From noreply at frugalware.org Thu Jun 7 12:08:06 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 12:08:08 2007 Subject: [Frugalware-security] [ FSA-192 ] kernel Message-ID: <20070607100806.30568186801C@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-192 Date: 2007-06-07 Package: kernel Vulnerable versions: <= 2.6.20-5terminus3 Unaffected versions: >= 2.6.20-5terminus4 Related bugreport: http://bugs.frugalware.org/task/2097 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2525 Description =========== Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or disclose potentially sensitive information. 1) A memory leak exists when releasing PPPoE sockets after they are connected, but before the "PPPIOCGCHAN" ioctl is called. This can be exploited to cause a DoS due to memory exhaustion. 2) An error within the "_udp_lib_get_port()" function in net/ipv4/udp.c can be exploited to intercept traffic by binding to a port using a local address if a wildcard bind exists with a local address to that port. Updated Packages ================ Check if you have kernel installed: # pacman -Q kernel If found, then you should upgrade to the latest version: # pacman -Sy kernel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ9kEZ7NElSD1VhkRAnJUAJ9sdVBUq5wOj6jsSV3OfZid4yJL9gCcC68k pjQEZB6IL58JBuKH/GD2vjQ= =eGT4 -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 12:19:58 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 12:20:10 2007 Subject: [Frugalware-security] [ FSA-193 ] tcl Message-ID: <20070607101958.79336186801C@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-193 Date: 2007-06-07 Package: tcl Vulnerable versions: <= 8.4.14-1 Unaffected versions: >= 8.4.15-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2118 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2877 Description =========== Martin Lemburg has reported a security issue in Tcl, which potentially can be exploited by malicious, local users to gain escalated privileges. The security issue is caused due to a boundary error within tcl/win/tclWinReg.c when processing overly long registry key names. This can be exploited to cause a buffer overflow by e.g. creating a malicious registry key and enticing another user to query it with an application using Tcl. Updated Packages ================ Check if you have tcl installed: # pacman -Q tcl If found, then you should upgrade to the latest version: # pacman -Sy tcl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ9vMZ7NElSD1VhkRAgJ6AJ9yp9vzx0F9w6+eF4omujQ0Y/V4sgCeMbMC danQ8enx42LOAhVz5nMIAHk= =peAo -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 12:33:35 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 12:33:39 2007 Subject: [Frugalware-security] [ FSA-194 ] file Message-ID: <20070607103335.652051768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-194 Date: 2007-06-07 Package: file Vulnerable versions: <= 4.20-1 Unaffected versions: >= 4.21-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2119 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799 Description =========== A vulnerability has been reported in file, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified integer underflow within the "file_printf" function, which can be exploited to cause a heap-based buffer overflow. Updated Packages ================ Check if you have file installed: # pacman -Q file If found, then you should upgrade to the latest version: # pacman -Sy file -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ97/Z7NElSD1VhkRAkawAJ45BQ9sV70sp0+wgu3/G4Z/fc4JgwCfWtM0 TO6mreVAtKK3dH0JZaD/NQo= =VGr6 -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 12:43:31 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 12:43:33 2007 Subject: [Frugalware-security] [ FSA-195 ] tor Message-ID: <20070607104331.5B6AD1768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-195 Date: 2007-06-07 Package: tor Vulnerable versions: <= 0.1.1.26-3terminus1 Unaffected versions: >= 0.1.2.14-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2121 CVE: No CVE for this issue. Description =========== lodger has reported a weakness in Tor, which potentially can be exploited by malicious people to expose sensitive information. When building a circuit, Tor checks if an entry guard is exactly the same as an exit guard, but fails to check if they are also part of the same family. This may weaken the Tor security concept and could make it easier to launch certain attacks. Updated Packages ================ Check if you have tor installed: # pacman -Q tor If found, then you should upgrade to the latest version: # pacman -Sy tor -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ+FTZ7NElSD1VhkRAj/MAJ4wAqnu7D6KVPAg1+v49OULYl5HywCfTHO7 JyRNGD5BWlB16FQmXVjwfkg= =HGaw -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 12:48:22 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 12:48:27 2007 Subject: [Frugalware-security] [ FSA-196 ] xfsprogs-xfsdump Message-ID: <20070607104822.5BD681768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-196 Date: 2007-06-07 Package: xfsprogs-xfsdump Vulnerable versions: <= 2.2.38_1-2 Unaffected versions: >= 2.2.45_1-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2122 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2654 Description =========== Paul Martin has reported a security issue in xfsdump, which can be exploited by malicious, local users to disclose potentially sensitive information or manipulate data. The security issue is caused due to xfs_fsr creating a temporary directory with insecure permissions within the function "tmp_init()" in fsr/xfs_fsr.c. This can be exploited to read or overwrite files created in this directory or subdirectories, potentially allowing for the disclosure of sensitive information or data manipulation. Updated Packages ================ Check if you have xfsprogs-xfsdump installed: # pacman -Q xfsprogs-xfsdump If found, then you should upgrade to the latest version: # pacman -Sy xfsprogs-xfsdump -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ+J1Z7NElSD1VhkRAvc+AJ95E+JmLNMAKtmeL+scaSt0xv+LfgCeLm0N syIEBbCsnr0aVg8vbOTckVk= =NWf1 -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 13:49:08 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 13:49:12 2007 Subject: [Frugalware-security] [ FSA-197 ] firefox Message-ID: <20070607114908.80E3B1768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-197 Date: 2007-06-07 Package: firefox Vulnerable versions: <= 2.0.0.3-1terminus1 Unaffected versions: >= 2.0.0.4-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2125 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2870 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871 Description =========== Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system. 1) Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code. 2) An error in the "addEventListener" method can be exploited to inject script into another site, circumventing the browser's same-origin policy. This could be used to access or modify sensitive information from the other site. 3) An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar. Updated Packages ================ Check if you have firefox installed: # pacman -Q firefox If found, then you should upgrade to the latest version: # pacman -Sy firefox -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ/C0Z7NElSD1VhkRAhvxAJ4+mtDwQEv+jjRjchMD5o0nRRxbAQCbBFX5 eMZtE0Hkq34JDSBbTdRu1tQ= =nMr7 -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 13:56:18 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 13:56:20 2007 Subject: [Frugalware-security] [ FSA-198 ] seamonkey Message-ID: <20070607115618.D254F1768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-198 Date: 2007-06-07 Package: seamonkey Vulnerable versions: <= 1.1.1-1 Unaffected versions: >= 1.1.2-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2123 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2870 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871 Description =========== Some vulnerabilities have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system. 1) Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code. 2) An error in the "addEventListener" method can be exploited to inject script into another site, circumventing the browser's same-origin policy. This could be used to access or modify sensitive information from the other site. 3) An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar. Updated Packages ================ Check if you have seamonkey installed: # pacman -Q seamonkey If found, then you should upgrade to the latest version: # pacman -Sy seamonkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGZ/JiZ7NElSD1VhkRAi8JAKCB66JFkF2lN1Z5zqXJcltdxAQzJwCfRFOw Fre2SkWjJHdklyH2WCfrHuI= =yHrE -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 19:06:04 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 19:06:07 2007 Subject: [Frugalware-security] [ FSA-199 ] gd Message-ID: <20070607170604.330EA1768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-199 Date: 2007-06-07 Package: gd Vulnerable versions: <= 2.0.34-1 Unaffected versions: >= 2.0.34-2terminus1 Related bugreport: http://bugs.frugalware.org/task/2074 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756 Description =========== Xavier Roche has reported a vulnerability in GD Graphics Library, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the incorrect use of libpng within the function "gdPngReadData()" when processing truncated data. This can be exploited to cause an infinite loop by e.g. tricking an application using the library to process a specially crafted file. Updated Packages ================ Check if you have gd installed: # pacman -Q gd If found, then you should upgrade to the latest version: # pacman -Sy gd -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaDr8Z7NElSD1VhkRAg+rAKCR82xLuQKD0eJ0clbQKsdJSuUyYgCcCPvO zgEM3sjFZxo10mQ/Qc1un7E= =2drU -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 19:14:13 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 19:14:17 2007 Subject: [Frugalware-security] [ FSA-200 ] mutt Message-ID: <20070607171413.E4FF61768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-200 Date: 2007-06-07 Package: mutt Vulnerable versions: <= 1.4.2.2-2 Unaffected versions: >= 1.4.2.2-3terminus1 Related bugreport: http://bugs.frugalware.org/task/2120 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683 Description =========== A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user's privileges, but requires that the malicious user has a specially crafted realname and exists in the target user's alias file. Also fixes http://dev.mutt.org/trac/ticket/2846 Updated Packages ================ Check if you have mutt installed: # pacman -Q mutt If found, then you should upgrade to the latest version: # pacman -Sy mutt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaDzlZ7NElSD1VhkRAl4DAJ9l6svA3b0Ee+2kvlGzSeOc4TaxAgCfTDnp ROrjIqdtdRUC1KOvgt48F6g= =9eLl -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 19:20:07 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 19:20:10 2007 Subject: [Frugalware-security] [ FSA-201 ] thunderbird Message-ID: <20070607172007.E94C61768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-201 Date: 2007-06-07 Package: thunderbird Vulnerable versions: <= 1.5.0.10-1 Unaffected versions: >= 1.5.0.12-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2124 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868 Description =========== A vulnerability has been reported in Mozilla Thunderbird, which can potentially be exploited by malicious people to compromise a user's system. Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code. Updated Packages ================ Check if you have thunderbird installed: # pacman -Q thunderbird If found, then you should upgrade to the latest version: # pacman -Sy thunderbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaD5HZ7NElSD1VhkRAv1fAKCnnNYurmjPm3g/nL5OjwCYwdCrQgCeOB2+ Ekwj/3BXhdrH04Pi2UIOXvE= =DZrA -----END PGP SIGNATURE----- From noreply at frugalware.org Thu Jun 7 19:40:48 2007 From: noreply at frugalware.org (voroskoi) Date: Thu Jun 7 19:40:52 2007 Subject: [Frugalware-security] [ FSA-202 ] kernel Message-ID: <20070607174048.721161768122@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-202 Date: 2007-06-07 Package: kernel Vulnerable versions: <= 2.6.20-5terminus4 Unaffected versions: >= 2.6.20-5terminus5 Related bugreport: http://bugs.frugalware.org/task/2126 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2878 Description =========== A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The security issue is caused due to an error within the handling of certain VFAT IOCTLs on 64bit systems, which can be exploited to crash the kernel by calling certain IOCTLs with malicious parameters. Successful exploitation requires a 64bit-system and vfat and msdos file systems. Updated Packages ================ Check if you have kernel installed: # pacman -Q kernel If found, then you should upgrade to the latest version: # pacman -Sy kernel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaEMgZ7NElSD1VhkRAm+CAKCKbPcHbLAq6/PwQE5ym+vNF5cdUACfc7tU kDwleojq3uSLAmOmOz59fTE= =/FSo -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Jun 8 09:31:36 2007 From: noreply at frugalware.org (voroskoi) Date: Fri Jun 8 09:31:37 2007 Subject: [Frugalware-security] [ FSA-203 ] php Message-ID: <20070608073136.15B4E186802A@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-203 Date: 2007-06-08 Package: php Vulnerable versions: <= 5.2.2-1terminus2 Unaffected versions: >= 5.2.3-1terminus1 Related bugreport: http://bugs.frugalware.org/task/2127 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900 Description =========== A weakness and a vulnerability have been reported in PHP 5, which can be exploited by malicious, local users to bypass certain security restrictions. 1) An integer overflow error in the "chunk_split()" function can be exploited to cause a heap based buffer overflow. Successful exploitation of this vulnerability may allow execution of arbitrary code, which can lead to security restrictions, such as the "disable_functions" directive, being bypassed. 2) An error in the "realpath()" function allows bypassing of the "open_basedir" restriction and identifying the existence of files. Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to the use of an incorrect regular expression within the "FILTER_VALIDATE_EMAIL" filter of the ext/filter extension. This can be exploited to inject newlines via specially crafted email addresses, which may allow mail header injection. Updated Packages ================ Check if you have php installed: # pacman -Q php If found, then you should upgrade to the latest version: # pacman -Sy php -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaQXYZ7NElSD1VhkRAsHLAJ49FTGkaqLrPAaxghzXVsNlH2BKEgCfQ65p 9Je72hpBkiiZQpMr6+BvCnk= =n3J2 -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Jun 8 09:37:34 2007 From: noreply at frugalware.org (voroskoi) Date: Fri Jun 8 09:37:36 2007 Subject: [Frugalware-security] [ FSA-204 ] findutils Message-ID: <20070608073734.1645A186802A@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-204 Date: 2007-06-08 Package: findutils Vulnerable versions: <= 4.3.2-1 Unaffected versions: >= 4.3.2-2terminus1 Related bugreport: http://bugs.frugalware.org/task/2128 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2452 Description =========== A vulnerability has been reported in GNU findutils, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error when parsing "old" style formatted locate databases. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into running locate on a specially crafted "old" style database containing an overly long path (more than 1026 bytes). Updated Packages ================ Check if you have findutils installed: # pacman -Q findutils If found, then you should upgrade to the latest version: # pacman -Sy findutils -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaQc+Z7NElSD1VhkRAv2qAJ9wOeh9Q7b2ZiSD6bEXyRBqfsX0NgCfXBir gExEM3h023iLEWuW437AKOk= =XRog -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Jun 8 09:53:03 2007 From: noreply at frugalware.org (voroskoi) Date: Fri Jun 8 09:53:06 2007 Subject: [Frugalware-security] [ FSA-205 ] mplayer Message-ID: <20070608075303.59C4B186802A@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-205 Date: 2007-06-08 Package: mplayer Vulnerable versions: <= 1.0rc1-4terminus2 Unaffected versions: >= 1.0rc1-4terminus3 Related bugreport: http://bugs.frugalware.org/task/2131 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2948 Description =========== Secunia Research has discovered some vulnerabilities in MPlayer, which can be exploited by malicious people to compromise a user's system. 1) A boundary error within the "cddb_query_parse()" function in stream/stream_cddb.c when parsing album titles can be exploited to cause a stack-based buffer overflow by tricking a user into parsing malicious CDDB entries via overly long album titles. Successful exploitation allows execution of arbitrary code. 2) Boundary errors within the "cddb_parse_matches_list()" and "cddb_read_parse()" functions in stream/stream_cddb.c when parsing album and category titles can be exploited to cause stack-based buffer overflows by tricking a user into parsing malicious CDDB entries with overly long album or category titles. Successful exploitation allows execution of arbitrary code, but may require that the user connects to a malicious server. Updated Packages ================ Check if you have mplayer installed: # pacman -Q mplayer If found, then you should upgrade to the latest version: # pacman -Sy mplayer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaQrfZ7NElSD1VhkRAlvuAJ0XTNvhv7rLqVBuQ08yhdJzVxuSeACeLg8E Y4Thq100NKcNonMWYWFOGsw= =RtaB -----END PGP SIGNATURE----- From noreply at frugalware.org Fri Jun 8 10:00:06 2007 From: noreply at frugalware.org (voroskoi) Date: Fri Jun 8 10:00:08 2007 Subject: [Frugalware-security] [ FSA-206 ] mutt-devel Message-ID: <20070608080006.1C7D6186802A@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-206 Date: 2007-06-08 Package: mutt-devel Vulnerable versions: <= 1.5.14-1 Unaffected versions: >= 1.5.14-2terminus1 Related bugreport: http://bugs.frugalware.org/task/2139 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683 Description =========== A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user's privileges, but requires that the malicious user has a specially crafted realname and exists in the target user's alias file. Also fixes http://dev.mutt.org/trac/ticket/2846 Updated Packages ================ Check if you have mutt-devel installed: # pacman -Q mutt-devel If found, then you should upgrade to the latest version: # pacman -Sy mutt-devel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGaQyGZ7NElSD1VhkRAg8kAJ0auhk7YWbipGkhPdDjNKt7JPyf1QCfZW79 7WZM/F7Npbe1hHctTx6/os8= =rSwM -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Jun 25 16:49:46 2007 From: noreply at frugalware.org (voroskoi) Date: Mon Jun 25 16:49:50 2007 Subject: [Frugalware-security] [ FSA-207 ] cacti Message-ID: <20070625144946.BC78913A400D@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-207 Date: 2007-06-25 Package: cacti Vulnerable versions: <= 0.8.6j-1 Unaffected versions: >= 0.8.6j-2terminus1 Related bugreport: http://bugs.frugalware.org/task/2133 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3112 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3113 Description =========== A vulnerability has been discovered in Cacti, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in graph_image.php, which can be exploited to use lots of system resources by passing malicious values to the "graph_start", "graph_end", "graph_width", and "graph_height" parameters. Updated Packages ================ Check if you have cacti installed: # pacman -Q cacti If found, then you should upgrade to the latest version: # pacman -Sy cacti -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGf9YKZ7NElSD1VhkRAl5/AKCOd0At4hrZKmN8vtZ36zhjgTeSdgCgkznn 0gQfYvEEU7sIwpQbELkDuT4= =uPHA -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Jun 25 16:56:50 2007 From: noreply at frugalware.org (voroskoi) Date: Mon Jun 25 16:56:59 2007 Subject: [Frugalware-security] [ FSA-208 ] mutt-ng Message-ID: <20070625145650.7742913A400D@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-208 Date: 2007-06-25 Package: mutt-ng Vulnerable versions: <= 20070125-1 Unaffected versions: >= 20070125-2terminus1 Related bugreport: http://bugs.frugalware.org/task/2140 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683 Description =========== A vulnerability has been reported in mutt, which potentially can be exploited by malicious, local users to gain escalated privileges. Successful exploitation may allow execution of arbitrary code with another user's privileges, but requires that the malicious user has a specially crafted realname and exists in the target user's alias file. Also fixes http://dev.mutt.org/trac/ticket/2846 Updated Packages ================ Check if you have mutt-ng installed: # pacman -Q mutt-ng If found, then you should upgrade to the latest version: # pacman -Sy mutt-ng -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGf9eyZ7NElSD1VhkRAkqNAJ4koSZL3jDAJHqTKwLHpCNIx2A5TwCfSwiL 4vZGtKBAc+udpVnPCb0Wz0s= =q19O -----END PGP SIGNATURE----- From noreply at frugalware.org Mon Jun 25 17:03:19 2007 From: noreply at frugalware.org (voroskoi) Date: Mon Jun 25 17:03:20 2007 Subject: [Frugalware-security] [ FSA-209 ] kernel Message-ID: <20070625150319.60C0C13A400D@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-209 Date: 2007-06-25 Package: kernel Vulnerable versions: <= 2.6.20-5terminus5 Unaffected versions: >= 2.6.20-5terminus6 Related bugreport: http://bugs.frugalware.org/task/2160 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2453 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2876 Description =========== Two vulnerabilities and a weakness have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information and malicious people to cause a DoS (Denial of Service). 1) A NULL-pointer dereference exists within netfilter when handling new SCTP connections with unknown chunk types. This can be exploited to crash the kernel by sending malicious packets. 2) An underflow error within the "cpuset_task_read()" function in /kernel/cpuset.c can be exploited to read kernel memory, which may contain potentially sensitive information. Successful exploitation requires that the attacker has access to open the /dev/cpuset/tasks file (the cpuset file system needs to be mounted). 3) The kernel does not handle seeds for the random number generator correctly. This may weaken the security of applications relying on the randomness of the kernel random number generator. Updated Packages ================ Check if you have kernel installed: # pacman -Q kernel If found, then you should upgrade to the latest version: # pacman -Sy kernel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iD8DBQFGf9k3Z7NElSD1VhkRAhgzAJ0e7guw53lwmdAxhvQM5fw41NNS1wCdEBTU nzgqkAx6U1DE3d9IJoNv5wk= =u4ka -----END PGP SIGNATURE-----