Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

wesnoth

  • Author: voroskoi
  • Vulnerable: 1.2.6-1
  • Unaffected: 1.2.6-2terminus1

A vulnerability has been reported in Wesnoth, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in the processing of UTF-8 strings within the multiplayer engine. This can be exploited by malicious clients to crash a vulnerable Wesnoth client.

CVEs:

kdebase

  • Author: voroskoi
  • Vulnerable: 3.5.6-3terminus2
  • Unaffected: 3.5.6-3terminus3

A vulnerability has been reported in Konqueror, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the interaction between Konqueror and the Adobe Flash Player plug-in, which may result in key presses being leaked to a Flash applet. This can be exploited to disclose potentially sensitive information.

CVEs:

python

  • Author: voroskoi
  • Vulnerable: 2.5-3terminus2
  • Unaffected: 2.5-3terminus3

Slythers Bro has discovered a security issue in the imageop module for Python, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The security issue is caused due to an integer overflow error within the “tovideo()” function and can be exploited to cause a heap-based buffer overflow when specially crafted parameters are passed to the function. Successful exploitation may allow execution of arbitrary code.

openssl

  • Author: voroskoi
  • Vulnerable: 0.9.8-6
  • Unaffected: 0.9.8-7terminus1

Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

  1. This fixes a weakness, which can be exploited by malicious, local users to disclose sensitive information. The problem is caused due to an error in the RSA implementation and can be exploited to disclose private keys via side-channel attacks.
  2. Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738.

CVEs:

xfs

  • Author: voroskoi
  • Vulnerable: 1.0.4-1
  • Unaffected: 1.0.4-2terminus1

Some vulnerabilities have been reported in the X.Org X11 X Font Server (XFS), which can be exploited by malicious, local users to gain escalated privileges.

  1. An integer overflow exists within the handlers for the X protocol requests “QueryXBitmaps” and “QueryXExtents”, which do not correctly check the “length” parameters before passing them to the “build_range()” function. This can be exploited to cause a heap-based buffer overflow by sending specially crafted “QueryXBitmaps” and “QueryXExtents” requests to a vulnerable service.
  2. An error exists within the handler for the X protocol requests “QueryXBitmaps” and “QueryXExtents” when calling the “swap_char2b()” function, which can be exploited to swap an arbitrary number of bytes on the heap, resulting in a heap corruption.

CVEs:

ruby

  • Author: voroskoi
  • Vulnerable: 1.8.5-4terminus1
  • Unaffected: 1.8.5-4terminus2

Chris Clark has reported a security issue in Ruby, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to the “Net::HTTPS” library not properly checking if the Common Name field provided inside SSL server certificates matches the requested hostname of a server. This can be exploited to conduct spoofing attacks. Successful exploitation requires a MitM (Man-in-the-Middle) attack and possession of a valid certificate, which is signed by the CA specified in the client.
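The missing check described above, as an added example (not code from Ruby, Frugalware or the advisory): a constructed test CA issues certificates for two hypothetical hosts, showing that chain validation alone accepts either certificate, while `OpenSSL::SSL.verify_certificate_identity` rejects the one whose Common Name does not match the requested host. The CA name, host names and helper functions are assumptions made for illustration.

```ruby
require "openssl"

# Issue a short-lived certificate for `cn`; self-signed when issuer_cert is nil.
# All names and keys here are constructed test data.
def issue(cn, key, issuer_cert, issuer_key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain check only: what a client effectively does if it never compares the name.
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Chain check plus identity check against the host the client asked for.
def server_acceptable?(cert, requested_host, store)
  chain_trusted?(cert, store) &&
    OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Constructed trust anchor and two leaf certificates signed by it.
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue("Constructed Test CA", CA_KEY, nil, CA_KEY, ca: true)
STORE   = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
BANK    = issue("bank.example.test", OpenSSL::PKey::RSA.new(2048), CA_CERT, CA_KEY)
OTHER   = issue("other.example.test", OpenSSL::PKey::RSA.new(2048), CA_CERT, CA_KEY)

# The client asked for bank.example.test but was handed OTHER by an on-path host.
puts "chain only accepts OTHER:        #{chain_trusted?(OTHER, STORE)}"
puts "chain + name accepts OTHER:      #{server_acceptable?(OTHER, 'bank.example.test', STORE)}"
puts "chain + name accepts BANK:       #{server_acceptable?(BANK, 'bank.example.test', STORE)}"
```
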

t1lib

  • Author: voroskoi
  • Vulnerable: 5.1.1-1
  • Unaffected: 5.1.1-2terminus1

Hamid Ebadi has reported a vulnerability in t1lib, which can be exploited by malicious users to potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error within the “intT1_EnvGetCompletePath()” function in lib/t1lib/t1env.c. This can be exploited to cause a buffer overflow when an application processes an overly long string in the “FileName” parameter.

CVEs:

elinks

  • Author: voroskoi
  • Vulnerable: 0.11.2-2terminus1
  • Unaffected: 0.11.2-2terminus2

A weakness has been reported in ELinks, which can be exploited by malicious people to disclose sensitive information. The content of POST requests sent to HTTPS webservers via a proxy is sent unencrypted via the CONNECT command to the configured proxy. This can be exploited to disclose the content of POST requests by e.g. sniffing network traffic.

CVEs:

firefox

  • Author: voroskoi
  • Vulnerable: 2.0.0.6-1terminus1
  • Unaffected: 2.0.0.7-1terminus1

Mozilla has acknowledged a security issue in Firefox, which potentially can be exploited by malicious people to compromise a user’s system. The security issue is caused due to the “-chrome” parameter allowing execution of arbitrary JavaScript code in chrome context. This can be exploited to execute arbitrary commands on a user’s system e.g. via applications invoking Firefox with unfiltered command line arguments.

CVEs:

inotify-tools

  • Author: voroskoi
  • Vulnerable: 3.8-1
  • Unaffected: 3.8-2terminus1

A vulnerability has been reported in inotify-tools, which can potentially be exploited by malicious users to compromise an application using the library. The vulnerability is caused due to a boundary error within the “inotifytools_snprintf()” function in src/inotifytools.c. This can be exploited to cause a buffer overflow by e.g. creating a file with an overly long filename in a specific directory. Successful exploitation may allow the execution of arbitrary code with privileges of the application using the affected library.