Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

django

  • Author: kikadf
  • Vulnerable: 1.5.2-2arcturus2
  • Unaffected: 1.5.9-1arcturus1

Florian Apolloner discovered that in certain situations, URL reversing could generate scheme-relative URLs which could unexpectedly redirect a user to a different host, leading to phishing attacks. David Wilson reported a file upload denial of service vulnerability. David Greisen discovered that under some circumstances, the use of the RemoteUserMiddleware middleware and the RemoteUserBackend authentication backend could result in one user receiving another user’s session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions. Collin Anderson discovered that it is possible to reveal any field’s data by modifying the popup and to_field parameters of the query string on an admin change form page.
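Two of the django issues above map onto checks a practitioner can model directly: rejecting scheme-relative redirect targets, and re-validating the REMOTE_USER header against the session on every request. The following is an added example written for this page, not code from Django or from the Frugalware package. The names `is_safe_redirect`, `Session`, `remote_user_vulnerable`, `remote_user_hardened`, `make_request` and the `REMOTE_BACKEND` label are invented for the example, and the request dicts are constructed stand-ins for real request objects; the vulnerable variant is there only to show the behaviour the advisory describes next to a hardened one.

```python
"""Added example (not Django's code) for the two django issues described above.

1. is_safe_redirect(): refuse "//host/..." style targets that change host
   while keeping the current scheme, plus absolute URLs to foreign hosts.
2. remote_user_vulnerable() vs remote_user_hardened(): the first trusts an
   existing session unconditionally, so a changed REMOTE_USER header leaves
   the previous user's session in place; the second reconciles them.

All names below are invented for the example; requests are plain dicts.
"""
from urllib.parse import urlparse


def is_safe_redirect(url, allowed_host):
    """True only if redirecting to `url` keeps the user on `allowed_host`."""
    if not url:
        return False
    # Browsers accept backslashes in place of slashes in the authority part,
    # so normalise first: "/\evil.example" becomes "//evil.example".
    normalised = url.replace("\\", "/")
    # Scheme-relative URLs ("//host/..." and "///host/...") switch host while
    # inheriting the scheme. urlparse treats "///host" as a path-only URL, so
    # the prefix is rejected directly rather than trusting the parsed netloc.
    if normalised.startswith("//"):
        return False
    parsed = urlparse(normalised)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    # Either a relative path (no host) or an absolute URL back to our own host.
    return not parsed.netloc or parsed.netloc == allowed_host


class Session(dict):
    """Constructed stand-in for a server-side session store."""

    def flush(self):
        self.clear()


REMOTE_BACKEND = "remote-user"  # label recorded in sessions this check creates


def make_request(session, remote_user=None):
    """Constructed request carrying only the fields the checks look at."""
    meta = {} if remote_user is None else {"REMOTE_USER": remote_user}
    return {"META": meta, "session": session}


def remote_user_vulnerable(request):
    """Once a session exists it is never compared with the header again, so
    a request with REMOTE_USER=bob keeps running as alice."""
    session = request["session"]
    header = request["META"].get("REMOTE_USER")
    if session.get("user") is not None:
        return session["user"]
    if header is None:
        return None
    session["user"] = header
    session["backend"] = REMOTE_BACKEND
    return header


def remote_user_hardened(request):
    """Re-check REMOTE_USER against the session on every request; drop the
    session when the two disagree or when the header disappears."""
    session = request["session"]
    header = request["META"].get("REMOTE_USER")
    current = session.get("user")
    if header is None:
        # Front-end authentication is gone: a session it created must not
        # outlive it, while a session from another backend is left alone.
        if session.get("backend") == REMOTE_BACKEND:
            session.flush()
            return None
        return current
    if current is not None and current != header:
        # Header changed without a logout/login round trip: the old user's
        # session must not be handed to the new one.
        session.flush()
        current = None
    if current is None:
        session["user"] = header
        session["backend"] = REMOTE_BACKEND
    return session["user"]


if __name__ == "__main__":
    s = Session()
    remote_user_hardened(make_request(s, "alice"))
    print(remote_user_hardened(make_request(s, "bob")))  # bob; alice's session dropped
    print(is_safe_redirect("//evil.example/", "good.example"))  # False
```

The redirect check compares the parsed host with `allowed_host` literally, so a port in the URL ("good.example:8080") counts as a different host; that is the conservative choice for a "next" parameter, and deployments that need ports should whitelist them explicitly.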

cacti

  • Author: kikadf
  • Vulnerable: 0.8.8b-2arcturus1
  • Unaffected: 0.8.8b-2arcturus2

Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems.

CVEs:

php

  • Author: kikadf
  • Vulnerable: 5.3.26-2arcturus4
  • Unaffected: 5.3.26-2arcturus5

It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service.

CVEs:

apache

  • Author: kikadf
  • Vulnerable: 2.2.23-3arcturus1
  • Unaffected: 2.2.23-3arcturus2

Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. Giancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. Marek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. Rainer Jung discovered that the mod_cgid module incorrectly handled certain scripts.

CVEs:

drupal6

  • Author: kikadf
  • Vulnerable: 6.32-1arcturus1
  • Unaffected: 6.33-1arcturus1

A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive.

CVEs: