Frugalware Let's make things frugal!
En Fr Es It

Frugalware Security Announcements (FSAs)

This is a list of security announcments that have been released for the current stable version of Frugalware
Package:libyaml
Date:2014-12-15
Posted by:kikadf
Vulnerable version:0.1.4-3arcturus2
Unaffected version:0.1.4-3arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130
Description:Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and emitter library.
Package:denyhosts
Date:2014-12-15
Posted by:kikadf
Vulnerable version:2.6-5
Unaffected version:2.6-6arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6890
Description:Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon.
Package:mediawiki
Date:2014-12-13
Posted by:kikadf
Vulnerable version:1.19.20-1arcturus1
Unaffected version:1.19.22-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9277
Description:A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy mangling allows an article editor to inject code into API consumers that deserialize PHP representations of the page from the API.
Package:links
Date:2014-12-12
Posted by:kikadf
Vulnerable version:2.7-1
Unaffected version:2.7-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6050
Description:Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser.
Package:pdns-recursor
Date:2014-12-12
Posted by:kikadf
Vulnerable version:3.3-8
Unaffected version:3.3-9arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8601
Description:Florian Maury from ANSSI discovered a flaw in pdns-recursor, a recursive DNS server : a remote attacker controlling maliciously-constructed zones or a rogue server could affect the performance of pdns-recursor, thus leading to resource exhaustion and a potential denial-of-service.
Package:graphviz
Date:2014-12-12
Posted by:kikadf
Vulnerable version:2.28.0-2arcturus2
Unaffected version:2.28.0-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157
Description:It was discovered that graphviz incorrectly handled parsing errors.
Package:bind
Date:2014-12-12
Posted by:kikadf
Vulnerable version:9.9.4-1arcturus1
Unaffected version:9.9.6-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
Description:Florian Maury discovered that Bind incorrectly handled delegation.
Package:xorg-server
Date:2014-12-11
Posted by:kikadf
Vulnerable version:1.14.2-2
Unaffected version:1.14.2-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
Description:Ilja van Sprundel discovered a multitude of security issues in the X.Org X server.
Package:qemu
Date:2014-12-10
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus7
Unaffected version:1.5.2-3arcturus8
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
Description:Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu, a fast processor emulator. Invalid migration stream can cause arbitrary qemu memory overwrite.
Package:pcre
Date:2014-12-10
Posted by:kikadf
Vulnerable version:8.32-1
Unaffected version:8.32-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
Description:Heap overflow while matching against an expression with an assertion with a zero minimum repeat as the condition in a conditional group.
Package:mod_wsgi
Date:2014-12-10
Posted by:kikadf
Vulnerable version:3.4-2arcturus1
Unaffected version:3.4-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583
Description:It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights.
Package:libksba
Date:2014-12-10
Posted by:kikadf
Vulnerable version:1.2.0-1
Unaffected version:1.2.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
Description:Hanno Böck discovered that Libksba incorrectly handled certain S/MIME messages or ECC based OpenPGP data.
Package:jasper
Date:2014-12-10
Posted by:kikadf
Vulnerable version:1.900.1-5
Unaffected version:1.900.1-6arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
Description:Two buffer overflows were discovered in JasPer, a library for handling JPEG-2000 images, which could lead to the execution of arbitrary code. Josh Duart of the Google Security Team discovered heap-based buffer overflow flaws in JasPer, a library for manipulating JPEG-2000 files, which could lead to denial of service (application crash) or the execution of arbitrary code.
Package:glibc
Date:2014-12-10
Posted by:kikadf
Vulnerable version:2.16.0-4arcturus1
Unaffected version:2.16.0-4arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
Description:Adhemerval Zanella Netto discovered that the GNU C Library incorrectly handled certain multibyte characters when using the iconv function. Tim Waugh discovered that the GNU C Library incorrectly enforced the WRDE_NOCMD flag when handling the wordexp function.
Package:dbus
Date:2014-12-10
Posted by:kikadf
Vulnerable version:1.6.8-10arcturus2
Unaffected version:1.6.8-10arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824
Description:It was discovered that DBus incorrectly handled a large number of file descriptor messages.
Package:tcpdump
Date:2014-12-06
Posted by:kikadf
Vulnerable version:4.4.0-2arcturus1
Unaffected version:4.4.0-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9140
Description:Buffer overflow in the PPP dissector.
Package:flac
Date:2014-12-06
Posted by:kikadf
Vulnerable version:1.2.1-3
Unaffected version:1.2.1-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028
Description:Michele Spagnuolo, of Google Security Team, and Miroslav Lichvar, of Red Hat, discovered two issues in flac, a library handling Free Lossless Audio Codec media: by providing a specially crafted FLAC file, an attacker could execute arbitrary code.
Package:openvpn
Date:2014-12-04
Posted by:kikadf
Vulnerable version:2.1.3-7arcturus1
Unaffected version:2.1.3-7arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
Description:Dragana Damjanovic discovered that an authenticated client could crash an OpenVPN server by sending a control packet containing less than four bytes as payload.
Package:clamav
Date:2014-11-29
Posted by:kikadf
Vulnerable version:0.98.1-1arcturus1
Unaffected version:0.98.5-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
Description:Kurt Seifried discovered that ClamAV incorrectly handled certain JavaScript files. Damien Millescamp discovered that ClamAV incorrectly handled certain PE files.
Package:wireshark
Date:2014-11-29
Posted by:kikadf
Vulnerable version:1.8.15-1arcturus1
Unaffected version:1.8.15-1arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8713 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8714
Description:Multiple vulnerabilities were discovered in the dissectors/parsers for SigComp UDVM, AMQP, NCP and TN5250, which could result in denial of service.
Package:tcpdump
Date:2014-11-24
Posted by:kikadf
Vulnerable version:4.4.0-1
Unaffected version:4.4.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8769
Description:Tcpdump program crash was reported when processing a malformed OLSR payload. The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bound accesses.
Package:ruby
Date:2014-11-24
Posted by:kikadf
Vulnerable version:1.9.2-2
Unaffected version:1.9.2-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090
Description:Off-by-one error in the encodes function in pack.c, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. Tomas Hoger discovered that Ruby incorrectly handled XML entity expansion.
Package:drupal6
Date:2014-11-24
Posted by:kikadf
Vulnerable version:6.33-1arcturus1
Unaffected version:6.34-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016
Description:Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion.
Package:drupal7
Date:2014-11-24
Posted by:kikadf
Vulnerable version:7.22-2arcturus5
Unaffected version:7.22-2arcturus6
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016
Description:Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion.
Package:graphicsmagick
Date:2014-11-21
Posted by:kikadf
Vulnerable version:1.3.18-1
Unaffected version:1.3.18-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947
Description:Buffer overflow when handling PSD images.
Package:python-3.0
Date:2014-11-21
Posted by:kikadf
Vulnerable version:3.3.0-2
Unaffected version:3.3.0-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
Description:The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs.
Package:python
Date:2014-11-21
Posted by:kikadf
Vulnerable version:2.7.5-2arcturus1
Unaffected version:2.7.5-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
Description:The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs.
Package:qemu
Date:2014-11-05
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus6
Unaffected version:1.5.2-3arcturus7
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
Description:A flaw was found in the way guest provided parameter validation was performed in vmware-vga driver in rectangle handling functionality. bits_per_pixel that are less than 8 could result in accessing non-initialized buffers later in the code due to the expectation that bytes_per_pixel value that is used to initialize these buffers is never zero.
Package:php
Date:2014-11-05
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus6
Unaffected version:5.3.26-2arcturus7
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
Description:Symeon Paraschoudis discovered that PHP incorrectly handled the mkgmtime function. Symeon Paraschoudis discovered that PHP incorrectly handled unserializing objects. Otto Ebeling discovered that PHP incorrectly handled the exif_thumbnail function. Francisco Alonso that PHP incorrectly handled ELF files in the fileinfo extension.
Package:dokuwiki
Date:2014-11-05
Posted by:kikadf
Vulnerable version:2012_10_13-1
Unaffected version:2014_09_29-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8764
Description:Two vulnerabilities have been discovered in dokuwiki. Access control in the media manager was insufficiently restricted and authentication could be bypassed when using Active Directory for LDAP authentication.
Package:wget
Date:2014-10-31
Posted by:kikadf
Vulnerable version:1.13.4-2
Unaffected version:1.13.4-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
Description:HD Moore discovered that Wget contained a path traversal vulnerability when downloading symlinks using FTP.
Package:libxml2
Date:2014-10-31
Posted by:kikadf
Vulnerable version:2.8.0-2arcturus1
Unaffected version:2.8.0-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
Description:Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files.
Package:quassel
Date:2014-10-28
Posted by:kikadf
Vulnerable version:0.8.0-2
Unaffected version:0.8.0-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8483
Description:The ECB Blowfish decryption function assumed that encrypted input would always come in blocks of 12 characters, as specified. However, buggy clients or annoying people may not adhere to that assumption, causing the core to crash while trying to process the invalid base64 input.
Package:konversation
Date:2014-10-28
Posted by:kikadf
Vulnerable version:1.4-3
Unaffected version:1.4-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8483
Description:The ECB Blowfish decryption function assumed that encrypted input would always come in blocks of 12 characters, as specified. However, buggy clients or annoying people may not adhere to that assumption, causing the core to crash while trying to process the invalid base64 input.
Package:file
Date:2014-10-28
Posted by:kikadf
Vulnerable version:5.14-2arcturus4
Unaffected version:5.14-2arcturus5
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
Description:An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file.
Package:hostapd
Date:2014-10-19
Posted by:kikadf
Vulnerable version:1.1-2
Unaffected version:1.1-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
Description:Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa package.
Package:wpa_supplicant
Date:2014-10-19
Posted by:kikadf
Vulnerable version:1.1-1
Unaffected version:1.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
Description:Jouni Malinen discovered an input sanitization issue in the wpa_cli and hostapd_cli tools included in the wpa package.
Package:mysql
Date:2014-10-17
Posted by:kikadf
Vulnerable version:5.5.38-1arcturus1
Unaffected version:5.5.40-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6484 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6495 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6505 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6520 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6530 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6551 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
Description:Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues.
Package:drupal7
Date:2014-10-17
Posted by:kikadf
Vulnerable version:7.22-2arcturus4
Unaffected version:7.22-2arcturus5
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
Description:Stefan Horst discovered a vulnerability in the Drupal database abstraction API, which may result in SQL injection.
Package:openssl
Date:2014-10-17
Posted by:kikadf
Vulnerable version:1.0.1-5arcturus6
Unaffected version:1.0.1-5arcturus7
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
Description:A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.
Package:openjpeg
Date:2014-10-17
Posted by:kikadf
Vulnerable version:1.5.1-2
Unaffected version:1.5.1-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6887
Description:Several vulnerabilities have been discovered in OpenJPEG, a JPEG 2000 image library, that may lead to denial of service via application crash or high memory consumption, possible code execution through heap buffer overflows, information disclosure.
Package:bash
Date:2014-10-12
Posted by:kikadf
Vulnerable version:4.2_045-5arcturus2
Unaffected version:4.2_053-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
Description:Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code.
Package:rsyslog
Date:2014-10-12
Posted by:kikadf
Vulnerable version:5.8.13-2arcturus1
Unaffected version:5.8.13-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3683
Description:Incomplete fix for CVE-2014-3634.
Package:qemu
Date:2014-10-08
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus5
Unaffected version:1.5.2-3arcturus6
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3615
Description:An information leakage flaw was found in Qemu's VGA emulator. It could lead to leaking host memory bytes to a VNC client. It could occur when a guest GOP driver attempts to set a high display resolution.
Package:mediawiki
Date:2014-10-07
Posted by:kikadf
Vulnerable version:1.19.19-1arcturus1
Unaffected version:1.19.20-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7295
Description:It was reported that MediaWiki, a website engine for collaborative work, allowed to load user-created CSS on pages where user-created JavaScript is not allowed.
Package:mantis
Date:2014-10-07
Posted by:kikadf
Vulnerable version:1.2.8-2arcturus1
Unaffected version:1.2.8-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6387
Description:Mantis suffers from a null byte poisoning issue when LDAP authentication is used.
Package:openvpn
Date:2014-10-05
Posted by:kikadf
Vulnerable version:2.1.3-6
Unaffected version:2.1.3-7arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2013-2061
Description:It was discovered that OpenVPN incorrectly handled HMAC comparisons when running in UDP mode.
Package:krb5
Date:2014-10-05
Posted by:kikadf
Vulnerable version:1.10.1-2arcturus1
Unaffected version:1.10.1-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351
Description:It was reported that if a privileged user randomized the keys for a service principal, the old key would be returned to them. This could lead to ticket forgery attacks on the service in question.
Package:file
Date:2014-10-05
Posted by:kikadf
Vulnerable version:5.14-2arcturus3
Unaffected version:5.14-2arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587
Description:It was discovered that file incorrectly handled certain CDF documents. A attacker could use this issue to cause file to hang or crash, resulting in a denial of service.
Package:putty
Date:2014-10-05
Posted by:kikadf
Vulnerable version:0.62-1
Unaffected version:0.62-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4206 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4207 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4208 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4852
Description:Mark Wooding discovered a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. It was discovered that non-coprime values in DSA signatures can cause a buffer overflow in the calculation code of modular inverses when verifying a DSA signature. Such a signature is invalid. It was discovered that private keys were left in memory after being used by PuTTY tools. Gergely Eberhardt from SEARCH-LAB Ltd. discovered that PuTTY is vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication due to improper bounds checking of the length parameter received from the SSH server.
Package:qemu
Date:2014-10-04
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus4
Unaffected version:1.5.2-3arcturus5
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
Description:When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Package:rsyslog
Date:2014-10-03
Posted by:kikadf
Vulnerable version:5.8.13-1
Unaffected version:5.8.13-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634
Description:Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. As a consequence of this vulnerability an attacker can send malformed messages to a server, if this one accepts data from untrusted sources, and trigger a denial of service attack.
Package:libvncserver
Date:2014-10-03
Posted by:kikadf
Vulnerable version:0.9.8.1-2arcturus1
Unaffected version:0.9.8.1-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
Description:An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way screen sizes were handled by LibVNCServer. A NULL pointer dereference flaw was reported in LibVNCServer's framebuffer setup. A malicious VNC server could use this flaw to cause a client to crash. A divide-by-zero flaw was reported in LibVNCServer's scaling factor handling. A VNC client could use this flaw to cause the VNC server to crash.
Package:krfb
Date:2014-10-03
Posted by:kikadf
Vulnerable version:4.11.1-2arcturus1
Unaffected version:4.11.1-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
Description:A malicious VNC server could use this flaw to cause a client to crash. A divide-by-zero flaw was reported in LibVNCServer's scaling factor handling. A VNC client could use this flaw to cause the VNC server to crash.
Package:ctags
Date:2014-10-03
Posted by:kikadf
Vulnerable version:5.8-1
Unaffected version:5.8-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7204
Description:A denial of service issue was discovered in ctags. This could lead to excessive CPU and disk space consumption.
Package:bash
Date:2014-09-26
Posted by:kikadf
Vulnerable version:4.2_045-5arcturus1
Unaffected version:4.2_045-5arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
Description:Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.
Package:libvncserver
Date:2014-09-25
Posted by:kikadf
Vulnerable version:0.9.8.1-1
Unaffected version:0.9.8.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
Description:Several remotely exploitable security issues have been uncovered in libvncserver, some of which might allow a remote authenticated user code execution or application crashes.
Package:krfb
Date:2014-09-25
Posted by:kikadf
Vulnerable version:4.11.1-1
Unaffected version:4.11.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
Description:Several remotely exploitable security issues have been uncovered in libvncserver, some of which might allow a remote authenticated user code execution or application crashes.
Package:bash
Date:2014-09-25
Posted by:kikadf
Vulnerable version:4.2_045-4
Unaffected version:4.2_045-5arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Description:Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
Package:mantis
Date:2014-09-25
Posted by:kikadf
Vulnerable version:1.2.8-1
Unaffected version:1.2.8-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1608 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1609
Description:Multiple SQL injection vulnerabilities have been discovered in the Mantis bug tracking system.
Package:nginx
Date:2014-09-25
Posted by:kikadf
Vulnerable version:1.4.1-1
Unaffected version:1.4.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
Description:Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position.
Package:dbus
Date:2014-09-23
Posted by:kikadf
Vulnerable version:1.6.8-10arcturus1
Unaffected version:1.6.8-10arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3635 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3636 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3637 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639
Description:On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or potentially to arbitrary code execution. A denial-of-service vulnerability in dbus-daemon allowed local attackers to prevent new connections to dbus-daemon, or disconnect existing clients, by exhausting descriptor limits. Malicious local users could create D-Bus connections to dbus-daemon which could not be terminated by killing the participating processes, resulting in a denial-of-service vulnerability. dbus-daemon suffered from a denial-of-service vulnerability in the code which tracks which messages expect a reply, allowing local attackers to reduce the performance of dbus-daemon. dbus-daemon did not properly reject malicious connections from local users, resulting in a denial-of-service vulnerability.
Package:squid
Date:2014-09-13
Posted by:kikadf
Vulnerable version:3.1.19-2arcturus1
Unaffected version:3.1.19-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6270
Description:Sebastian Krahmer discovered an off-by-one error, leading to a heap-based buffer overflow flaw, in the way Squid handled UDP SNMP requests.
Package:python-oauth2
Date:2014-09-13
Posted by:kikadf
Vulnerable version:1.5.211-3
Unaffected version:1.5.211-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4347
Description:It was found that _check_signature() in python-oauth2, an application for authorization flows for web application, ignored the nonce values when validating signed urls. It was found that in python-oauth2, an application for authorizing flows for web application, the nonce value generated isn't random enough, because while doing bulk operations, nonce might get repeated, so there is a chance of predictability.
Package:xerces-j
Date:2014-09-13
Posted by:kikadf
Vulnerable version:2.11.0-1
Unaffected version:2.11.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Description:A resource consumption issue was found in the way Xerces-J handled XML declarations.
Package:curl
Date:2014-09-13
Posted by:kikadf
Vulnerable version:7.26.0-2arcturus3
Unaffected version:7.26.0-2arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
Description:By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed.
Package:php
Date:2014-09-11
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus5
Unaffected version:5.3.26-2arcturus6
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698
Description:Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.
Package:procmail
Date:2014-09-05
Posted by:kikadf
Vulnerable version:3.22-5
Unaffected version:3.22-6arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618
Description:Boris pi Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail's formail utility when processing specially-crafted email headers.
Package:libgcrypt
Date:2014-09-05
Posted by:kikadf
Vulnerable version:1.5.0-4
Unaffected version:1.5.0-5arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
Description:Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an adaptive chosen ciphertext attack via physical side channels.
Package:gnupg
Date:2014-09-05
Posted by:kikadf
Vulnerable version:1.4.14-2arcturus2
Unaffected version:1.4.14-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
Description:Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via physical side channels.
Package:lua
Date:2014-09-02
Posted by:kikadf
Vulnerable version:5.1.5-2
Unaffected version:5.1.5-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
Description:A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.
Package:net-snmp
Date:2014-09-02
Posted by:kikadf
Vulnerable version:5.7.1-4arcturus1
Unaffected version:5.7.1-4arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565
Description:snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type.
Package:libmodplug
Date:2014-08-30
Posted by:kikadf
Vulnerable version:0.8.8.4-2
Unaffected version:0.8.8.5-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234
Description:Several vulnerabilities have been discovered in libmodplug, a library for mod music based on ModPlug, that might allow arbitrary code execution when processing specially-crafted ABC files through applications using the library, such as media players.
Package:squid
Date:2014-08-29
Posted by:kikadf
Vulnerable version:3.1.19-1
Unaffected version:3.1.19-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
Description:Squid3, a fully featured Web proxy cache, is prone to a denial of service attack due to memory consumption caused by memory leaks in cachemgr.cgi. Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing.
Package:cups
Date:2014-08-28
Posted by:kikadf
Vulnerable version:1.6.1-3arcturus3
Unaffected version:1.6.1-3arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
Description:The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors.
Package:glibc
Date:2014-08-28
Posted by:kikadf
Vulnerable version:2.16.0-3
Unaffected version:2.16.0-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
Description:A directory traveral flaw was found in the way glibc loaded locale files. Tavis Ormandy reported an off-by-one error leading to a heap-based buffer overflow flaw in glibc's __gconv_translit_find() function.
Package:ipython
Date:2014-08-28
Posted by:kikadf
Vulnerable version:1.0.0-1
Unaffected version:1.0.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
Description:Cross-domain websocket hijacking vulnerability.
Package:ppp
Date:2014-08-26
Posted by:kikadf
Vulnerable version:2.4.5-3
Unaffected version:2.4.5-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158
Description:Integer overflow in option parsing.
Package:mediawiki
Date:2014-08-26
Posted by:kikadf
Vulnerable version:1.19.16-1arcturus1
Unaffected version:1.19.18-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5241 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5243
Description:It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243).
Package:django
Date:2014-08-26
Posted by:kikadf
Vulnerable version:1.5.2-2arcturus2
Unaffected version:1.5.9-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0481 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0482 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483
Description:Florian Apolloner discovered that in certain situations, URL reversing could generate scheme-relative URLs which could unexpectedly redirect a user to a different host, leading to phishing attacks. David Wilson reported a file upload denial of service vulnerability. David Greisen discovered that under some circumstances, the use of the RemoteUserMiddleware middleware and the RemoteUserBackend authentication backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions. Collin Anderson discovered that it is possible to reveal any field's data by modifying the popup and to_field parameters of the query string on an admin change form page.
Package:imaging
Date:2014-08-26
Posted by:kikadf
Vulnerable version:1.1.7-5arcturus1
Unaffected version:1.1.7-5arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
Description:Andrew Drake discovered that missing input sanitising in the icns decoder of the Python Imaging Library could result in denial of service if a malformed image is processed.
Package:php
Date:2014-08-21
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus4
Unaffected version:5.3.26-2arcturus5
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
Description:It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service.
Package:cacti
Date:2014-08-21
Posted by:kikadf
Vulnerable version:0.8.8b-2arcturus1
Unaffected version:0.8.8b-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5043 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5261 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5262
Description:Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.
Package:wordpress
Date:2014-08-20
Posted by:kikadf
Vulnerable version:3.9-1arcturus1
Unaffected version:3.9.2-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266
Description:Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure.
Package:wireshark
Date:2014-08-20
Posted by:kikadf
Vulnerable version:1.8.13-1arcturus1
Unaffected version:1.8.15-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5162 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5163 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5164 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5165
Description:Multiple vulnerabilities were discovered in the dissectors for Catapult DCT2000, IrDA, GSM Management, RLC ASN.1 BER, which could result in denial of service.
Package:tor
Date:2014-08-20
Posted by:kikadf
Vulnerable version:0.2.3.25-2
Unaffected version:0.2.4.23-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5117
Description:Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks.
Package:serf
Date:2014-08-20
Posted by:kikadf
Vulnerable version:1.2.1-1
Unaffected version:1.2.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504
Description:Ben Reser discovered that serf did not correctly handle SSL certificates with NUL bytes in the CommonName or SubjectAltNames fields.
Package:openssl
Date:2014-08-20
Posted by:kikadf
Vulnerable version:1.0.1-5arcturus5
Unaffected version:1.0.1-5arcturus6
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
Description:Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak, protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed.
Package:kdelibs
Date:2014-08-20
Posted by:kikadf
Vulnerable version:4.11.1-1
Unaffected version:4.11.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5033
Description:Sebastian Krahmer discovered that Kauth used Policykit insecurely by relying on the process ID. This could result in privilege escalation.
Package:krb5
Date:2014-08-20
Posted by:kikadf
Vulnerable version:1.10.1-1
Unaffected version:1.10.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4344 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345
Description:An unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer. An unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a null pointer dereference. An unauthenticated remote attacker with the ability to spoof packets appearing to be from a GSSAPI acceptor can cause a double-free condition in GSSAPI initiators (clients) which are using the SPNEGO mechanism, by returning a different underlying mechanism than was proposed by the initiator. An unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor. When kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overflow).
Package:lzo
Date:2014-08-20
Posted by:kikadf
Vulnerable version:2.0.6-1
Unaffected version:2.0.6-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
Description:Don A. Bailey from Lab Mouse Security discovered an integer overflow flaw in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.
Package:gpgme
Date:2014-08-20
Posted by:kikadf
Vulnerable version:1.3.1-5
Unaffected version:1.3.1-6arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564
Description:Tomáš Trnka discovered a heap-based buffer overflow within the gpgsm status handler of GPGME, a library designed to make access to GnuPG easier for applications. An attacker could use this issue to cause an application using GPGME to crash (denial of service) or possibly to execute arbitrary code.
Package:drupal7
Date:2014-08-20
Posted by:kikadf
Vulnerable version:7.22-2arcturus3
Unaffected version:7.22-2arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5267
Description:A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive.
Package:drupal6
Date:2014-08-20
Posted by:kikadf
Vulnerable version:6.32-1arcturus1
Unaffected version:6.33-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5267
Description:A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive.
Package:apache
Date:2014-08-20
Posted by:kikadf
Vulnerable version:2.2.23-3arcturus1
Unaffected version:2.2.23-3arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
Description:Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. Giancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. Marek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. Rainer Jung discovered that the mod_cgid module incorrectly handled certain scripts.
Package:libtasn1
Date:2014-07-23
Posted by:kikadf
Vulnerable version:2.11-1
Unaffected version:2.11-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
Description:It was discovered that Libtasn1 incorrectly handled certain ASN.1 data structures. It was discovered that Libtasn1 incorrectly handled negative bit lengths.
Package:cups
Date:2014-07-23
Posted by:kikadf
Vulnerable version:1.6.1-3arcturus2
Unaffected version:1.6.1-3arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
Description:Francisco Alonso discovered that the CUPS web interface incorrectly validated permissions on rss files.
Package:drupal6
Date:2014-07-23
Posted by:kikadf
Vulnerable version:6.31-1arcturus1
Unaffected version:6.32-1arcturus1
Bug tracker entry:
CVEs:https://www.drupal.org/SA-CORE-2014-003
Description:Multiple security issues have been discovered in the Drupal content management system, ranging from denial of service to cross-site scripting.
Package:drupal7
Date:2014-07-23
Posted by:kikadf
Vulnerable version:7.22-2arcturus2
Unaffected version:7.22-2arcturus3
Bug tracker entry:
CVEs:https://www.drupal.org/SA-CORE-2014-003
Description:Multiple security issues have been discovered in the Drupal content management system, ranging from denial of service to cross-site scripting.
Package:activerecord
Date:2014-07-20
Posted by:kikadf
Vulnerable version:3.2.13-1
Unaffected version:3.2.13-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
Description:Sean Griffin discovered two vulnerabilities in the PostgreSQL adapter for Active Record which could lead to SQL injection.
Package:transmission-cli
Date:2014-07-20
Posted by:kikadf
Vulnerable version:2.81-1
Unaffected version:2.81-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909
Description:Ben Hawkes discovered that Transmission incorrectly handled certain peer messages.
Package:miniupnpc
Date:2014-07-20
Posted by:kikadf
Vulnerable version:1.7-1
Unaffected version:1.7-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3985
Description:It was discovered that MiniUPnPc incorrectly handled certain buffer lengths.
Package:file
Date:2014-07-20
Posted by:kikadf
Vulnerable version:5.14-2arcturus2
Unaffected version:5.14-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538
Description:Mike Frysinger discovered that the file awk script detector used multiple wildcard with unlimited repetitions. Francisco Alonso discovered that file incorrectly handled certain CDF documents. Jan Kaluža discovered that file did not properly restrict the amount of data read during regex searches.
Package:fail2ban
Date:2014-07-20
Posted by:kikadf
Vulnerable version:0.8.4-3
Unaffected version:0.8.13-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7177
Description:Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts that cause multiple authentication errors. When using Fail2ban to monitor Postfix or Cyrus IMAP logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, resulting in denial of service.
Package:mysql
Date:2014-07-20
Posted by:kikadf
Vulnerable version:5.5.37-1arcturus1
Unaffected version:5.5.38-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2494 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4207 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4258 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4260
Description:Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to ENARC. Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect availability via vectors related to SROPTZR. Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC. Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier allows remote authenticated users to affect integrity and availability via vectors related to SRCHAR.
Package:php
Date:2014-07-17
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus3
Unaffected version:5.3.26-2arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
Description:Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_read_short_sector() function. Francisco Alonso of the Red Hat Security Response Team discovered a flaw in the way the truncated pascal string size in the mconvert() function is computed. Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_check_stream_offset() function. rancisco Alonso of the Red Hat Security Response Team reported an insufficient boundary check in the cdf_count_chain() function. Francisco Alonso of the Red Hat Security Response Team discovered an incorrect boundary check in the cdf_read_property_info() funtion. Stefan Esser discovered a type confusion issue affecting phpinfo(), which might allow an attacker to obtain sensitive information from process memory.
Package:vlc
Date:2014-07-17
Posted by:kikadf
Vulnerable version:2.0.8-2
Unaffected version:2.0.8-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4388
Description:Multiple buffer overflows have been found in the VideoLAN media player. Processing malformed subtitles or movie files could lead to denial of service and potentially the execution of arbitrary code.
Package:dbus
Date:2014-07-03
Posted by:kikadf
Vulnerable version:1.6.8-9
Unaffected version:1.6.8-10arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533
Description:Alban Crequy at Collabora Ltd. discovered that dbus-daemon sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service. Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. Alban Crequy at Collabora Ltd. and Alejandro Martínez Suárez discovered that a malicious process could force services to be disconnected from the D-Bus system by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process, leading to a denial of service.
Package:cacti
Date:2014-07-03
Posted by:kikadf
Vulnerable version:0.8.8b-1
Unaffected version:0.8.8b-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1435 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5588 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5589 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2327 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2327 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002
Description:Multiple security issues (cross-site scripting, cross-site request forgery, SQL injections, missing input sanitising) have been found in Cacti, a web frontend for RRDTool.
Package:gnupg2
Date:2014-06-26
Posted by:kikadf
Vulnerable version:2.0.20-1
Unaffected version:2.0.20-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
Description:Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets.
Package:gnupg
Date:2014-06-26
Posted by:kikadf
Vulnerable version:1.4.14-2arcturus1
Unaffected version:1.4.14-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
Description:Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets.
Package:thunderbird
Date:2014-06-26
Posted by:kikadf
Vulnerable version:24.4.0-1arcturus1
Unaffected version:24.6.0-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
Description:Multiple security issues have been found in the Mozilla Thunderbird mail and news client: multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.
Package:samba
Date:2014-06-23
Posted by:kikadf
Vulnerable version:3.6.23-1arcturus1
Unaffected version:3.6.24-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493
Description:Denial of service (infinite CPU loop) in the nmbd Netbios name service daemon. Denial of service (daemon crash) in the smbd file server daemon.
Package:php
Date:2014-06-23
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus2
Unaffected version:5.3.26-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
Description:Stefan Esser discovered that PHP incorrectly handled DNS TXT records.
Package:mediawiki
Date:2014-06-23
Posted by:kikadf
Vulnerable version:1.18.1-1
Unaffected version:1.19.16-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
Description:Omer Iqbal discovered that Mediawiki, a wiki engine, parses invalid usernames on Special:PasswordReset as wikitext when $wgRawHtml is enabled. On such wikis this allows an unauthenticated attacker to insert malicious JavaScript, a cross site scripting attack.
Package:json-c
Date:2014-06-25
Posted by:kikadf
Vulnerable version:0.9-1
Unaffected version:0.9-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
Description:Florian Weimer discovered that json-c incorrectly handled buffer lengths.
Package:kernel
Date:2014-06-18
Posted by:kikadf
Vulnerable version:3.10-7
Unaffected version:3.10-8arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014
Description:Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. Kernel Infoleak vulnerability in media_enum_entities(). Linux kernel user namespace bug.
Package:firefox
Date:2014-06-14
Posted by:kikadf
Vulnerable version:29.0-1arcturus1
Unaffected version:30.0-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1534 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1536 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1540 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1542
Description:Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey, Jesse Ruderman, Gregor Wagner, Benoit Jacob and Karl Tomlinson discovered multiple memory safety issues in Firefox. Abhishek Arya discovered multiple use-after-free and out-of-bounds read issues in Firefox. Tyson Smith and Jesse Schwartzentruber discovered a use-after-free in the event listener manager. A use-after-free was discovered in the SMIL animation controller. Holger Fuhrmannek discovered a buffer overflow in Web Audio.
Package:chromium-browser
Date:2014-06-13
Posted by:kikadf
Vulnerable version:35.0.1916.114-1arcturus1
Unaffected version:35.0.1916.153-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3154 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3156 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3157
Description:Use-after-free in filesystem api. Out-of-bounds read in SPDY. Buffer overflow in clipboard. Heap overflow in media.
Package:mupdf
Date:2014-06-06
Posted by:kikadf
Vulnerable version:1.1-1
Unaffected version:1.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2013
Description:It was discovered that a buffer overflow in the MuPDF viewer might lead to the execution of arbitrary code.
Package:openssl
Date:2014-06-05
Posted by:kikadf
Vulnerable version:1.0.1-5arcturus4
Unaffected version:1.0.1-5arcturus5
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
Description:Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS fragments. Imre Rad discovered that OpenSSL incorrectly handled DTLS recursions. Kikuchi Masashi discovered that OpenSSL incorrectly handled certain handshakes. Felix Gröbert and Ivan Fratrić discovered that OpenSSL incorrectly handled anonymous ECDH ciphersuites.
Package:python-gnupg
Date:2014-06-05
Posted by:kikadf
Vulnerable version:0.3.4-1
Unaffected version:0.3.6-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7323 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1927 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1928 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1929
Description:Multiple vulnerabilities were discovered in the Python wrapper for the Gnu Privacy Guard (GPG). Insufficient sanitising could lead to the execution of arbitrary shell commands.
Package:chkrootkit
Date:2014-06-05
Posted by:kikadf
Vulnerable version:49-1
Unaffected version:50-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0476
Description:Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option.
Package:chromium-browser
Date:2014-06-05
Posted by:kikadf
Vulnerable version:34.0.1847.118-1arcturus1
Unaffected version:35.0.1916.114-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1743 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1744 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1745 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3152
Description:Cloudfuzzer discovered a use-after-free issue in the Blink/Webkit document object model implementation. Aaron Staple discovered an integer overflow issue in audio input handling. Atte Kettunen discovered a use-after-free issue in the Blink/Webkit scalable vector graphics implementation. Holger Fuhrmannek discovered an out-of-bounds read issue in the URL protocol implementation for handling media. Packagesu discovered a cross-site scripting issue involving malformed MHTML files. Jordan Milne discovered a user interface spoofing issue. The Google Chrome development team discovered and fixed multiple issues with potential security impact. An integer underflow issue was discovered in the v8 javascript library.
Package:php
Date:2014-06-02
Posted by:kikadf
Vulnerable version:5.3.26-2arcturus1
Unaffected version:5.3.26-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
Description:The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP FPM that allowed any local user to run a PHP code under the active user of FPM process via crafted FastCGI client. Denial of service in the CDF parser of the fileinfo module. (CVE-2014-0237,0238) Denial of service in the fileinfo module. (CVE-2014-2270)
Package:gnutls
Date:2014-06-02
Posted by:kikadf
Vulnerable version:2.12.17-2arcturus1
Unaffected version:2.12.17-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
Description:Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service.
Package:mod_wsgi
Date:2014-06-02
Posted by:kikadf
Vulnerable version:3.4-1
Unaffected version:3.4-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240
Description:Robert Kisteleki discovered a potential privilege escalation in daemon mode.
Package:lxml
Date:2014-05-24
Posted by:kikadf
Vulnerable version:2.3-1
Unaffected version:2.3.5-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146
Description:It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacked could potentially exploit this to conduct cross-site scripting (XSS) attacks.
Package:pidgin
Date:2014-05-22
Posted by:kikadf
Vulnerable version:2.10.7-2arcturus2
Unaffected version:2.10.7-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775
Description:It was discovered that Pidgin incorrectly handled certain messages from Gadu-Gadu file relay servers.
Package:libgadu
Date:2014-05-22
Posted by:kikadf
Vulnerable version:1.11.2-2arcturus1
Unaffected version:1.11.2-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775
Description:It was discovered that libgadu incorrectly handled certain messages from file relay servers.
Package:actionpack
Date:2014-05-17
Posted by:kikadf
Vulnerable version:3.2.6-2arcturus1
Unaffected version:3.2.6-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
Description:The actionview/lib/action_view/helpers/number_helper.rb contains multiple cross-site scripting vulnerabilities. The actionpack/lib/action_view/template/text.rb performs symbol interning on MIME type strings, allowing remote denial-of-service attacks via increased memory consumption. A directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb allows remote attackers to read arbitrary files.
Package:libxml2
Date:2014-05-16
Posted by:kikadf
Vulnerable version:2.8.0-1
Unaffected version:2.8.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
Description:It was discovered that libxml2 had a heap-based buffer underflow when parsing entities. It was discovered that libxml2 would load XML external entities by default. It was discovered that libxml2 incorrectly handled documents that end abruptly. Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to.
Package:dovecot
Date:2014-05-16
Posted by:kikadf
Vulnerable version:2.1.8-2
Unaffected version:2.1.8-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
Description:It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections.
Package:django
Date:2014-05-15
Posted by:kikadf
Vulnerable version:1.5.2-2arcturus1
Unaffected version:1.5.2-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
Description:Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers.
Package:kernel
Date:2014-05-15
Posted by:James Buren
Vulnerable version:3.10-6
Unaffected version:3.10-7
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2851 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122
Description:Jiri Slaby discovered a race condition in the pty layer, which could lead to denial of service or privilege escalation. Matthew Daley discovered that missing input sanitising in the FDRAWCMD ioctl and an information leak could result in privilege escalation. Incorrect reference counting in the ping_init_sock() function allows denial of service or privilege escalation. Incorrect locking of memory can result in local denial of service.
Package:libxfont
Date:2014-05-14
Posted by:kikadf
Vulnerable version:1.4.5-2arcturus2
Unaffected version:1.4.5-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211
Description:Integer overflow of allocations in font metadata file parsing could allow a local user who is already authenticated to the X server to overwrite other memory in the heap. Libxfont does not validate length fields when parsing xfs protocol replies allowing to write past the bounds of allocated memory when storing the returned data from the font server. Integer overflows calculating memory needs for xfs replies could result in allocating too little memory and then writing the returned data from the font server past the end of the allocated buffer.
Package:rxvt-unicode
Date:2014-05-09
Posted by:kikadf
Vulnerable version:9.18-1
Unaffected version:9.18-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3121
Description:Phillip Hallam-Baker discovered that window property values could be queried in rxvt-unicode, resulting in the potential execution of arbitrary commands.
Package:libtiff
Date:2014-05-07
Posted by:kikadf
Vulnerable version:3.9.5-1
Unaffected version:3.9.5-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5581 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244
Description:It was discovered that LibTIFF incorrectly handled certain malformed images when using the gif2tiff tool. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
Package:strongswan
Date:2014-05-07
Posted by:kikadf
Vulnerable version:5.0.1-2arcturus1
Unaffected version:5.0.1-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2891
Description:A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE/IPsec suite used to establish IPsec protected links.
Package:openssl
Date:2014-05-07
Posted by:kikadf
Vulnerable version:1.0.1-5arcturus3
Unaffected version:1.0.1-5arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
Description:It was discovered that OpenSSL incorrectly handled memory in the do_ssl3_write() function. A remote attacker could use this issue to possibly cause OpenSSL to crash, resulting in a denial of service.
Package:libmms
Date:2014-04-30
Posted by:kikadf
Vulnerable version:0.6.2-1
Unaffected version:0.6.2-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2892
Description:Alex Chapman discovered that a buffer overflow in processing "MMS over HTTP" messages could result in the execution of arbitrary code.
Package:qemu
Date:2014-04-28
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus3
Unaffected version:1.5.2-3arcturus4
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2894
Description:Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. Benoît Canet discovered that QEMU incorrectly handled SMART self-tests. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host.
Package:drupal7
Date:2014-04-26
Posted by:kikadf
Vulnerable version:7.22-2arcturus1
Unaffected version:7.22-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983
Description:An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.
Package:drupal6
Date:2014-04-26
Posted by:kikadf
Vulnerable version:6.30-1arcturus1
Unaffected version:6.31-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983
Description:An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time.
Package:cups
Date:2014-04-25
Posted by:kikadf
Vulnerable version:1.6.1-3arcturus1
Unaffected version:1.6.1-3arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
Description:Alex Korobkin discovered that the CUPS web interface incorrectly protected against cross-site scripting (XSS) attacks.
Package:django
Date:2014-04-22
Posted by:kikadf
Vulnerable version:1.5.2-1
Unaffected version:1.5.2-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
Description:Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database.
Package:qemu
Date:2014-04-20
Posted by:kikadf
Vulnerable version:1.5.2-3arcturus2
Unaffected version:1.5.2-3arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0150
Description:Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.
Package:openssl
Date:2014-04-18
Posted by:kikadf
Vulnerable version:1.0.1-5arcturus2
Unaffected version:1.0.1-5arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
Description:A read buffer can be freed even when it still contains data that is used later on, leading to a use-after-free. Given a race condition in a multi-threaded application it may permit an attacker to inject data from one connection into another or cause denial of service.
Package:ntp
Date:2014-04-18
Posted by:kikadf
Vulnerable version:4.2.6p5-2
Unaffected version:4.2.6p5-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
Description:The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Package:openssh
Date:2014-04-18
Posted by:kikadf
Vulnerable version:6.1p1-1
Unaffected version:6.1p1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
Description:Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate.
Package:python
Date:2014-04-18
Posted by:kikadf
Vulnerable version:2.7.5-1
Unaffected version:2.7.5-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
Description:Ryan Sleevi discovered that NULL characters in the subject alternate names of SSL cerficates were parsed incorrectly. Ryan Smith-Roberts discovered a buffer overflow in the socket.recvfrom_into() function.
Package:imaging
Date:2014-04-17
Posted by:kikadf
Vulnerable version:1.1.7-4
Unaffected version:1.1.7-5arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
Description:Jakub Wilk discovered that the Python Imaging Library incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files, or gain access to temporary file contents.
Package:xalan-j
Date:2014-04-17
Posted by:kikadf
Vulnerable version:2.7.1-2
Unaffected version:2.7.1-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Description:Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution.
Package:wordpress
Date:2014-04-17
Posted by:kikadf
Vulnerable version:3.5.1-1
Unaffected version:3.9-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0166
Description:A user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-higher role. Jon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie.
Package:strongswan
Date:2014-04-17
Posted by:kikadf
Vulnerable version:5.0.1-1
Unaffected version:5.0.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5018 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2338
Description:A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE daemon used to establish IPsec protected links. An authentication bypass vulnerability was found in charon, the daemon handling IKEv2 in strongSwan, an IKE/IPsec suite. The state machine handling the security association (IKE_SA) handled some state transitions incorrectly.
Package:samba
Date:2014-04-17
Posted by:kikadf
Vulnerable version:3.6.9-4arcturus1
Unaffected version:3.6.23-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442
Description:Andrew Bartlett discovered that Samba did not properly enforce the password guessing protection mechanism for all interfaces. Samba have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
Package:postfixadmin
Date:2014-04-17
Posted by:kikadf
Vulnerable version:2.3.6-1
Unaffected version:2.3.6-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2655
Description:An SQL injection vulnerability was discovered in postfixadmin, a web administration interface for the Postfix Mail Transport Agent, which allowed authenticated users to make arbitrary manipulations to the database.
Package:net-snmp
Date:2014-04-16
Posted by:kikadf
Vulnerable version:5.7.1-3
Unaffected version:5.7.1-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2285
Description:Ken Farnen discovered that Net-SNMP incorrectly handled AgentX timeouts. It was discovered that the Net-SNMP ICMP-MIB incorrectly validated input. Viliam Púčik discovered that the Net-SNMP perl trap handler incorrectly handled NULL arguments.
Package:jbigkit
Date:2014-04-16
Posted by:kikadf
Vulnerable version:2.0-2
Unaffected version:2.0-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369
Description:Florian Weimer of the Red Hat product security team discovered multiple buffer overflows in jbigkit, which could lead to the execution of arbitrary code when processing malformed images.
Package:curl
Date:2014-04-16
Posted by:kikadf
Vulnerable version:7.26.0-2arcturus2
Unaffected version:7.26.0-2arcturus3
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
Description:Steve Holme discovered that libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. Richard Moore from Westpoint Ltd. reported that libcurl does not behave compliant to RFC 2828 under certain conditions and incorrectly validates wildcard SSL certificates containing literal IP addresses.
Package:libyaml
Date:2014-04-14
Posted by:kikadf
Vulnerable version:0.1.4-3arcturus1
Unaffected version:0.1.4-3arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525
Description:Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library.
Package:apache
Date:2014-04-14
Posted by:kikadf
Vulnerable version:2.2.23-2
Unaffected version:2.2.23-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
Description:Ning Zhang and Amin Tora discovered that the mod_dav module incorrectly handled whitespace characters in CDATA sections. Rainer M Canavan discovered that the mod_log_config module incorrectly handled certain cookies.
Package:actionmailer
Date:2014-04-14
Posted by:kikadf
Vulnerable version:3.2.6-1
Unaffected version:3.2.6-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
Description:Aaron Neyer discovered that missing input sanitising in the logging component of Ruby Actionmailer could result in denial of service through a malformed e-mail message.
Package:actionpack
Date:2014-04-14
Posted by:kikadf
Vulnerable version:3.2.6-1
Unaffected version:3.2.6-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3424 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
Description:Toby Hsieh, Peter McLarnan, Ankit Gupta, Sudhir Rao and Kevin Reintjes discovered multiple cross-site scripting and denial of service vulnerabilities in Ruby Actionpack.
Package:a2ps
Date:2014-04-12
Posted by:kikadf
Vulnerable version:4.14-4
Unaffected version:4.14-5arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1953 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0466
Description:The spy_user function which is called when a2ps is invoked with the --debug flag insecurely used temporary files. Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps.
Package:openssl
Date:2014-04-08
Posted by:James Buren
Vulnerable version:1.0.1-5arcturus1
Unaffected version:1.0.1-5arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Description:A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker. This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory.
Package:lighttpd
Date:2014-03-15
Posted by:kikadf
Vulnerable version:1.4.32-2
Unaffected version:1.4.35-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560
Description:Jann Horn discovered that specially crafted host names can be used to inject arbitrary MySQL queries in lighttpd servers using the MySQL virtual hosting module (mod_mysql_vhost). Jann Horn discovered that specially crafted host names can be used to traverse outside of the document root under certain situations in lighttpd servers using either the mod_mysql_vhost, mod_evhost, or mod_simple_vhost virtual hosting modules.
Package:mutt-devel
Date:2014-03-14
Posted by:kikadf
Vulnerable version:1.5.21-3
Unaffected version:1.5.21-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467
Description:Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the mutt mailreader. Malformed RFC2047 header lines could result in denial of service or potentially the execution of arbitrary code.
Package:php
Date:2014-03-13
Posted by:kikadf
Vulnerable version:5.3.26-1
Unaffected version:5.3.26-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4413 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
Description:It was discovered that file, a file type classification tool, contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files.
Package:icedtea-web
Date:2014-03-13
Posted by:kikadf
Vulnerable version:1.3.1-1
Unaffected version:1.3.1-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6493
Description:Michael Scherer discovered that IcedTea Web created temporary directories in an unsafe fashion.
Package:cups-filters
Date:2014-03-13
Posted by:kikadf
Vulnerable version:1.0.24-1
Unaffected version:1.0.24-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6476
Description:Florian Weimer of the Red Hat Product Security Team discovered multiple vulnerabilities in the pdftoopvp CUPS filter, which could result in the execution of aribitrary code if a malformed PDF file is processed.
Package:libssh
Date:2014-03-13
Posted by:kikadf
Vulnerable version:0.5.3-1
Unaffected version:0.5.3-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0176 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0017
Description:Aris Adamantiadis discovered that libssh allowed the OpenSSL PRNG state to be reused when implementing forking servers.
Package:udisks
Date:2014-03-13
Posted by:kikadf
Vulnerable version:1.0.4-7
Unaffected version:1.0.4-8arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
Description:Florian Weimer discovered a buffer overflow in udisks's mount path parsing code which may result in privilege escalation.
Package:file
Date:2014-03-13
Posted by:kikadf
Vulnerable version:5.14-2arcturus1
Unaffected version:5.14-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270
Description:Aaron Reffett reported a flaw in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. When processing a defective or intentionally prepared PE executable which contains invalid offset information, the file_strncmp routine will access memory that is out of bounds, causing file to crash.
Package:wireshark
Date:2014-03-13
Posted by:kikadf
Vulnerable version:1.8.6-1
Unaffected version:1.8.13-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299
Description:Moshe Kaplan discovered that the NFS dissector could be crashed, resulting in denial of service. It was discovered that the RLC dissector could be crashed, resulting in denial of service. Wesley Neelen discovered a buffer overflow in the MPEG file parser, which could lead to the execution of arbitrary code.
Package:postgresql
Date:2014-03-13
Posted by:kikadf
Vulnerable version:9.1.9-1
Unaffected version:9.1.12-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067
Description:Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch). Prevent privilege escalation via manual calls to PL validator functions (Andres Freund). Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund). Prevent buffer overrun with long datetime strings (Noah Misch). Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas). Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich). Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian). Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane).
Package:gnutls
Date:2014-03-05
Posted by:kikadf
Vulnerable version:2.12.17-1
Unaffected version:2.12.17-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
Description:Nikos Mavrogiannopoulos of Red Hat discovered an X.509 certificate verification issue in GnuTLS, an SSL/TLS library. A certificate validation could be reported sucessfully even in cases were an error would prevent all verification steps to be performed. Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.
Package:file
Date:2014-02-27
Posted by:kikadf
Vulnerable version:5.14-1
Unaffected version:5.14-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943
Description:It was discovered that file, a file type classification tool, contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files.
Package:libtar
Date:2014-02-27
Posted by:kikadf
Vulnerable version:1.2.11-5
Unaffected version:1.2.20-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4420
Description:Timo Warns reported multiple integer overflow vulnerabilities in libtar, a library for manipulating tar archives, which can result in the execution of arbitrary code. A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing to extract files in arbitrary path. An attacker can craft a tar file to override files beyond the tar_extract_glob and tar_extract_all prefix parameter.
Package:perl
Date:2014-02-14
Posted by:kikadf
Vulnerable version:5.14.1-5
Unaffected version:5.14.1-6arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
Description:It was discovered that Perl's Locale::Maketext module incorrectly handled backslashes and fully qualified method names. An attacker could possibly use this flaw to execute arbitrary code when an application used untrusted templates.
Package:pidgin
Date:2014-02-14
Posted by:kikadf
Vulnerable version:2.10.7-1
Unaffected version:2.10.7-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6152 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6479 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6481 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6482 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6483 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6484 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6485 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6489 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6490 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0020
Description:Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future. Pidgin could be crashed through overly wide tooltip windows. Jacob Appelbaum discovered that a malicious server or a "man in the middle" could send a malformed HTTP header resulting in denial of service. Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages. Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages. Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages. It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash. Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses. Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages. Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons. Yves Younan discovered a buffer overflow when parsing SIMPLE headers. Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.
Package:mumble
Date:2014-02-14
Posted by:kikadf
Vulnerable version:1.2.4-1
Unaffected version:1.2.4-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0044 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0045
Description:It was discovered that a malformed Opus voice packet sent to a Mumble client could trigger a NULL pointer dereference or an out-of-bounds array access. A malicious remote attacker could exploit this flaw to mount a denial of service attack against a mumble client by causing the application to crash. It was discovered that a malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow. A malicious remote attacker could use this flaw to cause a client crash (denial of service) or potentially use it to execute arbitrary code.
Package:libgadu
Date:2014-02-14
Posted by:kikadf
Vulnerable version:1.11.2-1
Unaffected version:1.11.2-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487
Description:Yves Younan and Ryan Pentney discovered that libgadu, a library for accessing the Gadu-Gadu instant messaging service, contained an integer overflow leading to a buffer overflow. Attackers which impersonate the server could crash clients and potentially execute arbitrary code.
Package:drupal6
Date:2014-02-07
Posted by:kikadf
Vulnerable version:6.28-1
Unaffected version:6.30-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475
Description:Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting. Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
Package:drupal7
Date:2014-02-07
Posted by:kikadf
Vulnerable version:7.22-1
Unaffected version:7.22-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1476
Description:Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: Cross-site request forgery, insecure pseudo random number generation, code execution, incorrect security token validation and cross-site scripting. Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it.
Package:curl
Date:2014-02-06
Posted by:kikadf
Vulnerable version:7.26.0-2arcturus1
Unaffected version:7.26.0-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
Description:Paras Sethia and Yehezkel Horowitz discovered that libcurl incorrectly reused connections when NTLM authentication was being used. This could lead to the use of unintended credentials, possibly exposing sensitive information.
Package:libotr
Date:2014-02-06
Posted by:kikadf
Vulnerable version:3.2.0-3
Unaffected version:3.2.0-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
Description:Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code.
Package:libyaml
Date:2014-02-06
Posted by:kikadf
Vulnerable version:0.1.4-2
Unaffected version:0.1.4-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2013-6393
Description:Florian Weimer discovered that LibYAML incorrectly handled certain large yaml documents. An attacker could use this issue to cause LibYAML to crash, resulting in a denial of service, or possibly execute arbitrary code.
Package:qemu
Date:2014-02-06
Posted by:kikadf
Vulnerable version:1.5.2-2
Unaffected version:1.5.2-3arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4344 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4377
Description:Asias He discovered that QEMU incorrectly handled SCSI controllers with more than 256 attached devices. A local user could possibly use this flaw to elevate privileges. (CVE-2013-4344) It was discovered that QEMU incorrectly handled Xen disks. A local guest could possibly use this flaw to consume resources, resulting in a denial of service. (CVE-2013-4375) Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service. (CVE-2013-4377)
Package:gnupg
Date:2014-01-18
Posted by:kikadf
Vulnerable version:1.4.14-1
Unaffected version:1.4.14-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
Description:Daniel Kahn Gillmor discovered that GnuPG treated keys with empty usage flags as being valid for all usages. (CVE-2013-4351) Taylor R Campbell discovered that GnuPG incorrectly handled certain OpenPGP messages. (CVE-2013-4402) Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via acoustic emanations. (CVE-2013-4576)
Package:curl
Date:2014-01-18
Posted by:kikadf
Vulnerable version:7.26.0-1
Unaffected version:7.26.0-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422
Description:CVE-2013-0249: It was discovered that curl incorrectly handled SASL authentication when communicating over POP3, SMTP or IMAP. CVE-2013-1944: Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. CVE-2013-2174: Timo Sirainen discovered that cURL, an URL transfer library, is prone to a heap overflow vulnerability due to bad checking of the input data in the curl_easy_unescape function. CVE-2013-4545: Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. CVE-2013-6422: Marc Deslauriers discovered that curl, a file retrieval tool, would mistakenly skip verifying the CN and SAN name fields when digital signature verification was disabled in the libcurl GnuTLS backend.
Package:cups
Date:2014-01-17
Posted by:kikadf
Vulnerable version:1.6.1-2
Unaffected version:1.6.1-3arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6891
Description:Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, bypassing access restrictions.
Package:nspr
Date:2014-01-17
Posted by:kikadf
Vulnerable version:4.9.2-3
Unaffected version:4.9.2-4arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
Description:It was discovered that NSPR, Netscape Portable Runtime library, could crash an application using the library when parsing a certificate that causes an integer overflow. This flaw only affects 64-bit systems.
Package:graphviz
Date:2014-01-17
Posted by:kikadf
Vulnerable version:2.28.0-1
Unaffected version:2.28.0-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236
Description:CVE-2014-0978: It was discovered that user-supplied input used in the yyerror() function in lib/cgraph/scan.l is not bound-checked before beeing copied into an insufficiently sized memory buffer. A context-dependent attacker could supply a specially crafted input file containing a long line to cause a stack-based buffer overlow, resulting in a denial of service (application crash) or potentially allowing the execution of arbitrary code. CVE-2014-1236: Sebastian Krahmer reported an overflow condition in the chkNum() function in lib/cgraph/scan.l that is triggered as the used regular expression accepts an arbitrary long digit list. With a specially crafted input file, a context-dependent attacker can cause a stack-based buffer overflow, resulting in a denial of service (application crash) or potentially allowing the execution of arbitrary code.
Package:djvulibre
Date:2014-01-17
Posted by:kikadf
Vulnerable version:3.5.25.2-1
Unaffected version:3.5.25.2-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6535
Description:It was discovered that djvulibre, the Open Source DjVu implementation project, can be crashed or possibly make it execute arbitrary code when processing a specially crafted djvu file.
Package:hplip
Date:2014-01-16
Posted by:kikadf
Vulnerable version:3.12.11-1
Unaffected version:3.12.11-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4267 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6427
Description:Multiple vulnerabilities have been found in the HP Linux Printing and Imaging System: Insecure temporary files, insufficient permission checks in PackageKit and the insecure hp-upgrade service has been disabled.
Package:bind
Date:2014-01-14
Posted by:kikadf
Vulnerable version:9.9.2-2
Unaffected version:9.9.4-1arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591
Description:libdns allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process. Maxim Shudrak and the HP Zero Day Initiative reported a denial of service vulnerability in BIND, a DNS server. A specially crafted query that includes malformed rdata can cause named daemon to terminate with an assertion failure while rejecting the malformed query.
Package:memcached
Date:2014-01-13
Posted by:kikadf
Vulnerable version:1.4.15-1
Unaffected version:1.4.15-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
Description:It was reported that SASL authentication could be bypassed due to a flaw related to the managment of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials.
Package:openssl
Date:2014-01-12
Posted by:kikadf
Vulnerable version:1.0.1-4
Unaffected version:1.0.1-5arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450
Description:Anton Johansson discovered that an invalid TLS handshake package could crash OpenSSL with a NULL pointer dereference. Multiple security issues have been fixed in OpenSSL: The TLS 1.2 support was susceptible to denial of service and retransmission of DTLS messages was fixed. In addition this update disables the insecure Dual_EC_DRBG algorithm and no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested.
Package:spice
Date:2014-01-12
Posted by:kikadf
Vulnerable version:0.12.2-1
Unaffected version:0.12.2-2arcturus1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4130
Description:David Gibson of Red Hat discovered that SPICE incorrectly handled certain network errors. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application.
Package:libxfont
Date:2014-01-10
Posted by:kikadf
Vulnerable version:1.4.5-1
Unaffected version:1.4.5-2arcturus2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462
Description:It was discovered that a buffer overflow in the processing of Glyph Bitmap Distribution fonts (BDF) could result in the execution of arbitrary code.