(Sorry for the spam, ugh!)
Looking at the ChangeLog at $URL, I see two things that appear security-related.
Fixed in 3.9.3
- Fix NULL pointer dereference in conf file parser. Problem will arise for all
interfaces that at one point might not have an address.
Fixed in 3.9.5
- Ported from pimd after CVE-2011-0007: Insecure file creation in /var/tmp.
"On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route
table. Since /var/tmp is writable by any user, a user can create a symlink to any
file he wants to destroy with the content of the multicast routing table."
Stumbled upon this.
Arch teams, please test and mark stable:
Target KEYWORDS="amd64 ppc x86"
Thanks, everyone. GLSA Vote: Yes.
Vote: YES. New GLSA request filed.
Can one of our new scouts check if there is a CVE for this and request one if
there is none?
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).
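
The symlink problem quoted above from the CVE-2011-0007 description, shown as an added example; this is not code from pimd, mrouted or the upstream fix. The function names and the constructed victim/dump files in a private temporary directory are hypothetical. It puts the vulnerable open beside one way to harden it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: fopen("w") follows a symlink and truncates its target. */
static FILE *open_dump_unsafe(const char *path) { return fopen(path, "w"); }

/* Hardened pattern: remove whatever sits at the path (unlink never follows a
 * symlink), then create exclusively. If something reappears in between,
 * O_EXCL makes open() fail instead of writing through it. */
static FILE *open_dump_safe(const char *path)
{
    if (unlink(path) != 0 && errno != ENOENT) return NULL;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) close(fd);
    return fp;
}

/* Constructed scenario: "dump" is a symlink to "victim". Returns 1 if victim
 * survives the dump, 0 if it was overwritten, -1 on setup failure. */
int victim_survives(int use_safe)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dump[64], buf[32] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/dump", dir);
    FILE *fp = fopen(victim, "w");
    if (!fp) return -1;
    fputs("important", fp);
    fclose(fp);
    if (symlink(victim, dump) != 0) return -1;
    fp = use_safe ? open_dump_safe(dump) : open_dump_unsafe(dump);
    if (fp) { fputs("route table", fp); fclose(fp); }
    fp = fopen(victim, "r");
    if (fp) { if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0'; fclose(fp); }
    unlink(dump); unlink(victim); rmdir(dir);
    return strcmp(buf, "important") == 0;
}

int main(void)
{
    printf("unsafe: victim intact = %d\n", victim_survives(0));
    printf("safe:   victim intact = %d\n", victim_survives(1));
    return 0;
}
```

Writing the dump into a directory that only the daemon's user can write to removes the precondition entirely; the flags above cover the case where the path has to stay in a shared directory.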