[Full-disclosure] [SECURITY] [DSA 2804-1] drupal7 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2804-1                   secur...@debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
November 26, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6385 CVE-2013-6386 CVE-2013-6387 CVE-2013-6388
                 CVE-2013-6389

Multiple vulnerabilities have been discovered in Drupal, a fully-featured
content management framework: Cross-site request forgery, insecure
pseudo-random number generation, code execution, incorrect security token
validation and cross-site scripting.

In order to avoid the remote code execution vulnerability, it is recommended
to create a .htaccess file (or an equivalent configuration directive in case
you are not using Apache to serve your Drupal sites) in each of your sites'
"files" directories (both public and private, in case you have both
configured). Please refer to the NEWS file provided with this update and the
upstream advisory at https://drupal.org/SA-CORE-2013-003 for further
information.

For the stable distribution (wheezy), these problems have been fixed in
version 7.14-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.24-1.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKU0OsACgkQXm3vHE4uyloCQwCfZacV87eOtGiU6pZpNLaIYv2o
/zgAniyQJO58YkAKZer+fYjegTt7xGU5
=7KOj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
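The advisory above says to drop a .htaccess into each "files" directory but does not reproduce one. The following is an added example written for this digest, not text from the advisory, the Debian package or Drupal's own stock file. It follows the standard defence for an upload directory under Apache: turn the PHP engine off for the directory, assign every file a catch-all handler that no module serves, and refuse requests for script-like extensions outright. The handler name `Drupal_Files_Do_Not_Execute` is a constructed sentinel; any name that no loaded module registers as a handler has the same effect.

```apache
# Added example: .htaccess for a Drupal "files" directory (public or private).
# Goal: anything uploaded here is served as static data, never executed.

# Drop every option except symlink following (Drupal needs that for some
# multisite layouts); in particular this removes ExecCGI and Includes.
Options None
Options +FollowSymLinks

# Catch-all handler. A request for foo.php in this directory is routed to a
# handler that does not exist, so Apache cannot hand it to mod_php, CGI or
# any other executor. The name is a constructed sentinel, not a real handler.
SetHandler Drupal_Files_Do_Not_Execute
<Files *>
  # Re-assert the handler in case a later <Files> block in the server config
  # overrides the directory-level SetHandler.
  SetHandler Drupal_Files_Do_Not_Execute
</Files>

# Belt and braces: where mod_php is loaded, switch the engine off entirely
# for this directory tree. mod_php5 was current at the time of the advisory;
# a newer module name goes in an additional <IfModule> block.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

# Refuse script-like extensions outright, so a mis-ordered handler never
# matters. The two blocks cover Apache 2.4 (mod_authz_core) and 2.2 syntax.
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

Two checks are worth doing after placing the file. First, the directives only take effect if the enclosing `<Directory>` in the server configuration has an `AllowOverride` that includes `Options`, `FileInfo` and `Limit`; with `AllowOverride None` the same directives must go into the virtual host's `<Directory>` block instead, which is also the place for the "equivalent configuration directive" the advisory mentions for non-Apache setups. Second, verify the effect rather than trusting it: put a throwaway file containing `<?php phpinfo();` into the directory, request it, and confirm the response is a 403 or the raw source text, not a rendered phpinfo page, then delete the file.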
[Full-disclosure] [ MDVSA-2013:287 ] drupal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:287
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : drupal
 Date    : November 26, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple security issues were identified and fixed in drupal:

 Drupal core's Image module allows for the on-demand generation of image
 derivatives. This capability can be abused by requesting a large number
 of new derivatives which can fill up the server disk space, and which
 can cause a very high CPU load. Either of these effects may lead to the
 site becoming unavailable or unresponsive (CVE-2013-0316).

 Drupal's form API has built-in cross-site request forgery (CSRF)
 validation, and also allows any module to perform its own validation on
 the form. In certain common cases, form validation functions may execute
 unsafe operations (CVE-2013-6385).

 Drupal core directly used the mt_rand() pseudorandom number generator
 for generating security related strings used in several core modules.
 It was found that brute force tools could determine the seeds making
 these strings predictable under certain circumstances (CVE-2013-6386).

 Image field descriptions are not properly sanitized before they are
 printed to HTML, thereby exposing a cross-site scripting vulnerability
 (CVE-2013-6387).

 A cross-site scripting vulnerability was found in the Color module. A
 malicious attacker could trick an authenticated administrative user into
 visiting a page containing specific JavaScript that could lead to a
 reflected cross-site scripting attack via JavaScript execution in CSS
 (CVE-2013-6388).

 The Overlay module displays administrative pages as a layer over the
 current page (using JavaScript), rather than replacing the page in the
 browser window. The Overlay module did not sufficiently validate URLs
 prior to displaying their contents, leading to an open redirect
 vulnerability (CVE-2013-6389).

 The updated packages have been upgraded to the 7.24 version which is
 unaffected by these security flaws.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0316
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6385
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6387
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6388
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6389
 https://drupal.org/SA-CORE-2013-002
 https://drupal.org/SA-CORE-2013-003
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 dea15beebe117b22c239a57efcdf4d41  mbs1/x86_64/drupal-7.24-1.mbs1.noarch.rpm
 b685bd1576bbbcc7d2f8fbed1a63e2bf  mbs1/x86_64/drupal-mysql-7.24-1.mbs1.noarch.rpm
 9be768cea58a7701f50d3e07bd60ac0c  mbs1/x86_64/drupal-postgresql-7.24-1.mbs1.noarch.rpm
 90a9e5205f30afcd95d68b75d718a551  mbs1/x86_64/drupal-sqlite-7.24-1.mbs1.noarch.rpm
 a5240f371727f887c70c1f93fc905171  mbs1/SRPMS/drupal-7.24-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD4DBQFSlKYZmqjQ0CJFipgRAgmmAJi7qBxP60iRej5mxXmp8M00/XpQAJ9sHFpX
NNCReDqXIthayPbo2ae/NA==
=eGAN
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2803-1] quagga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2803-1                   secur...@debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
November 26, 2013                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2236 CVE-2013-6051
Debian Bug     : 730513 726724

Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing
daemon:

CVE-2013-2236

    A buffer overflow was found in the OSPF API-server (exporting the LSDB
    and allowing announcement of Opaque-LSAs).

CVE-2013-6051

    bgpd could be crashed through BGP updates. This only affects
    Wheezy/stable.

For the oldstable distribution (squeeze), these problems have been fixed in
version 0.99.20.1-0+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 0.99.22.4-1+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 0.99.22.4-1.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKUyFsACgkQXm3vHE4uylouHQCeNCxgOv9G1tH64xIrkFeU4uii
rvAAoIzFahZs7T2On3ppR7ivv3Q4YSuQ
=6ZKz
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2013:286 ] ruby
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:286
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ruby
 Date    : November 26, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was found and corrected in ruby:

 Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
 43780 allows context-dependent attackers to cause a denial of service
 (segmentation fault) and possibly execute arbitrary code via a string
 that is converted to a floating point value, as demonstrated using
 (1) the to_f method or (2) JSON.parse (CVE-2013-4164).

 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 1294917053856fc539899d0b44ad0dbc  mes5/i586/ruby-1.8.7-7p72.7mdvmes5.2.i586.rpm
 3f2db72bc1631e542779316343e966c4  mes5/i586/ruby-devel-1.8.7-7p72.7mdvmes5.2.i586.rpm
 39cfc6c4609fcc57176672475790b32b  mes5/i586/ruby-doc-1.8.7-7p72.7mdvmes5.2.i586.rpm
 0ec33b39a54d3bdf697f45da9f89e47a  mes5/i586/ruby-tk-1.8.7-7p72.7mdvmes5.2.i586.rpm
 fd07a01ddd78a658dfc153a62031321f  mes5/SRPMS/ruby-1.8.7-7p72.7mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 a931882acf32d122e07627496390d938  mes5/x86_64/ruby-1.8.7-7p72.7mdvmes5.2.x86_64.rpm
 b501426a2e620f092bbb599859250cbe  mes5/x86_64/ruby-devel-1.8.7-7p72.7mdvmes5.2.x86_64.rpm
 ff3c3946cadf9572f9a9156ce1acc4d1  mes5/x86_64/ruby-doc-1.8.7-7p72.7mdvmes5.2.x86_64.rpm
 7e11dfe3289d721f58692552d2dffe92  mes5/x86_64/ruby-tk-1.8.7-7p72.7mdvmes5.2.x86_64.rpm
 fd07a01ddd78a658dfc153a62031321f  mes5/SRPMS/ruby-1.8.7-7p72.7mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 19f50bdda7f4d5298aad37fffcc161d2  mbs1/x86_64/ruby-1.8.7.p358-2.3.mbs1.x86_64.rpm
 cb212eb9e77942130daa03bd00129647  mbs1/x86_64/ruby-devel-1.8.7.p358-2.3.mbs1.x86_64.rpm
 61727a178644e24a90893fd521beaf26  mbs1/x86_64/ruby-doc-1.8.7.p358-2.3.mbs1.noarch.rpm
 7c7c74b929d64434f5fac3e9a6a16eac  mbs1/x86_64/ruby-tk-1.8.7.p358-2.3.mbs1.x86_64.rpm
 3b57d1f0167760c15f5a2b7187f9301b  mbs1/SRPMS/ruby-1.8.7.p358-2.3.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSlGwWmqjQ0CJFipgRAro6AKDxx5aol75oiREPEvp6GwJOdrHV4ACdEiEp
IDtHqkEQ0Csfty0PsqPR7Xg=
=XUfQ
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2013:285 ] bugzilla
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:285
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : bugzilla
 Date    : November 26, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were found and corrected in bugzilla:

 Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in
 Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the
 authentication of arbitrary users for requests that modify bugs via
 vectors involving a midair-collision token (CVE-2013-1733).

 Cross-site request forgery (CSRF) vulnerability in attachment.cgi in
 Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to
 hijack the authentication of arbitrary users for requests that commit
 an attachment change via an update action (CVE-2013-1734).

 Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi
 in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before
 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject
 arbitrary web script or HTML via the (1) id or (2) sortkey parameter
 (CVE-2013-1742).

 Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in
 Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1
 allow remote attackers to inject arbitrary web script or HTML via a
 field value that is not properly handled during construction of a
 tabular report, as demonstrated by the (1) summary or (2) real name
 field. NOTE: this issue exists because of an incomplete fix for
 CVE-2012-4189 (CVE-2013-1743).

 The updated packages have been upgraded to the 4.2.7 version which is
 not affected by these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1733
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1734
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1742
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1743
 http://www.bugzilla.org/releases/4.2.6/release-notes.html
 http://www.bugzilla.org/releases/4.2.7/release-notes.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 9a1a55ee22eeeac4627983498b7f595c  mbs1/x86_64/bugzilla-4.2.7-1.mbs1.noarch.rpm
 0a3fa051b8bc513811ffc89bfd7aff22  mbs1/x86_64/bugzilla-contrib-4.2.7-1.mbs1.noarch.rpm
 56ca09432b832fad00398056f148e3cc  mbs1/SRPMS/bugzilla-4.2.7-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFSlGoYmqjQ0CJFipgRAgzyAKDf2bSWn3YByiwJ5Tpy1IGe8UEGWwCg7ous
FI4snEnJtYak1Y5RHIAh5Ig=
=FTVm
-----END PGP SIGNATURE-----