From vmiklos at frugalware.org Tue May 4 13:07:18 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 4 May 2010 13:07:18 +0200 (CEST) Subject: [Frugalware-security] [ FSA-668 ] kernel Message-ID: <20100504110718.B38A112D90EF@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-668 Date: 2010-04-27 Package: kernel Vulnerable versions: <= 2.6.32-4locris1 Unaffected versions: >= 2.6.32-4locris2 Related bugreport: http://bugs.frugalware.org/task/4183 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1148 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1162 Description =========== Three vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). 1) A vulnerability is caused due to a NULL-pointer dereference error within the "cifs_create()" function in fs/cifs/dir.c. This can be exploited to cause a crash when a file without an associated "nameidata" structure is created. 2) There was a check for mandatory locking where the GFS/GFS2 locking code skipped the lock in case sgid bits are set for the file. This can be triggered to cause a crash on a system mounting a GFS/GFS2 filesystem. 3) The vulnerability is caused due to a memory leak within the "release_one_tty()" function in drivers/char/tty_io.c, which can be exploited to e.g. cause a DoS due to memory exhaustion. Updated Packages ================ Check if you have kernel installed: # pacman-g2 -Q kernel If found, then you should upgrade to the latest version: # pacman-g2 -Sy kernel Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/668 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkvf/+YACgkQZ7NElSD1VhmEKgCgldcaPu4/Z+Pw49QjQ8APIItS G0AAn1SLRjl0eWCkiDo+2U33bOVWSv7A =1OlW -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed May 12 18:28:18 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed, 12 May 2010 18:28:18 +0200 (CEST) Subject: [Frugalware-security] [ FSA-669 ] gnustep-base Message-ID: <20100512162818.30A1612D90EF@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-669 Date: 2010-05-12 Package: gnustep-base Vulnerable versions: <= 1.18.0-1 Unaffected versions: >= 1.18.0-2locris1 Related bugreport: http://bugs.frugalware.org/task/4210 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1457 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1620 Description =========== Two vulnerabilities have been reported in GNUStep Base, which can be exploited by malicious, local users to potentially gain escalated privileges or disclose sensitive information. 1) The "gdomap" application includes the content of files in error messages when parsing a configuration file specified via the "-c" command line option. This can be exploited to disclose sensitive information by passing an arbitrary file as configuration file to the application. 2) An integer overflow error exists in the "gdomap" application when parsing configuration files. This can be exploited to cause a heap-based buffer overflow when a specially crafted configuration file containing a large number lines is being processed. Successful exploitation of the vulnerabilities requires that the "gdomap" binary has the "setuid" bit set and is owned by e.g. root. Updated Packages ================ Check if you have gnustep-base installed: # pacman-g2 -Q gnustep-base If found, then you should upgrade to the latest version: # pacman-g2 -Sy gnustep-base Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/669 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkvq1yIACgkQZ7NElSD1VhkldwCeOz7Za2CQn92k45mR2VWMnOgc 41MAn2FWGePbAUEyuaYQp627MUwuqsud =a2io -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 17 00:02:41 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon, 17 May 2010 00:02:41 +0200 (CEST) Subject: [Frugalware-security] [ FSA-670 ] drupal6-imagefield Message-ID: <20100516220241.C5D9D12D90F0@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-670 Date: 2010-05-17 Package: drupal6-imagefield Vulnerable versions: <= 6.x_3.2-1 Unaffected versions: >= 6.x_3.3-1locris1 Related bugreport: http://bugs.frugalware.org/task/4208 CVE: No CVE references, see http://drupal.org/node/791054 Description =========== A security issue has been reported in the ImageField module for Drupal, which can be exploited by malicious people to disclose potentially sensitive information. The security issue exists due to improper access permission checks for thumbnails of restricted images when the Private Downloads setting is used and can be exploited to view the thumbnail. Updated Packages ================ Check if you have drupal6-imagefield installed: # pacman-g2 -Q drupal6-imagefield If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal6-imagefield Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/670 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkvwa4EACgkQZ7NElSD1VhlQcgCeLHd3E2sbeOeKW7o57CQEOxg8 VFoAoICieSaqA6YE2NggchHpzeDra+RW =tUbi -----END PGP SIGNATURE----- From vmiklos at frugalware.org Mon May 17 00:04:47 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Mon, 17 May 2010 00:04:47 +0200 (CEST) Subject: [Frugalware-security] [ FSA-671 ] drupal6-filefield Message-ID: <20100516220447.B13AB12D90F0@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-671 Date: 2010-05-17 Package: drupal6-filefield Vulnerable versions: <= 6.x_3.2-1 Unaffected versions: >= 6.x_3.3-1locris1 Related bugreport: http://bugs.frugalware.org/task/4207 CVE: No CVE references, see http://drupal.org/node/791050. Description =========== A security issue has been reported in the FileField module for Drupal, which potentially can be exploited by malicious users to compromise a vulnerable system. The security issue exists due to improper creation of a default extension for a new file field when the field configuration page is not saved and can be exploited to upload arbitrary files to a directory inside the webroot. Successful exploitation may allow execution of arbitrary PHP code but requires "create" or "edit" permission for the file field. Updated Packages ================ Check if you have drupal6-filefield installed: # pacman-g2 -Q drupal6-filefield If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal6-filefield Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/671 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkvwa/8ACgkQZ7NElSD1Vhm0nACgnHZLf1VxG/QPq1wlqzyqjfNl MpQAnA7iH19qdTKPa+LVCXz+zvcSteAC =rlsV -----END PGP SIGNATURE----- From vmiklos at frugalware.org Sat May 22 00:32:10 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Sat, 22 May 2010 00:32:10 +0200 (CEST) Subject: [Frugalware-security] [ FSA-672 ] drupal6-captcha Message-ID: <20100521223210.5239512D90EF@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-672 Date: 2010-05-22 Package: drupal6-captcha Vulnerable versions: <= 5.x_3.2-1 Unaffected versions: >= 5.x_3.3-1locris1 Related bugreport: http://bugs.frugalware.org/task/4220 CVE: No CVE references, see http://drupal.org/node/803566. Description =========== A vulnerability has been reported in the CAPTCHA module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Certain input passed via the CAPTCHA description is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation requires "administer CAPTCHA settings" permissions. Updated Packages ================ Check if you have drupal6-captcha installed: # pacman-g2 -Q drupal6-captcha If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal6-captcha Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/672 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkv3CeoACgkQZ7NElSD1VhlpfwCfQXDP68SkAiMC8wg4WmCDwv1g 06EAoJ/4hR2FTJwcwO/fd7VvzXrOUR2t =RG20 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Wed May 26 15:51:54 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Wed, 26 May 2010 15:51:54 +0200 (CEST) Subject: [Frugalware-security] [ FSA-673 ] wireshark Message-ID: <20100526135154.7CCB912D90EF@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-673 Date: 2010-05-26 Package: wireshark Vulnerable versions: <= 1.2.6-2 Unaffected versions: >= 1.2.8-1locris1 Related bugreport: http://bugs.frugalware.org/task/4222 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1455 Description =========== A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the DOCSIS (Data Over Cable Service Interface Specifications) dissector and can be exploited to e.g. cause a crash via specially crafted DOCSIS traffic. Updated Packages ================ Check if you have wireshark installed: # pacman-g2 -Q wireshark If found, then you should upgrade to the latest version: # pacman-g2 -Sy wireshark Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/673 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkv9J3cACgkQZ7NElSD1VhnRvwCgnqZuwx2ChKbc0bpgR0yaBpZg WCAAnjsH4NHUnD9Z5I3iCP/GlS/QI4BG =9ytE -----END PGP SIGNATURE-----