From vmiklos at frugalware.org Fri Dec 23 14:55:09 2011
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Fri, 23 Dec 2011 14:55:09 +0100 (CET)
Subject: [Frugalware-security] [ FSA-747 ] drupal6-views
Message-ID: <20111223135509.C3B3519F4010@genesis.frugalware.org>

Frugalware Security Advisory FSA-747

Date: 2011-12-23
Package: drupal6-views
Vulnerable versions: <= 6.x_2.12-2
Unaffected versions: >= 6.x_2.14-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4632
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4113

Description
===========

A vulnerability has been reported in the Views module for Drupal, which can be
exploited by malicious people to conduct SQL injection attacks.

Input passed via certain filters or arguments on certain types of views is not
properly sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Updated Packages
================

Check if you have drupal6-views installed:

# pacman-g2 -Q drupal6-views

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6-views

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/747


From vmiklos at frugalware.org Fri Dec 23 15:00:27 2011
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Fri, 23 Dec 2011 15:00:27 +0100 (CET)
Subject: [Frugalware-security] [ FSA-748 ] wireshark
Message-ID: <20111223140027.A45DA142001F@genesis.frugalware.org>

Frugalware Security Advisory FSA-748

Date: 2011-12-23
Package: wireshark
Vulnerable versions: <= 1.6.2-1mores1
Unaffected versions: >= 1.6.3-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4633
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4102

Description
===========

Multiple vulnerabilities have been reported in Wireshark, which can be exploited
by malicious people to cause a DoS (Denial of Service) and compromise a
vulnerable system.

1) An error related to an uninitialised variable within the CSN.1 dissector can
be exploited to cause a crash.

2) A NULL pointer dereference error within the Infiniband dissector can be
exploited to cause a crash.

3) An error within the ERF file parser can be exploited to cause a heap-based
buffer overflow. Successful exploitation of this vulnerability may allow
execution of arbitrary code.

Updated Packages
================

Check if you have wireshark installed:

# pacman-g2 -Q wireshark

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wireshark

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/748


From vmiklos at frugalware.org Fri Dec 23 15:18:40 2011
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Fri, 23 Dec 2011 15:18:40 +0100 (CET)
Subject: [Frugalware-security] [ FSA-749 ] roundcube
Message-ID: <20111223141840.EC94E142001F@genesis.frugalware.org>

Frugalware Security Advisory FSA-749

Date: 2011-12-23
Package: roundcube
Vulnerable versions: <= 0.5.4-1mores1
Unaffected versions: >= 0.7-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4642
CVE: No CVE, see http://sourceforge.net/news/?group_id=139281&id=305129.
Description
===========

Besides fixing bugs, the developers added some security improvements which
protect Roundcube users from XSS and clickjacking attacks.

Updated Packages
================

Check if you have roundcube installed:

# pacman-g2 -Q roundcube

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy roundcube

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/749


From vmiklos at frugalware.org Fri Dec 23 15:36:17 2011
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Fri, 23 Dec 2011 15:36:17 +0100 (CET)
Subject: [Frugalware-security] [ FSA-750 ] phpmyadmin
Message-ID: <20111223143617.473A7142001F@genesis.frugalware.org>

Frugalware Security Advisory FSA-750

Date: 2011-12-23
Package: phpmyadmin
Vulnerable versions: <= 3.4.7.1-1mores1
Unaffected versions: >= 3.4.8-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4640
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4634

Description
===========

Using crafted database names, it was possible to produce XSS in the Database
Synchronize and Database rename panels.

Using an invalid and crafted SQL query, it was possible to produce XSS when
editing a query on a table overview panel or when using the view creation
dialog.

Using a crafted column type, it was possible to produce XSS in the table search
and create index dialogs.
Updated Packages
================

Check if you have phpmyadmin installed:

# pacman-g2 -Q phpmyadmin

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy phpmyadmin

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/750
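The "Updated Packages" sections of all four advisories above follow the same pattern: query the installed version, compare it with the advisory's version ranges, upgrade if it falls below the first unaffected version. The script below is an added example (not Frugalware's tooling) that automates that comparison for FSA-747 through FSA-750 over a constructed sample of pacman-g2 -Q output; it assumes that output is one "name version" pair per line and approximates pacman's vercmp ordering (pkgver compared segment by segment, then pkgrel).

```python
"""Check pacman-g2 -Q output against the version ranges in FSA-747..750."""
import re

# package -> (last vulnerable version, first unaffected version, advisory), taken from the advisories
ADVISORIES = {
    "drupal6-views": ("6.x_2.12-2", "6.x_2.14-1mores1", "FSA-747"),
    "wireshark": ("1.6.2-1mores1", "1.6.3-1mores1", "FSA-748"),
    "roundcube": ("0.5.4-1mores1", "0.7-1mores1", "FSA-749"),
    "phpmyadmin": ("3.4.7.1-1mores1", "3.4.8-1mores1", "FSA-750"),
}

def _segments(s):
    """Split a version into numeric and alphabetic runs: '6.x_2.12' -> ['6', 'x', '2', '12']."""
    return re.findall(r"\d+|[a-zA-Z]+", s)

def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        elif x != y:
            return 1 if x > y else -1
    if len(a) == len(b):
        return 0
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    # a trailing alphabetic segment ('1.0a') sorts before the shorter version ('1.0')
    return -sign if longer[min(len(a), len(b))].isalpha() else sign

def vercmp(a, b):
    """Approximation of pacman's vercmp: compare pkgver, then pkgrel; returns -1, 0 or 1."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_segments(_segments(va), _segments(vb)) or _cmp_segments(_segments(ra), _segments(rb))

def parse_query_output(text):
    """Parse 'name version' lines (the pacman-g2 -Q output format is assumed here)."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def affected(installed):
    """Return {package: advisory} for installed packages below the first unaffected version."""
    result = {}
    for pkg, ver in installed.items():
        if pkg in ADVISORIES:
            _vuln_max, fixed_min, fsa = ADVISORIES[pkg]
            if vercmp(ver, fixed_min) < 0:  # conservative: anything below the fix is treated as affected
                result[pkg] = fsa
    return result

# Constructed sample of pacman-g2 -Q output, not taken from a real system.
SAMPLE = "drupal6-views 6.x_2.12-2\nwireshark 1.6.3-1mores1\nroundcube 0.5.4-1mores1\nphpmyadmin 3.4.8-1mores1\n"

if __name__ == "__main__":
    for pkg, fsa in affected(parse_query_output(SAMPLE)).items():
        print(f"{pkg}: still vulnerable ({fsa}), upgrade with: pacman-g2 -Sy {pkg}")
```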