The following packages have been either updated or patched to ensure the security of SolusOS 2.
Please note: gnupg now also depends on libksba and libpth, which were added to the repository to enable this update (gnupg moves from the 1.4 series to 2.0).
| Package | Old Version | New Version | Description of issue | NVD Link |
|---|---|---|---|---|
| python | 2.7.3-1 | 2.7.3-2 | The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | CVE-2013-4238 |
| python3 | 3.3.2-1 | 3.3.2-2 | Same issue as python above (Python 2.6 through 3.4 is affected). | CVE-2013-4238 |
| glibc | 2.17-1 | 2.17-2 | Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters. | CVE-2013-0242 |
| glibc | 2.17-1 | 2.17-2 | Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. | CVE-2013-1914 |
| libgcrypt | 1.5.1-1 | 1.5.3-2 | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | CVE-2013-4242 |
| gnupg | 1.4.13-1 | 2.0.21-2 | Same Flush+Reload issue as libgcrypt above (GnuPG before 1.4.14 is affected). | CVE-2013-4242 |
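The python entry above describes why an embedded NUL in a Subject Alternative Name matters: if the name is read as a C string it is silently cut at the first '\0', so a certificate legitimately issued for `www.bank.example\0.attacker.example` looks like one for `www.bank.example`. The following is an added illustration of that failure mode and of the strict check that defeats it; it is not CPython's own `ssl.match_hostname` or its patch, and the certificate dicts are constructed samples in the shape `ssl.getpeercert()` returns, with only the fields the matcher reads filled in.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate does not match, or is malformed."""


# Constructed sample certificates (not real certificates). The first models
# the CVE-2013-4238 attack: a DNS SAN with a NUL byte after the victim name.
CRAFTED_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "www.bank.example\x00.attacker.example"),),
}
HONEST_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "*.bank.example"), ("DNS", "bank.example")),
}


def _dnsname_match(dn, hostname):
    """Case-insensitive match of one DNS name against hostname.
    A '*' is honoured only as the whole leftmost label and matches exactly one label."""
    labels = dn.lower().split(".")
    hostparts = hostname.lower().split(".")
    if not labels or not all(labels):
        return False
    if labels[0] == "*":
        return len(labels) == len(hostparts) and labels[1:] == hostparts[1:]
    return labels == hostparts


def _dns_names(cert, truncate_at_nul):
    """Collect DNS SANs; fall back to commonName only if there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    if truncate_at_nul:
        # Vulnerable behaviour: treat each name as a NUL-terminated C string,
        # so everything after the first '\0' is silently dropped.
        names = [n.split("\x00", 1)[0] for n in names]
    return names


def match_hostname_truncating(cert, hostname):
    """Vulnerable matcher: returns True when the truncated names match."""
    return any(_dnsname_match(n, hostname) for n in _dns_names(cert, True))


def match_hostname_strict(cert, hostname):
    """Hardened matcher: a NUL anywhere in a name is a malformed certificate
    and is rejected before any matching takes place."""
    names = _dns_names(cert, False)
    for name in names:
        if "\x00" in name:
            raise CertificateError("embedded NUL in certificate name %r" % name)
    if not any(_dnsname_match(n, hostname) for n in names):
        raise CertificateError(
            "hostname %r doesn't match certificate names %r" % (hostname, names))
    return True


def strict_rejects(cert, hostname):
    """Helper for callers: True if the strict matcher refuses the certificate."""
    try:
        match_hostname_strict(cert, hostname)
    except CertificateError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable accepts crafted cert:",
          match_hostname_truncating(CRAFTED_CERT, "www.bank.example"))
    print("strict rejects crafted cert:",
          strict_rejects(CRAFTED_CERT, "www.bank.example"))
    print("strict accepts honest cert:",
          match_hostname_strict(HONEST_CERT, "www.bank.example"))
```

The point of the strict version is the order of operations: the NUL check runs over the raw names before any comparison, so an attacker cannot rely on a lower layer having already shortened the string. On a patched Python, `ssl.match_hostname` never sees the truncated name in the first place.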
Remember, if you discover a security issue within SolusOS 2, you should still report it, even in these alpha stages. Although it may not appear to be the highest priority for a system in such a busy development phase, it is essential that the appropriate steps are taken to forward all security issues upstream so that all projects can benefit.

