Markus Petrux discovered a cross-site scripting vulnerability in the
taxonomy module of drupal6, a fully-featured content management
framework. It is also possible that certain browsers using the UTF-7
encoding are vulnerable to a different cross-site scripting
vulnerability.
Read the full story: DSA-1808 drupal6 – insufficient input sanitising: http://www.debian.org/security/2009/dsa-1808
James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
a free library implementing the Simple Authentication and Security Layer,
suffers from a missing null termination in certain situations. This causes
several buffer overflows in situations where cyrus-sasl2 itself requires
the string to be null terminated which can lead to denial of service or
arbitrary code execution.
Read the full story: DSA-1807 cyrus-sasl2, cyrus-sasl2-heimdal – buffer overflow: http://www.debian.org/security/2009/dsa-1807
Matt Murphy discovered that cscope, a source code browsing tool, does not
verify the length of file names sourced in include statements, which may
potentially lead to the execution of arbitrary code through specially
crafted source code files.
Read the full story: DSA-1806 cscope – buffer overflows: http://www.debian.org/security/2009/dsa-1806