From noreply at frugalware.org Sun Nov 5 21:13:16 2006 From: noreply at frugalware.org (voroskoi) Date: Sun Nov 5 21:13:20 2006 Subject: [Frugalware-security] [ FSA-35 ] wireshark Message-ID: <20061105201316.5082EFA466F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-35 Date: 2006-11-05 Package: wireshark Vulnerable versions: <= 0.99.3a-1 Unaffected versions: >= 0.99.4-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1376 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4574 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5595 Description =========== Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). Errors within the HTTP, LDAP, XOT, WBXML, and MIME parsers can be exploited to cause a crash or consume large amounts of memory when parsing a specially crafted packet that is either captured off the wire or loaded via a capture file. Updated Packages ================ Check if you have wireshark installed: # pacman -Q wireshark If found, then you should upgrade to the latest version: # pacman -Sy wireshark -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFTkXcZ7NElSD1VhkRAmj+AJ9PAkWnXaBUagDOiwXVCe9oZSv4sgCfQsK6 PSm4x8VVwAco2IsH028DyNM= =racu -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 6 10:38:02 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 6 10:38:06 2006 Subject: [Frugalware-security] [ FSA-36 ] mutt Message-ID: <20061106093802.62F85FA4685@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-36 Date: 2006-11-06 Package: mutt Vulnerable versions: <= 1.4.2.2-1 Unaffected versions: >= 1.4.2.2-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1399 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5298 Description =========== Some weaknesses have been reported in mutt, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. 1) The "safe_open()" function insecurely creates temporary files on NFS directories, because the O_EXEC flag is not always correctly honored. This may be exploited to overwrite arbitrary files. 2) A race condition exists within the "mutt_adv_mktemp()" function between calling "mktemp()" and "safe_fopen()". This may be exploited to create files with weak permissions. Updated Packages ================ Check if you have mutt installed: # pacman -Q mutt If found, then you should upgrade to the latest version: # pacman -Sy mutt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFTwJ6Z7NElSD1VhkRAibHAJsF9pVNL7PJE4rG5bEhD9VSlcGtJgCggh8k 1UuWlRg+d84ZkzmsZF3NDZg= =1DsR -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 6 10:42:28 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 6 10:42:32 2006 Subject: [Frugalware-security] [ FSA-37 ] mutt-devel Message-ID: <20061106094228.BA5CAFA4688@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-37 Date: 2006-11-06 Package: mutt-devel Vulnerable versions: <= 1.5.12-1 Unaffected versions: >= 1.5.12-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1399 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5297 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5298 Description =========== Some weaknesses have been reported in mutt, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. 1) The "safe_open()" function insecurely creates temporary files on NFS directories, because the O_EXEC flag is not always correctly honored. This may be exploited to overwrite arbitrary files. 2) A race condition exists within the "mutt_adv_mktemp()" function between calling "mktemp()" and "safe_fopen()". This may be exploited to create files with weak permissions. Updated Packages ================ Check if you have mutt-devel installed: # pacman -Q mutt-devel If found, then you should upgrade to the latest version: # pacman -Sy mutt-devel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD4DBQFFTwOEZ7NElSD1VhkRAlTuAJdaX9TMwTsdCcHRKmYhkAYiWu4BAJ9i39eu JOFefS8UWnQNJ6tkkTOKbw== =KzZN -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 6 10:48:40 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 6 10:48:44 2006 Subject: [Frugalware-security] [ FSA-38 ] libx11 Message-ID: <20061106094840.90540FA4687@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-38 Date: 2006-11-06 Package: libx11 Vulnerable versions: <= 1.0.3-1 Unaffected versions: >= 1.0.3-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1416 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5397 Description =========== Kees Cook has reported a vulnerability in libX11, which can be exploited by malicious, local users to disclose potentially sensitive information. The vulnerability is caused due to a file descriptor leak in the Xinput module, which can be exploited to disclose the content of certain files. Updated Packages ================ Check if you have libx11 installed: # pacman -Q libx11 If found, then you should upgrade to the latest version: # pacman -Sy libx11 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFTwT4Z7NElSD1VhkRAgnlAJ9/49GzgcQeyLWQteB3eMkks9535gCeMZxg K1DpC/H4uM4ZZAPKeNYAdNg= =jkfN -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 6 10:53:50 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 6 10:53:54 2006 Subject: [Frugalware-security] [ FSA-39 ] php Message-ID: <20061106095350.8B09EFA4688@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-39 Date: 2006-11-06 Package: php Vulnerable versions: <= 5.1.6-2siwenna1 Unaffected versions: >= 5.1.6-3siwenna1 Related bugreport: http://bugs.frugalware.org/task/1419 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465 Description =========== Some vulnerabilities have been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. Updated Packages ================ Check if you have php installed: # pacman -Q php If found, then you should upgrade to the latest version: # pacman -Sy php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFTwYuZ7NElSD1VhkRAgD7AJ4i2UFLOnnmhqbQuIQUFHOJgs2XHwCfcm93 IJe67RPE4KAye44QKDXllc4= =n7wI -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 9 14:38:45 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 9 14:38:50 2006 Subject: [Frugalware-security] [ FSA-40 ] bind Message-ID: <20061109133845.DDC7EFA468E@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-40 Date: 2006-11-09 Package: bind Vulnerable versions: <= 9.3.2_P1-1siwenna1 Unaffected versions: >= 9.3.2_P2-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1420 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 Description =========== Some vulnerabilities have been reported in BIND, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service). The vulnerabilities are caused due to the potential use of vulnerable OpenSSL libraries. Updated Packages ================ Check if you have bind installed: # pacman -Q bind If found, then you should upgrade to the latest version: # pacman -Sy bind -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFUy9lZ7NElSD1VhkRAqFoAJkBFKE/yLRKF+41c32IKDKxf41NsQCcCqAm OIIQ51/StCJGhFeyJOSphVk= =VoyW -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 13 18:38:38 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 13 18:38:41 2006 Subject: [Frugalware-security] [ FSA-41 ] kernel Message-ID: <20061113173838.A151EFA46B4@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-41 Date: 2006-11-13 Package: kernel Vulnerable versions: <= 2.6.17-6siwenna1 Unaffected versions: >= 2.6.17-6siwenna2 Related bugreport: http://bugs.frugalware.org/task/1423 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619 Description =========== A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of seqfiles for "/proc/net/ip6_flowlabel", which can be exploited to cause kernel lockups and crashes via specially crafted flow labels. Updated Packages ================ Check if you have kernel installed: # pacman -Q kernel If found, then you should upgrade to the latest version: # pacman -Sy kernel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWK2eZ7NElSD1VhkRAv2dAJ9yEoUW0S9nQcUWx3SO97jczIIWVwCggzHe HMJOafrU2jVpwY/7MYkZBYA= =LlUh -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Nov 13 18:47:58 2006 From: noreply at frugalware.org (voroskoi) Date: Mon Nov 13 18:48:01 2006 Subject: [Frugalware-security] [ FSA-42 ] imagemagick Message-ID: <20061113174758.1C00FFA46A4@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-42 Date: 2006-11-13 Package: imagemagick Vulnerable versions: <= 6.2.9_3-1 Unaffected versions: >= 6.2.9_3-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1364 CVE: There is no CVE for this issue, see: http://secunia.com/advisories/22572 Description =========== Some vulnerabilities have been reported in ImageMagick, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 1) A boundary error within the "ReadDCMImage()" function in coders/dcm.c can be exploited to cause a buffer overflow when processing specially crafted DCM images. 2) Several boundary errors within the "ReadPALMImage()" function in coders/palm.c can be exploited to cause heap-based buffer overflows when processing specially crafted PALM images. Successful exploitation may allow the execution of arbitrary code. Updated Packages ================ Check if you have imagemagick installed: # pacman -Q imagemagick If found, then you should upgrade to the latest version: # pacman -Sy imagemagick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWK/OZ7NElSD1VhkRAjwbAJ9bXCYPyd97RS4u1Ermo31VdzKs8QCgnq8Z wbvC3MRzyVdwxcXHFTsmr7g= =aZsE -----END PGP SIGNATURE----- From noreply at frugalware.org Tue Nov 14 19:44:37 2006 From: noreply at frugalware.org (voroskoi) Date: Tue Nov 14 19:44:39 2006 Subject: [Frugalware-security] [ FSA-43 ] seamonkey Message-ID: <20061114184437.C1EAF4E87B7@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-43 Date: 2006-11-14 Package: seamonkey Vulnerable versions: <= 1.0.5-1siwenna1 Unaffected versions: >= 1.0.6-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1436 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5748 Description =========== Some vulnerabilities have been reported in Mozilla Firefox and Mozilla SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and potentially compromise a vulnerable system. 1) The bundled Network Security Services (NSS) library contains an incomplete fix for the RSA signature verification vulnerability reported in MFSA 2006-60. 2) An error exists within the handling of Script objects. This can potentially be exploited to execute arbitrary JavaScript bytecode by modifying already running Script objects. 3) Some unspecified errors in the layout engine and memory corruption errors in the JavaScript engine can be exploited to crash the application and may allow execution of arbitrary code. 4) An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code. Updated Packages ================ Check if you have seamonkey installed: # pacman -Q seamonkey If found, then you should upgrade to the latest version: # pacman -Sy seamonkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWg6VZ7NElSD1VhkRAhb4AJ94+71Bns6ygaDhtfMXIIzWuq9tCACfQSGj 95rjNi8z6YG3vZqqjZ1qY+4= =yBov -----END PGP SIGNATURE----- From noreply at frugalware.org Tue Nov 14 20:09:23 2006 From: noreply at frugalware.org (voroskoi) Date: Tue Nov 14 20:09:27 2006 Subject: [Frugalware-security] [ FSA-44 ] imlib2 Message-ID: <20061114190923.6B13DFA46B1@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-44 Date: 2006-11-14 Package: imlib2 Vulnerable versions: <= 1.2.2-1 Unaffected versions: >= 1.2.2-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1425 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4809 Description =========== Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2. Updated Packages ================ Check if you have imlib2 installed: # pacman -Q imlib2 If found, then you should upgrade to the latest version: # pacman -Sy imlib2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWhRjZ7NElSD1VhkRAlbtAJ9FpVK7qf4Xs4RbHwa4rZHByTwLQQCdFQCj 89qE1aRbJSEaTsS8ZLBxkOg= =6VWa -----END PGP SIGNATURE----- From noreply at frugalware.org Tue Nov 14 23:47:06 2006 From: noreply at frugalware.org (voroskoi) Date: Tue Nov 14 23:47:08 2006 Subject: [Frugalware-security] [ FSA-45 ] ruby Message-ID: <20061114224706.AB599FA46B3@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-45 Date: 2006-11-14 Package: ruby Vulnerable versions: <= 1.8.5-1 Unaffected versions: >= 1.8.5-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1418 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467 Description =========== A vulnerability has been reported in Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an input validation error in "cgi.rb". This can be exploited to consume a large amount of CPU resources by sending a specially crafted HTTP POST request. Updated Packages ================ Check if you have ruby installed: # pacman -Q ruby If found, then you should upgrade to the latest version: # pacman -Sy ruby -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWkdqZ7NElSD1VhkRArcTAJ4vfgCzGtrxzFjYknfv1b3dpiRs7wCcCmMR xCkoRu5QdY1Nf81GZRIQ9YE= =NRVL -----END PGP SIGNATURE----- From noreply at frugalware.org Tue Nov 14 23:57:13 2006 From: noreply at frugalware.org (voroskoi) Date: Tue Nov 14 23:57:15 2006 Subject: [Frugalware-security] [ FSA-46 ] thundeerbird Message-ID: <20061114225713.2200AFA46B1@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-46 Date: 2006-11-14 Package: thundeerbird Vulnerable versions: <= 1.5.0.7-1siwenna1 Unaffected versions: >= 1.5.0.8-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1435 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5463 Description =========== Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and potentially compromise a vulnerable system. 1) The bundled Network Security Services (NSS) library contains an incomplete fix for the RSA signature verification vulnerability reported in MFSA 2006-60. 2) An error exists within the handling of Script objects. This can be potentially be exploited to execute arbitrary JavaScript bytecode by modifying already running Script objects. Successful exploitation requires that JavaScript is enabled. 3) Some unspecified errors in the layout engine and memory corruption errors in the JavaScript engine can be exploited to crash the application and may allow the execution of arbitrary code. Successful exploitation of some of these vulnerabilities requires that JavaScript is enabled. 4) An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code. Updated Packages ================ Check if you have thundeerbird installed: # pacman -Q thundeerbird If found, then you should upgrade to the latest version: # pacman -Sy thundeerbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFWknJZ7NElSD1VhkRAhSjAKCZpXLkQAHjMZiW1OLbeJOeGgyVeQCfU6R+ baO2otO9DmFx++WEEt8QdyA= =HVHQ -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Nov 17 22:50:00 2006 From: noreply at frugalware.org (voroskoi) Date: Fri Nov 17 22:50:04 2006 Subject: [Frugalware-security] [ FSA-47 ] openssh Message-ID: <20061117215000.1E6B6FA46C1@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-47 Date: 2006-11-17 Package: openssh Vulnerable versions: <= 4.4p1-1siwenna1 Unaffected versions: >= 4.5p1-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1438 CVE: There is no CVE for this issue, see: http://secunia.com/advisories/22771 Description =========== A weakness has been reported in OpenSSH, which can be exploited by malicious people to bypass certain security restrictions. The weakness is caused due to an error within the privilege separation monitor, which may weaken the authentication process. Reportedly, the weakness can only be exploited in combination with other vulnerabilities. Updated Packages ================ Check if you have openssh installed: # pacman -Q openssh If found, then you should upgrade to the latest version: # pacman -Sy openssh -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFXi6IZ7NElSD1VhkRAqF3AJwP28lb+Y2xZEh2fYLp/8XDo7aOlgCgiOzC z00kYuHw5p0XlhgJQcUUnms= =p6kA -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 14:55:52 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 14:55:57 2006 Subject: [Frugalware-security] [ FSA-48 ] kernel Message-ID: <20061123135552.3194CFA46C1@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-48 Date: 2006-11-23 Package: kernel Vulnerable versions: <= 2.6.17-6siwenna2 Unaffected versions: >= 2.6.17-6siwenna3 Related bugreport: http://bugs.frugalware.org/task/1474 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4352 Description =========== By setting the system time to the end of unixtime, it is possible to reset the system time to the lowest possible integer of unixtime. When the systemclock reaches "Tue Jan 19 03:14:08 UTC 2038", the 32-bit signed integer containing the time will overflow and the system time will be reset to "Fri Dec 13 20:45:52 UTC 1901". This is known as the Year 2038 Problem. Updated Packages ================ Check if you have kernel installed: # pacman -Q kernel If found, then you should upgrade to the latest version: # pacman -Sy kernel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZahoZ7NElSD1VhkRAgYBAJ9F8SLHJt4Q2pCxE0wGGHmIYYtROQCfYSxm gf6eqqlxX7O4nTR0g0i1L28= =UmOZ -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 17:32:49 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 17:32:54 2006 Subject: [Frugalware-security] [ FSA-49 ] pdns-recursor Message-ID: <20061123163249.C16DFFA46B5@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-49 Date: 2006-11-23 Package: pdns-recursor Vulnerable versions: <= 3.1.2-1 Unaffected versions: >= 3.1.4-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1454 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4251 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4252 Description =========== Two vulnerabilities have been reported in PowerDNS Recursor, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 1) An error in length calculation when handling TCP DNS queries can be exploited to cause an overly large copy via a specially crafted packet. Successful exploitation may allow execution of arbitrary code. 2) An error in the handling CNAME records can be exploited to crash the service. Updated Packages ================ Check if you have pdns-recursor installed: # pacman -Q pdns-recursor If found, then you should upgrade to the latest version: # pacman -Sy pdns-recursor -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZc0xZ7NElSD1VhkRAhqGAJwLgKNe62KPzMQSlZIJcrIwROje2QCcDCZz MqnVerkLISqUrN8MqKz+pCk= =cT4w -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 17:46:12 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 17:46:22 2006 Subject: [Frugalware-security] [ FSA-50 ] avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp Message-ID: <20061123164612.1804CFA46C1@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-50 Date: 2006-11-23 Package: avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp Vulnerable versions: <= 0.6.13-1 Unaffected versions: >= 0.6.13-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1453 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5461 Description =========== A vulnerability has been reported in Avahi, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to Avahi failing to validate the source of netlink messages. This can be exploited to trick Avahi into reacting to fake network changes. Updated Packages ================ Check if you have avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp installed: # pacman -Q avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp If found, then you should upgrade to the latest version: # pacman -Sy avahi avahi-compat avahi-glib avahi-gtk2 avahi-python avahi-qt3 avahi-sharp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZdBUZ7NElSD1VhkRAss+AJ9NN1zvkZVuvKk2jcxnfGXXNU5CZQCgkZ+N vyrDDLHHxybimmVmntZIDkU= =9yuK -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 18:00:15 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 18:00:28 2006 Subject: [Frugalware-security] [ FSA-51 ] libarchive Message-ID: <20061123170015.BBA92FA46C6@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-51 Date: 2006-11-23 Package: libarchive Vulnerable versions: <= 1.2.57-1 Unaffected versions: >= 1.2.57-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1442 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5680 Description =========== If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data. Updated Packages ================ Check if you have libarchive installed: # pacman -Q libarchive If found, then you should upgrade to the latest version: # pacman -Sy libarchive -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZdOdZ7NElSD1VhkRAm5bAJ9A0RIarC05Wq6rRDPGJK4ucLRHRQCggaZE 85tL3KOfqIwp/iLxi4wCxZo= =9Y6/ -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 18:28:33 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 18:28:37 2006 Subject: [Frugalware-security] [ FSA-52 ] openldap Message-ID: <20061123172833.F29C3FA46C7@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-52 Date: 2006-11-23 Package: openldap Vulnerable versions: <= 2.3.27-1 Unaffected versions: >= 2.3.29-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1459 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5779 Description =========== Evgeny Legerov has reported a vulnerability in OpenLDAP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain BIND requests. This can be exploited to cause a crash by sending specially crafted BIND requests to an OpenLDAP server. Updated Packages ================ Check if you have openldap installed: # pacman -Q openldap If found, then you should upgrade to the latest version: # pacman -Sy openldap -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZdpBZ7NElSD1VhkRAp65AJ9rSmREjA8AsLv/RFQ6+S5J656vtwCeKdjM mIGhf5HgN9ExqHE1YK8NtAw= =BfR0 -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 19:53:45 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 19:53:48 2006 Subject: [Frugalware-security] [ FSA-53 ] texinfo Message-ID: <20061123185345.DAD66FA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-53 Date: 2006-11-23 Package: texinfo Vulnerable versions: <= 4.8-7 Unaffected versions: >= 4.8-8siwenna1 Related bugreport: http://bugs.frugalware.org/task/1460 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810 Description =========== A boundary error exists within the "readline()" function in texindex.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted Texinfo file. Updated Packages ================ Check if you have texinfo installed: # pacman -Q texinfo If found, then you should upgrade to the latest version: # pacman -Sy texinfo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZe45Z7NElSD1VhkRAghQAKCAdW9dolxrzN8340wJuEHKF6e26QCfaJfi LczS6A0pEHxnvXSDv5bs1rQ= =Aj/k -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 21:41:32 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 21:41:35 2006 Subject: [Frugalware-security] [ FSA-54 ] libpng Message-ID: <20061123204132.81297FA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-54 Date: 2006-11-23 Package: libpng Vulnerable versions: <= 1.2.12-4 Unaffected versions: >= 1.2.13-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1467 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 Description =========== Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an out-of-bounds read error in the "png_set_sPLT()" function in pngset.c. This can be exploited by tricking an application using the library to process a specially crafted PNG file. Updated Packages ================ Check if you have libpng installed: # pacman -Q libpng If found, then you should upgrade to the latest version: # pacman -Sy libpng -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZgd8Z7NElSD1VhkRAiDcAJ0Tg2lAbKe+PFI2Muo3nKUvqFfxuwCeJ4Am guKy3QYg50ckKwnM95qWZT8= =Tydq -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Nov 23 21:54:13 2006 From: noreply at frugalware.org (voroskoi) Date: Thu Nov 23 21:54:15 2006 Subject: [Frugalware-security] [ FSA-55 ] phpmyadmin Message-ID: <20061123205413.2056BFA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-55 Date: 2006-11-23 Package: phpmyadmin Vulnerable versions: <= 2.9.1_rc1-1siwenna1 Unaffected versions: >= 2.9.1.1-1siwenna1 Related bugreport: http://bugs.frugalware.org/task/1417 http://bugs.frugalware.org/task/1469 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5718 Description =========== Input containing UTF-7 encoded characters passed to the script which displays error messages is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Three other security issues fixed too, see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-{7,8,9} for details. Updated Packages ================ Check if you have phpmyadmin installed: # pacman -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman -Sy phpmyadmin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZgp1Z7NElSD1VhkRAoJnAKCQ5Dh0RlMfmQyadc1V98RH2BVpqQCglFsp mtvOs1u7oGe3XlPARi3VYSs= =BD5c -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Nov 24 00:31:03 2006 From: noreply at frugalware.org (voroskoi) Date: Fri Nov 24 00:31:06 2006 Subject: [Frugalware-security] [ FSA-56 ] rpm Message-ID: <20061123233103.534D3FA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-56 Date: 2006-11-24 Package: rpm Vulnerable versions: <= 4.4.2-4 Unaffected versions: >= 4.4.2-5siwenna1 Related bugreport: http://bugs.frugalware.org/task/1426 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5466 Description =========== A vulnerability has been reported in RPM, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing certain RPM packages. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into querying a specially crafted RPM package. Updated Packages ================ Check if you have rpm installed: # pacman -Q rpm If found, then you should upgrade to the latest version: # pacman -Sy rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZi83Z7NElSD1VhkRAvEnAJ9IEC9Tg61yenzDRXhhCwTdKtMdOQCcDE2L +RWVBUeAVwxP22GTZneyUaQ= =GJNX -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Nov 24 00:39:27 2006 From: noreply at frugalware.org (voroskoi) Date: Fri Nov 24 00:39:29 2006 Subject: [Frugalware-security] [ FSA-57 ] elinks Message-ID: <20061123233927.DB80BFA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-57 Date: 2006-11-24 Package: elinks Vulnerable versions: <= 0.11.1-5 Unaffected versions: >= 0.11.1-6siwenna1 Related bugreport: http://bugs.frugalware.org/task/1468 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5925 Description =========== Teemu Salmela has discovered a vulnerability in ELinks, which can be exploited by malicious people to expose sensitive information and manipulate data. The vulnerability is caused due to an error in the validation of "smb://" URLs when ELinks runs smbclient commands. This can be exploited to download and overwrite local files or upload local files to a SMB share by injecting smbclient commands in the "smb://" URL. Successful exploitation allows exposure of sensitive information or manipulation of data, but requires that the user visits a malicious "smb://" URL or gets redirected to such an URL by a malicious URL, and that the user has the smbclient program installed. Updated Packages ================ Check if you have elinks installed: # pacman -Q elinks If found, then you should upgrade to the latest version: # pacman -Sy elinks -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZjEvZ7NElSD1VhkRAvTRAJ9tESMqKcYkdk1L+ysi3XhKsU5TagCeNNZU Byb0rKzQW/VW8ocDPMEMDJw= =MDDU -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Nov 24 00:49:23 2006 From: noreply at frugalware.org (voroskoi) Date: Fri Nov 24 00:49:24 2006 Subject: [Frugalware-security] [ FSA-58 ] gv Message-ID: <20061123234923.32D77FA46C8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-58 Date: 2006-11-24 Package: gv Vulnerable versions: <= 3.6.1-3 Unaffected versions: >= 3.6.1-4siwenna1 Related bugreport: http://bugs.frugalware.org/task/1462 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5864 Description =========== Renaud Lifchitz has reported a vulnerability in GNU gv, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "ps_gettext()" function in ps.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted PostScript file. Updated Packages ================ Check if you have gv installed: # pacman -Q gv If found, then you should upgrade to the latest version: # pacman -Sy gv -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFZjODZ7NElSD1VhkRAtQjAKCSN3MMrXS29xO6L4XgUdf/lOUT1QCeM/Tb 0VLcLLr4UjpnncFo4NhYdvs= =TGBW -----END PGP SIGNATURE----- From noreply at frugalware.org Sat Nov 25 15:47:03 2006 From: noreply at frugalware.org (voroskoi) Date: Sat Nov 25 15:47:09 2006 Subject: [Frugalware-security] [ FSA-59 ] proftpd Message-ID: <20061125144703.CE9DCFA46E9@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-59 Date: 2006-11-25 Package: proftpd Vulnerable versions: <= 1.3.0-1 Unaffected versions: >= 1.3.0-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1484 CVE: There is no CVE for this issue, see: http://secunia.com/advisories/22821 Description =========== A vulnerability has been reported in ProFTPD, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the "cmd_loop()" function in main.c when the "CommandBufferSize" option is enabled. Updated Packages ================ Check if you have proftpd installed: # pacman -Q proftpd If found, then you should upgrade to the latest version: # pacman -Sy proftpd -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFaFdnZ7NElSD1VhkRAuXXAJ9YYHjLTUD9sqqrIuriMCSuyoILSgCghwAr FuTQrOOHzAl5YFieDTLzBpY= =4a2w -----END PGP SIGNATURE----- From noreply at frugalware.org Tue Nov 28 22:51:14 2006 From: noreply at frugalware.org (voroskoi) Date: Tue Nov 28 22:51:27 2006 Subject: [Frugalware-security] [ FSA-60 ] fvwm-devel Message-ID: <20061128215115.02463FA46E9@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-60 Date: 2006-11-28 Package: fvwm-devel Vulnerable versions: <= 2.5.17-1 Unaffected versions: >= 2.5.17-2siwenna1 Related bugreport: http://bugs.frugalware.org/task/1485 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5969 Description =========== Tavis Ormandy has reported a security issue in FVWM, which can be exploited by malicious, local users to bypass certain security restrictions. The security issue is caused due to an input validation error in the "evalFolderLine()" function. This can be exploited to execute arbitrary commands by tricking a user into using the "fvwm-menu-directory" command on a specially crafted directory. Updated Packages ================ Check if you have fvwm-devel installed: # pacman -Q fvwm-devel If found, then you should upgrade to the latest version: # pacman -Sy fvwm-devel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFFbK9SZ7NElSD1VhkRAgTxAJ4xaQ3yTizxDOGR9ZHot4FbEQcrSACgmmkA 8bw5fRce8uAy9V9MRxDw/mQ= =Dx11 -----END PGP SIGNATURE-----