Security Advisories
Security Advisories are published by the community-driven Arch CVE Monitoring Team (ACMT) to the public arch-security list. A subset of the released advisories is listed below; if you want to stay up to date, it is recommended to subscribe to the list. All assigned CVEs are tracked by the ACMT on the CVE page.
Scheduled Advisories
Recent Advisories
Here is an archive of security advisories posted to the arch-security list.
Feb 2015
- [17 Feb 2015] ASA-201502-12 krb5 multiple issues
- [11 Feb 2015] ASA-201502-11 xorg-server information leak and denial of service
- [10 Feb 2015] ASA-201502-10 dbus denial of service
- [09 Feb 2015] ASA-201502-9 pigz remote write to arbitrary file
- [09 Feb 2015] ASA-201502-8 glibc multiple issues
- [05 Feb 2015] ASA-201502-7 ntp multiple issues
- [05 Feb 2015] ASA-201502-6 clamav arbitrary code execution
- [05 Feb 2015] ASA-201502-5 chromium multiple issues
- [05 Feb 2015] ASA-201502-4 postgresql multiple issues
- [05 Feb 2015] ASA-201502-3 mantisbt multiple issues
- [05 Feb 2015] ASA-201502-2 flashplugin remote code execution
- [03 Feb 2015] ASA-201502-1 privoxy denial of service
Jan 2015
- [28 Jan 2015] ASA-201501-24 patch multiple issues
- [27 Jan 2015] ASA-201501-23 jasper arbitrary code execution
- [26 Jan 2015] ASA-201501-22 flashplugin multiple issues
- [25 Jan 2015] ASA-201501-21 chromium multiple issues
- [23 Jan 2015] ASA-201501-20 jre7-openjdk-headless multiple issues
- [23 Jan 2015] ASA-201501-19 jre7-openjdk multiple issues
- [23 Jan 2015] ASA-201501-18 jdk7-openjdk multiple issues
- [23 Jan 2015] ASA-201501-17 php remote code execution
- [23 Jan 2015] ASA-201501-16 jre8-openjdk-headless multiple issues
- [23 Jan 2015] ASA-201501-15 jre8-openjdk multiple issues
- [23 Jan 2015] ASA-201501-14 jdk8-openjdk multiple issues
- [20 Jan 2015] ASA-201501-13 polarssl remote code execution
- [19 Jan 2015] ASA-201501-12 libssh denial of service
- [19 Jan 2015] ASA-201501-11 tinyproxy denial of service
- [19 Jan 2015] ASA-201501-10 samba privilege elevation
- [19 Jan 2015] ASA-201501-9 curl url request injection
- [15 Jan 2015] ASA-201501-8 flashplugin multiple issues
- [14 Jan 2015] ASA-201501-7 thunderbird multiple issues
- [14 Jan 2015] ASA-201501-6 firefox multiple issues
- [14 Jan 2015] ASA-201501-5 cpio heap buffer overflow
- [13 Jan 2015] ASA-201501-4 libevent heap overflow
- [10 Jan 2015] ASA-201501-3 unzip arbitrary code execution
- [09 Jan 2015] ASA-201501-2 openssl multiple issues
- [07 Jan 2015] ASA-201501-1 imagemagick multiple issues
Dec 2014
- [22 Dec 2014] ASA-201412-24 ntp multiple issues
- [18 Dec 2014] ASA-201412-23 php use after free
- [18 Dec 2014] ASA-201412-22 jasper arbitrary code execution
- [18 Dec 2014] ASA-201412-21 glibc arbitrary code execution
- [16 Dec 2014] ASA-201412-20 unrtf arbitrary code execution
- [16 Dec 2014] ASA-201412-19 dokuwiki cross-site scripting
- [16 Dec 2014] ASA-201412-18 nss signature forgery
- [16 Dec 2014] ASA-201412-17 subversion denial of service
- [15 Dec 2014] ASA-201412-16 docker multiple issues
- [15 Dec 2014] ASA-201412-15 python2 multiple issues
- [12 Dec 2014] ASA-201412-14 xorg-server multiple issues
- [12 Dec 2014] ASA-201412-13 flashplugin multiple issues
- [12 Dec 2014] ASA-201412-12 nvidia arbitrary code execution
- [12 Dec 2014] ASA-201412-11 nvidia-340xx arbitrary code execution
- [12 Dec 2014] ASA-201412-10 nvidia-304xx arbitrary code execution
- [09 Dec 2014] ASA-201412-9 powerdns-recursor denial of service
- [09 Dec 2014] ASA-201412-8 unbound denial of service
- [08 Dec 2014] ASA-201412-7 bind denial of service
- [08 Dec 2014] ASA-201412-6 mantisbt multiple issues
- [04 Dec 2014] ASA-201412-5 antiword buffer overflow
- [03 Dec 2014] ASA-201412-4 graphviz format string vulnerability
- [03 Dec 2014] ASA-201412-3 firefox multiple issues
- [02 Dec 2014] ASA-201412-2 openvpn denial of service
- [01 Dec 2014] ASA-201412-1 gnupg denial of service
Nov 2014
- [28 Nov 2014] ASA-201411-31 libksba denial of service
- [28 Nov 2014] ASA-201411-32 icecast information leak
- [28 Nov 2014] ASA-201411-33 libjpeg-turbo denial of service
- [26 Nov 2014] ASA-201411-30 flac arbitrary code execution
- [26 Nov 2014] ASA-201411-29 pcre heap buffer overflow
- [23 Nov 2014] ASA-201411-28 dbus denial of service
- [21 Nov 2014] ASA-201411-27 glibc command execution
- [20 Nov 2014] ASA-201411-26 chromium multiple issues
- [20 Nov 2014] ASA-201411-25 drupal session hijacking and denial of service
- [20 Nov 2014] ASA-201411-24 wireshark-qt denial of service
- [20 Nov 2014] ASA-201411-23 wireshark-gtk denial of service
- [20 Nov 2014] ASA-201411-22 wireshark-cli denial of service
- [20 Nov 2014] ASA-201411-21 clamav denial of service
- [19 Nov 2014] ASA-201411-20 avr-binutils multiple issues
- [19 Nov 2014] ASA-201411-19 mingw-w64-binutils multiple issues
- [19 Nov 2014] ASA-201411-18 arm-none-eabi-binutils multiple issues
- [19 Nov 2014] ASA-201411-17 binutils multiple issues
- [17 Nov 2014] ASA-201411-16 ruby denial of service
- [17 Nov 2014] ASA-201411-15 linux-lts local denial of service, privilege escalation
- [17 Nov 2014] ASA-201411-14 linux local denial of service, privilege escalation
- [13 Nov 2014] ASA-201411-13 php denial of service
- [13 Nov 2014] ASA-201411-12 imagemagick denial of service
- [13 Nov 2014] ASA-201411-11 flashplugin remote code execution
- [12 Nov 2014] ASA-201411-10 gnutls out-of-bounds memory write
- [12 Nov 2014] ASA-201411-9 file denial of service through out-of-bounds read
- [12 Nov 2014] ASA-201411-8 mantisbt arbitrary code execution and unrestricted access
- [11 Nov 2014] ASA-201411-7 curl out-of-bounds read
- [10 Nov 2014] ASA-201411-6 kdebase-workspace local privilege escalation
- [09 Nov 2014] ASA-201411-5 konversation denial of service
- [06 Nov 2014] ASA-201411-4 polarssl multiple issues
- [05 Nov 2014] ASA-201411-3 mantisbt sql injection
- [03 Nov 2014] ASA-201411-2 aircrack-ng multiple vulnerabilities
- [01 Nov 2014] ASA-201411-1 tnftp arbitrary command execution
Oct 2014
- [29 Oct 2014] ASA-201410-14 wget arbitrary filesystem access
- [27 Oct 2014] ASA-201410-13 ejabberd circumvention of encryption
- [24 Oct 2014] ASA-201410-12 libxml2 denial of service
- [24 Oct 2014] ASA-201410-11 ctags denial of service
- [23 Oct 2014] ASA-201410-10 libvncserver remote code execution and remote denial of service
- [22 Oct 2014] ASA-201410-9 libpurple remote denial of service and information leakage
- [20 Oct 2014] ASA-201410-8 wpa_supplicant, hostapd arbitrary command execution
- [16 Oct 2014] ASA-201410-7 drupal SQL injection
- [16 Oct 2014] ASA-201410-6 openssl memory leak and POODLE mitigation
- [15 Oct 2014] ASA-201410-4 zeromq man-in-the-middle downgrade and replay attack
- [08 Oct 2014] ASA-201410-5 rsyslog denial of service
- [04 Oct 2014] ASA-201410-3 mediawiki cross-site scripting (XSS) and UI redressing
- [02 Oct 2014] ASA-201410-2 jenkins multiple issues
- [01 Oct 2014] ASA-201410-1 rsyslog remote denial of service
Sep 2014
- [29 Sep 2014] ASA-201409-5 libvirt out-of-bounds read access
- [29 Sep 2014] ASA-201409-4 mediawiki cross-site scripting (XSS)
- [26 Sep 2014] ASA-201409-3 python2 information leakage through integer overflow
- [26 Sep 2014] ASA-201409-2 bash remote code execution
- [25 Sep 2014] ASA-201409-1 nss signature forgery attack
Publishing a new advisory
We always try to wait until the vulnerability has been fixed in the corresponding package before issuing an advisory. For an extremely critical vulnerability we may issue an advisory before the package has been fixed, but only if a work-around exists.
If you want to publish a new advisory, please check that:
- the corresponding Arch Linux package is really vulnerable;
- no Arch Linux Security Advisory for this vulnerability has been published yet;
- no upcoming Security Advisory for this vulnerability has been claimed in the "Scheduled Advisories" list of this page, as that would mean someone is already working on an advisory;
- the current maintainer has been notified, either by flagging the package out-of-date if an upstream release fixing the issue exists and/or by creating a new bug-tracker entry (see the exact procedure here).
You may then:
- add a line to the "Scheduled Advisories" list of this page, indicating that you are going to publish an advisory soon;
- use the following template as an example to write the advisory;
- send the advisory to the arch-security mailing list (a PGP-signed e-mail is appreciated, but not required);
- move the published advisory from "Scheduled Advisories" to "Recent Advisories";
- update the CVE tracking page for the fixed package and add a link to the appropriate ASA.
Templates
```
Subject: [ASA-<YYYYMM-N>] <Package>: <Vulnerability Type>

Body:

Arch Linux Security Advisory ASA-YYYYMM-N
=========================================

Severity: Low, Medium, High, Critical
Date    : YYYY-MM-DD
CVE-ID  : <CVE-ID>
Package : <package>
Type    : <Vulnerability Type>
Remote  : <Yes/No>
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package <package> before version <Arch Linux fixed version> is vulnerable to <Vulnerability type>.

Resolution
==========

Upgrade to <Arch Linux fixed version>.

# pacman -Syu "<package>>=<Arch Linux fixed version>"

The problem has been fixed upstream in version <upstream fixed version>.

Workaround
==========

<Is there a way to mitigate this vulnerability without upgrading?>

Description
===========

<Long description, for example from original advisory>.

Impact
======

<What is it that an attacker can do? Does this need existing pre-conditions to be exploited (valid credentials, physical access)? Is this remotely exploitable?>.

References
==========

<CVE-Link>
<Upstream report>
<Arch Linux Bug-Tracker>
```
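An added example, not part of this wiki page or of any ACMT tooling: a small Python round trip that fills the template above from a set of fields and then lints the result against the template's rules (ASA id and Date agree on year and month, Severity and Remote take only the listed values, CVE-ID has the CVE-YYYY-NNNN shape, every section is present, and the pacman line names the Package and the fixed version stated in Summary). The package name, versions and CVE id in the sample are constructed placeholders.

```python
import re
HEADER = ("Severity", "Date", "CVE-ID", "Package", "Type", "Remote", "Link")
SECTIONS = ("Summary", "Resolution", "Workaround", "Description", "Impact", "References")

def render_advisory(h, body):
    """Fill the ASA template with header fields h and section texts body."""
    out = ["Arch Linux Security Advisory " + h["ID"], "=" * 41]
    out += ["%-8s: %s" % (k, h[k]) for k in HEADER]
    for name in SECTIONS:
        out += ["", name, "=" * len(name), "", body[name]]
    return "\n".join(out) + "\n"

def parse_advisory(text):
    """Inverse of render_advisory: header fields (plus ID) and named sections."""
    parts = re.split(r"^(%s)\n=+\n" % "|".join(SECTIONS), text, flags=re.M)
    sections = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts), 2)}
    fields = dict(re.findall(r"^([\w-]+)\s*:\s*(.+)$", parts[0], re.M))
    asa = re.search(r"^Arch Linux Security Advisory (ASA-\d{6}-\d+)$", parts[0], re.M)
    fields["ID"] = asa.group(1) if asa else ""
    return fields, sections

def lint_advisory(text):
    """Return the template rules the advisory violates (empty list means clean)."""
    f, s = parse_advisory(text)
    date = f.get("Date", "")
    fixed = re.search(r"before version (\S+) is vulnerable to", s.get("Summary", ""))
    cmd = re.search(r'# pacman -Syu "([^>"]+)>=([^"]+)"', s.get("Resolution", ""))
    checks = [
        (re.fullmatch(r"\d{4}-\d{2}-\d{2}", date) and f["ID"][4:10] == date[:4] + date[5:7],
         "ASA-YYYYMM-N id must agree with a YYYY-MM-DD Date"),
        (f.get("Severity") in ("Low", "Medium", "High", "Critical"), "Severity must be Low, Medium, High or Critical"),
        (re.fullmatch(r"CVE-\d{4}-\d{4,}(,? CVE-\d{4}-\d{4,})*", f.get("CVE-ID", "")), "CVE-ID must list CVE-YYYY-NNNN ids"),
        (f.get("Remote") in ("Yes", "No"), "Remote must be Yes or No"),
        (all(s.get(n) for n in SECTIONS), "every template section must be present and non-empty"),
        (fixed and cmd and cmd.group(1) == f.get("Package") and cmd.group(2) == fixed.group(1),
         "the pacman -Syu line must name the Package and the fixed version stated in Summary"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample (package, versions and CVE id are placeholders, not a real advisory).
SAMPLE_HEADER = {"ID": "ASA-201502-99", "Severity": "High", "Date": "2015-02-20",
                 "CVE-ID": "CVE-2015-0001", "Package": "examplepkg", "Type": "remote code execution",
                 "Remote": "Yes", "Link": "https://wiki.archlinux.org/index.php/CVE"}
SAMPLE_BODY = {
    "Summary": "The package examplepkg before version 1.2.3-1 is vulnerable to remote code execution.",
    "Resolution": 'Upgrade to 1.2.3-1.\n\n# pacman -Syu "examplepkg>=1.2.3-1"\n\nFixed upstream in version 1.2.3.',
    "Workaround": "None known.", "Description": "Constructed description.",
    "Impact": "Constructed impact statement.", "References": "https://example.invalid/constructed-report",
}
```

Running `lint_advisory(render_advisory(SAMPLE_HEADER, SAMPLE_BODY))` yields an empty list; changing the pacman version or the Remote value produces the corresponding rule text.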
Vim-Snippet
Snippet for the vim-ultisnips plugin that makes completing the Arch Linux template easy. Install vim-ultisnips and copy the text below into your ~/.vim/UltiSnips/all.snippets; you can then jump through the tabstops with CTRL+j.
```
snippet archsec "arch security form"
Arch Linux Security Advisory ASA-`date -u +%Y%m`-${1}
=========================================

Severity: ${2}
Date    : `date -I -u`
CVE-ID  : ${3}
Package : ${4}
Type    : ${5}
Remote  : ${6}
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

${7}

Resolution
==========

${8}

Workaround
==========

${9}

Description
===========

${10}

Impact
======

${11}

References
==========

${12}
endsnippet
```

The advisory id is built with `date -u +%Y%m` so that it carries both year and month, as the ASA-YYYYMM-N format requires; extracting only a four-digit run from `date -I -u` would yield the year alone.