<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
	<title>Frugalware Linux Security</title>
	<description>Security announcements for Frugalware stable releases</description>
	<link>http://frugalware.org/security</link>
<item>
<title>FSA625 - kernel</title>
<link>http://frugalware.org/security/625</link>
<guid>http://frugalware.org/security/625#top</guid>
<description>This fixes a vulnerability which can potentially be exploited by malicious people to cause a DoS (immediate OOPS and hang, complete loss of response, even of console).
			The vulnerability is caused by an error within the &quot;ip_defrag()&quot; function in net/ipv4/ip_fragment.c, which may be exploited to cause a NULL pointer dereference by sending overly large packets to a vulnerable system. Vulnerable version: 2.6.30-3, Unaffected version: 2.6.30-4getorin1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1298</description>
<pubDate>Wed, 09 Dec 2009 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA624 - drupal6-commentrss</title>
<link>http://frugalware.org/security/624</link>
<guid>http://frugalware.org/security/624#top</guid>
<description>See FSA623 for more info. Vulnerable version: 6.x_2.1-1, Unaffected version: 6.x_2.2-1getorin1, CVEs: No CVE references, see http://drupal.org/node/579290.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA623 - drupal-commentrss</title>
<link>http://frugalware.org/security/623</link>
<guid>http://frugalware.org/security/623#top</guid>
<description>A vulnerability has been reported in the Comment RSS module for Drupal, which can be exploited to disclose potentially sensitive information.
			The vulnerability is caused by the module not properly respecting access restrictions when adding the link to a node, which can be exploited to disclose potentially sensitive information. Vulnerable version: 5.x_2.1-1, Unaffected version: 5.x_2.2-1getorin1, CVEs: No CVE references, see http://drupal.org/node/579280.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA622 - drupal6</title>
<link>http://frugalware.org/security/622</link>
<guid>http://frugalware.org/security/622#top</guid>
<description>See FSA621 for more info. Vulnerable version: 6.13-1, Unaffected version: 6.14-1getorin1, CVEs: No CVE references, see http://drupal.org/node/579476.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA621 - drupal</title>
<link>http://frugalware.org/security/621</link>
<guid>http://frugalware.org/security/621#top</guid>
<description>Some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to hijack accounts and compromise a vulnerable system, and by malicious people to conduct cross-site request forgery attacks.
			1) The OpenID module allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. add OpenID identities to existing accounts.
			2) An unspecified error within the OpenID Authentication 2.0 implementation can be exploited to hijack another user's account if the same OpenID 2.0 provider is used.
			3) An error within the File API when processing certain file extensions can be exploited to e.g. upload files which can be executed by the web server.
			Note: Successful exploitation requires that the web server is configured to ignore Drupal's &quot;.htaccess&quot; file. Vulnerable version: 5.19-1, Unaffected version: 5.20-1getorin1, CVEs: No CVE references, see http://drupal.org/node/579484.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA620 - drupal-date</title>
<link>http://frugalware.org/security/620</link>
<guid>http://frugalware.org/security/620#top</guid>
<description>A vulnerability has been reported in the Date module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.
			Certain unspecified input is not properly sanitised before being displayed in the page title. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
			Successful exploitation requires privileges to post date content. Vulnerable version: 5.x_2.7-1, Unaffected version: 5.x_2.8-1getorin1, CVEs: No CVE references, see http://drupal.org/node/579144.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA619 - horde-webmail</title>
<link>http://frugalware.org/security/619</link>
<guid>http://frugalware.org/security/619#top</guid>
<description>Some vulnerabilities have been reported in Horde Groupware and Horde Groupware Webmail Edition, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and by malicious users to compromise a vulnerable system.
			1) Two vulnerabilities can be exploited to conduct cross-site scripting or script insertion attacks.
			2) An error within the form library of the Horde Application Framework when handling image form fields can be exploited to overwrite arbitrary local files. Vulnerable version: 1.2.3-1, Unaffected version: 1.2.4-1getorin1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3236</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA618 - wireshark</title>
<link>http://frugalware.org/security/618</link>
<guid>http://frugalware.org/security/618#top</guid>
<description>Some vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).
			1) An error in the &quot;OpcUa&quot; dissector can be exploited to exhaust CPU and memory resources via a specially crafted &quot;Service CallRequest&quot; packet.
			2) An assertion error in the &quot;GSM A RR&quot; dissector can be exploited to cause a crash.
			3) An error in the TLS dissector can be exploited to cause a crash on certain platforms (e.g. Windows) via specially crafted TLS 1.2 network packets. Vulnerable version: 1.2.1-1, Unaffected version: 1.2.2-1getorin1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3241
			http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3242
			http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3243</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
<item>
<title>FSA617 - drupal6-devel</title>
<link>http://frugalware.org/security/617</link>
<guid>http://frugalware.org/security/617#top</guid>
<description>A vulnerability has been reported in the Devel module for Drupal, which can be exploited by malicious users to conduct script insertion attacks.
			The variable editor does not properly sanitise the variable name before displaying it to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed. Vulnerable version: 6.x_1.17-1, Unaffected version: 6.x_1.18-1getorin1, CVEs: No CVE references, see http://drupal.org/node/585952.</description>
<pubDate>Sun, 27 Sep 2009 00:00:00 +0200</pubDate>
</item>
</channel>
</rss>