Debian has issued an advisory today (August 8):
https://lists.debian.org/debian-security-announce/2016/msg00222.html

The DSA will hopefully be posted here:
https://www.debian.org/security/2016/dsa-3644

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated fontconfig packages fix security vulnerability:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation (CVE-2016-5384).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384
https://lists.debian.org/debian-security-announce/2016/msg00222.html
========================

Updated packages in core/updates_testing:
========================
fontconfig-2.11.1-4.1.mga5
libfontconfig1-2.11.1-4.1.mga5
libfontconfig-devel-2.11.1-4.1.mga5

from fontconfig-2.11.1-4.1.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/696807/
MGA5-32 on Acer D620 Xfce
No installation issues
Used at CLI
$ fc-scan /usr/share/fonts/75dpi/courR24-ISO8859-1.pcf.gz
and got same result before and after the update.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Confirmed Herman's results for 64-bits, before and after update.
CC: (none) => tarazed25
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Update validated, and Advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0287.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED