Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

Author: kikadf
Vulnerable: 7.22-2arcturus3
Unaffected: 7.22-2arcturus4
A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5267

Author: kikadf
Vulnerable: 1.3.1-5
Unaffected: 1.3.1-6arcturus1
Tomáš Trnka discovered a heap-based buffer overflow within the gpgsm status handler of GPGME, a library designed to make access to GnuPG easier for applications. An attacker could use this issue to cause an application using GPGME to crash (denial of service) or possibly to execute arbitrary code.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564

Author: kikadf
Vulnerable: 4.11.1-1
Unaffected: 4.11.1-2arcturus1
Sebastian Krahmer discovered that KAuth used PolicyKit insecurely by relying on the process ID to identify the caller. This could result in privilege escalation.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5033

Author: kikadf
Vulnerable: 1.10.1-1
Unaffected: 1.10.1-2arcturus1
An unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references, either by making the application read beyond the end of a buffer or by causing a null pointer dereference.

Author: kikadf
Vulnerable: 2.0.6-1
Unaffected: 2.0.6-1arcturus1
Don A. Bailey from Lab Mouse Security discovered an integer overflow flaw in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607

Author: kikadf
Vulnerable: 1.0.1-5arcturus5
Unaffected: 1.0.1-5arcturus6
Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak, or protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139

Author: kikadf
Vulnerable: 1.2.1-1
Unaffected: 1.2.1-2arcturus1
Ben Reser discovered that serf did not correctly handle SSL certificates with NUL bytes in the CommonName or SubjectAltNames fields.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504

Author: kikadf
Vulnerable: 0.2.3.25-2
Unaffected: 0.2.4.23-1arcturus1
Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5117

Author: kikadf
Vulnerable: 1.8.13-1arcturus1
Unaffected: 1.8.15-1arcturus1
Multiple vulnerabilities were discovered in the dissectors for Catapult DCT2000, IrDA, GSM Management, RLC and ASN.1 BER, which could result in denial of service.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5165

Author: kikadf
Vulnerable: 3.9-1arcturus1
Unaffected: 3.9.2-1arcturus1
Multiple security issues have been discovered in WordPress, a web blogging tool, resulting in denial of service or information disclosure.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5266