file
- Author: kikadf
- Vulnerable: 5.14-6
- Unaffected: 5.14-7rigel1
Thomas Jarosch discovered that file incorrectly handled certain ELF files. Thomas Jarosch discovered that file incorrectly limited recursion.
Frugalware Security Announcements (FSAs)
This is a list of security announcments that have been released for the current stable version of Frugalware
krb5
- Author: kikadf
- Vulnerable: 1.12.2-2
- Unaffected: 1.12.3-1rigel1
Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code. Incorrect memory management in kadmind’s processing of XDR data might result in denial of service or the execution of arbitrary code. Incorrect processing of two-component server principals might result in impersonation attacks. An information leak in the libgssrpc library.
CVEs:
ntp
- Author: kikadf
- Vulnerable: 4.2.8-1
- Unaffected: 4.2.8-2rigel1
Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (ntpd crash). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed.
php
- Author: kikadf
- Vulnerable: 5.5.18-2
- Unaffected: 5.5.22-1rigel1
Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. Stefan Esser discovered that PHP incorrectly handled unserializing objects. Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images.
CVEs:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
bind
- Author: kikadf
- Vulnerable: 9.9.6-1
- Unaffected: 9.9.6-2rigel1
Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator’s part, or due to interference with network traffic by an attacker.
CVEs:
glibc
- Author: kikadf
- Vulnerable: 2.19-4
- Unaffected: 2.19-5rigel1
The vfprintf function in stdio-common/vfprintf.c in GNU C Library does not “properly restrict the use of” the alloca function when allocating the SPECS array. The getnetbyname function in glibc 2.21 or earlier will enter an infinite loop if the DNS backend is activated in the system Name Service Switch configuration, and the DNS resolver receives a positive answer while processing the network name. Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
samba
- Author: kikadf
- Vulnerable: 3.6.24-2
- Unaffected: 3.6.25-1rigel1
Richard van Eeden of Microsoft Vulnerability Research discovered that Samba, a SMB/CIFS file, print, and login server for Unix, contains a flaw in the netlogon server code which allows remote code execution with root privileges from an unauthenticated connection.
CVEs:
glibc
- Author: kikadf
- Vulnerable: 2.16.0-4arcturus2
- Unaffected: 2.16.0-4arcturus3
Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument.
CVEs:
cpio
- Author: kikadf
- Vulnerable: 2.11-2
- Unaffected: 2.11-3arcturus1
Michal Zalewski discovered an out of bounds write issue in cpio, a tool for creating and extracting cpio archive files.
CVEs:
pyyaml
- Author: kikadf
- Vulnerable: 3.10-1
- Unaffected: 3.10-2arcturus1
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python.