From vmiklos at frugalware.org Tue Jan 13 16:04:11 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue Jan 13 16:04:14 2009 Subject: [Frugalware-security] [ FSA-564 ] phpmyadmin Message-ID: <20090113150411.A841911B862F@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-564 Date: 2009-01-13 Package: phpmyadmin Vulnerable versions: <= 2.11.9.3-1solaria1 Unaffected versions: >= 2.11.9.4-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3548 CVE: No CVE, see http://sourceforge.net/forum/forum.php?forum_id=896047. Description =========== This fixes an SQL injection, see http://www.milw0rm.com/exploits/7382 for more info. Updated Packages ================ Check if you have phpmyadmin installed: # pacman-g2 -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman-g2 -Sy phpmyadmin Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/564 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAklsrWsACgkQZ7NElSD1VhlKdgCffGDolJJ4f1FAVBGKTEpHVP9N c34AoIDaB7zYAB5Br2fdnCYYtMxo6IV3 =PxnJ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:41:32 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:41:34 2009 Subject: [Frugalware-security] [ FSA-565 ] drupal-i18n Message-ID: <20090121214132.D4B6D11B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-565 Date: 2009-01-21 Package: drupal-i18n Vulnerable versions: <= 5.x_2.4-1 Unaffected versions: >= 5.x_2.5-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3573 CVE: No CVE, see http://drupal.org/node/358958. Description =========== A vulnerability has been reported in the Internationalization (i18n) Translation module for Drupal, which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to an unspecified error, which can be exploited to view the content of unpublished nodes without requiring any additional permissions to do so. Successful exploitation of this vulnerability requires the "translate node" permission. Updated Packages ================ Check if you have drupal-i18n installed: # pacman-g2 -Q drupal-i18n If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal-i18n Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/565 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3lowACgkQZ7NElSD1VhkozgCbBe35XAlF2hZk2hRsrzudl8uG of8AnjsnmadgEAyxDRJPC6f0YdylIt74 =RssN -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:44:24 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:44:27 2009 Subject: [Frugalware-security] [ FSA-566 ] drupal Message-ID: <20090121214424.9F25411B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-566 Date: 2009-01-21 Package: drupal Vulnerable versions: <= 5.13-1solaria1 Unaffected versions: >= 5.15-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3571 CVE: No CVE, see http://drupal.org/node/358957. Description =========== A security issue has been reported in Drupal, which can potentially be exploited by malicious people to conduct SQL injection attacks. Unspecified Input passed to the Node Access API is not properly sanitised before being used in an SQL query. This can potentially be exploited to manipulate SQL queries by injecting arbitrary SQL code. NOTE: This is only a risk in combination with a contributed module. Updated Packages ================ Check if you have drupal installed: # pacman-g2 -Q drupal If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/566 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3lzgACgkQZ7NElSD1VhkWiwCfXNc9nBsXI5IgaVWIJzQSXiLN c9gAmwUAK1wJvHsCQH10eA3bEgXgCJ3W =Oj69 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:46:46 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:46:48 2009 Subject: [Frugalware-security] [ FSA-567 ] drupal6 Message-ID: <20090121214646.BA24E11B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-567 Date: 2009-01-21 Package: drupal6 Vulnerable versions: <= 6.7-1solaria1 Unaffected versions: >= 6.9-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3572 CVE: No CVE, see http://drupal.org/node/358957. Description =========== A vulnerability has been reported in the Content Translation module for Drupal, which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to an unspecified error, which can be exploited to bypass normal viewing access restrictions and e.g. view the content of unpublished nodes without requiring any additional permissions to do so. Successful exploitation of this vulnerability requires the "translate content" permission. Updated Packages ================ Check if you have drupal6 installed: # pacman-g2 -Q drupal6 If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal6 Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/567 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3l8YACgkQZ7NElSD1VhkoqwCeLpsvs57K9736MIYwVR5nNZ5g giMAoIPMBECnpc+MMmzvOX+Fs9Sp3J7w =waQj -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:49:25 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:49:27 2009 Subject: [Frugalware-security] [ FSA-568 ] rails Message-ID: <20090121214925.84B2711B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-568 Date: 2009-01-21 Package: rails Vulnerable versions: <= 2.1.0-1 Unaffected versions: >= 2.1.1-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3368 CVE: No CVE, see http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1. Description =========== Some vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to conduct SQL injection attacks. The vulnerabilities are caused due to Active Record not properly sanitising the ":offset" and ":limit" parameters before using them in SQL queries. This can be exploited to manipulate SQL queries by injecting SQL code. Updated Packages ================ Check if you have rails installed: # pacman-g2 -Q rails If found, then you should upgrade to the latest version: # pacman-g2 -Sy rails Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/568 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3mGUACgkQZ7NElSD1VhlsowCfV2JRus7JNeKhxrp20v8j3p2d SI0AniolsrC+NvTfXesoTDn6hZgZBdPL =VYvJ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:51:50 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:51:52 2009 Subject: [Frugalware-security] [ FSA-569 ] ndiswrapper Message-ID: <20090121215150.5F1E211B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-569 Date: 2009-01-21 Package: ndiswrapper Vulnerable versions: <= 1.53-6solaria1 Unaffected versions: >= 1.53-6solaria2 Related bugreport: http://bugs.frugalware.org/task/3383 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4395 Description =========== Multiple buffer overflows in the ndiswrapper module 1.53 for the Linux kernel 2.6 allow remote attackers to execute arbitrary code by sending packets over a local wireless network that specify long ESSIDs. Updated Packages ================ Check if you have ndiswrapper installed: # pacman-g2 -Q ndiswrapper If found, then you should upgrade to the latest version: # pacman-g2 -Sy ndiswrapper Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/569 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3mPYACgkQZ7NElSD1Vhn6ugCcCbAbINizYSnArf1SFqtfo7Tv RHYAoIjycFoc/u+Dxq7FAvBaTQAFJLVw =XTsN -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:54:11 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:54:13 2009 Subject: [Frugalware-security] [ FSA-570 ] graphviz Message-ID: <20090121215411.2FB1B11B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-570 Date: 2009-01-21 Package: graphviz Vulnerable versions: <= 2.20.2-1 Unaffected versions: >= 2.20.3-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3413 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4555 Description =========== Roee Hay has discovered a vulnerability in Graphviz, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "push_subg()" function in lib/graph/parser.c, which can be exploited to cause a memory corruption and potentially execute arbitrary code by e.g. tricking a user into processing a specially crafted dot file. Updated Packages ================ Check if you have graphviz installed: # pacman-g2 -Q graphviz If found, then you should upgrade to the latest version: # pacman-g2 -Sy graphviz Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/570 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3mYMACgkQZ7NElSD1VhlmOQCdHWSnrcwcpkbhrxpAOy+KzzR4 myoAoIKTHdaOZdpB7nfGg06Zp6tl84ek =TGd3 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 22:57:13 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 22:57:15 2009 Subject: [Frugalware-security] [ FSA-571 ] thunderbird Message-ID: <20090121215713.B464911B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-571 Date: 2009-01-21 Package: thunderbird Vulnerable versions: <= 2.0.0.17-1 Unaffected versions: >= 2.0.0.18-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3465 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5014 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5017 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5018 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5022 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5024 Description =========== Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or compromise a user's system. 1) Several vulnerabilities can be exploited to disclose sensitive information, bypass certain security restrictions, or compromise a user's system. 2) An error exists while processing JavaScript code embedded in email messages. This can be exploited to disclose the mailbox URI of the recipient via the ".documentURI" DOM property, or to potentially disclose comments placed in a forwarded email via the ".textContent" DOM property. Updated Packages ================ Check if you have thunderbird installed: # pacman-g2 -Q thunderbird If found, then you should upgrade to the latest version: # pacman-g2 -Sy thunderbird Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/571 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3mjkACgkQZ7NElSD1Vhl1AACbBScTYMylArhijE+9u9U1JoEy q8gAmgPYkrDHU9R9QNFF/WZ42jfJCr9h =nxez -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 23:43:33 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 23:43:36 2009 Subject: [Frugalware-security] [ FSA-572 ] mantis Message-ID: <20090121224333.CDDB111B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-572 Date: 2009-01-21 Package: mantis Vulnerable versions: <= 1.1.4-1solaria1 Unaffected versions: >= 1.1.5-1solaria1 Related bugreport: http://bugs.frugalware.org/task/3490 CVE: No CVE, see http://www.mantisbt.org/blog/?p=22. Description =========== This release solves more issues relating to the security fixes introduced by 1.1.3. Updated Packages ================ Check if you have mantis installed: # pacman-g2 -Q mantis If found, then you should upgrade to the latest version: # pacman-g2 -Sy mantis Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/572 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3pRUACgkQZ7NElSD1VhkDzQCfXr4H31JrLNmIRAvukhIHuiWR rXsAn3BSKkdFoCQy2Y5dhGNfINMlC5Ae =KZ92 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 23:46:11 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 23:46:15 2009 Subject: [Frugalware-security] [ FSA-573 ] mplayer Message-ID: <20090121224611.CE3BB11B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-573 Date: 2009-01-21 Package: mplayer Vulnerable versions: <= 1.0rc2-7solaria1 Unaffected versions: >= 1.0rc2-7solaria2 Related bugreport: http://bugs.frugalware.org/task/3524 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5616 Description =========== Tobias Klein has reported a vulnerability in MPlayer, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "demux_open_vqf()" function in libmpdemux/demux_vqf.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted TwinVQ file. Successful exploitation may allow execution of arbitrary code. Updated Packages ================ Check if you have mplayer installed: # pacman-g2 -Q mplayer If found, then you should upgrade to the latest version: # pacman-g2 -Sy mplayer Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/573 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3pbMACgkQZ7NElSD1VhnYzACglPY193BOUa04lw6r6J3xk79N knYAn3Wl1lEnt2Dh8obBGb8BxdoG27+A =kLRq -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 23:50:04 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 23:50:06 2009 Subject: [Frugalware-security] [ FSA-574 ] kernel Message-ID: <20090121225004.046FE11B8632@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-574 Date: 2009-01-21 Package: kernel Vulnerable versions: <= 2.6.26-2solaria1 Unaffected versions: >= 2.6.26-2solaria2 Related bugreport: http://bugs.frugalware.org/task/3527 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079 Description =========== A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to the "svc_listen()" function in net/atm/svc.c allowing users to create unassigned PVC/SVC entries by calling the function multiple times on a socket. This can be exploited to trigger an infinite loop within the "__vcc_walk()" function in net/atm/proc.c by creating unassigned entries and then e.g. reading from /proc/net/atm/vc. Updated Packages ================ Check if you have kernel installed: # pacman-g2 -Q kernel If found, then you should upgrade to the latest version: # pacman-g2 -Sy kernel Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/574 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3ppsACgkQZ7NElSD1Vhk9bwCeIe/LWHLJdjF02SE96DDoEOOL FlgAoJE4HSQWI5nyFoidxg19zrUOwS9l =hnpQ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed Jan 21 23:53:18 2009 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed Jan 21 23:53:21 2009 Subject: [Frugalware-security] [ FSA-575 ] openssl Message-ID: <20090121225318.D4BC411B87A9@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-575 Date: 2009-01-21 Package: openssl Vulnerable versions: <= 0.9.8-14 Unaffected versions: >= 0.9.8-15solaria1 Related bugreport: http://bugs.frugalware.org/task/3557 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 Description =========== OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. Updated Packages ================ Check if you have openssl installed: # pacman-g2 -Q openssl If found, then you should upgrade to the latest version: # pacman-g2 -Sy openssl Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/575 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkl3p14ACgkQZ7NElSD1VhnwGgCfWWi2LqRor61KiQ8/L17tkioD rqgAn2Xw5Uyq5MdfoCi+8mpYINW0415i =HW5L -----END PGP SIGNATURE-----