Frugalware Security Announcements (FSAs)
This is a list of security announcments that have been released for the current stable version of Frugalware
Author: kikadf Vulnerable: 7.26.0-2arcturus1 Unaffected: 7.26.0-2arcturus2 Paras Sethia and Yehezkel Horowitz discovered that libcurl incorrectly reused connections when NTLM authentication was being used. This could lead to the use of unintended credentials, possibly exposing sensitive information.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
Author: kikadf Vulnerable: 3.2.0-3 Unaffected: 3.2.0-4arcturus1 Just Ferguson discovered that libotr, an off-the-record (OTR) messaging library, can be forced to perform zero-length allocations for heap buffers that are used in base64 decoding routines. An attacker can exploit this flaw by sending crafted messages to an application that is using libotr to perform denial of service attacks or potentially execute arbitrary code.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3461
Author: kikadf Vulnerable: 0.1.4-2 Unaffected: 0.1.4-3arcturus1 Florian Weimer discovered that LibYAML incorrectly handled certain large yaml documents. An attacker could use this issue to cause LibYAML to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2013-6393
Author: kikadf Vulnerable: 1.5.2-2 Unaffected: 1.5.2-3arcturus2 Asias He discovered that QEMU incorrectly handled SCSI controllers with more than 256 attached devices. A local user could possibly use this flaw to elevate privileges. (CVE-2013-4344) It was discovered that QEMU incorrectly handled Xen disks. A local guest could possibly use this flaw to consume resources, resulting in a denial of service. (CVE-2013-4375) Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service.
Author: kikadf Vulnerable: 7.26.0-1 Unaffected: 7.26.0-2arcturus1 CVE-2013-0249: It was discovered that curl incorrectly handled SASL authentication when communicating over POP3, SMTP or IMAP. CVE-2013-1944: Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. CVE-2013-2174: Timo Sirainen discovered that cURL, an URL transfer library, is prone to a heap overflow vulnerability due to bad checking of the input data in the curl_easy_unescape function.
Author: kikadf Vulnerable: 1.4.14-1 Unaffected: 1.4.14-2arcturus1 Daniel Kahn Gillmor discovered that GnuPG treated keys with empty usage flags as being valid for all usages. (CVE-2013-4351) Taylor R Campbell discovered that GnuPG incorrectly handled certain OpenPGP messages. (CVE-2013-4402) Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via acoustic emanations. (CVE-2013-4576)
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
Author: kikadf Vulnerable: 1.6.1-2 Unaffected: 1.6.1-3arcturus1 Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, bypassing access restrictions.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6891
Author: kikadf Vulnerable: 3.5.25.2-1 Unaffected: 3.5.25.2-2arcturus1 It was discovered that djvulibre, the Open Source DjVu implementation project, can be crashed or possibly make it execute arbitrary code when processing a specially crafted djvu file.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6535
Author: kikadf Vulnerable: 2.28.0-1 Unaffected: 2.28.0-2arcturus2 CVE-2014-0978: It was discovered that user-supplied input used in the yyerror() function in lib/cgraph/scan.l is not bound-checked before beeing copied into an insufficiently sized memory buffer. A context-dependent attacker could supply a specially crafted input file containing a long line to cause a stack-based buffer overlow, resulting in a denial of service (application crash) or potentially allowing the execution of arbitrary code. CVE-2014-1236: Sebastian Krahmer reported an overflow condition in the chkNum() function in lib/cgraph/scan.
Author: kikadf Vulnerable: 4.9.2-3 Unaffected: 4.9.2-4arcturus1 It was discovered that NSPR, Netscape Portable Runtime library, could crash an application using the library when parsing a certificate that causes an integer overflow. This flaw only affects 64-bit systems.
CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
