This is a list of security announcments that have been released for the current stable version of Frugalware
A vulnerability has been reported in Avahi, which can be exploited by malicious, local users to bypass certain security restrictions. The vulnerability is caused due to Avahi failing to validate the source of netlink messages. This can be exploited to trick Avahi into reacting to fake network changes.
By setting the system time to the end of unixtime, it is possible to reset the system time to the lowest possible integer of unixtime. When the systemclock reaches “Tue Jan 19 03:14:08 UTC 2038”, the 32-bit signed integer containing the time will overflow and the system time will be reset to “Fri Dec 13 20:45:52 UTC 1901”. This is known as the Year 2038 Problem.
If the end of an archive is reached while attempting to “skip” past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data.
Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an out-of-bounds read error in the “png_set_sPLT()” function in pngset.c. This can be exploited by tricking an application using the library to process a specially crafted PNG file.
Evgeny Legerov has reported a vulnerability in OpenLDAP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain BIND requests. This can be exploited to cause a crash by sending specially crafted BIND requests to an OpenLDAP server.
Two vulnerabilities have been reported in PowerDNS Recursor, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Input containing UTF-7 encoded characters passed to the script which displays error messages is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Three other security issues fixed too, see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-{7,8,9} for details.
A boundary error exists within the “readline()” function in texindex.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted Texinfo file.
A weakness has been reported in OpenSSH, which can be exploited by malicious people to bypass certain security restrictions. The weakness is caused due to an error within the privilege separation monitor, which may weaken the authentication process. Reportedly, the weakness can only be exploited in combination with other vulnerabilities.
Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2.
