Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

tetex

  • Author: voroskoi
  • Vulnerable: 3.0-10
  • Unaffected: 3.0-11terminus1

A vulnerability has been reported in teTeX, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerability is caused by the use of vulnerable Xpdf code.

CVEs:

apache

  • Author: voroskoi
  • Vulnerable: 2.2.4-2terminus1
  • Unaffected: 2.2.4-2terminus2

A vulnerability has been reported in the Apache mod_proxy module, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by improper handling of date headers within the “ap_proxy_date_canon()” function in proxy_util.c. This can be exploited to cause a DoS by sending specially crafted requests to the affected server. Successful exploitation results in a crash if a threaded Multi-Processing Module is used on servers where a reverse or forward proxy is configured.

asterisk

  • Author: voroskoi
  • Vulnerable: 1.4.8-1terminus1
  • Unaffected: 1.4.11-1terminus1

Three vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).

  1. The vulnerability is caused by the IAX2 Channel Driver improperly processing “NEW” packets. This can be exploited to allocate resources that are never freed by sending multiple “NEW” packets for valid extensions to the server. Successful exploitation results in a DoS, but requires that the IAX2 Channel Driver is configured to allow unauthenticated calls.
  2. The vulnerability is caused by the Skinny channel driver (chan_skinny) improperly processing packets. This can be exploited to crash the application by sending a “CAPABILITIES_RES_MESSAGE” packet with a capabilities count greater than the total number of items in the “capabilities_res_message” array.
  3. The vulnerability is caused by the SIP Dialog History of the SIP channel driver (chan_sip) recording all history items (88 bytes per item) in memory. This can be exploited to cause a DoS through memory exhaustion by causing a large number of items to be logged.

CVEs:

id3lib

  • Author: voroskoi
  • Vulnerable: 3.8.3-3
  • Unaffected: 3.8.3-4terminus1

Nikolaus Schulz has reported a security issue in id3lib, which can be exploited by malicious, local users to gain escalated privileges. The security issue is caused by the “RenderV2ToFile()” function in src/tag_file.cpp handling temporary files in an insecure manner. This can be exploited to execute arbitrary commands with escalated privileges (usually root user).

CVEs:

kdebase

  • Author: voroskoi
  • Vulnerable: 3.5.6-2
  • Unaffected: 3.5.6-3terminus1

Robert Swiecki has discovered a vulnerability in Konqueror, which can be exploited by malicious people to conduct spoofing attacks. The vulnerability is caused by an error when processing the “setInterval()” function and can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. The vulnerability is caused by an error in the handling of the “data:” URI scheme. This can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar when a user follows a specially crafted link.

kdelibs

  • Author: voroskoi
  • Vulnerable: 3.5.6-3
  • Unaffected: 3.5.6-4terminus1

Robert Swiecki has discovered a vulnerability in Konqueror, which can be exploited by malicious people to conduct spoofing attacks. The vulnerability is caused by an error when processing the “setInterval()” function and can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar. The vulnerability is caused by an error in the handling of the “data:” URI scheme. This can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar when a user follows a specially crafted link.

opera

  • Author: voroskoi
  • Vulnerable: 9.22-1terminus1
  • Unaffected: 9.23-1terminus1

A vulnerability has been reported in Opera, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerability is caused by an unspecified error when processing JavaScript code and can result in a virtual function call using an invalid pointer. This can be exploited to execute arbitrary code, e.g. by tricking a user into visiting a malicious website.

CVEs:

php

  • Author: voroskoi
  • Vulnerable: 5.2.3-1terminus2
  • Unaffected: 5.2.3-1terminus3

shinnai has discovered a vulnerability in PHP, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused by an error in the handling of an uninitialized structure inside the “glob()” function. This can be exploited to execute arbitrary code, which may lead to security restrictions (e.g. the “disable_functions” directive) being bypassed.

CVEs:

po4a

  • Author: voroskoi
  • Vulnerable: 0.30-1
  • Unaffected: 0.30-2terminus1

A security issue has been reported in po4a, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused by the “gettextize()” function in lib/Locale/Po4a/Po.pm creating the file “/tmp/gettextization.failed.po” in an insecure manner. This can be exploited via symlink attacks, e.g. to overwrite arbitrary files with the permissions of the user running the po4a-gettextize tool.
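
The insecure temporary-file handling described in the id3lib and po4a entries, as an added example that is not code from either project or from the advisories: the weak fixed-name open beside two hardened forms, checked against a symlink in a private scratch directory. The scratch directory, the "victim" file and all function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: a fixed name in a shared directory. open() follows a symlink
 * that already sits at that name and truncates whatever it points to. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened, name still fixed: O_CREAT|O_EXCL fails with EEXIST if anything,
 * including a symlink, already exists at the path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred when the name need not be fixed: mkstemp() replaces the XXXXXX
 * suffix with an unpredictable one and creates the file exclusively, 0600. */
int open_unique(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario in a private scratch directory: a symlink named like
 * the po4a report file points at a 4-byte "victim" file. Opens the report
 * name with the chosen strategy and returns the victim's size afterwards
 * (4 = untouched, 0 = truncated through the link, -1 = setup failed). */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/fsa-demo-XXXXXX", victim[96], report[96];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(report, sizeof report, "%s/gettextization.failed.po", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(victim, report) != 0) return -1;
    fd = hardened ? open_exclusive(report) : open_predictable(report);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(report); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable open: victim is %ld bytes\n", victim_size_after(0));
    printf("exclusive open:   victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

When auditing other tools for the same class of issue, a fixed file name under /tmp opened without O_EXCL is the pattern to look for.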