Security announcements for Frugalware stable releases http://frugalware.org/security http://frugalware.org/security/529 http://frugalware.org/security/529#top A vulnerability has been reported in the Simplenews module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Input passed as Newsletter categories is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed. Successful exploitation requires valid user credentials with the "administer taxonomy" permission.Vulnerable version: 5.x_1.4-1, Unaffected version: 5.x_1.5-1solaria1, CVEs: There is no CVE for this issue yet, see http://drupal.org/node/312944. Fri, 26 Sep 2008 00:00:00 +0200 http://frugalware.org/security/528 http://frugalware.org/security/528#top A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. An error exists in the "PMA_escapeJsString()" function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user's browser session in context of an affected site when e.g. Microsoft Internet Explorer is used.Vulnerable version: 2.11.9.1-1solaria1, Unaffected version: 2.11.9.2-1solaria1, CVEs: There is no CVE for this issue yet, see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-8. Fri, 26 Sep 2008 00:00:00 +0200 http://frugalware.org/security/527 http://frugalware.org/security/527#top A security issue has been reported in BitlBee, which can be exploited by malicious people to bypass certain security restrictions and hijack accounts. The security issue is caused due to an unspecified error, which can be exploited to overwrite existing accounts.Vulnerable version: 1.2.2-1, Unaffected version: 1.2.3-1solaria1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3969 Wed, 24 Sep 2008 00:00:00 +0200 http://frugalware.org/security/526 http://frugalware.org/security/526#top Norman Hippert has reported a vulnerability in phpMyAdmin, which can be exploited by malicious users to compromise a vulnerable system. Input passed to the "sort_by" parameter in server_databases.php is not properly sanitised before being used. This can be exploited to execute arbitrary PHP code. Successful exploitation requires valid user credentials.Vulnerable version: 2.11.8.1-1, Unaffected version: 2.11.9.1-1solaria1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4096 Sun, 21 Sep 2008 00:00:00 +0200 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100 http://frugalware.org/security/ http://frugalware.org/security/#top Vulnerable version: , Unaffected version: , CVEs: Thu, 01 Jan 1970 01:00:00 +0100