Frugalware Security Announcements (FSAs)

This is a list of security announcements that have been released for the current stable version of Frugalware.

drupal6-devel

  • Author: Miklos Vajna
  • Vulnerable: 6.x_1.18-1
  • Unaffected: 6.x_1.21-1locris1

A vulnerability has been reported in the Devel (Performance logging) module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Certain input passed via node paths is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is being viewed. Successful exploitation requires that the attacker has permission to add URL aliases and that the victim has access to the reports of the performance module.

drupal-cck

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.10-1
  • Unaffected: 5.x_1.12-1locris1

A vulnerability has been reported in the Drupal Content Construction Kit, which can be exploited by malicious users to disclose sensitive information. The vulnerability in the CCK “Node Reference” module is caused due to improper validation of access levels, which can be exploited to gain view access to controlled nodes.

CVEs:

drupal-filefield

  • Author: Miklos Vajna
  • Vulnerable: 5.x_2.4-1
  • Unaffected: 5.x_2.5-1locris1

A vulnerability has been reported in the FileField module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed e.g. via the “filepath” parameter is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user’s browser session in the context of an affected site when the malicious data is being viewed. Successful exploitation requires permission to create or edit content with a FileField, and that the administrator has configured a vulnerable display format or uses a special token.

drupal-views

  • Author: Miklos Vajna
  • Vulnerable: 5.x_1.7-1locris1
  • Unaffected: 5.x_1.8-1locris1

Multiple vulnerabilities have been reported in the Views module for Drupal, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks.

  1. The Views UI module allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. enable or disable all Views on a site when a logged-in user visits a malicious site. This vulnerability is reported in versions prior to 5.x-1.8 and 6.x-2.11. Successful exploitation requires that the Views UI module is enabled.
  2. Input passed via URLs or aggregator feed titles is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in the context of an affected site when the malicious data is returned to the user.

CVEs:

drupal6-cck

  • Author: Miklos Vajna
  • Vulnerable: 6.x_2.6-1
  • Unaffected: 6.x_2.7-1locris1

Some vulnerabilities have been reported in the Drupal Content Construction Kit, which can be exploited by malicious users to disclose sensitive information.

  1. A vulnerability in the CCK “Node Reference” module is caused due to improper validation of access levels, which can be exploited to gain view access to controlled nodes.
  2. Another vulnerability in the “Node Reference” module is caused due to improper validation of access levels for a backend URL. This can be exploited to send direct queries to the backend URL and disclose node titles and IDs.

CVEs:

openssl

  • Author: Miklos Vajna
  • Vulnerable: 0.9.8-18
  • Unaffected: 0.9.8-19locris1

Multiple vulnerabilities have been reported in OpenSSL:

  1. A vulnerability is caused due to certain applications (e.g. Apache with the PHP module) calling OpenSSL’s “CRYPTO_free_all_ex_data()” function prematurely. In certain cases, this can result in memory leaks, which can be exploited to e.g. cause a DoS due to memory exhaustion.
  2. A vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks. Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.
  3. A vulnerability is caused due to the library not properly verifying the return value of the “bn_wexpand()” function.
  4. The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.
  5. An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out-of-sequence handshake messages.
  6. A use-after-free error in the “dtls1_retrieve_buffered_fragment()” function can be exploited to cause a crash in a client context.
  7. An error in the “dtls1_process_out_of_seq_message()” function can be exploited to crash a DTLS server via a specially crafted out-of-sequence DTLS packet.
  8. The “kssl_keytab_is_available()” function in ssl/kssl.c does not check the return value of a call to the “krb5_sname_to_principal()” function, which can be exploited to cause a NULL pointer dereference by e.g. sending certain cipher suites within the client hello.
  9. An error exists within the “ssl3_get_record()” function in openssl/ssl/s3_pkt.c when processing certain records, which can be exploited to cause a crash by sending specially crafted records.
  10. A vulnerability is caused due to an error when handling CMS (Cryptographic Message Syntax) structures. This can be exploited to trigger a write to an invalid memory address or a double-free via a specially crafted CMS structure containing an “OriginatorInfo” element.

CVEs: