From vmiklos at frugalware.org Sun Mar 8 12:46:37 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun Mar 8 12:46:39 2009
Subject: [Frugalware-security] [ FSA-576 ] wireshark
Message-ID: <20090308114637.7D6DC11B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-576

Date: 2009-03-08
Package: wireshark
Vulnerable versions: <= 1.0.5-1solaria1
Unaffected versions: >= 1.0.6-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3613
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600

Description
===========

A vulnerability has been reported in Wireshark, which can be exploited by
malicious people to potentially compromise a user's system.

The vulnerability is caused due to a boundary error in the processing of
NetScreen Snoop capture files and can be exploited to cause a stack-based
buffer overflow.

Successful exploitation may allow execution of arbitrary code depending on
the allocation of stack variables.
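The bug class behind this advisory is a capture-file reader that copies file-controlled data into a fixed-size stack buffer without checking the bound. The following is an added example written for this page; it is not Wireshark code and does not reproduce the NetScreen Snoop format, which the advisory does not describe. The hex-dump line layout, the MAX_PKT size and every function name are constructed for the illustration. It shows the unchecked loop beside the one that refuses the line before the write that would overflow.

```c
/*
 * Added example, not Wireshark code. A capture-file reader decodes one text
 * hex-dump line into a fixed-size packet buffer on the stack. The line
 * format and all names here are constructed for the illustration; the
 * advisory states only that the NetScreen Snoop reader had a boundary error
 * causing a stack-based buffer overflow, not how that format is laid out.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKT 16  /* deliberately small so the overflow case is easy to see */

/* Value of one hex digit, or -1 if c is not a hex digit (including '\0'). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Vulnerable pattern: the loop trusts the file to supply at most MAX_PKT
 * bytes per line. A crafted line with more hex pairs writes past pkt[] into
 * the rest of the stack frame. Kept only to show the missing check; the
 * self-checks below never feed it an over-long line.
 */
static int parse_hex_line_unchecked(const char *line, uint8_t *out, size_t outlen)
{
    uint8_t pkt[MAX_PKT];                 /* fixed-size stack buffer */
    size_t n = 0;
    const char *p = line;

    while (*p != '\0') {
        if (isspace((unsigned char)*p)) { p++; continue; }
        int hi = hexval(p[0]);
        int lo = (hi >= 0) ? hexval(p[1]) : -1;   /* p[1] may be '\0'; hexval says -1 */
        if (hi < 0 || lo < 0) return -1;          /* malformed token */
        pkt[n++] = (uint8_t)((hi << 4) | lo);     /* no bound on n */
        p += 2;
    }
    if (n > outlen) return -1;
    memcpy(out, pkt, n);
    return (int)n;
}

/* Hardened: reject the line before the write that would overflow pkt[]. */
static int parse_hex_line_checked(const char *line, uint8_t *out, size_t outlen)
{
    uint8_t pkt[MAX_PKT];
    size_t n = 0;
    const char *p = line;

    while (*p != '\0') {
        if (isspace((unsigned char)*p)) { p++; continue; }
        int hi = hexval(p[0]);
        int lo = (hi >= 0) ? hexval(p[1]) : -1;
        if (hi < 0 || lo < 0) return -1;
        if (n >= sizeof pkt) return -2;           /* the check the unchecked version lacks */
        pkt[n++] = (uint8_t)((hi << 4) | lo);
        p += 2;
    }
    if (n > outlen) return -1;
    memcpy(out, pkt, n);
    return (int)n;
}

/* Constructed sample lines (not real capture data). */
static const char SHORT_LINE[] = "45 00 00 1c de ad be ef";                            /* 8 bytes */
static const char LONG_LINE[]  = "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10"; /* 17 bytes */

/* 1 if both parsers decode the in-bounds line identically and correctly. */
int check_short_line_decodes(void)
{
    uint8_t a[MAX_PKT] = {0}, b[MAX_PKT] = {0};
    int na = parse_hex_line_checked(SHORT_LINE, a, sizeof a);
    int nb = parse_hex_line_unchecked(SHORT_LINE, b, sizeof b);
    return na == 8 && nb == 8 && memcmp(a, b, 8) == 0 &&
           a[0] == 0x45 && a[3] == 0x1c && a[7] == 0xef;
}

/* 1 if the hardened parser refuses the line that would overflow pkt[]. */
int check_long_line_rejected(void)
{
    uint8_t out[MAX_PKT];
    return parse_hex_line_checked(LONG_LINE, out, sizeof out) == -2;
}

/* 1 if a non-hex token is reported as malformed rather than decoded. */
int check_malformed_rejected(void)
{
    uint8_t out[MAX_PKT];
    return parse_hex_line_checked("45 zz", out, sizeof out) == -1;
}

int main(void)
{
    printf("short line decodes:  %s\n", check_short_line_decodes() ? "yes" : "no");
    printf("long line rejected:  %s\n", check_long_line_rejected() ? "yes" : "no");
    printf("malformed rejected:  %s\n", check_malformed_rejected() ? "yes" : "no");
    return 0;
}
```

The fix is the single comparison against `sizeof pkt` placed before the store; checking the total only after the loop, as the unchecked version does for `outlen`, is too late because the stack buffer has already been written. When auditing a file-format reader, look for every store into a fixed-size local and ask which file-derived value controls the index.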
Updated Packages
================

Check if you have wireshark installed:

# pacman-g2 -Q wireshark

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wireshark

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/576

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkmzsB0ACgkQZ7NElSD1Vhl8MgCfYNJxT6lW0n2jw4Wk0PDtvTo5
lHQAn3v2Xn0PQIus38RKTO+zq3W+7yVb
=Ze70
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Mar 8 19:06:14 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun Mar 8 19:06:18 2009
Subject: [Frugalware-security] [ FSA-577 ] firefox
Message-ID: <20090308180614.E918B11B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-577

Date: 2009-03-08
Package: firefox
Vulnerable versions: <= 3.0.4-1solaria1
Unaffected versions: >= 3.0.6-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3614
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0352
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0353
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0354
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0355
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0356
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0357
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0358

Description
===========

Some vulnerabilities have been reported in Mozilla Firefox, which can be
exploited by malicious, local users to potentially disclose sensitive
information, and by malicious people to conduct cross-site scripting
attacks, bypass certain security restrictions, disclose sensitive
information, or potentially to compromise a user's system.

1) Multiple errors in the layout engine can be exploited to cause memory
corruptions and potentially execute arbitrary code.
2) Multiple errors in the Javascript engine can be exploited to cause memory
corruptions and potentially execute arbitrary code.

3) A chrome XBL method can be used in combination with "window.eval" to
execute arbitrary Javascript code in the context of another web site.

4) An error when restoring a closed tab can be exploited to modify an input
control's text value, which allows e.g. to disclose the content of a local
file when a user re-opens a tab.

5) An error in the processing of shortcut files can be exploited to execute
arbitrary script code with chrome privileges e.g. via an HTML file that
loads a privileged chrome document via a .desktop shortcut file.

6) A security issue is caused due to cookies marked "HTTPOnly" being
readable by Javascript via the "XMLHttpRequest.getResponseHeader" and
"XMLHttpRequest.getAllResponseHeaders" APIs.

7) A security issue is caused due to Firefox ignoring certain HTTP
directives to not cache web pages ("Cache-Control: no-store" and
"Cache-Control: no-cache" for HTTPS pages), which can be exploited to
disclose potentially sensitive information via cached pages.
Updated Packages
================

Check if you have firefox installed:

# pacman-g2 -Q firefox

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy firefox

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/577

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm0CRYACgkQZ7NElSD1VhkZUgCfSUYVkRnj8XTW7qYkA8VWvWYN
IOcAnjfmu35K5wKmcenENg7Jc4b8RoQ4
=6Daf
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:34:13 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:34:16 2009
Subject: [Frugalware-security] [ FSA-578 ] ffmpeg
Message-ID: <20090309223413.124BA11B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-578

Date: 2009-03-09
Package: ffmpeg
Vulnerable versions: <= ffmpeg-20080427-7
Unaffected versions: >= ffmpeg-20080427-8solaria1
Related bugreport: http://bugs.frugalware.org/task/3599
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385

Description
===========

Tobias Klein has reported a vulnerability in FFmpeg, which potentially can
be exploited by malicious people to compromise an application using the
library.

The vulnerability is caused due to a signedness error within the
"fourxm_read_header()" function in libavformat/4xm.c. This can be exploited
to corrupt arbitrary memory via a specially crafted 4xm file.

Successful exploitation may allow execution of arbitrary code.
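A signedness error in a header parser is the pattern where a file-supplied value is kept in a signed integer and compared against an upper bound only, so a value with the top bit set reads as negative, passes the check, and is then used as an array index or size. The following is an added example written for this page, not FFmpeg code: the advisory names fourxm_read_header() but does not say which field was involved, so the track-index field, the table size and all function names here are constructed for the illustration. It contrasts the signed check that lets 0xFFFFFFFF through with the unsigned check that bounds the value on both sides.

```c
/*
 * Added example, not FFmpeg code. A demuxer header parser reads a track
 * index from the file and uses it to address a fixed-size table. The field
 * layout and all names are constructed for the illustration; the advisory
 * states only that fourxm_read_header() had a signedness error that let a
 * crafted 4xm file corrupt memory, not the exact field involved.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKS 8

typedef struct {
    uint32_t codec_id;
    uint32_t sample_rate;
} track_t;

/* Little-endian 32-bit read; the file supplies these four bytes. */
static uint32_t rd_le32(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/*
 * Vulnerable pattern: the index is kept signed and compared against the
 * upper bound only. 0xFFFFFFFF converts to -1 (two's complement), slips
 * past the check, and the caller would then write tracks[-1], i.e. before
 * the table. Returns 1 if the field would be accepted, 0 if rejected. It
 * does not perform the write, so calling it on hostile input here is safe.
 */
int accept_index_signed(const uint8_t field[4], int32_t *idx_out)
{
    int32_t idx = (int32_t)rd_le32(field);
    *idx_out = idx;
    if (idx >= MAX_TRACKS)
        return 0;               /* a negative idx is never caught here */
    return 1;
}

/*
 * Hardened pattern: keep the value unsigned so one comparison bounds it on
 * both sides, and write the descriptor only after the index passes.
 * Returns 1 on success, 0 if the field is out of range.
 */
int set_track_unsigned(track_t tracks[MAX_TRACKS], const uint8_t field[4],
                       uint32_t codec_id, uint32_t sample_rate)
{
    uint32_t idx = rd_le32(field);
    if (idx >= MAX_TRACKS)
        return 0;               /* rejects both huge and "negative" values */
    tracks[idx].codec_id = codec_id;
    tracks[idx].sample_rate = sample_rate;
    return 1;
}

/* Constructed header fields (not taken from a real 4xm file). */
static const uint8_t FIELD_THREE[4]    = { 0x03, 0x00, 0x00, 0x00 }; /* 3 */
static const uint8_t FIELD_NEGATIVE[4] = { 0xff, 0xff, 0xff, 0xff }; /* -1 as int32 */
static const uint8_t FIELD_MAX[4]      = { 0x08, 0x00, 0x00, 0x00 }; /* == MAX_TRACKS */

/* 1 if the signed check accepts the crafted field while the unsigned one rejects it. */
int check_negative_slips_past_signed_check(void)
{
    int32_t idx = 0;
    track_t tracks[MAX_TRACKS] = {{0, 0}};
    int signed_ok = accept_index_signed(FIELD_NEGATIVE, &idx);
    int unsigned_ok = set_track_unsigned(tracks, FIELD_NEGATIVE, 1, 44100);
    return signed_ok == 1 && idx == -1 && unsigned_ok == 0;
}

/* 1 if a valid index lands where expected and the one-past-the-end index is refused. */
int check_bounds_both_ends(void)
{
    track_t tracks[MAX_TRACKS] = {{0, 0}};
    int ok = set_track_unsigned(tracks, FIELD_THREE, 7, 22050);
    int max_rejected = set_track_unsigned(tracks, FIELD_MAX, 7, 22050) == 0;
    return ok == 1 && tracks[3].codec_id == 7 &&
           tracks[3].sample_rate == 22050 && max_rejected;
}

int main(void)
{
    printf("negative index slips past signed check: %s\n",
           check_negative_slips_past_signed_check() ? "yes" : "no");
    printf("unsigned check bounds both ends:        %s\n",
           check_bounds_both_ends() ? "yes" : "no");
    return 0;
}
```

The same mistake appears whenever a signed index or length is validated with a single `>` or `>=` comparison; reading the field as unsigned, or adding an explicit `idx < 0` test, closes the lower end. The mplayer advisory that follows (FSA-579) covers this same CVE, since mplayer bundles the affected FFmpeg demuxer.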
Updated Packages
================

Check if you have ffmpeg installed:

# pacman-g2 -Q ffmpeg

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy ffmpeg

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/578

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1mWUACgkQZ7NElSD1VhmpEQCggiIfhbdd5EgD34PPTaZGPw8e
nFkAn3jrPEeBGwVE1UMXXl42KlXTPoIy
=NxBc
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:36:33 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:36:34 2009
Subject: [Frugalware-security] [ FSA-579 ] mplayer
Message-ID: <20090309223633.E24C911B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-579

Date: 2009-03-09
Package: mplayer
Vulnerable versions: <= 1.0rc2-7solaria2
Unaffected versions: >= 1.0rc2-7solaria3
Related bugreport: http://bugs.frugalware.org/task/3600
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0385

Description
===========

Tobias Klein has reported a vulnerability in FFmpeg, which potentially can
be exploited by malicious people to compromise an application using the
library.

For more info, see FSA578.
Updated Packages
================

Check if you have mplayer installed:

# pacman-g2 -Q mplayer

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy mplayer

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/579

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1mfEACgkQZ7NElSD1VhmTmQCfZ46OkfzuRASoGci+oMhnjB0R
D1oAoJ+PSwqwHyl6d3Gc2/BoYeR9EO7N
=8nJZ
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:39:18 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:39:20 2009
Subject: [Frugalware-security] [ FSA-580 ] imlib2
Message-ID: <20090309223918.717E211B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-580

Date: 2009-03-09
Package: imlib2
Vulnerable versions: <= 1.4.1-1
Unaffected versions: >= 1.4.1-2solaria1
Related bugreport: http://bugs.frugalware.org/task/3484
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187

Description
===========

A vulnerability has been discovered in imlib2, which can be exploited by
malicious people to potentially compromise an application using the
library.

The vulnerability is caused due to a pointer arithmetic error within the
"load()" function provided by the XPM loader. This can be exploited to
cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.
Updated Packages
================

Check if you have imlib2 installed:

# pacman-g2 -Q imlib2

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy imlib2

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/580

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1mpYACgkQZ7NElSD1VhmSCwCfa/UVlsxeDLXDObzW/72neOhp
jkIAoJWi+pxpWAG+GoPoIvMNmiK2tEqq
=lgj1
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:43:28 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:43:29 2009
Subject: [Frugalware-security] [ FSA-581 ] vlc
Message-ID: <20090309224328.3879E11B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-581

Date: 2009-03-09
Package: vlc
Vulnerable versions: <= 0.9.4-1solaria1
Unaffected versions: >= 0.9.6-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3416
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4654
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4686
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036

Description
===========

Four vulnerabilities have been reported in VLC Media Player, which
potentially can be exploited by malicious people to compromise a user's
system.

1) A boundary error in the processing of TY files can be exploited to cause
a stack-based buffer overflow.

2) An integer overflow error in the processing of TY files can be exploited
to cause a heap-based buffer overflow.

3) An error in the CUE demuxer can be exploited to cause a stack-based
buffer overflow via a specially crafted CUE image file.
4) An error in the RealText demuxer can be exploited to cause a stack-based
buffer overflow via a specially crafted RealText subtitle file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

Updated Packages
================

Check if you have vlc installed:

# pacman-g2 -Q vlc

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy vlc

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/581

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1m5AACgkQZ7NElSD1Vhk+aQCgpJG9nY77xGiqng65afcuIcZn
PCIAnRFR24OQEWMhFbWZkXY/CNB3tNq4
=iro3
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:46:36 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:46:38 2009
Subject: [Frugalware-security] [ FSA-582 ] seamonkey
Message-ID: <20090309224636.1EF2811B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-582

Date: 2009-03-09
Package: seamonkey
Vulnerable versions: <= 1.1.11-1
Unaffected versions: >= 1.1.13-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3466
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0017
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4582
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5013
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5014
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5017
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5018
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5022
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5023
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5024

Description
===========

Some vulnerabilities have been reported in
Mozilla SeaMonkey, which can be exploited by malicious people to disclose
sensitive information, bypass certain security restrictions, or compromise
a user's system.

1) Several vulnerabilities can be exploited to disclose sensitive
information, bypass certain security restrictions, or compromise a user's
system.

2) An error exists while processing JavaScript code embedded in email
messages. This can be exploited to disclose the mailbox URI of the
recipient via the ".documentURI" DOM property, or to potentially disclose
comments placed in a forwarded email via the ".textContent" DOM property.

Updated Packages
================

Check if you have seamonkey installed:

# pacman-g2 -Q seamonkey

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy seamonkey

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/582

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1nEwACgkQZ7NElSD1VhlFSACdHPs3ulsGhCGC/LND4VN1PQ5k
hCIAnjBKpMchSdbWJpDUZbgTELMnQmzX
=4Cm/
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Mon Mar 9 23:50:45 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Mon Mar 9 23:50:47 2009
Subject: [Frugalware-security] [ FSA-583 ] firefox
Message-ID: <20090309225045.B0BD311B877D@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-583

Date: 2009-03-09
Package: firefox
Vulnerable versions: <= 3.0.6-1solaria1
Unaffected versions: >= 3.0.7-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3667
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0771
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0772
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0773
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0774
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0775
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0776
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0777

Description
===========

Some vulnerabilities have been reported in Mozilla Firefox, which can be
exploited by malicious people to conduct spoofing attacks, bypass certain
security restrictions, disclose sensitive information, or compromise a
user's system.

1) Multiple errors in the layout and JavaScript engines can be exploited to
corrupt memory and potentially execute arbitrary code.

2) An error in the garbage collection process when handling a set of cloned
XUL DOM elements linked as a parent and child can be exploited to access
freed memory and execute arbitrary code.

3) An error can be exploited via the "nsIRDFService" interface and a
cross-domain redirect to bypass the same-origin policy and read XML data
from another domain.

4) An error in libpng when handling out-of-memory conditions can be
exploited to potentially execute arbitrary code.

5) An error when handling invisible control characters included in the
location bar can be exploited to spoof a trusted URL.
Updated Packages
================

Check if you have firefox installed:

# pacman-g2 -Q firefox

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy firefox

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/583

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm1nUUACgkQZ7NElSD1VhlmQACfSS+Og8eJ/0PS+KRWGCRPowBP
0voAoKVuZoztkGoBBhXums6IVXGdu0nK
=ylr6
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Tue Mar 17 13:55:12 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Tue Mar 17 13:55:15 2009
Subject: [Frugalware-security] [ FSA-584 ] qemu
Message-ID: <20090317125512.D890A11B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-584

Date: 2009-03-17
Package: qemu
Vulnerable versions: <= 0.9.1-4
Unaffected versions: >= 0.9.1-5solaria1
Related bugreport: http://bugs.frugalware.org/task/3414
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4539

Description
===========

The code in hw/cirrus_vga.c changed a lot between the time CVE-2007-1320
was announced and the time the patch was applied. As a consequence the
patch was applied incorrectly, and QEMU is still vulnerable to this bug
when using VNC.
Updated Packages
================

Check if you have qemu installed:

# pacman-g2 -Q qemu

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy qemu

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/584

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm/nbAACgkQZ7NElSD1VhkfmACglXaiKPdMlU7MfozArQBUgKab
YiEAni+gJjmEieSJWMtYnMycSXTDe/3b
=S1Xz
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Tue Mar 17 13:59:20 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Tue Mar 17 13:59:22 2009
Subject: [Frugalware-security] [ FSA-585 ] enscript
Message-ID: <20090317125920.7F86611B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-585

Date: 2009-03-17
Package: enscript
Vulnerable versions: <= 1.6.4-4
Unaffected versions: >= 1.6.4-5solaria1
Related bugreport: http://bugs.frugalware.org/task/3404
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3863
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306

Description
===========

Some vulnerabilities have been discovered in GNU Enscript, which can be
exploited by malicious people to compromise a vulnerable system.

1) A vulnerability is caused due to a boundary error within the
"read_special_escape()" function in src/psgen.c when processing the
"setfilename" escape sequence. This can be exploited to cause a stack-based
buffer overflow by tricking the user into converting a malicious file.

2) A vulnerability is caused due to a boundary error within the
"read_special_escape()" function in src/psgen.c when processing the "font"
escape sequence. This can be exploited to cause a stack-based buffer
overflow by tricking the user into converting a malicious file.
Successful exploitation allows execution of arbitrary code, but requires
that special escapes processing is enabled with the "-e" option.

Updated Packages
================

Check if you have enscript installed:

# pacman-g2 -Q enscript

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy enscript

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/585

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm/nqgACgkQZ7NElSD1VhmuKACfSIY6Bj3Sp9C4o6sC1te0+bUD
L10An39hj8AuuQ31Z4QIGqFi+NS9RY7Z
=hFq0
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Tue Mar 17 14:04:16 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Tue Mar 17 14:04:18 2009
Subject: [Frugalware-security] [ FSA-586 ] trac
Message-ID: <20090317130416.6400711B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-586

Date: 2009-03-17
Package: trac
Vulnerable versions: <= 0.10.5-1
Unaffected versions: >= 0.11.2-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3448
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5646
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5647

Description
===========

Some vulnerabilities have been reported in Trac, which can be exploited by
malicious people to cause a DoS (Denial of Service) or to conduct phishing
attacks.

1) An unspecified error in the HTML sanitiser filter can be exploited to
conduct phishing attacks.

2) An unspecified error when processing wiki markup can be exploited to
cause a DoS.
Updated Packages
================

Check if you have trac installed:

# pacman-g2 -Q trac

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy trac

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/586

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm/n9AACgkQZ7NElSD1VhkcMQCfQEcVqmcLjOaO9Mlia9dWlLhu
HcAAn2x9bey2YrWcioX9Qsyee56C5ydy
=S+3i
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Tue Mar 17 14:08:33 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Tue Mar 17 14:08:35 2009
Subject: [Frugalware-security] [ FSA-587 ] xemacs-sumo
Message-ID: <20090317130833.51F2B11B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-587

Date: 2009-03-17
Package: xemacs-sumo
Vulnerable versions: <= 20070427-1
Unaffected versions: >= 20090217-1solaria1
Related bugreport: http://bugs.frugalware.org/task/3087
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142

Description
===========

A vulnerability has been reported in XEmacs, which can be exploited by
malicious people to compromise a user's system.

For more information, see FSA472.
Updated Packages
================

Check if you have xemacs-sumo installed:

# pacman-g2 -Q xemacs-sumo

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy xemacs-sumo

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/587

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm/oNEACgkQZ7NElSD1Vhms5wCcCNq2lKPTJoTPwAVoWqBEzqxD
4rAAn0i/LYsPkpGLiEhvaB7FiExW4DQv
=zo+I
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Tue Mar 17 14:13:58 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Tue Mar 17 14:14:01 2009
Subject: [Frugalware-security] [ FSA-588 ] gnutls
Message-ID: <20090317131358.B1AC211B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-588

Date: 2009-03-17
Package: gnutls
Vulnerable versions: <= 2.2.5-2
Unaffected versions: >= 2.2.5-3solaria1
Related bugreport: http://bugs.frugalware.org/task/3449
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989

Description
===========

A vulnerability has been reported in GnuTLS, which can be exploited by
malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when validating the X.509
certificate chain and can be exploited to spoof arbitrary names e.g. during
a Man-in-the-Middle (MitM) attack.
Updated Packages
================

Check if you have gnutls installed:

# pacman-g2 -Q gnutls

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy gnutls

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/588

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkm/ohYACgkQZ7NElSD1VhmC6wCfW1DO/mj0ABiGrl2aui4iHInm
WgsAoI9gG9bqAVAqaXdBQUGSRFx09cv4
=zbVS
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Wed Mar 25 23:34:44 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Wed Mar 25 23:34:48 2009
Subject: [Frugalware-security] [ FSA-589 ] drupal6-cck
Message-ID: <20090325223444.E809311B80AD@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-589

Date: 2009-03-25
Package: drupal6-cck
Vulnerable versions: <= 6.x_2.1-1
Unaffected versions: >= 6.x_2.2-1anacreon1
Related bugreport: http://bugs.frugalware.org/task/3710
CVE: No CVE references, see http://drupal.org/node/409696

Description
===========

A security issue has been reported in the CCK Field Privacy module for
Drupal, which can be exploited by malicious people to bypass certain
security restrictions.

The security issue is caused due to the application not properly
restricting access to certain administrative pages and can be exploited to
e.g. change permissions on fields.
Updated Packages
================

Check if you have drupal6-cck installed:

# pacman-g2 -Q drupal6-cck

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-cck

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/589

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAknKsYQACgkQZ7NElSD1VhnedQCfXjp6wqCcoTk3qGtgjtZGxQv2
jFYAniZaU8BYNDGEDcRt5YCGMF36JTaH
=EDxe
-----END PGP SIGNATURE-----