Frugalware Security Announcements (FSAs)

Author: kikadf Vulnerable: 2.16.0-3 Unaffected: 2.16.0-4arcturus1 A directory traveral flaw was found in the way glibc loaded locale files. Tavis Ormandy reported an off-by-one error leading to a heap-based buffer overflow flaw in glibc’s __gconv_translit_find() function. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119

Author: kikadf Vulnerable: 1.0.0-1 Unaffected: 1.0.0-2arcturus1 Cross-domain websocket hijacking vulnerability. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429

Author: kikadf Vulnerable: 1.5.2-2arcturus2 Unaffected: 1.5.9-1arcturus1 Florian Apolloner discovered that in certain situations, URL reversing could generate scheme-relative URLs which could unexpectedly redirect a user to a different host, leading to phishing attacks. David Wilson reported a file upload denial of service vulnerability. David Greisen discovered that under some circumstances, the use of the RemoteUserMiddleware middleware and the RemoteUserBackend authentication backend could result in one user receiving another user’s session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions.

Author: kikadf Vulnerable: 1.1.7-5arcturus1 Unaffected: 1.1.7-5arcturus2 Andrew Drake discovered that missing input sanitising in the icns decoder of the Python Imaging Library could result in denial of service if a malformed image is processed. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589

Author: kikadf Vulnerable: 1.19.16-1arcturus1 Unaffected: 1.19.18-1arcturus1 It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5241 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5243

Author: kikadf Vulnerable: 2.4.5-3 Unaffected: 2.4.5-4arcturus1 Integer overflow in option parsing. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158

Author: kikadf Vulnerable: 0.8.8b-2arcturus1 Unaffected: 0.8.8b-2arcturus2 Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5043 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5261 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5262

Author: kikadf Vulnerable: 5.3.26-2arcturus4 Unaffected: 5.3.26-2arcturus5 It was discovered that the CDF parser of the fileinfo module does not properly process malformed files in the Composite Document File (CDF) format, leading to crashes. It was discovered that PHP incorrectly handled certain SPL Iterators. A local attacker could use this flaw to cause PHP to crash, resulting in a denial of service. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670

Author: kikadf Vulnerable: 2.2.23-3arcturus1 Unaffected: 2.2.23-3arcturus2 Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. Giancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. Marek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. Rainer Jung discovered that the mod_cgid module incorrectly handled certain scripts. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231

Author: kikadf Vulnerable: 6.32-1arcturus1 Unaffected: 6.33-1arcturus1 A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5267