Frugalware Security Announcements (FSAs)
This is a list of security announcments that have been released for the current stable version of Frugalware
Author: kikadf Vulnerable: 5.14-6 Unaffected: 5.14-7rigel1 Thomas Jarosch discovered that file incorrectly handled certain ELF files. Thomas Jarosch discovered that file incorrectly limited recursion.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117
Author: kikadf Vulnerable: 1.12.2-2 Unaffected: 1.12.3-1rigel1 Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code. Incorrect memory management in kadmind’s processing of XDR data might result in denial of service or the execution of arbitrary code. Incorrect processing of two-component server principals might result in impersonation attacks. An information leak in the libgssrpc library.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423
Author: kikadf Vulnerable: 4.2.8-1 Unaffected: 4.2.8-2rigel1 Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (ntpd crash). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed.
Author: kikadf Vulnerable: 5.5.18-2 Unaffected: 5.5.22-1rigel1 Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. Stefan Esser discovered that PHP incorrectly handled unserializing objects. Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
Author: kikadf Vulnerable: 9.9.6-1 Unaffected: 9.9.6-2rigel1 Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator’s part, or due to interference with network traffic by an attacker.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349
Author: kikadf Vulnerable: 2.19-4 Unaffected: 2.19-5rigel1 The vfprintf function in stdio-common/vfprintf.c in GNU C Library does not “properly restrict the use of” the alloca function when allocating the SPECS array. The getnetbyname function in glibc 2.21 or earlier will enter an infinite loop if the DNS backend is activated in the system Name Service Switch configuration, and the DNS resolver receives a positive answer while processing the network name. Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
Author: kikadf Vulnerable: 3.6.24-2 Unaffected: 3.6.25-1rigel1 Richard van Eeden of Microsoft Vulnerability Research discovered that Samba, a SMB/CIFS file, print, and login server for Unix, contains a flaw in the netlogon server code which allows remote code execution with root privileges from an unauthenticated connection.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240
Author: kikadf Vulnerable: 2.16.0-4arcturus2 Unaffected: 2.16.0-4arcturus3 Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
Author: kikadf Vulnerable: 2.11-2 Unaffected: 2.11-3arcturus1 Michal Zalewski discovered an out of bounds write issue in cpio, a tool for creating and extracting cpio archive files.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
Author: kikadf Vulnerable: 3.10-1 Unaffected: 3.10-2arcturus1 Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in Python-YAML, a YAML parser and emitter for Python.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130