From vmiklos at frugalware.org Mon May 5 14:29:17 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 5 14:29:19 2008 Subject: [Frugalware-security] [ FSA-437 ] xine-lib Message-ID: <20080505122917.55A121190ACB@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-437 Date: 2008-05-05 Package: xine-lib Vulnerable versions: <= 1.1.11-1kalgan2 Unaffected versions: >= 1.1.11-1kalgan3 Related bugreport: http://bugs.frugalware.org/task/3010 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686 Description =========== A vulnerability has been reported in xine-lib, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the use of vulnerable libfishsound; an input validation error when processing Speex headers, which can be exploited via a specially crafted Speex stream containing a negative "modeID" field in the header. Successful exploitation may allow execution of arbitrary code. Updated Packages ================ Check if you have xine-lib installed: # pacman-g2 -Q xine-lib If found, then you should upgrade to the latest version: # pacman-g2 -Sy xine-lib Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/437 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkge/Z0ACgkQZ7NElSD1Vhl+9QCaArz5j+/1X3A0c3zgFAgBxmm4 RpoAn29tHnFkNnonqkCdC9X5xccd/cch =sIqO -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 5 14:36:33 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 5 14:36:35 2008 Subject: [Frugalware-security] [ FSA-438 ] xine-lib Message-ID: <20080505123633.BDF271190AC8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-438 Date: 2008-05-05 Package: xine-lib Vulnerable versions: <= 1.1.11-1kalgan2 Unaffected versions: >= 1.1.11-1kalgan3 Related bugreport: http://bugs.frugalware.org/task/3027 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1878 Description =========== Guido Landi has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "demux_nsf_send_chunk()" function in src/demuxers/demux_nsf.c. This can be exploited to cause a stack-based buffer overflow via an overly long NSF title. Updated Packages ================ Check if you have xine-lib installed: # pacman-g2 -Q xine-lib If found, then you should upgrade to the latest version: # pacman-g2 -Sy xine-lib Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/438 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkge/1EACgkQZ7NElSD1Vhny9gCdFBu7ZG7JlQqqGcSxb6JoTyi+ 8NoAnifOAs3U61OeFTavXZxlJYorq+Yd =DmGq -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 5 14:45:54 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 5 14:45:56 2008 Subject: [Frugalware-security] [ FSA-439 ] vorbis-tools Message-ID: <20080505124554.CFE451190AC8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-439 Date: 2008-05-05 Package: vorbis-tools Vulnerable versions: <= 1.1.1-3 Unaffected versions: >= 1.1.1-4kalgan1 Related bugreport: http://bugs.frugalware.org/task/3032 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686 Description =========== A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the use of vulnerable libfishsound; an input validation error when processing Speex headers, which can be exploited via a specially crafted Speex stream containing a negative "modeID" field in the header. Successful exploitation may allow execution of arbitrary code. Updated Packages ================ Check if you have vorbis-tools installed: # pacman-g2 -Q vorbis-tools If found, then you should upgrade to the latest version: # pacman-g2 -Sy vorbis-tools Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/439 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgfAYIACgkQZ7NElSD1Vhkb1gCePqK5KcEHpJAPxJWTMPq1Sr7/ U2UAoJJCzTGTc8hYVkh5MRmP7JzrGDv6 =5GTC -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 5 14:56:41 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 5 14:56:43 2008 Subject: [Frugalware-security] [ FSA-440 ] frugalwareutils Message-ID: <20080505125641.59D221190AC8@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-440 Date: 2008-05-05 Package: frugalwareutils Vulnerable versions: <= 0.7.9-1 Unaffected versions: >= 0.7.9-2kalgan1 Related bugreport: http://bugs.frugalware.org/task/3052 CVE: There is no CVE for this issue. Description =========== A vulnerability has been reported in frugalwareutils, which can potentially be exploited by malicious people to cause a DoS on a vulnerable system. The vulnerability is caused due to creating new files as root without checking the current value of umask. Successful exploitation may allow execution of arbitrary code. Updated Packages ================ Check if you have frugalwareutils installed: # pacman-g2 -Q frugalwareutils If found, then you should upgrade to the latest version: # pacman-g2 -Sy frugalwareutils Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/440 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgfBAkACgkQZ7NElSD1VhkKmwCffvc9Ej9cdK78p09qLm2rIps5 uvAAoKKMSMFFZk5ZqIel7SxaQJJvyoXu =fjT8 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 5 15:05:24 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 5 15:05:25 2008 Subject: [Frugalware-security] [ FSA-441 ] kernel Message-ID: <20080505130524.3D2141190AC9@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-441 Date: 2008-05-05 Package: kernel Vulnerable versions: <= 2.6.24-3 Unaffected versions: >= 2.6.24-4kalgan1 Related bugreport: http://bugs.frugalware.org/task/3050 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375 Description =========== A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to potentially gain escalated privileges. A race condition error exists in the dnotify subsystem between calls to "fcntl()" and "close()". This can be exploited to cause a system crash or potentially gain root privileges. Updated Packages ================ Check if you have kernel installed: # pacman-g2 -Q kernel If found, then you should upgrade to the latest version: # pacman-g2 -Sy kernel Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/441 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgfBhQACgkQZ7NElSD1VhltDgCfR+RbFzhas+uSyiNOS/31csCL e9cAn1V0UXidRkCYyuZjbXPDBcRXG1tw =PHbP -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:19:48 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:19:52 2008 Subject: [Frugalware-security] [ FSA-442 ] wordpress Message-ID: <20080515131948.7F6391778015@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-442 Date: 2008-05-15 Package: wordpress Vulnerable versions: <= 2.3.3-2kalgan1 Unaffected versions: >= 2.5.1-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3048 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1930 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2068 Description =========== Two vulnerabilities have been reported in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and to compromise a vulnerable system. 1) A vulnerability is caused due to improper access restriction of the administration section. This can be exploited to bypass the authentication mechanism and gain administrative access by setting a specially crafted cookie. This can further be exploited to execute arbitrary PHP code. Successful exploitation of this vulnerability requires that registering new accounts is enabled. The vulnerability is reported in version 2.5. 2) Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Updated Packages ================ Check if you have wordpress installed: # pacman-g2 -Q wordpress If found, then you should upgrade to the latest version: # pacman-g2 -Sy wordpress Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/442 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsOHQACgkQZ7NElSD1Vhm00gCeKHkhOYuBmqjVcVQffuLJdt05 2OsAoKLIHJV2qdNsrfBc66K3xXSrMdyg =UjG8 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:21:37 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:21:39 2008 Subject: [Frugalware-security] [ FSA-443 ] util-linux-ng Message-ID: <20080515132137.D8B801778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-443 Date: 2008-05-15 Package: util-linux-ng Vulnerable versions: <= 2.13.1-1 Unaffected versions: >= 2.13.1-2kalgan1 Related bugreport: http://bugs.frugalware.org/task/3046 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1926 Description =========== A weakness has been reported in util-linux-ng, which can be exploited by malicious people to manipulate certain data. The security issue is caused due to an error in login.c while logging login attempts. This can be exploited to inject e.g. an arbitrary address in the audit logs via a specially crafted username. Updated Packages ================ Check if you have util-linux-ng installed: # pacman-g2 -Q util-linux-ng If found, then you should upgrade to the latest version: # pacman-g2 -Sy util-linux-ng Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/443 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsOOEACgkQZ7NElSD1VhkK4QCgmzzPURM3bnnes6mv5eikPIMY Z/gAnA0KO2PAbsgyfyuTJqBmevN6ROWR =gWGp -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:24:29 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:24:31 2008 Subject: [Frugalware-security] [ FSA-444 ] thunderbird Message-ID: <20080515132429.0D3391778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-444 Date: 2008-05-15 Package: thunderbird Vulnerable versions: <= 2.0.0.12-1 Unaffected versions: >= 2.0.0.14-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/2906 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237 Description =========== Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or potentially compromise a user's system. For more information, see FSA407. Updated Packages ================ Check if you have thunderbird installed: # pacman-g2 -Q thunderbird If found, then you should upgrade to the latest version: # pacman-g2 -Sy thunderbird Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/444 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsOY0ACgkQZ7NElSD1VhnR5wCfTDhxWi4sKT4bxuTXFPnD1EWJ NFsAoJ4fqws9+rP94l78B1/iE1CbrBfE =iErN -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:28:42 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:28:45 2008 Subject: [Frugalware-security] [ FSA-445 ] kernel Message-ID: <20080515132842.C6F0C1778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-445 Date: 2008-05-15 Package: kernel Vulnerable versions: <= 2.6.24-4kalgan1 Unaffected versions: >= 2.6.24-4kalgan2 Related bugreport: http://bugs.frugalware.org/task/3060 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669 Description =========== A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error when preventing race conditions between "fcntl_setlk()" and "close()" calls on SMP systems. This can be exploited to trigger the improper, reordered access to the file descriptor table and the "file_lock" structure of an inode, between threads running on different CPUs. Updated Packages ================ Check if you have kernel installed: # pacman-g2 -Q kernel If found, then you should upgrade to the latest version: # pacman-g2 -Sy kernel Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/445 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsOooACgkQZ7NElSD1VhltyACaAotrvSX1Ipd3GJ/z2hjhm+8V RKIAn3PQPIWYE2TjlBQwghumo14JlVVt =zDD+ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:30:44 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:30:47 2008 Subject: [Frugalware-security] [ FSA-446 ] kdelibs Message-ID: <20080515133044.DF17B1778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-446 Date: 2008-05-15 Package: kdelibs Vulnerable versions: <= 3.5.9-1 Unaffected versions: >= 3.5.9-2kalgan1 Related bugreport: http://bugs.frugalware.org/task/3047 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671 Description =========== A vulnerability has been reported in KDE, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to potentially gain escalated privileges. The vulnerability is caused due to an error in the start_kdeinit script (installed setuid root by default). This can be exploited to send signals to privileged processes, cause a DoS, or potentially execute arbitrary code in the context of the target process. Updated Packages ================ Check if you have kdelibs installed: # pacman-g2 -Q kdelibs If found, then you should upgrade to the latest version: # pacman-g2 -Sy kdelibs Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/446 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsOwQACgkQZ7NElSD1VhlAiwCfYvMDGpoOko4FEKocvOYEvfsc UQAAnjEWLiSIy9m6EhjvfZD9v8KWyIzE =hGZ5 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Thu May 15 15:35:06 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Thu May 15 15:35:09 2008 Subject: [Frugalware-security] [ FSA-447 ] eterm Message-ID: <20080515133506.47A201778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-447 Date: 2008-05-15 Package: eterm Vulnerable versions: <= 0.9.4-2 Unaffected versions: >= 0.9.4-3kalgan1 Related bugreport: http://bugs.frugalware.org/task/2918 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1692 Description =========== A security issue has been reported in Eterm, which can be exploited by malicious, local users to gain escalated privileges. Eterm 0.9.4 opens a terminal window on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. Updated Packages ================ Check if you have eterm installed: # pacman-g2 -Q eterm If found, then you should upgrade to the latest version: # pacman-g2 -Sy eterm Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/447 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgsPAoACgkQZ7NElSD1VhnpZwCfXY9xuKTM5c1klbksYGuPHaAI XbMAnimux5wa9h+zEj7C4IhLVTw2BPXC =CGzc -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue May 20 13:22:22 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue May 20 13:22:26 2008 Subject: [Frugalware-security] [ FSA-448 ] php Message-ID: <20080520112222.5C7BE1778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-448 Date: 2008-05-20 Package: php Vulnerable versions: <= 5.2.5-2 Unaffected versions: >= 5.2.6-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3074 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 Description =========== Some vulnerabilities have been reported in PHP, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions, and potentially by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. 1) An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow. 2) An error in the processing of multibyte characters within the "escapeshellcmd()" and "escapeshellarg()" functions can be exploited to escape the inserted backslash or quote characters via certain multibyte characters. Successful exploitation allows to bypass the "safe_mode_exec_dir" and "disable_functions" directives, and potentially to inject arbitrary shell commands via user controlled input, but requires that the shell uses a locale with a variable width character (e.g. GBK, EUC-KR, SJIS). 3) A vulnerability is caused due to an error during path translation in cgi_main.c. This can potentially be exploited to execute arbitrary code, but depends on how a targeted application is using PHP. 4) An error in cURL can be exploited to bypass the "safe_mode" directive. 5) A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system. Updated Packages ================ Check if you have php installed: # pacman-g2 -Q php If found, then you should upgrade to the latest version: # pacman-g2 -Sy php Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/448 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgytG4ACgkQZ7NElSD1VhlhyACgkFKOloZjWdLaiRgGIE9CJy2r NaIAoJGB8+UtGGF1qCdfI9+LTaU9gQDQ =mKYS -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue May 20 13:24:32 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue May 20 13:24:35 2008 Subject: [Frugalware-security] [ FSA-449 ] rdesktop Message-ID: <20080520112432.E26B21778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-449 Date: 2008-05-20 Package: rdesktop Vulnerable versions: <= 1.5.0-2 Unaffected versions: >= 1.6.0-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3078 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1803 Description =========== Some vulnerabilities have been reported in rdesktop, which can be exploited by malicious people to compromise a user's system. 1) An integer underflow error in iso.c when processing RDP requests can be exploited to cause a heap-based buffer overflow. 2) An input validation error in rdp.c when processing RDP redirect requests can be exploited to cause a BSS-based buffer overflow. 3) A signedness error within "xrealloc()" in rdesktop.c can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code but requires that a user is tricked into connecting to a malicious RDP server. Updated Packages ================ Check if you have rdesktop installed: # pacman-g2 -Q rdesktop If found, then you should upgrade to the latest version: # pacman-g2 -Sy rdesktop Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/449 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgytPAACgkQZ7NElSD1Vhna8wCeLdmlmUwtbT8RWaV6ZLgqoC7x Q0YAn3HOr/thxZ3JvHh8a4HFAWNMFx3/ =V/xH -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue May 20 13:27:06 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue May 20 13:27:08 2008 Subject: [Frugalware-security] [ FSA-450 ] pngcrush Message-ID: <20080520112706.483FC1778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-450 Date: 2008-05-20 Package: pngcrush Vulnerable versions: <= 1.6.4-1 Unaffected versions: >= 1.6.5-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3079 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1382 Description =========== A vulnerability has been reported in Pngcrush, which can be exploited by malicious people to disclose potentially sensitive information or potentially compromise a user's system. The vulnerability is caused due to the use of vulnerable libpng code. For more information, see FSA434. Updated Packages ================ Check if you have pngcrush installed: # pacman-g2 -Q pngcrush If found, then you should upgrade to the latest version: # pacman-g2 -Sy pngcrush Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/450 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgytYoACgkQZ7NElSD1VhldkQCfU2h+oB4yKYKYneBYknZFkpM9 flQAnil/q/SPikaXATajQ7DyXiWu3Mrw =a+7b -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue May 20 13:28:58 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue May 20 13:29:01 2008 Subject: [Frugalware-security] [ FSA-451 ] audacity Message-ID: <20080520112858.B1FA71778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-451 Date: 2008-05-20 Package: audacity Vulnerable versions: <= 1.3.3-2 Unaffected versions: >= 1.3.5-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3080 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061 Description =========== Viktor Griph has reported a security issue in Audacity, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or to delete arbitrary files and directories. The security issue is caused due to the "AudacityApp::OnInit()" method in src/AudacityApp.cpp handling temporary files in an insecure manner. This can be exploited to delete arbitrary files and directories via symlink attacks, or to cause a deadlock. Updated Packages ================ Check if you have audacity installed: # pacman-g2 -Q audacity If found, then you should upgrade to the latest version: # pacman-g2 -Sy audacity Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgytfoACgkQZ7NElSD1VhkGXgCgitrY7pMb6TVrdkFnGlWsHplf QOwAmgODrQ9GWusmFZy7Miw7XqAvuThW =aRfn -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue May 20 13:31:20 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue May 20 13:31:23 2008 Subject: [Frugalware-security] [ FSA-452 ] graphicsmagick Message-ID: <20080520113120.DC62A1778001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-452 Date: 2008-05-20 Package: graphicsmagick Vulnerable versions: <= 1.1.11-1 Unaffected versions: >= 1.1.12-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3076 CVE: There is no CVE for this issue, see http://sourceforge.net/project/shownotes.php?release_id=595544 Description =========== A security issue has been reported in GraphicsMagick, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the improper processing of file extensions and can be exploited to e.g. access X11 or to invoke certain delegate programs. Successful exploitation requires that a user is tricked into processing a malicious file with a specific file extension. Updated Packages ================ Check if you have graphicsmagick installed: # pacman-g2 -Q graphicsmagick If found, then you should upgrade to the latest version: # pacman-g2 -Sy graphicsmagick Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/452 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkgytogACgkQZ7NElSD1VhkuNQCgl565BNkj90xXnIy/3UJlginG JyAAnRSDIaifPvtA0syG/bqejkBtoxbm =HaUp -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sun May 25 14:35:45 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sun May 25 14:35:47 2008 Subject: [Frugalware-security] [ FSA-453 ] gnutls Message-ID: <20080525123545.CFF22119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-453 Date: 2008-05-25 Package: gnutls Vulnerable versions: <= 2.2.0-1 Unaffected versions: >= 2.2.5-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3100 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950 Description =========== Some vulnerabilities have been reported in GnuTLS, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library. 1) A boundary error exists in the processing "Client Hello" messages containing a "Server Name" extension. This can be exploited to cause a heap-based buffer overflow via a specially crafted TLS packet. Successful exploitation may allow execution of arbitrary code. 2) A NULL-pointer dereference error in the processing of TLS packets containing multiple "Client Hello" messages can be exploited to crash an affected application. 3) A signedness error exists within the "_gnutls_ciphertext2compressed()" function in lib/gnutls_cipher.c. This can be exploited to cause an out of bounds read and crash an affected application via specially crafted, encrypted TLS data. Updated Packages ================ Check if you have gnutls installed: # pacman-g2 -Q gnutls If found, then you should upgrade to the latest version: # pacman-g2 -Sy gnutls Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/453 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg5XSEACgkQZ7NElSD1VhnUFwCfSvO32yT1zyt3OEh00HZubzVU fYsAnjFljSStt1m0/hHNneWlLBrUdzqq =+R1+ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sun May 25 14:39:00 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sun May 25 14:39:02 2008 Subject: [Frugalware-security] [ FSA-454 ] chicken Message-ID: <20080525123900.4AAE0119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-454 Date: 2008-05-25 Package: chicken Vulnerable versions: <= 2.732-1 Unaffected versions: >= 3.1.10-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3091 CVE: CVE-2008-0674 Description =========== A vulnerability been reported in Chicken, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to the use of a vulnerable version of the PCRE library. Updated Packages ================ Check if you have chicken installed: # pacman-g2 -Q chicken If found, then you should upgrade to the latest version: # pacman-g2 -Sy chicken Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/454 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg5XeQACgkQZ7NElSD1VhnkCwCgojrXeqxF08ecApWka4kFrizV P4gAn1TKFIv7yFPprwF9fYrEhtnsUnEA =cdn/ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sun May 25 14:42:33 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sun May 25 14:42:37 2008 Subject: [Frugalware-security] [ FSA-455 ] qemu Message-ID: <20080525124233.B4D1B119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-455 Date: 2008-05-25 Package: qemu Vulnerable versions: <= 0.9.1-2 Unaffected versions: >= 0.9.1-3kalgan1 Related bugreport: http://bugs.frugalware.org/task/3043 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004 Description =========== A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to the "drive_init()" function in vl.c determining the format of a disk from data contained in the disk's header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image. Updated Packages ================ Check if you have qemu installed: # pacman-g2 -Q qemu If found, then you should upgrade to the latest version: # pacman-g2 -Sy qemu Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/455 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg5XrkACgkQZ7NElSD1Vhk48ACeM6zAloO0zJOcuAZHJfDIhQO/ tXwAn3H/DI9Pjj+RUcXsvr8mmRG7R3EZ =txnM -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sun May 25 14:45:29 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sun May 25 14:45:33 2008 Subject: [Frugalware-security] [ FSA-456 ] xemacs Message-ID: <20080525124529.B4CE1119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-456 Date: 2008-05-25 Package: xemacs Vulnerable versions: <= 21.4.21-1 Unaffected versions: >= 21.4.21-2kalgan1 Related bugreport: http://bugs.frugalware.org/task/3041 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1694 Description =========== Some security issues have been reported in XEmacs, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issues are caused due to the use of vulnerable GNU Emacs code. For more information, see FSA423. Updated Packages ================ Check if you have xemacs installed: # pacman-g2 -Q xemacs If found, then you should upgrade to the latest version: # pacman-g2 -Sy xemacs Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/456 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg5X2kACgkQZ7NElSD1VhlZbACcDhNs47oYCB5vBU3AGsz2jPz3 7ngAni6exnE95cS6NkVv5ZxGurFVd8f/ =Q16R -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sun May 25 14:49:30 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sun May 25 14:49:34 2008 Subject: [Frugalware-security] [ FSA-457 ] kvm Message-ID: <20080525124930.AAE2C119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-457 Date: 2008-05-25 Package: kvm Vulnerable versions: <= 61-2 Unaffected versions: >= 61-3kalgan1 Related bugreport: http://bugs.frugalware.org/task/3044 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004 Description =========== A vulnerability has been reported in KVM, which can be exploited by malicious, local users to bypass certain security restrictions or cause a DoS (Denial of Service). The error can be exploited by a guest to read arbitrary files on the host via a specially crafted disk header. For more information, see FSA455. Updated Packages ================ Check if you have kvm installed: # pacman-g2 -Q kvm If found, then you should upgrade to the latest version: # pacman-g2 -Sy kvm Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/457 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg5YFoACgkQZ7NElSD1Vhlg8QCeKN8Cwn3wlL89Su7/+ng0pzON SgwAn3ghZCzu62lWCZDmlgNnqifC4Q+c =TMD2 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 26 16:25:52 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 26 16:25:54 2008 Subject: [Frugalware-security] [ FSA-458 ] asterisk Message-ID: <20080526142552.7CDCE11904C9@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-458 Date: 2008-05-26 Package: asterisk Vulnerable versions: <= 1.4.17-1 Unaffected versions: >= 1.4.19.2-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3077 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1897 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1923 Description =========== A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to improper verification of ACK responses during IAX2 handshakes, which can be exploited to spoof an IAX2 handshake and cause a DoS via high bandwidth usage. Updated Packages ================ Check if you have asterisk installed: # pacman-g2 -Q asterisk If found, then you should upgrade to the latest version: # pacman-g2 -Sy asterisk Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/458 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg6yHAACgkQZ7NElSD1VhkYjwCcDaq8eS1viYOcrIY1mRcZE3kR LjwAoKIMZpsKAzUdhrp7wQKSTgYVwsnq =BZni -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 26 16:28:06 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 26 16:28:10 2008 Subject: [Frugalware-security] [ FSA-459 ] django Message-ID: <20080526142806.22091119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-459 Date: 2008-05-26 Package: django Vulnerable versions: <= 0.96.1-1 Unaffected versions: >= 0.96.2-1kalgan1 Related bugreport: http://bugs.frugalware.org/task/3084 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2302 Description =========== A vulnerability has been reported in Django, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL is not properly sanitised before being returned to the user through the login form. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Updated Packages ================ Check if you have django installed: # pacman-g2 -Q django If found, then you should upgrade to the latest version: # pacman-g2 -Sy django Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/459 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg6yPYACgkQZ7NElSD1VhkQqQCbBanT7ZYrWsdwkowwOJiMVvyS T5IAn3MIL8bZE8xJncpHj/pVp7c6h1V9 =aY+p -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 26 16:30:19 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 26 16:30:22 2008 Subject: [Frugalware-security] [ FSA-450 ] seamonkey Message-ID: <20080526143019.C2E5C119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-450 Date: 2008-05-26 Package: seamonkey Vulnerable versions: <= 1.1.9-1kalgan1 Unaffected versions: >= 1.1.9-1kalgan2 Related bugreport: http://bugs.frugalware.org/task/3021 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380 Description =========== A vulnerability has been reported in Mozilla SeaMonkey, which can potentially be exploited by malicious people to compromise a user's system. For more information, see FSA431. Updated Packages ================ Check if you have seamonkey installed: # pacman-g2 -Q seamonkey If found, then you should upgrade to the latest version: # pacman-g2 -Sy seamonkey Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/450 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg6yXsACgkQZ7NElSD1VhmumwCgoyy5OPycv5OET6Hwzqb36UJA gYEAn0KOtjND1WoX/ojNUKPfFA2pIjFd =nxbJ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 26 16:33:57 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 26 16:34:02 2008 Subject: [Frugalware-security] [ FSA-451 ] mysql Message-ID: <20080526143357.EA21B119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-451 Date: 2008-05-26 Package: mysql Vulnerable versions: <= 5.0.51-2 Unaffected versions: >= 5.0.51-3kalgan1 Related bugreport: http://bugs.frugalware.org/task/3075 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079 Description =========== A security issue has been reported in MySQL, which can be exploited by malicious, local users to bypass certain security restrictions. The problem is that it is possible to bypass certain privilege checks by creating a MyISAM table with certain DATA DIRECTORY and INDEX DIRECTORY options to overwrite existing table files in the MySQL data directory. Updated Packages ================ Check if you have mysql installed: # pacman-g2 -Q mysql If found, then you should upgrade to the latest version: # pacman-g2 -Sy mysql Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg6ylUACgkQZ7NElSD1VhkCcwCeM/sAZ6KHbjV6nFW2+ZNVCpLl 6PIAoIZWCHijRlI11CtA3kfGxmUlr8bw =r6aH -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 26 16:35:46 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon May 26 16:35:49 2008 Subject: [Frugalware-security] [ FSA-452 ] libxslt Message-ID: <20080526143546.1624B119019F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-452 Date: 2008-05-26 Package: libxslt Vulnerable versions: <= 1.1.22-2kalgan1 Unaffected versions: >= 1.1.22-2kalgan1 Related bugreport: http://bugs.frugalware.org/task/3104 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767 Description =========== A vulnerability has been reported in libxslt, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of XSL style-sheet files. This can potentially be exploited to trigger the use of uninitialized memory in e.g. a call to "free()" when a specially crafted XSL file is being processed by an application using the library. Successful exploitation may allow execution of arbitrary code. Updated Packages ================ Check if you have libxslt installed: # pacman-g2 -Q libxslt If found, then you should upgrade to the latest version: # pacman-g2 -Sy libxslt Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/452 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkg6ysIACgkQZ7NElSD1VhnngACeL6GAcu3qnW6YsSJ15frQCRSb PhoAn3zf1hy6TQ6nGsFzQSF71asR8jBx =aVSB -----END PGP SIGNATURE-----