From vmiklos at frugalware.org Sun Sep 27 11:33:40 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 11:33:40 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-617 ] drupal6-devel
Message-ID: <20090927093340.A35B611F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-617

Date: 2009-09-27
Package: drupal6-devel
Vulnerable versions: <= 6.x_1.17-1
Unaffected versions: >= 6.x_1.18-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3964
CVE: No CVE references, see http://drupal.org/node/585952.

Description
===========

A vulnerability has been reported in the Devel module for Drupal, which can be
exploited by malicious users to conduct script insertion attacks.

The variable editor does not properly sanitise the variable name before
displaying it to the user. This can be exploited to insert arbitrary HTML and
script code, which will be executed in a user's browser session in context of
an affected site when the malicious data is being viewed.
Updated Packages
================

Check if you have drupal6-devel installed:

# pacman-g2 -Q drupal6-devel

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-devel

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/617

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/MXQACgkQZ7NElSD1VhlkwACfaUSkWzdOwWdv1sdTBow+ydxM
1yIAoJMM6XSYT+3hEAoG27ZezXHjPs8l
=Ttbr
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 11:37:23 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 11:37:23 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-618 ] wireshark
Message-ID: <20090927093723.58E7711F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-618

Date: 2009-09-27
Package: wireshark
Vulnerable versions: <= 1.2.1-1
Unaffected versions: >= 1.2.2-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3957
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3241
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3242
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3243

Description
===========

Some vulnerabilities have been reported in Wireshark, which can be exploited
by malicious people to cause a DoS (Denial of Service).

1) An error in the "OpcUa" dissector can be exploited to exhaust CPU and
memory resources via a specially crafted "Service CallRequest" packet.

2) An assertion error in the "GSM A RR" dissector can be exploited to cause a
crash.

3) An error in the TLS dissector can be exploited to cause a crash on certain
platforms (e.g. Windows) via specially crafted TLS 1.2 network packets.
Updated Packages
================

Check if you have wireshark installed:

# pacman-g2 -Q wireshark

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wireshark

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/618

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/MlMACgkQZ7NElSD1VhngnACfTf2XyuFI+pmX3ctpXXXEPBcq
g0QAnjEj1Sz+yjOu6BdVjXY3rhnglV0V
=mbwG
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 11:41:12 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 11:41:12 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-619 ] horde-webmail
Message-ID: <20090927094112.B759011F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-619

Date: 2009-09-27
Package: horde-webmail
Vulnerable versions: <= 1.2.3-1
Unaffected versions: >= 1.2.4-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3958
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3236

Description
===========

Some vulnerabilities have been reported in Horde Groupware and Horde Groupware
Webmail Edition, which can be exploited by malicious people to conduct
cross-site scripting and script insertion attacks and by malicious users to
compromise a vulnerable system.

1) Two vulnerabilities can be exploited to conduct cross-site scripting or
script insertion attacks.

2) An error within the form library of the Horde Application Framework when
handling image form fields can be exploited to overwrite arbitrary local
files.
Updated Packages
================

Check if you have horde-webmail installed:

# pacman-g2 -Q horde-webmail

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy horde-webmail

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/619

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/MzgACgkQZ7NElSD1VhkNswCfe4ElgsgxFidy64u1HGHabtNy
8zgAnjNuL8PbpKTbWl+9B4ZB6asOLiOF
=TjIv
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 11:44:18 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 11:44:18 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-620 ] drupal-date
Message-ID: <20090927094418.0D29711F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-620

Date: 2009-09-27
Package: drupal-date
Vulnerable versions: <= 5.x_2.7-1
Unaffected versions: >= 5.x_2.8-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3951
CVE: No CVE references, see http://drupal.org/node/579144.

Description
===========

A vulnerability has been reported in the Date module for Drupal, which can be
exploited by malicious users to conduct script insertion attacks.

Certain unspecified input is not properly sanitised before being displayed in
the page title. This can be exploited to insert arbitrary HTML and script
code, which will be executed in a user's browser session in context of an
affected site when the malicious data is being viewed.

Successful exploitation requires privileges to post date content.
Updated Packages
================

Check if you have drupal-date installed:

# pacman-g2 -Q drupal-date

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal-date

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/620

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/M/IACgkQZ7NElSD1VhkRnACeO4FLe9u/HhCs2L36I6ebAvNX
/jwAoJXuR3vJtwBBQqmSs3Mg1ZJbXo6L
=yFjx
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 12:23:23 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 12:23:23 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-621 ] drupal
Message-ID: <20090927102323.1B81611F0028@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-621

Date: 2009-09-27
Package: drupal
Vulnerable versions: <= 5.19-1
Unaffected versions: >= 5.20-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3947
CVE: No CVE references, see http://drupal.org/node/579484.

Description
===========

Some vulnerabilities have been reported in Drupal, which can be exploited by
malicious users to hijack accounts and compromise a vulnerable system, and by
malicious people to conduct cross-site request forgery attacks.

1) The OpenID module allows users to perform certain actions via HTTP requests
without performing any validation checks to verify the requests. This can be
exploited to e.g. add OpenID identities to existing accounts.

2) An unspecified error within the OpenID Authentication 2.0 implementation
can be exploited to hijack another user's account if the same OpenID 2.0
provider is used.

3) An error within the File API when processing certain file extensions can be
exploited to e.g. upload files which can be executed by the web server.
Note: Successful exploitation requires that the web server is configured to
ignore Drupal's ".htaccess" file.

Updated Packages
================

Check if you have drupal installed:

# pacman-g2 -Q drupal

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/621

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/PRsACgkQZ7NElSD1Vhm8EwCgmseU4LmGXG2MlkCb8b634HR+
IQEAnjrKkdH4LFhY4F4GTymFXbDI0pfA
=2RDK
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 12:25:06 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 12:25:06 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-622 ] drupal6
Message-ID: <20090927102506.BE74A11F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-622

Date: 2009-09-27
Package: drupal6
Vulnerable versions: <= 6.13-1
Unaffected versions: >= 6.14-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3948
CVE: No CVE references, see http://drupal.org/node/579476.

Description
===========

See FSA621 for more info.
Updated Packages
================

Check if you have drupal6 installed:

# pacman-g2 -Q drupal6

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/622

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/PYIACgkQZ7NElSD1VhlM1QCeKCAMZP4k9YwHV9CTCM3REhqU
lFgAn359DgxPeDr4CIwIe03/2NkXNACH
=PRYH
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 12:29:48 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 12:29:48 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-623 ] drupal-commentrss
Message-ID: <20090927102948.AF26311F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-623

Date: 2009-09-27
Package: drupal-commentrss
Vulnerable versions: <= 5.x_2.1-1
Unaffected versions: >= 5.x_2.2-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3949
CVE: No CVE references, see http://drupal.org/node/579280.

Description
===========

A vulnerability has been reported in the Comment RSS module for Drupal, which
can be exploited to disclose potentially sensitive information.

The vulnerability is caused due to the module not properly respecting access
restrictions when adding the link to a node, which can be exploited to
disclose potentially sensitive information.
Updated Packages
================

Check if you have drupal-commentrss installed:

# pacman-g2 -Q drupal-commentrss

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal-commentrss

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/623

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/PpwACgkQZ7NElSD1VhkpJQCfZUxeuVHs4d/dOw1w6+HOj+y2
ztQAn0X6RrGUv3SYNXDR/v4G48eHJAJN
=isFq
-----END PGP SIGNATURE-----

From vmiklos at frugalware.org Sun Sep 27 12:31:46 2009
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 27 Sep 2009 12:31:46 +0200 (CEST)
Subject: [Frugalware-security] [ FSA-624 ] drupal6-commentrss
Message-ID: <20090927103146.3AEC811F0027@genesis.frugalware.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory FSA-624

Date: 2009-09-27
Package: drupal6-commentrss
Vulnerable versions: <= 6.x_2.1-1
Unaffected versions: >= 6.x_2.2-1getorin1
Related bugreport: http://bugs.frugalware.org/task/3950
CVE: No CVE references, see http://drupal.org/node/579290.

Description
===========

See FSA623 for more info.

Updated Packages
================

Check if you have drupal6-commentrss installed:

# pacman-g2 -Q drupal6-commentrss

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-commentrss

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/624

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iEYEARECAAYFAkq/PxIACgkQZ7NElSD1VhniugCggqCIdvfrkxA99i/tjF+oUTTx
ZNQAn2lEaustYxqswJX6zBInflKkC27x
=VZ2G
-----END PGP SIGNATURE-----
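Each advisory above asks the administrator to run `pacman-g2 -Q <package>` and, if the package is present, `pacman-g2 -Sy <package>`. With eight advisories on one day it is easy to miss one, and the version strings (e.g. `6.x_1.17-1` versus `6.x_1.18-1getorin1`) are not safe to compare as plain strings. The script below is an added example, not Frugalware's code and not part of these advisories: it takes the vulnerable/unaffected version table transcribed from FSA-617 through FSA-624, parses a constructed sample of `pacman-g2 -Q` output (the "name version" line format is assumed; the sample is made up, not real system data), and reports which installed packages still fall inside a vulnerable range. The version ordering is a simplified, segment-wise comparison modelled on pacman's vercmp rules (digits numerically, letters lexicographically, pkgver before pkgrel); that is an assumption of the example, not pacman-g2's own implementation, so treat the result as a triage list and let `pacman-g2` itself be the authority on upgrades.

```python
"""Audit constructed `pacman-g2 -Q` output against the FSA-617..FSA-624 version table.

Added example, not Frugalware code. The version comparison is a simplified
ordering modelled on pacman's vercmp rules; it is an assumption of this
example and not pacman-g2's own implementation.
"""
import re

# Advisory table transcribed from FSA-617..FSA-624:
# package -> (advisory, last vulnerable version, first unaffected version)
ADVISORIES = {
    "drupal6-devel":      ("FSA-617", "6.x_1.17-1", "6.x_1.18-1getorin1"),
    "wireshark":          ("FSA-618", "1.2.1-1",    "1.2.2-1getorin1"),
    "horde-webmail":      ("FSA-619", "1.2.3-1",    "1.2.4-1getorin1"),
    "drupal-date":        ("FSA-620", "5.x_2.7-1",  "5.x_2.8-1getorin1"),
    "drupal":             ("FSA-621", "5.19-1",     "5.20-1getorin1"),
    "drupal6":            ("FSA-622", "6.13-1",     "6.14-1getorin1"),
    "drupal-commentrss":  ("FSA-623", "5.x_2.1-1",  "5.x_2.2-1getorin1"),
    "drupal6-commentrss": ("FSA-624", "6.x_2.1-1",  "6.x_2.2-1getorin1"),
}

# Constructed sample of `pacman-g2 -Q` output ("name version" per line).
# Not real system data: mixes already-patched, still-vulnerable and unrelated packages.
SAMPLE_PACMAN_Q = """\
bash 3.2_048-1
drupal 5.19-1
drupal6 6.14-1getorin1
drupal6-devel 6.x_1.17-1
wireshark 1.2.2-1getorin1
horde-webmail 1.2.3-1
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _segments(part):
    """Split a version part into comparable segments, dropping '.', '_' and other separators.

    Numeric segments get kind 1 and alphabetic ones kind 0, so a number
    outranks a letter run at the same position and the two kinds never
    raise a TypeError when compared.
    """
    return [(1, int(tok)) if tok.isdigit() else (0, tok) for tok in _SEGMENT.findall(part)]


def version_key(version):
    """Sort key for a Frugalware 'pkgver-pkgrel' string: pkgver first, then pkgrel.

    A missing pkgrel is treated as 0, so '1.2.1' sorts before '1.2.1-1'.
    A pkgrel of '1' sorts before '1getorin1' because the longer segment list
    shares the same prefix.
    """
    pkgver, dash, pkgrel = version.rpartition("-")
    if not dash:
        pkgver, pkgrel = pkgrel, "0"
    return (_segments(pkgver), _segments(pkgrel))


def parse_pacman_q(text):
    """Parse 'name version' lines as printed by `pacman-g2 -Q` into a dict."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            installed[fields[0]] = fields[1]
    return installed


def is_vulnerable(version, last_vulnerable, first_fixed):
    """True when version is <= the advisory's last vulnerable and < its first fixed version."""
    key = version_key(version)
    return key <= version_key(last_vulnerable) and key < version_key(first_fixed)


def audit(installed, advisories=ADVISORIES):
    """Return sorted (package, installed_version, advisory, upgrade_to) tuples needing action."""
    findings = []
    for pkg, (fsa, last_vulnerable, first_fixed) in advisories.items():
        if pkg in installed and is_vulnerable(installed[pkg], last_vulnerable, first_fixed):
            findings.append((pkg, installed[pkg], fsa, first_fixed))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, have, fsa, fixed in audit(parse_pacman_q(SAMPLE_PACMAN_Q)):
        print(f"{fsa}: {pkg} {have} is vulnerable; fixed in {fixed}. Run: pacman-g2 -Sy {pkg}")
```

On the constructed sample the audit flags drupal, drupal6-devel and horde-webmail, while drupal6 and wireshark are already at their unaffected release and bash is not covered by any of the advisories. To use it against a live system, feed the real output of `pacman-g2 -Q` to `parse_pacman_q` instead of the sample string.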