Frugalware Security Announcements (FSAs)

• Author: Miklos Vajna
• Vulnerable: 0.9.8-14
• Unaffected: 0.9.8-15solaria1

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

• Bug Tracker URL: http://bugs.frugalware.org/task/3557

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

• Author: Miklos Vajna
• Vulnerable: 2.1.0-1
• Unaffected: 2.1.1-1solaria1

Some vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to conduct SQL injection attacks. The vulnerabilities are caused due to Active Record not properly sanitising the “:offset” and “:limit” parameters before using them in SQL queries. This can be exploited to manipulate SQL queries by injecting SQL code.

• Bug Tracker URL: http://bugs.frugalware.org/task/3368

CVEs:

• No CVE, see http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1.

• Author: Miklos Vajna
• Vulnerable: 2.0.0.17-1
• Unaffected: 2.0.0.18-1solaria1

Some vulnerabilities have been reported in Mozilla Thunderbird, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or compromise a user’s system.

1. Several vulnerabilities can be exploited to disclose sensitive information, bypass certain security restrictions, or compromise a user’s system.
2. An error exists while processing JavaScript code embedded in email messages. This can be exploited to disclose the mailbox URI of the recipient via the “.documentURI” DOM property, or to potentially disclose comments placed in a forwarded email via the “.textContent” DOM property.

• Bug Tracker URL: http://bugs.frugalware.org/task/3465

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5012
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5014
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5017
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5018
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5021
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5022
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5024

• Author: Miklos Vajna
• Vulnerable: 2.11.9.3-1solaria1
• Unaffected: 2.11.9.4-1solaria1

This fixes an SQL injection, see http://www.milw0rm.com/exploits/7382 for more info.

• Bug Tracker URL: http://bugs.frugalware.org/task/3548

CVEs:

• No CVE, see http://sourceforge.net/forum/forum.php?forum_id=896047.

• Author: Miklos Vajna
• Vulnerable: 5.12-1solaria1
• Unaffected: 5.13-1solaria1

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks.

1. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain operations (e.g. execute old updates) when a logged-in superuser visits a malicious web site.

• Author: Miklos Vajna
• Vulnerable: 6.6-1solaria1
• Unaffected: 6.7-1solaria1

Some vulnerabilities have been reported in Drupal 6, which can be exploited by malicious people to conduct cross-site request forgery and cross-site scripting attacks. For more info, see FSA560.

• Bug Tracker URL: http://bugs.frugalware.org/task/3513

CVEs:

• No CVE, see http://drupal.org/node/345441.

• Author: Miklos Vajna
• Vulnerable: 1.1.2-1
• Unaffected: 1.2.1-1solaria1

This is a minor security release that adds another check to the XSS filter for an Internet Explorer exploit and fixes unescaped output in the test.php scripts. All users are encouraged to upgrade to this version. In addition all users are encouraged to disable test.php in production, per the install documentation.

• Bug Tracker URL: http://bugs.frugalware.org/task/3518

CVEs:

• No CVE, see http://lists.horde.org/archives/announce/2008/000472.html.

• Author: Miklos Vajna
• Vulnerable: 2.6.26-1
• Unaffected: 2.6.26-2solaria1

Some vulnerabilities have been reported in the Linux kernel, which potentially can be exploited by malicious people to compromise a vulnerable system.

1. The error-reporting functionality in (1) fs/ext2/dir.c, (2) fs/ext3/dir.c, and possibly (3) fs/ext4/dir.c in the Linux kernel 2.6.26.5 does not limit the number of printk console messages that report directory corruption, which allows physically proximate attackers to cause a denial of service (temporary system hang) by mounting a filesystem that has corrupted dir->i_size and dir->i_blocks values and performing (a) read or (b) write operations. NOTE: there are limited scenarios in which this crosses privilege boundaries.
2. The i915 driver in (1) drivers/char/drm/i915_dma.c in the Linux kernel 2.6.24 on Debian GNU/Linux and (2) sys/dev/pci/drm/i915_drv.c in OpenBSD does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl’s configuration.
3. Linux kernel 2.6.28 allows local users to cause a denial of service (“soft lockup” and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

• Bug Tracker URL: http://bugs.frugalware.org/task/3520

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3831
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300

• Author: Miklos Vajna
• Vulnerable: 1.0.4-1solaria1
• Unaffected: 1.0.5-1solaria1

Two vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

1. An error in the SMTP dissector can be exploited to trigger the execution of an infinite loop via a large SMTP packet.
2. An error in the WLCCP dissector can be exploited to trigger the execution of an infinite loop via a specially crafted packet.

• Bug Tracker URL: http://bugs.frugalware.org/task/3514

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5285

• Author: Miklos Vajna
• Vulnerable: 2.6.3-1solaria1
• Unaffected: 2.6.5-1solaria1

Jeremias Reith has reported a vulnerability in WordPress, which can be exploited by malicious people to conduct script insertion attacks. Input passed via the HTTP “Host” header is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site if malicious data is viewed. Note: Reportedly, this only affects IP-based virtual servers running on Apache 2.x.