From vmiklos at frugalware.org Sun Jul 26 13:31:08 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 26 Jul 2009 13:31:08 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-611 ] phpmyadmin
Message-ID: <20090726113108.9F5DC11F063F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-611

Date: 2009-07-26
Package: phpmyadmin
Vulnerable versions: <= 3.1.3.2-1anacreon1
Unaffected versions: >= 3.2.0.1-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3839
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2284

Description
===========

A vulnerability has been reported in phpMyAdmin, which can be exploited by
malicious users to conduct script insertion attacks.

Certain input to SQL bookmarks is not properly sanitised before being used.
This can be exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in the context of an affected site when
the malicious data is viewed.
Updated Packages
================

Check if you have phpmyadmin installed:

# pacman-g2 -Q phpmyadmin

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy phpmyadmin

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/611

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkpsPnwACgkQZ7NElSD1Vhnx7ACcDzDq2l7PBy2WBk7F1eawgahR
DbIAnR0fciskD7DUhf+V1/x876Q5Bg2o
=Q/mY
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Jul 26 13:34:50 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 26 Jul 2009 13:34:50 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-612 ] wordpress
Message-ID: <20090726113450.6738C11F063F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-612

Date: 2009-07-26
Package: wordpress
Vulnerable versions: <= 2.8.1-1anacreon1
Unaffected versions: >= 2.8.2-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3873
CVE: No CVE references, see http://wordpress.org/development/2009/07/wordpress-2-8-2/

Description
===========

A vulnerability has been reported in WordPress, which can be exploited by
malicious people to conduct script insertion attacks.

Input passed via the comment author URL is not properly sanitised before being
used. This can be exploited to insert arbitrary HTML and script code, which is
executed in a user's browser session in the context of an affected website
when the malicious data is viewed.
Updated Packages
================

Check if you have wordpress installed:

# pacman-g2 -Q wordpress

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wordpress

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/612

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkpsP1oACgkQZ7NElSD1Vhm6LACffQcfiLaxXFpXgP2lDnAis+w+
5ccAoKZCnLLDjrTAP4hFs0C/OOatKTmy
=HEpZ
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Jul 26 13:38:12 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 26 Jul 2009 13:38:12 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-613 ] wireshark
Message-ID: <20090726113812.4E73411F063F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-613

Date: 2009-07-26
Package: wireshark
Vulnerable versions: <= 1.0.8-1anacreon1
Unaffected versions: >= 1.2.1-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3872
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2563

Description
===========

Some vulnerabilities have been reported in Wireshark, which can be exploited
by malicious people to cause a DoS (Denial of Service).

1) An array indexing error in the IPMI dissector can be exploited to cause a
crash via a specially crafted network packet.

2) Errors in the Bluetooth L2CAP, RADIUS, MIOP, and sFlow dissectors can be
exploited to cause crashes or hangs via specially crafted network packets.

3) An error in the AFS dissector can be exploited to cause a crash via a
specially crafted network packet.
4) An error in the Infiniband dissector can be exploited to cause a crash on
certain platforms via a specially crafted network packet.

Updated Packages
================

Check if you have wireshark installed:

# pacman-g2 -Q wireshark

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wireshark

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/613

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkpsQCQACgkQZ7NElSD1Vhk6rwCdG3nvj7kM6eTT7SsIoryJWO/6
8T4AoINMGHO7ZpjYT+QYl0/nv3PtF36D
=QF2o
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Jul 26 13:41:33 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 26 Jul 2009 13:41:33 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-614 ] drupal6-img_assist
Message-ID: <20090726114133.DDBE011F063F@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-614

Date: 2009-07-26
Package: drupal6-img_assist
Vulnerable versions: <= 6.x_1.0-1
Unaffected versions: >= 6.x_1.1-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3876
CVE: No CVE references, see http://drupal.org/node/520564

Description
===========

Some vulnerabilities have been reported in the Image Assist module for Drupal,
which can be exploited by malicious users to conduct script insertion attacks
or to disclose potentially sensitive information.

1) Input passed to the node title is not properly sanitised before being used.
This can be exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in the context of an affected site when
the malicious data is viewed.

2) Certain pages do not properly check the required access permissions, which
can be exploited to view the title and body of arbitrary nodes.
Updated Packages
================

Check if you have drupal6-img_assist installed:

# pacman-g2 -Q drupal6-img_assist

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-img_assist

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/614

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkpsQO0ACgkQZ7NElSD1VhkhcgCbBotPUG+RPxQfSYgkltcrCeXI
vfUAoJfVSQpfcdz2gUgORXkpCg3GW5DQ
=aE8/
-----END PGP SIGNATURE-----
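The check-then-upgrade procedure that each of the four advisories above gives (pacman-g2 -Q, then pacman-g2 -Sy) as an added shell example; this is not part of the Frugalware advisories or of pacman-g2. It compares an installed version against the advisory's first unaffected version in the "pkgver-release" form the advisories use, and it assumes that "pacman-g2 -Q pkg" prints "pkg version" on one line when the package is installed; it only reports the upgrade, never runs it.

```shell
# Added example, not part of the Frugalware advisories: compare an installed
# pacman-g2 package version against an advisory's first unaffected version.
# Versions take the "pkgver-release" form of the advisories, e.g.
# 3.1.3.2-1anacreon1 or 6.x_1.0-1.

# vercmp A B: prints "lt", "eq" or "gt" for A relative to B. Fields are split
# on '.', '_' and '-'; two numeric fields compare as numbers (1.10 > 1.9),
# anything else as plain strings.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, "[._-]"); nb = split(b, fb, "[._-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] : ""; y = (i <= nb) ? fb[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print "lt"; exit }
            if (x > y) { print "gt"; exit }
        }
        print "eq"
    }'
}

# needs_upgrade INSTALLED UNAFFECTED: succeeds when INSTALLED is still older
# than the first unaffected version, i.e. inside the vulnerable range.
needs_upgrade() {
    [ "$(vercmp "$1" "$2")" = lt ]
}

# check_advisory PKG UNAFFECTED: report the state of one package.
# Assumption: "pacman-g2 -Q PKG" prints "PKG VERSION" when PKG is installed
# and nothing on stdout otherwise. The upgrade command is only suggested.
check_advisory() {
    pkg=$1; fixed=$2
    installed=$(pacman-g2 -Q "$pkg" 2>/dev/null | awk '{ print $2 }')
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"
    elif needs_upgrade "$installed" "$fixed"; then
        echo "$pkg: $installed is vulnerable, run: pacman-g2 -Sy $pkg"
    else
        echo "$pkg: $installed is not affected"
    fi
}
# The four advisories above: package and first unaffected version.
check_all() {
    check_advisory phpmyadmin 3.2.0.1-1anacreon1           # FSA-611
    check_advisory wordpress 2.8.2-1anacreon1              # FSA-612
    check_advisory wireshark 1.2.1-1anacreon1              # FSA-613
    check_advisory drupal6-img_assist 6.x_1.1-1anacreon1   # FSA-614
}
check_all
```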