SolusOS 2 Package Updates

The following packages have been either updated or patched to ensure the security of SolusOS 2.

Please note: gnupg now also depends on libksba and libpth, which were added to enable this update.

| Package | Old Version | New Version | Description of issue | NVD Link |
| --- | --- | --- | --- | --- |
| python | 2.7.3-1 | 2.7.3-2 | The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | CVE-2013-4238 |
| glibc | 2.17-1 | 2.17-2 | Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters. | CVE-2013-0242 |
| glibc | 2.17-1 | 2.17-2 | Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. | CVE-2013-1914 |
| libgcrypt | 1.5.1-1 | 1.5.3-2 | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | CVE-2013-4242 |
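
The python entry (CVE-2013-4238) describes a Subject Alternative Name value containing '\0' being mishandled during hostname matching. The sketch below is an added illustration of that failure mode and of a strict check. It is not Python's ssl code or the SolusOS patch; the function names and sample SAN values are constructed for the example.

```python
# Added illustration; all names and sample values here are constructed.

def c_string_view(raw: bytes) -> str:
    """What a reader sees if it treats the dNSName as a NUL-terminated string."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    return p_labels == h_labels

def naive_check(san_values, hostname):
    """Flawed: compares only the part of each SAN entry before the first NUL."""
    return any(dns_name_matches(c_string_view(v), hostname) for v in san_values)

def strict_check(san_values, hostname):
    """Uses the full length-delimited value and rejects the certificate
    outright if any dNSName carries a NUL or non-ASCII byte."""
    names = []
    for raw in san_values:
        if b"\x00" in raw:
            raise ValueError("dNSName contains a NUL byte: %r" % (raw,))
        try:
            names.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            raise ValueError("dNSName is not ASCII: %r" % (raw,))
    return any(dns_name_matches(n, hostname) for n in names)

# Constructed sample SAN lists (raw dNSName bytes as they sit in the certificate).
CRAFTED_SAN = [b"www.example.com\x00.attacker.invalid"]
HONEST_SAN = [b"www.example.com", b"*.example.org"]

if __name__ == "__main__":
    print("naive, crafted:", naive_check(CRAFTED_SAN, "www.example.com"))
    print("strict, honest:", strict_check(HONEST_SAN, "www.example.com"))
    try:
        strict_check(CRAFTED_SAN, "www.example.com")
    except ValueError as exc:
        print("strict, crafted:", exc)
```
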

Remember, if you discover a security issue within SolusOS 2, you should still report it, even in these alpha stages. Although it may not appear to be the highest priority for a system in such a busy development phase, it is essential that the appropriate steps are taken to forward all security issues upstream so that all projects can benefit.