Frugalware Security Announcements (FSAs)

This is a list of security announcments that have been released for the current stable version of Frugalware

sox

Author: kikadf Vulnerable: 14.3.2-1 Unaffected: 14.3.2-2arcturus1 Michele Spagnuolo of the Google Security Team dicovered two heap-based buffer overflows in SoX, the Swiss Army knife of sound processing programs. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145

unzip

Author: kikadf Vulnerable: 6.0-2 Unaffected: 6.0-3arcturus1 Michele Spagnuolo of the Google Security Team discovered that unzip, an extraction utility for archives compressed in .zip format, is affected by heap-based buffer overflows within the CRC32 verification function (CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the getZip64Data() function (CVE-2014-8141), which may lead to the execution of arbitrary code. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141

jasper

Author: kikadf Vulnerable: 1.900.1-6arcturus1 Unaffected: 1.900.1-6arcturus2 Jose Duart of the Google Security Team discovered a double free flaw (CVE-2014-8137) and a heap-based buffer overflow flaw (CVE-2014-8138) in JasPer, a library for manipulating JPEG-2000 files. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138

mailx

Author: kikadf Vulnerable: 12.4-4 Unaffected: 12.4-5arcturus1 Mailx interprets shell meta-characters in certain email addresses. An unexpected feature of mailx treats syntactically valid email addresses as shell commands to execute. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844

ntp

Author: kikadf Vulnerable: 4.2.6p5-3arcturus1 Unaffected: 4.2.6p5-3arcturus2 ntpd generated a weak key for its internal use, with full administrative privileges. The ntp-keygen utility generated weak MD5 keys with insufficient entropy. ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code. The general packet processing function in ntpd did not handle an error case correctly.

denyhosts

Author: kikadf Vulnerable: 2.6-5 Unaffected: 2.6-6arcturus1 Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6890

libyaml

Author: kikadf Vulnerable: 0.1.4-3arcturus2 Unaffected: 0.1.4-3arcturus3 Jonathan Gray and Stanislaw Pitucha found an assertion failure in the way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and emitter library. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130

mediawiki

Author: kikadf Vulnerable: 1.19.20-1arcturus1 Unaffected: 1.19.22-1arcturus1 A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy mangling allows an article editor to inject code into API consumers that deserialize PHP representations of the page from the API. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9277

bind

Author: kikadf Vulnerable: 9.9.4-1arcturus1 Unaffected: 9.9.6-1arcturus1 Florian Maury discovered that Bind incorrectly handled delegation. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

graphviz

Author: kikadf Vulnerable: 2.28.0-2arcturus2 Unaffected: 2.28.0-2arcturus3 It was discovered that graphviz incorrectly handled parsing errors. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157