Frugalware Let's make things frugal!
En Fr Es It

Frugalware Security Announcements (FSAs)

This is a list of security announcments that have been released for the current stable version of Frugalware
Package:freetype2
Date:2015-03-02
Posted by:kikadf
Vulnerable version:2.4.11-1
Unaffected version:2.4.11-2rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9666 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675
Description:Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files.
Package:cups
Date:2015-03-02
Posted by:kikadf
Vulnerable version:1.6.1-12
Unaffected version:1.6.1-13rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
Description:Peter De Wachter discovered that CUPS, the Common UNIX Printing System, did not correctly parse compressed raster files.
Package:xorg-server
Date:2015-03-02
Posted by:kikadf
Vulnerable version:1.15.2-2
Unaffected version:1.15.2-3rigel2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
Description:Olivier Fourdan discovered that missing input validation in the Xserver's handling of XkbSetGeometry requests may result in an information leak or denial of service.
Package:vlc
Date:2015-03-02
Posted by:kikadf
Vulnerable version:2.0.9-5
Unaffected version:2.0.9-6rigel2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9630
Description:The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible integer underflow when using this length value in a call to memcpy(). The MP4 demuxer, when parsing string boxes, did not properly check that the conversion of the box length from 64bit integer to 32bit integer on 32bit platforms did not cause a truncation, leading to a possible buffer overflow. The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible buffer overflow. The Dirac and Schroedinger encoders did not properly check for an integer overflow on 32bit platforms, leading to a possible buffer overflow.
Package:unrtf
Date:2015-03-02
Posted by:kikadf
Vulnerable version:0.21.5-1
Unaffected version:0.21.5-2rigel2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9275
Description:Michal Zalewski and Hanno Boeck discovered several vulnerabilities in unrtf, a RTF to other formats converter, leading to a denial of service (application crash) or, potentially, the execution of arbitrary code.
Package:sudo
Date:2015-03-02
Posted by:kikadf
Vulnerable version:1.8.9-1
Unaffected version:1.8.12-1rigel2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680
Description:Jakub Wilk reported that sudo, a program designed to provide limited super user privileges to specific users, preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The later could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.
Package:postgresql
Date:2015-03-01
Posted by:kikadf
Vulnerable version:9.1.12-1
Unaffected version:9.1.15-1rigel2
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
Description:A user with limited clearance on a table might have access to information in columns without SELECT rights on through server error messages. The function to_char() might read/write past the end of a buffer. This might crash the server when a formatting template is processed. The pgcrypto module is vulnerable to stack buffer overrun that might crash the server. Emil Lenngren reported that an attacker can inject SQL commands when the synchronization between client and server is lost.
Package:php
Date:2015-02-28
Posted by:kikadf
Vulnerable version:5.5.18-2
Unaffected version:5.5.22-1rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
Description:Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. Stefan Esser discovered that PHP incorrectly handled unserializing objects. Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images.
Package:ntp
Date:2015-02-28
Posted by:kikadf
Vulnerable version:4.2.8-1
Unaffected version:4.2.8-2rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
Description:Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (ntpd crash). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed.
Package:krb5
Date:2015-02-28
Posted by:kikadf
Vulnerable version:1.12.2-2
Unaffected version:1.12.3-1rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423
Description:Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code. Incorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code. Incorrect processing of two-component server principals might result in impersonation attacks. An information leak in the libgssrpc library.
Package:file
Date:2015-02-28
Posted by:kikadf
Vulnerable version:5.14-6
Unaffected version:5.14-7rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
Description:Thomas Jarosch discovered that file incorrectly handled certain ELF files. Thomas Jarosch discovered that file incorrectly limited recursion.
Package:dbus
Date:2015-02-28
Posted by:kikadf
Vulnerable version:1.8.2-4
Unaffected version:1.8.2-5rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245
Description:Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes.
Package:clamav
Date:2015-02-28
Posted by:kikadf
Vulnerable version:0.98.5-1
Unaffected version:0.98.6-1rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328
Description:Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files.
Package:binutils
Date:2015-02-28
Posted by:kikadf
Vulnerable version:2.24-4
Unaffected version:2.24-5rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738
Description:Michal Zalewski discovered that the srec_scan function in libbfd in GNU binutils allowed out-of-bounds reads. Michal Zalewski discovered that the setup_group function in libbfd in GNU binutils did not properly check group headers in ELF files. Hanno Böck discovered that the _bfd_XXi_swap_aouthdr_in function in libbfd in GNU binutils allowed out-of-bounds writes. Hanno Böck discovered a heap-based buffer overflow in the pe_print_edata function in libbfd in GNU binutils. Hanno Böck discovered a stack-based buffer overflow in the ihex_scan function in libbfd in GNU binutils. Michal Zalewski discovered a stack-based buffer overflow in the srec_scan function in libbfd in GNU binutils. Alexander Cherepanov discovered multiple directory traversal vulnerabilities in GNU binutils. Alexander Cherepanov discovered the _bfd_slurp_extended_name_table function in libbfd in GNU binutils allowed invalid writes when handling extended name tables in an archive.
Package:samba
Date:2015-02-26
Posted by:kikadf
Vulnerable version:3.6.24-2
Unaffected version:3.6.25-1rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240
Description:Richard van Eeden of Microsoft Vulnerability Research discovered that Samba, a SMB/CIFS file, print, and login server for Unix, contains a flaw in the netlogon server code which allows remote code execution with root privileges from an unauthenticated connection.
Package:glibc
Date:2015-02-26
Posted by:kikadf
Vulnerable version:2.19-4
Unaffected version:2.19-5rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473
Description:The vfprintf function in stdio-common/vfprintf.c in GNU C Library does not "properly restrict the use of" the alloca function when allocating the SPECS array. The getnetbyname function in glibc 2.21 or earlier will enter an infinite loop if the DNS backend is activated in the system Name Service Switch configuration, and the DNS resolver receives a positive answer while processing the network name. Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
Package:bind
Date:2015-02-26
Posted by:kikadf
Vulnerable version:9.9.6-1
Unaffected version:9.9.6-2rigel1
Bug tracker entry:
CVEs:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349
Description:Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator's part, or due to interference with network traffic by an attacker.