Frugalware Security Announcements (FSAs)
This is a list of security announcements that have been released for the current stable version of Frugalware.
Author: kikadf
Vulnerable: 5.3.26-2arcturus3
Unaffected: 5.3.26-2arcturus4
Francisco Alonso of the Red Hat Security Response Team reported four issues: an incorrect boundary check in the cdf_read_short_sector() function, a flaw in the way the truncated Pascal string size is computed in the mconvert() function, an incorrect boundary check in the cdf_check_stream_offset() function, and an insufficient boundary check in the cdf_count_chain() function.
Author: kikadf
Vulnerable: 2.0.8-2
Unaffected: 2.0.8-3arcturus1
Multiple buffer overflows have been found in the VideoLAN media player. Processing malformed subtitles or movie files could lead to denial of service and potentially the execution of arbitrary code.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4388
Author: kikadf
Vulnerable: 0.8.8b-1
Unaffected: 0.8.8b-2arcturus1
Multiple security issues (cross-site scripting, cross-site request forgery, SQL injection, missing input sanitising) have been found in Cacti, a web frontend for RRDTool.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002
Author: kikadf
Vulnerable: 1.6.8-9
Unaffected: 1.6.8-10arcturus1
Alban Crequy at Collabora Ltd. discovered that dbus-daemon sends an AccessDenied error to the service instead of to the client when the client is prohibited from accessing the service. Alban Crequy at Collabora Ltd. also discovered a bug in dbus-daemon's support for file descriptor passing. Alban Crequy at Collabora Ltd. and Alejandro Martínez Suárez discovered that a malicious process could force services to be disconnected from the D-Bus system bus by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process, leading to a denial of service.
Author: kikadf
Vulnerable: 1.4.14-2arcturus1
Unaffected: 1.4.14-2arcturus2
Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
Author: kikadf
Vulnerable: 2.0.20-1
Unaffected: 2.0.20-2arcturus1
Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
Author: kikadf
Vulnerable: 24.4.0-1arcturus1
Unaffected: 24.6.0-1arcturus1
Multiple security issues have been found in the Mozilla Thunderbird mail and news client: multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
Author: kikadf
Vulnerable: 0.9-1
Unaffected: 0.9-2arcturus2
Florian Weimer discovered that json-c incorrectly handled buffer lengths.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
Author: kikadf
Vulnerable: 1.18.1-1
Unaffected: 1.19.16-1arcturus1
Omer Iqbal discovered that MediaWiki, a wiki engine, parses invalid usernames on Special:PasswordReset as wikitext when $wgRawHtml is enabled. On such wikis this allows an unauthenticated attacker to insert malicious JavaScript, a cross-site scripting attack.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3966
Author: kikadf
Vulnerable: 5.3.26-2arcturus2
Unaffected: 5.3.26-2arcturus3
Stefan Esser discovered that PHP incorrectly handled DNS TXT records.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049