Frugalware Security Announcements (FSAs)

Author: kikadf Vulnerable: 1.2.1-3 Unaffected: 1.2.1-4arcturus1 Michele Spagnuolo, of Google Security Team, and Miroslav Lichvar, of Red Hat, discovered two issues in flac, a library handling Free Lossless Audio Codec media: by providing a specially crafted FLAC file, an attacker could execute arbitrary code. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028

Author: kikadf Vulnerable: 4.4.0-2arcturus1 Unaffected: 4.4.0-2arcturus2 Buffer overflow in the PPP dissector. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9140

Author: kikadf Vulnerable: 2.1.3-7arcturus1 Unaffected: 2.1.3-7arcturus2 Dragana Damjanovic discovered that an authenticated client could crash an OpenVPN server by sending a control packet containing less than four bytes as payload. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104

Author: kikadf Vulnerable: 0.98.1-1arcturus1 Unaffected: 0.98.5-1arcturus1 Kurt Seifried discovered that ClamAV incorrectly handled certain JavaScript files. Damien Millescamp discovered that ClamAV incorrectly handled certain PE files. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050

Author: kikadf Vulnerable: 1.8.15-1arcturus1 Unaffected: 1.8.15-1arcturus2 Multiple vulnerabilities were discovered in the dissectors/parsers for SigComp UDVM, AMQP, NCP and TN5250, which could result in denial of service. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8713 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8714

Author: kikadf Vulnerable: 6.33-1arcturus1 Unaffected: 6.34-1arcturus1 Aaron Averill discovered that a specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session. Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016

Author: kikadf Vulnerable: 7.22-2arcturus5 Unaffected: 7.22-2arcturus6 Aaron Averill discovered that a specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session. Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016

Author: kikadf Vulnerable: 1.9.2-2 Unaffected: 1.9.2-3arcturus1 Off-by-one error in the encodes function in pack.c, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. Tomas Hoger discovered that Ruby incorrectly handled XML entity expansion. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090

Author: kikadf Vulnerable: 4.4.0-1 Unaffected: 4.4.0-2arcturus1 Tcpdump program crash was reported when processing a malformed OLSR payload. The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bound accesses. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8769

Author: kikadf Vulnerable: 1.3.18-1 Unaffected: 1.3.18-2arcturus1 Buffer overflow when handling PSD images. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947