<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
	<title>Frugalware Linux Security</title>
	<description>Security announcements for Frugalware stable releases</description>
	<link>http://frugalware.org/security</link>
<item>
<title>FSA642 - drupal6-i18n</title>
<link>http://frugalware.org/security/642</link>
<guid>http://frugalware.org/security/642#top</guid>
<description>See FSA641 for details. Vulnerable version: 6.x_1.2-1, Unaffected version: 6.x_1.3-1locris1, CVEs: No CVE references, see http://drupal.org/node/731632.</description>
<pubDate>Fri, 12 Mar 2010 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA641 - drupal-i18n</title>
<link>http://frugalware.org/security/641</link>
<guid>http://frugalware.org/security/641#top</guid>
<description>A vulnerability has been reported in the Internationalization module for Drupal, which can be exploited by malicious users to compromise a vulnerable system.
			Certain unspecified input is not properly sanitised before being used to translate the text. This can be exploited to execute arbitrary PHP code by passing a malicious string to the input filter. Vulnerable version: 5.x_2.5-1, Unaffected version: 5.x_2.6-1locris1, CVEs: No CVE references, see http://drupal.org/node/731632.</description>
<pubDate>Fri, 12 Mar 2010 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA640 - drupal6</title>
<link>http://frugalware.org/security/640</link>
<guid>http://frugalware.org/security/640#top</guid>
<description>See FSA639 for details. Vulnerable version: 6.15-1, Unaffected version: 6.16-1locris1, CVEs: No CVE references, see http://drupal.org/node/731710.</description>
<pubDate>Thu, 11 Mar 2010 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA639 - drupal</title>
<link>http://frugalware.org/security/639</link>
<guid>http://frugalware.org/security/639#top</guid>
<description>Some vulnerabilities have been reported in Drupal, which can be exploited by malicious users to conduct script insertion attacks and bypass certain security restrictions.
			1) Input passed via the &quot;langcode&quot;, &quot;name&quot;, and &quot;native&quot; parameters in the languages interface while using the Locale module is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
			Successful exploitation requires &quot;administer languages&quot; permissions.
			2) An error in the handling of certain sessions can be exploited to maintain an open session despite the user being blocked. Vulnerable version: 5.21-1, Unaffected version: 5.22-2locris1, CVEs: No CVE references, see http://drupal.org/node/731710.</description>
<pubDate>Thu, 11 Mar 2010 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA638 - wordpress</title>
<link>http://frugalware.org/security/638</link>
<guid>http://frugalware.org/security/638#top</guid>
<description>A vulnerability has been discovered in WordPress, which can be exploited by malicious users to bypass certain security restrictions.
			The vulnerability is caused by WordPress not properly restricting access to trashed posts, which can be exploited to e.g. view a trashed post by accessing its page directly.
			Successful exploitation requires a valid user account. Vulnerable version: 2.9.1-1, Unaffected version: 2.9.2-1locris1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0682</description>
<pubDate>Wed, 10 Mar 2010 00:00:00 +0100</pubDate>
</item>
<item>
<title>FSA637 - xar</title>
<link>http://frugalware.org/security/637</link>
<guid>http://frugalware.org/security/637#top</guid>
<description>Braden Thomas from Apple has discovered a signature verification bypass issue in xar. The issue is that xar_open assumes that the checksum is stored at offset 0, but xar_signature_copy_signed_data uses xar property &quot;checksum/offset&quot; to find the offset to the checksum when validating the signature. As a result, a modified xar archive can pass signature validation by putting the checksum for the modified TOC at offset 0, pointing &quot;checksum/offset&quot; at the non-modified checksum at a higher offset, and using the original non-modified signature. Vulnerable version: 1.5.2-1, Unaffected version: 1.5.2-2locris1, CVEs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0055</description>
<pubDate>Tue, 09 Mar 2010 00:00:00 +0100</pubDate>
</item>
</channel>
</rss>