Frugalware Security Announcements (FSAs)

Author: kikadf Vulnerable: 2.7.5-2arcturus1 Unaffected: 2.7.5-2arcturus2 The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650

Author: kikadf Vulnerable: 3.3.0-2 Unaffected: 3.3.0-3arcturus1 The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650

Author: kikadf Vulnerable: 2012_10_13-1 Unaffected: 2014_09_29-1arcturus1 Two vulnerabilities have been discovered in dokuwiki. Access control in the media manager was insufficiently restricted and authentication could be bypassed when using Active Directory for LDAP authentication. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8764

Author: kikadf Vulnerable: 5.3.26-2arcturus6 Unaffected: 5.3.26-2arcturus7 Symeon Paraschoudis discovered that PHP incorrectly handled the mkgmtime function. Symeon Paraschoudis discovered that PHP incorrectly handled unserializing objects. Otto Ebeling discovered that PHP incorrectly handled the exif_thumbnail function. Francisco Alonso that PHP incorrectly handled ELF files in the fileinfo extension. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710

Author: kikadf Vulnerable: 1.5.2-3arcturus6 Unaffected: 1.5.2-3arcturus7 A flaw was found in the way guest provided parameter validation was performed in vmware-vga driver in rectangle handling functionality. bits_per_pixel that are less than 8 could result in accessing non-initialized buffers later in the code due to the expectation that bytes_per_pixel value that is used to initialize these buffers is never zero. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815

Author: kikadf Vulnerable: 2.8.0-2arcturus1 Unaffected: 2.8.0-2arcturus2 Sogeti found a denial of service flaw in libxml2, a library providing support to read, modify and write XML and HTML files. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660

Author: kikadf Vulnerable: 1.13.4-2 Unaffected: 1.13.4-3arcturus1 HD Moore discovered that Wget contained a path traversal vulnerability when downloading symlinks using FTP. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877

Author: kikadf Vulnerable: 5.14-2arcturus4 Unaffected: 5.14-2arcturus5 An out-of-bounds read flaw was found in file’s donote() function in the way the file utility determined the note headers of a elf file. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710

Author: kikadf Vulnerable: 1.4-3 Unaffected: 1.4-4arcturus1 The ECB Blowfish decryption function assumed that encrypted input would always come in blocks of 12 characters, as specified. However, buggy clients or annoying people may not adhere to that assumption, causing the core to crash while trying to process the invalid base64 input. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8483

Author: kikadf Vulnerable: 0.8.0-2 Unaffected: 0.8.0-3arcturus1 The ECB Blowfish decryption function assumed that encrypted input would always come in blocks of 12 characters, as specified. However, buggy clients or annoying people may not adhere to that assumption, causing the core to crash while trying to process the invalid base64 input. CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8483