From bugzilla at redhat.com Fri Dec 1 04:35:56 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 23:35:56 -0500
Subject: [Bug 213985] CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
In-Reply-To:
Message-ID: <200612010435.kB14Zu4w013542@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213985

------- Additional Comments From dennis at ausil.us 2006-11-30 23:35 EST -------
ping

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Fri Dec 1 12:40:49 2006
Date: Fri, 1 Dec 2006 07:40:49 -0500
Subject: [Bug 217950] CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
Message-ID: <200612011240.kB1CenZE010032@bugzilla.redhat.com>

Summary: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217950

------- Additional Comments From rdieter at math.unl.edu 2006-12-01 07:40 EST -------
OK, though that's contrary to what the devs said on the gpg-dev mailing list, I was planning on upgrading FC-6 to 2.0.1 final asap anyway.
From bugzilla at redhat.com Fri Dec 1 15:02:29 2006
Date: Fri, 1 Dec 2006 10:02:29 -0500
Subject: [Bug 217950] CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
Message-ID: <200612011502.kB1F2TYm022312@bugzilla.redhat.com>

Summary: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217950

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From rdieter at math.unl.edu 2006-12-01 10:02 EST -------
Okey dokie, builds queue'd for remaining vulnerable releases:

FC-6+:
* Wed Nov 29 2006 Rex Dieter 2.0.1-1
- gnupg-2.0.1
- CVE-2006-6169 (bug #217950)

FC-3/4/5:
* Fri Dec 01 2006 Rex Dieter 1.9.22-8
- CVE-2006-6169 (bug #217950)
- --disable-optimization on 64bit archs

From bugzilla at redhat.com Fri Dec 1 15:42:21 2006
Date: Fri, 1 Dec 2006 10:42:21 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612011542.kB1FgLYS026279@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

tibbs at math.uh.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fedora-security-list at redhat.com

------- Additional Comments From tibbs at math.uh.edu 2006-12-01 10:42 EST -------
Note that the koffice release notes include the following:

  KPresenter Import Filter for PowerPoint
  * There is a security issue in the import filter for MS Powerpoint, that is fixed with this release. Every KOffice user should upgrade to 1.6.1 for this reason alone.

so this update has security implications. I can find no CVE at this time.

From bugzilla at redhat.com Fri Dec 1 15:55:07 2006
Date: Fri, 1 Dec 2006 10:55:07 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612011555.kB1Ft7ts027223@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Security

------- Additional Comments From rdieter at math.unl.edu 2006-12-01 10:54 EST -------
yucky, I'm working on the koffice-1.6.1 update, I'll try to expedite things.
From bugzilla at redhat.com Fri Dec 1 16:19:41 2006
Date: Fri, 1 Dec 2006 11:19:41 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612011619.kB1GJf71029257@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

rdieter at math.unl.edu changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
         AssignedTo|andreas.bierfert at lowlatency.de   |rdieter at math.unl.edu
                 CC|                                 |andreas.bierfert at lowlatency.de

From bugzilla at redhat.com Fri Dec 1 19:18:21 2006
Date: Fri, 1 Dec 2006 14:18:21 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612011918.kB1JILsQ011043@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

------- Additional Comments From rdieter at math.unl.edu 2006-12-01 14:18 EST -------
So far, so good, devel(fc7) branch build (almost) done:
http://buildsys.fedoraproject.org/build-status/job.psp?uid=22760
From bugzilla at redhat.com Fri Dec 1 19:53:52 2006
Date: Fri, 1 Dec 2006 14:53:52 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612011953.kB1JrqPm015088@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

Bug 218030 depends on bug 217959, which changed state.

Bug 217959 Summary: x86_64 broken, can't find magick-config_64.h
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217959

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
         Resolution|                            |CURRENTRELEASE
             Status|NEW                         |CLOSED

From bugzilla at redhat.com Fri Dec 1 23:51:41 2006
Date: Fri, 1 Dec 2006 18:51:41 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612012351.kB1NpfQj000889@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

------- Additional Comments From rdieter at math.unl.edu 2006-12-01 18:51 EST -------
Queue'd builds for
  koffice/FC-5 (job id: 22771)
  koffice/FC-6 (job id: 22772)
  koffice-langpacks/devel (job id: 22773)
then shortly after buildsys went awol. ??

Will recheck buildsys status later tonight, or tomorrow morning.

From bugzilla at redhat.com Sun Dec 3 18:22:26 2006
Date: Sun, 3 Dec 2006 13:22:26 -0500
Subject: [Bug 213985] CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
Message-ID: <200612031822.kB3IMQ9x028496@bugzilla.redhat.com>

Summary: CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213985

jwb at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From jwb at redhat.com 2006-12-03 13:22 EST -------
Patches FC-[456], updated devel to 2.0.5

From bugzilla at redhat.com Mon Dec 4 00:17:21 2006
Date: Sun, 3 Dec 2006 19:17:21 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
Message-ID: <200612040017.kB40HLm4010630@bugzilla.redhat.com>

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From deisenst at gtw.net 2006-12-03 19:17 EST -------
Michael,

I have tried to get the newest Seamonkey going for FC4, FC3, but have run into some issues. Have you managed to get it to compile and run for FC4 or FC3? I think it is seamonkey 1.0.6 now....

-David

From bugzilla at redhat.com Mon Dec 4 00:49:27 2006
Date: Sun, 3 Dec 2006 19:49:27 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
Message-ID: <200612040049.kB40nROP011853@bugzilla.redhat.com>

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From michal at harddata.com 2006-12-03 19:49 EST -------
> I have tried to get the newest Seamonkey going for FC4, FC3, but have
> run into some issues.

Hard to comment about unspecified issues. I am not aware of any beyond the disk space needed to recompile that; IIRC something in the 2 Gig range.

> I think it is seamonkey 1.0.6 now....

Correct; for roughly a month now.

I do not have FC4 or FC3 machines around anymore. Recompilation of 1.0.6 on an FC5 system (this requires some minor spec changes, as the nss and nspr libraries are "external" there) is not a problem. I mean here a mozilla replacement, not keeping an obsolete component with the seamonkey-1.0.6 package from "extras" added.

OTOH I do not see what trouble can be caused by a recompilation of current RHEL packages on FC3/4, possibly after small spec tweaks. Also, that seamonkey-1.0.5-0.4.fc4.0.mj.src.rpm I proposed in September most likely needs just a replacement of seamonkey-1.0.5.source.tar.bz2 with seamonkey-1.0.6.source.tar.bz2 and small edits in the spec file, and it should compile (or very nearly so) AFAICT.

From bugzilla at redhat.com Mon Dec 4 17:10:00 2006
Date: Mon, 4 Dec 2006 12:10:00 -0500
Subject: [Bug 215136] CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Message-ID: <200612041710.kB4HA0HG001010@bugzilla.redhat.com>

Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136

michal at harddata.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |high
                 CC|                            |michal at harddata.com

------- Additional Comments From michal at harddata.com 2006-12-04 12:09 EST -------
Mandriva Linux Security Advisory, MDKSA-2006:214-1, says the following:

"The patch used in the previous update still left the possibility of causing X to consume unusual amounts of memory if gv is used to view a carefully crafted image designed to exploit CVE-2006-5864. This update uses an improved patch to address this issue."

For patches see, for example, gv-3.6.1-4.3.20060mdk.src.rpm

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5864

From bugzilla at redhat.com Tue Dec 5 13:39:18 2006
Date: Tue, 5 Dec 2006 08:39:18 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
Message-ID: <200612051339.kB5DdIWf016304@bugzilla.redhat.com>

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From deisenst at gtw.net 2006-12-05 08:39 EST -------
Thanks, Michael! I don't know why I hadn't thought to use your source packages as a baseline! Duh! :) I'll go and do that now. Thanks!

From bugzilla at redhat.com Tue Dec 5 19:42:39 2006
Date: Tue, 5 Dec 2006 14:42:39 -0500
Subject: [Bug 215136] CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Message-ID: <200612051942.kB5Jgdw2016314@bugzilla.redhat.com>

Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136

orion at cora.nwra.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |3.6.2-2

------- Additional Comments From orion at cora.nwra.com 2006-12-05 14:42 EST -------
Thanks for the references. Fixed in 3.6.2-2.

From bugzilla at redhat.com Tue Dec 5 20:26:55 2006
Date: Tue, 5 Dec 2006 15:26:55 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612052026.kB5KQtqK020156@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From rdieter at math.unl.edu 2006-12-05 15:26 EST -------
All done.

From bugzilla at redhat.com Wed Dec 6 12:32:06 2006
Date: Wed, 6 Dec 2006 07:32:06 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612061232.kB6CW6QV013427@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

------- Additional Comments From ville.skytta at iki.fi 2006-12-06 07:32 EST -------
The security issue is CVE-2006-6120. For the record, FC-4 (koffice 1.6.0) is still most likely vulnerable.

From bugzilla at redhat.com Wed Dec 6 14:35:30 2006
Date: Wed, 6 Dec 2006 09:35:30 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612061435.kB6EZUhs021204@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |NEW
           Keywords|                            |Reopened
         Resolution|NEXTRELEASE                 |

------- Additional Comments From rdieter at math.unl.edu 2006-12-06 09:35 EST -------
OK, we can do FC-4 too, reopening...

From bugzilla at redhat.com Wed Dec 6 15:18:48 2006
Date: Wed, 6 Dec 2006 10:18:48 -0500
Subject: [Bug 218030] koffice: update to 1.6.1
Message-ID: <200612061518.kB6FImvU024579@bugzilla.redhat.com>

Summary: koffice: update to 1.6.1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218030

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From rdieter at math.unl.edu 2006-12-06 10:18 EST -------
koffice-1.6.1-1.fc4 build queue'd (job id 23038)

From bugzilla at redhat.com Wed Dec 6 17:39:48 2006
Date: Wed, 6 Dec 2006 12:39:48 -0500
Subject: [Bug 215136] CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Message-ID: <200612061739.kB6HdmiQ005399@bugzilla.redhat.com>

Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136

------- Additional Comments From ville.skytta at iki.fi 2006-12-06 12:39 EST -------
For info for people interested in older distros: the patch has been applied in Extras for FC5+ only, not FC4 at the moment.

From bugzilla at redhat.com Thu Dec 7 18:16:58 2006
Date: Thu, 7 Dec 2006 13:16:58 -0500
Subject: [Bug 218821] New: CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218821

           Summary: CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
           Product: Fedora Extras
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: gnupg2
        AssignedTo: rdieter at math.unl.edu
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org, fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6235

"A "stack overwrite" vulnerability in GnuPG (gpg) before 1.2.1 allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory."

FC6+ seem to be taken care of already, FC-[345] not yet.

From bugzilla at redhat.com Thu Dec 7 18:24:50 2006
Date: Thu, 7 Dec 2006 13:24:50 -0500
Subject: [Bug 218824] New: CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218824

           Summary: CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: denyhosts
        AssignedTo: tibbs at math.uh.edu
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org, fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6301

"DenyHosts 2.5 does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address, which is not properly handled by a regular expression."

Based on version numbers, affects FE-3+ and EPEL-4+.

From bugzilla at redhat.com Thu Dec 7 18:25:39 2006
Date: Thu, 7 Dec 2006 13:25:39 -0500
Subject: [Bug 218821] CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
Message-ID: <200612071825.kB7IPdUl005722@bugzilla.redhat.com>

Summary: CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218821

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |2.0.1-2

------- Additional Comments From rdieter at math.unl.edu 2006-12-07 13:25 EST -------
Right, FC-6+ build pushed yesterday already.

%changelog
* Wed Dec 06 2006 Rex Dieter 2.0.1-2
- CVE-2006-6235 (bug #218821)

Older releases don't include the gpg2 (and friends) binaries, so they aren't (shouldn't be!) affected by this.

From bugzilla at redhat.com Thu Dec 7 20:04:40 2006
Date: Thu, 7 Dec 2006 15:04:40 -0500
Subject: [Bug 218821] CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
Message-ID: <200612072004.kB7K4ekf015755@bugzilla.redhat.com>

Summary: CVE-2006-6235: gnupg2 <= 2.0.1 stack overwrite vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218821

------- Additional Comments From ville.skytta at iki.fi 2006-12-07 15:04 EST -------
Seems so indeed.

From bugzilla at redhat.com Thu Dec 7 20:51:28 2006
Date: Thu, 7 Dec 2006 15:51:28 -0500
Subject: [Bug 218853] New: phpMyAdmin < 2.9.1.1 multiple vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218853

           Summary: phpMyAdmin < 2.9.1.1 multiple vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: phpMyAdmin
        AssignedTo: imlinux at gmail.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org, fedora-security-list at redhat.com

phpMyAdmin 2.9.1.1 contains three security fixes:
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-8
  (also apparently http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6373)
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-9

All FC5+ currently have a pre-2.9.1 snapshot which may be vulnerable.

There's also http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6374 but it's unclear to me whether that is covered by the above or applicable to 2.9.x in the first place.

From bugzilla at redhat.com Thu Dec 7 21:21:46 2006
Date: Thu, 7 Dec 2006 16:21:46 -0500
Subject: [Bug 218824] CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
Message-ID: <200612072121.kB7LLklq022059@bugzilla.redhat.com>

Summary: CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218824

tibbs at math.uh.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From tibbs at math.uh.edu 2006-12-07 16:21 EST -------
Upstream has released DenyHosts 2.6 to correct this issue; currently building for rawhide and if successful will be pushed on all branches later today.

From bugzilla at redhat.com Fri Dec 8 03:44:05 2006
Date: Thu, 7 Dec 2006 22:44:05 -0500
Subject: [Bug 218824] CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
Message-ID: <200612080344.kB83i5GZ013827@bugzilla.redhat.com>

Summary: CVE-2006-6301: denyhosts 2.5 hosts.deny DoS
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218824

tibbs at math.uh.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |2.6-2

------- Additional Comments From tibbs at math.uh.edu 2006-12-07 22:43 EST -------
Updates (package version 2.6-2) pushed for FC-3, FC-4, FC-5, FC-6, EL-4, EL-5 and rawhide.
From bugzilla at redhat.com Fri Dec 8 19:10:34 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 8 Dec 2006 14:10:34 -0500 Subject: [Bug 213983] Plone Needs an Important Security Patch for CVE-2006-4249 In-Reply-To: Message-ID: <200612081910.kB8JAYKP007261@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Plone Needs an Important Security Patch for CVE-2006-4249 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213983 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Plone Needs an Important |Plone Needs an Important |Security Patch |Security Patch for CVE-2006- | |4249 Keywords| |Security CC| |fedora-security- | |list at redhat.com ------- Additional Comments From ville.skytta at iki.fi 2006-12-08 14:10 EST ------- For the record, this is CVE-2006-4249 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Dec 8 19:18:09 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 8 Dec 2006 14:18:09 -0500 Subject: [Bug 213983] Plone Needs an Important Security Patch for CVE-2006-4249 In-Reply-To: Message-ID: <200612081918.kB8JI9vG007794@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Plone Needs an Important Security Patch for CVE-2006-4249 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213983 ------- Additional Comments From jonathansteffan at gmail.com 2006-12-08 14:17 EST ------- Thanks for the added information. 
From bugzilla at redhat.com Fri Dec 8 23:24:30 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 8 Dec 2006 18:24:30 -0500
Subject: [Bug 218853] phpMyAdmin < 2.9.1.1 multiple vulnerabilities
In-Reply-To: 
Message-ID: <200612082324.kB8NOUBf021544@bugzilla.redhat.com>

Summary: phpMyAdmin < 2.9.1.1 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218853

imlinux at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

From bugzilla at redhat.com Sun Dec 10 18:07:38 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 10 Dec 2006 13:07:38 -0500
Subject: [Bug 219095] New: CVE-2006-6406: clamav <= 0.88.6 virus detection bypass
Message-ID: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219095

           Summary: CVE-2006-6406: clamav <= 0.88.6 virus detection bypass
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: clamav
        AssignedTo: enrico.scholz at informatik.tu-chemnitz.de
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6406
"ClamAV 0.88.6 allows remote attackers to bypass virus detection by inserting
invalid characters into base64 encoded content in a multipart/mixed MIME file,
as demonstrated with the EICAR test file."

All FC3+ Extras repos have 0.88.6 at the moment.

From bugzilla at redhat.com Mon Dec 11 14:39:40 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Dec 2006 09:39:40 -0500
Subject: [Bug 218853] phpMyAdmin < 2.9.1.1 multiple vulnerabilities
In-Reply-To: 
Message-ID: <200612111439.kBBEdeve001235@bugzilla.redhat.com>

Summary: phpMyAdmin < 2.9.1.1 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218853

imlinux at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From imlinux at gmail.com  2006-12-11 09:39 EST -------
Updated and now available on the mirrors.
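The ClamAV bypass in bug 219095 above is a parser differential: a scanner that gives up on a base64 part containing bytes outside the alphabet never sees the payload, while the mail client that renders the part simply drops those bytes and decodes the rest. The added example below (not code from ClamAV, the bug report or any Fedora package) puts a strict and a lenient decoder side by side and runs the same constructed signature check through both; the signature string, the "junk" byte and the sample parts are all made up, and the strict/lenient behaviour is a model of the two consumer types, not a reproduction of ClamAV's code.

```python
import base64
import binascii
import re
from typing import Callable, Optional

# Constructed stand-in for a malware signature. It is neither the EICAR string
# nor a real ClamAV signature; the point is only whether the scanner sees it.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

# RFC 2045 base64 alphabet plus the '=' padding character.
NOT_ALPHABET = re.compile(rb"[^A-Za-z0-9+/=]")
LINE_WHITESPACE = re.compile(rb"[ \t\r\n]")


def strict_decode(body: bytes) -> Optional[bytes]:
    """Decode the way a strict scanner does: MIME line breaks and spaces are
    tolerated (bodies are wrapped at 76 columns), but any other foreign byte
    makes the whole part undecodable, so the scanner never sees the payload."""
    try:
        return base64.b64decode(LINE_WHITESPACE.sub(b"", body), validate=True)
    except binascii.Error:
        return None


def lenient_decode(body: bytes) -> bytes:
    """Decode the way a tolerant mail client does: silently discard every
    byte outside the alphabet, repair the padding and decode what is left.
    A scanner has to normalise at least this leniently to see what the
    client will see."""
    cleaned = NOT_ALPHABET.sub(b"", body).rstrip(b"=")
    if len(cleaned) % 4 == 1:          # a dangling sextet can never be data
        cleaned = cleaned[:-1]
    return base64.b64decode(cleaned + b"=" * (-len(cleaned) % 4))


def scan(decoder: Callable[[bytes], Optional[bytes]], body: bytes) -> bool:
    """True if the signature is present in the part as this decoder sees it."""
    decoded = decoder(body)
    return decoded is not None and SIGNATURE in decoded


def mime_wrap(encoded: bytes, width: int = 76) -> bytes:
    """Wrap a base64 string into 76-column CRLF lines, as a MIME part is."""
    return b"\r\n".join(encoded[i:i + width]
                        for i in range(0, len(encoded), width)) + b"\r\n"


def sprinkle(body: bytes, every: int = 7, junk: bytes = b"*") -> bytes:
    """Constructed sample: insert one non-alphabet byte after every few bytes."""
    return b"".join(body[i:i + every] + junk for i in range(0, len(body), every))


# Constructed attachment bodies: a well-formed one and one with junk inserted.
CLEAN_PART = mime_wrap(base64.b64encode(b"benign header " + SIGNATURE + b" trailer"))
NOISY_PART = sprinkle(CLEAN_PART)


def report() -> dict:
    """Compare what each decoder lets the scanner find in each part."""
    return {
        "clean/strict": scan(strict_decode, CLEAN_PART),
        "clean/lenient": scan(lenient_decode, CLEAN_PART),
        "noisy/strict": scan(strict_decode, NOISY_PART),    # the missed detection
        "noisy/lenient": scan(lenient_decode, NOISY_PART),  # what the client decodes
    }


if __name__ == "__main__":
    for case, found in report().items():
        print(f"{case:14s} signature found: {found}")
```

The "noisy/strict" case is the one the CVE describes: the strict decoder returns nothing, so the scanner reports the part clean while the lenient consumer recovers the full content.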
From bugzilla at redhat.com Tue Dec 12 20:09:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 12 Dec 2006 15:09:57 -0500
Subject: [Bug 219095] CVE-2006-6406: clamav <= 0.88.6 virus detection bypass
In-Reply-To: 
Message-ID: <200612122009.kBCK9v1R005649@bugzilla.redhat.com>

Summary: CVE-2006-6406: clamav <= 0.88.6 virus detection bypass
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219095

ville.skytta at iki.fi changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |ERRATA
   Fixed In Version|                            |0.88.7

From bugzilla at redhat.com Wed Dec 13 21:44:37 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Dec 2006 16:44:37 -0500
Subject: [Bug 210825] RSA signature forgery issues in BouncyCastle < 1.34
In-Reply-To: 
Message-ID: <200612132144.kBDLib1m003210@bugzilla.redhat.com>

Summary: RSA signature forgery issues in BouncyCastle < 1.34
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210825

fitzsim at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |RAWHIDE

------- Additional Comments From fitzsim at redhat.com  2006-12-13 16:44 EST -------
I pushed bouncycastle-1.34-2.fc6 and java-1.4.2-gcj-compat-1.4.2.0-40jpp_83rh.4
to final and built bouncycastle-1.34-2.fc7 in Rawhide.  Closing.
From liw at iki.fi Wed Dec 13 17:25:41 2006
From: liw at iki.fi (Lars Wirzenius)
Date: Wed, 13 Dec 2006 19:25:41 +0200
Subject: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
Message-ID: <1166030742.4551.9.camel@dorfl.liw.iki.fi>

Fedora Extras seems to include my Enemies of Carlotta mailing list
manager. I've just made a new release to fix a security problem, so I'd
like to suggest that you update the package. Please see attached message
and
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00336.html

Thanks, and sorry for the mess I created.

-- 
If possible, use code, not comments.
-------------- next part --------------
An embedded message was scrubbed...
From: Lars Wirzenius
Subject: EoC 1.2.4 -- security problem fixed, please upgrade immediately
Date: Wed, 13 Dec 2006 15:48:36 +0200
Size: 5453
URL: 

From paul at city-fan.org Thu Dec 14 12:21:06 2006
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 14 Dec 2006 12:21:06 +0000
Subject: [Fwd: EoC 1.2.4 -- security problem fixed, please upgrade immediately]
In-Reply-To: <1166030742.4551.9.camel@dorfl.liw.iki.fi>
References: <1166030742.4551.9.camel@dorfl.liw.iki.fi>
Message-ID: <458141B2.7010905@city-fan.org>

Lars Wirzenius wrote:
> Fedora Extras seems to include my Enemies of Carlotta mailing list
> manager. I've just made a new release to fix a security problem, so I'd
> like to suggest that you update the package. Please see attached message
> and
> http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00336.html
> 
> Thanks, and sorry for the mess I created.
Fixes for this issue were made in CVS earlier today:

FC-4: http://www.redhat.com/archives/fedora-extras-commits/2006-December/msg01390.html
FC-5: http://www.redhat.com/archives/fedora-extras-commits/2006-December/msg01389.html
FC-6: http://www.redhat.com/archives/fedora-extras-commits/2006-December/msg01388.html
development: http://www.redhat.com/archives/fedora-extras-commits/2006-December/msg01387.html

I expect the resulting updates will appear in the master repository later today.

Paul.

From bugzilla at redhat.com Thu Dec 14 22:02:05 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Dec 2006 17:02:05 -0500
Subject: [Bug 219720] New: CVE-2006-6515: mantis bug reminder threshold issue
Message-ID: 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219720

           Summary: CVE-2006-6515: mantis bug reminder threshold issue
           Product: Fedora Extras
           Version: fc4
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: mantis
        AssignedTo: giallu at gmail.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6515
"Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_threshold to
"reporter" instead of a more privileged role, which has unknown impact and
attack vectors, possibly related to frequency of reminders."

The CVE entry says 1.0.6 is vulnerable, however it looks to me as if it's not,
see the change in revision 1.283.2.1.2.1.2.1.2.2.2.11 at
http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/config_defaults_inc.php?view=log

FC-3 and FC-4 appear to be vulnerable.
From bugzilla at redhat.com Sun Dec 17 09:03:07 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 17 Dec 2006 04:03:07 -0500
Subject: [Bug 219720] CVE-2006-6515: mantis bug reminder threshold issue
In-Reply-To: 
Message-ID: <200612170903.kBH937gF026922@bugzilla.redhat.com>

Summary: CVE-2006-6515: mantis bug reminder threshold issue
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219720

------- Additional Comments From giallu at gmail.com  2006-12-17 04:02 EST -------
AFAICT, 1.0.6 is definitely not affected:
http://www.mantisbugtracker.com/bugs/view.php?id=7543

I should ask on extras-list what I am supposed to do with legacy stuff, I
believe security is important but I can't afford to guarantee updates for 5
branches.

However, the situation could improve if:
http://www.mantisbugtracker.com/bugs/view.php?id=7663
will be done in time for 1.1.0

From bugzilla at redhat.com Sun Dec 17 09:25:12 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 17 Dec 2006 04:25:12 -0500
Subject: [Bug 219937] New: CVE-2006-6574: mantis < 1.1.0a2 information disclosure
Message-ID: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219937

           Summary: CVE-2006-6574: mantis < 1.1.0a2 information disclosure
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: mantis
        AssignedTo: giallu at gmail.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6574
"Mantis before 1.1.0a2 does not implement per-item access control for Issue
History (Bug History), which allows remote attackers to obtain sensitive
information by reading the Change column, as demonstrated by the Change column
of a custom field."

All FE releases are possibly affected.

From bugzilla at redhat.com Sun Dec 17 09:38:19 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 17 Dec 2006 04:38:19 -0500
Subject: [Bug 219938] New: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Message-ID: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938

           Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: proftpd
        AssignedTo: matthias at rpmforge.net
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6563
"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c
in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to
execute arbitrary code via a large reqarglen length value."

All FC-3+ releases possibly affected.

From bugzilla at redhat.com Sun Dec 17 11:54:48 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 17 Dec 2006 06:54:48 -0500
Subject: [Bug 219941] New: Tor < 0.1.1.26 has security problem
Message-ID: 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219941

           Summary: Tor < 0.1.1.26 has security problem
           Product: Fedora Extras
           Version: fc6
          Platform: All
               URL: http://archives.seul.org/or/announce/Dec-2006/msg00000.html
        OS/Version: Linux
            Status: NEW
          Severity: urgent
          Priority: urgent
         Component: tor
        AssignedTo: enrico.scholz at informatik.tu-chemnitz.de
        ReportedBy: roozbeh at farsiweb.info
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Description of problem:
Tor 0.1.1.26 fixes a serious privacy bug for people who use the
HttpProxyAuthenticator config option: Tor would send your proxy auth directly
to the directory server when you're tunnelling directory requests through Tor.
Specifically, this happens when publishing or accessing hidden services, or
when you have set FascistFirewall or ReachableAddresses and you're accessing a
directory server that's not reachable directly.

Version-Release number of selected component (if applicable):
tor-0.1.1.25-1.fc6

From bugzilla at redhat.com Mon Dec 18 08:11:09 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 03:11:09 -0500
Subject: [Bug 219941] Tor < 0.1.1.26 has security problem
In-Reply-To: 
Message-ID: <200612180811.kBI8B9mE030170@bugzilla.redhat.com>
Summary: Tor < 0.1.1.26 has security problem
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219941

enrico.scholz at informatik.tu-chemnitz.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.1.1.26-1

------- Additional Comments From enrico.scholz at informatik.tu-chemnitz.de  2006-12-18 03:10 EST -------
thx; updated to 0.1.1.26

From bugzilla at redhat.com Mon Dec 18 16:18:35 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 11:18:35 -0500
Subject: [Bug 220034] New: CVE-2006-6609, CVE-2006-6610: nexuiz < 2.2.1 vulnerabilities
Message-ID: 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220034

           Summary: CVE-2006-6609, CVE-2006-6610: nexuiz < 2.2.1 vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: nexuiz
        AssignedTo: adrian at lisas.de
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Nexuiz < 2.2.1 is reportedly vulnerable to:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6609 (remote DoS)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6610 (command injection)

Version numbers indicate that all FC4+ distro versions may be vulnerable.
From bugzilla at redhat.com Mon Dec 18 16:33:34 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 11:33:34 -0500
Subject: [Bug 220041] New: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
Message-ID: 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220041

           Summary: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: moodle
        AssignedTo: imlinux at gmail.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6625
Reported against 1.6.1 but an upstream patch which I suppose fixes this is not
applied in 1.6.3:
http://moodle.cvs.sourceforge.net/moodle/moodle/mod/forum/discuss.php?r1=1.65.2.9&r2=1.65.2.10

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6626
Reported against 1.5, too little information available at the moment to say
whether this is an issue with 1.6.3.

All FC4+ distro releases are equally affected (or not).

From bugzilla at redhat.com Mon Dec 18 16:47:29 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 11:47:29 -0500
Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
In-Reply-To: 
Message-ID: <200612181647.kBIGlTgV001953@bugzilla.redhat.com>
Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938

matthias at rpmforge.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From matthias at rpmforge.net  2006-12-18 11:47 EST -------
It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the build...
*sigh*

I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.

From bugzilla at redhat.com Mon Dec 18 19:32:47 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 14:32:47 -0500
Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
In-Reply-To: 
Message-ID: <200612181932.kBIJWl1J016178@bugzilla.redhat.com>
Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938

------- Additional Comments From kaboom at oobleck.net  2006-12-18 14:32 EST -------
1.3.1rc1 builds for me on fc6

Configured as

./configure --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run \
  --enable-ctrls --enable-facl --enable-dso --enable-ipv6 \
  --with-libraries=/usr/lib/mysql --with-includes=/usr/include/mysql \
  --with-modules=mod_readme:mod_auth_pam:mod_tls \
  --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql

(same as fe6 rpm, built on ia32)

That's using the stock upstream code, I haven't added the shipped patches
yet....

From bugzilla at redhat.com Mon Dec 18 21:37:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Dec 2006 16:37:57 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
In-Reply-To: 
Message-ID: <200612182137.kBILbvYV026280@bugzilla.redhat.com>

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From deisenst at gtw.net  2006-12-18 16:37 EST -------
Although the Legacy project is supposed to be shutting down, I thought I would
try to get Seamonkey going as a Mozilla replacement at least for our FC4
users.

There are build problems. Although much of the build seems to go okay, it
gets hung up on a linking step while compiling for the x86_64 architecture.
It might compile for the i386 arch, but it doesn't get that far in
mock/plague; evidently plague's deciding to abort any other builds in process
if one arch it's building for fails.

The error that it reports is:

> c++ -I/usr/X11R6/include -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-long -pedantic -g -fshort-wchar -pthread -pipe -DNDEBUG -DTRIMMED -O2 -fPIC -shared -Wl,-h -Wl,libmozz.so -o libmozz.so adler32.o compress.o crc32.o deflate.o gzio.o infback.o inffast.o inflate.o inftrees.o trees.o uncompr.o zutil.o -ldl -lm
> /usr/bin/ld: deflate.o: relocation R_X86_64_PC32 against `memcpy@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
> /usr/bin/ld: final link failed: Bad value
> collect2: ld returned 1 exit status
> gmake[2]: *** [libmozz.so] Error 1

More of the log file is available here:
http://turbosphere.fedoralegacy.org/logs/fedora-4-core/188-seamonkey-1.0.6-0.4.fc4.legacy/x86_64/build.log

and the .src.rpm is here:
http://turbosphere.fedoralegacy.org/logs/fedora-4-core/188-seamonkey-1.0.6-0.4.fc4.legacy/seamonkey-1.0.6-0.4.fc4.legacy.src.rpm

Anyone have any clues?

-David

From bugzilla at redhat.com Tue Dec 19 17:47:30 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 19 Dec 2006 12:47:30 -0500
Subject: [Bug 220034] CVE-2006-6609, CVE-2006-6610: nexuiz < 2.2.1 vulnerabilities
In-Reply-To: 
Message-ID: <200612191747.kBJHlT2K007733@bugzilla.redhat.com>
Summary: CVE-2006-6609, CVE-2006-6610: nexuiz < 2.2.1 vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220034

adrian at lisas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From adrian at lisas.de  2006-12-19 12:47 EST -------
Updated FC4+ to 2.2.1.

From bhiksha at merl.com Wed Dec 20 05:05:51 2006
From: bhiksha at merl.com (bhiksha)
Date: Wed, 20 Dec 2006 00:05:51 -0500
Subject: Machine compromised
Message-ID: <4588C4AF.3070807@merl.com>

Hi,

I've installed FC5 on my machine. In the past month, when I was away, some
hackers (who seem to come in from machines in canada, croatia, italy, and
aol) ran a dictionary attack on my machine, and managed to break into an
account called "backup". I'm not sure if "backup" was a valid account in the
first place -- the logs show that the hackers failed to login to backup
twice, and then successfully logged in ever after.

It's easy to make out that it's a classic dictionary attack -- they've tried
about a hundred userids, and attempted to login several thousand times. They
tried "backup" thrice and managed to get in.

I'm particularly concerned that either
a. Backup is not a standard account and they managed to create it
   nevertheless
or
b. They managed to login to a standard installation account, which should
   really have had /bin/false as shell and should not have been
   log-into-able.

Pls. advise. I'm trying to ensure this doesn't happen again.

In the meantime, I've written to the postmaster at aol about the hacker.
Thanks
Bhiksha

From mattdm at mattdm.org Wed Dec 20 05:46:34 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Wed, 20 Dec 2006 00:46:34 -0500
Subject: Machine compromised
In-Reply-To: <4588C4AF.3070807@merl.com>
References: <4588C4AF.3070807@merl.com>
Message-ID: <20061220054634.GA17635@jadzia.bu.edu>

On Wed, Dec 20, 2006 at 12:05:51AM -0500, bhiksha wrote:
> I'm particularly concerned that either
> a. Backup is not a standard account and they managed to create it
> nevertheless

"backup" is not a standard account. After they compromised the machine, they
created it, in the hopes that such a generic name might be overlooked in
process listings and the password file.

-- 
Matthew Miller           mattdm at mattdm.org
Boston University Linux      ------>

From tibbs at math.uh.edu Wed Dec 20 05:50:20 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 19 Dec 2006 23:50:20 -0600
Subject: Machine compromised
In-Reply-To: <4588C4AF.3070807@merl.com>
References: <4588C4AF.3070807@merl.com>
Message-ID: 

>>>>> "b" == bhiksha  writes:

b> I'm not sure if "backup" was a valid account in the first place --

I have no such account on any of my machines, so it's certainly not there by
default.  However, it's possible that some package you installed created
that account.  I can't think of any package that might have done so; the
BackupPC package in extras adds a "backuppc" account, but it's created
disabled and with /sbin/nologin as the shell.

b> It's easy to make out that it's a classic dictionary attack --
b> they've tried about a hundred userids, and attempted to login
b> several thousand times. They tried "backup" thrice and managed to
b> get in.

Well, if you expose port 22 to the Internet, you will find that there are
hosts which constantly attempt dictionary attacks against you.  You should
install something like denyhosts if you want to have them automatically
blocked.  There are, however, many out there who just treat this as nothing
more than noise in their logs.
You should of course not leave your machine running and certainly not
connected to the Internet; it should be wiped and reinstalled.  If you want
to do forensics, pull the drive first.  There's no telling how many
backdoors or malicious bits were installed.

 - J<

From bhiksha at merl.com Wed Dec 20 06:28:48 2006
From: bhiksha at merl.com (bhiksha)
Date: Wed, 20 Dec 2006 01:28:48 -0500
Subject: Machine compromised
In-Reply-To: 
References: <4588C4AF.3070807@merl.com> <4588D0B0.4090708@merl.com>
Message-ID: <4588D820.4020102@merl.com>

Jason L Tibbitts III wrote:

>I'm not sure why you replied off-list; you lose the benefit of other
>insights into the discussion.
>
Sorry, I didn't realize I'd done that. I just hit a "reply".
I'm certainly getting a lot of useful advice from the group.

>>>>>>"b" == bhiksha  writes:
>
>b> I'm still curious about how an account called "backup" belonging to
>b> uid 0 came to be!
>
>I can say with absolute certainty that a hacker put it there, which
>means that they found some other way into your system.  Are you
>absolutely sure that you were keeping up with all of the security
>updates?  Did you have the firewall on?  Obviously you had at least
>one port open (22); there have been security issues in openssh
>although I don't recall that any of them were remotely exploitable.
>What other services were you running?
>
>b> I just hope the hackers are not taking advantage of some intrinsic
>b> hole in FC5.
>
>Rest assured that if there were a significant unpatched vulnerability,
>yours wouldn't be the only compromised machine.  But there are many
>available servers in Fedora, and there have been many security
>updates.  And of course there is plenty of software available outside
>of Fedora that could present security issues.
>
I have iptables on. I also have a firewall box that only lets in ports
22 and 80.
I left port 22 open to allow me to ssh in from outside, and I have
tried to keep abreast of the updates.
I'm not sure what happened exactly, but I'm taking the suggested
precaution of simply cleaning out the machine and reinstalling.

Thanks much
Bhiksha

> - J<
>

From bhiksha at merl.com Wed Dec 20 07:03:55 2006
From: bhiksha at merl.com (bhiksha)
Date: Wed, 20 Dec 2006 02:03:55 -0500
Subject: Machine compromised
In-Reply-To: <4588D820.4020102@merl.com>
References: <4588C4AF.3070807@merl.com> <4588D0B0.4090708@merl.com>
	<4588D820.4020102@merl.com>
Message-ID: <4588E05B.2060602@merl.com>

A-ha!

It appears that the user "backup" was created on the day I actually
installed FC5 on my box (back on September 4), and the user who created the
account was root, who logged in from an adjacent windows box, which,
presumably, was compromised on that date (it's protected with Norton AV, so
I expect this happened before liveupdate got the fix for that particular
bug..).

The PC that the hacker logged in from belongs to my wife who was logged in
at that time. Interestingly, whoever had also tried using her userid (on
the PC) on my linux box, although she didn't have an account on it till
more than a month later! I sshed into the linux box from her machine for
something or the other, and they probably read the keystrokes (my linux box
had no monitor initially, and after borrowing my wife's monitor for the
initial install I returned it to her and simply sshed in from her machine
to mess around).

I confess I was somewhat sloppy during the installation since the machine
was not directly connected to the net (it was however connected to a
linksys box that the windows box was also connected to. Port forwarding was
turned off and I felt unwisely safe). I changed the root password
immediately after installation, before forwarding port 22 to it; this might
explain why the subsequent dictionary attacks on root failed.

It appears the hacker also attempted a few dictionary attacks on that day
for other userids, but did not succeed.
Trust a windows box (and a careless user) to be at the bottom of it all
eventually :-)

I do have a new monitor, so my reinstallation should be safe :-)

-Bhiksha

bhiksha wrote:

> Jason L Tibbitts III wrote:
>
>> I'm not sure why you replied off-list; you lose the benefit of other
>> insights into the discussion.
>>
> Sorry, I didn't realize I'd done that. I just hit a "reply".
> I'm certainly getting a lot of useful advice from the group.
>
>>>>>>> "b" == bhiksha  writes:
>>
>> b> I'm still curious about how an account called "backup" belonging to
>> b> uid 0 came to be!
>>
>> I can say with absolute certainty that a hacker put it there, which
>> means that they found some other way into your system.  Are you
>> absolutely sure that you were keeping up with all of the security
>> updates?  Did you have the firewall on?  Obviously you had at least
>> one port open (22); there have been security issues in openssh
>> although I don't recall that any of them were remotely exploitable.
>> What other services were you running?
>>
>> b> I just hope the hackers are not taking advantage of some intrinsic
>> b> hole in FC5.
>>
>> Rest assured that if there were a significant unpatched vulnerability,
>> yours wouldn't be the only compromised machine.  But there are many
>> available servers in Fedora, and there have been many security
>> updates.  And of course there is plenty of software available outside
>> of Fedora that could present security issues.
>>
> I have iptables on. I also have a firewall box that only lets in ports
> 22 and 80.
> I left port 22 open to allow me to ssh in from outside, and I have
> tried to keep
> abreast of the updates.
> I'm not sure what happened exactly, but I'm taking the suggested
> precaution of simply
> cleaning out the machine and reinstalling.
>
> Thanks much
> Bhiksha
>
>> - J<
>>
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list

From bhiksha at merl.com Wed Dec 20 13:28:29 2006
From: bhiksha at merl.com (bhiksha)
Date: Wed, 20 Dec 2006 08:28:29 -0500
Subject: Machine compromised
In-Reply-To: <824a5f7a0612200527m439d7549m3f426367f7b45bb8@mail.gmail.com>
References: <4588C4AF.3070807@merl.com> <4588D0B0.4090708@merl.com> <4588D820.4020102@merl.com> <4588E05B.2060602@merl.com> <824a5f7a0612200527m439d7549m3f426367f7b45bb8@mail.gmail.com>
Message-ID: <45893A7D.4010301@merl.com>

That's a very good idea. Thanks much!

-Bhiksha

Calvin Dodge wrote:
> On 12/20/06, bhiksha wrote:
>
>> > I have iptables on. I also have a firewall box that only lets in ports
>> > 22 and 80.
>> > I left port 22 open to allow me to ssh in from outside, and I have
>> > tried to keep
>> > abreast of the updates.
>
> If you change SSH to use a non-standard port (i.e., NOT 22), that
> protects you from the random bot probes for that service
> (/etc/ssh/sshd_config, "Port")
>
> Calvin

From bugzilla at redhat.com Wed Dec 20 14:38:30 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Dec 2006 09:38:30 -0500
Subject: [Bug 220041] CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
In-Reply-To:
Message-ID: <200612201438.kBKEcU9n027706@bugzilla.redhat.com>
Summary: CVE-2006-6625, CVE-2006-6626: moodle XSS vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220041

imlinux at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

From bugzilla at redhat.com Thu Dec 21 21:25:53 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 21 Dec 2006 16:25:53 -0500
Subject: [Bug 220516] New: seamonkey < 1.0.7 multiple vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220516

           Summary: seamonkey < 1.0.7 multiple vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: high
          Priority: high
         Component: seamonkey
        AssignedTo: kengert at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: fedora-security-list at redhat.com

Vulnerabilities reported against seamonkey < 1.0.7:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6505

All FE4+ releases have < 1.0.7 at the moment.
By the way, seamonkey's CVS and package repository availability needs fixing: the FC-5 branch in Extras CVS has been marked as dead with a comment that seamonkey will be imported as a FC-5 (Core) update, but there's no such Core update and the packages are in the Extras FC-5 repository.

From bugzilla at redhat.com Sat Dec 23 22:55:11 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 23 Dec 2006 17:55:11 -0500
Subject: [Bug 220516] seamonkey < 1.0.7 multiple vulnerabilities
In-Reply-To:
Message-ID: <200612232255.kBNMtBGa021080@bugzilla.redhat.com>

Summary: seamonkey < 1.0.7 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220516

kengert at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
                 CC|                            |caillon at redhat.com,
                   |                            |stransky at redhat.com
   Fixed In Version|                            |seamonkey-1.0.7-0.6.fc6

------- Additional Comments From kengert at redhat.com 2006-12-23 17:54 EST -------
Built seamonkey-1.0.7-0.6.fc6 for FC6 and seamonkey-1.0.7-1.fc7 for Rawhide.
Regarding FC5 see also the comments in bug 219365.
From bugzilla at redhat.com Sun Dec 24 02:41:46 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 23 Dec 2006 21:41:46 -0500
Subject: [Bug 194511] CVE-2006-2894 arbitrary file read vulnerability
In-Reply-To:
Message-ID: <200612240241.kBO2fkv0023915@bugzilla.redhat.com>

Summary: CVE-2006-2894 arbitrary file read vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194511

------- Additional Comments From tibbs at math.uh.edu 2006-12-23 21:41 EST -------
Does anyone know if this has been fixed in the interim?

From bugzilla at redhat.com Sat Dec 30 13:30:25 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 30 Dec 2006 08:30:25 -0500
Subject: [Bug 221023] New: CVE-2006-6808: wordpress 2.0.5 XSS vulnerability
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221023

           Summary: CVE-2006-6808: wordpress 2.0.5 XSS vulnerability
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: high
          Priority: normal
         Component: wordpress
        AssignedTo: jwb at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6808
"Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter."

All FE4+ releases affected. This is supposedly fixed in 2.0.6, but it looks like it hasn't been released yet.
Patch at http://trac.wordpress.org/changeset/4665

From mohsen_basirat at yahoo.com Sun Dec 31 11:02:34 2006
From: mohsen_basirat at yahoo.com (Mohsen Basirat)
Date: Sun, 31 Dec 2006 03:02:34 -0800 (PST)
Subject: password Migration
Message-ID: <20061231110234.43144.qmail@web33014.mail.mud.yahoo.com>

Dear all

I have a Debian machine with more than 3000 users and I have to change it to a Fedora Core 4 machine and migrate usernames and passwords. I used MD5 passwords on both systems, but the password hash generated in Fedora is different from Debian and I don't know why. Please advise me with your comments.

Regards

Mohsen basirat
www.basirat.com

From kevin at tummy.com Sun Dec 31 18:37:32 2006
From: kevin at tummy.com (Kevin Fenzi)
Date: Sun, 31 Dec 2006 11:37:32 -0700
Subject: password Migration
In-Reply-To: <20061231110234.43144.qmail@web33014.mail.mud.yahoo.com>
References: <20061231110234.43144.qmail@web33014.mail.mud.yahoo.com>
Message-ID: <20061231113732.3ed45851@ningauble.scrye.com>

On Sun, 31 Dec 2006 03:02:34 -0800 (PST)
Mohsen Basirat wrote:

> Dear all
> I have a Debian machine with more than 3000 users and I
> have to change it to a Fedora Core 4 machine

Note that Fedora Core 4 is no longer maintained for security updates and the like. Perhaps you should move to Fedora Core 6?

> and migrate
> usernames and passwords. I used MD5 passwords on both
> systems, but the password hash generated in Fedora is
> different from Debian and I don't know why. Please
> advise me with your comments.

Different in what way? I think they should both be using the same md5 setup from the shadow-utils package, so they should be compatible.
They might look different if you re-encrypt the password, as they will use different salt values and so forth, but they should work, I would think.

> Regards
>
> Mohsen basirat
> www.basirat.com

kevin