Fedora Essential and Critical Security Patch Updates - Page 765

Find the information you need for your favorite open source distribution .

Fedora 9 Update: drupal-6.13-1.fc9

Fedora 9 Update: drupal-6.13-1.fc9

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-7362 2009-07-03 18:38:42 -------------------------------------------------------------------------------- Name : drupal Product : Fedora 9 Version : 6.13 Release : 1.fc9 URL : http://www.drupal.org Summary : An open-source content-management platform Description : Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. -------------------------------------------------------------------------------- Update Information: Fixes SA-CORE-2009-007 ( https://www.drupal.org/node/507572 ). Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to to run the upgrade script. Multiple vulnerabilities and weaknesses were discovered in Drupal. Cross-site scripting The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS). This issue affects Drupal 6.x only. Input format access bypass User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format. If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code. This issue affects Drupal 6.x only. Password leaked in URL When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer. In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache. This issue affects both Drupal 5.x and Drupal 6.x -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2009 Jon Ciesla - 6.13-1 - Update to 6.11, SA-CORE-2009-007. - Added clarifying text on module installation to readme, BZ 500707. * Thu May 14 2009 Jon Ciesla - 6.12-1 - Update to 6.11, SA-CORE-2009-006. * Thu Apr 30 2009 Jon Ciesla - 6.11-1 - Update to 6.11, SA-CORE-2009-005. * Mon Apr 27 2009 Jon Ciesla - 6.10-2 - Added SELinux/sendmail note to README, BZ 497642. * Thu Feb 26 2009 Jon Ciesla - 6.10-1 - Update to 6.10, SA-CORE-2009-003. * Tue Feb 17 2009 Jon Ciesla - 6.9-2 - Drop pre script for files move, 472642. - Updated drupal-README.fedora. - Mark cron job noreplace, BZ 485567. * Thu Jan 15 2009 Jon Ciesla - 6.9-1 - Upgrade to 6.9, SA-CORE-2009-001. * Fri Jan 2 2009 Jon Ciesla - 6.8-1 - Upgrade to 6.8. - Move files directories from sites to /var/lib/drupal/files/N for selinux reasons, 472642. - Included script to move files outside of default, use at your own risk, patches welcome. * Thu Dec 11 2008 Jon Ciesla - 6.7-1 - Upgrade to 6.7, SA-2008-073. * Wed Oct 22 2008 Jon Ciesla - 6.6-1 - Upgrade to 6.6, SA-2008-067. * Thu Oct 9 2008 Jon Ciesla - 6.5-1 - Upgrade to 6.5, SA-2008-060. - Added notes to README and drupal.conf re CVE-2008-3661. * Thu Aug 14 2008 Jon Ciesla - 6.4-1 - Upgrade to 6.4, SA-2008-047. * Thu Jul 10 2008 Jon Ciesla - 6.3-1 - Upgrade to 6.3, upstream security fixes, SA-2008-044. -------------------------------------------------------------------------------- References: [ 1 ] Bug #500707 - drupal-README.fedora should give hints about where to install modules https://bugzilla.redhat.com/show_bug.cgi?id=500707 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update drupal' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. http://www.redhat.com/mailman/listinfo/fedora-package-announce

Fedora 9 Update: phpMyAdmin-3.2.0.1-1.fc9

Fedora 9 Update: phpMyAdmin-3.2.0.1-1.fc9

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

The first security release for phpMyAdmin 3.2.0: - [security] XSS: Insufficient output sanitizing in bookmarks This version contains a number of small new features and some bug fixes: - [core] better support for vendor customisation (based on what Debian needs) - [rfe] warn when session.gc_maxlifetime is less than cookie validity - [rfe] configurable default charset for import - [rfe] link to InnoDB status when error 150 occurs - [rfe] strip ` from column names on import - [rfe] LeftFrameDBSeparator can be an array - [privileges] Extra back reference when editing table-specific privileges - [display] Sortable database columns - [lang] Wrong string in setup script hints - [cleanup] XHTML cleanup, - [display] Possibility of disabling the sliders - [privileges] Create user for existing database - [privileges] Cleanup - [auth] AllowNoPasswordRoot error message is too vague - [XHTML] View table headers/footers completely - [core] support column name having square brackets - [lang] Lithuanian update - [auth] New setting AllowNoPassword (supercedes AllowNoPasswordRoot) that applies to all accounts (even the anonymous user) - [relation] Missing code with hashing for relationship editing - [rfe] Added option to disable mcrypt warning. - [bug] Request-URI Too Large error from Location header - [rfe] Check for relations support on main page. - [rfe] Explanation for using Host table. - [rfe] Link to download more themes. - [rfe] Add option to generate password on change password page. - [rfe] Allow logging of user status with Apache. - [patch] None default is different than other None in some languages. - [lang] Chinese Simplified update - [display] Sort arrows problem - [security] warn about existence of config directory on main page - [lang] Polish update - [export] Escape new line in CSV export - [patch] Optimizations for PHP loops - [import] SQL_MODE not saved during Partial Import - [auth] cache control missing (PHP-CGI) - [parser] Incorrect parsing of constraints in ALTER TABLE - [status] Server status - replication - [edit] Multi-row change with "]" improved - [rfe] Automatically copy generated password - [interface] Table with name 'log_views' is incorrectly displayed as a view - [patch] Detect mcrypt initialization failure - [lang] Galician update - [lang] Swedish update - [lang] Norwegian update - [lang] Catalan update - [lang] Finnish update - [lang] Hungarian update

Fedora 10 Update: phpMyAdmin-3.2.0.1-1.fc10

Fedora 10 Update: phpMyAdmin-3.2.0.1-1.fc10

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

The first security release for phpMyAdmin 3.2.0: - [security] XSS: Insufficient output sanitizing in bookmarks This version contains a number of small new features and some bug fixes: - [core] better support for vendor customisation (based on what Debian needs) - [rfe] warn when session.gc_maxlifetime is less than cookie validity - [rfe] configurable default charset for import - [rfe] link to InnoDB status when error 150 occurs - [rfe] strip ` from column names on import - [rfe] LeftFrameDBSeparator can be an array - [privileges] Extra back reference when editing table-specific privileges - [display] Sortable database columns - [lang] Wrong string in setup script hints - [cleanup] XHTML cleanup, - [display] Possibility of disabling the sliders - [privileges] Create user for existing database - [privileges] Cleanup - [auth] AllowNoPasswordRoot error message is too vague - [XHTML] View table headers/footers completely - [core] support column name having square brackets - [lang] Lithuanian update - [auth] New setting AllowNoPassword (supercedes AllowNoPasswordRoot) that applies to all accounts (even the anonymous user) - [relation] Missing code with hashing for relationship editing - [rfe] Added option to disable mcrypt warning. - [bug] Request-URI Too Large error from Location header - [rfe] Check for relations support on main page. - [rfe] Explanation for using Host table. - [rfe] Link to download more themes. - [rfe] Add option to generate password on change password page. - [rfe] Allow logging of user status with Apache. - [patch] None default is different than other None in some languages. - [lang] Chinese Simplified update - [display] Sort arrows problem - [security] warn about existence of config directory on main page - [lang] Polish update - [export] Escape new line in CSV export - [patch] Optimizations for PHP loops - [import] SQL_MODE not saved during Partial Import - [auth] cache control missing (PHP-CGI) - [parser] Incorrect parsing of constraints in ALTER TABLE - [status] Server status - replication - [edit] Multi-row change with "]" improved - [rfe] Automatically copy generated password - [interface] Table with name 'log_views' is incorrectly displayed as a view - [patch] Detect mcrypt initialization failure - [lang] Galician update - [lang] Swedish update - [lang] Norwegian update - [lang] Catalan update - [lang] Finnish update - [lang] Hungarian update

Fedora 11 Update: drupal-6.13-1.fc11

Fedora 11 Update: drupal-6.13-1.fc11

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-7315 2009-07-03 18:38:14 -------------------------------------------------------------------------------- Name : drupal Product : Fedora 11 Version : 6.13 Release : 1.fc11 URL : http://www.drupal.org Summary : An open-source content-management platform Description : Equipped with a powerful blend of features, Drupal is a Content Management System written in PHP that can support a variety of websites ranging from personal weblogs to large community-driven websites. Drupal is highly configurable, skinnable, and secure. -------------------------------------------------------------------------------- Update Information: Fixes SA-CORE-2009-007 ( https://www.drupal.org/node/507572 ). Remember to log in to your site as the admin user before upgrading this package. After upgrading the package, browse to to run the upgrade script. Multiple vulnerabilities and weaknesses were discovered in Drupal. Cross-site scripting The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS). This issue affects Drupal 6.x only. Input format access bypass User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format. If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code. This issue affects Drupal 6.x only. Password leaked in URL When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer. In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache. This issue affects both Drupal 5.x and Drupal 6.x -------------------------------------------------------------------------------- ChangeLog: * Thu Jul 2 2009 Jon Ciesla - 6.13-1 - Update to 6.11, SA-CORE-2009-007. - Added clarifying text on module installation to readme, BZ 500707. -------------------------------------------------------------------------------- References: [ 1 ] Bug #500707 - drupal-README.fedora should give hints about where to install modules https://bugzilla.redhat.com/show_bug.cgi?id=500707 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update drupal' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. http://www.redhat.com/mailman/listinfo/fedora-package-announce

Fedora 9 Update: pam_krb5-2.3.5-1.fc9

Fedora 9 Update: pam_krb5-2.3.5-1.fc9

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

This updates the pam_krb5 package from version 2.3.2 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC. It also fixes a bug which prevented password change attempts from working if the KDC denied requests for password-changing credentials with settings which would be used for login credentials, and makes the "-n" option for the "afs5log" command work as advertised.

Fedora 9 Update: deluge-0.5.9.3-2.fc9

Fedora 9 Update: deluge-0.5.9.3-2.fc9

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

This release adds a backported upstream patch to fix a directory traversal vulnerability in the included copy of libtorrent which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent.

Fedora 10 Update: deluge-1.1.9-1.fc10

Fedora 10 Update: deluge-1.1.9-1.fc10

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

Deluge 1.1.9 contains updated translations and fixes for a "move torrent" issue (now only happens when the torrent has data downloaded), a folder renaming bug (renaming a parent folder into multiple folders), and an issue with adding a remote torrent in the WebUI. This update also includes all upstream bug-fixes and enhancements in versions 1.1.7 and 1.1.8 (which were skipped in this package). For a full list of these changes, please see the upstream changelog: https://dev.deluge-torrent.org/wiki/ChangeLog In addition, the included copy of rb_libtorrent has been updated to fix a potential directory traversal vulnerability which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent.

Fedora 9 Update: rb_libtorrent-0.12.1-2.fc9

Fedora 9 Update: rb_libtorrent-0.12.1-2.fc9

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

This release adds an upstream patch to fix a directory traversal vulnerability which would allow a remote attacker to create or overwrite arbitrary files via a ".." (dot dot) and partial relative pathname in a specially-crafted torrent. In addition to this, asio-devel has been added to the dependencies for the rb_libtorrent-devel package - a fix already applied to the Fedora 10, 11, and Development ("Rawhide") packages.

Fedora 10 Update: pam_krb5-2.3.5-1.fc10

Fedora 10 Update: pam_krb5-2.3.5-1.fc10

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

This updates the pam_krb5 package from version 2.3.2 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC. It also fixes a bug which prevented password change attempts from working if the KDC denied requests for password-changing credentials with settings which would be used for login credentials.

Fedora 10 Update: apr-util-1.3.7-1.fc10

Fedora 10 Update: apr-util-1.3.7-1.fc10

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

Update to upstream version 1.3.7, see: http://svn.apache.org/repos/asf/apr/ /apr-util/tags/1.3.7/CHANGES Security fixes: - CVE-2009-0023 Fix underflow in apr_strmatch_precompile. - CVE-2009-1955 Fix a denial of service attack against the apr_xml_* interface using the "billion laughs" entity expansion technique. - CVE-2009-1956 Fix off by one overflow in apr_brigade_vprintf. Note: CVE-2009-1956 is only an issue on big-endian architectures.

Fedora 11 Update: apr-util-1.3.7-1.fc11

Fedora 11 Update: apr-util-1.3.7-1.fc11

data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20100%20100%22%3E%3C/svg%3E

Update to upstream version 1.3.7, see: http://svn.apache.org/repos/asf/apr/ /apr-util/tags/1.3.7/CHANGES Security fixes: - CVE-2009-0023 Fix underflow in apr_strmatch_precompile. - CVE-2009-1955 Fix a denial of service attack against the apr_xml_* interface using the "billion laughs" entity expansion technique. - CVE-2009-1956 Fix off by one overflow in apr_brigade_vprintf. Note: CVE-2009-1956 is only an issue on big-endian architectures.

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved