From vmiklos at frugalware.org Sun Feb 5 20:27:49 2012
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 5 Feb 2012 20:27:49 +0100 (CET)
Subject: [Frugalware-security] [ FSA-751 ] phpmyadmin
Message-ID: <20120205192749.9C355224CBE7@genesis.frugalware.org>

Frugalware Security Advisory FSA-751

Date: 2012-02-05
Package: phpmyadmin
Vulnerable versions: <= 3.4.8-1mores1
Unaffected versions: >= 3.4.9-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4643
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4780

Description
===========

Multiple cross-site scripting (XSS) vulnerabilities in
libraries/display_export.lib.php in phpMyAdmin allow remote attackers to
inject arbitrary web script or HTML via crafted URL parameters, related to
the export panels in the (1) server, (2) database, and (3) table sections.

Updated Packages
================

Check if you have phpmyadmin installed:

# pacman-g2 -Q phpmyadmin

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy phpmyadmin

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/751


From vmiklos at frugalware.org Sun Feb 5 20:34:50 2012
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 5 Feb 2012 20:34:50 +0100 (CET)
Subject: [Frugalware-security] [ FSA-752 ] wordpress
Message-ID: <20120205193450.283CD224CBE5@genesis.frugalware.org>

Frugalware Security Advisory FSA-752

Date: 2012-02-05
Package: wordpress
Vulnerable versions: <= 3.2.1-1
Unaffected versions: >= 3.3.1-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4644
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0287

Description
===========

Aditya Modha and Samir Shah discovered a vulnerability in WordPress, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Input passed via the URL to e.g. wp-comments-post.php is not properly
sanitised within the "wp_guess_url()" function in wp-includes/functions.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site.

Updated Packages
================

Check if you have wordpress installed:

# pacman-g2 -Q wordpress

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wordpress

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/752


From vmiklos at frugalware.org Sun Feb 5 20:40:12 2012
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 5 Feb 2012 20:40:12 +0100 (CET)
Subject: [Frugalware-security] [ FSA-753 ] wireshark
Message-ID: <20120205194012.5B96E224CBE5@genesis.frugalware.org>

Frugalware Security Advisory FSA-753

Date: 2012-02-05
Package: wireshark
Vulnerable versions: <= 1.6.3-1mores1
Unaffected versions: >= 1.6.5-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4650
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0068

Description
===========

Multiple vulnerabilities have been reported in Wireshark, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
compromise a user's system.

1) NULL pointer dereference errors when reading certain packet information
can be exploited to cause a crash.

2) An error within the RLC dissector can be exploited to cause a buffer
overflow via a specially crafted RLC packet capture file.

Successful exploitation of this vulnerability may allow execution of
arbitrary code.

3) An error within the "lanalyzer_read()" function (wiretap/lanalyzer.c)
when parsing LANalyzer files can be exploited to cause a heap-based buffer
underflow.

Successful exploitation of this vulnerability may allow execution of
arbitrary code.

NOTE: A weakness within the file parser, which can lead to a crash when
handling capture files has also been reported.

Updated Packages
================

Check if you have wireshark installed:

# pacman-g2 -Q wireshark

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy wireshark

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/753


From vmiklos at frugalware.org Sun Feb 5 20:48:46 2012
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 5 Feb 2012 20:48:46 +0100 (CET)
Subject: [Frugalware-security] [ FSA-754 ] drupal7
Message-ID: <20120205194846.BA725224CBE5@genesis.frugalware.org>

Frugalware Security Advisory FSA-754

Date: 2012-02-05
Package: drupal7
Vulnerable versions: <= 7.7-1
Unaffected versions: >= 7.12-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4655
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0827

Description
===========

A security issue and a vulnerability have been reported in Drupal, which
can be exploited by malicious people to manipulate certain data and bypass
certain security restrictions.

1) The security issue is caused due to the OpenID module not properly
verifying the signature of Attribute Exchange (AX) information, which can
be exploited to manipulate AX information.

2) An error in the File module when using certain field access modules can
be exploited to download private files which would otherwise be restricted.

Updated Packages
================

Check if you have drupal7 installed:

# pacman-g2 -Q drupal7

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal7

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/754


From vmiklos at frugalware.org Sun Feb 5 20:54:45 2012
From: vmiklos at frugalware.org (Miklos Vajna)
Date: Sun, 5 Feb 2012 20:54:45 +0100 (CET)
Subject: [Frugalware-security] [ FSA-755 ] drupal6
Message-ID: <20120205195445.87EAA224CBE5@genesis.frugalware.org>

Frugalware Security Advisory FSA-755

Date: 2012-02-05
Package: drupal6
Vulnerable versions: <= 6.22-1
Unaffected versions: >= 6.24-1mores1
Related bugreport: https://bugs.frugalware.org/ticket/4654
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0827

Description
===========

A security issue and a vulnerability have been reported in Drupal, which
can be exploited by malicious people to manipulate certain data and bypass
certain security restrictions.

1) The security issue is caused due to the OpenID module not properly
verifying the signature of Attribute Exchange (AX) information, which can
be exploited to manipulate AX information.

2) An error in the File module when using certain field access modules can
be exploited to download private files which would otherwise be restricted.

Updated Packages
================

Check if you have drupal6 installed:

# pacman-g2 -Q drupal6

If found, then you should upgrade to the latest version:

# pacman-g2 -Sy drupal6

Availability
============

The latest revision of this advisory is available at
http://frugalware.org/security/755
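The OpenID issue in FSA-754 and FSA-755 (AX information accepted without verifying it was signed) is the class of check this added example performs on the relying-party side; it is not Drupal's code and not part of the advisories. It assumes OpenID 2.0 semantics, where openid.signed lists the fields covered by openid.sig, so an AX field outside that list must be rejected even when the signature itself verifies; the provider response, MAC key and attribute names are constructed.

```python
from urllib.parse import parse_qs, urlencode
import base64, hashlib, hmac
AX_NS = "http://openid.net/srv/ax/1.0"

def parse_response(query):
    """Flatten an OpenID positive-assertion query string into a dict (fields are single-valued)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def kv_signature(params, mac_key, digest=hashlib.sha256):
    """HMAC over the key-value form of the fields listed in openid.signed (OpenID 2.0 sec. 10.1)."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), digest).digest()).decode()

def signed_ax_attributes(params, mac_key):
    """Return AX attributes only if openid.sig verifies AND every AX field is in openid.signed."""
    if not hmac.compare_digest(kv_signature(params, mac_key), params.get("openid.sig", "")):
        raise ValueError("bad openid.sig")
    signed = set(params["openid.signed"].split(","))
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None:
        return {}
    if f"ns.{alias}" not in signed:  # the alias binding itself must be signed, or it could be rebound
        raise ValueError(f"AX namespace binding ns.{alias} is unsigned")
    attrs = {}
    for key, value in params.items():
        if key.startswith(f"openid.{alias}."):
            field = key[len("openid."):]
            # a valid HMAC says nothing about fields outside openid.signed; reject them
            if field not in signed:
                raise ValueError(f"unsigned AX field {field}")
            attrs[field[len(alias) + 1:]] = value
    return attrs

# Constructed sample (not a real provider response): a minimal signed assertion with one AX
# attribute, and the same assertion with an unsigned AX field appended by a third party.
MAC_KEY = b"constructed-association-mac-key"
_fields = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
}
_fields["openid.signed"] = ",".join(k[len("openid."):] for k in _fields)
_fields["openid.sig"] = kv_signature(_fields, MAC_KEY)
GOOD_QUERY = urlencode(_fields)
TAMPERED_QUERY = GOOD_QUERY + "&" + urlencode({"openid.ax.type.role": "http://example.org/role", "openid.ax.value.role": "admin"})
```

A real relying party additionally requires op_endpoint, return_to, response_nonce and assoc_handle to be among the signed fields; they are left out here to keep the sample short.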