From vmiklos at frugalware.org Sat Jun 6 13:33:28 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sat, 6 Jun 2009 13:33:28 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-608 ] squirrelmail
Message-ID: <20090606113328.1A6C811F063C@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-608

Date: 2009-06-06
Package: squirrelmail
Vulnerable versions: <= 1.4.17-2anacreon1
Unaffected versions: >= 1.4.17-3anacreon1
Related bugreport: http://bugs.frugalware.org/task/3779
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381

Description
===========

The map_yp_alias function in functions/imap_general.php in SquirrelMail
before 1.4.18 allows remote attackers to execute arbitrary commands via
shell metacharacters in a username string that is used by the ypmatch
program.

Updated Packages
================

Check if you have squirrelmail installed:

# pacman-g2 -Q squirrelmail

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy squirrelmail

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/608

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkoqVAgACgkQZ7NElSD1VhkD5ACeNwkwwLXFxRTrrzdErHZyaMGv
qLsAniazL9Wg/3ApyqD/X7Y9TUlX/dd9
=ytnO
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sat Jun 6 13:40:53 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sat, 6 Jun 2009 13:40:53 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-609 ] drupal-webform
Message-ID: <20090606114053.283E811F063C@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-609

Date: 2009-06-06
Package: drupal-webform
Vulnerable versions: <= 5.x_2.6-1
Unaffected versions: >= 5.x_2.7-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3802
CVE: No CVE references, see http://drupal.org/node/481268.

Description
===========

A vulnerability has been reported in the Webform module for Drupal, which
can be exploited by malicious people to conduct script insertion attacks.

Input passed via unspecified parameters to e.g. questionnaires, contact,
request, or registration forms, surveys, or polls is not properly
sanitised before being used. This can be exploited to insert arbitrary
HTML and script code, which will be executed in a user's browser session
in context of an affected site when the malicious data is viewed.

Updated Packages
================

Check if you have drupal-webform installed:

# pacman-g2 -Q drupal-webform

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal-webform

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/609

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkoqVcUACgkQZ7NElSD1VhlnCQCePccf9KpJpDtAkHUdWvsINfFa
OTQAniY7PHlzB+UUm0wO7F8a1UxGodvS
=gbz/
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Jun 28 13:01:30 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 28 Jun 2009 13:01:30 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-610 ] drupal6-views
Message-ID: <20090628110130.C874D634002@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-610

Date: 2009-06-28
Package: drupal6-views
Vulnerable versions: <= 6.x_2.3-1
Unaffected versions: >= 6.x_2.6-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3816
CVE: No CVE references, see http://drupal.org/node/488068.

Description
===========

Some vulnerabilities and security issues have been reported in the Views
Module for Drupal, which can be exploited by malicious users to conduct
script insertion attacks, and by malicious users and malicious people to
bypass certain security restrictions.

1) Input passed e.g. when configuring exposed filters is not properly
sanitised before being used. This can be exploited to insert arbitrary
HTML and script code, which will be executed in a user's browser session
in context of an affected site when the malicious data is viewed.

2) Input passed in view names when adding views is not properly sanitised
before being used. This can be exploited to insert arbitrary HTML and
script code, which will be executed in a user's browser session in
context of an affected site when the malicious data is viewed.

Successful exploitation requires "administer views" permissions.

3) A security issue exists due to unpublished content owned by the
anonymous user being accessible by anonymous users.

4) An error in the generation of queries can result in users being able
to access private content.

Updated Packages
================

Check if you have drupal6-views installed:

# pacman-g2 -Q drupal6-views

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-views

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/610

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkpHTYoACgkQZ7NElSD1VhlkkACfcWvTB/d/eOm0QKUaroMJyNQM
nX4AoKSOIYqUzKK5HOuJu0E7hHkabFeq
=lPVU
-----END PGP SIGNATURE-----
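Each of the three advisories above ends with the same two-step procedure: query the package with `pacman-g2 -Q` and upgrade it if present. The script below is an added example, not part of the Frugalware advisories or of pacman-g2, that turns the "Unaffected versions" lines of FSA-608, FSA-609 and FSA-610 into a small table and compares it against installed versions, so an administrator can see in one pass which of the three packages still needs the `pacman-g2 -Sy` step. It assumes that `pacman-g2 -Q` prints one `name version` pair per line (as pacman does) and that GNU `sort -V` is available for version ordering; the `SAMPLE_INSTALLED` lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the Frugalware advisories): compare installed
# package versions against the first unaffected version named in each FSA.
# Assumption: `pacman-g2 -Q` prints "name version" per package, like pacman.

# Fixed-version table taken from the three advisories above:
# package, first unaffected version, advisory id.
ADVISORIES='squirrelmail 1.4.17-3anacreon1 FSA-608
drupal-webform 5.x_2.7-1anacreon1 FSA-609
drupal6-views 6.x_2.6-1anacreon1 FSA-610'

# Constructed sample of `pacman-g2 -Q` output for an example host:
# one package already updated, two still at a vulnerable revision.
SAMPLE_INSTALLED='squirrelmail 1.4.17-2anacreon1
drupal-webform 5.x_2.7-1anacreon1
drupal6-views 6.x_2.3-1'

# version_lt A B: succeed (exit 0) only when A sorts strictly before B.
# GNU sort -V orders runs of digits numerically, so
# "1.4.17-2anacreon1" < "1.4.17-3anacreon1" and "6.x_2.3-1" < "6.x_2.6-1anacreon1".
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# package_status PKG INSTALLED_LIST: prints one of
#   "not-installed", "vulnerable <advisory>" or "fixed <advisory>".
package_status() {
    pkg=$1
    installed=$(printf '%s\n' "$2" | awk -v p="$pkg" '$1 == p { print $2 }')
    if [ -z "$installed" ]; then
        printf 'not-installed\n'
        return 0
    fi
    fixed=$(printf '%s\n' "$ADVISORIES" | awk -v p="$pkg" '$1 == p { print $2 }')
    fsa=$(printf '%s\n' "$ADVISORIES" | awk -v p="$pkg" '$1 == p { print $3 }')
    if version_lt "$installed" "$fixed"; then
        printf 'vulnerable %s\n' "$fsa"
    else
        printf 'fixed %s\n' "$fsa"
    fi
}

# report INSTALLED_LIST: one line per package the advisories cover.
# On a real Frugalware host, call it as: report "$(pacman-g2 -Q)"
report() {
    printf '%s\n' "$ADVISORIES" | while read -r pkg fixed fsa; do
        printf '%-16s %s\n' "$pkg" "$(package_status "$pkg" "$1")"
    done
}

report "$SAMPLE_INSTALLED"
```

Run as written, the report marks squirrelmail and drupal6-views as vulnerable (the sample host still has the revisions the advisories list as affected) and drupal-webform as fixed; packages that are not installed are reported as such rather than silently skipped, which is the case the advisories' "Check if you have ... installed" step is guarding against.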