The following packages have been either updated or patched to ensure the security of SolusOS 2.
Please note: gnupg now also depends on libksba and libpth, which were added to enable this update.
| Package | Previous version | Updated version | Description of issue | CVE |
|---|---|---|---|---|
| python | 2.7.3-1 | 2.7.3-2 | The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | CVE-2013-4238 |
| glibc | 2.17-1 | 2.17-2 | Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters. | CVE-2013-0242 |
| glibc | 2.17-1 | 2.17-2 | Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. | CVE-2013-1914 |
| libgcrypt | 1.5.1-1 | 1.5.3-2 | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload | CVE-2013-4242 |
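The '\0' handling problem described for CVE-2013-4238, as an added example that is not part of the original advisory and is not Python's own ssl code: a simplified model of the general bug class, where a Subject Alternative Name entry read as a NUL-terminated string is truncated before comparison, next to a length-aware check that rejects it. The function names and sample names are assumptions made for illustration, and wildcard matching is left out.

```python
# Added illustration: simplified model of NUL handling when matching a
# certificate's SAN dNSName against a hostname. Hypothetical helper names;
# this is not the code of Python's ssl module.

def c_string_view(raw: bytes) -> bytes:
    """Model a NUL-terminated read: everything after the first 0x00 is lost."""
    return raw.split(b"\x00", 1)[0]


def naive_match(san_raw: bytes, hostname: str) -> bool:
    """Flawed pattern: compare the hostname against the truncated name."""
    return c_string_view(san_raw).lower() == hostname.encode("ascii").lower()


def strict_match(san_raw: bytes, hostname: str) -> bool:
    """Length-aware pattern: use every byte of the entry, reject embedded NULs."""
    if b"\x00" in san_raw:
        return False
    return san_raw.lower() == hostname.encode("ascii").lower()


def suspicious_sans(sans):
    """Return the SAN entries a certificate audit should flag (contain 0x00)."""
    return [s for s in sans if b"\x00" in s]


# Constructed sample data using reserved example domains, not taken from a
# real certificate.
SAMPLE_SANS = [
    b"www.example.org",
    b"www.example.org\x00.untrusted.example",
]

if __name__ == "__main__":
    host = "www.example.org"
    for san in SAMPLE_SANS:
        print(repr(san), "naive:", naive_match(san, host),
              "strict:", strict_match(san, host))
    print("flagged:", suspicious_sans(SAMPLE_SANS))
```
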
Remember, if you discover a security issue within SolusOS 2, you should still report it, even in these alpha stages. Although it may not appear to be the highest priority for a system in such a busy development phase, it is essential that the appropriate steps are taken to forward all security issues upstream so that all projects can benefit.