Security Bulletin

TYPO3: Security Bulletin

"A Cross-Site-Scripting (XSS) problem has been discovered in indexed search."



Joomla: Upgrade immediately to Joomla! 1.0.11

"Joomla! 1.0.11 [ Sunbird ] is now available as of Monday 28th August 2006 24:00 UTC for download here, and is being designated a Critical Security Release."



Geeklog 1.4.0sr5-1 and 1.3.11sr7-1 bugfix releases

"Last week's security release introduced display problems in the comment preview that we're fixing with the following versions:

Please note that when using the 1.4.0 "combo" update, you will also have to remove some files to fix the security issue with FCKeditor's file manager, as explained in the included README file."

[Geeklog]

Geeklog: Fresh Geeklog Release

"To address the recently posted exploits for insecure installations and for the mcpuk file manager, we are releasing Geeklog 1.4.0sr4.

In this release, we've removed the file manager altogether, so you will no longer be able to upload images through FCKeditor (this will be enabled again when we release Geeklog 1.4.1 with FCKeditor 2.3). We've also added additional protection against code execution in case of insecure installations but suggest that you really protect your Geeklog install properly as explained in the installation instructions and in the FAQ."


Jaws: New Security Release

Jaws 0.6.3 released -

"We are announcing a security release, 0.6.3. This version fixes two major bugs:

  • SQL Injection with queries using LIKE.
  • An XSS bug in a 3rd Party library (magpierss) RssReader uses.

Please feel free to upgrade your version and report any bug you find."

[Jaws]

Mambo: Security Announcement: SQL Injection

Security Announcement: SQL Injection -

"A SQL injection vulnerability has been identified in Mambo versions <= 4.6RC1. Meaning that current production version 4.5.4 as well..."

[MamboServer.org]

CMSReport.com now running Drupal 4.7.2

Just after I upgraded CMS Report from Drupal 4.7.0 to 4.7.1 a couple of days ago, Drupal released 4.7.2. In my mind, the update can be best described as a better fix to the fix. Why did Drupal need to release another security update? The excerpt below from a Drupal Security Advisory gives the reasons why:

Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser under certain common Apache configurations, it will cause the script inside to be executed. We deemed this exploit critical and released Drupal 4.6.7 and 4.7.1 six hours after the report was filed. The fix was to create a .htaccess file to remove /all/ dynamic script handlers, such as PHP, from the "files" directory.

After continuous review, however, we've found that the fix will not work in certain Apache configurations, for example those for whom .htaccess FileInfo overrides are disabled. We are thus releasing 4.6.8 and 4.7.2 with a more robust .htaccess fix, as well as a Drupal core solution to the issue which will work under all configurations.

The latest versions of Drupal can be downloaded at Drupal.org.
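The advisory above describes why a web-server-level fix (a .htaccess file stripping script handlers from the "files" directory) is not enough on its own: when AllowOverride does not grant FileInfo, Apache ignores the .htaccess directives, and mod_mime still treats every dotted suffix of a name such as file.php.pps as a candidate extension. The application-level defence is to make sure no intermediate extension of an uploaded filename can match a script handler. The snippet below is an added example of that idea, not Drupal's own code: it takes an allow list of extensions (an assumption; the list is constructed for the example) and appends an underscore to every intermediate extension not on that list, so file.php.pps is stored as file.php_.pps. The final extension is left to the caller's normal upload allow-list check.

```python
from typing import Iterable, List, Tuple

# Constructed allow list for the example; a real deployment would use the
# extensions it actually accepts for upload (assumption, not Drupal's list).
ALLOWED_EXTENSIONS = {
    "jpg", "jpeg", "gif", "png", "txt", "pdf",
    "doc", "xls", "ppt", "pps", "odt", "ods", "odp",
}


def _split_name(filename: str) -> Tuple[str, List[str]]:
    """Split 'file.php.pps' into ('file', ['php', 'pps'])."""
    base, *exts = filename.split(".")
    return base, exts


def risky_extensions(filename: str,
                     allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> List[str]:
    """Return the intermediate extensions that are not on the allow list.

    Apache's mod_mime evaluates every dotted suffix, so 'php' in
    'file.php.pps' can still select the PHP handler even though the name
    ends in '.pps'. Only the parts between the base name and the final
    extension are reported here; the final extension is the caller's job.
    """
    allowed = {a.lower() for a in allowed}
    _, exts = _split_name(filename)
    return [e for e in exts[:-1] if e.lower() not in allowed]


def munge_filename(filename: str,
                   allowed: Iterable[str] = ALLOWED_EXTENSIONS) -> str:
    """Neutralise intermediate extensions by appending '_' to each one
    that is not on the allow list: 'file.php.pps' -> 'file.php_.pps'.

    Names with fewer than two extensions are returned unchanged, since
    there is no intermediate suffix for mod_mime to pick up.
    """
    allowed = {a.lower() for a in allowed}
    base, exts = _split_name(filename)
    if len(exts) < 2:
        return filename
    middle = [e if e.lower() in allowed else e + "_" for e in exts[:-1]]
    return ".".join([base, *middle, exts[-1]])


if __name__ == "__main__":
    # Constructed sample upload names mirroring the advisory's examples.
    for name in ("file.php.pps", "file.sh.txt", "report.pdf", "photo.jpg.png"):
        print(f"{name:>15} -> {munge_filename(name):<17} risky={risky_extensions(name)}")
```

Checking the uploaded name before it is written to disk, and storing the munged name, removes the dependency on .htaccess being honoured; the .htaccess handler restriction remains worth keeping as a second layer where the server does apply it.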

PunBB 1.2.12

PunBB users will want to note the latest security release for PunBB, version 1.2.12. An excerpt from the notice posted at PunBB:

Just a quick note to announce 1.2.12. This release fixes two XSS vulnerabilities and one minor bug. Due to the security updates, I recommend that everyone update. As usual, you'll find the download on the downloads page.
