From bugzilla at redhat.com  Thu Jun  1 19:04:17 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 1 Jun 2006 15:04:17 -0400
Subject: [Bug 193809] New: Snort URIContent Rules Detection Evasion
	Vulnerability
Message-ID: <bug-193809-199382@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809

           Summary: Snort URIContent Rules Detection Evasion Vulnerability
           Product: Fedora Extras
           Version: devel
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: snort
        AssignedTo: dennis at ausil.us
        ReportedBy: dennis at ausil.us
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-
                    list at redhat.com


Snort is reportedly prone to a vulnerability that may allow malicious packets 
to bypass detection. 

A successful attack can allow attackers to bypass intrusion detection and to 
carry out attacks against computers protected by Snort.

This vulnerability affects Snort 2.4.4. Other versions may be vulnerable as 
well.

there is no CVE yet

Demarc snort-2.4.4-demarc-patch.diff
 http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From deisenst at gtw.net  Fri Jun  2 07:41:07 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Fri, 2 Jun 2006 02:41:07 -0500 (CDT)
Subject: [Legacy] Mentoring for vulnerability bug tracking -- kernel, and
 general
Message-ID: <Pine.LNX.4.44.0606020200130.10600-100000@twinkfed.homedns.org>

Hi,

(Please forgive me for cross-posting, but I thought I'd post this question
to all the relevant groups I could think of.  Please let me know if I am
committing a cross-posting felony here.  :)  )

I am in the process of mentoring someone to help them learn how to do
vulnerability tracking for Fedora Legacy.  This evening, we were looking
at doing that for the kernels.  We quickly got confused, though, because
we weren't sure how to go about making sure we only report issues into
Bugzilla that would be relevant kernel issues for Fedora Legacy at this
time.

One complicating factor here is that we in Legacy don't necessarily
release kernels in any kind of lock-step with what either Fedora Core or
Red Hat Enterprise Linux does, so the issues we have to fix are a
different subset of issues than what is reported in any given RHSA or
FEDORA release announcement.  And even if we did release kernels in 
lockstep, no doubt there would still be differing CVE's per distro.

(For those of you not familiar with Legacy processes:  we normally put
multiple CVE issues [maybe as many as dozens of CVE's] into a single
bugzilla report for a given .src.rpm component; and we also put multiple
distros in a given bugzilla ticket as well, using a "Version" tag of
"unspecified"  and tracking what distros are being worked on and their
statuses via the use of Status Whiteboard entries.  For more information
about this, you can refer to
<http://fedoraproject.org/wiki/Legacy/StatusWhiteboard>, and the most
recent completed Legacy kernel bug is here in case you're interested:
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459>.)

I started to suggest to my mentee this method:  Have a look at the latest
release announcements from Fedora Legacy for the kernels that we maintain,
and then look for issues in the usual places (e.g., those resources listed
in <http://fedoraproject.org/wiki/Legacy/VulnerabilityTracking>) that have
come up since we released our latest security-fixed kernels.  That would
provide a list of CVE's to then put in a new Bugzilla ticket or add to an
already-existing ticket that would likely be relevant.  But is this 
enough?

Does this method sound workable to you?  Are we missing something?  Do you
have you have some better ideas how to track kernel vulnerabilities to get
those vulnerabilities properly listed in a Bugzilla ticket to be worked 
on?

A more general question is this:  How do we in Fedora Legacy track 
vulnerabilities and make sure that we are aware of all the relevant 
vulnerabilities for the packages that we maintain, and haven't missed 
something?

The fedora-security-list and Josh Bressers are using audit files to track 
all relevant security vulnerabilities for their sets of packages, which 
are kept in CVS here,
  <http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora>

but we here in Fedora Legacy haven't started using this kind of tool yet.
Is it time for us to start doing so?  If so, are any of you interested in
forming some kind of vulnerability tracking team and getting started on
such list(s) for the products we maintain?

Thanks much in advance!

	Regards,

	David Eisenstein



From sundaram at fedoraproject.org  Fri Jun  2 11:20:58 2006
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 02 Jun 2006 16:50:58 +0530
Subject: [Legacy] Mentoring for vulnerability bug tracking -- kernel,
	and general
In-Reply-To: <Pine.LNX.4.44.0606020200130.10600-100000@twinkfed.homedns.org>
References: <Pine.LNX.4.44.0606020200130.10600-100000@twinkfed.homedns.org>
Message-ID: <1149247258.4138.3.camel@sundaram.pnq.redhat.com>

On Fri, 2006-06-02 at 02:41 -0500, David Eisenstein wrote:

> A more general question is this:  How do we in Fedora Legacy track 
> vulnerabilities and make sure that we are aware of all the relevant 
> vulnerabilities for the packages that we maintain, and haven't missed 
> something?
> 
> The fedora-security-list and Josh Bressers are using audit files to track 
> all relevant security vulnerabilities for their sets of packages, which 
> are kept in CVS here,
>   <http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora>
> 
> but we here in Fedora Legacy haven't started using this kind of tool yet.
> Is it time for us to start doing so?  If so, are any of you interested in
> forming some kind of vulnerability tracking team and getting started on
> such list(s) for the products we maintain?

It seems to me that whatever system used by the Fedora Security Team
should be adopted by Fedora Legacy after discussion with the relevant
contributors.

Rahul



From bugzilla at redhat.com  Fri Jun  2 15:31:54 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 2 Jun 2006 11:31:54 -0400
Subject: [Bug 193809] CVE-2006-2769 Snort URIContent Rules Detection Evasion
	Vulnerability
In-Reply-To: <bug-193809-199382@bugzilla.redhat.com>
Message-ID: <200606021531.k52FVso1022872@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809


dennis at ausil.us changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Snort URIContent Rules      |CVE-2006-2769 Snort
                   |Detection Evasion           |URIContent Rules Detection
                   |Vulnerability               |Evasion Vulnerability
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE




------- Additional Comments From dennis at ausil.us  2006-06-02 11:24 EST -------
I've applied the supplied patch. 

Fixed in 2.4.4-4 

Hans  would you mind doing an audit of the snort code?  this is the second 
similar vulnerability this year

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Fri Jun  2 20:16:19 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 2 Jun 2006 16:16:19 -0400
Subject: [Bug 193809] CVE-2006-2769 Snort URIContent Rules Detection Evasion
	Vulnerability
In-Reply-To: <bug-193809-199382@bugzilla.redhat.com>
Message-ID: <200606022016.k52KGJrT009188@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809


dennis at ausil.us changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |NEW
           Keywords|                            |Reopened
         Resolution|NEXTRELEASE                 |




------- Additional Comments From dennis at ausil.us  2006-06-02 16:08 EST -------
turns out that the patch is incomplete.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Sat Jun  3 13:46:43 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 3 Jun 2006 09:46:43 -0400
Subject: [Bug 193962] New: CVE-2006-2777 (seamonkey): remote arbitrary code
	execution vulnerability
Message-ID: <bug-193962-199382@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193962

           Summary: CVE-2006-2777 (seamonkey): remote arbitrary code
                    execution vulnerability
           Product: Fedora Extras
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: high
          Priority: high
         Component: seamonkey
        AssignedTo: kengert at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-
                    list at redhat.com


Remote arbitrary code execution vulnerability in seamonkey < 1.0.2:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2777

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Sat Jun  3 13:50:14 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 3 Jun 2006 09:50:14 -0400
Subject: [Bug 193963] New: CVE-2006-2781 (seamonkey): DOS/arbitrary code
	execution vuln with vcards
Message-ID: <bug-193963-199382@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193963

           Summary: CVE-2006-2781 (seamonkey): DOS/arbitrary code execution
                    vuln with vcards
           Product: Fedora Extras
           Version: fc5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: high
          Priority: high
         Component: seamonkey
        AssignedTo: kengert at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-
                    list at redhat.com


vcard parsing related DOS/arbitrary code execution in seamonkey < 1.0.2:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2781

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Sat Jun  3 18:55:27 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 3 Jun 2006 14:55:27 -0400
Subject: [Bug 193809] CVE-2006-2769 Snort URIContent Rules Detection Evasion
	Vulnerability
In-Reply-To: <bug-193809-199382@bugzilla.redhat.com>
Message-ID: <200606031855.k53ItRxj032440@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809





------- Additional Comments From ville.skytta at iki.fi  2006-06-03 14:47 EST -------
FYI: due to rawhide libpcap packaging issues, libpcap may have been statically
linked in in the current devel snort package, see bug 193189 comment 2

One possible workaround: BuildRequire both libpcap and libpcap-devel

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From deisenst at gtw.net  Sat Jun  3 19:36:13 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Sat, 03 Jun 2006 14:36:13 -0500
Subject: New Mozilla vulnerabilities??
Message-ID: <4481E4AD.4040106@gtw.net>

Hello all,

Yesterday, I received a notice from US-CERT regarding Technical Cyber
Security Alert TA06-153A -- Mozilla Products Contain Multiple
Vulnerabilities, (available at
<http://www.us-cert.gov/cas/techalerts/TA06-153A.html>).

It mentions a bunch of vulnerabilities (all of which seem to affect
Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
that none of the announcements mention the Mozilla suite.  Also, at least as
of last night, none of them mention any CVE #'s.

What's going on with this?  Are any Mozilla Suite products affected by these
vulnerabilities?  Some of these sound critical -- and if there are no
patches available for mozilla-1.7.13, well, it seems bad!

   "Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:

   "VU#237257 - Mozilla privilege escalation using addSelectionListener
   A privilege escalation vulnerability exists in the Mozilla
   addSelectionListener method. This may allow a remote attacker to
   execute arbitrary code.

   "VU#421529 - Mozilla contains a buffer overflow vulnerability in
   crypto.signText()
   Mozilla products contain a buffer overflow in the crypto.signText()
   method. This may allow a remote attacker to execute arbitrary code.

   "VU#575969 - Mozilla may process content-defined setters on object
   prototypes with elevated privileges
   Mozilla allows content-defined setters on object prototypes to execute
   with elevated privileges. This may allow a remote attacker to execute
   arbitrary code.

   "VU#243153 - Mozilla may associate persisted XUL attributes with an
   incorrect URL
   Mozilla can allow persisted XUL attributes to associate with the wrong
   URL. This may allow a remote attacker to execute arbitrary code.

   "VU#466673 - Mozilla contains multiple memory corruption
   vulnerabilities
   Mozilla contains several memory corruption vulnerabilities. This may
   allow a remote attacker to execute arbitrary code."

-David



From deisenst at gtw.net  Sat Jun  3 19:56:21 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Sat, 03 Jun 2006 14:56:21 -0500
Subject: Full list of Seamonkey (unpatched Mozilla Suite??)
	vulnerabilities...
Message-ID: <4481E965.3090809@gtw.net>

Hi again all,

More Seamonkey vulnerabilties...

From
<http://www.mozilla.org/projects/security/known-vulnerabilities.html#SeaMonkey>,
there is this list:

Fixed in SeaMonkey 1.0.2
------------------------
Critical - MFSA 2006-43 Privilege escalation using addSelectionListener
High     - MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
High     - MFSA 2006-41 File stealing by changing input type (variant)
Critical - MFSA 2006-40 Double-free on malformed VCard
Low      - MFSA 2006-39 "View Image" local resource linking (Windows)
Critical - MFSA 2006-38 Buffer overflow in crypto.signText()
Critical - MFSA 2006-37 Remote compromise via content-defined setter on
                        object prototypes
Critical - MFSA 2006-35 Privilege escalation through XUL persist
Moderate - MFSA 2006-34 XSS viewing javascript: frames or images from
                        context menu
High     - MFSA 2006-33 HTTP response smuggling
Critical - MFSA 2006-32 Fixes for crashes with potential memory corruption
Moderate - MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig,
                        Greasemonkey)

Similar lists exists for Firefox ("Fixed in Firefox 1.5.0.4") and
Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page.

Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then
many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and
Thunderbird-1.0.8 ....

What is the Mozilla Foundation trying to do here?  Make zero-day exploits
available to malware writers to use against legacy users of Mozilla-1.7.13
Firefox-1.0.8, and Thunderbird-1.0.8 users?!?  Is there any coordination
among outside maintainers of these legacy packages (since the Mozilla
foundation's official policy is that Mozilla-1.7.13 was the end of the line
for the Mozilla suite)?  Should there be??

	Regards,

	David Eisenstein

ps:  None of the detailed MSFA's linked to from the known-vulnerabilities
page that I looked at had any CVE's listed for them.  Does anyone know if
any CVE's are assigned for these vulnerabilities?  Also, all of the
bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least
for me).  Does anyone here have access to those bug reports?



From deisenst at gtw.net  Sat Jun  3 20:08:46 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Sat, 03 Jun 2006 15:08:46 -0500
Subject: [Fwd: Re: [Bug 193962] New: CVE-2006-2777 (seamonkey): remote
 arbitrary code	execution vulnerability]
Message-ID: <4481EC4E.8030803@gtw.net>

Oops, used wrong "From" address...  trying again ... sorry 'bout that.
	-David

-------- Original Message --------
Subject: Re: [Bug 193962] New: CVE-2006-2777 (seamonkey): remote arbitrary
From: Dave Eisenstein <c438421 at twinkie.homedns.org>
To: fedora-security-list at redhat.com

Hey Ville,

How did you get news of the existence of CVE-2006-2777?

	Regards,
	David Eisenstein

bugzilla at redhat.com wrote:

> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193962
> 
>            Summary: CVE-2006-2777 (seamonkey): remote arbitrary code
>                     execution vulnerability
>            Product: Fedora Extras
>            Version: fc5
>           Platform: All
>         OS/Version: Linux
>             Status: NEW
>           Severity: high
>           Priority: high
>          Component: seamonkey
>         AssignedTo: kengert at redhat.com
>         ReportedBy: ville.skytta at iki.fi
>          QAContact: extras-qa at fedoraproject.org
>                 CC: extras-qa at fedoraproject.org,fedora-security-
>                     list at redhat.com
> 
> Remote arbitrary code execution vulnerability in seamonkey < 1.0.2:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2777
> 




From ville.skytta at iki.fi  Sat Jun  3 21:43:14 2006
From: ville.skytta at iki.fi (Ville =?ISO-8859-1?Q?Skytt=E4?=)
Date: Sun, 04 Jun 2006 00:43:14 +0300
Subject: [Fwd: Re: [Bug 193962] New: CVE-2006-2777 (seamonkey): remote
	arbitrary code	execution vulnerability]
In-Reply-To: <4481EC4E.8030803@gtw.net>
References: <4481EC4E.8030803@gtw.net>
Message-ID: <1149370994.2853.24.camel@localhost.localdomain>

On Sat, 2006-06-03 at 15:08 -0500, David Eisenstein wrote:

> How did you get news of the existence of CVE-2006-2777?

>From the RSS feeds available at http://nvd.nist.gov/download.cfm#RSS



From bressers at redhat.com  Sun Jun  4 00:34:32 2006
From: bressers at redhat.com (Josh Bressers)
Date: Sat, 03 Jun 2006 20:34:32 -0400
Subject: Full list of Seamonkey (unpatched Mozilla Suite??)
	vulnerabilities...
In-Reply-To: Your message of "Sat, 03 Jun 2006 14:56:21 CDT."
	<4481E965.3090809@gtw.net>
Message-ID: <200606040034.k540YWJA019896@devserv.devel.redhat.com>

> 
> Similar lists exists for Firefox ("Fixed in Firefox 1.5.0.4") and
> Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page.
> 
> Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then
> many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and
> Thunderbird-1.0.8 ....

Some of them do, some of them don't.  I don't have a complete list yet.

I've tracked down the most critical issues.  Take a look at these bugs for
the CVE ids I've identified.

Mozilla: 193906
Firefox: 193895

We're working on a patch for those particular issues.

Thunderbird has no critical bugs.

> 
> What is the Mozilla Foundation trying to do here?  Make zero-day exploits
> available to malware writers to use against legacy users of Mozilla-1.7.13
> Firefox-1.0.8, and Thunderbird-1.0.8 users?!?  Is there any coordination
> among outside maintainers of these legacy packages (since the Mozilla
> foundation's official policy is that Mozilla-1.7.13 was the end of the line
> for the Mozilla suite)?  Should there be??

The Mozilla Foundation doesn't care about users running the older versions
of the suite and Firefox.  I could go into detail about their mishandling
of this, but I'd rather not.  They have no interest in coordinating with
vendors in any way.  They've done a very poor job communicating the EOL of
their products.

I personally consider releasing a critical update on a Friday very
irresponsible.  I've let them know this more than once, which has been
ignored.

> 
> 	Regards,
> 
> 	David Eisenstein
> 
> ps:  None of the detailed MSFA's linked to from the known-vulnerabilities
> page that I looked at had any CVE's listed for them.  Does anyone know if
> any CVE's are assigned for these vulnerabilities?  Also, all of the
> bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least
> for me).  Does anyone here have access to those bug reports?

All issues have CVE ids.  I'm attaching the CVE mails that detail these.

-- 
    JB



From coley at mitre.org  Fri Jun  2 18:01:38 2006
From: coley at mitre.org (coley at mitre.org)
Date: Fri, 2 Jun 2006 14:01:38 -0400 (EDT)
Subject: [CVENEW] New CVE CANs: 2006/06/02 14:00 ; count=4
Message-ID: <200606021801.k52I1cba021249@cairo.mitre.org>

======================================================
Name: CVE-2006-2775
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-35.html
Reference: CERT-VN:VU#243153
Reference: URL:http://www.kb.cert.org/vuls/id/243153

Mozilla Firefox and Thunderbird before 1.5.0.4 associates XZUL
attributes with the wrong URL under certain unspecified circumstances,
which might allow remote attackers to bypass restrictions by causing a
persisted string to be associated with the wrong URL.



======================================================
Name: CVE-2006-2776
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-37.html
Reference: CERT-VN:VU#575969
Reference: URL:http://www.kb.cert.org/vuls/id/575969

Certain privileged UI code in Mozilla Firefox and Thunderbird before
1.5.0.4 calls content-defined setters on an object prototype, which
allows remote attackers to execute code at a higher privilege than
intended.



======================================================
Name: CVE-2006-2777
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2777
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-43.html
Reference: CERT-VN:VU#237257
Reference: URL:http://www.kb.cert.org/vuls/id/237257

Unspecified vulnerability in Mozilla Firefox before 1.5.0.4 and
SeaMonkey before 1.0.2 allows remote attackers to execute arbitrary
code by using the nsISelectionPrivate interface of the Selection
object to add a SelectionListener and create notifications that are
executed in a privileged context.



======================================================
Name: CVE-2006-2778
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-38.html
Reference: CERT-VN:VU#421529
Reference: URL:http://www.kb.cert.org/vuls/id/421529

The crypto.signText function in Mozilla Firefox and Thunderbird before
1.5.0.4 allows remote attackers to execute arbitrary code via certain
optional Certificate Authority name arguments, which causes an invalid
array index and triggers a buffer overflow.





From coley at mitre.org  Fri Jun  2 19:01:37 2006
From: coley at mitre.org (coley at mitre.org)
Date: Fri, 2 Jun 2006 15:01:37 -0400 (EDT)
Subject: [CVENEW] New CVE CANs: 2006/06/02 15:00 ; count=7
Message-ID: <200606021901.k52J1bOv022240@cairo.mitre.org>

======================================================
Name: CVE-2006-2779
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-32.html
Reference: CERT-VN:VU#466673
Reference: URL:http://www.kb.cert.org/vuls/id/466673

Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via (1) nested <option> tags in a select tag, (2) a
DOMNodeRemoved mutation event, (3) "Content-implemented tree views,"
(4) BoxObjects, (5) the XBL implementation, (6) an iframe that
attempts to remove itself, which leads to memory corruption.



======================================================
Name: CVE-2006-2780
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2780
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-32.html
Reference: CERT-VN:VU#466673
Reference: URL:http://www.kb.cert.org/vuls/id/466673

Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4
allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via "jsstr tagify," which leads to
memory corruption.



======================================================
Name: CVE-2006-2781
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2781
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-40.html

Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and
SeaMonkey before 1.0.2 allows remote attackers to cause a denial of
service (hang) and possibly execute arbitrary code via a VCard that
contains invalid base64 characters.



======================================================
Name: CVE-2006-2782
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2782
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-41.html

Firefox 1.5.0.2 does not fix all test cases associated with
CVE-2006-1729, which allows remote attackers to read arbitrary files
by inserting the target filename into a text box, then turning that
box into a file upload control.



======================================================
Name: CVE-2006-2783
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-42.html

Mozilla Firefox and Thunderbird before 1.5.0.4 strips the Unicode
Byte-order-Mark (BOM) from a UTF-8 page before the page is passed to
the parser, which allows remote attackers to conduct cross-site
scripting (XSS) attacks via a BOM sequence in the middle of a
dangerous tag such as SCRIPT.



======================================================
Name: CVE-2006-2784
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2784
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-36.html

The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows
remote user-complicit attackers to execute privileged code by tricking
a user into installing missing plugins and selecting the "Manual
Install" button, then using nested javascript: URLs.  NOTE: the manual
install button is used for downloading software from a remote web
site, so this issue would not cross privilege boundaries if the user
progresses to the point of installing malicious software from the
attacker-controlled site.



======================================================
Name: CVE-2006-2785
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2785
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-34.html

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
1.5.0.4 allows user-complicit remote attackers to inject arbitrary web
script or HTML by tricking a user into (1) performing a "View Image"
on a broken image in which the SRC attribute contains a Javascript
URL, or (2) selecting "Show only this frame" on a frame whose SRC
attribute contains a Javascript URL.





From coley at mitre.org  Fri Jun  2 20:01:37 2006
From: coley at mitre.org (coley at mitre.org)
Date: Fri, 2 Jun 2006 16:01:37 -0400 (EDT)
Subject: [CVENEW] New CVE CANs: 2006/06/02 16:00 ; count=2
Message-ID: <200606022001.k52K1bGV023384@cairo.mitre.org>

======================================================
Name: CVE-2006-2786
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2786
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-33.html

HTTP response smuggling vulnerability in Mozilla Firefox and
Thunderbird before 1.5.0.4, when used with certain proxy servers,
allows remote attackers to cause Firefox to interpret certain
responses as if they were responses from two different sites via (1)
invalid HTTP response headers with spaces between the header name and
the colon, which might not be ignored in some cases, or (2) HTTP 1.1
headers through an HTTP 1.0 proxy, which are ignored by the proxy but
processed by the client.



======================================================
Name: CVE-2006-2787
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2787
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-31.html

EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows
remote attackers to gain privileges via javascript that calls the
valueOf method on objects that were created outside of the sandbox.





From coley at mitre.org  Fri Jun  2 21:01:44 2006
From: coley at mitre.org (coley at mitre.org)
Date: Fri, 2 Jun 2006 17:01:44 -0400 (EDT)
Subject: [CVENEW] New CVE CANs: 2006/06/02 17:00 ; count=1
Message-ID: <200606022101.k52L1iEg024878@cairo.mitre.org>

======================================================
Name: CVE-2006-2788
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2788
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20060602
Category: 
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=321598

Double-free vulnerability in the getRawDER function for nsIX509Cert in
Firefox allows remote attackers to cause a denial of service (hang)
and possibly execute arbitrary code via certain Javascript code.




------- =_aaaaaaaaaa0--



From bugzilla at redhat.com  Mon Jun  5 18:01:21 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Jun 2006 14:01:21 -0400
Subject: [Bug 187353] Possible security issue
In-Reply-To: <bug-187353-199382@bugzilla.redhat.com>
Message-ID: <200606051801.k55I1LFw023726@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Possible security issue


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187353


lmacken at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fedora-security-
                   |                            |list at redhat.com




------- Additional Comments From lmacken at redhat.com  2006-06-05 13:53 EST -------
I agree that this is an issue with NetHack and needs to be fixed.  After quickly
looking around, I don't believe a patch for this has been written yet (I could
be wrong).

CC'ing fedora-security-list.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Tue Jun  6 18:24:17 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 6 Jun 2006 14:24:17 -0400
Subject: [Bug 192983] CVE-2006-2575 Remote termination security issue
In-Reply-To: <bug-192983-199382@bugzilla.redhat.com>
Message-ID: <200606061824.k56IOHtH025569@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2575 Remote termination security issue


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983





------- Additional Comments From j.w.r.degoede at hhs.nl  2006-06-06 14:16 EST -------
Created an attachment (id=130628)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=130628&action=view)
Patch fixing this CVE

Since no-one else was doing it I've taken a look at this, with as a result the
attached patch which fixes this.

I confirmed the crash with the exploit given in the URL above, and checked that
it no longer crashes with this patch.

I however didnot check if this influences play in anyway, someone who actually
plays the game should test this, especially the flag selection for a player.
Although I believe that there should be no influence.

p.s.

Whats going on with getting the fix for the other vulnerability from SVN?


-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun  8 23:25:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 8 Jun 2006 19:25:57 -0400
Subject: [Bug 193962] CVE-2006-2777 (seamonkey): remote arbitrary code
	execution vulnerability
In-Reply-To: <bug-193962-199382@bugzilla.redhat.com>
Message-ID: <200606082325.k58NPvbl010957@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2777 (seamonkey): remote arbitrary code execution vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193962


kengert at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |1.0.2-1




------- Additional Comments From kengert at redhat.com  2006-06-08 19:17 EST -------
released 1.0.2 rpm, fixed


-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun  8 23:26:06 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 8 Jun 2006 19:26:06 -0400
Subject: [Bug 193963] CVE-2006-2781 (seamonkey): DOS/arbitrary code
	execution vuln with vcards
In-Reply-To: <bug-193963-199382@bugzilla.redhat.com>
Message-ID: <200606082326.k58NQ6hA010970@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2781 (seamonkey): DOS/arbitrary code execution vuln with vcards


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193963


kengert at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |1.0.2-1




------- Additional Comments From kengert at redhat.com  2006-06-08 19:18 EST -------
released 1.0.2 rpm, fixed


-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From mattdm at mattdm.org  Fri Jun  9 14:53:41 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Fri, 9 Jun 2006 10:53:41 -0400
Subject: New Mozilla vulnerabilities??
In-Reply-To: <4481E4AD.4040106@gtw.net>
References: <4481E4AD.4040106@gtw.net>
Message-ID: <20060609145341.GA5829@jadzia.bu.edu>

On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
> It mentions a bunch of vulnerabilities (all of which seem to affect
> Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
> that none of the announcements mention the Mozilla suite.  Also, at least as
> of last night, none of them mention any CVE #'s.

No updates for Firefox for Fedora Core yet, either....

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



From deisenst at gtw.net  Fri Jun  9 15:33:38 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Fri, 09 Jun 2006 10:33:38 -0500
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
Message-ID: <448994D2.7000700@gtw.net>


Matthew Miller wrote:
> On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
> 
>>It mentions a bunch of vulnerabilities (all of which seem to affect
>>Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
>>that none of the announcements mention the Mozilla suite.  Also, at least as
>>of last night, none of them mention any CVE #'s.
> 
> 
> No updates for Firefox for Fedora Core yet, either....
> 
> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
> 

I heard a rumor the other day that Red Hat Enterprise Linux may be planning
to replace Mozilla with Seamonkey in their currently-maintained distros.  Am
wondering if there is any truth to this rumor?  Also wondering if there is
anything we in Fedora Legacy can do to help in this process of dealing with
these critical Mozilla/Firefox/Seamonkey bugs?

Fedora Legacy bug for these issues:
   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194440>

Congrats to Fedora Extras for getting Seamonkey packages out already!  :)

	Regards,
	David




From bugzilla at redhat.com  Fri Jun  9 15:52:44 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 9 Jun 2006 11:52:44 -0400
Subject: [Bug 192983] CVE-2006-2575 Remote termination security issue
In-Reply-To: <bug-192983-199382@bugzilla.redhat.com>
Message-ID: <200606091552.k59FqiVE008102@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2575 Remote termination security issue


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983


hugo at devin.com.br changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4




------- Additional Comments From hugo at devin.com.br  2006-06-09 11:44 EST -------
Thanks Hans, I've applied your patch and it works fine! (Tested too)

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Fri Jun  9 15:52:40 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 9 Jun 2006 11:52:40 -0400
Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS
In-Reply-To: <bug-192990-199382@bugzilla.redhat.com>
Message-ID: <200606091552.k59FqeXT008091@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2005-2295 - netpanzer server remote DOS


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990


hugo at devin.com.br changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4




------- Additional Comments From hugo at devin.com.br  2006-06-09 11:44 EST -------
Found a patch to this issue in Gentoo build tree under:

games-strategy/netpanzer/files/netpanzer-0.8-min-size-check.patch

Fixed! Thanks.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bressers at redhat.com  Fri Jun  9 17:08:30 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 09 Jun 2006 13:08:30 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: Your message of "Fri, 09 Jun 2006 10:33:38 CDT."
	<448994D2.7000700@gtw.net>
Message-ID: <200606091708.k59H8UPD020604@devserv.devel.redhat.com>

> 
> Matthew Miller wrote:
> > On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
> > 
> >>It mentions a bunch of vulnerabilities (all of which seem to affect
> >>Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
> >>that none of the announcements mention the Mozilla suite.  Also, at least as
> >>of last night, none of them mention any CVE #'s.
> > 
> > 
> > No updates for Firefox for Fedora Core yet, either....
> > 
> > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
> > 
> 
> I heard a rumor the other day that Red Hat Enterprise Linux may be planning
> to replace Mozilla with Seamonkey in their currently-maintained distros.  Am
> wondering if there is any truth to this rumor?  Also wondering if there is
> anything we in Fedora Legacy can do to help in this process of dealing with
> these critical Mozilla/Firefox/Seamonkey bugs?

This is true.  We're going with seamonkey in RHEL.  I think this current
round of issues is proof as to why this has to happen.  Backporting to the
firefox 1.0 branch is nearly impossible given the drastic changes between
versions.

Right now we're furiously working on backporting patches for the most
critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
with your request.  He's currently heading up a small group of various
distributors trying to get all this work done.

-- 
    JB



From mattdm at mattdm.org  Fri Jun  9 17:38:20 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Fri, 9 Jun 2006 13:38:20 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <200606091708.k59H8UPD020604@devserv.devel.redhat.com>
References: <448994D2.7000700@gtw.net>
	<200606091708.k59H8UPD020604@devserv.devel.redhat.com>
Message-ID: <20060609173820.GA12792@jadzia.bu.edu>

On Fri, Jun 09, 2006 at 01:08:30PM -0400, Josh Bressers wrote:
> Right now we're furiously working on backporting patches for the most
> critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> with your request.  He's currently heading up a small group of various
> distributors trying to get all this work done.

In the meantime, can someone take care of the simpler case of updating FC5
from 1.5.0.3 to 1.5.0.4?

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



From smooge at gmail.com  Fri Jun  9 17:44:18 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 9 Jun 2006 11:44:18 -0600
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <200606091708.k59H8UPD020604@devserv.devel.redhat.com>
References: <448994D2.7000700@gtw.net>
	<200606091708.k59H8UPD020604@devserv.devel.redhat.com>
Message-ID: <80d7e4090606091044s53da6aa2u7ecddb831871db07@mail.gmail.com>

On 6/9/06, Josh Bressers <bressers at redhat.com> wrote:
> >
> > Matthew Miller wrote:
> > > On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
> > >
> > >>It mentions a bunch of vulnerabilities (all of which seem to affect
> > >>Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
> > >>that none of the announcements mention the Mozilla suite.  Also, at least as
> > >>of last night, none of them mention any CVE #'s.
> > >
> > >
> > > No updates for Firefox for Fedora Core yet, either....
> > >
> > > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
> > >
> >
> > I heard a rumor the other day that Red Hat Enterprise Linux may be planning
> > to replace Mozilla with Seamonkey in their currently-maintained distros.  Am
> > wondering if there is any truth to this rumor?  Also wondering if there is
> > anything we in Fedora Legacy can do to help in this process of dealing with
> > these critical Mozilla/Firefox/Seamonkey bugs?
>
> This is true.  We're going with seamonkey in RHEL.  I think this current
> round of issues is proof as to why this has to happen.  Backporting to the
> firefox 1.0 branch is nearly impossible given the drastic changes between
> versions.
>
> Right now we're furiously working on backporting patches for the most
> critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> with your request.  He's currently heading up a small group of various
> distributors trying to get all this work done.
>

I would say that it is not worth the effort to do that much
backporting. I am having to deal with sites that just want to block
old Firefox browser strings anyway at their firewalls. So my day job
is basically going to be get 1.5.0.4{5,6,7} onto RHL-7.3 -> RHEL-4
anyway.

My {I am not much of a coder, but have to deal with the mess left over
by them} possition would be that  getting a modularized javascript
interpreter written, debugged, security minded than trying to back-fix
things might be a better idea.


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



From deisenst at gtw.net  Fri Jun  9 23:28:01 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Fri, 09 Jun 2006 18:28:01 -0500
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <200606091708.k59H8UPD020604@devserv.devel.redhat.com>
References: <200606091708.k59H8UPD020604@devserv.devel.redhat.com>
Message-ID: <448A0401.4000403@gtw.net>

Josh Bressers wrote:
>>Matthew Miller wrote:
>>
>>>On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
>>>
>>>
>>>>It mentions a bunch of vulnerabilities (all of which seem to affect
>>>>Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, it appears
>>>>that none of the announcements mention the Mozilla suite.  Also, at least as
>>>>of last night, none of them mention any CVE #'s.
>>>
>>>
>>>No updates for Firefox for Fedora Core yet, either....
>>>
>>><https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
>>>
>>I heard a rumor the other day that Red Hat Enterprise Linux may be planning
>>to replace Mozilla with Seamonkey in their currently-maintained distros.  Am
>>wondering if there is any truth to this rumor?  Also wondering if there is
>>anything we in Fedora Legacy can do to help in this process of dealing with
>>these critical Mozilla/Firefox/Seamonkey bugs?
> 
> 
> This is true.  We're going with seamonkey in RHEL.  I think this current
> round of issues is proof as to why this has to happen.  Backporting to the
> firefox 1.0 branch is nearly impossible given the drastic changes between
> versions.
> 
> Right now we're furiously working on backporting patches for the most
> critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> with your request.  He's currently heading up a small group of various
> distributors trying to get all this work done.
> 

You are backporting patches then for the most critical issues for Mozilla
suite 1.7.13 only, Josh?  Or also for Firefox-1.0.8?

	Regards,
	David



From bressers at redhat.com  Sat Jun 10 04:25:24 2006
From: bressers at redhat.com (Josh Bressers)
Date: Sat, 10 Jun 2006 00:25:24 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: Your message of "Fri, 09 Jun 2006 18:28:01 CDT."
	<448A0401.4000403@gtw.net>
Message-ID: <200606100425.k5A4POWc004151@devserv.devel.redhat.com>

> > 
> > 
> > This is true.  We're going with seamonkey in RHEL.  I think this current
> > round of issues is proof as to why this has to happen.  Backporting to the
> > firefox 1.0 branch is nearly impossible given the drastic changes between
> > versions.
> > 
> > Right now we're furiously working on backporting patches for the most
> > critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> > with your request.  He's currently heading up a small group of various
> > distributors trying to get all this work done.
> > 
> 
> You are backporting patches then for the most critical issues for Mozilla
> suite 1.7.13 only, Josh?  Or also for Firefox-1.0.8?

We're working on just the critical issues.  The codebase for suite 1.7.13
and Firefox 1.0.8 are nearly the same.  Patches for one should apply to the
other.

-- 
    JB



From smooge at gmail.com  Mon Jun 12 02:44:50 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Sun, 11 Jun 2006 20:44:50 -0600
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <200606100425.k5A4POWc004151@devserv.devel.redhat.com>
References: <448A0401.4000403@gtw.net>
	<200606100425.k5A4POWc004151@devserv.devel.redhat.com>
Message-ID: <80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>

On 6/9/06, Josh Bressers <bressers at redhat.com> wrote:
> > >
> > >
> > > This is true.  We're going with seamonkey in RHEL.  I think this current
> > > round of issues is proof as to why this has to happen.  Backporting to the
> > > firefox 1.0 branch is nearly impossible given the drastic changes between
> > > versions.
> > >
> > > Right now we're furiously working on backporting patches for the most
> > > critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> > > with your request.  He's currently heading up a small group of various
> > > distributors trying to get all this work done.
> > >
> >
> > You are backporting patches then for the most critical issues for Mozilla
> > suite 1.7.13 only, Josh?  Or also for Firefox-1.0.8?
>
> We're working on just the critical issues.  The codebase for suite 1.7.13
> and Firefox 1.0.8 are nearly the same.  Patches for one should apply to the
> other.
>

Ok this seems more confusing. The RHEL-3 U8 beta is supposed to move
to seamonkey which is 1.8.x based. It would seem that if were the
case.. it would be better to move everyone to the 1.8.x base
(RHEL-4/FC-x).. or maybe I am just not understanding everything that
is happening.



-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



From bressers at redhat.com  Mon Jun 12 10:43:22 2006
From: bressers at redhat.com (Josh Bressers)
Date: Mon, 12 Jun 2006 06:43:22 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: Your message of "Sun, 11 Jun 2006 20:44:50 MDT."
	<80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>
Message-ID: <200606121043.k5CAhMMN018385@devserv.devel.redhat.com>

> On 6/9/06, Josh Bressers <bressers at redhat.com> wrote:
> > > >
> > > >
> > > > This is true.  We're going with seamonkey in RHEL.  I think this current
> > > > round of issues is proof as to why this has to happen.  Backporting to the
> > > > firefox 1.0 branch is nearly impossible given the drastic changes between
> > > > versions.
> > > >
> > > > Right now we're furiously working on backporting patches for the most
> > > > critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
> > > > with your request.  He's currently heading up a small group of various
> > > > distributors trying to get all this work done.
> > > >
> > >
> > > You are backporting patches then for the most critical issues for Mozilla
> > > suite 1.7.13 only, Josh?  Or also for Firefox-1.0.8?
> >
> > We're working on just the critical issues.  The codebase for suite 1.7.13
> > and Firefox 1.0.8 are nearly the same.  Patches for one should apply to the
> > other.
> >
> 
> Ok this seems more confusing. The RHEL-3 U8 beta is supposed to move
> to seamonkey which is 1.8.x based. It would seem that if were the
> case.. it would be better to move everyone to the 1.8.x base
> (RHEL-4/FC-x).. or maybe I am just not understanding everything that
> is happening.

The plan is to move everything to seamonkey, but there is much testing that
needs to be done.  We're not ready yet, which is why we are backporting the
critical patches first.

-- 
    JB



From mattdm at mattdm.org  Mon Jun 12 14:57:07 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Mon, 12 Jun 2006 10:57:07 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <200606121043.k5CAhMMN018385@devserv.devel.redhat.com>
References: <80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>
	<200606121043.k5CAhMMN018385@devserv.devel.redhat.com>
Message-ID: <20060612145707.GA12537@jadzia.bu.edu>

On Mon, Jun 12, 2006 at 06:43:22AM -0400, Josh Bressers wrote:
> The plan is to move everything to seamonkey, but there is much testing that
> needs to be done.  We're not ready yet, which is why we are backporting the
> critical patches first.

But in the meantime, what about firefox in FC5, which is already 1.5.0.x?
Does the (presumably) easier fix for the current release have to wait on the
harder work for the older releases? As far as I can tell, there wasn't even
a bug entry for this, and I had to file it myself. (And it's gotten no
response at all.)

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>

C'mon, it may not be a remote root compromise, but it is highly visible and
_could_ allow remote code execution. Fedora can do better than this!


-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



From caillon at redhat.com  Mon Jun 12 17:07:43 2006
From: caillon at redhat.com (Christopher Aillon)
Date: Mon, 12 Jun 2006 13:07:43 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <20060612145707.GA12537@jadzia.bu.edu>
References: <80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>	<200606121043.k5CAhMMN018385@devserv.devel.redhat.com>
	<20060612145707.GA12537@jadzia.bu.edu>
Message-ID: <448D9F5F.1030602@redhat.com>

Matthew Miller wrote:
> On Mon, Jun 12, 2006 at 06:43:22AM -0400, Josh Bressers wrote:
>   
>> The plan is to move everything to seamonkey, but there is much testing that
>> needs to be done.  We're not ready yet, which is why we are backporting the
>> critical patches first.
>>     
>
> But in the meantime, what about firefox in FC5, which is already 1.5.0.x?
> Does the (presumably) easier fix for the current release have to wait on the
> harder work for the older releases? As far as I can tell, there wasn't even
> a bug entry for this, and I had to file it myself. (And it's gotten no
> response at all.)
>
> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
>
> C'mon, it may not be a remote root compromise, but it is highly visible and
> _could_ allow remote code execution. Fedora can do better than this!
>
>   
If someone wants to simply rev the spec, commit, and build, that's fine 
(and very welcome) as long as the Release is set to 2 for rawhide, and 
1.1.fc5 for fc5 (to keep up with my numbering scheme).  I find its best 
to not jump out of doing something you'd rather not jump back into, 
which is why I'm focusing on the backport.




From dennis at ausil.us  Mon Jun 12 17:10:31 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Mon, 12 Jun 2006 12:10:31 -0500 (CDT)
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <448D9F5F.1030602@redhat.com>
References: <80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>	<200606121043.k5CAhMMN018385@devserv.devel.redhat.com>
	<20060612145707.GA12537@jadzia.bu.edu> <448D9F5F.1030602@redhat.com>
Message-ID: <38544.68.254.239.133.1150132231.squirrel@webmail.ausil.us>

> Matthew Miller wrote:
>> On Mon, Jun 12, 2006 at 06:43:22AM -0400, Josh Bressers wrote:
>>

>>
> If someone wants to simply rev the spec, commit, and build, that's fine
> (and very welcome) as long as the Release is set to 2 for rawhide, and
> 1.1.fc5 for fc5 (to keep up with my numbering scheme).  I find its best
> to not jump out of doing something you'd rather not jump back into,
> which is why I'm focusing on the backport.

Can someone outside of redhat do that?

Dennis



From mattdm at mattdm.org  Mon Jun 12 17:11:19 2006
From: mattdm at mattdm.org (Matthew Miller)
Date: Mon, 12 Jun 2006 13:11:19 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <448D9F5F.1030602@redhat.com>
References: <80d7e4090606111944j9cb9d66j1b4613c3503ac42f@mail.gmail.com>
	<200606121043.k5CAhMMN018385@devserv.devel.redhat.com>
	<20060612145707.GA12537@jadzia.bu.edu>
	<448D9F5F.1030602@redhat.com>
Message-ID: <20060612171119.GA19358@jadzia.bu.edu>

On Mon, Jun 12, 2006 at 01:07:43PM -0400, Christopher Aillon wrote:
> If someone wants to simply rev the spec, commit, and build, that's fine 
> (and very welcome) as long as the Release is set to 2 for rawhide, and 
> 1.1.fc5 for fc5 (to keep up with my numbering scheme).  I find its best 
> to not jump out of doing something you'd rather not jump back into, 
> which is why I'm focusing on the backport.

Yeah, I certainly don't blame you -- clearly you've got a lot going on. But
for a package as important as this one, someone should get you some help. :)

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



From caillon at redhat.com  Mon Jun 12 17:21:14 2006
From: caillon at redhat.com (Christopher Aillon)
Date: Mon, 12 Jun 2006 13:21:14 -0400
Subject: [Fwd: Re: New Mozilla vulnerabilities??]
In-Reply-To: <80d7e4090606091044s53da6aa2u7ecddb831871db07@mail.gmail.com>
References: <448994D2.7000700@gtw.net>	
	<200606091708.k59H8UPD020604@devserv.devel.redhat.com>
	<80d7e4090606091044s53da6aa2u7ecddb831871db07@mail.gmail.com>
Message-ID: <448DA28A.9040403@redhat.com>

Stephen John Smoogen wrote:
> On 6/9/06, Josh Bressers <bressers at redhat.com> wrote:
>> >
>> > Matthew Miller wrote:
>> > > On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:
>> > >
>> > >>It mentions a bunch of vulnerabilities (all of which seem to affect
>> > >>Seamonkey, Thunderbird, and Firefox).  After looking at each VU#, 
>> it appears
>> > >>that none of the announcements mention the Mozilla suite.  Also, 
>> at least as
>> > >>of last night, none of them mention any CVE #'s.
>> > >
>> > >
>> > > No updates for Firefox for Fedora Core yet, either....
>> > >
>> > > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617>
>> > >
>> >
>> > I heard a rumor the other day that Red Hat Enterprise Linux may be 
>> planning
>> > to replace Mozilla with Seamonkey in their currently-maintained 
>> distros.  Am
>> > wondering if there is any truth to this rumor?  Also wondering if 
>> there is
>> > anything we in Fedora Legacy can do to help in this process of 
>> dealing with
>> > these critical Mozilla/Firefox/Seamonkey bugs?
>>
>> This is true.  We're going with seamonkey in RHEL.  I think this current
>> round of issues is proof as to why this has to happen.  Backporting 
>> to the
>> firefox 1.0 branch is nearly impossible given the drastic changes 
>> between
>> versions.
>>
>> Right now we're furiously working on backporting patches for the most
>> critical issues.  If you want to help mail Chris Aillon (caillon at redhat)
>> with your request.  He's currently heading up a small group of various
>> distributors trying to get all this work done.
>>
>
> I would say that it is not worth the effort to do that much
> backporting. I am having to deal with sites that just want to block
> old Firefox browser strings anyway at their firewalls. So my day job
> is basically going to be get 1.5.0.4{5,6,7} onto RHL-7.3 -> RHEL-4
> anyway.
>
> My {I am not much of a coder, but have to deal with the mess left over
> by them} possition would be that  getting a modularized javascript
> interpreter written, debugged, security minded than trying to back-fix
> things might be a better idea.
That would take years of effort to duplicate something that already 
exists.  SpiderMonkey (the mozilla.org JavaScript engine) is very 
security minded, and very modularized.  Download it from mozilla.org/js 
but not that while there are occasional issues in it, there aren't very 
many.  You are confusing JavaScript (the language) with DOM (an object 
model), which is where all the security holes are because it is designed 
to be a security hole if you think about it.  The point of the DOM is to 
give web sites access to things that HTML doesn't give them, and lets 
them control the browser in certain ways.  Just like you don't claim 
that C is insecure when there's a kernel vulnerability, you should be 
careful with claiming JavaScript is insecure when there is a DOM 
vulnerability.  JavaScript bindings are simply more readily available to 
websites than the native bindings, but those are also vulnerable if you 
ever install extensions which make use of them (such as enigmail).



From bressers at redhat.com  Tue Jun 13 00:43:23 2006
From: bressers at redhat.com (Josh Bressers)
Date: Mon, 12 Jun 2006 20:43:23 -0400
Subject: Public Announcment for Fedora Extras
In-Reply-To: Your message of "Fri, 19 May 2006 17:18:31 EDT."
	<20060519211831.GD6480@tomservo.boston.redhat.com>
Message-ID: <200606130043.k5D0hNPr031565@devserv.devel.redhat.com>

> 
> > We put a file in our cvs repository that looks a bit like this
> > 
> > 2006-001
> > 2006-002
> > 2006-003
> > <see if you can figure out what's next>
> > 
> > We then take one
> > 
> > 2006-001 some package
> > 
> > and commit the file.  It's important we remember to commit the file lest
> > someone else steal it.  It prevents concurrency issues as only one person
> > can commit at a time.
> > 
> > Ideally I think it would be best to have a directory layout as such
> > 
> > advisories/
> >     ids
> >     text/
> >         2006-001
> > 
> > We could then write a script that we run with a package name.  It then
> > modifies the ids file, adds a new skeleton file in text/ then runs
> > cvs commit -m 'Create errata 2006-001'
> > 
> > Once we're happy with the errata text (multiple people can read/modify it),
> > we run another command that magically mails it to the list in question, and
> > makes a note in the ids file that it's been "pushed" along with the date.
> > This would allow us to work on advisories before the packages are ready.
> > 
> > We could also then generate a sort of advisory index page for the project
> > so when we find some web space somewhere, publishing our advisories is
> > trivial.
> > 
> > If we ensure we note the bugs fixed in our errata it will also be possible
> > to close the bugs automagically via our script.
> 
> The current update system already automatically generates and sends
> advisory text, as well as automatic bug commenting/closing.
> 
> > Thoughts?
> 
> Seeing as how getting the update system out from under it's rock is
> getting to be a pretty large priority, I'd hate to have us duplicate
> this functionality for Extras/Legacy/Core.

I had a short chat with Luke about this yesterday.  An update system is
still a few months out.  Unless someone complains, I'm going to create a
simple script based system similar to what I describe above.  I think we've
drug our feet long enough.

If anyone has any thoughts or complaints, let me know.

-- 
    JB



From bugzilla at redhat.com  Wed Jun 14 13:25:35 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Jun 2006 09:25:35 -0400
Subject: [Bug 192983] CVE-2006-2575 Remote termination security issue
In-Reply-To: <bug-192983-199382@bugzilla.redhat.com>
Message-ID: <200606141325.k5EDPZTA023296@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2575 Remote termination security issue


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192983


hugo at devin.com.br changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4




------- Additional Comments From hugo at devin.com.br  2006-06-14 09:17 EST -------
Package fixed. Closing. Thanks!

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Wed Jun 14 13:26:41 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Jun 2006 09:26:41 -0400
Subject: [Bug 192990] CVE-2005-2295 - netpanzer server remote DOS
In-Reply-To: <bug-192990-199382@bugzilla.redhat.com>
Message-ID: <200606141326.k5EDQf34023380@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2005-2295 - netpanzer server remote DOS


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192990


hugo at devin.com.br changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.8-4




------- Additional Comments From hugo at devin.com.br  2006-06-14 09:18 EST -------
Package fixed. Closing. Thanks!

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Wed Jun 14 13:56:22 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 14 Jun 2006 09:56:22 -0400
Subject: [Bug 195019] New: CVE-2006-2197 wv2 integer overflow
Message-ID: <bug-195019-199382@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195019

           Summary: CVE-2006-2197 wv2 integer overflow
           Product: Fedora Extras
           Version: fc5
          Platform: All
               URL: http://bugs.gentoo.org/show_bug.cgi?id=136759
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: wv2
        AssignedTo: andreas.bierfert at lowlatency.de
        ReportedBy: bressers at redhat.com
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-
                    list at redhat.com


wv2 version 0.2.3 has been recently released that fixes an integer overflow bug.
 The patch can be found here:

http://wvware.cvs.sourceforge.net/wvware/wv2/src/word_helper.h?r1=1.17&r2=1.18

This issue should also affect wv2 in FC4.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From deisenst at gtw.net  Wed Jun 14 16:18:52 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Wed, 14 Jun 2006 11:18:52 -0500
Subject: FYI- Re: FWD: Re: New Mozilla vulnerabilities??
In-Reply-To: <448E291B.4090108@gtw.net>
References: <200606121817.k5CIHEfw032727@devserv.devel.redhat.com>	<44297.68.254.239.133.1150138452.squirrel@webmail.ausil.us>
	<448E291B.4090108@gtw.net>
Message-ID: <449036EC.1090509@gtw.net>

David Eisenstein wrote:
> Dennis Gilmore wrote:
> 
>>>The Firefox maintainer, Chris Aillon asked me to forward this along to
>>>this
>>>list.  He's swamped right now trying to get the fixes for the various
>>>Mozilla security issues backported.  He's looking for anyone willing to
>>>help roll new Firefox packages for FC5 and rawhide.
>>>
>>>Thanks.
>>>
>>
>>Work is underway  I have test builds compiling now
>>
>>Dennis

Since Bugzilla barfed yesterday, this bug has been re-entered as Bug #195241:

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195241>.  -David



From bugzilla at redhat.com  Sun Jun 18 08:07:12 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 18 Jun 2006 04:07:12 -0400
Subject: [Bug 195019] CVE-2006-2197 wv2 integer overflow
In-Reply-To: <bug-195019-199382@bugzilla.redhat.com>
Message-ID: <200606180807.k5I87Ci0017870@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2197 wv2 integer overflow


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195019


andreas.bierfert at lowlatency.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED




-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Sun Jun 18 08:56:56 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 18 Jun 2006 04:56:56 -0400
Subject: [Bug 195019] CVE-2006-2197 wv2 integer overflow
In-Reply-To: <bug-195019-199382@bugzilla.redhat.com>
Message-ID: <200606180856.k5I8uug1004959@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2197 wv2 integer overflow


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195019


andreas.bierfert at lowlatency.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE




------- Additional Comments From andreas.bierfert at lowlatency.de  2006-06-18 04:48 EST -------
pushed for (FE4,FE5,devel)... thx for the bug...

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From tdbtdb at gmail.com  Tue Jun 20 04:25:06 2006
From: tdbtdb at gmail.com (David Burns)
Date: Mon, 19 Jun 2006 18:25:06 -1000
Subject: controlling "background services", closing ports
Message-ID: <943be0b10606192125r3e0e9564gbadfc27488fefc51@mail.gmail.com>

I recently installed fedora core 5 on  two systems.

Is the system/administration/services GUI thing discussed in the
documentation somewhere? (I can't seem to find anything except selinux.) I'd
like to know a bit more about what the consequences of turning off some
services might be. There is a terse description available in the tool, but
it doesn't make it clear what will happen if I turn 'em off. For instance, I
don't really know whether I need to "Listen and dispatch ACPI events from
the kernel. (acpid)" Hate to just turn them all off & see what breaks.

Also, I'm running nmap and lsof to try to figure out my open ports so I can
close those I don't need and tell the firewall about the ones I do need.


*nmap -sT -O mysystem ; *
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-19 17:06 HST
Interesting ports on lin...
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
587/tcp  open  submission
603/tcp  open  mnotes            ??? What are these? How would I find out?
841/tcp  open  unknown          ???
868/tcp  open  unknown          ???
2049/tcp open  nfs
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux
2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10

Nmap finished: 1 IP address (1 host up) scanned in 2.290 seconds

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-06-19 17:06 HST
Interesting ports on ... <http://ao.soest.hawaii.edu/>:
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
640/tcp  open  unknown    ?
666/tcp  open  doom                *****???????????????!!!!*********** I did
not knowingly turn this on, don't know what service it is associated with.
773/tcp  open  submit
2049/tcp open  nfs
MAC Address: ... (Dell Computer)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.7 - 2.6.11

Nmap finished: 1 IP address (1 host up) scanned in 2.670 seconds

lsof|grep LISTEN
portmap   1720       rpc    4u     IPv4       5412                 TCP
*:sunrpc (LISTEN)
rpc.statd 1739   rpcuser    7u     IPv4       5522                 TCP
*:36911 (LISTEN)
ypbind    1864      root    5u     IPv4       5771                 TCP
*:submit (LISTEN)
sshd      2114      root    3u     IPv6       6199                 TCP *:ssh
(LISTEN)
rpc.rquot 2131      root    4u     IPv4       6281                 TCP
*:entrust-sps (LISTEN)
rpc.mount 2165      root    7u     IPv4       6378                 TCP
*:mdqs (LISTEN)


There's some info in /etc/services, but not enough for me to "get it."

I hope this is the right forum for these questions. Thanks in advance for
any answers!
TDB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-security-list/attachments/20060619/aec9463a/attachment.htm>

From bressers at redhat.com  Tue Jun 20 11:09:33 2006
From: bressers at redhat.com (Josh Bressers)
Date: Tue, 20 Jun 2006 07:09:33 -0400
Subject: controlling "background services", closing ports
In-Reply-To: Your message of "Mon, 19 Jun 2006 18:25:06 -1000."
	<943be0b10606192125r3e0e9564gbadfc27488fefc51@mail.gmail.com>
Message-ID: <200606201109.k5KB9X8w005172@devserv.devel.redhat.com>

> 
> I recently installed fedora core 5 on  two systems.
> 
> Is the system/administration/services GUI thing discussed in the
> documentation somewhere? (I can't seem to find anything except selinux.) I'd
> like to know a bit more about what the consequences of turning off some
> services might be. There is a terse description available in the tool, but
> it doesn't make it clear what will happen if I turn 'em off. For instance, I
> don't really know whether I need to "Listen and dispatch ACPI events from
> the kernel. (acpid)" Hate to just turn them all off & see what breaks.
> 
> Also, I'm running nmap and lsof to try to figure out my open ports so I can
> close those I don't need and tell the firewall about the ones I do need.
> 
> <...>
> 
> I hope this is the right forum for these questions. Thanks in advance for
> any answers!
> TDB

Hi David,

This list is for the discussion of fedora security issues, such as security
bugs.

If you're looking for help configuring your firewall there are several ways
to find community support detailed here:

http://fedora.redhat.com/participate/communicate/

Thanks and good luck,
-- 
Josh Bressers



From bugzilla at redhat.com  Fri Jun 23 06:20:41 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 23 Jun 2006 02:20:41 -0400
Subject: [Bug 194511] CVE-2006-2894 arbitrary file read vulnerability
In-Reply-To: <bug-194511-199382@bugzilla.redhat.com>
Message-ID: <200606230620.k5N6Kfwf029037@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2894 arbitrary file read vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194511


ville.skytta at iki.fi changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fedora-security-
                   |                            |list at redhat.com




-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From abc.bhaskar at gmail.com  Fri Jun 23 07:14:42 2006
From: abc.bhaskar at gmail.com (Bhaskar)
Date: Fri, 23 Jun 2006 12:44:42 +0530
Subject: Implementing Security Policies
Message-ID: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>

Dear All,

I am trying to implement some security policies like password, login, etc.

On googling regarding the security policies, I found them implemented
through SELinux and PAM modules.

Can any one provide a pointer to the exact starting point for implementing
the security policies.

Regards,
Bhaskar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-security-list/attachments/20060623/45ff0a03/attachment.htm>

From smooge at gmail.com  Fri Jun 23 13:33:56 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 23 Jun 2006 07:33:56 -0600
Subject: Implementing Security Policies
In-Reply-To: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
References: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
Message-ID: <80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>

On 6/23/06, Bhaskar <abc.bhaskar at gmail.com> wrote:
> Dear All,
>
>  I am trying to implement some security policies like password, login, etc.
>

I think we need a bit more information on what you are meaning by
security policies.. (a very large boat). Are you wanting to limit the
amount of time a person is logged in, how hard his password must be?
etc? Or something completely different


There are a lot of starting points, but a little more information is
needed to make sure you are getting the correct path

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



From abc.bhaskar at gmail.com  Fri Jun 23 14:09:48 2006
From: abc.bhaskar at gmail.com (Bhaskar)
Date: Fri, 23 Jun 2006 19:39:48 +0530
Subject: Implementing Security Policies
In-Reply-To: <80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>
References: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
	<80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>
Message-ID: <f63322490606230709q52f2cc00o908dca7e621a1bf1@mail.gmail.com>

Dear Stephen,

Thanks for responding.

My security policies include something as below:

setting minimum password length.
setting number of retry attempts for the password.
setting password history, etc.

In FC3, I tried by changing MIN_PASS_LEN=5 in /etc/login.defs files and also
included minlen=5 parameter in /etc/pam.d/system-auth file.

Kindly suggest whether I am proceeding in the correct direction or not.

Regards,
Bhaskar.

On 6/23/06, Stephen John Smoogen <smooge at gmail.com> wrote:
>
> On 6/23/06, Bhaskar <abc.bhaskar at gmail.com> wrote:
> > Dear All,
> >
> >  I am trying to implement some security policies like password, login,
> etc.
> >
>
> I think we need a bit more information on what you are meaning by
> security policies.. (a very large boat). Are you wanting to limit the
> amount of time a person is logged in, how hard his password must be?
> etc? Or something completely different
>
>
> There are a lot of starting points, but a little more information is
> needed to make sure you are getting the correct path
>
> --
> Stephen J Smoogen.
> CSIRT/Linux System Administrator
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-security-list/attachments/20060623/3de6b2f6/attachment.htm>

From smooge at gmail.com  Fri Jun 23 15:28:13 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 23 Jun 2006 09:28:13 -0600
Subject: Implementing Security Policies
In-Reply-To: <f63322490606230709q52f2cc00o908dca7e621a1bf1@mail.gmail.com>
References: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
	<80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>
	<f63322490606230709q52f2cc00o908dca7e621a1bf1@mail.gmail.com>
Message-ID: <80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com>

n 6/23/06, Bhaskar <abc.bhaskar at gmail.com> wrote:
> Dear Stephen,
>
>  Thanks for responding.
>
>  My security policies include something as below:
>
>  setting minimum password length.
>  setting number of retry attempts for the password.
>  setting password history, etc.
>
>  In FC3, I tried by changing MIN_PASS_LEN=5 in /etc/login.defs files and
> also included minlen=5 parameter in /etc/pam.d/system-auth file.
>

THat is correct. You will also need to run through /etc/shadow and
make sure that any account with passwords has the correct values in
them also.

Password history you will need to use the pam_passwdqc moduel in pam.

Most security policies will ask for a minimum length of 7 characters
(though 8 is preferred), and a change time of 90 days.

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



From abc.bhaskar at gmail.com  Fri Jun 23 16:27:21 2006
From: abc.bhaskar at gmail.com (Bhaskar)
Date: Fri, 23 Jun 2006 21:57:21 +0530
Subject: Implementing Security Policies
In-Reply-To: <80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com>
References: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
	<80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>
	<f63322490606230709q52f2cc00o908dca7e621a1bf1@mail.gmail.com>
	<80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com>
Message-ID: <f63322490606230927x5074c13gba520b59c6a77e76@mail.gmail.com>

>
>
> THat is correct. You will also need to run through /etc/shadow and
> make sure that any account with passwords has the correct values in
> them also.



What do you exactly mean by running through /etc/shadow.


Password history you will need to use the pam_passwdqc moduel in pam.
>
> Most security policies will ask for a minimum length of 7 characters
> (though 8 is preferred), and a change time of 90 days.



As I mentioned, I changed /etc/pam.d/system-auth file and /etc/login.defs
file(Made minimum password length as 9), but it is not reflecting when the
user issues passwd command.


I will do some home work here and get back to you on Monday.


--
> Stephen J Smoogen.
> CSIRT/Linux System Administrator
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-security-list/attachments/20060623/e79f9025/attachment.htm>

From smooge at gmail.com  Fri Jun 23 16:44:26 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 23 Jun 2006 10:44:26 -0600
Subject: Implementing Security Policies
In-Reply-To: <f63322490606230927x5074c13gba520b59c6a77e76@mail.gmail.com>
References: <f63322490606230014o3dd0644r726b45fd6cee2dd6@mail.gmail.com>
	<80d7e4090606230633m202230b6u1f642a1025648439@mail.gmail.com>
	<f63322490606230709q52f2cc00o908dca7e621a1bf1@mail.gmail.com>
	<80d7e4090606230828t5ff12513i93aab05959b4166e@mail.gmail.com>
	<f63322490606230927x5074c13gba520b59c6a77e76@mail.gmail.com>
Message-ID: <80d7e4090606230944k47643f16l3b1883f33497c1ba@mail.gmail.com>

On 6/23/06, Bhaskar <abc.bhaskar at gmail.com> wrote:
>
>
> >
> > THat is correct. You will also need to run through /etc/shadow and
> > make sure that any account with passwords has the correct values in
> > them also.
>
>
>  What do you exactly mean by running through /etc/shadow.
>

After you have gotten approval for a policy (or had a policy laid out)
you would go through existing accounts and retrochange their ages.

for acct in `awk -F: '{print $1}'`; do
  chage -m 5 -M 90 ${acct}
done

And then force everyone who already has an account to change their
passwords at next setting.


>
> > Password history you will need to use the pam_passwdqc moduel in pam.
> >
> > Most security policies will ask for a minimum length of 7 characters
> > (though 8 is preferred), and a change time of 90 days.
>
>
>
>  As I mentioned, I changed /etc/pam.d/system-auth file and /etc/login.defs
> file(Made minimum password length as 9), but it is not reflecting when the
> user issues passwd command.
>

That I didn't see before in your message.

>
>  I will do some home work here and get back to you on Monday.
>



-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator



From bugzilla at redhat.com  Thu Jun 29 09:57:15 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Jun 2006 05:57:15 -0400
Subject: [Bug 193809] CVE-2006-2769 Snort URIContent Rules Detection Evasion
	Vulnerability
In-Reply-To: <bug-193809-199382@bugzilla.redhat.com>
Message-ID: <200606290957.k5T9vFRK011734@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809





------- Additional Comments From ville.skytta at iki.fi  2006-06-29 05:48 EST -------
Ping, status update?

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun 29 11:43:11 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Jun 2006 07:43:11 -0400
Subject: [Bug 193809] CVE-2006-2769 Snort URIContent Rules Detection Evasion
	Vulnerability
In-Reply-To: <bug-193809-199382@bugzilla.redhat.com>
Message-ID: <200606291143.k5TBhBPl017794@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193809


dennis at ausil.us changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |2.6.0-1




------- Additional Comments From dennis at ausil.us  2006-06-29 07:34 EST -------
I was looking at thins last night.  I have updated to 2.6.0  since and 
according to snort.org its fixed there

Sourcefire is aware of a possible Snort evasion that exists in the 
http_inspect preprocessor. This evasion case only applies to protected Apache 
web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will 
have fully tested releases, including binaries, available for both on Monday, 
June 5th.
 
 
 Evasion Details:
 
 The Apache web server supports special characters in HTTP requests that do 
not affect the processing of the particular request. The current target-based 
profiles for Apache in the http_inspect preprocessor do not properly handle 
these requests, resulting in the possibility that an attacker can bypass 
detection of rules that use the "uricontent" keyword by embedding special 
characters in a HTTP request.
 
 
 Background Information:
 
 It is important to note that this is an evasion and not a vulnerability. This 
means that while it is possible for an attacker to bypass detection, Snort 
sensors and the networks they protect are not at a heightened risk of other 
attacks.
 
 
 Timeline:
 
 Sourcefire has prepared fixes and is currently finalizing a complete round of 
testing to ensure that the fixes not only solve the issue at hand but do not 
create new bugs as well. The following releases, including binaries for Linux 
and Windows deployments, will be available on Monday, June 5th:
 
 * Snort v2.4.5
 * Snort v2.6.0 final
 
 
 Questions:
 
 Any questions regarding these releases can be sent to 
snort-team at sourcefire.com.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun 29 12:58:58 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Jun 2006 08:58:58 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To: <bug-192830-199382@bugzilla.redhat.com>
Message-ID: <200606291258.k5TCwwZm021653@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830





------- Additional Comments From ville.skytta at iki.fi  2006-06-29 08:50 EST -------
Hans, this is still marked as VULNERABLE in audit/fe5.  Could you update the
status in it as appropriate?

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun 29 13:05:00 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Jun 2006 09:05:00 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To: <bug-192830-199382@bugzilla.redhat.com>
Message-ID: <200606291305.k5TD50gt022059@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830





------- Additional Comments From j.w.r.degoede at hhs.nl  2006-06-29 08:56 EST -------
I cannot do that because I don't have the rights todo that I'm not a Security
Response team member (by choice).


-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bugzilla at redhat.com  Thu Jun 29 13:09:12 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Jun 2006 09:09:12 -0400
Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws
In-Reply-To: <bug-192830-199382@bugzilla.redhat.com>
Message-ID: <200606291309.k5TD9CaY022234@bugzilla.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-2453 Additional dia format string flaws


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830





------- Additional Comments From ville.skytta at iki.fi  2006-06-29 09:00 EST -------
Oops, sorry, memory didn't serve me well.  I'll take care of it.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



From bressers at redhat.com  Thu Jun 29 21:15:11 2006
From: bressers at redhat.com (Josh Bressers)
Date: Thu, 29 Jun 2006 17:15:11 -0400
Subject: Extras errata
Message-ID: <200606292115.k5TLFBbo005317@devserv.devel.redhat.com>

Hi everyone,

I finally checked in an extras errata generation system.  It's rather
trivial.  I've been sitting on this for a few weeks and just haven't had
time to clean it up enough to commit it.

The bits are here:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/extras-errata/?root=fedora

If you have the fedora-security CVS repository checked out you should just
have to do a cvs up to get it.

The readme file has some details on how things work.  In a nutshell you
just have to run the errata-gen command, which places an advisory into the
errata directory for you.  Then just edit away.

Now we have to think about how editing should be handled.  I'm thinking at
least one other team member should approve an errata before it gets mailed.

Thoughts?

-- 
    JB



From deisenst at gtw.net  Fri Jun 30 03:54:37 2006
From: deisenst at gtw.net (David Eisenstein)
Date: Thu, 29 Jun 2006 22:54:37 -0500
Subject: Extras errata
References: <200606292115.k5TLFBbo005317@devserv.devel.redhat.com>
Message-ID: <019501c69bf9$18f35500$6401a8c0@vdavide>

So is this errata system also available for folks in Legacy to work with as well?

Thanks!

    Warm regards,

    David Eisenstein


----- Original Message ----- 
From: "Josh Bressers" <bressers at redhat.com>
To: <fedora-security-list at redhat.com>
Sent: Thursday, June 29, 2006 4:15 PM
Subject: Extras errata


> Hi everyone,
> 
> I finally checked in an extras errata generation system.  It's rather
> trivial.  I've been sitting on this for a few weeks and just haven't had
> time to clean it up enough to commit it.
> 
> The bits are here:
> http://cvs.fedora.redhat.com/viewcvs/fedora-security/extras-errata/?root=fedora
> 
> If you have the fedora-security CVS repository checked out you should just
> have to do a cvs up to get it.
> 
> The readme file has some details on how things work.  In a nutshell you
> just have to run the errata-gen command, which places an advisory into the
> errata directory for you.  Then just edit away.
> 
> Now we have to think about how editing should be handled.  I'm thinking at
> least one other team member should approve an errata before it gets mailed.
> 
> Thoughts?
> 
> -- 
>     JB
> 
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
>



From bressers at redhat.com  Fri Jun 30 10:46:41 2006
From: bressers at redhat.com (Josh Bressers)
Date: Fri, 30 Jun 2006 06:46:41 -0400
Subject: Extras errata
In-Reply-To: Your message of "Thu, 29 Jun 2006 22:54:37 CDT."
	<019501c69bf9$18f35500$6401a8c0@vdavide>
Message-ID: <200606301046.k5UAkfWW027078@devserv.devel.redhat.com>

> So is this errata system also available for folks in Legacy to work with as well?

If you want it to be I don't see why not.  The source uses FEDORA-EXTRAS as
part of the unique identifier, that would have to be modified to support
more than one distribution.

Keep in mind that this is meant to be a band aid until a fancier update
system is available (which is being worked on, but has no expected date
yet).

Let me know if you need any help with anything.  The source is rather
short, you shouldn't have much trouble understanding it (It's all shell).

-- 
    JB