From noreply at frugalware.org Mon Dec 4 16:14:32 2006
From: noreply at frugalware.org (voroskoi)
Date: Mon Dec 4 16:14:35 2006
Subject: [Frugalware-security] [ FSA-61 ] proftpd
Message-ID: <20061204151432.44CA0FA46FE@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-61

Date: 2006-12-04
Package: proftpd
Vulnerable versions: <= 1.3.0-2siwenna1
Unaffected versions: >= 1.3.0-3siwenna1
Related bugreport: http://bugs.frugalware.org/task/1461
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815

Description
===========

Evgeny Legerov has reported a vulnerability in ProFTPD, which potentially
can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an off-by-one error within the
"sreplace()" function in src/support.c. This can be exploited to cause a
buffer overflow by e.g. uploading a malicious ".message" file or sending
specially crafted commands to the server.

Successful exploitation may allow execution of arbitrary code.

Updated Packages
================

Check if you have proftpd installed:

    # pacman -Q proftpd

If found, then you should upgrade to the latest version:

    # pacman -Sy proftpd

From noreply at frugalware.org Mon Dec 4 17:15:33 2006
From: noreply at frugalware.org (voroskoi)
Date: Mon Dec 4 17:15:46 2006
Subject: [Frugalware-security] [ FSA-62 ] kile
Message-ID: <20061204161533.B9681FA46FF@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-62

Date: 2006-12-04
Package: kile
Vulnerable versions: <= 1.9.2-1
Unaffected versions: >= 1.9.3-1siwenna1
Related bugreport: http://bugs.frugalware.org/task/1493
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6085

Description
===========

A security issue has been reported in Kile, which can be exploited by
malicious, local users to gain knowledge of certain information.

The security issue is caused due to backup files being created with
default permissions even when the original file had more restrictive
permissions set. This can potentially disclose the contents of files
edited by other users.

Updated Packages
================

Check if you have kile installed:

    # pacman -Q kile

If found, then you should upgrade to the latest version:

    # pacman -Sy kile

From noreply at frugalware.org Tue Dec 5 23:39:59 2006
From: noreply at frugalware.org (voroskoi)
Date: Tue Dec 5 23:40:03 2006
Subject: [Frugalware-security] [ FSA-63 ] libgsf
Message-ID: <20061205223959.0D0AAFA4709@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-63

Date: 2006-12-05
Package: libgsf
Vulnerable versions: <= 1.14.1-3
Unaffected versions: >= 1.14.1-4siwenna1
Related bugreport: http://bugs.frugalware.org/task/1503
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4514

Description
===========

A vulnerability has been reported in libgsf, which potentially can be
exploited by malicious people to compromise an application using the
library.

The vulnerability is caused due to a boundary error within the
"ole_info_read_metabat()" function in gsf/gsf-infile-msole.c. This can be
exploited to cause a heap-based buffer overflow by e.g. tricking a user
into opening a specially crafted file in an application using the library.

Updated Packages
================

Check if you have libgsf installed:

    # pacman -Q libgsf

If found, then you should upgrade to the latest version:

    # pacman -Sy libgsf

From noreply at frugalware.org Tue Dec 5 23:58:41 2006
From: noreply at frugalware.org (voroskoi)
Date: Tue Dec 5 23:58:48 2006
Subject: [Frugalware-security] [ FSA-64 ] tar
Message-ID: <20061205225841.6E707FA470E@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-64

Date: 2006-12-05
Package: tar
Vulnerable versions: <= 1.15.1-4
Unaffected versions: >= 1.15.1-5siwenna1
Related bugreport: http://bugs.frugalware.org/task/1496
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6097

Description
===========

Teemu Salmela has reported a security issue in GNU tar, which can be
exploited by malicious people to overwrite arbitrary files.

The security issue is caused due to the "extract_archive()" function in
extract.c and the "extract_mangle()" function in mangle.c still processing
the deprecated "GNUTYPE_NAMES" record type containing symbolic links. This
can be exploited to overwrite arbitrary files by e.g. tricking a user into
unpacking a specially crafted tar file.

Updated Packages
================

Check if you have tar installed:

    # pacman -Q tar

If found, then you should upgrade to the latest version:

    # pacman -Sy tar

From noreply at frugalware.org Wed Dec 6 00:23:31 2006
From: noreply at frugalware.org (voroskoi)
Date: Wed Dec 6 00:23:36 2006
Subject: [Frugalware-security] [ FSA-65 ] kdegraphics
Message-ID: <20061205232331.E008CFA470C@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-65

Date: 2006-12-06
Package: kdegraphics
Vulnerable versions: <= 3.5.4-3
Unaffected versions: >= 3.5.4-4siwenna1
Related bugreport: http://bugs.frugalware.org/task/1507
CVE: There is no CVE for this issue, see:
     http://secunia.com/advisories/23203

Description
===========

A weakness has been reported in KDE, which can be exploited by malicious
people to cause a DoS (Denial of Service).

The weakness is caused due to an error within the JPEG kfile-info plugin
when parsing EXIF information. This can be exploited to cause an endless
recursion by e.g. tricking a user into opening a specially crafted file
with an application using the kfile-info plugin.

Updated Packages
================

Check if you have kdegraphics installed:

    # pacman -Q kdegraphics

If found, then you should upgrade to the latest version:

    # pacman -Sy kdegraphics

From noreply at frugalware.org Wed Dec 6 21:02:18 2006
From: noreply at frugalware.org (voroskoi)
Date: Wed Dec 6 21:02:21 2006
Subject: [Frugalware-security] [ FSA-66 ] gnupg
Message-ID: <20061206200218.2EA4EFA4707@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-66

Date: 2006-12-06
Package: gnupg
Vulnerable versions: <= 1.4.5-1
Unaffected versions: >= 1.4.5-2siwenna1
Related bugreport: http://bugs.frugalware.org/task/1497
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6169

Description
===========

Hugh Warrington has reported a vulnerability in GnuPG, which potentially
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the
"ask_outfile_name()" function in openfile.c, because the
"make_printable_string()" function can return a string longer than the
expected "NAMELEN". This can be exploited to cause a buffer overflow by
e.g. tricking a user into processing a specially crafted file using the
interactive mode.

Successful exploitation may allow the execution of arbitrary code, but
requires that the interactive mode is used. Applications using the batch
mode (e.g. most e-mail clients) are not affected.

Updated Packages
================

Check if you have gnupg installed:

    # pacman -Q gnupg

If found, then you should upgrade to the latest version:

    # pacman -Sy gnupg

From noreply at frugalware.org Wed Dec 6 21:09:38 2006
From: noreply at frugalware.org (voroskoi)
Date: Wed Dec 6 21:09:42 2006
Subject: [Frugalware-security] [ FSA-67 ] proftpd
Message-ID: <20061206200938.0CFD4FA470C@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-67

Date: 2006-12-06
Package: proftpd
Vulnerable versions: <= 1.3.0-3siwenna1
Unaffected versions: >= 1.3.0-4siwenna1
Related bugreport: http://bugs.frugalware.org/task/1499
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170

Description
===========

Evgeny Legerov has reported a vulnerability in the mod_tls module for
ProFTPD, which potentially can be exploited by malicious people to
compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"tls_x509_name_oneline()" function in contrib/mod_tls.c. This can be
exploited to cause a buffer overflow by sending specially crafted data to
a server.

Successful exploitation may allow execution of arbitrary code, but
requires that ProFTPD uses the mod_tls module.

Updated Packages
================

Check if you have proftpd installed:

    # pacman -Q proftpd

If found, then you should upgrade to the latest version:

    # pacman -Sy proftpd

From noreply at frugalware.org Wed Dec 6 21:15:14 2006
From: noreply at frugalware.org (voroskoi)
Date: Wed Dec 6 21:15:18 2006
Subject: [Frugalware-security] [ FSA-68 ] lha
Message-ID: <20061206201514.D2247FA470E@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-68

Date: 2006-12-06
Package: lha
Vulnerable versions: <= 114i-1
Unaffected versions: >= 1.14i_ac20050924p1-1siwenna1
Related bugreport: http://bugs.frugalware.org/task/1501
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338

Description
===========

Some vulnerabilities have been reported in LHa, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

1) An infinite loop within the "read_pt_len()", "read_c_len()",
"decode_c_st1()", and "decode_p_st1()" functions in huf.c can be exploited
to cause a DoS due to CPU consumption by e.g. tricking a user or automated
system into unpacking a specially crafted archive.

2) A buffer overflow and a boundary error within the "make_table()"
function in maketbl.c can be exploited to modify certain stack data and
cause a buffer overflow by e.g. tricking a user or automated system into
unpacking a specially crafted archive.

Updated Packages
================

Check if you have lha installed:

    # pacman -Q lha

If found, then you should upgrade to the latest version:

    # pacman -Sy lha

From noreply at frugalware.org Fri Dec 8 21:11:24 2006
From: noreply at frugalware.org (voroskoi)
Date: Fri Dec 8 21:11:31 2006
Subject: [Frugalware-security] [ FSA-69 ] evince
Message-ID: <20061208201124.886DFFA470E@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-69

Date: 2006-12-08
Package: evince
Vulnerable versions: <= 0.6.0-1
Unaffected versions: >= 0.6.0-2siwenna1
Related bugreport: http://bugs.frugalware.org/task/1500
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5864

Description
===========

A vulnerability has been discovered in Evince, which can be exploited by
malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the
"get_next_text()" function in ps/ps.c. This can be exploited to cause a
buffer overflow by e.g. tricking a user into opening a specially crafted
PostScript file.

Updated Packages
================

Check if you have evince installed:

    # pacman -Q evince

If found, then you should upgrade to the latest version:

    # pacman -Sy evince

From noreply at frugalware.org Fri Dec 8 21:16:41 2006
From: noreply at frugalware.org (voroskoi)
Date: Fri Dec 8 21:16:44 2006
Subject: [Frugalware-security] [ FSA-70 ] squirrelmail
Message-ID: <20061208201641.9EA68FA470F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-70

Date: 2006-12-08
Package: squirrelmail
Vulnerable versions: <= 1.4.8-1
Unaffected versions: >= 1.4.9-1siwenna1
Related bugreport: http://bugs.frugalware.org/task/1508
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6142

Description
===========

Some vulnerabilities have been reported in SquirrelMail, which can be
exploited by malicious people to conduct cross-site scripting and script
insertion attacks.

1) Input passed to certain parameters in webmail.php and compose.php in
the "draft", "compose", and "mailto" functionality is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

2) Input validation errors exist in the magicHTML filter when sanitising
HTML mails. This can be exploited to insert arbitrary HTML and script
code, which is executed in a user's browser session in context of an
affected site when the malicious data is viewed.

Successful exploitation of some of these errors requires that the target
user runs Microsoft Internet Explorer.

Updated Packages
================

Check if you have squirrelmail installed:

    # pacman -Q squirrelmail

If found, then you should upgrade to the latest version:

    # pacman -Sy squirrelmail

From noreply at frugalware.org Sat Dec 9 12:26:43 2006
From: noreply at frugalware.org (voroskoi)
Date: Sat Dec 9 12:26:58 2006
Subject: [Frugalware-security] [ FSA-71 ] xine-lib
Message-ID: <20061209112643.6E22AFA46FE@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-71

Date: 2006-12-09
Package: xine-lib
Vulnerable versions: <= 1.1.2-1
Unaffected versions: >= 1.1.3-1siwenna1
Related bugreport: http://bugs.frugalware.org/task/1509
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2200
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6172

Description
===========

Some vulnerabilities have been reported in xine-lib, which potentially can
be exploited by malicious people to compromise a user's system.

1) A vulnerability is caused due to a boundary error within the
"real_parse_sdp()" function in src/input/libreal/real.c. This can be
exploited to cause a buffer overflow by e.g. tricking a user into
connecting to a malicious server.

2) A buffer overflow exists in the libmms library:
Anon Sricharoenchai has discovered some vulnerabilities in MiMMS, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially to compromise a user's system.
The vulnerabilities are caused due to boundary errors within the
"get_header()" and "get_media_packet" functions when reading data from the
server. This can be exploited to cause stack-based buffer overflows and
may allow arbitrary code execution.

Updated Packages
================

Check if you have xine-lib installed:

    # pacman -Q xine-lib

If found, then you should upgrade to the latest version:

    # pacman -Sy xine-lib

From noreply at frugalware.org Sat Dec 9 20:43:18 2006
From: noreply at frugalware.org (voroskoi)
Date: Sat Dec 9 20:43:23 2006
Subject: [Frugalware-security] [ FSA-72 ] gnupg
Message-ID: <20061209194318.C1C02FA4700@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-72

Date: 2006-12-09
Package: gnupg
Vulnerable versions: <= 1.4.5-2siwenna1
Unaffected versions: >= 1.4.5-3siwenna1
Related bugreport: http://bugs.frugalware.org/task/1512
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235

Description
===========

Tavis Ormandy has reported a vulnerability in GnuPG, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the decryption of
malformed OpenPGP messages. This can be exploited to corrupt memory when
decrypting a specially crafted OpenPGP message.

Successful exploitation allows execution of arbitrary code.

Updated Packages
================

Check if you have gnupg installed:

    # pacman -Q gnupg

If found, then you should upgrade to the latest version:

    # pacman -Sy gnupg

From noreply at frugalware.org Sat Dec 9 20:47:53 2006
From: noreply at frugalware.org (voroskoi)
Date: Sat Dec 9 20:47:56 2006
Subject: [Frugalware-security] [ FSA-73 ] madwifi-ng
Message-ID: <20061209194753.62D88FA4700@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-73

Date: 2006-12-09
Package: madwifi-ng
Vulnerable versions: <= r1491_20060404-9
Unaffected versions: >= 0.9.2.1-1
Related bugreport: http://bugs.frugalware.org/task/1513
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332

Description
===========

Laurent Butti, Jerome Raznieski, and Julien Tinnes have reported a
vulnerability in MadWifi, which can be exploited by malicious people to
compromise a vulnerable system.

The vulnerability is caused due to a boundary error and can be exploited
to cause a buffer overflow, which allows execution of arbitrary code with
kernel privileges.

Updated Packages
================

Check if you have madwifi-ng installed:

    # pacman -Q madwifi-ng

If found, then you should upgrade to the latest version:

    # pacman -Sy madwifi-ng

From noreply at frugalware.org Sun Dec 10 18:15:14 2006
From: noreply at frugalware.org (voroskoi)
Date: Sun Dec 10 18:15:20 2006
Subject: [Frugalware-security] [ FSA-74 ] denyhosts
Message-ID: <20061210171514.B5CBBFA4704@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-74

Date: 2006-12-10
Package: denyhosts
Vulnerable versions: <= 2.5-2
Unaffected versions: >= 2.6-1siwenna1
Related bugreport: http://bugs.frugalware.org/task/1517
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6301

Description
===========

Tavis Ormandy has discovered a vulnerability in DenyHosts, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the parsing of log files
before adding an entry in /etc/hosts.deny. This can be exploited to add
arbitrary IP addresses to /etc/hosts.deny resulting in a DoS for that IP.

Updated Packages
================

Check if you have denyhosts installed:

    # pacman -Q denyhosts

If found, then you should upgrade to the latest version:

    # pacman -Sy denyhosts

From noreply at frugalware.org Thu Dec 28 13:50:04 2006
From: noreply at frugalware.org (voroskoi)
Date: Thu Dec 28 13:50:10 2006
Subject: [Frugalware-security] [ FSA-76 ] kernel
Message-ID: <20061228125004.EF11BFA488F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-76

Date: 2006-12-28
Package: kernel
Vulnerable versions: <= 2.6.17-6siwenna3
Unaffected versions: >= 2.6.17-6siwenna5
Related bugreport: http://bugs.frugalware.org/task/1514
                   http://bugs.frugalware.org/task/1562
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4572
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5173
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5757
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6333
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3741
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4997

Description
===========

Various kernel security bugs.

We have also released a 2.6.17-6siwenna4, but we have fixed another bug on
the same day, that's why there was no FSA.

Updated Packages
================

Check if you have kernel installed:

    # pacman -Q kernel

If found, then you should upgrade to the latest version:

    # pacman -Sy kernel

From noreply at frugalware.org Thu Dec 28 22:59:29 2006
From: noreply at frugalware.org (voroskoi)
Date: Thu Dec 28 22:59:32 2006
Subject: [Frugalware-security] [ FSA-77 ] php
Message-ID: <20061228215929.9EE66528368@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-77

Date: 2006-12-28
Package: php
Vulnerable versions: <= 5.1.6-3siwenna1
Unaffected versions: >= 5.1.6-4siwenna1
Related bugreport: http://bugs.frugalware.org/task/1259
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178

Description
===========

Stefan Esser has reported a vulnerability in PHP, which can be exploited
by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to a race condition in the handling of
symlinks and can be exploited to bypass the open_basedir protection
mechanism.

Updated Packages
================

Check if you have php installed:

    # pacman -Q php

If found, then you should upgrade to the latest version:

    # pacman -Sy php
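
The race in FSA-77 is of the check-then-use kind: a path name is validated, and a symlink can change before the name is used. The Python below is an added illustration, not PHP's or Frugalware's code; it confines opens to a base directory by walking the path one component at a time with O_NOFOLLOW, relative to the parent's descriptor. The names open_beneath and demo and the temporary file tree are constructed for this example (POSIX only).

```python
import os
import stat
import tempfile


def open_beneath(base_dir, rel_path):
    """Open rel_path for reading under base_dir, refusing every symlink.

    A realpath()-then-open() check leaves a window in which a component can
    be replaced by a symlink. Here each component is opened relative to the
    descriptor of its parent with O_NOFOLLOW, so checking and using a
    component are one kernel operation. base_dir itself is trusted
    (administrator-configured) and is opened normally.
    """
    # A leading "/" is dropped, so absolute input is treated as relative.
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path leaves base directory: %r" % rel_path)

    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            # Fails (ELOOP or ENOTDIR) if 'name' is a symlink or not a directory.
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        # Fails with ELOOP if the final component is a symlink.
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

    # Verify the object actually opened, not the name it was reached by.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("not a regular file: %r" % rel_path)
    return fd


def demo():
    """Build a constructed tree and return {relative path: content or None}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(base, "docs"))
        os.makedirs(outside)
        with open(os.path.join(base, "docs", "a.txt"), "w") as f:
            f.write("inside")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("outside")
        # Constructed links that point out of the base directory.
        os.symlink(os.path.join(outside, "secret.txt"),
                   os.path.join(base, "link.txt"))
        os.symlink(outside, os.path.join(base, "linkdir"))

        for rel in ("docs/a.txt", "link.txt", "linkdir/secret.txt",
                    "../outside/secret.txt"):
            try:
                with os.fdopen(open_beneath(base, rel)) as f:
                    results[rel] = f.read()
            except OSError:  # PermissionError is a subclass of OSError
                results[rel] = None
    return results


if __name__ == "__main__":
    for path, content in demo().items():
        print(path, "->", content if content is not None else "refused")
```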