Frugalware Security Announcements (FSAs)

Author: kikadf Vulnerable: 3.4-1 Unaffected: 3.4-2arcturus1 Robert Kisteleki discovered a potential privilege escalation in daemon mode. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240

Author: kikadf Vulnerable: 5.3.26-2arcturus1 Unaffected: 5.3.26-2arcturus2 The default PHP FPM socket permission has been changed from 0666 to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP FPM that allowed any local user to run a PHP code under the active user of FPM process via crafted FastCGI client. Denial of service in the CDF parser of the fileinfo module. (CVE-2014-0237,0238) Denial of service in the fileinfo module. (CVE-2014-2270)

Author: kikadf Vulnerable: 2.3-1 Unaffected: 2.3.5-1arcturus1 It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacked could potentially exploit this to conduct cross-site scripting (XSS) attacks. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146

Author: kikadf Vulnerable: 1.11.2-2arcturus1 Unaffected: 1.11.2-2arcturus2 It was discovered that libgadu incorrectly handled certain messages from file relay servers. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775

Author: kikadf Vulnerable: 2.10.7-2arcturus2 Unaffected: 2.10.7-2arcturus3 It was discovered that Pidgin incorrectly handled certain messages from Gadu-Gadu file relay servers. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775

Author: kikadf Vulnerable: 3.2.6-2arcturus1 Unaffected: 3.2.6-2arcturus2 The actionview/lib/action_view/helpers/number_helper.rb contains multiple cross-site scripting vulnerabilities. The actionpack/lib/action_view/template/text.rb performs symbol interning on MIME type strings, allowing remote denial-of-service attacks via increased memory consumption. A directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb allows remote attackers to read arbitrary files. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130

Author: kikadf Vulnerable: 2.1.8-2 Unaffected: 2.1.8-3arcturus1 It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430

Author: kikadf Vulnerable: 2.8.0-1 Unaffected: 2.8.0-2arcturus1 It was discovered that libxml2 had a heap-based buffer underflow when parsing entities. It was discovered that libxml2 would load XML external entities by default. It was discovered that libxml2 incorrectly handled documents that end abruptly. Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191

Author: kikadf Vulnerable: 1.5.2-2arcturus1 Unaffected: 1.5.2-2arcturus2 Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418

Author: James Buren Vulnerable: 3.10-6 Unaffected: 3.10-7 Jiri Slaby discovered a race condition in the pty layer, which could lead to denial of service or privilege escalation. Matthew Daley discovered that missing input sanitising in the FDRAWCMD ioctl and an information leak could result in privilege escalation. Incorrect reference counting in the ping_init_sock() function allows denial of service or privilege escalation. Incorrect locking of memory can result in local denial of service.