID : CVE-2019-9517 CVE-2019-10081 CVE-2019-10082 CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2019-9517 Jonathan Looney reported that a malicious client could perform a denial of service attack (exhausting h2 workers) by flooding a connection with requests and basically never reading responses on the TCP connection. CVE-2019-10081 Craig Young reported that HTTP/2 PUSHes could lead to an overwrite of memory in the pushing request's pool, leading to crashes. CVE-2019-10082 Craig Young reported that the HTTP/2 session handling could be made to read memory after being freed, during connection shutdown. CVE-2019-10092 Matei "Mal" Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page. CVE-2019-10097 Daniel McCarney reported that when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. The issue does not affect the stretch release. CVE-2019-10098 Yukitsugu Sasaki reported a potential open redirect vulnerability in the mod_rewrite module. For the oldstable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u8. For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u1. We recommend that you upgrade your apache2 packages. For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1kODxfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RAEw/+OaEyxK9D+s1uIin5SkmJJ4buicbeEwh6Qwn03SCj5RYW+PbGaW67dSZN qcTGyJqU2YrY3y75q0S5V6GBvcg1+QRCbTAlZhUwALGmMpnfkPhn3q6uUXY8511i tZhKZYQa5ZVnpcDH2IF1EP+ilwK4q2uzMh1Wpz79PWLitWhk5dNMtjcjJ+KXP15C oOs3aeHheAkLGKE8drgLpYRSgx3ccD9i7lts6gr/uAJOW7pvQoY+SDOZvceU6/0A GIjOO56hw1tW6qkbDiG/sCYncVv6ZKTVsjhBJabw55kaIrReSnEMiWjqkV4BhCBF JjsewEBYZMV7DC+gkHKRoHHrSrI6gLYAFuTREXAjnf6fsPoVgX8hYkZ0QqH7F5zX dgSV7wpjjFzDb/iPkkncKJS1h11GlrM/6VhT1cr/6ZlHvqSAWlz0OUseRA9ii6Le jVxFTb7EAGsrEzK9SPhA/IbvIBj1UPQhjEgIthfImw4S+M5q40Oh0oKW+/FgzMqH LarHY+jQcOuGxE7T6EK4gozGxpLvpRhg8NcCzL/Vnst5JW7vr/F4R3H1NFk579tS RcXuBUy8+DkKecawPgP05zPxrhuAFIi89TkEMX3LyyA/Kn0KX+2KXabQll9Q2KYz Cn5eimlukcxKmWUxA3cJggcDj/80YgxE6wmFqHPtI/8Sx4XN0pY= =v6GC -END PGP SIGNATURE-
APPLE-SA-2019-8-26-3 tvOS 12.4.1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-8-26-3 tvOS 12.4.1 tvOS 12.4.1 is now available and addresses the following: Kernel Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8605: Ned Williamson working with Google Project Zero Additional recognition Kernel We would like to acknowledge @Pwn20wnd for their assistance. Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFfgACgkQBz4uGe3y 0M3LxxAAhd3dNmgTWTjyWFi43axxWCPBHVudzGWrMFACG4l9025YmqW/A73kO9Jo j/jEonLUCXzJCzc9bb5t/Mem5Ti1wpHM/HpZ8lpubCU07T4old5N6cAcwVg95YMC U8xnKBucXTuf3CXk9FUUamDj5RPm9jTzgSQpDvwytMoKjXkaXdN1dTZB4MxTLHg5 tBFTMiIcw7IuI7+DYExTbe71ScLT+JCuShoI9b666B0OjiaBC5mNSj1VJTC5583J MwgoFK/KP/5T9uIXOqz+sjvcDlTOL6Y6sR78kEwggHTQT1NyAxlck+ht3e9oZzqG cqe6fJnduYPm4bHJpx2SYqzPrf+2xKzYm0up/thuiQ4SxixsUbC1uljec/zkm4e4 v3jxGYtsckbfjQjRCvXIWKDmtqDPqA0dvRGkNEO+oEsP0YoY1a3SFpgVbq1Cpm89 RkR+/XRa51LQ7+/2xxrHrOeIyJUcm+RRiaME+79umJ8kuNuAlVtqIyqLBqaT5hyd jteN6pQz2wKHuiectT5AUSQVNNIcFkeEPl6/o4SOeqokQ8zCYSoWn4jAo3U+cpg3 PpYSKrL+fOEGaa82oAUKaEJvOuMM85CTNVmsioMfaPRPSs5K2+4AXshAzckHpNcn I5ps+5DrSU8qWG/NodcryDArxIchO8aBTSH9DkUVGBeN6L4+E+A= =U5HO -END PGP SIGNATURE-
APPLE-SA-2019-8-26-2 macOS Mojave 10.14.6 Supplemental Update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-8-26-2 macOS Mojave 10.14.6 Supplemental Update macOS Mojave 10.14.6 Supplemental Update is now available and addresses the following: Kernel Available for: macOS Mojave 10.14.6 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8605: Ned Williamson working with Google Project Zero Additional recognition Kernel We would like to acknowledge @Pwn20wnd for their assistance. Installation note: macOS Mojave 10.14.6 Supplemental Update may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFfgACgkQBz4uGe3y 0M0cTw//dP4wrZN4RqKI/Jk4ogQb/N3xOBFhfmK+QStQP7NNslk8xMNQ/N7kPTRn 2bUSMmTXOupXXdP1MgDa4wmti8SB/CfB8TmtPER0DUtiLoeTXv+/CIv/ZcdQOi1Y ICE9qBa+vcX++yifYZzhBBZ1sPFflAwUlG5khXzMjFGo58NkoWMT8atDlWB1KGSi 744GilS8PGO/Bw6MNlWmK4gZCSjx1e+bGF/BU+P2TvkSaB8s9GD70ECfj+9FECmU 9ZQE3n6+78KbM8S6UShSUsWRVtMiyfqavmopAgpZUBSqQ94jzUtqhWD+Q3DnR97p WdwIRuJjPxtf21YND9V61Sp/KY4Cf6IVAww5cUoUnTLcPQ0B17AT1qs3Fp+d4iGz V14YF1rDkbyaCEvIeDyOW8nig1IA07uo4zpH4RzwanjWQPd3BIw24IjvOjq9m18c rxiV6wqpPWNBaytwc/T50vWqK2EqFc1lNA/Azw7k+MxCcHLm0fP+B230JtNiu2nh bI8SlN/3i7FiUjR2GS6UaMlxCGIXlUsZa6eP6gB/DF03zSFhXMBEu94YZKd927+9 xQ6TypwG/9BBvAuhAvGwCyW5Y9VJBQHCYns9D9T+RWu3GrvlSlz0JtdRxnjSbNQn pu5zW/1Ltrb1qvnb1iWTFu6IiqOMYKDsGNwfc/Y35rN03QEywkI= =B+5n -END PGP SIGNATURE-
APPLE-SA-2019-8-26-1 iOS 12.4.1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 APPLE-SA-2019-8-26-1 iOS 12.4.1 iOS 12.4.1 is now available and addresses the following: Kernel Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8605: Ned Williamson working with Google Project Zero Additional recognition Kernel We would like to acknowledge @Pwn20wnd for their assistance. Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 12.4.1". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl1kFecACgkQBz4uGe3y 0M0DRw//YmdQNBN0iQqFZvvnlb4ytWimIXBJoSSDrNs3qzPeKncy50oZDczu8D8k yD8RmN/PPia4rRvTmkDE5XKgxyRCnCiwe3JkR3FZEfWaChAqJI9ietsLjkUF0noP M4cyUCXwveDRMqAierXSuKuwr3jgvzHtaFBrdrZYwcMMjlNRaKPMv3mkaMPnpPV/ 9os2uZU/zrXvcG8ptp/I8FqfvuXRik91b3F+BCO50jfubGOIakgUJhf+nBHoj/+D 1DORc00FAmd50CXA50s5sD+QNEcBtLo+orAYN+J37rQxYWoFbTYazZ/mTd/AfAiL +AZCajkZckDypZYCZWimxQtCY8+Nm+HgBp7Tj8a9vrG80ayD2Ze4aw1By9cUuDHN LZwa+a+aClhHzMzxEQWt74EW5z1XDm1ZdHCE6ME43xlwigYiJSMbJKasWvYqWFAo MTmwcKkm2tct1k8g94CLIYDKF6SxDMUkzLwo+YD5hKYSGUrlr0VSEGS/o6upyXS8 htO1N2ld6b84dSDRSsVUCXjxld8bvOkH7F8zjeGLKw3EMNbFsAIqysJSHs2sWtLN 5Mltwj8u2aiUo+ayf0RUY30UxZ8jhH1xEl3PyE2i+WzqsgEsEewjoF4m7KphuRil gVoCXuag6s24yNUboaoOB06Q7g/54ttni4ai7MSn0pzQJKapiSk= =QYKC -END PGP SIGNATURE-