From bugzilla at redhat.com Mon Jul 3 17:11:36 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 3 Jul 2006 13:11:36 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200607031711.k63HBapS026687@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From matthias at rpmforge.net 2006-07-03 13:03 EST ------- I've just had another look at these htpasswd.c files, and the one from apache 2.x would add a requirement on apr, and the one from apache 1.3.x would add a build requirement on apache-devel and possibly a runtime requirement on apache too! Not to mention the license, which might change the entire package's license since thttpd is BSD licensed, whereas Apache has its own (would have to look into the details, though). I really don't know if/when we can expect a new version of thttpd, and the developer has apparently already acknowledged the issue and possibly worked on it. My current choice would be between : - Not doing anything, since by default no one should be affected... but if someone runs htpasswd from their web server, they might be. - Removing the htpasswd utility from the thttpd package for now. And let people who needs to generate htpasswds use an online version of the binary from an apache httpd installation. Any preference? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 3 17:44:16 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 3 Jul 2006 13:44:16 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200607031744.k63HiGla027602@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From ville.skytta at iki.fi 2006-07-03 13:35 EST ------- One more thing to look into: the Debian testing security team has marked both these CVE's fixed in their 2.23beta1-2.4, perhaps a patch could be "borrowed" from there: http://svn.debian.org/wsvn/secure-testing/data/CVE/list?op=file&rev=0&sc=0 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253816 http://ftp.debian.org/debian/pool/main/t/thttpd/thttpd_2.23beta1-4.diff.gz -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 3 18:01:48 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 3 Jul 2006 14:01:48 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200607031801.k63I1mGB028023@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 ------- Additional Comments From matthias at rpmforge.net 2006-07-03 13:53 EST ------- Indeed, there are lots of nice fixes in that Debian patch! I'll merge all the relevant bits ASAP, as some might not be needed since we ship 2.25b. Thanks Ville for the pointers ;-) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From ville.skytta at iki.fi Mon Jul 3 18:29:21 2006 From: ville.skytta at iki.fi (Ville =?ISO-8859-1?Q?Skytt=E4?=) Date: Mon, 03 Jul 2006 21:29:21 +0300 Subject: Team member focus areas and competences Message-ID: <1151951361.2728.16.camel@localhost.localdomain> In context of the issues regarding the security team raised in https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00005.html , I thought it would be a good idea to find out what security related interests and expertise do individual security team members currently have. This would help in forming a picture of what the security team is collectively potentially capable of etc, and perhaps give advance hints to questions like "can security team do X" (such as the issue with EOL'd FE releases above which we should answer ASAP). I added mine to Wiki, others, go ahead and add yours if you think this would be useful: http://fedoraproject.org/wiki/Security/ResponseTeam From bugzilla at redhat.com Tue Jul 4 11:25:20 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 4 Jul 2006 07:25:20 -0400 Subject: [Bug 191095] multiple vulnerabilities in thttpds htpasswd utility In-Reply-To: Message-ID: <200607041125.k64BPKS4020848@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: multiple vulnerabilities in thttpds htpasswd utility https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191095 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |RAWHIDE ------- Additional Comments From matthias at rpmforge.net 2006-07-04 07:16 EST ------- I've included the fixes to makeweb and htpasswd, which is now renamed thtpasswd instead of htpasswd.thttpd too. I've tested both quickly, but will double check the devel build, then push the changes to FC-4 and FC-5 too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Jul 7 22:48:56 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 7 Jul 2006 18:48:56 -0400 Subject: [Bug 194511] CVE-2006-2894 arbitrary file read vulnerability In-Reply-To: Message-ID: <200607072248.k67Mmub6026008@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2894 arbitrary file read vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194511 bugs.michael at gmx.net changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |187071 nThis| | -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 9 18:59:28 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 9 Jul 2006 14:59:28 -0400 Subject: [Bug 198106] New: CVE-2006-3458: Zope local information disclosure Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 Summary: CVE-2006-3458: Zope local information disclosure Product: Fedora Extras Version: fc5 Platform: All URL: http://www.zope.org/Products/Zope/Hotfix-2006-07- 05/Hotfix-20060705/README.txt OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: zope AssignedTo: gauret at free.fr ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com Unspecified vulnerability in Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) allows local users to obtain sensitive information via unknown attack vectors related to the docutils module and "restructured text". http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3458 http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt Based on the version numbers, all FC-3+ appear to be vulnerable. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 9 19:03:40 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 9 Jul 2006 15:03:40 -0400 Subject: [Bug 198107] New: CVE-2006-3390: Wordpress information disclosure Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198107 Summary: CVE-2006-3390: Wordpress information disclosure Product: Fedora Extras Version: fc5 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3390 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: wordpress AssignedTo: jwb at redhat.com ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3390 This sounds to me like a "not an issue, installation paths are not a secret in Fedora", but a confirmation from someone familiar with Wordpress would be nice. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 9 19:09:38 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 9 Jul 2006 15:09:38 -0400 Subject: [Bug 198108] New: CVE-NOID: Multiple stack/heap overflow vulnerabilities in adplug Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 Summary: CVE-NOID: Multiple stack/heap overflow vulnerabilities in adplug Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: adplug AssignedTo: triad at df.lth.se ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com Adplug <= 2.0 and CVS <= 2006-07-04 is reportedly affected by various heap and stack overflow vulnerabilities. No CVE id Yet. http://seclists.org/lists/bugtraq/2006/Jul/0071.html -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 9 19:22:24 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 9 Jul 2006 15:22:24 -0400 Subject: [Bug 198107] CVE-2006-3390: Wordpress information disclosure In-Reply-To: Message-ID: <200607091922.k69JMO2a023043@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3390: Wordpress information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198107 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Flag| |needinfo? ------- Additional Comments From jwb at redhat.com 2006-07-09 15:13 EST ------- Not only are installation paths not secret, but there dosn't seem to be any true information leak: http://www.securityfocus.com/archive/1/439031/100/0/threaded If there are no objections within a few days to a week, I'll close this NOTBUG at that time. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Jul 12 11:17:18 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 12 Jul 2006 07:17:18 -0400 Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure In-Reply-To: Message-ID: <200607121117.k6CBHI64018732@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3458: Zope local information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 gauret at free.fr changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From gauret at free.fr 2006-07-12 07:08 EST ------- Hotfix added and published from FC-3 to rawhide, thanks -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bressers at redhat.com Wed Jul 12 17:49:42 2006 From: bressers at redhat.com (Josh Bressers) Date: Wed, 12 Jul 2006 13:49:42 -0400 Subject: Security bug fix in monotone In-Reply-To: Your message of "Wed, 12 Jul 2006 11:15:40 EDT." <1152717340.28052.69.camel@vmx.eros-os.org> Message-ID: <200607121749.k6CHngic020314@devserv.devel.redhat.com> The below message was sent to secalert at redhat.com. I'm sending this to the fedora security team mailing list. -- JB > I've just filed a bug report against "monotone" in Fedora Extras: > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198652 > > The request is to update to v0.27 of monotone, because 0.27 fixes a > security bug. In 0.26, passphrases were sometimes written to the > monotone log file. In 0.27 this has been repaired. > > The only work necessary (that I know about) is to package 0.27 for > extras. I would volunteer to do it, but I'm about to go traveling and > will be off the air for about two weeks. > > > shap > From tibbs at math.uh.edu Wed Jul 12 18:22:33 2006 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: Wed, 12 Jul 2006 13:22:33 -0500 Subject: Security bug fix in monotone In-Reply-To: <200607121749.k6CHngic020314@devserv.devel.redhat.com> (Josh Bressers's message of "Wed, 12 Jul 2006 13:49:42 -0400") References: <200607121749.k6CHngic020314@devserv.devel.redhat.com> Message-ID: >>>>> "JB" == Josh Bressers writes: >> The only work necessary (that I know about) is to package 0.27 for >> extras. This is already done; the builds were completed ten hours ago. - J< From secalert at redhat.com Wed Jul 12 17:47:55 2006 From: secalert at redhat.com (Red Hat Security Response Team) Date: Wed, 12 Jul 2006 13:47:55 -0400 Subject: [engineering.redhat.com #2862] Security bug fix in monotone In-Reply-To: <1152717340.28052.69.camel@vmx.eros-os.org> References: <1152717340.28052.69.camel@vmx.eros-os.org> Message-ID: I'm kicking this over to the fedora security team From bugzilla at redhat.com Wed Jul 12 18:53:22 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 12 Jul 2006 14:53:22 -0400 Subject: [Bug 198652] Please pull v0.27 In-Reply-To: Message-ID: <200607121853.k6CIrM8O020559@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Please pull v0.27 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198652 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-security- | |list at redhat.com ------- Additional Comments From ville.skytta at iki.fi 2006-07-12 14:44 EST ------- The FC5 build which succeeded is on its way to the repository at the moment, but the FC4 and devel builds seem to have failed: http://buildsys.fedoraproject.org/build-status/job.psp?uid=12485 http://buildsys.fedoraproject.org/build-status/job.psp?uid=12488 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora at m7info.com.br Thu Jul 13 14:19:09 2006 From: fedora at m7info.com.br (fedora at m7info.com.br) Date: Thu, 13 Jul 2006 11:19:09 -0300 Subject: Password - Fedora Core 3 Message-ID: <1152800349.44b6565d4af1d@mail.lean.org.br> Hello all, Fedora core 3 (with all updates until Jul/12/2006) has a problem with lenght of password Any char (of password) after 08th (eighth), doesn?t make difference This was not happen in Core 2 or Core 1 All right ... Core 3 is not in production ... I know ... But it is a serious problem, and could be fix thanks From smooge at gmail.com Thu Jul 13 15:36:16 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Thu, 13 Jul 2006 09:36:16 -0600 Subject: Password - Fedora Core 3 In-Reply-To: <1152800349.44b6565d4af1d@mail.lean.org.br> References: <1152800349.44b6565d4af1d@mail.lean.org.br> Message-ID: <80d7e4090607130836k11cf2f52ja463b4f4f365a25d@mail.gmail.com> On 7/13/06, fedora at m7info.com.br wrote: > > > Hello all, > > > > Fedora core 3 (with all updates until Jul/12/2006) > has a problem with lenght of password > In most cases this is because the user has selected to not use md5sum in authconfig. THis defaults to DES-HASH which only stores 8 characters. You need to use authconfig and turn on Use MD5sum and then have users recreate their passwords. -- Stephen J Smoogen. CSIRT/Linux System Administrator From bugzilla at redhat.com Fri Jul 14 19:13:38 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 14 Jul 2006 15:13:38 -0400 Subject: [Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug In-Reply-To: Message-ID: <200607141913.k6EJDck5008911@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|CVE-NOID: Multiple |CVE-2006-3581, CVE-2006- |stack/heap overflow |3582: Multiple stack/heap |vulnerabilities in adplug |overflow vulnerabilities in | |adplug ------- Additional Comments From ville.skytta at iki.fi 2006-07-14 15:04 EST ------- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3581 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3582 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From abc.bhaskar at gmail.com Wed Jul 19 11:45:42 2006 From: abc.bhaskar at gmail.com (Bhaskar) Date: Wed, 19 Jul 2006 17:15:42 +0530 Subject: Implementing Security Policies In-Reply-To: References: <80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com> <80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com> <80d7e4090606230944k47643f16l3b1883f33497c1ba@mail.gmail.com> <80d7e4090606270901r121b77a1s2de49dedab6028cb@mail.gmail.com> Message-ID: Dear Steven, I am the one who confirmed about the implementation of the Linux Security Policies. I did my homework on PAM, SELinux, shell scripting and came to conclusion of writing shell scripts for implementing those policies. As I mentioned in my previous thread, my policies are from the custom server and include enabling/disabling ftp, rlogin, rsh, telnet to particular user. Here whenever the user logs into the system, my script would get executed and the permissions are setted accordingly. In the scripts, I am changing the group of the executables and setting the permissions using the chmod command. The point that I want to confirm with you is that changing the permissions like this for every user as soon as he logs into the system is feasible or not. Regards, Bhaskar. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bugzilla at redhat.com Wed Jul 19 15:49:24 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 19 Jul 2006 11:49:24 -0400 Subject: [Bug 199432] New: nant: arbitrary command execution due to buildroot remainders Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199432 Summary: nant: arbitrary command execution due to buildroot remainders Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: nant AssignedTo: paul at all-the-johnsons.co.uk ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com See bug 193957 comment 17 (and a potential fix in comment 16 there): /usr/bin/nant from nant-0.85-5.fc6 tries to execute NAnt.exe from a path containing the build root, ie. /var/tmp/... which is world writable, resulting in arbitrary command execution vulnerability. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From smooge at gmail.com Wed Jul 19 15:49:40 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Wed, 19 Jul 2006 09:49:40 -0600 Subject: Implementing Security Policies In-Reply-To: References: <80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com> <80d7e4090606230944k47643f16l3b1883f33497c1ba@mail.gmail.com> <80d7e4090606270901r121b77a1s2de49dedab6028cb@mail.gmail.com> Message-ID: <80d7e4090607190849k6d4c0c71m1ecdc0c0256bfe20@mail.gmail.com> On 7/19/06, Bhaskar wrote: > > Dear Steven, > > I am the one who confirmed about the implementation of the Linux Security > Policies. > > I did my homework on PAM, SELinux, shell scripting and came to conclusion of > writing shell scripts for implementing those policies. > > As I mentioned in my previous thread, my policies are from the custom server > and include enabling/disabling ftp, rlogin, rsh, telnet to particular user. > > Here whenever the user logs into the system, my script would get executed > and the permissions are setted accordingly. > > In the scripts, I am changing the group of the executables and setting the > permissions using the chmod command. > > The point that I want to confirm with you is that changing the permissions > like this for every user as soon as he logs into the system is feasible or > not. > It is racy. A person knowing what they are doing could break out of the startups before they are executed (eg control C logging in can cause the .bash_profile etc not to be executed in some cases). An old solution would be to create an everyone-else group: Group goodguys would have every good user in it (up to the limit of number of people in a group ) You would set the executables you are worried about to being 0550 or equivalent and that they had the group goodguys. This would mean that permissions arent being changed on log-in but are always set. Problems are that it doesnt stop bad-user from doing something like uploading a working ftp/scp/telnet client into their home account and using that versus the global executable. The only fix to that is setting an selinux policy for the user where he can't open ports etc from non-allowed programs. > Regards, > > Bhaskar. > > -- Stephen J Smoogen. CSIRT/Linux System Administrator From bugzilla at redhat.com Thu Jul 20 12:23:30 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 20 Jul 2006 08:23:30 -0400 Subject: [Bug 198107] CVE-2006-3390: Wordpress information disclosure In-Reply-To: Message-ID: <200607201223.k6KCNUI4020918@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3390: Wordpress information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198107 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |CLOSED Resolution| |NOTABUG Flag|needinfo? | -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 20 12:35:42 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 20 Jul 2006 08:35:42 -0400 Subject: [Bug 199432] nant: arbitrary command execution due to buildroot remainders In-Reply-To: Message-ID: <200607201235.k6KCZg5m021495@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: nant: arbitrary command execution due to buildroot remainders https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199432 paul at all-the-johnsons.co.uk changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |0.85-6 ------- Additional Comments From paul at all-the-johnsons.co.uk 2006-07-20 08:26 EST ------- This has been fixed in 0.85-6 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 24 22:02:48 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 24 Jul 2006 18:02:48 -0400 Subject: [Bug 198652] Please pull v0.27 In-Reply-To: Message-ID: <200607242202.k6OM2mdO029656@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Please pull v0.27 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198652 ------- Additional Comments From roland at redhat.com 2006-07-24 17:53 EST ------- The devel build seems to have failed due to some problem in the rawhide gcc. I resubmitted the build and it worked with the newer devel build environment. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Tue Jul 25 20:44:22 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 25 Jul 2006 16:44:22 -0400 Subject: [Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug In-Reply-To: Message-ID: <200607252044.k6PKiMpf031942@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 triad at df.lth.se changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From triad at df.lth.se 2006-07-25 16:35 EST ------- Solved by upgrading to the new upstream version. Thanks for bringing this to attention, Ville! I hope not too many systems were compromised by rouge AdLib songs ;-) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From mattdm at mattdm.org Wed Jul 26 00:10:58 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Tue, 25 Jul 2006 20:10:58 -0400 Subject: openmotif bug #174815 (please review before FC4 eol) Message-ID: <20060726001058.GA32402@jadzia.bu.edu> I know it's no fun to work on less-than-cutting-edge Fedora releases, but updates shouldn't just get dropped on the floor as this one appears to have been. Can someone shed some light? Thanks! -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From twoerner at redhat.com Wed Jul 26 08:21:45 2006 From: twoerner at redhat.com (Thomas Woerner) Date: Wed, 26 Jul 2006 10:21:45 +0200 Subject: [mattdm@mattdm.org: openmotif bug #174815 (please review before FC4 eol)] In-Reply-To: <20060726052943.GB9664@dudweiler.stuttgart.redhat.com> References: <20060726052943.GB9664@dudweiler.stuttgart.redhat.com> Message-ID: <44C72619.2010807@redhat.com> Hello, I apologize for the delay. The package has been built, but I forgot to put in the update system. Should get pushed today. Thanks, Thomas Florian La Roche wrote: > FYI > > ----- Forwarded message from Matthew Miller ----- > > From: Matthew Miller > Subject: openmotif bug #174815 (please review before FC4 eol) > To: fedora-security-list at redhat.com > Date: Tue, 25 Jul 2006 20:10:58 -0400 > > I know it's no fun to work on less-than-cutting-edge Fedora releases, but > updates shouldn't just get dropped on the floor as this one appears to have > been. Can someone shed some light? Thanks! > > > From bugzilla at redhat.com Wed Jul 26 20:34:45 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Jul 2006 16:34:45 -0400 Subject: [Bug 200321] New: CVE-2006-3119, fbida: malicious postscript command vulnerability Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200321 Summary: CVE-2006-3119, fbida: malicious postscript command vulnerability Product: Fedora Extras Version: fc5 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3119 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: fbida AssignedTo: adrian at lisas.de ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3119 "The fbgs framebuffer Postscript/PDF viewer in fbi before 2.01 has a typo that prevents a filter from working correctly, which allows user-assisted attackers to bypass the filter and execute malicious Postscript commands." The CVE description says before 2.01, but 2.03 seems to be affected too. Fix: s/-dSAVER/-dSAFER/ in fbgs -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Jul 26 20:43:41 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Jul 2006 16:43:41 -0400 Subject: [Bug 200323] New: CVE-2006-3816, krusader: cleartext passwords in bookmarks file Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200323 Summary: CVE-2006-3816, krusader: cleartext passwords in bookmarks file Product: Fedora Extras Version: fc5 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3816 OS/Version: Linux Status: NEW Severity: high Priority: normal Component: krusader AssignedTo: mgarski at post.pl ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3816 http://krusader.sourceforge.net/phpBB/viewtopic.php?p=7965 Krusader 1.50-beta1 up to 1.70.0 stores passwords for remote connections in cleartext in the bookmark file (krbookmarks.xml), which allows attackers to steal passwords by obtaining the file. FE[345] and devel affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Jul 26 20:56:22 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Jul 2006 16:56:22 -0400 Subject: [Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug In-Reply-To: Message-ID: <200607262056.k6QKuMQ0004937@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 ------- Additional Comments From ville.skytta at iki.fi 2006-07-26 16:47 EST ------- Thanks for the fix, but please be careful with shared library sonames in the future. Packages built against the old one and depending on it are likely to prevent the new fixed library package from being installed. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Jul 26 21:11:31 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Jul 2006 17:11:31 -0400 Subject: [Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug In-Reply-To: Message-ID: <200607262111.k6QLBViP007208@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 ------- Additional Comments From triad at df.lth.se 2006-07-26 17:02 EST ------- Yeah, sorry I know, in this case I happened to maintain all affected packages so just rebuilt them. However, a first timer the question arise: how do I properly retire an .so file with security vulnerabilities? (Cannot find a good idea in any guidelines.) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 27 07:56:02 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 03:56:02 -0400 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: Message-ID: <200607270756.k6R7u2XY010195@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Security Vulnerability: CVE-2006-3668 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200370 j.w.r.degoede at hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Severity|normal |high Priority|normal |high CC| |fedora-security- | |list at redhat.com ------- Additional Comments From j.w.r.degoede at hhs.nl 2006-07-27 03:47 EST ------- Woops, hit enter too soon. Ah well. This is mainly a tracker bug, since I (the reporter) am also the maintainer. The subject says most, a security vulnerability in dumb has been found and catagories as CVE-2006-3668. Description from CVE: Heap-based buffer overflow in the it_read_envelope function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier, and current CVS as of 20060716, allows user-complicit attackers to execute arbitrary code via a ".it" (Impulse Tracker) file with an enveloper with a large number of nodes. Description from DSA: Luigi Auriemma discovered that DUMB, a tracker music library, performs insufficient sanitising of values parsed from IT music files, which might lead to a buffer overflow and execution of arbitrary code if manipulated files are read. Debian has a fix, I'm currently test building a new version with this fix. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From j.w.r.degoede at hhs.nl Thu Jul 27 08:20:04 2006 From: j.w.r.degoede at hhs.nl (Hans de Goede) Date: Thu, 27 Jul 2006 10:20:04 +0200 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: <200607270756.k6R7u2XY010195@bugzilla.redhat.com> References: <200607270756.k6R7u2XY010195@bugzilla.redhat.com> Message-ID: <44C87734.5040804@hhs.nl> Guys, The fix for this is building as I type, but I cannot find any documentation on writing up the advisory. From memory there was a template somewhere which I should fill, after which I should send it to a certain address (the official announce list I believe), where it would get verified by a human and then send to the official announce list. Can someone please document the procedure for getting an (FE) advisory out the door. This would seem like a good place to put this: http://fedoraproject.org/wiki/Security Thanks & Regards, Hans From bugzilla at redhat.com Thu Jul 27 08:17:55 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 04:17:55 -0400 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: Message-ID: <200607270817.k6R8HteG012037@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Security Vulnerability: CVE-2006-3668 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200370 j.w.r.degoede at hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From j.w.r.degoede at hhs.nl 2006-07-27 04:08 EST ------- Version 0.9.3-4 which fixes this has been build for FC-5 and devel and should show up on a mirror near you soon. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 27 15:36:33 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 11:36:33 -0400 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: Message-ID: <200607271536.k6RFaXxq008759@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Security Vulnerability: CVE-2006-3668 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200370 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Security -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 27 15:54:25 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 11:54:25 -0400 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: Message-ID: <200607271554.k6RFsPg5010663@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Security Vulnerability: CVE-2006-3668 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200370 jimpop at yahoo.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jimpop at yahoo.com ------- Additional Comments From jimpop at yahoo.com 2006-07-27 11:45 EST ------- In the future please make sure the application name appears in the summary title. Thank you, -Jim P. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 27 16:14:28 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 12:14:28 -0400 Subject: [Bug 200321] CVE-2006-3119, fbida: malicious postscript command vulnerability In-Reply-To: Message-ID: <200607271614.k6RGESTG011979@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3119, fbida: malicious postscript command vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200321 adrian at lisas.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From adrian at lisas.de 2006-07-27 12:05 EST ------- I have released fixes for FC-3, FC-4 and FC-5. The build for devel failed on ppc because of changes in the kernel headers. I need to investigate how to solve the problem on devel and will then close this bug. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Jul 27 19:58:57 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 27 Jul 2006 15:58:57 -0400 Subject: [Bug 200455] New: Seamonkey multiple vulnerabilities: CVE-2006-3677, CVE-2006-3803, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807 Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200455 Summary: Seamonkey multiple vulnerabilities: CVE-2006-3677, CVE- 2006-3803, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807 Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: seamonkey AssignedTo: kengert at redhat.com ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com Arbitrary code execution: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3677 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3803 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3806 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3807 Denial of service: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3804 All these are reported against seamonkey < 1.0.3. FE[45] and devel affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Jul 28 09:56:30 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 28 Jul 2006 05:56:30 -0400 Subject: [Bug 200321] CVE-2006-3119, fbida: malicious postscript command vulnerability In-Reply-To: Message-ID: <200607280956.k6S9uURm018241@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3119, fbida: malicious postscript command vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200321 adrian at lisas.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From adrian at lisas.de 2006-07-28 05:47 EST ------- also fixed on devel -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Jul 28 15:44:43 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 28 Jul 2006 11:44:43 -0400 Subject: [Bug 200455] Seamonkey multiple vulnerabilities: CVE-2006-{3113, 3677, 3801-3811} In-Reply-To: Message-ID: <200607281544.k6SFihBx004571@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Seamonkey multiple vulnerabilities: CVE-2006-{3113,3677,3801-3811} https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200455 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Seamonkey multiple |Seamonkey multiple |vulnerabilities: CVE-2006- |vulnerabilities: CVE-2006- |3677, CVE-2006-3803, CVE- |{3113,3677,3801-3811} |2006-3804, CVE-2006-3806, | |CVE-2006-3807 | ------- Additional Comments From ville.skytta at iki.fi 2006-07-28 11:35 EST ------- There's more: CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3805, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Jul 28 15:51:14 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 28 Jul 2006 11:51:14 -0400 Subject: [Bug 200545] New: CVE-2006-3913, freeciv: server buffer overflow issues Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200545 Summary: CVE-2006-3913, freeciv: server buffer overflow issues Product: Fedora Extras Version: fc5 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3913 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: freeciv AssignedTo: bdpepple at ameritech.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com CVE-2006-3913, http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3913 : Buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN 15 Jul 2006 and earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) negative chunk_length or a (2) large chunk->offset value in a PACKET_PLAYER_ATTRIBUTE_CHUNK packet in the generic_handle_player_attribute_chunk function in common/packets.c, and (3) a large packet->length value in the handle_unit_orders function in server/unithand.c. All FE-[345] and devel are probably affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From ville.skytta at iki.fi Fri Jul 28 16:08:38 2006 From: ville.skytta at iki.fi (Ville =?ISO-8859-1?Q?Skytt=E4?=) Date: Fri, 28 Jul 2006 19:08:38 +0300 Subject: Extras errata In-Reply-To: <200606292115.k5TLFBbo005317@devserv.devel.redhat.com> References: <200606292115.k5TLFBbo005317@devserv.devel.redhat.com> Message-ID: <1154102919.18799.91.camel@localhost.localdomain> On Thu, 2006-06-29 at 17:15 -0400, Josh Bressers wrote: > Hi everyone, > > I finally checked in an extras errata generation system. It's rather > trivial. I've been sitting on this for a few weeks and just haven't had > time to clean it up enough to commit it. And now we've sat on it a bit more, no announcements sent :(. Let's try to improve. > The readme file has some details on how things work. In a nutshell you > just have to run the errata-gen command, which places an advisory into the > errata directory for you. Then just edit away. Okay, tested by creating FEDORA-EXTRAS-2006-003 for CVE-2006-3668, it worked. > Now we have to think about how editing should be handled. I'm thinking at > least one other team member should approve an errata before it gets mailed. > > Thoughts? Works for me. As a general rule, who mails it? The package maintainer? The 1st or 2nd security team member handling the issue? It might not be a bad idea to add a "CVE ID(s):" placeholder somewhere in the template so that info is more likely to be included in the announcement. From ville.skytta at iki.fi Fri Jul 28 16:12:22 2006 From: ville.skytta at iki.fi (Ville =?ISO-8859-1?Q?Skytt=E4?=) Date: Fri, 28 Jul 2006 19:12:22 +0300 Subject: [Bug 200370] Security Vulnerability: CVE-2006-3668 In-Reply-To: <44C87734.5040804@hhs.nl> References: <200607270756.k6R7u2XY010195@bugzilla.redhat.com> <44C87734.5040804@hhs.nl> Message-ID: <1154103143.18799.96.camel@localhost.localdomain> On Thu, 2006-07-27 at 10:20 +0200, Hans de Goede wrote: > Can someone please document the procedure for getting an (FE) advisory > out the door. This would seem like a good place to put this: > http://fedoraproject.org/wiki/Security I think this is just about all we have at the moment for FE announcements, but nobody has used it yet apart from initial tests: https://www.redhat.com/archives/fedora-security-list/2006-June/msg00058.html I've reserved FEDORA-EXTRAS-2006-003 for this issue. Could you fill the attached template? -------------- next part -------------- --------------------------------------------------------------------- Fedora Update Notification FEDORA-EXTRAS-2006-003 --------------------------------------------------------------------- Product: Fedora Extras [4 5] Name: dumb Version: Release: Summary: Description: --------------------------------------------------------------------- Update Information: CVE ID: CVE-2006-3668 --------------------------------------------------------------------- This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://fedora.redhat.com/docs/yum/ From bugzilla at redhat.com Fri Jul 28 16:26:19 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 28 Jul 2006 12:26:19 -0400 Subject: [Bug 198108] CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug In-Reply-To: Message-ID: <200607281626.k6SGQJIc007154@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3581, CVE-2006-3582: Multiple stack/heap overflow vulnerabilities in adplug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198108 ------- Additional Comments From ville.skytta at iki.fi 2006-07-28 12:17 EST ------- (In reply to comment #4) > Yeah, sorry I know, in this case I happened to maintain all affected packages Yes, but only in FE. 3rd party repositories and local packages which use the libs are affected too. > However, a first timer the question arise: how do I properly retire an .so > file with security vulnerabilities? (Cannot find a good idea in any > guidelines.) If doable and feasible, backporting only the security fixes and avoiding the soname change would be one way of handling it smoothly. An incompatible upgrade policy and instructions are slowly in the works, but so far there is no consensus except that the very least one should do is to send a mail to fedora-maintainers, notifying about the issue, beforehand if at all possible so others (including non-FC/FE packagers) can prepare. Here's one example which IMO is being handled well. https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00397.html https://www.redhat.com/archives/fedora-maintainers/2006-July/msg00398.html -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Jul 29 09:32:56 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 29 Jul 2006 05:32:56 -0400 Subject: [Bug 200455] Seamonkey multiple vulnerabilities: CVE-2006-{3113, 3677, 3801-3812} In-Reply-To: Message-ID: <200607290932.k6T9Wur1029371@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Seamonkey multiple vulnerabilities: CVE-2006-{3113,3677,3801-3812} https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200455 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Seamonkey multiple |Seamonkey multiple |vulnerabilities: CVE-2006- |vulnerabilities: CVE-2006- |{3113,3677,3801-3811} |{3113,3677,3801-3812} ------- Additional Comments From ville.skytta at iki.fi 2006-07-29 05:23 EST ------- ...and CVE-2006-3812 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Jul 29 10:52:27 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 29 Jul 2006 06:52:27 -0400 Subject: [Bug 200357] major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 In-Reply-To: Message-ID: <200607291052.k6TAqRhi001131@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803,CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200357 mattdm at mattdm.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|CVE-2006-3113, CVE-2006- |major (public) security |3677, CVE-2006-3801, CVE- |flaws fixed in firefox |2006-3802, CVE-2006- |1.5.0.5: CVE-2006-3113, CVE- |3803,CVE-2006-3805, CVE- |2006-3677, CVE-2006-3801, |2006-3806, CVE-2006-3807, |CVE-2006-3802, CVE-2006- |CVE-2006-3808, CVE-2006- |3803,CVE-2006-3805, CVE- |3809, CVE-2006-3810, CVE- |2006-3806, CVE-2006-3807, |2006-3811, CVE-2006-3812: |CVE-2006-3808, CVE-2006- |major (public) security |3809, CVE-2006-3810, CVE- |flaws fixed in firefox |2006-3811, CVE-2006-3812 |1.5.0.5 | CC| |fedora-security- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Jul 29 10:52:43 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 29 Jul 2006 06:52:43 -0400 Subject: [Bug 200455] Seamonkey multiple vulnerabilities: CVE-2006-{3113, 3677, 3801-3812} In-Reply-To: Message-ID: <200607291052.k6TAqhS4001185@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Seamonkey multiple vulnerabilities: CVE-2006-{3113,3677,3801-3812} https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200455 ------- Additional Comments From mattdm at mattdm.org 2006-07-29 06:43 EST ------- See also related Firefox bug #200357 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Jul 29 22:03:22 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 29 Jul 2006 18:03:22 -0400 Subject: [Bug 200323] CVE-2006-3816, krusader: cleartext passwords in bookmarks file In-Reply-To: Message-ID: <200607292203.k6TM3M0D027221@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3816, krusader: cleartext passwords in bookmarks file https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200323 mgarski at post.pl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |RAWHIDE Fixed In Version| |1.70.1-1 ------- Additional Comments From mgarski at post.pl 2006-07-29 17:54 EST ------- Thanks for bug report. Bug is fixed in 1.70.1-1. Sorry for such delay in case of security bug, but I was on holiday. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 30 16:39:07 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 30 Jul 2006 12:39:07 -0400 Subject: [Bug 200357] major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 In-Reply-To: Message-ID: <200607301639.k6UGd7sr020962@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803,CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200357 kengert at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kengert at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Jul 30 20:11:13 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 30 Jul 2006 16:11:13 -0400 Subject: [Bug 200323] CVE-2006-3816, krusader: cleartext passwords in bookmarks file In-Reply-To: Message-ID: <200607302011.k6UKBDCg030090@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3816, krusader: cleartext passwords in bookmarks file https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200323 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Keywords| |Reopened Resolution|RAWHIDE | ------- Additional Comments From ville.skytta at iki.fi 2006-07-30 16:01 EST ------- Did you remember to push FC-5 and devel builds too? FC-3 and FC-4 are at 1.70.1 but FC-5 and devel still at 1.70.0. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 31 14:09:12 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 31 Jul 2006 10:09:12 -0400 Subject: [Bug 200323] CVE-2006-3816, krusader: cleartext passwords in bookmarks file In-Reply-To: Message-ID: <200607311409.k6VE9ChG020828@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3816, krusader: cleartext passwords in bookmarks file https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200323 mgarski at post.pl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |RAWHIDE ------- Additional Comments From mgarski at post.pl 2006-07-31 09:59 EST ------- Yes I did, but I didn't noticed that result files from ppc builder couldn't be downloaded. I've requeued that two packages and this time everything went fine. Thanks for pointing out. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 31 18:21:36 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 31 Jul 2006 14:21:36 -0400 Subject: [Bug 200793] New: gallery2: world writable .htaccess Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200793 Summary: gallery2: world writable .htaccess Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: gallery2 AssignedTo: jwb at redhat.com ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com /usr/share/gallery2/.htaccess is world writable apparently due to bad umask setting in the FE build system; its maintainers have been notified. FE[45] and devel are affected and this should be fixed in the package anyway, a fix is to use "install -pm 644" instead of cp to install the file. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 31 18:21:36 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 31 Jul 2006 14:21:36 -0400 Subject: [Bug 200794] New: zope: world writable files Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200794 Summary: zope: world writable files Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: urgent Component: zope AssignedTo: gauret at free.fr ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com The following files in zope are world writable apparently due to bad umask setting in the FE build system; its maintainers have been notified. /usr/lib/zope/skel/etc/logrotate.conf.in /usr/share/doc/zope-2.8.3/README.Fedora /var/lib/zope/etc/logrotate.conf FE[345] and devel are affected and this should be fixed in the package anyway, a fix is to use "install -pm 644" instead of cp when copying files around. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Jul 31 18:21:55 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 31 Jul 2006 14:21:55 -0400 Subject: [Bug 200795] New: xboard: world writable chess.png Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200795 Summary: xboard: world writable chess.png Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: xboard AssignedTo: kaboom at oobleck.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com /usr/share/pixmaps/chess.png is world writable apparently due to bad umask setting in the FE build system; its maintainers have been notified. FE5 and devel are affected and this should be fixed in the package anyway, a fix is to use "install -pm 644" instead of cp to install the file. In the FE4 package the file is 664, not world writable, but I'd recommend fixing this in it too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bressers at redhat.com Mon Jul 31 21:06:37 2006 From: bressers at redhat.com (Josh Bressers) Date: Mon, 31 Jul 2006 17:06:37 -0400 Subject: Extras errata In-Reply-To: Your message of "Fri, 28 Jul 2006 19:08:38 +0300." <1154102919.18799.91.camel@localhost.localdomain> Message-ID: <200607312106.k6VL6bVf019603@devserv.devel.redhat.com> > On Thu, 2006-06-29 at 17:15 -0400, Josh Bressers wrote: > > Hi everyone, > > > > I finally checked in an extras errata generation system. It's rather > > trivial. I've been sitting on this for a few weeks and just haven't had > > time to clean it up enough to commit it. > > And now we've sat on it a bit more, no announcements sent :(. Let's try > to improve. Indeed. Sadly I've had a terribly hectic July and it's still not over. We shall have to have a discussion next week regarding how to best handle this moving forward. The hardest part is that there isn't a nice way to tell when a package has been built and pushed. Ideally the bug gets updated, but that's not always the case. > > > Now we have to think about how editing should be handled. I'm thinking at > > least one other team member should approve an errata before it gets mailed. > > > > Thoughts? > > Works for me. As a general rule, who mails it? The package maintainer? > The 1st or 2nd security team member handling the issue? I'm thinking the person who has taken responsibility for the issue in question should also send the mail. This is up for discussion of course. > > It might not be a bad idea to add a "CVE ID(s):" placeholder somewhere > in the template so that info is more likely to be included in the > announcement. I agree with this. I'll take a look next week, if nobody else does it first. -- JB