From vmiklos at frugalware.org Tue Nov 30 13:01:48 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:01:48 +0100 (CET) Subject: [Frugalware-security] [ FSA-694 ] phpmyadmin Message-ID: <20101130120148.D0C09132C043@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-694 Date: 2010-11-30 Package: phpmyadmin Vulnerable versions: <= 3.3.7-1haven1 Unaffected versions: >= 3.3.8.1-1haven1 Related bugreport: http://bugs.frugalware.org/task/4381 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3263 Description =========== A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input passed to the setup script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. NOTE: Successful exploitation requires that installation best-practices have not been followed and the setup scripts have not been deleted after a successful installation. Updated Packages ================ Check if you have phpmyadmin installed: # pacman-g2 -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman-g2 -Sy phpmyadmin Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/694 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz056wACgkQZ7NElSD1VhkcqACfZwiSgLGwxdlm0RGa4KS7Ld2I 8mUAniTEXBWf8bOrrnMAY9Iru9U1w7IB =DWh2 -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue Nov 30 13:04:56 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:04:56 +0100 (CET) Subject: [Frugalware-security] [ FSA-695 ] mantis Message-ID: <20101130120456.30820132C044@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-695 Date: 2010-11-30 Package: mantis Vulnerable versions: <= 1.2.2-1 Unaffected versions: >= 1.2.3-1haven1 Related bugreport: http://bugs.frugalware.org/task/4318 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3070 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3303 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3763 Description =========== Some vulnerabilities have been reported in MantisBT, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks. 1) The application bundles a vulnerable version of NuSOAP. 2) Certain Input passed via custom field types is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires "Manage Custom Fields" permissions. 3) Certain input passed via project and category names is not properly sanitised before being displayed to the user in print_all_bug_page_word.php. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires "Project Manager" permissions. 4) Input passed via the Summary field when creating an issue is not properly sanitised before being used in core/summary_api.php. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Successful exploitation of this vulnerability requires "Reporter" permissions. Updated Packages ================ Check if you have mantis installed: # pacman-g2 -Q mantis If found, then you should upgrade to the latest version: # pacman-g2 -Sy mantis Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/695 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz06GgACgkQZ7NElSD1Vhn5cwCffx62pBOury74iCu66/DBYVCC BegAnRoxIo472txcQWLACK8Bt8AeEcGG =3WUP -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue Nov 30 13:10:03 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:10:03 +0100 (CET) Subject: [Frugalware-security] [ FSA-696 ] drupal6-lightbox2 Message-ID: <20101130121003.4B371132C043@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-696 Date: 2010-11-30 Package: drupal6-lightbox2 Vulnerable versions: <= 6.x_1.9-1 Unaffected versions: >= 6.x_1.10-1haven1 Related bugreport: http://bugs.frugalware.org/task/4326 CVE: No CVE, see http://drupal.org/node/919610. Description =========== Two vulnerabilities have been reported in Lightbox2 module for Drupal, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site scripting attacks. 1) A vulnerability exists in the access control mechanism for video content and can be exploited to get access to restricted video content. 2) Input passed via unspecified parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Updated Packages ================ Check if you have drupal6-lightbox2 installed: # pacman-g2 -Q drupal6-lightbox2 If found, then you should upgrade to the latest version: # pacman-g2 -Sy drupal6-lightbox2 Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/696 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz06ZsACgkQZ7NElSD1Vhk5ugCfYo2EWE7CZGj4UiKuB9wYvZ43 sVwAoJ/We93UO+aedN95Z9POXzLCNB5w =VsDr -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue Nov 30 13:13:20 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:13:20 +0100 (CET) Subject: [Frugalware-security] [ FSA-697 ] wireshark Message-ID: <20101130121320.DAFC4132C044@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-697 Date: 2010-11-30 Package: wireshark Vulnerable versions: <= 1.4.1-1haven1 Unaffected versions: >= 1.4.2-1haven1 Related bugreport: http://bugs.frugalware.org/task/4380 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3445 Description =========== A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an infinite recursion error in the "dissect_unknown_ber()" function in epan/dissectors/packet-ber.c and can be exploited to cause a stack overflow e.g. via a specially crafted SNMP packet. Updated Packages ================ Check if you have wireshark installed: # pacman-g2 -Q wireshark If found, then you should upgrade to the latest version: # pacman-g2 -Sy wireshark Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/697 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz06mAACgkQZ7NElSD1Vhn1QgCglRyIvjHUQGFTwkMbPiMfJkep jk0AnRAPIgQ9+ab/cZQhTq9A9D9TNizj =F53+ -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue Nov 30 13:17:10 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:17:10 +0100 (CET) Subject: [Frugalware-security] [ FSA-698 ] wireshark Message-ID: <20101130121710.7C63D132C043@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-698 Date: 2010-11-30 Package: wireshark Vulnerable versions: <= 1.4.1-1haven1 Unaffected versions: >= 1.4.2-1haven1 Related bugreport: http://bugs.frugalware.org/task/4380 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4300 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4301 Description =========== Two vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) A boundary error in "dissect_ldss_transfer()" in epan/dissectors/packet-ldss.c can be exploited to cause a heap-based buffer overflow. 2) An error in the ZigBee ZCL Discover Attribute Response dissector can be exploited to cause an infinite loop. Updated Packages ================ Check if you have wireshark installed: # pacman-g2 -Q wireshark If found, then you should upgrade to the latest version: # pacman-g2 -Sy wireshark Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/698 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz060YACgkQZ7NElSD1VhkppgCcC/ZL5WcCthBQO96CB806z8IH 8HoAn1lEw03HmJltBhYkQHTgSakgyuI5 =XAru -----END PGP SIGNATURE----- From vmiklos at frugalware.org Tue Nov 30 13:22:11 2010 From: vmiklos at frugalware.org (Miklos Vajna) Date: Tue, 30 Nov 2010 13:22:11 +0100 (CET) Subject: [Frugalware-security] [ FSA-699 ] phpmyadmin Message-ID: <20101130122211.ADCE7132C043@genesis.frugalware.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frugalware Security Advisory FSA-699 Date: 2010-11-30 Package: phpmyadmin Vulnerable versions: <= 3.3.7-1haven1 Unaffected versions: >= 3.3.8.1-1haven1 Related bugreport: http://bugs.frugalware.org/task/4381 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4329 Description =========== A vulnerability has been reported in Phpmyadmin, which can be exploited by malicious people to perform an XSS attack. See http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php for details. Updated Packages ================ Check if you have phpmyadmin installed: # pacman-g2 -Q phpmyadmin If found, then you should upgrade to the latest version: # pacman-g2 -Sy phpmyadmin Availability ============ The latest revision of this advisory is available at http://frugalware.org/security/699 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: See http://ftp.frugalware.org/pub/README.GPG for info iEYEARECAAYFAkz07HMACgkQZ7NElSD1VhlNnACgnGKleYgrLv8+Y494kTj6JWW9 zZkAoJvfmzYsnQXQktMkFRbIhdzKLkkp =6mG5 -----END PGP SIGNATURE-----