Frugalware Security Announcements (FSAs)

Author: kikadf Vulnerable: 2.11.0-1 Unaffected: 2.11.0-2arcturus1 A resource consumption issue was found in the way Xerces-J handled XML declarations. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

Author: kikadf Vulnerable: 5.3.26-2arcturus5 Unaffected: 5.3.26-2arcturus6 Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698

Author: kikadf Vulnerable: 1.4.14-2arcturus2 Unaffected: 1.4.14-2arcturus3 Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via physical side channels. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270

Author: kikadf Vulnerable: 1.5.0-4 Unaffected: 1.5.0-5arcturus1 Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was susceptible to an adaptive chosen ciphertext attack via physical side channels.

Author: kikadf Vulnerable: 3.22-5 Unaffected: 3.22-6arcturus1 Boris pi Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail’s formail utility when processing specially-crafted email headers. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618

Author: kikadf Vulnerable: 5.1.5-2 Unaffected: 5.1.5-3arcturus1 A heap-based overflow vulnerability was found in the way Lua, a simple, extensible, embeddable programming language, handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461

Author: kikadf Vulnerable: 5.7.1-4arcturus1 Unaffected: 5.7.1-4arcturus2 snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565

Author: kikadf Vulnerable: 0.8.8.4-2 Unaffected: 0.8.8.5-1arcturus1 Several vulnerabilities have been discovered in libmodplug, a library for mod music based on ModPlug, that might allow arbitrary code execution when processing specially-crafted ABC files through applications using the library, such as media players. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4233 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4234

Author: kikadf Vulnerable: 3.1.19-1 Unaffected: 3.1.19-2arcturus1 Squid3, a fully featured Web proxy cache, is prone to a denial of service attack due to memory consumption caused by memory leaks in cachemgr.cgi. Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609

Author: kikadf Vulnerable: 1.6.1-3arcturus3 Unaffected: 1.6.1-3arcturus4 The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.