From vmiklos at frugalware.org Wed Sep 24 13:34:53 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Sep 24 13:34:53 2008 Subject: [Frugalware-security] [ FSA-526 ] phpmyadmin Message-ID: <20080924113453.2A6551190001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-526 Date: 2008-09-21 Package: phpmyadmin Vulnerable versions: <= 2.11.8.1-1 Unaffected versions: >= 2.11.9.1-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3352 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4096 Description =========== Norman Hippert has reported a vulnerability in phpMyAdmin, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "sort_by" parameter in server_databases.php is not properly sanitised before being used. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials. Updated Packages ================ Check if you have phpmyadmin installed: # pacman-g2 -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman-g2 -Sy phpmyadmin Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/526 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkjaJd0ACgkQZ7NElSD1Vhmt5QCdHoAfvK5SZVhbUrfh159dHDot ce8AnAk9a0Z7jjI5Izo+NIfRuulVXUYc =a/6V -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Sep 24 13:35:16 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Sep 24 13:35:18 2008 Subject: [Frugalware-security] [ FSA-527 ] bitlbee Message-ID: <20080924113517.014CC1190001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-527 Date: 2008-09-24 Package: bitlbee Vulnerable versions: <= 1.2.2-1 Unaffected versions: >= 1.2.3-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3344 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3969 Description =========== A security issue has been reported in BitlBee, which can be exploited by malicious people to bypass certain security restrictions and hijack accounts. The security issue is caused due to an unspecified error, which can be exploited to overwrite existing accounts. Updated Packages ================ Check if you have bitlbee installed: # pacman-g2 -Q bitlbee If found, then you should upgrade to the latest version: # pacman-g2 -Sy bitlbee Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/527 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkjaJfQACgkQZ7NElSD1VhktHwCgiDuxbEYp9N2bmZ7acBM7/hLu 8fcAn21v+L95hTj7UQargkquRzHsXzX9 =i+AG -----END PGP SIGNATURE----- From vmiklos at frugalware.org Fri Sep 26 22:59:14 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Fri Sep 26 22:59:20 2008 Subject: [Frugalware-security] [ FSA-528 ] phpmyadmin Message-ID: <20080926205914.6B4C61190001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-528 Date: 2008-09-26 Package: phpmyadmin Vulnerable versions: <= 2.11.9.1-1solaria1 Unaffected versions: >= 2.11.9.2-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3361 CVE: There is no CVE for this issue yet, see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-8. Description =========== A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. An error exists in the "PMA_escapeJsString()" function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user's browser session in context of an affected site when e.g. Microsoft Internet Explorer is used. Updated Packages ================ Check if you have phpmyadmin installed: # pacman-g2 -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman-g2 -Sy phpmyadmin Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/528 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkjdTSIACgkQZ7NElSD1VhlOEACfed9Yq6QkzQAp9BXb/KIny74s pdAAn1S6nrhYSzV+Sji+yT4wCU4KV23u =16I/ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Fri Sep 26 23:03:45 2008 From: vmiklos at frugalware.org (Miklos Vajna) Date: Fri Sep 26 23:03:47 2008 Subject: [Frugalware-security] [ FSA-529 ] drupal-simplenews Message-ID: <20080926210345.878151190001@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-529 Date: 2008-09-26 Package: drupal-simplenews Vulnerable versions: <= 5.x_1.4-1 Unaffected versions: >= 5.x_1.5-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3362 CVE: There is no CVE for this issue yet, see http://drupal.org/node/312944. Description =========== A vulnerability has been reported in the Simplenews module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed as Newsletter categories is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires valid user credentials with the "administer taxonomy" permission. Updated Packages ================ Check if you have drupal-simplenews installed: # pacman-g2 -Q drupal-simplenews If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal-simplenews Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/529 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkjdTjEACgkQZ7NElSD1VhlhRwCglQzNF1PmeN1+Hzr4PsOz094S 5VgAn0aQDYeU5BpJVcLZ4r9XfmZmECU1 =TymW -----END PGP SIGNATURE-----