Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

php

  • Author: kikadf
  • Vulnerable: 5.3.26-2arcturus5
  • Unaffected: 5.3.26-2arcturus6

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.

CVEs:

libgcrypt

  • Author: kikadf
  • Vulnerable: 1.5.0-4
  • Unaffected: 1.5.0-5arcturus1

Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an adaptive chosen ciphertext attack via physical side channels.

lua

  • Author: kikadf
  • Vulnerable: 5.1.5-2
  • Unaffected: 5.1.5-3arcturus1

A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution.

CVEs:

squid

  • Author: kikadf
  • Vulnerable: 3.1.19-1
  • Unaffected: 3.1.19-2arcturus1

Squid3, a fully featured Web proxy cache, is prone to a denial of service attack due to memory consumption caused by memory leaks in cachemgr.cgi. Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing.

CVEs:

cups

  • Author: kikadf
  • Vulnerable: 1.6.1-3arcturus3
  • Unaffected: 1.6.1-3arcturus4

The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.