From bugzilla at redhat.com Thu Nov 2 17:41:06 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 2 Nov 2006 12:41:06 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
In-Reply-To:
Message-ID: <200611021741.kA2Hf6ek009522@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From kengert at redhat.com 2006-11-02 12:40 EST -------
David, thanks for your explanation.

I fear the task to provide mozilla -> seamonkey replacement packages is not a priority for me. I propose you file a separate bug for that task, which might be everything from a little to a lot of work to get it right.

At this time my offer is limited to help getting the separate seamonkey FC4 package as is updated to 1.0.5.

I learn that you use your own build environment, and that you can use a .src.rpm as an input.

I have produced such a source rpm and uploaded it to:
http://kuix.de/misc/seamonkey-1.0.5-0.4.fc4.src.rpm
(Please allow 20 minutes after this post for my upload to complete)

35940238 bytes
sha1sum: f0f5ef5cd6b70504acd8124bef605443fa5792e0

In the hope this works and helps you to produce a binary update package for seamonkey fc4.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Fri Nov 3 14:44:19 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 3 Nov 2006 09:44:19 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
In-Reply-To:
Message-ID: <200611031444.kA3EiJsW004580@bugzilla.redhat.com>
Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From michal at harddata.com 2006-11-03 09:44 EST -------
I peeked into a spec of http://kuix.de/misc/seamonkey-1.0.5-0.4.fc4.src.rpm from comment $5. It does not look to me that what this produces will work as a replacement and a security update of mozilla. Results could be installed side-by-side with an old mozilla, extras style, and do not provide 'mozilla' named binary. This leaves all problems open as it is not possible on FC4 and earlier to delete 'mozilla' without doing the same with a number of other packages. Did I miss something in that spec?

A package given in http://www.redhat.com/archives/fedora-legacy-list/2006-September/msg00019.html may need improvements but it does not suffer from the affliction above.

It is true that replacing 'mozilla' requires new versions/recompilation of other things (yelp for sure, thunderbird I think, maybe more) but they use at least mozilla provided libraries and if there are security holes there then these old versions are affected in the same way.

From bugzilla at redhat.com Fri Nov 3 14:52:56 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 3 Nov 2006 09:52:56 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
In-Reply-To:
Message-ID: <200611031452.kA3EquB0005402@bugzilla.redhat.com>
Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From kengert at redhat.com 2006-11-03 09:52 EST -------
You did not miss something. I was NOT attempting to update or replace mozilla.

All this does is: provide an update to seamonkey package 1.0.4, currently available in fedora extras.

From bugzilla at redhat.com Fri Nov 3 16:56:22 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 3 Nov 2006 11:56:22 -0500
Subject: [Bug 209167] seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
In-Reply-To:
Message-ID: <200611031656.kA3GuMNb017382@bugzilla.redhat.com>

Summary: seamonkey < 1.0.5 multiple vulnerabilities; to replace Mozilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167

------- Additional Comments From michal at harddata.com 2006-11-03 11:56 EST -------
OK, thanks, but an update to a seamonkey package from extras is, frankly, trivial and solves zilch in installation security issues.

Yes, I realize that bug 195318 is still sitting there as NEW but it is hard for Legacy to worry about FC5.

From bugzilla at redhat.com Sat Nov 4 09:36:06 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 4 Nov 2006 04:36:06 -0500
Subject: [Bug 213985] New: CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
Message-ID:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213985

           Summary: CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: wordpress
        AssignedTo: jwb at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5705

"Directory traversal vulnerability in plugins/wp-db-backup.php in WordPress before 2.0.5 allows remote attackers to read arbitrary files via directory traversal sequences in unspecified parameters related to the backup of fragment files."

Based on the version number, all FE releases are affected.

From bugzilla at redhat.com Mon Nov 6 13:39:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Nov 2006 08:39:57 -0500
Subject: [Bug 201688] Clam AntiVirus Win32-UPX Heap Overflow
In-Reply-To:
Message-ID: <200611061339.kA6DdvbB011041@bugzilla.redhat.com>

Summary: Clam AntiVirus Win32-UPX Heap Overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201688

dnehring at gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |0.88.5-1

From bugzilla at redhat.com Wed Nov 8 20:39:07 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Nov 2006 15:39:07 -0500
Subject: [Bug 214676] New: CVE-2006-480[6-9] imlib2 multiple vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214676

           Summary: CVE-2006-480[6-9] imlib2 multiple vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: imlib2
        AssignedTo: j.w.r.degoede at hhs.nl
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Multiple vulnerabilities in imlib2:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4809

Some of the reports mention "before 1.2.1", but at least some of the issues seem to be present in 1.2.2 and 1.3.0 too.

FreeBSD's patches (apparently originally from Ubuntu) for these issues are available at http://www.freebsd.org/cgi/cvsweb.cgi/ports/graphics/imlib2/files/

From bugzilla at redhat.com Wed Nov 8 20:42:24 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Nov 2006 15:42:24 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611082042.kA8KgOGE006255@bugzilla.redhat.com>
Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

------- Additional Comments From ville.skytta at iki.fi 2006-11-08 15:42 EST -------
ping

From bugzilla at redhat.com Wed Nov 8 22:30:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 8 Nov 2006 17:30:57 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611082230.kA8MUvbh015476@bugzilla.redhat.com>

Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

------- Additional Comments From jwb at redhat.com 2006-11-08 17:30 EST -------
Sorry, haven't had time to look at this with my travel schedule. I'll try to get it taken care of soon.

From bugzilla at redhat.com Thu Nov 9 10:33:44 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 05:33:44 -0500
Subject: [Bug 214676] CVE-2006-480[6-9] imlib2 multiple vulnerabilities
In-Reply-To:
Message-ID: <200611091033.kA9AXiAg020513@bugzilla.redhat.com>
Summary: CVE-2006-480[6-9] imlib2 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214676

j.w.r.degoede at hhs.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From j.w.r.degoede at hhs.nl 2006-11-09 05:33 EST -------
Thanks for reporting this. I've pushed imlib2 updates for FC-3 - FC-6 and devel and I'll start writing an advisory right away.

From fedora at leemhuis.info Thu Nov 9 11:34:05 2006
From: fedora at leemhuis.info (Thorsten Leemhuis)
Date: Thu, 09 Nov 2006 12:34:05 +0100
Subject: Disturbing lack of FE security updates announcements!
In-Reply-To: <45530A78.7040908@hhs.nl>
References: <45530A78.7040908@hhs.nl>
Message-ID: <4553122D.7020604@leemhuis.info>

https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html

Hans de Goede wrote:
> This morning I've been working on fixing several security flaws in imlib2.
> When I was done with fixing and building these, I started writing a
> security update notification mail to send to fedora-package-announce at redhat.com
> in the usual format for updates sent to this list.
> [...]
> FESco, can you please mandate sending a mail to fedora-package-announce at redhat.com for
> security related updates?

I agree with the idea. Hans, can you or maybe someone else (from the Security SIG, sorry, Response Team?) work out a proposal and integrate it into
http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements
(that will be later moved to http://www.fedoraproject.org/wiki/Extras/Policy )

In an ideal world it would look a bit like
http://www.fedoraproject.org/wiki/Extras/Policy/WhoIsAllowedToModifyWhichPackages
e.g.
a *short* section in the beginning that allows new contributors to get an idea of our processes and rules without wasting too much time reading details. Then a more detailed section which describes the thing (Why? How?) in detail.

thx

CU
thl

From bugzilla at redhat.com Thu Nov 9 16:50:41 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 11:50:41 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611091650.kA9GofWr021511@bugzilla.redhat.com>

Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

------- Additional Comments From ville.skytta at iki.fi 2006-11-09 11:50 EST -------
Hm, I see devel was updated to 2.22.1. But FC-5 and FC-6 were patched with a patch that is the complete diff between 2.22 and 2.22.1 except for some CVS cruft in the tarball and a PDF doc - yet they're labeled as 2.22. Was that on purpose?

From bugzilla at redhat.com Thu Nov 9 17:10:10 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 12:10:10 -0500
Subject: [Bug 214820] New: CVE-2006-5815: proftpd unspecified vulnerability
Message-ID:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

           Summary: CVE-2006-5815: proftpd unspecified vulnerability
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: proftpd
        AssignedTo: matthias at rpmforge.net
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5815

Very little information available at the moment.

From bugzilla at redhat.com Thu Nov 9 17:14:34 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 12:14:34 -0500
Subject: [Bug 214822] New: seamonkey < 1.0.6 multiple vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214822

           Summary: seamonkey < 1.0.6 multiple vulnerabilities
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: seamonkey
        AssignedTo: kengert at redhat.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5747
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5748

From bugzilla at redhat.com Thu Nov 9 17:40:22 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 12:40:22 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611091740.kA9HeMBw028367@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From matthias at rpmforge.net 2006-11-09 12:40 EST -------
Indeed... please keep me posted if you manage to get more information.

From bugzilla at redhat.com Thu Nov 9 18:37:16 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 13:37:16 -0500
Subject: [Bug 214822] seamonkey < 1.0.6 multiple vulnerabilities
In-Reply-To:
Message-ID: <200611091837.kA9IbGtc002241@bugzilla.redhat.com>

Summary: seamonkey < 1.0.6 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214822

kengert at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

From bugzilla at redhat.com Fri Nov 10 00:57:19 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 19:57:19 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611100057.kAA0vJus004838@bugzilla.redhat.com>

Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

------- Additional Comments From jwb at redhat.com 2006-11-09 19:57 EST -------
Yes. I'm trying to follow the RHEL example of keeping versions the same and backporting patches for any distros already released. FE-4 is also about to get the same treatment as 5 and 6.

From bugzilla at redhat.com Fri Nov 10 01:09:17 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Nov 2006 20:09:17 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611100109.kAA19HAg005480@bugzilla.redhat.com>

Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

jwb at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE

From bugzilla at redhat.com Fri Nov 10 06:51:52 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Nov 2006 01:51:52 -0500
Subject: [Bug 212355] CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
In-Reply-To:
Message-ID: <200611100651.kAA6pqsK020528@bugzilla.redhat.com>

Summary: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 bugzilla vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212355

------- Additional Comments From ville.skytta at iki.fi 2006-11-10 01:51 EST -------
Yes, I understand that part of the intention. But the patch contains *everything* between 2.22 and 2.22.1, not just a subset of selected fixes, eg. security ones. So, the patched version is actually 2.22.1, but its Version tag says 2.22 - the same effect would have been achieved by using the upstream 2.22.1 tarball and labeling it as 2.22.

From bugzilla at redhat.com Fri Nov 10 11:59:24 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Nov 2006 06:59:24 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611101159.kAABxOJT006149@bugzilla.redhat.com>
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

lkundrak at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://elegerov.blogspot.com
                   |                            |/
                 CC|                            |lkundrak at redhat.com

------- Additional Comments From lkundrak at redhat.com 2006-11-10 06:59 EST -------
Gentoo person suggested, that this might be related to this. Though I didn't give it a look... But it seems unlikely to me, because this looks like related to a configuration file parsing bug.

http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
http://bugs.gentoo.org/show_bug.cgi?id=152473

I'm puzzled at all... did Evgeny report it in silence or not at all?

From bugzilla at redhat.com Fri Nov 10 12:25:58 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Nov 2006 07:25:58 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611101225.kAACPwR5007668@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From lkundrak at redhat.com 2006-11-10 07:25 EST -------
Aah, this is the line that is added:

cmd_buf_size = 512;

Buffer size limit was not set correctly in case CommandBufferSize had been specified in the config file. But it is present neither in any of sample config files from proftpd distribution nor in Fedora Core default one.

Thus I assume this is not related with the issue, or is it?

From bugzilla at redhat.com Fri Nov 10 20:22:02 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 10 Nov 2006 15:22:02 -0500
Subject: [Bug 215077] New: CVE-2006-5848: trac < 0.10.1 cross site request forgery vulnerability
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215077

           Summary: CVE-2006-5848: trac < 0.10.1 cross site request forgery vulnerability
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: high
          Priority: high
         Component: trac
        AssignedTo: fedora at soeterbroek.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5848

"Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors."

Affects all FC-3+ FE versions.

From bugzilla at redhat.com Sat Nov 11 10:46:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 11 Nov 2006 05:46:57 -0500
Subject: [Bug 215136] New: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
Message-ID:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136

           Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
           Product: Fedora Extras
           Version: fc6
          Platform: All
               URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: normal
         Component: gv
        AssignedTo: orion at cora.nwra.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864

"Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header."

From bugzilla at redhat.com Sat Nov 11 16:35:38 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 11 Nov 2006 11:35:38 -0500
Subject: [Bug 215077] CVE-2006-5848: trac < 0.10.1 cross site request forgery vulnerability
In-Reply-To:
Message-ID: <200611111635.kABGZcKC028768@bugzilla.redhat.com>
Summary: CVE-2006-5848: trac < 0.10.1 cross site request forgery vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215077

joost.soeterbroek at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From joost.soeterbroek at gmail.com 2006-11-11 11:35 EST -------
Trac package rebuild with upstream version 0.10.1

From bugzilla at redhat.com Sun Nov 12 01:17:37 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 11 Nov 2006 20:17:37 -0500
Subject: [Bug 214822] seamonkey < 1.0.6 multiple vulnerabilities
In-Reply-To:
Message-ID: <200611120117.kAC1HbJ3014282@bugzilla.redhat.com>

Summary: seamonkey < 1.0.6 multiple vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214822

kengert at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |CURRENTRELEASE
   Fixed In Version|                            |1.0.6-0.6.2.fc6

------- Additional Comments From kengert at redhat.com 2006-11-11 20:17 EST -------
fixed in Extras for FC6 and Rawhide

From bugzilla at redhat.com Sun Nov 12 09:36:38 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 12 Nov 2006 04:36:38 -0500
Subject: [Bug 212700] CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability
In-Reply-To:
Message-ID: <200611120936.kAC9ac3r014649@bugzilla.redhat.com>

Summary: CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212700

ville.skytta at iki.fi changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|normal                      |high

------- Additional Comments From ville.skytta at iki.fi 2006-11-12 04:36 EST -------
ping?

From bugzilla at redhat.com Mon Nov 13 03:44:31 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 12 Nov 2006 22:44:31 -0500
Subject: [Bug 215136] CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
In-Reply-To:
Message-ID: <200611130344.kAD3iVl4020111@bugzilla.redhat.com>

Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215136

deisenst at gtw.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |215265
              nThis|                            |

From bugzilla at redhat.com Mon Nov 13 12:26:14 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 13 Nov 2006 07:26:14 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611131226.kADCQEZc016505@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

matthias at rpmforge.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
               Flag|                            |needinfo?(ville.skytta at iki.f
                   |                            |i)

------- Additional Comments From matthias at rpmforge.net 2006-11-13 07:26 EST -------
Strange report... one seems to have to pay in order to get access to the code that supposedly triggers the exploit and the proftpd devs seem completely silent about the issue.

From bugzilla at redhat.com Mon Nov 13 16:06:30 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 13 Nov 2006 11:06:30 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611131606.kADG6U44008743@bugzilla.redhat.com>
Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED Flag|needinfo?(ville.skytta at iki.f| |i) | ------- Additional Comments From ville.skytta at iki.fi 2006-11-13 11:06 EST ------- The FrSIRT advisory has more info: http://www.frsirt.com/english/advisories/2006/4451 "ProFTPD version 1.3.0rc5 and prior" may be incorrect though as the CVS change the advisory points to was made on Oct 31 but 1.3.0 final has been packaged for half a year already. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Nov 13 16:08:38 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 11:08:38 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131608.kADG8cvc008914@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From ville.skytta at iki.fi 2006-11-13 11:08 EST ------- Oh, and the FrSIRT advisory implies that this would indeed be the same issue that Lubomir mentioned in comments 2 and 3. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
From bugzilla at redhat.com Mon Nov 13 16:27:38 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 11:27:38 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131627.kADGRchv011186@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From lkundrak at redhat.com 2006-11-13 11:27 EST ------- Do you think, that Evgeny would sell an exploit for something, that is so unlikely (if possible at all) to exploit. I guess not. Please rethink it :) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Nov 13 16:38:35 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 11:38:35 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131638.kADGcZFf012471@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From ville.skytta at iki.fi 2006-11-13 11:38 EST ------- In this case, I don't think, I report findings ;) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
From bugzilla at redhat.com Mon Nov 13 18:12:15 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 13:12:15 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131812.kADICFTR022588@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From matthias at rpmforge.net 2006-11-13 13:12 EST ------- OK, I've queued a rebuild for devel with the patch applied. After some testing, I'll backport the patch to FC5 and FC6 branches too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Nov 13 18:20:28 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 13:20:28 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131820.kADIKSAB023508@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From lkundrak at redhat.com 2006-11-13 13:20 EST ------- (In reply to comment #10) Excuse me, but how can you apply a patch and enqueue a build for devel, backport to FC5 and FC6, when we/you do not know what the issue is? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
From bugzilla at redhat.com Mon Nov 13 18:24:59 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 13 Nov 2006 13:24:59 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611131824.kADIOxb3024083@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From matthias at rpmforge.net 2006-11-13 13:24 EST ------- See the FrSIRT advisory, the section "A fix is available via CVS", which links to the change you already suggested. Since it does not say when exactly the "remote exploit" is available, it might be with non default settings, who knows (not me). -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Nov 16 09:54:07 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 16 Nov 2006 04:54:07 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611160954.kAG9s7nW025407@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From lkundrak at redhat.com 2006-11-16 04:54 EST ------- Created an attachment (id=141353) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141353&action=view) contrib/mod_tls.c buffer overflow patch Hi Matthias, I have one more patch for you :) This one is from the OpenPKG project and it fixes the mod_tls issue i mentioned in Comment #5. 
From bugzilla at redhat.com Fri Nov 17 17:31:47 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 17 Nov 2006 12:31:47 -0500
Subject: [Bug 216186] New: CVE-2006-5705
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216186

Summary: CVE-2006-5705
Product: Fedora Extras
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: wordpress
AssignedTo: jwb at redhat.com
ReportedBy: dennis at ausil.us
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Description of problem:
wordpress 2.04 has multiple security vulnerabilities; little detail is available. 2.05 is reported to be not vulnerable. Please update FC-4, FC-5, FC-6 and devel to the newer version.

From bugzilla at redhat.com Fri Nov 17 17:33:50 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 17 Nov 2006 12:33:50 -0500
Subject: [Bug 216186] CVE-2006-5705
In-Reply-To:
Message-ID: <200611171733.kAHHXotB009469@bugzilla.redhat.com>
Summary: CVE-2006-5705 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216186 dennis at ausil.us changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |DUPLICATE ------- Additional Comments From dennis at ausil.us 2006-11-17 12:33 EST ------- Closing as a dupe sorry for the noise *** This bug has been marked as a duplicate of 213985 *** -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Nov 17 17:34:12 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 17 Nov 2006 12:34:12 -0500 Subject: [Bug 213985] CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability In-Reply-To: Message-ID: <200611171734.kAHHYCaa009535@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5705: wordpress < 2.0.5 directory traversal vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213985 dennis at ausil.us changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dennis at ausil.us ------- Additional Comments From dennis at ausil.us 2006-11-17 12:34 EST ------- *** Bug 216186 has been marked as a duplicate of this bug. *** -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
From bugzilla at redhat.com Fri Nov 17 18:41:37 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 17 Nov 2006 13:41:37 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200611171841.kAHIfb39016086@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From paul at city-fan.org 2006-11-17 13:41 EST ------- Created an attachment (id=141513) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141513&action=view) Revised version of proftpd-1.3.0-cmdbufsize.patch The patch in CVS (Comment #2) appears to dereference a null pointer in the default case where the config file doesn't have a CommandBufferSize specified: > if (cmd_buf_size == -1) { > - long *buf_size = get_param_ptr(main_server->conf, > - "CommandBufferSize", FALSE); > + int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", > + FALSE); > > - if (buf_size == NULL || *buf_size <= 0) > - cmd_buf_size = 512; > + if (bufsz == NULL || > + *bufsz <= 0) { > + pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) " > + "given, resetting to default buffer size (%u)", > + *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ); > + cmd_buf_size = PR_DEFAULT_CMD_BUFSZ; In the case where bufsz is NULL, there is a reference to *bufsz when the log message is done. I found this caused a segfault immediately on connection. Attached patch handles the cases of "buf_size == NULL" and "*buf_size <= 0" separately. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
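Review bot: In the quoted hunk, the `pr_log_pri()` call reads `*bufsz` inside the branch that is also taken when `bufsz == NULL`, so a configuration with no CommandBufferSize directive dereferences a null pointer as soon as the warning is formatted. Split the test: when `bufsz == NULL`, set `cmd_buf_size = PR_DEFAULT_CMD_BUFSZ` without logging, and keep the warning that prints `*bufsz` only for the `*bufsz <= 0` case, which also stops the "invalid CommandBufferSize" message from firing on servers that never set the directive. The pointer type also changes from `long *` to `int *`; the hunk does not show how the directive handler stores the value, so confirm the stored type matches the type read here.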
From bugzilla at redhat.com Sat Nov 18 10:13:45 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 18 Nov 2006 05:13:45 -0500 Subject: [Bug 216263] New: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263 Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: libpng10 AssignedTo: paul at city-fan.org ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5793 "The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read." Appears to be fixed in 1.0.21. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Nov 19 14:04:56 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 19 Nov 2006 09:04:56 -0500 Subject: [Bug 216263] CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability In-Reply-To: Message-ID: <200611191404.kAJE4uOA010229@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. 
Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263

paul at city-fan.org changed:

What   |Removed |Added
----------------------------------------------------------------------------
Status |NEW     |ASSIGNED

------- Additional Comments From paul at city-fan.org 2006-11-19 09:04 EST -------
I have 1.0.21 packages prepared, but can't import and build yet due to the cvs outage. If anyone would like a preview, I have packages here:

http://www.city-fan.org/~paul/extras/libpng10/

(no ppc packages as I don't have a ppc builder)

Note that libpng10 is a Core package for all releases prior to FC6 (and presumably RHEL too) so separate bugs will need raising for those releases.

http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements has disappeared from the wiki, so is there a document somewhere stating how to prepare and send out a security announcement?

From bugzilla at redhat.com Tue Nov 21 09:25:40 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Nov 2006 04:25:40 -0500
Subject: [Bug 212700] CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability
In-Reply-To:
Message-ID: <200611210925.kAL9PeAE004424@bugzilla.redhat.com>

Summary: CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212700

ondrejj at salstar.sk changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |ondrejj at salstar.sk

------- Additional Comments From ondrejj at salstar.sk 2006-11-21 04:25 EST -------
It is not possible to connect with xsupplicant 1.2.7, but works fine with version 1.2.8. Please can somebody rebuild this package? Thank you.

You can find a new (working) rpm package at:
http://ftp.upjs.sk/pub/users/SAL/Fedora/SRPMS/6/xsupplicant-1.2.8-0.src.rpm

Release version is changed by me to automatically update after fedora extras release.

From bugzilla at redhat.com Tue Nov 21 10:17:58 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Nov 2006 05:17:58 -0500
Subject: [Bug 216263] CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
In-Reply-To:
Message-ID: <200611211017.kALAHwk8008120@bugzilla.redhat.com>

Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263

------- Additional Comments From paul at city-fan.org 2006-11-21 05:17 EST -------
1.0.21-1 has built successfully for Rawhide and FC6, and should be released later today.

A fix is still needed for FC5 and earlier releases of course.
From bugzilla at redhat.com Tue Nov 21 16:03:22 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 21 Nov 2006 11:03:22 -0500 Subject: [Bug 212700] CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability In-Reply-To: Message-ID: <200611211603.kALG3MpM007209@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212700 ------- Additional Comments From tcallawa at redhat.com 2006-11-21 11:03 EST ------- FE4, FE5, FE6 all bumped to 1.2.8. Thanks for the new SRPM Jan. :) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Tue Nov 21 16:03:40 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 21 Nov 2006 11:03:40 -0500 Subject: [Bug 212700] CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability In-Reply-To: Message-ID: <200611211603.kALG3e5r007277@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5601: xsupplicant < 1.2.8 (?) stack smashing vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212700 tcallawa at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |RAWHIDE -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. 
From bugzilla at redhat.com Tue Nov 21 16:55:11 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Nov 2006 11:55:11 -0500
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216706

Summary: CVE-2006-5793 libpng, libpng10 DoS
Product: Fedora Core
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: libpng
AssignedTo: tgl at redhat.com
ReportedBy: ville.skytta at iki.fi
CC: fedora-security-list at redhat.com,mclasen at redhat.com

+++ This bug was initially created as a clone of Bug #215405 +++

Tavis Ormandy told vendor-sec about an OOB memory read flaw in libpng. This flaw is a denial of service flaw.

quoting the mail from Tavis:

Hello, there's a typo in the sPLT chunk handling code in libpng, potentially resulting in an OOB read. AFAICT, the extent of the vulnerability is denial of service, but would appreciate a second pair of eyes to verify.

Around line ~983 of pngset.c, in png_set_sPLT()

    to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
        from->nentries * png_sizeof(png_sPLT_t));

should be `png_sizeof(png_sPLT_entry)` and the same on this line:

    png_memcpy(to->entries, from->entries,
        from->nentries * png_sizeof(png_sPLT_t));

This issue also affects RHEL2.1 and RHEL3

-- Additional comment from bressers at redhat.com on 2006-11-14 16:28 EST --
This issue is now public:
http://bugs.gentoo.org/show_bug.cgi?id=154380

---

Possibly affected: libpng in FC5, FC6, and devel, and libpng10 in FC5.
(libpng10 in Extras has been updated, see bug 216263)
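The sizeof mix-up quoted in the bug 216706 report above, worked through as an added example (not libpng's code and not part of the report). The two structs are simplified stand-ins for `png_sPLT_entry` and `png_sPLT_t`, and the function names are hypothetical; the block measures how far a copy sized with the palette struct reads past the source array, then shows a copy sized by the element type with a count check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumption) for png_sPLT_entry and png_sPLT_t. */
typedef struct {
    uint16_t red, green, blue, alpha, frequency;
} splt_entry;

typedef struct {
    char       *name;
    uint8_t     depth;
    splt_entry *entries;
    int32_t     nentries;
} splt_t;

/* Bytes the flawed sizing reads beyond the source entry array: it copies
 * nentries * sizeof(palette struct) out of a buffer that only holds
 * nentries * sizeof(entry). Computed only, never actually read. */
size_t splt_overread_bytes(int32_t nentries)
{
    if (nentries <= 0)
        return 0;
    size_t have = (size_t)nentries * sizeof(splt_entry);
    size_t read = (size_t)nentries * sizeof(splt_t);
    return read > have ? read - have : 0;
}

/* Corrected copy: sized by the element type, with the count validated
 * before the multiplication. Returns 0 on success, -1 on error. */
int splt_copy_entries(splt_t *to, const splt_t *from)
{
    if (to == NULL || from == NULL || from->entries == NULL)
        return -1;
    if (from->nentries <= 0 ||
        (size_t)from->nentries > SIZE_MAX / sizeof(splt_entry))
        return -1;

    size_t bytes = (size_t)from->nentries * sizeof *from->entries;
    splt_entry *copy = malloc(bytes);
    if (copy == NULL)
        return -1;
    memcpy(copy, from->entries, bytes);

    to->name     = NULL;            /* name handling left out of this sketch */
    to->depth    = from->depth;
    to->entries  = copy;
    to->nentries = from->nentries;
    return 0;
}

/* Constructed sample palette: returns 1 if the corrected copy reproduces
 * the three source entries and a negative count is rejected. */
int splt_selftest(void)
{
    splt_entry src[3] = {
        {1, 2, 3, 4, 5}, {6, 7, 8, 9, 10}, {11, 12, 13, 14, 15}
    };
    splt_t from = { NULL, 8, src, 3 };
    splt_t to   = { NULL, 0, NULL, 0 };

    if (splt_copy_entries(&to, &from) != 0)
        return 0;
    int same = to.nentries == 3 &&
               memcmp(to.entries, src, sizeof src) == 0;
    free(to.entries);

    from.nentries = -1;             /* malformed count must be refused */
    return same && splt_copy_entries(&to, &from) == -1;
}

int main(void)
{
    printf("sizeof(entry)=%zu sizeof(palette)=%zu\n",
           sizeof(splt_entry), sizeof(splt_t));
    printf("over-read for 256 entries: %zu bytes\n",
           splt_overread_bytes(256));
    printf("selftest: %s\n", splt_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The over-read grows linearly with the entry count, which is why a large sPLT chunk is what turns the wrong `sizeof` into a crash.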
From bugzilla at redhat.com Tue Nov 21 16:56:42 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 21 Nov 2006 11:56:42 -0500
Subject: [Bug 216263] CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
In-Reply-To:
Message-ID: <200611211656.kALGugwA012551@bugzilla.redhat.com>

Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263

------- Additional Comments From ville.skytta at iki.fi 2006-11-21 11:56 EST -------
FC report is in bug 216706, and today's FE push is in progress.

From opensource at till.name Wed Nov 22 14:02:50 2006
From: opensource at till.name (Till Maas)
Date: Wed, 22 Nov 2006 15:02:50 +0100
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
In-Reply-To:
References:
Message-ID: <200611221502.58525.opensource@till.name>

The core maintainer of libpng did not respond for a month to another security related bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211705

According to the reporter it describes a bug that is now already nearly 5 months known. Please do something now to fix this,

Regards,
Till

From bressers at redhat.com Wed Nov 22 18:00:43 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 22 Nov 2006 13:00:43 -0500
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
In-Reply-To: <200611221502.58525.opensource@till.name>
References: <200611221502.58525.opensource@till.name>
Message-ID: <200611221800.kAMI0h33001035@devserv.devel.redhat.com>

>
> The core maintainer of libpng did not respond for a month to another
> security related bug:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211705
>
> According to the reporter it describes a bug that is now already nearly 5
> months known. Please do something now to fix this,
>

I'm going to presume you're claiming that since Fedora Core doesn't have the latest libpng, it's vulnerable to the issues fixed in the upstream new version.

libpng in Fedora Core has all relevant security issues backported into it. CVE-2006-5793 is not currently fixed, but I suspect we won't be fixing it as it's simply a client crash and should not have been called a security issue in the first place. Even if we do consider it a security flaw, it represents an extremely low severity flaw.

If you have concerns regarding a specific issue, feel free to bring that up, but bug 211705 in no way represents a security flaw.
--
JB

From opensource at till.name Wed Nov 22 19:08:55 2006
From: opensource at till.name (Till Maas)
Date: Wed, 22 Nov 2006 20:08:55 +0100
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
In-Reply-To: <200611221800.kAMI0h33001035@devserv.devel.redhat.com>
References: <200611221502.58525.opensource@till.name> <200611221800.kAMI0h33001035@devserv.devel.redhat.com>
Message-ID: <200611222009.06812.opensource@till.name>

On Wednesday 22 November 2006 19:00, Josh Bressers wrote:

> I'm going to presume you're claiming that since Fedora Core doesn't have
> the latest libpng, it's vulnerable to the issues fixed in the upstream
> new version.

Actually I downloaded the libpng src.rpm with yumdownloader --source libpng and took a look into it, it contains the spec, the upstream tarball and two patches:
libpng-1.2.10-multilib.patch
libpng-1.2.10-pngconf.patch

Description of CVE-2006-3334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334
| Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng
| before 1.2.12 allows context-dependent attackers to cause a denial of
| service and possibly execute arbitrary code via unspecified vectors related
| to "chunk error processing," possibly involving the "chunk_name".

> libpng in Fedora Core has all relevant security issues backported into it.

$ grep pngrutil.c libpng-1.2.10-pngconf.patch libpng-1.2.10-multilib.patch
$

So it is not backported.

The libpng homepage also states for release 1.2.12:
| The same releases (and their immediate predecessors) also fix an
| out-of-bounds (by one) memory read and a second buffer overrun, this one in
| the code that writes the sCAL ("physical scale of subject") chunk (which is
| rather rare in any case).

The patch for this is not backported, either.

I do not know how relevant above vulnerabilities are, since Novell states that CVE-2006-3334 is not that important in
http://www.novell.com/linux/security/advisories/2006_16_sr.html

> If you have concerns regarding a specific issue, feel free to bring that
> up, but bug 211705 in no way represents a security flaw.

But if the mentioned issues are no security flaws please document it in bugzilla, so it does not seem to be ignored.

Regards,
Till

From bugzilla at redhat.com Wed Nov 22 22:19:29 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Nov 2006 17:19:29 -0500
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200611222219.kAMMJTnI011154@bugzilla.redhat.com>

Summary: CVE-2006-3458: Zope local information disclosure
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106

stickster at gmail.com changed:

What       |Removed           |Added
----------------------------------------------------------------------------
AssignedTo |gauret at free.fr |extras-orphan at fedoraproject.org

From bugzilla at redhat.com Wed Nov 22 22:20:38 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 22 Nov 2006 17:20:38 -0500
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200611222220.kAMMKcpt011290@bugzilla.redhat.com>
Summary: CVE-2006-3458: Zope local information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 stickster at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|extras- |jonathansteffan at gmail.com |orphan at fedoraproject.org | -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Nov 23 00:53:34 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Nov 2006 19:53:34 -0500 Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure In-Reply-To: Message-ID: <200611230053.kAN0rYqE017025@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3458: Zope local information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 jonathansteffan at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From jonathansteffan at gmail.com 2006-11-22 19:53 EST ------- Hot has been applied for some time. Closing bug. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Nov 23 16:30:52 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 23 Nov 2006 11:30:52 -0500 Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure In-Reply-To: Message-ID: <200611231630.kANGUq83028480@bugzilla.redhat.com> Please do not reply directly to this email. 
All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3458: Zope local information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 ------- Additional Comments From ville.skytta at iki.fi 2006-11-23 11:30 EST ------- FWIW, it doesn't seem to me that zope in FE-3 and FE-4 would have been fixed. See comment 2. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Nov 23 21:00:41 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 23 Nov 2006 16:00:41 -0500 Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure In-Reply-To: Message-ID: <200611232100.kANL0fck005712@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-3458: Zope local information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106 ------- Additional Comments From jonathansteffan at gmail.com 2006-11-23 16:00 EST ------- Hotfix 20060821 applied. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Nov 25 15:31:14 2006 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 25 Nov 2006 10:31:14 -0500 Subject: [Bug 217238] New: CVE-2006-6085: kile < 1.9.3 information disclosure Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217238

Summary: CVE-2006-6085: kile < 1.9.3 information disclosure
Product: Fedora Extras
Version: fc6
Platform: All
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6085
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: kile
AssignedTo: rdieter at math.unl.edu
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6085

"Kile before 1.9.3 does not assign a backup file the same permissions as the
original file, which might allow local users to obtain sensitive information."

All FE releases currently have kile < 1.9.3.

From bugzilla at redhat.com Sat Nov 25 15:56:48 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 25 Nov 2006 10:56:48 -0500
Subject: [Bug 217238] CVE-2006-6085: kile < 1.9.3 information disclosure
In-Reply-To:
Message-ID: <200611251556.kAPFumWB021630@bugzilla.redhat.com>

Summary: CVE-2006-6085: kile < 1.9.3 information disclosure
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217238

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
From bugzilla at redhat.com Sat Nov 25 16:25:36 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 25 Nov 2006 11:25:36 -0500
Subject: [Bug 217238] CVE-2006-6085: kile < 1.9.3 information disclosure
In-Reply-To:
Message-ID: <200611251625.kAPGPZjT022384@bugzilla.redhat.com>

Summary: CVE-2006-6085: kile < 1.9.3 information disclosure
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217238

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From rdieter at math.unl.edu 2006-11-25 11:25 EST -------
building for devel/FC-7 back to FC-3.

%changelog
* Sat Nov 25 2006 Rex Dieter 1.9.3-1
- kile-1.9.3, CVE-2006-6085 (#217238)

From bugzilla at redhat.com Sun Nov 26 03:01:05 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sat, 25 Nov 2006 22:01:05 -0500
Subject: [Bug 216263] CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
In-Reply-To:
Message-ID: <200611260301.kAQ315N3009413@bugzilla.redhat.com>
Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263

thorjansen at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thorjansen at gmail.com

From bugzilla at redhat.com Sun Nov 26 06:53:41 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Sun, 26 Nov 2006 01:53:41 -0500
Subject: [Bug 216263] CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
In-Reply-To:
Message-ID: <200611260653.kAQ6rfTx016783@bugzilla.redhat.com>

Summary: CVE-2006-5793: libpng10 < 1.0.21 DoS vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216263

ville.skytta at iki.fi changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |ERRATA
   Fixed In Version|                            |1.0.21-1

------- Additional Comments From ville.skytta at iki.fi 2006-11-26 01:53 EST -------
Looks like this has been fixed for a while now.

From bugzilla at redhat.com Mon Nov 27 16:53:59 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 11:53:59 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611271653.kARGrxCI018017@bugzilla.redhat.com>
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

kas at fi.muni.cz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kas at fi.muni.cz

------- Additional Comments From kas at fi.muni.cz 2006-11-27 11:53 EST -------
It seems the bug has already been disclosed to the public (like myself :-).
Also proftpd-1.3.0a which fixes this problem is available. So far it seems
that unpacking proftpd-1.3.0-6.src.rpm, and changing the Version: from 1.3.0
to 1.3.0a (and Release: to 1) is sufficient to build an updated package.
Please make a new RPM as soon as possible.

From bugzilla at redhat.com Mon Nov 27 16:58:42 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 11:58:42 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611271658.kARGwgig018404@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

mattdm at mattdm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mattdm at mattdm.org
From bugzilla at redhat.com Mon Nov 27 20:46:09 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 15:46:09 -0500
Subject: [Bug 217420] New: CVE-2006-6122: tin < 1.8.2 buffer overflow vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217420

Summary: CVE-2006-6122: tin < 1.8.2 buffer overflow vulnerabilities
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: tin
AssignedTo: adrian at lisas.de
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6122

"Multiple buffer overflows in TIN before 1.8.2 have unspecified impact and
attack vectors, a different vulnerability than CVE-2006-0804."

FE-[345] currently have tin < 1.8.2.

From bugzilla at redhat.com Mon Nov 27 20:48:56 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 15:48:56 -0500
Subject: [Bug 217422] New: CVE-2006-0804: tin <= 1.8.0 arbitrary code execution vulnerability
Message-ID:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217422

Summary: CVE-2006-0804: tin <= 1.8.0 arbitrary code execution vulnerability
Product: Fedora Extras
Version: fc3
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: tin
AssignedTo: adrian at lisas.de
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0804

"Off-by-one error in TIN 1.8.0 and earlier might allow attackers to execute
arbitrary code via unknown vectors that trigger a buffer overflow."

Based on the version numbers, FE-3 seems affected.

From bugzilla at redhat.com Mon Nov 27 21:56:23 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 16:56:23 -0500
Subject: [Bug 217420] CVE-2006-6122: tin < 1.8.2 buffer overflow vulnerabilities
In-Reply-To:
Message-ID: <200611272156.kARLuNIK008362@bugzilla.redhat.com>

Summary: CVE-2006-6122: tin < 1.8.2 buffer overflow vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217420

adrian at lisas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From adrian at lisas.de 2006-11-27 16:56 EST -------
tin update to 1.8.2 for FE-[345]
From bugzilla at redhat.com Mon Nov 27 21:58:21 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 27 Nov 2006 16:58:21 -0500
Subject: [Bug 217422] CVE-2006-0804: tin <= 1.8.0 arbitrary code execution vulnerability
In-Reply-To:
Message-ID: <200611272158.kARLwLIb008556@bugzilla.redhat.com>

Summary: CVE-2006-0804: tin <= 1.8.0 arbitrary code execution vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217422

adrian at lisas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |NEXTRELEASE

------- Additional Comments From adrian at lisas.de 2006-11-27 16:57 EST -------
tin update to 1.8.2 for FE-3

From bugzilla at redhat.com Tue Nov 28 10:29:21 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 28 Nov 2006 05:29:21 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611281029.kASATLnF006728@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From lkundrak at redhat.com 2006-11-28 05:28 EST -------
Okay, just so to summarize what was discovered by Evgeny Legerov, disclosed
and now fixed:

There are two issues:

sreplace() stack overflow, which is the vd_proftpd.pm VulnDisco metasploit
exploit -- http://www.gleg.net/proftpd.txt. This is fixed in 1.3.0a

mod_tls pre-auth buffer overflow. This is in VulnDisco since January 2006 and
is not yet fixed in 1.3.0a.

So I disagree with Jan's comment #15, updating to 1.3.0a is _not_ sufficient.
It is needed to patch also for the mod_tls issue, because mod_tls.c module is
included in Fedora package by default. An attachment #141353 should fix that.

From bugzilla at redhat.com Wed Nov 29 15:46:22 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 29 Nov 2006 10:46:22 -0500
Subject: [Bug 210825] RSA signature forgery issues in BouncyCastle < 1.34
In-Reply-To:
Message-ID: <200611291546.kATFkM4D004254@bugzilla.redhat.com>

Summary: RSA signature forgery issues in BouncyCastle < 1.34
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210825

------- Additional Comments From fitzsim at redhat.com 2006-11-29 10:46 EST -------
I've imported Bouncy Castle 1.34 into FC-5 update-testing:

java-1.4.2-gcj-compat-1.4.2.0-40jpp_83rh.3

and FC-6 updates-testing:

bouncycastle-1.34-1

From bressers at redhat.com Wed Nov 29 20:16:15 2006
From: bressers at redhat.com (Josh Bressers)
Date: Wed, 29 Nov 2006 15:16:15 -0500
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
In-Reply-To: <200611222009.06812.opensource@till.name>
References: <200611221502.58525.opensource@till.name> <200611221800.kAMI0h33001035@devserv.devel.redhat.com> <200611222009.06812.opensource@till.name>
Message-ID: <200611292016.kATKGF52007761@devserv.devel.redhat.com>

Sorry for the horribly delayed response.
I've been away on holiday.

>
> Actually I downloaded the libpng src.rpm with yumdownloader --source
> libpng and took a look into it, it contains the spec, the upstream
> tarball and two patches:
>
> libpng-1.2.10-multilib.patch
> libpng-1.2.10-pngconf.patch
>

All known libpng CVE ids are tracked via the following files:
http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora

If there are any CVE ids we're missing please let us know.

There are a number of CVE ids that are simply client crashes. We do not
consider client side crashes security issues, they are bugs. Some of them get
CVE ids. This is something MITRE is currently working on a policy for. Right
now they have a blanket policy of assigning a CVE id to anything anyone calls
a security flaw. It's then our job to weed through them and find the relevant
ones.

>
> > If you have concerns regarding a specific issue, feel free to bring that
> > up, but bug 211705 in no way represents a security flaw.
>
> But if the mentioned issues are no security flaws please document it in
> bugzilla, so it does not seem to be ignored.
>

I've updated that bug with a statement regarding those CVE ids. The two
mentioned in the bug are client crashes, thus are just bugs.

Thanks.

--
JB

From opensource at till.name Wed Nov 29 23:16:03 2006
From: opensource at till.name (Till Maas)
Date: Thu, 30 Nov 2006 00:16:03 +0100
Subject: [Bug 216706] New: CVE-2006-5793 libpng, libpng10 DoS
In-Reply-To: <200611292016.kATKGF52007761@devserv.devel.redhat.com>
References: <200611222009.06812.opensource@till.name> <200611292016.kATKGF52007761@devserv.devel.redhat.com>
Message-ID: <200611300016.11797.opensource@till.name>

On Wednesday 29 November 2006 21:16, Josh Bressers wrote:
> Sorry for the horribly delayed response. I've been away on holiday.
I hope you enjoyed your holiday and thanks for responding and answering to the
bugzilla ticket,

Regards,
Till

From bugzilla at redhat.com Thu Nov 30 15:04:09 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 10:04:09 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611301504.kAUF49kr013083@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

jwm at horde.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jwm at horde.net

From bugzilla at redhat.com Thu Nov 30 15:20:12 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 10:20:12 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611301520.kAUFKCXu014569@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From mattdm at mattdm.org 2006-11-30 10:20 EST -------
That patch appears to be in the Extras package as of Nov. 16th.
From bugzilla at redhat.com Thu Nov 30 15:38:47 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 10:38:47 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611301538.kAUFclQJ016618@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From matthias at rpmforge.net 2006-11-30 10:38 EST -------
Yes, and the update to 1.3.0a has been pushed to FC-5 and FC-6 as of today, so
I'll be closing this bug report, unless someone has yet another patch for yet
another (possible) exploit to have included in the package ;-)

From bugzilla at redhat.com Thu Nov 30 15:40:23 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 10:40:23 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611301540.kAUFeNrv016844@bugzilla.redhat.com>
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From mattdm at mattdm.org 2006-11-30 10:40 EST -------
> Yes, and the update to 1.3.0a has been pushed to FC-5 and FC-6 as of today, so
> I'll be closing this bug report, unless someone has yet another patch for yet
> another (possible) exploit to have included in the package ;-)

I think anything new probably can get its *own* bug. :)

From bugzilla at redhat.com Thu Nov 30 17:41:47 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 12:41:47 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611301741.kAUHflRc028873@bugzilla.redhat.com>

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From ville.skytta at iki.fi 2006-11-30 12:41 EST -------
Just a note, FE-3 and 4 seem to still ship < 1.3.0a.

From bugzilla at redhat.com Thu Nov 30 20:57:49 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 15:57:49 -0500
Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
In-Reply-To:
Message-ID: <200611302057.kAUKvnnK014482@bugzilla.redhat.com>
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From ville.skytta at iki.fi 2006-11-30 15:57 EST -------
The mod_tls issue is now CVE-2006-6170 and cmdbufsize CVE-2006-6171

From bugzilla at redhat.com Thu Nov 30 21:08:59 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 16:08:59 -0500
Subject: [Bug 217950] New: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217950

Summary: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: gnupg2
AssignedTo: rdieter at math.unl.edu
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6171

"Buffer overflow in the ask_outfile_name function in openfile.c for GnuPG
(gpg) 1.4 and 2.0, when running interactively, might allow attackers to
execute arbitrary code via messages that cause the make_printable_string
function to return a longer string than expected while constructing a prompt."

FE[3456] seem affected, devel looks ok.
From bugzilla at redhat.com Thu Nov 30 21:19:29 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 16:19:29 -0500
Subject: [Bug 217950] CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
In-Reply-To:
Message-ID: <200611302119.kAULJTO9016528@bugzilla.redhat.com>

Summary: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217950

rdieter at math.unl.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From rdieter at math.unl.edu 2006-11-30 16:19 EST -------
Yucky. FC-6+ should already be fine. Older releases need patching.

From bugzilla at redhat.com Thu Nov 30 22:13:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 30 Nov 2006 17:13:57 -0500
Subject: [Bug 217950] CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
In-Reply-To:
Message-ID: <200611302213.kAUMDvo1022058@bugzilla.redhat.com>

Summary: CVE-2006-6169: gnupg2 < 2.0.1 buffer overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217950

------- Additional Comments From ville.skytta at iki.fi 2006-11-30 17:13 EST -------
Unless I'm missing something, the upstream fix is not in FE6's 2.0.1rc1, but
only in devel's 2.0.1 final.
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/g10/openfile.c?rev=4349&r1=4215&r2=4349