From bugzilla at redhat.com Wed Aug 1 14:24:42 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 1 Aug 2007 10:24:42 -0400 Subject: [Bug 245211] Wordpress 2.2(.1): SQL injection, XSS, unrestricted file upload vulnerabilities In-Reply-To: Message-ID: <200708011424.l71EOgUD014267@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Wordpress 2.2(.1): SQL injection, XSS, unrestricted file upload vulnerabilities Alias: CVE-2007-3544 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245211 ------- Additional Comments From lkundrak at redhat.com 2007-08-01 10:24 EST ------- John: What about CVE-2007-3544? Will this ever get updated? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Wed Aug 1 15:19:34 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 1 Aug 2007 11:19:34 -0400 Subject: fedora-security/audit fc7,1.54,1.55 Message-ID: <200708011519.l71FJYot001945@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1903 Modified Files: fc7 Log Message: Updated to match FEDORA-2007-1070 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.54 retrieving revision 1.55 diff -u -r1.54 -r1.55 --- fc7 27 Jul 2007 15:56:53 -0000 1.54 +++ fc7 1 Aug 2007 15:19:31 -0000 1.55 @@ -1,35 +1,44 @@ # $Id$ -** are items that need attention +# ** are items that need attention +# *CVE are items that need verification for Fedora 7 +# (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) +# A couple of first F7 updates were marked as FEDORA-2007-0001 -*CVE are items that need verification for Fedora 7 +# Version: FEDORA-2007-1070 CVE-NOID VULNERABLE (tor, fixed 0.1.2.15) #249840 -CVE-2007-4168 VULNERABLE (libexif) #243890 +CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] CVE-2007-4029 VULNERABLE (libvorbis) #245991 -CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 -CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 -CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 -CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 -CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 +CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] +CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] +CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] +CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] +CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3841 WTF (pidgin) CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) CVE-2007-3782 ** (mysql) CVE-2007-3770 ** (xfce-utils) +CVE-2007-3738 version (mozilla) #248518 [since FEDORA-2007-1138] +CVE-2007-3737 version (mozilla) #248518 [since FEDORA-2007-1138] +CVE-2007-3736 version (mozilla) #248518 [since FEDORA-2007-1138] +CVE-2007-3735 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3728 ignore (libsilc, 1.1.1 only) CVE-2007-3725 ** (clamav) -CVE-2007-3713 VULNERABLE (centericq) #247979 +CVE-2007-3713 backport (centericq) #247979 [since FEDORA-2007-1160] +CVE-2007-3656 version (mozilla) #248518 [since FEDORA-2007-1138] +CVE-2007-3642 version (kernel, fixed 2.6.22.1) [since FEDORA-2007-1130] CVE-2007-3628 version (php-pear-Structures-DataGrid-DataSource-MDB2, fixed 0.1.10) CVE-2007-3555 VULNERABLE (moodle) #247528 CVE-2007-3546 ignore (nessus-core) Windows only -CVE-2007-3528 VULNERABLE (dar, fixed 2.3.4) #246760 -CVE-2007-3544 ** (wordpress) #245211 -CVE-2007-3543 ** (wordpress) #245211 +CVE-2007-3528 version (dar, fixed 2.3.4) #246760 [since FEDORA-2007-0904] +CVE-2007-3544 VULNERABLE (wordpress, NOT fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543 +CVE-2007-3543 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] CVE-2007-3508 ignore (glibc) not an issue CVE-2007-3506 version (freetype, fixed 2.3.4) #235479 [since FEDORA-2007-0033] -CVE-2007-3507 version (flac123, fixed 0.0.10) #246322 +CVE-2007-3507 version (flac123, fixed 0.0.10) #246322 [since FEDORA-2007-1045] CVE-2007-3478 ** (gd) CVE-2007-3477 ** (gd) CVE-2007-3476 ** (gd) @@ -37,65 +46,74 @@ CVE-2007-3474 ** (gd) CVE-2007-3473 ** (gd) CVE-2007-3472 ** (gd) -CVE-2007-3410 VULNERABLE (HelixPlayer) #245838 +CVE-2007-3410 backport (HelixPlayer) #245838 [since CVE-2007-3410] CVE-2007-3409 version (perl-Net-DNS, fixed 0.60) #245807 -CVE-2007-3393 VULNERABLE (wireshark) -CVE-2007-3392 VULNERABLE (wireshark) -CVE-2007-3391 VULNERABLE (wireshark) -CVE-2007-3390 VULNERABLE (wireshark) -CVE-2007-3389 VULNERABLE (wireshark) +CVE-2007-3393 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3392 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape -CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 -CVE-2007-3241 ** (wordpress) #245211 -CVE-2007-3240 ** (wordpress) #245211 -CVE-2007-3239 ** (wordpress) #245211 -CVE-2007-3238 ** (wordpress) #245211 +CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 [since EDORA-2007-0668] +CVE-2007-3257 backport (evolution) #244283 [since FEDORA-2007-0464] +CVE-2007-3241 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] +CVE-2007-3240 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] +CVE-2007-3239 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] +CVE-2007-3238 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] +CVE-2007-3140 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] +CVE-2007-3231 version (mecab, fixed 0.96) [since FEDORA-2007-0366] CVE-2007-3209 ignore (mail-notification, shipped with SSL enabled) CVE-2007-3106 VULNERABLE (libvorbis) #245991 -CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) -CVE-2007-3099 version (iscsi-initiator-utils, fixed 6.2.0.865) +CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] +CVE-2007-3099 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3165 VULNERABLE (tor, fixed 0.1.2.14) #244502 -CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 -CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 +CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] +CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] CVE-2007-3145 VULNERABLE (galeon) ** -CVE-2007-3140 ** (wordpress) #245211 +CVE-2007-3140 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] CVE-2007-3126 ignore (gimp) just a crash CVE-2007-3123 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3122 VULNERABLE (clamav, fixed 0.90.3) #245219 -CVE-2007-3121 version (zvbi, fixed 0.2.25) +CVE-2007-3121 version (zvbi, fixed 0.2.25) [since FEDORA-2007-0175] *CVE-2007-3113 VULNERABLE (cacti) #243592 *CVE-2007-3112 VULNERABLE (cacti) #243592 +CVE-2007-3089 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3025 ignore (clamav, Solaris only) CVE-2007-3024 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3023 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3007 ignore (php) safe mode isn't safe *CVE-2007-2975 (openfire) +CVE-2007-2949 version (gimp, fixed, 2.2.16) [since FEDORA-2007-0725] +CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] +CVE-2007-2925 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] *CVE-2007-2894 VULNERABLE (bochs) #241799 CVE-2007-2894 ignore (bochs, unreproducible) #241799 -CVE-2007-2893 patch (bochs, fixed 2.3-5) #241799 +CVE-2007-2893 patch (bochs, fixed 2.3-5) #241799 [since FEDORA-2007-1153] CVE-2007-2876 version (kernel, fixed 2.6.21.5) [ since FEDORA-2007-0409 ] -*CVE-2007-2874 (wpa_supplicant) #242455 -CVE-2007-2873 version (spamassassin, fixed 3.2.1) -CVE-2007-2871 version (seamonkey, fixed 1.0.9) -CVE-2007-2870 version (seamonkey, fixed 1.0.9) -CVE-2007-2869 (firefox) -CVE-2007-2868 version (seamonkey, fixed 1.0.9) -CVE-2007-2867 version (seamonkey, fixed 1.0.9) -CVE-2007-2865 version (phpPgAdmin, fixed 4.1.2) #241489 +CVE-2007-2874 remove-patch (wpa_supplicant) #242455 [since FEDORA-2007-0185] +CVE-2007-2873 version (spamassassin, fixed 3.2.1) [since FEDORA-2007-0390] +CVE-2007-2871 version (mozilla) #241840 +CVE-2007-2870 version (mozilla) #241840 +CVE-2007-2869 version (mozilla) #241840 +CVE-2007-2868 version (mozilla) #241840 +CVE-2007-2867 version (mozilla) #241840 +CVE-2007-2865 version (phpPgAdmin, fixed 4.1.2) #241489 [since FEDORA-2007-0469] CVE-2007-2844 ignore (php) #241641 CVE-2007-2843 ignore (konqueror) safari specific -*CVE-2007-2821 VULNERABLE (wordpress, fixed 2.2) #240970 -*CVE-2007-2799 (file) +CVE-2007-2821 version (wordpress, fixed 2.2) #245211 [since FEDORA-2007-0894] +CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-0836] +CVE-2007-2798 version (krb5, 1.6.1) [since FEDORA-2007-0740] CVE-2007-2768 ignore (openssh) needs pam OPIE which is not shipped. CVE-2007-2756 ignore (gd) DoS only -*CVE-2007-2754 (freetype) +CVE-2007-2754 backport (freetype) [since FEDORA-2007-0033] CVE-2007-2721 patch (jasper, fixed 1.900.1-2) #240397 -*CVE-2007-2683 (mutt) +CVE-2007-2683 backport (mutt) *CVE-2007-2654 VULNERABLE (xfsdump) #240396 -CVE-2007-2650 version (clamav, fixed 0.90.3) #240395 -CVE-2007-2645 ignore (libexif) #240055 DoS only +CVE-2007-2650 version (clamav, fixed 0.90.3) #240395 [since FEDORA-2007-1154] +CVE-2007-2645 backport (libexif) #240055 [since FEDORA-2007-0414] *CVE-2007-2637 patch (moin, fixed 1.5.7-2) -*CVE-2007-2627 ** (wordpress) #239904 +CVE-2007-2627 version (wordpress, fixed 2.2.1) #239904 [since FEDORA-2007-0894] *CVE-2007-2589 (squirrelmail) *CVE-2007-2583 (mysql) CVE-2007-2519 ignore (php-pear) no trust boundary is crossed @@ -113,6 +131,8 @@ *CVE-2007-2446 (samba) CVE-2007-2445 version (libpng10, fixed 1.0.25) #240398 *CVE-2007-2444 (samba) +CVE-2007-2443 version (krb5, 1.6.1) [since FEDORA-2007-0740] +CVE-2007-2442 version (krb5, 1.6.1) [since FEDORA-2007-0740] *CVE-2007-2438 VULNERABLE (vim) #238734 CVE-2007-2437 ignore (xorg-x11) DoS only *CVE-2007-2435 (java) @@ -123,18 +143,18 @@ *CVE-2007-2353 (axis) *CVE-2007-2245 VULNERABLE (phpMyAdmin, fixed 2.10.1) #237882 CVE-2007-2243 ignore (openssh, fixed 4.6) needs S/KEY support which is not shipped. -*CVE-2007-2241 (bind) +CVE-2007-2241 backport (bind) [since FEDORA-2007-0300] CVE-2007-2176 ignore (firefox) only affects the java quicktime interaction CVE-2007-2172 version (kernel, fixed 2.6.21-rc6) *CVE-2007-2165 VULNERABLE (proftpd) #237533 -*CVE-2007-2138 (postgresql) +CVE-2007-2138 version (postgresql, fixed 8.2.4) #237682 [since FEDORA-2007-0174] CVE-2007-2057 version (aircrack-ng, fixed 0.8-0.1) CVE-2007-2029 VULNERABLE (clamav, fixed 0.90.3) #245219 *CVE-2007-2028 (freeradius) *CVE-2007-2026 (file) CVE-2007-2016 ignore (phpMyAdmin, < 2.8.0.2 never shipped) CVE-2007-1997 version (clamav, fixed in 0.90.2) -*CVE-2007-1995 (quagga) #240488 +CVE-2007-1995 version (quagga, fixed CVE-2007-1995) #240488 CVE-2007-1897 version (wordpress, fixed 2.1.3) #235912 CVE-2007-1894 version (wordpress, fixed 2.1.3-0.rc2) CVE-2007-1893 version (wordpress, fixed 2.1.3) #235912 @@ -148,6 +168,7 @@ *CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 *CVE-2007-1804 VULNERABLE (pulseaudio) #235013 CVE-2007-1799 version (ktorrent, fixed 2.1.3) #235014 +CVE-2007-1797 version (GraphicsMagick, fixed 1.1.8) [since FEDORA-2007-1340] CVE-2007-1745 version (clamav, fixed in 0.90.2) #236703 *CVE-2007-1743 (httpd) *CVE-2007-1742 (httpd) @@ -159,9 +180,9 @@ CVE-2007-1710 version (php, fixed 5.2.2) CVE-2007-1709 ignore (php) no security impact *CVE-2007-1667 (xorg-x11) -CVE-2007-1665 VULNERABLE (ekg) #246034 -CVE-2007-1664 VULNERABLE (ekg) #246034 -CVE-2007-1663 VULNERABLE (ekg) #246034 +CVE-2007-1665 version (ekg) #246034 [since FEDORA-2007-0791] +CVE-2007-1664 version (ekg) #246034 [since FEDORA-2007-0791] +CVE-2007-1663 version (ekg) #246034 [since FEDORA-2007-0791] CVE-2007-1649 version (php, fixed 5.2.2) CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 @@ -169,7 +190,7 @@ CVE-2007-1583 version (php, fixed 5.2.2) CVE-2007-1565 ignore (konqueror) client crash CVE-2007-1564 vulnerable (konqueror) [#CVE-2007-1564] -CVE-2007-1562 (firefox, seamonkey, thunderbird) +CVE-2007-1562 version (firefox, seamonkey, thunderbird) #241840 CVE-2007-1560 version (squid, fixed 2.6.STABLE12) CVE-2007-1558 version (claws-mail, fixed 2.9.1) #237293 *CVE-2007-1558 backport (sylpheed, fixed 2.3.1-1) @@ -208,12 +229,13 @@ *CVE-2007-1384 version (ktorrent, fixed 2.1.2) CVE-2007-1375 version (php, fixed 5.2.2) *CVE-2007-1366 ** (qemu) #238723 -*CVE-2007-1362 version (seamonkey, fixed 1.0.9) +CVE-2007-1362 version (seamonkey, fixed 1.0.9) #241840 *CVE-2007-1359 patch (mod_security, fixed 2.1.0-3) #231728 CVE-2007-1358 ** (tomcat5) #244810 *CVE-2007-1354 (jboss) *CVE-2007-1352 VULNERABLE (libXfont) #235265 *CVE-2007-1351 VULNERABLE (libXfont) #235265 +CVE-2007-1349 backport (mod_perl) [since FEDORA-2007-0316] CVE-2007-1325 version (phpMyAdmin, fixed 2.10.0.2) *CVE-2007-1322 ** (qemu) #238723 *CVE-2007-1321 ** (qemu) #238723 @@ -281,7 +303,7 @@ *CVE-2007-0774 (mod_jk) VE-2007-0772 version (kernel, fixed 2.6.20.1) [since FEDORA-2007-291] CVE-2007-0771 patch (kernel, fixed 2.6.20-1.2933) #227952 -*CVE-2007-0770 patch (GraphicsMagick, fixed 1.1.7-7) #228758 +CVE-2007-0770 patch (GraphicsMagick, fixed 1.1.7-7) #228758 CVE-2007-0770 ignore (ImageMagick) only if incomplete CVE-2006-5456 CVE-2007-0720 ignore (cups, fixed 1.2.7) cups is already updated CVE-2007-0657 ignore (nexuiz, 2.2.2 only (not shipped), fixed 2.2.3) @@ -318,6 +340,7 @@ *CVE-2007-0262 version (wordpress, fixed 2.1-0) #223101 CVE-2007-0248 version (squid, fixed 2.6.STABLE7) [since FEDORA-2007-073] CVE-2007-0247 version (squid, fixed 2.6.STABLE7) #222883 [since FEDORA-2007-073] +CVE-2007-0245 backport (openoffice.org) [since FEDORA-2007-0410] CVE-2007-0243 ignore, no-ship (java-ibm) *CVE-2007-0242 patch (qt4, fixed 4.2.3-7) *CVE-2007-0240 patch (zope, fixed 2.9.6-2) #233378 @@ -510,6 +533,7 @@ CVE-2006-5462 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] *CVE-2006-5461 VULNERABLE (avahi, fixed 0.6.15) *CVE-2006-5456 backport (ImageMagick) #210921 [since FEDORA-2006-1285] +CVE-2006-5456 version (GraphicsMagick, fixed 1.1.7) [since FEDORA-2007-1340] *CVE-2006-5455 patch (bugzilla, fixed 2.22-7) #212355 *CVE-2006-5454 patch (bugzilla, fixed 2.22-7) #212355 *CVE-2006-5453 patch (bugzilla, fixed 2.22-7) #212355 @@ -599,7 +623,7 @@ CVE-2006-4561 VULNERABLE (firefox) CVE-2006-4538 version (kernel, fixed after 2.6.18-rc6) CVE-2006-4535 version (kernel, fixed 2.6.18-rc6) -CVE-2006-4519 VULNERABLE (gimp) #247566 +CVE-2006-4519 version (gimp, fixed 2.2.16) #247566 [since FEDORA-2007-1044] *CVE-2006-4514 backport (libgsf) [since FEDORA-2006-1417] CVE-2006-4513 version (wv, fixed 1.2.4) #212696 *CVE-2006-4513 ** (abiword) #212698 @@ -649,6 +673,7 @@ CVE-2006-4146 backport (gdb) CVE-2006-4145 version (kernel, fixed 2.6.17.10, fixed 2.6.18-rc5) needs a better upstream fix *CVE-2006-4144 backport (ImageMagick, fixed 6.2.9) +CVE-2006-4144 version (GraphicsMagick, fixed 1.1.8) [since FEDORA-2007-1340] *CVE-2006-4124 (lesstif) CVE-2006-4096 version (bind, fixed 9.3.2-P1) CVE-2006-4095 version (bind, fixed 9.3.2-P1) @@ -665,42 +690,19 @@ CVE-2006-3816 version (krusader, fixed 1.70.1) #200323 CVE-2006-3815 version (heartbeat, fixed 2.0.6) CVE-2006-3813 version (perl) only Red Hat Enterprise Linux affected -CVE-2006-3812 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3812 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3812 version (firefox, fixed 1.5.0.5) -CVE-2006-3811 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3811 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3811 version (firefox, fixed 1.5.0.5) -CVE-2006-3810 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3810 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3810 version (firefox, fixed 1.5.0.5) -CVE-2006-3809 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3809 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3809 version (firefox, fixed 1.5.0.5) -CVE-2006-3808 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3808 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3808 version (firefox, fixed 1.5.0.5) -CVE-2006-3807 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3807 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3807 version (firefox, fixed 1.5.0.5) -CVE-2006-3806 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3806 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3806 version (firefox, fixed 1.5.0.5) -CVE-2006-3805 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3805 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3805 version (firefox, fixed 1.5.0.5) -CVE-2006-3804 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3804 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3804 version (firefox, fixed 1.5.0.5) -CVE-2006-3803 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3803 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3803 version (firefox, fixed 1.5.0.5) -CVE-2006-3802 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3802 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3802 version (firefox, fixed 1.5.0.5) -CVE-2006-3801 version (thunderbird, fixed 1.5.0.5) -CVE-2006-3801 version (seamonkey, fixed 1.0.4) #200455 -CVE-2006-3801 version (firefox, fixed 1.5.0.5) +CVE-2006-3812 version (mozilla) #200455 +CVE-2006-3811 version (mozilla) #200455 +CVE-2006-3810 version (mozilla) #200455 +CVE-2006-3809 version (mozilla) #200455 +CVE-2006-3808 version (mozilla) #200455 +CVE-2006-3807 version (mozilla) #200455 +CVE-2006-3806 version (mozilla) #200455 +CVE-2006-3805 version (mozilla) #200455 +CVE-2006-3804 version (mozilla) #200455 +CVE-2006-3803 version (mozilla) #200455 +CVE-2006-3802 version (mozilla) #200455 +CVE-2006-3801 version (mozilla) #200455 +CVE-2007-3798 version (tcpdump, fixed 3.9.7) #244860 [since FEDORA-2007-1361] CVE-2006-3747 version (httpd, fixed 2.2.3) CVE-2006-3746 version (gnupg, fixed 1.4.5) CVE-2006-3745 version (kernel, fixed 2.6.17.10, fixed 2.6.18-rc5) @@ -711,6 +713,7 @@ CVE-2006-3740 version (libXfont, fixed 1.2.2) CVE-2006-3739 version (libXfont, fixed 1.2.2) *CVE-2006-3738 backport (openssl, fixed 0.9.8d) +CVE-2007-3734 version (mozilla) #248518 [since FEDORA-2007-1138] *CVE-2006-3733 ignore (jboss) cisco only CVE-2006-3731 ignore (firefox) just a user complicit crash CVE-2006-3694 version (ruby, fixed 1.8.5) @@ -855,8 +858,8 @@ *CVE-2006-2366 ignore (openobex) we don't ship ircp CVE-2006-2362 ignore (binutils) minor crash (not exploitable) CVE-2006-2332 ignore (firefox) disputed -CVE-2006-2314 version (postgresql, fixed 8.1.4) -CVE-2006-2313 version (postgresql, fixed 8.1.4) +CVE-2006-2314 version (postgresql, fixed 8.1.4) [since FEDORA-2007-0249] +CVE-2006-2313 version (postgresql, fixed 8.1.4) [since FEDORA-2007-0249] CVE-2006-2276 version (quagga, fixed 0.98.6) CVE-2006-2275 version (kernel, fixed 2.6.16.15) CVE-2006-2274 version (kernel, fixed 2.6.16.15) @@ -1156,6 +1159,7 @@ CVE-2006-0096 ignore (kernel) minor and requires root CVE-2006-0095 version (kernel, fixed 2.6.16) CVE-2006-0082 version (ImageMagick, not 6.2.5.4) +CVE-2006-0082 version (GraphicsMagick, fixed 1.1.8) [since FEDORA-2007-1340] CVE-2006-0071 ignore (pinentry, Gentoo-specific problem) CVE-2006-0058 version (sendmail, fixed 8.13.6) CVE-2006-0052 version (mailman, fixed 2.1.6) @@ -1196,6 +1200,7 @@ CVE-2005-4618 version (kernel, fixed 2.6.15) CVE-2005-4605 version (kernel, fixed 2.6.15) *CVE-2005-4601 (ImageMagick) +CVE-2005-4601 version (GraphicsMagick, fixed 1.1.8) [since FEDORA-2007-1340] CVE-2005-4585 version (wireshark, fixed 0.10.14) CVE-2005-4442 version (openldap) gentoo only CVE-2005-4352 version (kernel, fixed 2.6.18.3) [since FEDORA-2006-1471] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Thu Aug 2 09:39:08 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Thu, 2 Aug 2007 05:39:08 -0400 Subject: fedora-security/audit fc6,1.226,1.227 Message-ID: <200708020939.l729d81B010960@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10940 Modified Files: fc6 Log Message: Up to date CVE as of CVE email 20070801 Up to date FC6 as of 20070802 Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.226 retrieving revision 1.227 diff -u -r1.226 -r1.227 --- fc6 27 Jul 2007 12:57:04 -0000 1.226 +++ fc6 2 Aug 2007 09:39:05 -0000 1.227 @@ -1,7 +1,11 @@ -Up to date CVE as of CVE email 20061123 -Up to date FC6 as of 20061123 +# $Id$ -** are items that need attention +# ** are items that need attention +# *CVE are items that need verification for Fedora Core 6 +# (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) + +# Up to date CVE as of CVE email 20070801 +# Up to date FC6 as of 20070802 CVE-2007-4029 VULNERABLE (libvorbis) #245991 CVE-2007-4168 VULNERABLE (libexif) #243892 @@ -14,19 +18,49 @@ CVE-2007-3508 ignore (glibc) not an issue CVE-2007-3506 backport (freetype, fixed 2.3.4) #235479 [since FEDORA-2007-561] CVE-2007-3409 version (perl-Net-DNS, fixed 0.60) #245809 +CVE-2007-3393 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3392 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3378 ignore (php) safe mode escape -CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245614 +CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245614 [since FEDORA-2007-609] +CVE-2007-3304 backport (httpd) #244660 [since FEDORA-2007-615] +CVE-2007-3257 backport (evolution) #244287 [since FEDORA-2007-594] CVE-2007-3126 ignore (gimp) just a crash CVE-2007-3106 VULNERABLE (libvorbis) #245991 +CVE-2007-2926 backport (bind, fixed 9.4.1) [since FEDORA-2007-647] *CVE-2007-2894 VULNERABLE (bochs) #241799 -CVE-2007-2876 version (kernel, fixed 2.6.21.5?) [since ?] +CVE-2007-2876 version (kernel, fixed 2.6.21.5) [since FEDORA-2007-600] +CVE-2007-2875 version (kernel) [since FEDORA-2007-600] *CVE-2007-2874 (wpa_supplicant) #242455 -CVE-2007-2873 version (spamassassin, fixed 3.1.9) +CVE-2007-2873 version (spamassassin, fixed 3.1.9) [since FEDORA-2007-582] +CVE-2007-2871 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2870 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2869 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2868 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2867 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-538] +CVE-2007-2453 version (kernel) [since FEDORA-2007-600] +CVE-2007-2451 version (kernel, fixed 2.6.21.4) [since FEDORA-2007-600] +CVE-2007-2445 backport (libpng) #239542 [since FEDORA-2007-529] CVE-2007-2438 VULNERABLE (vim) #238734 +CVE-2007-2242 version (kernel) [since FEDORA-2007-482] +CVE-2007-2138 version (postgresql, fixed 8.1.9) [since FEDORA-2007-565] +CVE-2007-2028 backport (freeradius) [since FEDORA-2007-499] +CVE-2007-1995 version (quagga, fixed 0.99.7) [since FEDORA-2007-525] +CVE-2007-1863 backport (httpd) #244660 [since FEDORA-2007-615] +CVE-2007-1862 backport (httpd) #244660 [since FEDORA-2007-615] +CVE-2007-1861 version (kernel) [since FEDORA-2007-482] CVE-2007-1856 VULNERABLE (vixie-cron) #235882 CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 +CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] +CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] CVE-2007-1565 ignore (konqueror) client crash -CVE-2007-1564 vulnerable (konqueror) [#CVE-2007-1564] +CVE-2007-1564 vulnerable (konqueror) +CVE-2007-1562 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-1558 backport (evolution) #235290 [since FEDORA-2007-484] +CVE-2007-1536 backport (file, fixed 4.20) #233164 [since FEDORA-2007-391] CVE-2007-1475 ignore (php) unshipped ibase extension CVE-2007-1420 VULNERABLE (mysql, fixed 5.0.36) #232604 CVE-2007-1413 ignore (php) Windows NT SNMP specific @@ -34,14 +68,18 @@ CVE-2007-1411 ignore (php) unshipped mssql extension CVE-2007-1401 ignore (php) unshipped cracklib extension CVE-2007-1396 ignore (php) feature, not a flaw +CVE-2007-1362 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-1357 version (kernel) [since FEDORA-2007-432] CVE-2007-1352 VULNERABLE (libXfont) #235265 CVE-2007-1351 VULNERABLE (libXfont) #235265 +CVE-2007-1349 backport (mod_perl) [since FEDORA-2007-577] CVE-2007-1263 version (gnupg, fixed 1.4.7) [since FEDORA-2007-315] +CVE-2007-1262 version (squirrelmail, fixed 1.4.10a) #239704 [since FEDORA-2007-505] CVE-2007-1218 backport (tcpdump) 232349 [since FEDORA-2007-347] CVE-2007-1006 version (ekiga, fixed 2.0.5) #229259 [since FEDORA-2007-322] CVE-2007-1004 VULNERABLE (firefox, ...) -CVE-2007-1003 VULNERABLE (xorg-x11-server, fixed > X11R7.2) #235263 -CVE-2007-1002 VULNERABLE (evolution) #233587 +CVE-2007-1003 backport (xorg-x11-server, fixed > X11R7.2) #235263 [since FEDORA-2007-425] +CVE-2007-1002 backport (evolution) #233587 [since FEDORA-2007-393] CVE-2007-1000 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0998 backport (xen) #230295 [since FEDORA-2007-343] CVE-2007-0981 VULNERABLE (firefox, ...) @@ -54,10 +92,10 @@ CVE-2007-0537 VULNERABLE (kdebase) #225420 CVE-2007-0494 version (bind, fixed 9.3.4) #225268 [since FEDORA-2007-147] CVE-2007-0493 version (bind, fixed 9.3.4) #224443 [since FEDORA-2007-147] -CVE-2007-0459 VULNERABLE (wireshark, fixed 0.99.5) #227140 -CVE-2007-0458 VULNERABLE (wireshark, fixed 0.99.5) #227140 -CVE-2007-0457 VULNERABLE (wireshark, fixed 0.99.5) #227140 -CVE-2007-0456 VULNERABLE (wireshark, fixed 0.99.5) #227140 +CVE-2007-0459 version (wireshark, fixed 0.99.5) #227140 +CVE-2007-0458 version (wireshark, fixed 0.99.5) #227140 +CVE-2007-0457 version (wireshark, fixed 0.99.5) #227140 +CVE-2007-0456 version (wireshark, fixed 0.99.5) #227140 CVE-2007-0455 VULNERABLE (gd) #224610 CVE-2007-0451 version (spamassassin, fixed 3.1.8) [since FEDORA-2007-241] CVE-2007-0248 version (squid, fixed 2.6.STABLE7) [since FEDORA-2007-073] @@ -117,11 +155,12 @@ CVE-2006-5864 VULNERABLE (evince) #217672 CVE-2006-5823 version (kernel, fixed 2.6.19.2) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 CVE-2006-5794 backport (openssh, fixed 4.5) #214641 [since FEDORA-2006-1215] -CVE-2006-5793 ignore (libpng, fixed 1.2.13) just a client crash +CVE-2006-5793 backport (libpng, fixed 1.2.13) #215405 [since FEDORA-2007-529] CVE-2006-5783 ignore (firefox) disputed CVE-2006-5779 VULNERABLE (openldap, 2.3.29) #214768 CVE-2006-5757 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 CVE-2006-5753 backport (kernel, fixed 2.6.20.1) [since FEDORA-2007-291] +CVE-2006-5752 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2006-5751 version (kernel, fixed 2.6.19, fixed 2.6.18.4) [since FEDORA-2006-1471] CVE-2006-5749 VULNERABLE (kernel, fixed 2.6.20-rc2) CVE-2006-5748 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] @@ -169,7 +208,7 @@ CVE-2006-5159 ignore (firefox) unverified CVE-2006-5158 version (kernel, fixed 2.6.15) CVE-2006-5072 backport (mono) -CVE-2006-5052 VULNERABLE (openssh, fixed 4.4) +CVE-2006-5052 backport (openssh, fixed 4.4) [since FEDORA-2007-394] CVE-2006-5051 backport (openssh, fixed 4.4) CVE-2006-4997 version (kernel, fixed 2.6.18) CVE-2006-4980 version (python, fixed 2.4.4 at least) [since FEDORA-2006-1050] was backport since GA -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Thu Aug 2 10:24:05 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 2 Aug 2007 06:24:05 -0400 Subject: [Bug 200357] major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 In-Reply-To: Message-ID: <200708021024.l72AO5lx026399@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: major (public) security flaws fixed in firefox 1.5.0.5: CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803,CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200357 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|normal |medium Product|Fedora Core |Fedora -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Aug 2 12:38:43 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 2 Aug 2007 08:38:43 -0400 Subject: [Bug 241799] CVE-2007-2894: bochs guest OS local user DoS In-Reply-To: Message-ID: <200708021238.l72Cchjt012663@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2894: bochs guest OS local user DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799 lkundrak at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lkundrak at redhat.com ------- Additional Comments From lkundrak at redhat.com 2007-08-02 08:38 EST ------- Reopening this. Hans: this bug was reported against FC6. Could you please also update the FC6 version? Thanks. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Thu Aug 2 12:58:56 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Thu, 2 Aug 2007 08:58:56 -0400 Subject: fedora-security/audit fc6,1.227,1.228 Message-ID: <200708021258.l72CwuEf015612@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15592 Modified Files: fc6 Log Message: Walk through VULNERABLEs, clean them up a bit and ping developers. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.227 retrieving revision 1.228 diff -u -r1.227 -r1.228 --- fc6 2 Aug 2007 09:39:05 -0000 1.227 +++ fc6 2 Aug 2007 12:58:54 -0000 1.228 @@ -7,14 +7,13 @@ # Up to date CVE as of CVE email 20070801 # Up to date FC6 as of 20070802 -CVE-2007-4029 VULNERABLE (libvorbis) #245991 -CVE-2007-4168 VULNERABLE (libexif) #243892 -CVE-2007-3841 WTF (pidgin) +CVE-2007-4029 VULNERABLE (libvorbis) #250600 +CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] +CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) CVE-2007-3782 ** (mysql) CVE-2007-3781 ** (mysql) -CVE-2007-3713 VULNERABLE (centericq) #247979 CVE-2007-3508 ignore (glibc) not an issue CVE-2007-3506 backport (freetype, fixed 2.3.4) #235479 [since FEDORA-2007-561] CVE-2007-3409 version (perl-Net-DNS, fixed 0.60) #245809 @@ -28,9 +27,9 @@ CVE-2007-3304 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-3257 backport (evolution) #244287 [since FEDORA-2007-594] CVE-2007-3126 ignore (gimp) just a crash -CVE-2007-3106 VULNERABLE (libvorbis) #245991 +CVE-2007-3106 VULNERABLE (libvorbis) #250600 CVE-2007-2926 backport (bind, fixed 9.4.1) [since FEDORA-2007-647] -*CVE-2007-2894 VULNERABLE (bochs) #241799 +CVE-2007-2894 VULNERABLE (bochs) #241799 CVE-2007-2876 version (kernel, fixed 2.6.21.5) [since FEDORA-2007-600] CVE-2007-2875 version (kernel) [since FEDORA-2007-600] *CVE-2007-2874 (wpa_supplicant) #242455 @@ -44,7 +43,7 @@ CVE-2007-2453 version (kernel) [since FEDORA-2007-600] CVE-2007-2451 version (kernel, fixed 2.6.21.4) [since FEDORA-2007-600] CVE-2007-2445 backport (libpng) #239542 [since FEDORA-2007-529] -CVE-2007-2438 VULNERABLE (vim) #238734 +CVE-2007-2438 version (vim, fixed 7.0.235) #238734 [since FEDORA-2007-492] CVE-2007-2242 version (kernel) [since FEDORA-2007-482] CVE-2007-2138 version (postgresql, fixed 8.1.9) [since FEDORA-2007-565] CVE-2007-2028 backport (freeradius) [since FEDORA-2007-499] @@ -56,13 +55,13 @@ CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] -CVE-2007-1565 ignore (konqueror) client crash -CVE-2007-1564 vulnerable (konqueror) +CVE-2007-1565 ignore (kdebase) client crash +CVE-2007-1564 ignore (kdebase) Correct behavior according to RFC CVE-2007-1562 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-1558 backport (evolution) #235290 [since FEDORA-2007-484] CVE-2007-1536 backport (file, fixed 4.20) #233164 [since FEDORA-2007-391] CVE-2007-1475 ignore (php) unshipped ibase extension -CVE-2007-1420 VULNERABLE (mysql, fixed 5.0.36) #232604 +CVE-2007-1420 ignore (mysql, fixed 5.0.36) #232604 mysql_safe keeps the server alive CVE-2007-1413 ignore (php) Windows NT SNMP specific CVE-2007-1412 ignore (php) unshipped cpdf extension CVE-2007-1411 ignore (php) unshipped mssql extension @@ -89,18 +88,18 @@ CVE-2007-0770 ignore (ImageMagick) only if incomplete CVE-2006-5456 CVE-2007-0720 ignore (cups, fixed 1.2.7) cups is already updated CVE-2007-0650 ignore (tetex) needs user's assistance -CVE-2007-0537 VULNERABLE (kdebase) #225420 +CVE-2007-0537 backport (kdebase) #225420 [since FEDORA-2007-195] CVE-2007-0494 version (bind, fixed 9.3.4) #225268 [since FEDORA-2007-147] CVE-2007-0493 version (bind, fixed 9.3.4) #224443 [since FEDORA-2007-147] CVE-2007-0459 version (wireshark, fixed 0.99.5) #227140 CVE-2007-0458 version (wireshark, fixed 0.99.5) #227140 CVE-2007-0457 version (wireshark, fixed 0.99.5) #227140 CVE-2007-0456 version (wireshark, fixed 0.99.5) #227140 -CVE-2007-0455 VULNERABLE (gd) #224610 +CVE-2007-0455 backport (gd) #224610 [since FEDORA-2007-149] CVE-2007-0451 version (spamassassin, fixed 3.1.8) [since FEDORA-2007-241] CVE-2007-0248 version (squid, fixed 2.6.STABLE7) [since FEDORA-2007-073] CVE-2007-0247 version (squid, fixed 2.6.STABLE7) #222883 [since FEDORA-2007-073] -CVE-2007-0235 VULNERABLE (libgtop2) #222637 not sure, will triage +CVE-2007-0235 VULNERABLE (libgtop2) #222637 CVE-2007-0104 ignore (poppler) only client DoS CVE-2007-0104 ignore (kdegraphics) only client DoS CVE-2007-0086 ignore (apache) not a security issue @@ -111,12 +110,12 @@ CVE-2007-0006 backport (kernel, fixed in -mm) [since FEDORA-2007-226] CVE-2007-0005 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0002 version (libwpd, fixed 0.8.9) #222808 [since FEDORA-2007-351] -CVE-2006-6939 VULNERABLE (ed, fixed 0.3) #223075 +CVE-2006-6939 version (ed, fixed 0.3) #223075 [since FEDORA-2007-100] CVE-2006-6899 version (bluez-utils, fixed 2.23) CVE-2006-6870 version (avahi, fixed 0.6.16) #221440 [since FEDORA-2007-019] CVE-2006-6772 backport (w3m) #221484 [since FEDORA-2007-077] CVE-2006-6719 backport (wget) #221469 [since FEDORA-2007-043] -CVE-2006-6698 VULNERABLE (GConf2) #219280 +CVE-2006-6698 VULNERABLE (GConf2) #219280 wontfix CVE-2006-6660 ignore (kdelibs) client Dos only, not reproducible CVE-2006-6385 ignore (kernel) windows only CVE-2006-6383 ignore (php) safe mode isn't safe @@ -137,7 +136,7 @@ CVE-2006-6105 version (gdm, fixed 2.14.11) [since FEDORA-2006-1468] CVE-2006-6104 backport (mono, fixed 1.1.13.8.2) #220853 [since FEDORA-2007-067] CVE-2006-6097 backport (tar) [since FEDORA-2006-1393] -CVE-2006-6077 VULNERABLE (firefox) +CVE-2006-6077 version (firefox, fixed 1.5.0.10) [since FEDORA-2007-293] CVE-2006-6060 ignore (kernel, fixed 2.6.19-rc2) no NTFS support CVE-2006-6058 VULNERABLE (kernel, fixed **) CVE-2006-6057 VULNERABLE (kernel, fixed **) @@ -146,23 +145,23 @@ CVE-2006-6053 version (kernel, fixed 2.6.19.2) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 CVE-2006-5989 ignore (mod_auth_kerb) did not affect fc6 CVE-2006-5974 ignore (fetchmail, fixed 6.3.6) only 6.3.5 -CVE-2006-5973 VULNERABLE (dovecot, fixed 1.0.rc15) #216508 +CVE-2006-5973 version (dovecot, fixed 1.0.rc15) #216508 [since ???] CVE-2006-5925 backport (elinks) [since FEDORA-2006-1278] but was never vulneable as didn't have smbclient support CVE-2006-5876 version (libsoup) #223144 [since FEDORA-2007-109] CVE-2006-5871 version (kernel, fixed 2.6.10) CVE-2006-5868 VULNERABLE (ImageMagick, fixed 6.2.9.1) #217560 CVE-2006-5867 version (fetchmail, fixed 6.3.6) #221984 [since FEDORA-2007-042] -CVE-2006-5864 VULNERABLE (evince) #217672 +CVE-2006-5864 backport (evince) #217672 [since ???] CVE-2006-5823 version (kernel, fixed 2.6.19.2) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 CVE-2006-5794 backport (openssh, fixed 4.5) #214641 [since FEDORA-2006-1215] CVE-2006-5793 backport (libpng, fixed 1.2.13) #215405 [since FEDORA-2007-529] CVE-2006-5783 ignore (firefox) disputed -CVE-2006-5779 VULNERABLE (openldap, 2.3.29) #214768 +CVE-2006-5779 version (openldap, fixed 2.3.29) #214768 [since FEDORA-2007-467] CVE-2006-5757 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 CVE-2006-5753 backport (kernel, fixed 2.6.20.1) [since FEDORA-2007-291] CVE-2006-5752 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2006-5751 version (kernel, fixed 2.6.19, fixed 2.6.18.4) [since FEDORA-2006-1471] -CVE-2006-5749 VULNERABLE (kernel, fixed 2.6.20-rc2) +CVE-2006-5749 version (kernel, fixed 2.6.20-rc2) [since FEDORA-2007-335] CVE-2006-5748 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] CVE-2006-5748 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] CVE-2006-5747 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] @@ -187,9 +186,9 @@ CVE-2006-5463 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] CVE-2006-5462 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] CVE-2006-5462 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] -CVE-2006-5461 VULNERABLE (avahi, fixed 0.6.15) +CVE-2006-5461 version (avahi, fixed 0.6.15) [since FEDORA-2007-019] CVE-2006-5456 backport (ImageMagick) #210921 [since FEDORA-2006-1285] -CVE-2006-5397 VULNERABLE (libX11, 1.0.2 and 1.0.3 only) #213280 +CVE-2006-5397 backport (libX11, 1.0.2 and 1.0.3 only) #213280 [since FEDORA-2007-162] CVE-2006-5331 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] CVE-2006-5298 backport (mutt) [since FEDORA-2006-1063] CVE-2006-5297 backport (mutt) [since FEDORA-2006-1063] @@ -203,7 +202,7 @@ CVE-2006-5178 VULNERABLE (php) can't be fixed CVE-2006-5174 ignore (kernel, fixed 2.6.19-rc1) s390 only CVE-2006-5173 ignore (kernel, fixed 2.6.18) protected by exec-shield -CVE-2006-5170 VULNERABLE (nss_ldap, fixed 183) +CVE-2006-5170 version (nss_ldap, fixed 183) CVE-2006-5160 ignore (firefox) unverified CVE-2006-5159 ignore (firefox) unverified CVE-2006-5158 version (kernel, fixed 2.6.15) @@ -228,7 +227,7 @@ CVE-2006-4623 version (kernel, fixed 2.6.18-rc1) CVE-2006-4600 version (openldap, fixed 2.3.25) CVE-2006-4574 version (wireshark, fixed 0.99.4) [since FEDORA-2006-1140] -CVE-2006-4573 VULNERABLE (screen) #212057 +CVE-2006-4573 version (screen, fixed 4.0.3) #212057 [since FEDORA-2007-106] CVE-2006-4572 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] CVE-2006-4571 version (thunderbird, fixed 1.5.0.7) CVE-2006-4571 version (firefox, fixed 1.5.0.7) @@ -707,7 +706,7 @@ CVE-2005-3753 version (kernel, fixed 2.6.14) CVE-2005-3745 ignore (struts, fixed 1.2.8) but not through tomcat CVE-2005-3732 version (ipsec-tools, fixed 0.6.3) -CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix +CVE-2005-3675 ignore (kernel) optack, not a bug CVE-2005-3671 version (openswan, fixed 2.4.4) CVE-2005-3662 version (netpbm) CVE-2005-3656 version (mod_auth_pgsql, fixed 2.0.3) @@ -1639,7 +1638,6 @@ CVE-2003-1303 version (php, fixed 4.3.3) CVE-2003-1302 version (php, fixed 4.3.1) CVE-2003-1265 VULNERABLE (thunderbird) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 -CVE-2003-1265 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 CVE-2003-1232 version (emacs, fixed 21.3) CVE-2003-1201 version (openldap, not 2.2) CVE-2003-1161 version (kernel, not released version) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Thu Aug 2 15:19:35 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Thu, 2 Aug 2007 11:19:35 -0400 Subject: fedora-security/audit fc6,1.228,1.229 Message-ID: <200708021519.l72FJZfb019873@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19784 Modified Files: fc6 Log Message: Updated the updated updates :) Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.228 retrieving revision 1.229 diff -u -r1.228 -r1.229 --- fc6 2 Aug 2007 12:58:54 -0000 1.228 +++ fc6 2 Aug 2007 15:19:32 -0000 1.229 @@ -12,6 +12,7 @@ CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) +CVE-2007-3798 version (tcpdump, fixed 3.9.7) #250290 [since FEDORA-2007-654] CVE-2007-3782 ** (mysql) CVE-2007-3781 ** (mysql) CVE-2007-3508 ignore (glibc) not an issue @@ -22,8 +23,10 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-653] CVE-2007-3378 ignore (php) safe mode escape CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245614 [since FEDORA-2007-609] +CVE-2007-3741 version (gimp, fixed 2.2.16) #247567 [since FEDORA-2007-627] CVE-2007-3304 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-3257 backport (evolution) #244287 [since FEDORA-2007-594] CVE-2007-3126 ignore (gimp) just a crash @@ -76,12 +79,12 @@ CVE-2007-1262 version (squirrelmail, fixed 1.4.10a) #239704 [since FEDORA-2007-505] CVE-2007-1218 backport (tcpdump) 232349 [since FEDORA-2007-347] CVE-2007-1006 version (ekiga, fixed 2.0.5) #229259 [since FEDORA-2007-322] -CVE-2007-1004 VULNERABLE (firefox, ...) +CVE-2007-1004 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=390627 CVE-2007-1003 backport (xorg-x11-server, fixed > X11R7.2) #235263 [since FEDORA-2007-425] CVE-2007-1002 backport (evolution) #233587 [since FEDORA-2007-393] CVE-2007-1000 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0998 backport (xen) #230295 [since FEDORA-2007-343] -CVE-2007-0981 VULNERABLE (firefox, ...) +CVE-2007-0981 version (mozilla) CVE-2007-0823 ignore (xterm) feature, not a bug CVE-2007-0822 ignore (util-linux) NULL dereference CVE-2007-0772 version (kernel) [since FEDORA-2007-291] @@ -130,7 +133,7 @@ CVE-2006-6144 ** krb5 CVE-2006-6143 ** krb5 CVE-2006-6142 backport (squirrelmail) #218297 [since FEDORA-2007-089] -CVE-2006-6128 VULNERABLE (kernel, fixed **) +CVE-2006-6128 VULNERABLE (kernel) #250625 CVE-2006-6107 VULNERABLE (dbus, fixed 1.0.2) #219665 CVE-2006-6106 version (kernel, fixed 2.6.19.2, fixed 2.6.20-rc5) [since FEDORA-2006-1471] CVE-2006-6105 version (gdm, fixed 2.14.11) [since FEDORA-2006-1468] @@ -138,8 +141,8 @@ CVE-2006-6097 backport (tar) [since FEDORA-2006-1393] CVE-2006-6077 version (firefox, fixed 1.5.0.10) [since FEDORA-2007-293] CVE-2006-6060 ignore (kernel, fixed 2.6.19-rc2) no NTFS support -CVE-2006-6058 VULNERABLE (kernel, fixed **) -CVE-2006-6057 VULNERABLE (kernel, fixed **) +CVE-2006-6058 VULNERABLE (kernel) #250623 +CVE-2006-6057 version (kernel, fixed kernel-2_6_20-1_2924_fc6) [since FEDORA-2007-432] CVE-2006-6056 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] was backport since FEDORA-2006-1471 CVE-2006-6054 version (kernel, fixed fixed 2.6.19.2) [since FEDORA-2007-058] CVE-2006-6053 version (kernel, fixed 2.6.19.2) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 @@ -167,7 +170,7 @@ CVE-2006-5747 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] CVE-2006-5747 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] CVE-2006-5706 ignore (php, fixed 5.2.0) safe mode isn't safe -CVE-2006-5701 VULNERABLE (kernel) squashfs is not included upstream +CVE-2006-5701 version (kernel, fixed kernel-2_6_20-1_2927_fc6) #219534 [since FEDORA-2007-600] CVE-2006-5633 ignore (firefox) just a client DoS CVE-2006-5619 version (kernel, fixed 2.6.18.2, fixed 2.6.19-rc4) [since FEDORA-2006-1223] CVE-2006-5595 version (wireshark, fixed 0.99.4) [since FEDORA-2006-1140] @@ -199,7 +202,7 @@ CVE-2006-5214 version (xorg-x11-xdm) CVE-2006-5214 ignore (kdebase) #212166 links to xinit Xsession CVE-2006-5214 VULNERABLE (xorg-x11-xinit) #212167 -CVE-2006-5178 VULNERABLE (php) can't be fixed +CVE-2006-5178 ignore (php) safe mode escape CVE-2006-5174 ignore (kernel, fixed 2.6.19-rc1) s390 only CVE-2006-5173 ignore (kernel, fixed 2.6.18) protected by exec-shield CVE-2006-5170 version (nss_ldap, fixed 183) @@ -240,10 +243,10 @@ CVE-2006-4566 version (firefox, fixed 1.5.0.7) CVE-2006-4565 version (thunderbird, fixed 1.5.0.7) CVE-2006-4565 version (firefox, fixed 1.5.0.7) -CVE-2006-4561 VULNERABLE (firefox) +CVE-2006-4561 ignore (firefox) An attacker needs to control DNS CVE-2006-4538 version (kernel, fixed after 2.6.18-rc6) CVE-2006-4535 version (kernel, fixed 2.6.18-rc6) -CVE-2006-4519 VULNERABLE (gimp) #247567 +CVE-2006-4519 version (gimp, fixed 2.2.16) #247567 [since FEDORA-2007-627] CVE-2006-4514 backport (libgsf) [since FEDORA-2006-1417] CVE-2006-4507 ignore (libtiff) can't reproduce CVE-2006-4486 version (php, fixed 5.1.6) @@ -660,7 +663,7 @@ CVE-2006-0035 version (kernel, only 2.6.14 and 2.6.15) CVE-2006-0019 version (kdelibs, fixed 3.5.1) CVE-2005-4811 version (kernel, fixed 2.6.13) -CVE-2005-4809 VULNERABLE (firefox) +CVE-2005-4809 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=390630 CVE-2005-4808 ignore (binutils, gas fixed 20050714) this is a bug CVE-2005-4807 ignore (binutils, gas fixed 20050721) this is a bug CVE-2005-4798 version (kernel, not 2.6) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Thu Aug 2 22:13:33 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 2 Aug 2007 18:13:33 -0400 Subject: [Bug 241799] CVE-2007-2894: bochs guest OS local user DoS In-Reply-To: Message-ID: <200708022213.l72MDXI7009560@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2894: bochs guest OS local user DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799 j.w.r.degoede at hhs.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|ERRATA |CURRENTRELEASE Fixed In Version|2.3-5.fc7 |2.3-5 ------- Additional Comments From j.w.r.degoede at hhs.nl 2007-08-02 18:13 EST ------- The FC-6 version was fixed at the same time as the F-7 version, but no bodhi, so no anouncement, closing again. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Fri Aug 3 07:20:33 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Fri, 3 Aug 2007 03:20:33 -0400 Subject: fedora-security/audit fc6,1.229,1.230 fc7,1.55,1.56 Message-ID: <200708030720.l737KXm0023972@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15790 Modified Files: fc6 fc7 Log Message: Updates Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.229 retrieving revision 1.230 diff -u -r1.229 -r1.230 --- fc6 2 Aug 2007 15:19:32 -0000 1.229 +++ fc6 3 Aug 2007 07:20:30 -0000 1.230 @@ -5,7 +5,7 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # Up to date CVE as of CVE email 20070801 -# Up to date FC6 as of 20070802 +# Up to date FC6 as of 20070803 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] @@ -32,7 +32,6 @@ CVE-2007-3126 ignore (gimp) just a crash CVE-2007-3106 VULNERABLE (libvorbis) #250600 CVE-2007-2926 backport (bind, fixed 9.4.1) [since FEDORA-2007-647] -CVE-2007-2894 VULNERABLE (bochs) #241799 CVE-2007-2876 version (kernel, fixed 2.6.21.5) [since FEDORA-2007-600] CVE-2007-2875 version (kernel) [since FEDORA-2007-600] *CVE-2007-2874 (wpa_supplicant) #242455 @@ -72,8 +71,8 @@ CVE-2007-1396 ignore (php) feature, not a flaw CVE-2007-1362 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-1357 version (kernel) [since FEDORA-2007-432] -CVE-2007-1352 VULNERABLE (libXfont) #235265 -CVE-2007-1351 VULNERABLE (libXfont) #235265 +CVE-2007-1352 fixed (libXfont) #235265 [since FEDORA-2007-423] +CVE-2007-1351 fixed (libXfont) #235265 [since FEDORA-2007-423] CVE-2007-1349 backport (mod_perl) [since FEDORA-2007-577] CVE-2007-1263 version (gnupg, fixed 1.4.7) [since FEDORA-2007-315] CVE-2007-1262 version (squirrelmail, fixed 1.4.10a) #239704 [since FEDORA-2007-505] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.55 retrieving revision 1.56 diff -u -r1.55 -r1.56 --- fc7 1 Aug 2007 15:19:31 -0000 1.55 +++ fc7 3 Aug 2007 07:20:30 -0000 1.56 @@ -5,7 +5,8 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Version: FEDORA-2007-1070 +# Up to date CVE as of CVE email 20070801 +# Up to date FC7 as of 20070802 CVE-NOID VULNERABLE (tor, fixed 0.1.2.15) #249840 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] @@ -56,6 +57,7 @@ CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 [since EDORA-2007-0668] +CVE-2007-3304 backport (httpd) #244665 [since FEDORA-2007-0704] CVE-2007-3257 backport (evolution) #244283 [since FEDORA-2007-0464] CVE-2007-3241 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] CVE-2007-3240 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] @@ -161,7 +163,8 @@ CVE-2007-1870 version (lighttpd, fixed 1.4.14) #236489 CVE-2007-1869 version (lighttpd, fixed 1.4.14) #236489 CVE-2007-1864 version (php, fixed 5.2.2) -*CVE-2007-1862 (httpd) +CVE-2007-1863 backport (httpd) #244665 [since FEDORA-2007-0704] +CVE-2007-1862 backport (httpd) #242606 [since FEDORA-2007-0704] *CVE-2007-1859 (xscreensaver) *CVE-2007-1858 (tomcat) CVE-2007-1856 backport (vixie-cron) #235882 vixie-cron-4.1-hardlink.patch @@ -190,10 +193,11 @@ CVE-2007-1583 version (php, fixed 5.2.2) CVE-2007-1565 ignore (konqueror) client crash CVE-2007-1564 vulnerable (konqueror) [#CVE-2007-1564] -CVE-2007-1562 version (firefox, seamonkey, thunderbird) #241840 +CVE-2007-1562 version (mozilla) #241840 CVE-2007-1560 version (squid, fixed 2.6.STABLE12) CVE-2007-1558 version (claws-mail, fixed 2.9.1) #237293 *CVE-2007-1558 backport (sylpheed, fixed 2.3.1-1) +*CVE-2007-1558 VULNERABLE (evolution) CVE-2007-1547 version (nas, fixed 1.8a-2) #233353 CVE-2007-1546 version (nas, fixed 1.8a-2) #233353 CVE-2007-1545 version (nas, fixed 1.8a-2) #233353 @@ -497,6 +501,7 @@ CVE-2006-5757 version (kernel, fixed 2.6.19) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 *CVE-2006-5754 (kernel) *CVE-2006-5753 backport (kernel, fixed 2.6.20.1) [since FEDORA-2007-291] +CVE-2006-5752 backport (httpd) #244665 [since FEDORA-2007-0704] CVE-2006-5751 version (kernel, fixed 2.6.19, fixed 2.6.18.4) [since FEDORA-2006-1471] *CVE-2006-5750 (jboss) *CVE-2006-5749 VULNERABLE (kernel, fixed 2.6.20-rc2) @@ -545,7 +550,7 @@ VE-2006-5295 version (clamav, fixed 0.88.5) #210973 *CVE-2006-5276 VULNERABLE (snort) #229265 CVE-2006-5229 ignore (openssh) not reproduced -*CVE-2006-5215 VULNERABLE (xorg-x11-xinit) #212167 +CVE-2006-5215 backport (xorg-x11-xinit) #212167 [since FEDORA-2007-1409] *CVE-2006-5215 version (xorg-x11-xdm) CVE-2006-5215 ignore (kdebase) #212166 links to xinit Xsession *CVE-2006-5214 VULNERABLE (xorg-x11-xinit) #212167 @@ -2210,7 +2215,7 @@ *CVE-2003-1295 (xscreensaver) *CVE-2003-1294 (xscreensaver) CVE-2003-1265 VULNERABLE (thunderbird) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 -CVE-2003-1265 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 +CVE-2003-1265 VULNERABLE (seamonkey) https://bugzilla.mozilla.org/show_bug.cgi?id=198442 CVE-2003-1232 version (emacs, fixed 21.3) CVE-2003-1201 version (openldap, not 2.2) CVE-2003-1161 version (kernel, not released version) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Fri Aug 3 14:21:09 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Fri, 3 Aug 2007 10:21:09 -0400 Subject: fedora-security/audit fc7,1.56,1.57 Message-ID: <200708031421.l73EL9Ch027133@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27096 Modified Files: fc7 Log Message: wordpress Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.56 retrieving revision 1.57 diff -u -r1.56 -r1.57 --- fc7 3 Aug 2007 07:20:30 -0000 1.56 +++ fc7 3 Aug 2007 14:21:06 -0000 1.57 @@ -10,6 +10,7 @@ CVE-NOID VULNERABLE (tor, fixed 0.1.2.15) #249840 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] +CVE-2007-4139 VULNERABLE (wordpress) #250751 CVE-2007-4029 VULNERABLE (libvorbis) #245991 CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Mon Aug 6 13:45:38 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 6 Aug 2007 09:45:38 -0400 Subject: [Bug 245211] Wordpress 2.2(.1): SQL injection, XSS, unrestricted file upload vulnerabilities In-Reply-To: Message-ID: <200708061345.l76DjcV9017718@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Wordpress 2.2(.1): SQL injection, XSS, unrestricted file upload vulnerabilities Alias: CVE-2007-3544 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245211 ------- Additional Comments From john at ncphotography.com 2007-08-06 09:45 EST ------- There has been no patch from upstream for this issue, and no response from them in response to my latest query on this issue. When upstream generates a patch, or replies that the current release is not vulnerable, I will update this bug. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Mon Aug 6 13:46:38 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 6 Aug 2007 09:46:38 -0400 Subject: fedora-security/audit fc7,1.57,1.58 Message-ID: <200708061346.l76DkcgS028625@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27482 Modified Files: fc7 Log Message: wordpress Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.57 retrieving revision 1.58 diff -u -r1.57 -r1.58 --- fc7 3 Aug 2007 14:21:06 -0000 1.57 +++ fc7 6 Aug 2007 13:46:35 -0000 1.58 @@ -10,6 +10,8 @@ CVE-NOID VULNERABLE (tor, fixed 0.1.2.15) #249840 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] +CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" +CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 CVE-2007-4029 VULNERABLE (libvorbis) #245991 CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 6 13:48:33 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 6 Aug 2007 09:48:33 -0400 Subject: fedora-security/audit fc7,1.58,1.59 Message-ID: <200708061348.l76DmXcS029089@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29051 Modified Files: fc7 Log Message: mediawiki was incorrectly tracked Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.58 retrieving revision 1.59 diff -u -r1.58 -r1.59 --- fc7 6 Aug 2007 13:46:35 -0000 1.58 +++ fc7 6 Aug 2007 13:48:30 -0000 1.59 @@ -265,7 +265,7 @@ *CVE-2007-1103 VULNERABLE (tor) #230927 CVE-2007-1092 version (seamonkey, fixed 1.0.8) CVE-2007-1055 version (mediawiki, fixed 1.8.3) -CVE-2007-1054 version (mediawiki, fixed 1.8.4) +CVE-2007-1054 VULNERABLE (mediawiki, fixed 1.9.3) CVE-2007-1049 version (wordpress, fixed 2.1.1) #229991 *CVE-2007-1036 (jboss) *CVE-2007-1030 (libevent) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 6 15:08:45 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 6 Aug 2007 11:08:45 -0400 Subject: fedora-security/audit fc6,1.230,1.231 fc7,1.59,1.60 Message-ID: <200708061508.l76F8jas025490@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24701 Modified Files: fc6 fc7 Log Message: dovecot Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.230 retrieving revision 1.231 diff -u -r1.230 -r1.231 --- fc6 3 Aug 2007 07:20:30 -0000 1.230 +++ fc6 6 Aug 2007 15:08:43 -0000 1.231 @@ -7,6 +7,7 @@ # Up to date CVE as of CVE email 20070801 # Up to date FC6 as of 20070803 +GENERIC-MAP-NOMATCH VULNERABLE (dovecot, fixed 1.0.3) #251009 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3841 ignore (pidgin) ethically disclosed Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.59 retrieving revision 1.60 diff -u -r1.59 -r1.60 --- fc7 6 Aug 2007 13:48:30 -0000 1.59 +++ fc7 6 Aug 2007 15:08:43 -0000 1.60 @@ -8,7 +8,8 @@ # Up to date CVE as of CVE email 20070801 # Up to date FC7 as of 20070802 -CVE-NOID VULNERABLE (tor, fixed 0.1.2.15) #249840 +GENERIC-MAP-NOMATCH VULNERABLE (dovecot, 1.0.3) #251008 +GENERIC-MAP-NOMATCH VULNERABLE (tor, fixed 0.1.2.15) #249840 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Mon Aug 6 17:58:10 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 6 Aug 2007 13:58:10 -0400 Subject: [Bug 247528] CVE-2007-3555: moodle cross site scripting vulnerability In-Reply-To: Message-ID: <200708061758.l76HwA00027999@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-3555: moodle cross site scripting vulnerability Alias: CVE-2007-3555 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247528 ------- Additional Comments From updates at fedoraproject.org 2007-08-06 13:58 EST ------- moodle-1.8.2-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Aug 6 17:58:14 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 6 Aug 2007 13:58:14 -0400 Subject: [Bug 247528] CVE-2007-3555: moodle cross site scripting vulnerability In-Reply-To: Message-ID: <200708061758.l76HwEv2028058@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-3555: moodle cross site scripting vulnerability Alias: CVE-2007-3555 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=247528 updates at fedoraproject.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |ERRATA Fixed In Version| |1.8.2-1.fc7 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Wed Aug 8 14:59:59 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 8 Aug 2007 10:59:59 -0400 Subject: fedora-security/audit fc6,1.231,1.232 Message-ID: <200708081459.l78ExxtY014708@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14500 Modified Files: fc6 Log Message: Good developers, good. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.231 retrieving revision 1.232 diff -u -r1.231 -r1.232 --- fc6 6 Aug 2007 15:08:43 -0000 1.231 +++ fc6 8 Aug 2007 14:59:57 -0000 1.232 @@ -31,6 +31,7 @@ CVE-2007-3304 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-3257 backport (evolution) #244287 [since FEDORA-2007-594] CVE-2007-3126 ignore (gimp) just a crash +CVE-2007-3108 VULNERABLE (openssl) #250574 CVE-2007-3106 VULNERABLE (libvorbis) #250600 CVE-2007-2926 backport (bind, fixed 9.4.1) [since FEDORA-2007-647] CVE-2007-2876 version (kernel, fixed 2.6.21.5) [since FEDORA-2007-600] @@ -54,8 +55,8 @@ CVE-2007-1863 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-1862 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-1861 version (kernel) [since FEDORA-2007-482] -CVE-2007-1856 VULNERABLE (vixie-cron) #235882 -CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 +CVE-2007-1856 backport (vixie-cron) #235882 [since ???] +CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 [sconklin] Developer busy -- next week. CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] CVE-2007-1565 ignore (kdebase) client crash @@ -102,7 +103,7 @@ CVE-2007-0451 version (spamassassin, fixed 3.1.8) [since FEDORA-2007-241] CVE-2007-0248 version (squid, fixed 2.6.STABLE7) [since FEDORA-2007-073] CVE-2007-0247 version (squid, fixed 2.6.STABLE7) #222883 [since FEDORA-2007-073] -CVE-2007-0235 VULNERABLE (libgtop2) #222637 +CVE-2007-0235 version (libgtop2, fixed 2.14.9) #222637 [since ???] CVE-2007-0104 ignore (poppler) only client DoS CVE-2007-0104 ignore (kdegraphics) only client DoS CVE-2007-0086 ignore (apache) not a security issue @@ -134,7 +135,7 @@ CVE-2006-6143 ** krb5 CVE-2006-6142 backport (squirrelmail) #218297 [since FEDORA-2007-089] CVE-2006-6128 VULNERABLE (kernel) #250625 -CVE-2006-6107 VULNERABLE (dbus, fixed 1.0.2) #219665 +CVE-2006-6107 backport (dbus, fixed 1.0.2) #219665 [since FEDORA-2006-1475] CVE-2006-6106 version (kernel, fixed 2.6.19.2, fixed 2.6.20-rc5) [since FEDORA-2006-1471] CVE-2006-6105 version (gdm, fixed 2.14.11) [since FEDORA-2006-1468] CVE-2006-6104 backport (mono, fixed 1.1.13.8.2) #220853 [since FEDORA-2007-067] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Wed Aug 8 17:11:28 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 8 Aug 2007 13:11:28 -0400 Subject: fedora-security/audit fc6,1.232,1.233 fc7,1.60,1.61 Message-ID: <200708081711.l78HBSH7014737@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14717 Modified Files: fc6 fc7 Log Message: Up to date as of today's CVENEW mails and Fedora updates. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.232 retrieving revision 1.233 diff -u -r1.232 -r1.233 --- fc6 8 Aug 2007 14:59:57 -0000 1.232 +++ fc6 8 Aug 2007 17:11:26 -0000 1.233 @@ -4,12 +4,14 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070801 -# Up to date FC6 as of 20070803 +# Up to date CVE as of CVE email 20070808 +# Up to date FC6 as of 20070808 -GENERIC-MAP-NOMATCH VULNERABLE (dovecot, fixed 1.0.3) #251009 +CVE-2007-4211 VULNERABLE (dovecot, fixed 1.0.3) #251009 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] +CVE-2007-3845 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 +CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) @@ -24,6 +26,7 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-653] CVE-2007-3378 ignore (php) safe mode escape CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245614 [since FEDORA-2007-609] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.60 retrieving revision 1.61 diff -u -r1.60 -r1.61 --- fc7 6 Aug 2007 15:08:43 -0000 1.60 +++ fc7 8 Aug 2007 17:11:26 -0000 1.61 @@ -5,10 +5,11 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070801 -# Up to date FC7 as of 20070802 +# Up to date CVE as of CVE email 20070808 +# Up to date FC7 as of 20070808 -GENERIC-MAP-NOMATCH VULNERABLE (dovecot, 1.0.3) #251008 +CVE-2007-4211 version (dovecot, 1.0.3) #251008 [since FEDORA-2007-1485] +CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16) GENERIC-MAP-NOMATCH VULNERABLE (tor, fixed 0.1.2.15) #249840 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" @@ -20,7 +21,9 @@ CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] -CVE-2007-3841 WTF (pidgin) +CVE-2007-3845 VULNERABLE (firefox, fixed 2.0.0.6) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 +CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" +CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) @@ -36,7 +39,7 @@ CVE-2007-3656 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3642 version (kernel, fixed 2.6.22.1) [since FEDORA-2007-1130] CVE-2007-3628 version (php-pear-Structures-DataGrid-DataSource-MDB2, fixed 0.1.10) -CVE-2007-3555 VULNERABLE (moodle) #247528 +CVE-2007-3555 version (moodle) #247528 [since FEDORA-2007-1445] CVE-2007-3546 ignore (nessus-core) Windows only CVE-2007-3528 version (dar, fixed 2.3.4) #246760 [since FEDORA-2007-0904] CVE-2007-3544 VULNERABLE (wordpress, NOT fixed 2.2.1) #245211 Incomplete fix for CVE-2007-3543 @@ -58,6 +61,7 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 [since EDORA-2007-0668] @@ -70,9 +74,10 @@ CVE-2007-3140 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] CVE-2007-3231 version (mecab, fixed 0.96) [since FEDORA-2007-0366] CVE-2007-3209 ignore (mail-notification, shipped with SSL enabled) +CVE-2007-3108 backport (openssl) #250574 [since FEDORA-2007-1444] CVE-2007-3106 VULNERABLE (libvorbis) #245991 -CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3099 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] +CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3165 VULNERABLE (tor, fixed 0.1.2.14) #244502 CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] @@ -199,6 +204,7 @@ CVE-2007-1564 vulnerable (konqueror) [#CVE-2007-1564] CVE-2007-1562 version (mozilla) #241840 CVE-2007-1560 version (squid, fixed 2.6.STABLE12) +CVE-2007-1558 version (balsa) [since FEDORA-2007-1447] CVE-2007-1558 version (claws-mail, fixed 2.9.1) #237293 *CVE-2007-1558 backport (sylpheed, fixed 2.3.1-1) *CVE-2007-1558 VULNERABLE (evolution) @@ -266,7 +272,7 @@ *CVE-2007-1103 VULNERABLE (tor) #230927 CVE-2007-1092 version (seamonkey, fixed 1.0.8) CVE-2007-1055 version (mediawiki, fixed 1.8.3) -CVE-2007-1054 VULNERABLE (mediawiki, fixed 1.9.3) +CVE-2007-1054 version (mediawiki, fixed 1.9.3) [since FEDORA-2007-1442] CVE-2007-1049 version (wordpress, fixed 2.1.1) #229991 *CVE-2007-1036 (jboss) *CVE-2007-1030 (libevent) @@ -480,7 +486,7 @@ *CVE-2006-6015 (pcre) CVE-2006-5989 ignore (mod_auth_kerb) did not affect fc6 CVE-2006-5974 ignore (fetchmail, fixed 6.3.6) only 6.3.5 -*CVE-2006-5973 VULNERABLE (dovecot, fixed 1.0.rc15) #216508 +CVE-2006-5973 version (dovecot, fixed 1.0.rc15) #216508 [since ???] *CVE-2006-5969 (fvwm) CVE-2006-5941 ignore (net-snmp) dupe CVE-2005-2177 *CVE-2006-5925 backport (elinks) [since FEDORA-2006-1278] but was never vulneable as didn't have smbclient support -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Thu Aug 9 15:53:22 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Thu, 9 Aug 2007 11:53:22 -0400 Subject: fedora-security/audit fc6, 1.233, 1.234 fc7, 1.61, 1.62 fe6, 1.131, 1.132 Message-ID: <200708091553.l79FrMGZ013240@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13200/audit Modified Files: fc6 fc7 fe6 Log Message: Add CVE-2007-3387 - xpdf integer overflow - which affects several packages Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.233 retrieving revision 1.234 diff -u -r1.233 -r1.234 --- fc6 8 Aug 2007 17:11:26 -0000 1.233 +++ fc6 9 Aug 2007 15:53:20 -0000 1.234 @@ -26,6 +26,10 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] +CVE-2007-3387 VULNERABLE (poppler) #251513 +CVE-2007-3387 VULNERABLE (tetex) #251515 +CVE-2007-3387 VULNERABLE (kdegraphics) #251511 +CVE-2007-3387 VULNERABLE (cups) #251518 CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-653] CVE-2007-3378 ignore (php) safe mode escape Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.61 retrieving revision 1.62 diff -u -r1.61 -r1.62 --- fc7 8 Aug 2007 17:11:26 -0000 1.61 +++ fc7 9 Aug 2007 15:53:20 -0000 1.62 @@ -61,6 +61,13 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3387 version (xpdf, fixed 3.02pl1) [since FEDORA-2007-1383] +CVE-2007-3387 VULNERABLE (tetex) #251514 +CVE-2007-3387 VULNERABLE (poppler) #251512 +CVE-2007-3387 VULNERABLE (kdegraphics) #251509 +CVE-2007-3387 VULNERABLE (koffice) #251522 +CVE-2007-3387 VULNERABLE (cups) #251519 +CVE-2007-3387 ** (libextractor) CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape Index: fe6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe6,v retrieving revision 1.131 retrieving revision 1.132 diff -u -r1.131 -r1.132 --- fe6 27 Jul 2007 15:56:53 -0000 1.131 +++ fe6 9 Aug 2007 15:53:20 -0000 1.132 @@ -14,6 +14,9 @@ CVE-2007-3543 ** (wordpress) #245211 CVE-2007-3528 VULNERABLE (dar, fixed 2.3.4) #246760 CVE-2007-3507 version (flac123, fixed 0.0.10) #246322 +CVE-2007-3387 version (xpdf, fixed 3.02pl1) +CVE-2007-3387 VULNERABLE (koffice) #251524 +CVE-2007-3387 ** (libextractor) CVE-2007-3241 ** (wordpress) #245211 CVE-2007-3240 ** (wordpress) #245211 CVE-2007-3239 ** (wordpress) #245211 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Thu Aug 9 16:00:16 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Thu, 9 Aug 2007 12:00:16 -0400 Subject: fedora-security/audit fc6,1.234,1.235 fc7,1.62,1.63 Message-ID: <200708091600.l79G0GTa014705@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14661 Modified Files: fc6 fc7 Log Message: ignores, ignores, ignores Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.234 retrieving revision 1.235 diff -u -r1.234 -r1.235 --- fc6 9 Aug 2007 15:53:20 -0000 1.234 +++ fc6 9 Aug 2007 16:00:14 -0000 1.235 @@ -7,6 +7,11 @@ # Up to date CVE as of CVE email 20070808 # Up to date FC6 as of 20070808 +CVE-2007-4255 ignore (php) msql extension not shipped +CVE-2007-4251 ignore (openoffice.org) just a crash +CVE-2007-4229 ignore (kdebase) just an ASSERT fail +CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped +CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 VULNERABLE (dovecot, fixed 1.0.3) #251009 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.62 retrieving revision 1.63 diff -u -r1.62 -r1.63 --- fc7 9 Aug 2007 15:53:20 -0000 1.62 +++ fc7 9 Aug 2007 16:00:14 -0000 1.63 @@ -8,6 +8,11 @@ # Up to date CVE as of CVE email 20070808 # Up to date FC7 as of 20070808 +CVE-2007-4255 ignore (php) msql extension not shipped +CVE-2007-4251 ignore (openoffice.org) just a crash +CVE-2007-4229 ignore (kdebase) just an ASSERT fail +CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped +CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 version (dovecot, 1.0.3) #251008 [since FEDORA-2007-1485] CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16) GENERIC-MAP-NOMATCH VULNERABLE (tor, fixed 0.1.2.15) #249840 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Fri Aug 10 02:11:04 2007 From: fedora-extras-commits at redhat.com (Christoph Trassl (trassl)) Date: Thu, 9 Aug 2007 22:11:04 -0400 Subject: fedora-security/audit fc7,1.63,1.64 Message-ID: <200708100211.l7A2B4uC005584@cvs-int.fedora.redhat.com> Author: trassl Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5508 Modified Files: fc7 Log Message: Added CVE-2007-3388 qt vulnerable Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.63 retrieving revision 1.64 diff -u -r1.63 -r1.64 --- fc7 9 Aug 2007 16:00:14 -0000 1.63 +++ fc7 10 Aug 2007 02:11:01 -0000 1.64 @@ -66,6 +66,7 @@ CVE-2007-3391 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] +CVE-2007-3388 VULNERABLE (qt, fixed qt-3.3.8-20070727) patch available: 170529.diff CVE-2007-3387 version (xpdf, fixed 3.02pl1) [since FEDORA-2007-1383] CVE-2007-3387 VULNERABLE (tetex) #251514 CVE-2007-3387 VULNERABLE (poppler) #251512 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Fri Aug 10 11:38:14 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Fri, 10 Aug 2007 07:38:14 -0400 Subject: fedora-security/audit fc7,1.64,1.65 Message-ID: <200708101138.l7ABcEBp005088@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5065 Modified Files: fc7 Log Message: qtpfsgui Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.64 retrieving revision 1.65 diff -u -r1.64 -r1.65 --- fc7 10 Aug 2007 02:11:01 -0000 1.64 +++ fc7 10 Aug 2007 11:38:12 -0000 1.65 @@ -108,6 +108,7 @@ CVE-2007-3023 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3007 ignore (php) safe mode isn't safe *CVE-2007-2975 (openfire) +CVE-2007-2956 VULNERABLE (qtpfsgui) #251674 CVE-2007-2949 version (gimp, fixed, 2.2.16) [since FEDORA-2007-0725] CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] CVE-2007-2925 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Fri Aug 10 14:48:43 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Fri, 10 Aug 2007 10:48:43 -0400 Subject: fedora-security/audit fc6,1.235,1.236 fc7,1.65,1.66 Message-ID: <200708101448.l7AEmhEQ032376@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32280/audit Modified Files: fc6 fc7 Log Message: Add fsplib issues affecting gftp 2.0.18 - see NVD for explanation of ignore Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.235 retrieving revision 1.236 diff -u -r1.235 -r1.236 --- fc6 9 Aug 2007 16:00:14 -0000 1.235 +++ fc6 10 Aug 2007 14:48:41 -0000 1.236 @@ -15,6 +15,8 @@ CVE-2007-4211 VULNERABLE (dovecot, fixed 1.0.3) #251009 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] +CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux +CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3845 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3841 ignore (pidgin) ethically disclosed @@ -126,6 +128,7 @@ CVE-2007-0006 backport (kernel, fixed in -mm) [since FEDORA-2007-226] CVE-2007-0005 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0002 version (libwpd, fixed 0.8.9) #222808 [since FEDORA-2007-351] +CVE-2006-7221 ignore (gftp) single zero byte overflow in fsplib CVE-2006-6939 version (ed, fixed 0.3) #223075 [since FEDORA-2007-100] CVE-2006-6899 version (bluez-utils, fixed 2.23) CVE-2006-6870 version (avahi, fixed 0.6.16) #221440 [since FEDORA-2007-019] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.65 retrieving revision 1.66 diff -u -r1.65 -r1.66 --- fc7 10 Aug 2007 11:38:12 -0000 1.65 +++ fc7 10 Aug 2007 14:48:41 -0000 1.66 @@ -21,6 +21,8 @@ CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 CVE-2007-4029 VULNERABLE (libvorbis) #245991 +CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux +CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] @@ -401,6 +403,7 @@ CVE-2007-0005 version (kernel, fixed 2.6.20) [since FEDORA-2007-335] CVE-2007-0002 version (libwpd, fixed 0.8.9) #222808 [since FEDORA-2007-351] CVE-2007-0001 ignore (kernel) rhel4 2.6.9 only known affected +CVE-2006-7221 ignore (gftp) single zero byte overflow in fsplib CVE-2006-7205 ignore (php) See NVD CVE-2006-7204 ignore (php) See NVD *CVE-2006-7197 (tomcat) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 13 12:22:25 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 13 Aug 2007 08:22:25 -0400 Subject: fedora-security/audit fc6,1.236,1.237 fc7,1.66,1.67 Message-ID: <200708131222.l7DCMP8d005300@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5215 Modified Files: fc6 fc7 Log Message: New kernel issue, some stuff fixed. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.236 retrieving revision 1.237 diff -u -r1.236 -r1.237 --- fc6 10 Aug 2007 14:48:41 -0000 1.236 +++ fc6 13 Aug 2007 12:22:22 -0000 1.237 @@ -19,12 +19,14 @@ CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3845 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" +CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) CVE-2007-3798 version (tcpdump, fixed 3.9.7) #250290 [since FEDORA-2007-654] CVE-2007-3782 ** (mysql) CVE-2007-3781 ** (mysql) +CVE-2007-3642 version (kernel, fixed 2.6.22) [since FEDORA-2007-655] CVE-2007-3508 ignore (glibc) not an issue CVE-2007-3506 backport (freetype, fixed 2.3.4) #235479 [since FEDORA-2007-561] CVE-2007-3409 version (perl-Net-DNS, fixed 0.60) #245809 @@ -69,7 +71,7 @@ CVE-2007-1863 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-1862 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-1861 version (kernel) [since FEDORA-2007-482] -CVE-2007-1856 backport (vixie-cron) #235882 [since ???] +CVE-2007-1856 backport (vixie-cron) #235882 [since FEDORA-2007-662] CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 [sconklin] Developer busy -- next week. CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] @@ -117,7 +119,7 @@ CVE-2007-0451 version (spamassassin, fixed 3.1.8) [since FEDORA-2007-241] CVE-2007-0248 version (squid, fixed 2.6.STABLE7) [since FEDORA-2007-073] CVE-2007-0247 version (squid, fixed 2.6.STABLE7) #222883 [since FEDORA-2007-073] -CVE-2007-0235 version (libgtop2, fixed 2.14.9) #222637 [since ???] +CVE-2007-0235 version (libgtop2, fixed 2.14.9) #222637 [since FEDORA-2007-657] CVE-2007-0104 ignore (poppler) only client DoS CVE-2007-0104 ignore (kdegraphics) only client DoS CVE-2007-0086 ignore (apache) not a security issue @@ -149,7 +151,7 @@ CVE-2006-6144 ** krb5 CVE-2006-6143 ** krb5 CVE-2006-6142 backport (squirrelmail) #218297 [since FEDORA-2007-089] -CVE-2006-6128 VULNERABLE (kernel) #250625 +CVE-2006-6128 patch (kernel) #250625 [since FEDORA-2007-226] This was bug in our patch, not upstream CVE-2006-6107 backport (dbus, fixed 1.0.2) #219665 [since FEDORA-2006-1475] CVE-2006-6106 version (kernel, fixed 2.6.19.2, fixed 2.6.20-rc5) [since FEDORA-2006-1471] CVE-2006-6105 version (gdm, fixed 2.14.11) [since FEDORA-2006-1468] @@ -217,7 +219,7 @@ CVE-2006-5215 VULNERABLE (xorg-x11-xinit) #212167 CVE-2006-5214 version (xorg-x11-xdm) CVE-2006-5214 ignore (kdebase) #212166 links to xinit Xsession -CVE-2006-5214 VULNERABLE (xorg-x11-xinit) #212167 +CVE-2006-5214 backport (xorg-x11-xinit) #212167 [since FEDORA-2007-659] CVE-2006-5178 ignore (php) safe mode escape CVE-2006-5174 ignore (kernel, fixed 2.6.19-rc1) s390 only CVE-2006-5173 ignore (kernel, fixed 2.6.18) protected by exec-shield Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.66 retrieving revision 1.67 diff -u -r1.66 -r1.67 --- fc7 10 Aug 2007 14:48:41 -0000 1.66 +++ fc7 13 Aug 2007 12:22:22 -0000 1.67 @@ -30,6 +30,7 @@ CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3845 VULNERABLE (firefox, fixed 2.0.0.6) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" +CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed CVE-2007-3820 ** (kdebase) #248537 CVE-2007-3799 ** (php) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 13 12:29:53 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 13 Aug 2007 08:29:53 -0400 Subject: fedora-security/audit fc7,1.67,1.68 Message-ID: <200708131229.l7DCTr7M005743@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5720 Modified Files: fc7 Log Message: xpdf issue fixed for tetex and cups Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.67 retrieving revision 1.68 diff -u -r1.67 -r1.68 --- fc7 13 Aug 2007 12:22:22 -0000 1.67 +++ fc7 13 Aug 2007 12:29:51 -0000 1.68 @@ -71,11 +71,11 @@ CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3388 VULNERABLE (qt, fixed qt-3.3.8-20070727) patch available: 170529.diff CVE-2007-3387 version (xpdf, fixed 3.02pl1) [since FEDORA-2007-1383] -CVE-2007-3387 VULNERABLE (tetex) #251514 +CVE-2007-3387 backport (tetex) #251514 [since FEDORA-2007-1547] CVE-2007-3387 VULNERABLE (poppler) #251512 CVE-2007-3387 VULNERABLE (kdegraphics) #251509 CVE-2007-3387 VULNERABLE (koffice) #251522 -CVE-2007-3387 VULNERABLE (cups) #251519 +CVE-2007-3387 backport (cups) #251519 [since FEDORA-2007-1541] CVE-2007-3387 ** (libextractor) CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 13 13:05:49 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 13 Aug 2007 09:05:49 -0400 Subject: fedora-security/audit fc6,1.237,1.238 fc7,1.68,1.69 Message-ID: <200708131305.l7DD5nLc015187@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15057 Modified Files: fc6 fc7 Log Message: Firefox NUL injection was Windows specific. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.237 retrieving revision 1.238 diff -u -r1.237 -r1.238 --- fc6 13 Aug 2007 12:22:22 -0000 1.237 +++ fc6 13 Aug 2007 13:05:46 -0000 1.238 @@ -17,7 +17,7 @@ CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib -CVE-2007-3845 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 +CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.68 retrieving revision 1.69 diff -u -r1.68 -r1.69 --- fc7 13 Aug 2007 12:29:51 -0000 1.68 +++ fc7 13 Aug 2007 13:05:46 -0000 1.69 @@ -28,7 +28,7 @@ CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] -CVE-2007-3845 VULNERABLE (firefox, fixed 2.0.0.6) https://bugzilla.mozilla.org/show_bug.cgi?id=389580 +CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Wed Aug 15 07:17:14 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 15 Aug 2007 03:17:14 -0400 Subject: fedora-security/audit fc6,1.238,1.239 fc7,1.69,1.70 Message-ID: <200708150717.l7F7HE5e026109@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26082 Modified Files: fc6 fc7 Log Message: Up to date as of todays CVENEW Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.238 retrieving revision 1.239 diff -u -r1.238 -r1.239 --- fc6 13 Aug 2007 13:05:46 -0000 1.238 +++ fc6 15 Aug 2007 07:17:12 -0000 1.239 @@ -4,9 +4,11 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070808 +# Up to date CVE as of CVE email 20070814 # Up to date FC6 as of 20070808 +GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 +CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash CVE-2007-4229 ignore (kdebase) just an ASSERT fail @@ -17,6 +19,7 @@ CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib +CVE-2007-3852 VULNERABLE (sysstat) #252296 CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.69 retrieving revision 1.70 diff -u -r1.69 -r1.70 --- fc7 13 Aug 2007 13:05:46 -0000 1.69 +++ fc7 15 Aug 2007 07:17:12 -0000 1.70 @@ -5,9 +5,13 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070808 +# Up to date CVE as of CVE email 20070814 # Up to date FC7 as of 20070808 +GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 +CVE-2007-4357 ignore (firefox) status bar can be overwrittten +CVE-2007-4323 VULNERABLE (denyhosts) #252291 +CVE-2007-4321 VULNERABLE (fail2ban) #252290 CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash CVE-2007-4229 ignore (kdebase) just an ASSERT fail @@ -23,6 +27,7 @@ CVE-2007-4029 VULNERABLE (libvorbis) #245991 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib +CVE-2007-3852 VULNERABLE (sysstat) #252295 CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Wed Aug 15 08:13:32 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Wed, 15 Aug 2007 04:13:32 -0400 Subject: fedora-security/audit fc6,1.239,1.240 fc7,1.70,1.71 Message-ID: <200708150813.l7F8DW2O001353@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1331/audit Modified Files: fc6 fc7 Log Message: Various cleanups. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.239 retrieving revision 1.240 diff -u -r1.239 -r1.240 --- fc6 15 Aug 2007 07:17:12 -0000 1.239 +++ fc6 15 Aug 2007 08:13:30 -0000 1.240 @@ -41,7 +41,7 @@ CVE-2007-3387 VULNERABLE (poppler) #251513 CVE-2007-3387 VULNERABLE (tetex) #251515 CVE-2007-3387 VULNERABLE (kdegraphics) #251511 -CVE-2007-3387 VULNERABLE (cups) #251518 +CVE-2007-3387 VULNERABLE (cups) #251519 CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-653] CVE-2007-3378 ignore (php) safe mode escape Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.70 retrieving revision 1.71 diff -u -r1.70 -r1.71 --- fc7 15 Aug 2007 07:17:12 -0000 1.70 +++ fc7 15 Aug 2007 08:13:30 -0000 1.71 @@ -41,7 +41,7 @@ CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) CVE-2007-3782 ** (mysql) -CVE-2007-3770 ** (xfce-utils) +CVE-2007-3770 backport (terminal/xfce) update pending CVE-2007-3738 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3737 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3736 version (mozilla) #248518 [since FEDORA-2007-1138] @@ -78,9 +78,9 @@ CVE-2007-3387 version (xpdf, fixed 3.02pl1) [since FEDORA-2007-1383] CVE-2007-3387 backport (tetex) #251514 [since FEDORA-2007-1547] CVE-2007-3387 VULNERABLE (poppler) #251512 -CVE-2007-3387 VULNERABLE (kdegraphics) #251509 +CVE-2007-3387 backport (kdegraphics) #251509 [since FEDORA-2007-1594] CVE-2007-3387 VULNERABLE (koffice) #251522 -CVE-2007-3387 backport (cups) #251519 [since FEDORA-2007-1541] +CVE-2007-3387 backport (cups) #251518 [since FEDORA-2007-1541] CVE-2007-3387 ** (libextractor) CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] @@ -166,7 +166,7 @@ *CVE-2007-2444 (samba) CVE-2007-2443 version (krb5, 1.6.1) [since FEDORA-2007-0740] CVE-2007-2442 version (krb5, 1.6.1) [since FEDORA-2007-0740] -*CVE-2007-2438 VULNERABLE (vim) #238734 +CVE-2007-2438 version (vim, 7.0.235) #238734 [since FEDORA-2007-492] CVE-2007-2437 ignore (xorg-x11) DoS only *CVE-2007-2435 (java) *CVE-2007-2423 patch (moin, fixed 1.5.7-2) #238722 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Wed Aug 15 10:46:46 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 15 Aug 2007 06:46:46 -0400 Subject: fedora-security/audit fc6,1.240,1.241 fc7,1.71,1.72 Message-ID: <200708151046.l7FAkkq4024913@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24878 Modified Files: fc6 fc7 Log Message: kdegraphics, denyhosts -- up to date as of today Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.240 retrieving revision 1.241 diff -u -r1.240 -r1.241 --- fc6 15 Aug 2007 08:13:30 -0000 1.240 +++ fc6 15 Aug 2007 10:46:44 -0000 1.241 @@ -4,8 +4,8 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070814 -# Up to date FC6 as of 20070808 +# Up to date CVE as of CVE email 20070815 +# Up to date FC6 as of 20070815 GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 CVE-2007-4357 ignore (firefox) status bar can be overwrittten Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.71 retrieving revision 1.72 diff -u -r1.71 -r1.72 --- fc7 15 Aug 2007 08:13:30 -0000 1.71 +++ fc7 15 Aug 2007 10:46:44 -0000 1.72 @@ -5,12 +5,12 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070814 -# Up to date FC7 as of 20070808 +# Up to date CVE as of CVE email 20070815 +# Up to date FC7 as of 20070815 GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 CVE-2007-4357 ignore (firefox) status bar can be overwrittten -CVE-2007-4323 VULNERABLE (denyhosts) #252291 +CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] CVE-2007-4321 VULNERABLE (fail2ban) #252290 CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash @@ -116,7 +116,7 @@ CVE-2007-3023 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3007 ignore (php) safe mode isn't safe *CVE-2007-2975 (openfire) -CVE-2007-2956 VULNERABLE (qtpfsgui) #251674 +CVE-2007-2956 backport (qtpfsgui) #251674 [since FEDORA-2007-1581] CVE-2007-2949 version (gimp, fixed, 2.2.16) [since FEDORA-2007-0725] CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] CVE-2007-2925 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Thu Aug 16 06:34:32 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Thu, 16 Aug 2007 02:34:32 -0400 Subject: fedora-security/audit fc7,1.72,1.73 Message-ID: <200708160634.l7G6YWBC009501@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9481 Modified Files: fc7 Log Message: Note resolved issues. Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.72 retrieving revision 1.73 diff -u -r1.72 -r1.73 --- fc7 15 Aug 2007 10:46:44 -0000 1.72 +++ fc7 16 Aug 2007 06:34:29 -0000 1.73 @@ -41,7 +41,7 @@ CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) CVE-2007-3782 ** (mysql) -CVE-2007-3770 backport (terminal/xfce) update pending +CVE-2007-3770 backport (terminal/xfce) [since FEDORA-2007-1620] CVE-2007-3738 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3737 version (mozilla) #248518 [since FEDORA-2007-1138] CVE-2007-3736 version (mozilla) #248518 [since FEDORA-2007-1138] @@ -67,7 +67,7 @@ CVE-2007-3474 ** (gd) CVE-2007-3473 ** (gd) CVE-2007-3472 ** (gd) -CVE-2007-3410 backport (HelixPlayer) #245838 [since CVE-2007-3410] +CVE-2007-3410 backport (HelixPlayer) #245838 [since FEDORA-2007-0756] CVE-2007-3409 version (perl-Net-DNS, fixed 0.60) #245807 CVE-2007-3393 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] CVE-2007-3392 version (wireshark, fixed 0.99.6) [since FEDORA-2007-0982] @@ -79,13 +79,13 @@ CVE-2007-3387 backport (tetex) #251514 [since FEDORA-2007-1547] CVE-2007-3387 VULNERABLE (poppler) #251512 CVE-2007-3387 backport (kdegraphics) #251509 [since FEDORA-2007-1594] -CVE-2007-3387 VULNERABLE (koffice) #251522 +CVE-2007-3387 backport (koffice) #251522 [since FEDORA-2007-1614] CVE-2007-3387 backport (cups) #251518 [since FEDORA-2007-1541] CVE-2007-3387 ** (libextractor) CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape -CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 [since EDORA-2007-0668] +CVE-2007-3377 version (perl-Net-DNS, fixed 0.60) #245612 [since FEDORA-2007-0668] CVE-2007-3304 backport (httpd) #244665 [since FEDORA-2007-0704] CVE-2007-3257 backport (evolution) #244283 [since FEDORA-2007-0464] CVE-2007-3241 version (wordpress, fixed 2.2.1) #245211 [since FEDORA-2007-0894] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Sun Aug 19 15:15:49 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 19 Aug 2007 11:15:49 -0400 Subject: [Bug 244502] CVE-2007-3165: tor < 0.1.2.14 information disclosure In-Reply-To: Message-ID: <200708191515.l7JFFnst030443@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-3165: tor < 0.1.2.14 information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244502 ------- Additional Comments From updates at fedoraproject.org 2007-08-19 11:15 EST ------- tor-0.1.2.16-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Aug 19 15:15:55 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 19 Aug 2007 11:15:55 -0400 Subject: [Bug 244502] CVE-2007-3165: tor < 0.1.2.14 information disclosure In-Reply-To: Message-ID: <200708191515.l7JFFtZ5030513@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-3165: tor < 0.1.2.14 information disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244502 updates at fedoraproject.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |ERRATA Fixed In Version| |0.1.2.16-1.fc7 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Aug 19 16:22:22 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 19 Aug 2007 12:22:22 -0400 Subject: [Bug 237533] CVE-2007-2165: proftpd auth bypass vulnerability In-Reply-To: Message-ID: <200708191622.l7JGMMLt000870@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2165: proftpd auth bypass vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Product|Fedora Extras |Fedora ------- Additional Comments From matthias at rpmforge.net 2007-08-19 12:22 EST ------- Still no patches backported to 1.3.0a, so I've at least pushed 1.3.1rc3 to devel (F8) since it fixes all know vulnerabilities, and should be more than stable enough for inclusion. Maybe later backporting it to all current releases would make sense... -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Mon Aug 20 09:44:40 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Mon, 20 Aug 2007 05:44:40 -0400 Subject: fedora-security/audit fc7,1.73,1.74 Message-ID: <200708200944.l7K9ieTj007118@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7100/audit Modified Files: fc7 Log Message: Updated tor package was released Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.73 retrieving revision 1.74 diff -u -r1.73 -r1.74 --- fc7 16 Aug 2007 06:34:29 -0000 1.73 +++ fc7 20 Aug 2007 09:44:37 -0000 1.74 @@ -18,8 +18,8 @@ CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 version (dovecot, 1.0.3) #251008 [since FEDORA-2007-1485] -CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16) -GENERIC-MAP-NOMATCH VULNERABLE (tor, fixed 0.1.2.15) #249840 +CVE-2007-4174 version (tor, fixed 0.1.2.16) [since FEDORA-2007-1674] +GENERIC-MAP-NOMATCH version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" @@ -99,7 +99,7 @@ CVE-2007-3106 VULNERABLE (libvorbis) #245991 CVE-2007-3099 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] -CVE-2007-3165 VULNERABLE (tor, fixed 0.1.2.14) #244502 +CVE-2007-3165 version (tor, fixed 0.1.2.14) #244502 [since FEDORA-2007-1674] CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 [since FEDORA-2007-0724] CVE-2007-3145 VULNERABLE (galeon) ** -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Mon Aug 20 16:01:59 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Mon, 20 Aug 2007 12:01:59 -0400 Subject: fedora-security/audit fc6,1.241,1.242 fc7,1.74,1.75 Message-ID: <200708201601.l7KG1xIE027242@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27214 Modified Files: fc6 fc7 Log Message: Up-to-date as of today Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.241 retrieving revision 1.242 diff -u -r1.241 -r1.242 --- fc6 15 Aug 2007 10:46:44 -0000 1.241 +++ fc6 20 Aug 2007 16:01:57 -0000 1.242 @@ -4,8 +4,8 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070815 -# Up to date FC6 as of 20070815 +# Up to date CVE as of CVE email 20070820 +# Up to date FC6 as of 20070820 GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 CVE-2007-4357 ignore (firefox) status bar can be overwrittten @@ -14,7 +14,7 @@ CVE-2007-4229 ignore (kdebase) just an ASSERT fail CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity -CVE-2007-4211 VULNERABLE (dovecot, fixed 1.0.3) #251009 +CVE-2007-4211 version (dovecot, fixed 1.0.3) #251009 [since FEDORA-2007-664] CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux @@ -39,9 +39,9 @@ CVE-2007-3390 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3389 version (wireshark, fixed 0.99.6) [since FEDORA-2007-628] CVE-2007-3387 VULNERABLE (poppler) #251513 -CVE-2007-3387 VULNERABLE (tetex) #251515 +CVE-2007-3387 backport (tetex) #251515 [since FEDORA-2007-669] CVE-2007-3387 VULNERABLE (kdegraphics) #251511 -CVE-2007-3387 VULNERABLE (cups) #251519 +CVE-2007-3387 backport (cups) #251519 [since FEDORA-2007-644] CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-653] CVE-2007-3378 ignore (php) safe mode escape @@ -50,7 +50,7 @@ CVE-2007-3304 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-3257 backport (evolution) #244287 [since FEDORA-2007-594] CVE-2007-3126 ignore (gimp) just a crash -CVE-2007-3108 VULNERABLE (openssl) #250574 +CVE-2007-3108 backport (openssl) #250574 [since FEDORA-2007-661] CVE-2007-3106 VULNERABLE (libvorbis) #250600 CVE-2007-2926 backport (bind, fixed 9.4.1) [since FEDORA-2007-647] CVE-2007-2876 version (kernel, fixed 2.6.21.5) [since FEDORA-2007-600] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.74 retrieving revision 1.75 diff -u -r1.74 -r1.75 --- fc7 20 Aug 2007 09:44:37 -0000 1.74 +++ fc7 20 Aug 2007 16:01:57 -0000 1.75 @@ -5,10 +5,13 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070815 -# Up to date FC7 as of 20070815 +# Up to date CVE as of CVE email 20070820 +# Up to date FC7 as of 20070820 +GENERIC-MAP-NOMATCH VULNERABLE (id3lib) #253553 +GENERIC-MAP-NOMATCH VULNERABLE (po4a) #253541 GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 +CVE-2007-4400 VULNERABLE (konversation) #253545 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] CVE-2007-4321 VULNERABLE (fail2ban) #252290 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Tue Aug 21 08:39:08 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Tue, 21 Aug 2007 04:39:08 -0400 Subject: fedora-security/audit fc6,1.242,1.243 fc7,1.75,1.76 Message-ID: <200708210839.l7L8d8s3000705@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv681 Modified Files: fc6 fc7 Log Message: Add CVE-2007-4131 - tar directory traversal. Update status of resolved issues. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.242 retrieving revision 1.243 diff -u -r1.242 -r1.243 --- fc6 20 Aug 2007 16:01:57 -0000 1.242 +++ fc6 21 Aug 2007 08:39:05 -0000 1.243 @@ -15,6 +15,7 @@ CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 version (dovecot, fixed 1.0.3) #251009 [since FEDORA-2007-664] +CVE-2007-4131 VULNERABLE (tar) #253684 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.75 retrieving revision 1.76 diff -u -r1.75 -r1.76 --- fc7 20 Aug 2007 16:01:57 -0000 1.75 +++ fc7 21 Aug 2007 08:39:05 -0000 1.76 @@ -14,12 +14,12 @@ CVE-2007-4400 VULNERABLE (konversation) #253545 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] -CVE-2007-4321 VULNERABLE (fail2ban) #252290 +CVE-2007-4321 backport (fail2ban) #252290 [since FEDORA-2007-0621] version since FEDORA-2007-1643 CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash CVE-2007-4229 ignore (kdebase) just an ASSERT fail -CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped -CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity +CVE-2007-4225 backport (kdebase) [since FEDORA-2007-1700] +CVE-2007-4224 backport (kdebase) [since FEDORA-2007-1700] CVE-2007-4211 version (dovecot, 1.0.3) #251008 [since FEDORA-2007-1485] CVE-2007-4174 version (tor, fixed 0.1.2.16) [since FEDORA-2007-1674] GENERIC-MAP-NOMATCH version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] @@ -27,10 +27,11 @@ CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 +CVE-2007-4131 VULNERABLE (tar) #253684 CVE-2007-4029 VULNERABLE (libvorbis) #245991 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib -CVE-2007-3852 VULNERABLE (sysstat) #252295 +CVE-2007-3852 backport (sysstat) #252295 [since FEDORA-2007-1697] CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] @@ -40,7 +41,7 @@ CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed -CVE-2007-3820 ** (kdebase) #248537 +CVE-2007-3820 backport (kdebase) #248537 [since FEDORA-2007-1700] CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) CVE-2007-3782 ** (mysql) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Wed Aug 22 07:52:47 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Aug 2007 03:52:47 -0400 Subject: [Bug 241799] CVE-2007-2894: bochs guest OS local user DoS In-Reply-To: Message-ID: <200708220752.l7M7qlId007217@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2894: bochs guest OS local user DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799 ------- Additional Comments From j.w.r.degoede at hhs.nl 2007-08-22 03:52 EST ------- Upstream wasn't happy about the report of a divide by zero error when feeding random data to the floppy driver (happened / reported only once). So they have investigated this issue again, and managed to find one divide by zero condition after all. That should explain and really fix: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894 See: https://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580 A new version of bochs with a fix for this included is building for all 3 supported Fedora releases as I type this. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Wed Aug 22 12:49:17 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Wed, 22 Aug 2007 08:49:17 -0400 Subject: fedora-security/audit fc6,1.243,1.244 fc7,1.76,1.77 Message-ID: <200708221249.l7MCnH82005926@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5806 Modified Files: fc6 fc7 Log Message: po4a, tomboy and id3lib got CVE names Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.243 retrieving revision 1.244 diff -u -r1.243 -r1.244 --- fc6 21 Aug 2007 08:39:05 -0000 1.243 +++ fc6 22 Aug 2007 12:49:15 -0000 1.244 @@ -7,7 +7,6 @@ # Up to date CVE as of CVE email 20070820 # Up to date FC6 as of 20070820 -GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash @@ -689,6 +688,7 @@ CVE-2005-4808 ignore (binutils, gas fixed 20050714) this is a bug CVE-2005-4807 ignore (binutils, gas fixed 20050721) this is a bug CVE-2005-4798 version (kernel, not 2.6) +CVE-2005-4790 (tomboy) #252294 CVE-2005-4784 ignore (glibc) struct dirent is big enough CVE-2005-4746 version (freeradius, fixed 1.0.5) CVE-2005-4745 version (freeradius, fixed 1.0.5) Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.76 retrieving revision 1.77 diff -u -r1.76 -r1.77 --- fc7 21 Aug 2007 08:39:05 -0000 1.76 +++ fc7 22 Aug 2007 12:49:15 -0000 1.77 @@ -8,9 +8,8 @@ # Up to date CVE as of CVE email 20070820 # Up to date FC7 as of 20070820 -GENERIC-MAP-NOMATCH VULNERABLE (id3lib) #253553 -GENERIC-MAP-NOMATCH VULNERABLE (po4a) #253541 -GENERIC-MAP-NOMATCH VULNERABLE (tomboy) #252294 +CVE-2007-4462 VULNERABLE (po4a) #253541 +CVE-2007-4460 VULNERABLE (id3lib) #253553 CVE-2007-4400 VULNERABLE (konversation) #253545 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] @@ -1226,6 +1225,7 @@ CVE-2005-4807 ignore (binutils, gas fixed 20050721) this is a bug CVE-2005-4803 version (graphviz, fixed 2.2.1) CVE-2005-4798 version (kernel, not 2.6) +CVE-2005-4790 VULNERABLE (tomboy) #252294 CVE-2005-4784 ignore (glibc) struct dirent is big enough CVE-2005-4746 version (freeradius, fixed 1.0.5) CVE-2005-4745 version (freeradius, fixed 1.0.5) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Wed Aug 22 19:09:15 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Aug 2007 15:09:15 -0400 Subject: [Bug 240396] CVE-2007-2654: xfsdump file permissions issue In-Reply-To: Message-ID: <200708221909.l7MJ9FOl000432@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2654: xfsdump file permissions issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240396 esandeen at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|cattelan at thebarn.com |esandeen at redhat.com ------- Additional Comments From esandeen at redhat.com 2007-08-22 15:09 EST ------- This is fixed in most recent xfsprogs 2.2.45, as of a couple months ago: http://oss.sgi.com/cgi-bin/cvsweb.cgi/xfs-cmds/xfsdump/fsr/xfs_fsr.c.diff?r1=1.27;r2=1.28 I've got most recent xfsprogs in F8test and F7 updates-testing; I'll try to get it pushed to F6 as well. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Thu Aug 23 10:30:41 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Thu, 23 Aug 2007 06:30:41 -0400 Subject: fedora-security/audit fc6,1.244,1.245 fc7,1.77,1.78 Message-ID: <200708231030.l7NAUfhs025558@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25528/audit Modified Files: fc6 fc7 Log Message: Update - latest CVE feed. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.244 retrieving revision 1.245 diff -u -r1.244 -r1.245 --- fc6 22 Aug 2007 12:49:15 -0000 1.244 +++ fc6 23 Aug 2007 10:30:39 -0000 1.245 @@ -4,7 +4,7 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070820 +# Up to date CVE as of CVE email 20070822 # Up to date FC6 as of 20070820 CVE-2007-4357 ignore (firefox) status bar can be overwrittten Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.77 retrieving revision 1.78 diff -u -r1.77 -r1.78 --- fc7 22 Aug 2007 12:49:15 -0000 1.77 +++ fc7 23 Aug 2007 10:30:39 -0000 1.78 @@ -5,7 +5,7 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070820 +# Up to date CVE as of CVE email 20070822 # Up to date FC7 as of 20070820 CVE-2007-4462 VULNERABLE (po4a) #253541 @@ -332,6 +332,7 @@ CVE-2007-0894 version (mediawiki, fixed 1.8.4) #228763 CVE-2007-0884 ignore (mimedefang 2.59/2.60 not shipped) #228757 CVE-2007-0857 version (moin, fixed 1.5.7) #228139 +CVE-2007-0844 VULNERABLE (pam_ssh, fixed 1.92) #253959 CVE-2007-0823 ignore (xterm) feature, not a bug CVE-2007-0822 ignore (util-linux) NULL dereference CVE-2007-0780 version (seamonkey, fixed 1.0.8) -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Thu Aug 23 19:04:51 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 23 Aug 2007 15:04:51 -0400 Subject: [Bug 245219] clamav < 0.90.3 multiple vulnerabilities In-Reply-To: Message-ID: <200708231904.l7NJ4p8A010585@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: clamav < 0.90.3 multiple vulnerabilities Alias: CVE-2007-3123 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=245219 crow at orangeblood.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |crow at orangeblood.org -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Aug 24 05:41:28 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 24 Aug 2007 01:41:28 -0400 Subject: [Bug 241799] CVE-2007-2894: bochs guest OS local user DoS In-Reply-To: Message-ID: <200708240541.l7O5fSZ6019704@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2894: bochs guest OS local user DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799 ------- Additional Comments From updates at fedoraproject.org 2007-08-24 01:41 EST ------- bochs-2.3-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Aug 24 05:41:34 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 24 Aug 2007 01:41:34 -0400 Subject: [Bug 241799] CVE-2007-2894: bochs guest OS local user DoS In-Reply-To: Message-ID: <200708240541.l7O5fYng019739@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-2894: bochs guest OS local user DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799 updates at fedoraproject.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |CLOSED Resolution|CURRENTRELEASE |ERRATA Fixed In Version|2.3-5 |2.3-7.fc7 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Fri Aug 24 10:27:39 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Fri, 24 Aug 2007 06:27:39 -0400 Subject: fedora-security/audit fc6, 1.245, 1.246 fc7, 1.78, 1.79 fe6, 1.132, 1.133 Message-ID: <200708241027.l7OARdGQ003692@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3670/audit Modified Files: fc6 fc7 fe6 Log Message: - CVE update - Fedora update - add CVE-2007-2958 Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.245 retrieving revision 1.246 diff -u -r1.245 -r1.246 --- fc6 23 Aug 2007 10:30:39 -0000 1.245 +++ fc6 24 Aug 2007 10:27:36 -0000 1.246 @@ -4,8 +4,8 @@ # *CVE are items that need verification for Fedora Core 6 # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) -# Up to date CVE as of CVE email 20070822 -# Up to date FC6 as of 20070820 +# Up to date CVE as of CVE email 20070823 +# Up to date FC6 as of 20070823 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4255 ignore (php) msql extension not shipped @@ -20,6 +20,7 @@ CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3852 VULNERABLE (sysstat) #252296 +CVE-2007-3847 VULNERABLE (httpd) #250756 CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.78 retrieving revision 1.79 diff -u -r1.78 -r1.79 --- fc7 23 Aug 2007 10:30:39 -0000 1.78 +++ fc7 24 Aug 2007 10:27:37 -0000 1.79 @@ -5,11 +5,12 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # A couple of first F7 updates were marked as FEDORA-2007-0001 -# Up to date CVE as of CVE email 20070822 -# Up to date FC7 as of 20070820 +# Up to date CVE as of CVE email 20070823 +# Up to date FC7 as of 20070823 -CVE-2007-4462 VULNERABLE (po4a) #253541 -CVE-2007-4460 VULNERABLE (id3lib) #253553 +CVE-2007-4510 VULNERABLE (clamav, 0.91.2) #253780 +CVE-2007-4462 version (po4a) #253541 [since FEDORA-2007-1763] +CVE-2007-4460 backport (id3lib) #253553 [since FEDORA-2007-1774] CVE-2007-4400 VULNERABLE (konversation) #253545 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4323 backport (denyhosts) #252291 [since FEDORA-2007-0589] @@ -27,7 +28,7 @@ CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 CVE-2007-4131 VULNERABLE (tar) #253684 -CVE-2007-4029 VULNERABLE (libvorbis) #245991 +CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3852 backport (sysstat) #252295 [since FEDORA-2007-1697] @@ -36,6 +37,8 @@ CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3947 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] CVE-2007-3946 version (lighttpd, fixed 1.4.16) #249162 [since FEDORA-2007-1299] +CVE-2007-3848 version (kernel) [since FEDORA-2007-1785] +CVE-2007-3847 VULNERABLE (httpd) #250755 CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 @@ -99,7 +102,7 @@ CVE-2007-3231 version (mecab, fixed 0.96) [since FEDORA-2007-0366] CVE-2007-3209 ignore (mail-notification, shipped with SSL enabled) CVE-2007-3108 backport (openssl) #250574 [since FEDORA-2007-1444] -CVE-2007-3106 VULNERABLE (libvorbis) #245991 +CVE-2007-3106 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-3099 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3100 version (iscsi-initiator-utils, fixed 6.2.0.865) [since FEDORA-2007-0543] CVE-2007-3165 version (tor, fixed 0.1.2.14) #244502 [since FEDORA-2007-1674] @@ -119,12 +122,13 @@ CVE-2007-3023 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3007 ignore (php) safe mode isn't safe *CVE-2007-2975 (openfire) +CVE-2007-2958 VULNERABLE (claws-mail) #254121 +CVE-2007-2958 VULNERABLE (sylpheed) #254123 CVE-2007-2956 backport (qtpfsgui) #251674 [since FEDORA-2007-1581] CVE-2007-2949 version (gimp, fixed, 2.2.16) [since FEDORA-2007-0725] CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] CVE-2007-2925 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] -*CVE-2007-2894 VULNERABLE (bochs) #241799 -CVE-2007-2894 ignore (bochs, unreproducible) #241799 +CVE-2007-2894 backport (bochs) #241799 [since FEDORA-2007-1778] CVE-2007-2893 patch (bochs, fixed 2.3-5) #241799 [since FEDORA-2007-1153] CVE-2007-2876 version (kernel, fixed 2.6.21.5) [ since FEDORA-2007-0409 ] CVE-2007-2874 remove-patch (wpa_supplicant) #242455 [since FEDORA-2007-0185] @@ -332,7 +336,7 @@ CVE-2007-0894 version (mediawiki, fixed 1.8.4) #228763 CVE-2007-0884 ignore (mimedefang 2.59/2.60 not shipped) #228757 CVE-2007-0857 version (moin, fixed 1.5.7) #228139 -CVE-2007-0844 VULNERABLE (pam_ssh, fixed 1.92) #253959 +CVE-2007-0844 version (pam_ssh, fixed 1.92) #253959 [since FEDORA-2007-1793] CVE-2007-0823 ignore (xterm) feature, not a bug CVE-2007-0822 ignore (util-linux) NULL dereference CVE-2007-0780 version (seamonkey, fixed 1.0.8) Index: fe6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe6,v retrieving revision 1.132 retrieving revision 1.133 diff -u -r1.132 -r1.133 --- fe6 9 Aug 2007 15:53:20 -0000 1.132 +++ fe6 24 Aug 2007 10:27:37 -0000 1.133 @@ -2,6 +2,7 @@ ** are items that need attention +CVE-2007-4510 VULNERABLE (clamav, 0.91.2) #253780 CVE-2007-3950 version (lighttpd, fixed 1.4.16) #249162 CVE-2007-3949 version (lighttpd, fixed 1.4.16) #249162 CVE-2007-3948 version (lighttpd, fixed 1.4.16) #249162 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Fri Aug 24 13:06:24 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Fri, 24 Aug 2007 09:06:24 -0400 Subject: fedora-security/audit fc6,1.246,1.247 fc7,1.79,1.80 Message-ID: <200708241306.l7OD6OZ9031672@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31650/audit Modified Files: fc6 fc7 Log Message: add star directory traversal Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.246 retrieving revision 1.247 diff -u -r1.246 -r1.247 --- fc6 24 Aug 2007 10:27:36 -0000 1.246 +++ fc6 24 Aug 2007 13:06:22 -0000 1.247 @@ -14,6 +14,7 @@ CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 version (dovecot, fixed 1.0.3) #251009 [since FEDORA-2007-664] +CVE-2007-4134 VULNERABLE (star, fixed 1.5a84) #254129 CVE-2007-4131 VULNERABLE (tar) #253684 CVE-2007-4029 VULNERABLE (libvorbis) #250600 CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.79 retrieving revision 1.80 diff -u -r1.79 -r1.80 --- fc7 24 Aug 2007 10:27:37 -0000 1.79 +++ fc7 24 Aug 2007 13:06:22 -0000 1.80 @@ -27,6 +27,7 @@ CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 +CVE-2007-4134 VULNERABLE (star, fixed 1.5a84) #254128 CVE-2007-4131 VULNERABLE (tar) #253684 CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Tue Aug 28 07:21:55 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Tue, 28 Aug 2007 03:21:55 -0400 Subject: fedora-security/audit fc6,1.247,1.248 fc7,1.80,1.81 Message-ID: <200708280721.l7S7LtKg015580@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15556/audit Modified Files: fc6 fc7 Log Message: Mostly Fedora updates. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.247 retrieving revision 1.248 diff -u -r1.247 -r1.248 --- fc6 24 Aug 2007 13:06:22 -0000 1.247 +++ fc6 28 Aug 2007 07:21:53 -0000 1.248 @@ -5,7 +5,7 @@ # (mozilla) = (firefox, seamonkey, thunderbird, yelp, devhelp, galeon, liferea. epiphany) # Up to date CVE as of CVE email 20070823 -# Up to date FC6 as of 20070823 +# Up to date FC6 as of 20070827 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4255 ignore (php) msql extension not shipped @@ -20,7 +20,7 @@ CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib -CVE-2007-3852 VULNERABLE (sysstat) #252296 +CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675] CVE-2007-3847 VULNERABLE (httpd) #250756 CVE-2007-3845 ignore (firefox) windows specific CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" @@ -77,7 +77,7 @@ CVE-2007-1862 backport (httpd) #244660 [since FEDORA-2007-615] CVE-2007-1861 version (kernel) [since FEDORA-2007-482] CVE-2007-1856 backport (vixie-cron) #235882 [since FEDORA-2007-662] -CVE-2007-1841 VULNERABLE (ipsec-tools) #238052 [sconklin] Developer busy -- next week. +CVE-2007-1841 backport (ipsec-tools) #238052 [since FEDORA-2007-665] CVE-2007-1797 backport (ImageMagick) #235075 [since FEDORA-2007-413] CVE-2007-1667 backport (libX11) [since FEDORA-2007-426] CVE-2007-1565 ignore (kdebase) client crash @@ -204,7 +204,7 @@ CVE-2006-5469 version (wireshark, fixed 0.99.4) [since FEDORA-2006-1140] CVE-2006-5468 version (wireshark, fixed 0.99.4) [since FEDORA-2006-1140] CVE-2006-5467 backport (ruby) #212396 [since FEDORA-2006-1109] -CVE-2006-5466 VULNERABLE (rpm) #212833 +CVE-2006-5466 version (rpm) #212833 [since FEDORA-2007-668] CVE-2006-5465 backport (php, fixed 5.2.0) #213732 [since FEDOA-2006-1169] CVE-2006-5464 version (thunderbird, fixed 1.5.0.8) [since FEDORA-2006-1192] CVE-2006-5464 version (firefox, fixed 1.5.0.8) [since FEDORA-2006-1191] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.80 retrieving revision 1.81 diff -u -r1.80 -r1.81 --- fc7 24 Aug 2007 13:06:22 -0000 1.80 +++ fc7 28 Aug 2007 07:21:53 -0000 1.81 @@ -6,8 +6,12 @@ # A couple of first F7 updates were marked as FEDORA-2007-0001 # Up to date CVE as of CVE email 20070823 -# Up to date FC7 as of 20070823 +# Up to date FC7 as of 20070827 +CVE-2007-4559 VULNERABLE (python) tarfile module - directory traversal +CVE-2007-4543 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4539 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4538 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] CVE-2007-4510 VULNERABLE (clamav, 0.91.2) #253780 CVE-2007-4462 version (po4a) #253541 [since FEDORA-2007-1763] CVE-2007-4460 backport (id3lib) #253553 [since FEDORA-2007-1774] @@ -27,7 +31,7 @@ CVE-2007-4153 ignore (wordpress) "remote authenticated administrators" CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 VULNERABLE (wordpress) #250751 -CVE-2007-4134 VULNERABLE (star, fixed 1.5a84) #254128 +CVE-2007-4134 version (star, fixed 1.5a84) #254128 [since FEDORA-2007-1852] CVE-2007-4131 VULNERABLE (tar) #253684 CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux @@ -124,7 +128,7 @@ CVE-2007-3007 ignore (php) safe mode isn't safe *CVE-2007-2975 (openfire) CVE-2007-2958 VULNERABLE (claws-mail) #254121 -CVE-2007-2958 VULNERABLE (sylpheed) #254123 +CVE-2007-2958 backport (sylpheed) #254123 [since FEDORA-2007-1841] CVE-2007-2956 backport (qtpfsgui) #251674 [since FEDORA-2007-1581] CVE-2007-2949 version (gimp, fixed, 2.2.16) [since FEDORA-2007-0725] CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Tue Aug 28 09:02:12 2007 From: fedora-extras-commits at redhat.com (Tomas Hoger (thoger)) Date: Tue, 28 Aug 2007 05:02:12 -0400 Subject: fedora-security/audit fc6,1.248,1.249 fc7,1.81,1.82 Message-ID: <200708280902.l7S92Cp9001562@cvs-int.fedora.redhat.com> Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1491/audit Modified Files: fc6 fc7 Log Message: More issues from CVE mail. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.248 retrieving revision 1.249 diff -u -r1.248 -r1.249 --- fc6 28 Aug 2007 07:21:53 -0000 1.248 +++ fc6 28 Aug 2007 09:02:09 -0000 1.249 @@ -65,6 +65,7 @@ CVE-2007-2868 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-2867 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-538] +CVE-2007-2797 version (xterm) CVE-2007-2453 version (kernel) [since FEDORA-2007-600] CVE-2007-2451 version (kernel, fixed 2.6.21.4) [since FEDORA-2007-600] CVE-2007-2445 backport (libpng) #239542 [since FEDORA-2007-529] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.81 retrieving revision 1.82 diff -u -r1.81 -r1.82 --- fc7 28 Aug 2007 07:21:53 -0000 1.81 +++ fc7 28 Aug 2007 09:02:09 -0000 1.82 @@ -9,10 +9,11 @@ # Up to date FC7 as of 20070827 CVE-2007-4559 VULNERABLE (python) tarfile module - directory traversal -CVE-2007-4543 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] -CVE-2007-4539 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] -CVE-2007-4538 version (bugzilla, 3.0.1) #256021 [since FEDORA-2007-1853] -CVE-2007-4510 VULNERABLE (clamav, 0.91.2) #253780 +CVE-2007-4543 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4542 VULNERABLE (mapserver, fixed 4.10.3) #256561 +CVE-2007-4539 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4538 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4510 VULNERABLE (clamav, fixed 0.91.2) #253780 CVE-2007-4462 version (po4a) #253541 [since FEDORA-2007-1763] CVE-2007-4460 backport (id3lib) #253553 [since FEDORA-2007-1774] CVE-2007-4400 VULNERABLE (konversation) #253545 @@ -24,7 +25,7 @@ CVE-2007-4229 ignore (kdebase) just an ASSERT fail CVE-2007-4225 backport (kdebase) [since FEDORA-2007-1700] CVE-2007-4224 backport (kdebase) [since FEDORA-2007-1700] -CVE-2007-4211 version (dovecot, 1.0.3) #251008 [since FEDORA-2007-1485] +CVE-2007-4211 version (dovecot, fixed 1.0.3) #251008 [since FEDORA-2007-1485] CVE-2007-4174 version (tor, fixed 0.1.2.16) [since FEDORA-2007-1674] GENERIC-MAP-NOMATCH version (tor, fixed 0.1.2.15) #249840 [since FEDORA-2007-1674] CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-0414] @@ -149,6 +150,7 @@ CVE-2007-2821 version (wordpress, fixed 2.2) #245211 [since FEDORA-2007-0894] CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-0836] CVE-2007-2798 version (krb5, 1.6.1) [since FEDORA-2007-0740] +CVE-2007-2797 version (xterm) fixed in fc5 and fc6 before f7 release CVE-2007-2768 ignore (openssh) needs pam OPIE which is not shipped. CVE-2007-2756 ignore (gd) DoS only CVE-2007-2754 backport (freetype) [since FEDORA-2007-0033] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Tue Aug 28 10:19:24 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Tue, 28 Aug 2007 06:19:24 -0400 Subject: fedora-security/audit fc7,1.82,1.83 Message-ID: <200708281019.l7SAJOFi017311@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17223 Modified Files: fc7 Log Message: 12:17 kto necommituje, bude pocas dlhych zimnych vecerov riesit konflikty... Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.82 retrieving revision 1.83 diff -u -r1.82 -r1.83 --- fc7 28 Aug 2007 09:02:09 -0000 1.82 +++ fc7 28 Aug 2007 10:19:21 -0000 1.83 @@ -13,6 +13,9 @@ CVE-2007-4542 VULNERABLE (mapserver, fixed 4.10.3) #256561 CVE-2007-4539 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] CVE-2007-4538 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] +CVE-2007-4534 VULNERABLE (vavoom) #256621 +CVE-2007-4533 VULNERABLE (vavoom) #256621 +CVE-2007-4532 VULNERABLE (vavoom) #256621 CVE-2007-4510 VULNERABLE (clamav, fixed 0.91.2) #253780 CVE-2007-4462 version (po4a) #253541 [since FEDORA-2007-1763] CVE-2007-4460 backport (id3lib) #253553 [since FEDORA-2007-1774] @@ -23,7 +26,9 @@ CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash CVE-2007-4229 ignore (kdebase) just an ASSERT fail +CVE-2007-4255 backport (kdelibs) [since FEDORA-2007-1699] CVE-2007-4225 backport (kdebase) [since FEDORA-2007-1700] +CVE-2007-4224 backport (kdelibs) [since FEDORA-2007-1699] CVE-2007-4224 backport (kdebase) [since FEDORA-2007-1700] CVE-2007-4211 version (dovecot, fixed 1.0.3) #251008 [since FEDORA-2007-1485] CVE-2007-4174 version (tor, fixed 0.1.2.16) [since FEDORA-2007-1674] @@ -34,6 +39,8 @@ CVE-2007-4139 VULNERABLE (wordpress) #250751 CVE-2007-4134 version (star, fixed 1.5a84) #254128 [since FEDORA-2007-1852] CVE-2007-4131 VULNERABLE (tar) #253684 +CVE-2007-4066 backport (libvorbis) #245991 [since FEDORA-2007-1765] +CVE-2007-4065 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib @@ -49,6 +56,7 @@ CVE-2007-3844 VULNERABLE (firefox) #250648 "fixed on next update" CVE-2007-3843 VULNERABLE (kernel) #246595 CVE-2007-3841 ignore (pidgin) ethically disclosed +CVE-2007-3820 backport (kdelibs) [since FEDORA-2007-1699] CVE-2007-3820 backport (kdebase) #248537 [since FEDORA-2007-1700] CVE-2007-3799 ** (php) CVE-2007-3781 ** (mysql) @@ -135,7 +143,7 @@ CVE-2007-2926 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] CVE-2007-2925 version (bind, fixed 9.4.1) [since FEDORA-2007-1247] CVE-2007-2894 backport (bochs) #241799 [since FEDORA-2007-1778] -CVE-2007-2893 patch (bochs, fixed 2.3-5) #241799 [since FEDORA-2007-1153] +CVE-2007-2893 backport (bochs, fixed 2.3-5) #241799 [since FEDORA-2007-1153] CVE-2007-2876 version (kernel, fixed 2.6.21.5) [ since FEDORA-2007-0409 ] CVE-2007-2874 remove-patch (wpa_supplicant) #242455 [since FEDORA-2007-0185] CVE-2007-2873 version (spamassassin, fixed 3.2.1) [since FEDORA-2007-0390] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From bugzilla at redhat.com Tue Aug 28 14:36:44 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 28 Aug 2007 10:36:44 -0400 Subject: [Bug 194511] CVE-2006-2894 arbitrary file read vulnerability In-Reply-To: Message-ID: <200708281436.l7SEaiA5012464@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2894 arbitrary file read vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=194511 mcepl at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |CLOSED Resolution| |INSUFFICIENT_DATA ------- Additional Comments From mcepl at redhat.com 2007-08-28 10:36 EST ------- We haven't got any reply to the last question about reproducability of the bug with Fedora Core 6, Fedora 7, or Fedora devel. Mass closing this bug, so if you have new information that would help us fix this bug, please reopen it with the additional information. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From fedora-extras-commits at redhat.com Tue Aug 28 16:44:22 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Tue, 28 Aug 2007 12:44:22 -0400 Subject: fedora-security/audit fc6,1.249,1.250 fc7,1.83,1.84 Message-ID: <200708281644.l7SGiMEm016044@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16021 Modified Files: fc6 fc7 Log Message: fetchmail and clamav Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.249 retrieving revision 1.250 diff -u -r1.249 -r1.250 --- fc6 28 Aug 2007 09:02:09 -0000 1.249 +++ fc6 28 Aug 2007 16:44:20 -0000 1.250 @@ -7,6 +7,7 @@ # Up to date CVE as of CVE email 20070823 # Up to date FC6 as of 20070827 +CVE-2007-4565 VULNERABLE (fetchmail) #260881 CVE-2007-4357 ignore (firefox) status bar can be overwrittten CVE-2007-4255 ignore (php) msql extension not shipped CVE-2007-4251 ignore (openoffice.org) just a crash Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.83 retrieving revision 1.84 diff -u -r1.83 -r1.84 --- fc7 28 Aug 2007 10:19:21 -0000 1.83 +++ fc7 28 Aug 2007 16:44:20 -0000 1.84 @@ -8,6 +8,8 @@ # Up to date CVE as of CVE email 20070823 # Up to date FC7 as of 20070827 +CVE-2007-4565 VULNERABLE (fetchmail) #260861 +CVE-2007-4560 VULNERABLE (clamav) #260583 CVE-2007-4559 VULNERABLE (python) tarfile module - directory traversal CVE-2007-4543 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] CVE-2007-4542 VULNERABLE (mapserver, fixed 4.10.3) #256561 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From fedora-extras-commits at redhat.com Tue Aug 28 16:48:32 2007 From: fedora-extras-commits at redhat.com (Kevin Fenzi (kevin)) Date: Tue, 28 Aug 2007 12:48:32 -0400 Subject: fedora-security/audit fc7,1.84,1.85 Message-ID: <200708281648.l7SGmWNe016271@cvs-int.fedora.redhat.com> Author: kevin Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16253 Modified Files: fc7 Log Message: Add star fixed cve Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.84 retrieving revision 1.85 diff -u -r1.84 -r1.85 --- fc7 28 Aug 2007 16:44:20 -0000 1.84 +++ fc7 28 Aug 2007 16:48:30 -0000 1.85 @@ -11,6 +11,7 @@ CVE-2007-4565 VULNERABLE (fetchmail) #260861 CVE-2007-4560 VULNERABLE (clamav) #260583 CVE-2007-4559 VULNERABLE (python) tarfile module - directory traversal +CVE-2007-4558 version (star, fixed 1.5a84) [since FEDORA-2007-1852] CVE-2007-4543 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] CVE-2007-4542 VULNERABLE (mapserver, fixed 4.10.3) #256561 CVE-2007-4539 version (bugzilla, fixed 3.0.1) #256021 [since FEDORA-2007-1853] -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From lkundrak at redhat.com Wed Aug 29 15:19:39 2007 From: lkundrak at redhat.com (Lubomir Kundrak) Date: Wed, 29 Aug 2007 17:19:39 +0200 Subject: Fedora 8 security flaws in Bugzilla Message-ID: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> Hi all, When Fedora 8 is out, the number of issues that affect two supported Fedora releases will raise. Currently issues are usually either common for Fedora Core 6 and some releases RHEL, (where the package is typically owned by a Red Hat employee who has to care about fixing the bug in supported products) or specific to what used to be Fedora Extras and Fedora 7. Traditionally, I did not use to care about Extras, but situation changed when Fedora 7 was out with Extras merged in. With Fedora 8 most issues will affect two Fedora releases and I am curious how are we going to track the issues in Bugzilla, and how will Bodhi -- the update system deal with it. 1.) We could clone bug for each supported release. This would be a bit impractical, because of redundant information and comments that would go to two different places. But this will play nicely with Bodhi and references in the update mails. 2.) We could file a bug in the Security Response product and create private tracking bugs. For Bodhi to be happy we would reference both parent bug and tracking bugs. Downside would be that developer would be confused with three bugs filed for one issue. Maybe the Description in the tracking bug would clarify this to him. 3.) Create a bug for Fedora devel and then use flags to denote which releases need fixing and/or were fixed; Maybe something like fc7-fixed, fc8-fixed with values like " " = don't know if is affected, "-" = doesn't need fixing, "?" = need fixing, "+" fixed. Bodhi could be made to respect the flags and only close the bugs if nothing = "?". Downside would be assignee -- packages don't have to be owned by the same owner in all branches. Or are we going to handle that in another way? SFM? Cheers, -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 From tibbs at math.uh.edu Wed Aug 29 15:40:32 2007 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: 29 Aug 2007 10:40:32 -0500 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> Message-ID: >>>>> "LK" == Lubomir Kundrak writes: LK> Or are we going to handle that in another way? SFM? If the problem is bodhi closing bugs that may need to remain open to track the issue in different branches, wouldn't it be far simpler for bodhi to grow the option to just not close referenced tickets? That way we could record information about which branches have been fixed in a freeform manner and not push a ton of flags or cloned tickets. - J< From lkundrak at redhat.com Wed Aug 29 16:02:21 2007 From: lkundrak at redhat.com (Lubomir Kundrak) Date: Wed, 29 Aug 2007 18:02:21 +0200 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> Message-ID: <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> On Wed, 2007-08-29 at 10:40 -0500, Jason L Tibbitts III wrote: > >>>>> "LK" == Lubomir Kundrak writes: > > LK> Or are we going to handle that in another way? SFM? > > If the problem is bodhi closing bugs that may need to remain open to > track the issue in different branches, wouldn't it be far simpler for > bodhi to grow the option to just not close referenced tickets? That > way we could record information about which branches have been fixed > in a freeform manner and not push a ton of flags or cloned tickets. If we went the flags way, it would imply modification similar to this to Bodhi. > - J< -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 From kevin at tummy.com Wed Aug 29 19:41:01 2007 From: kevin at tummy.com (Kevin Fenzi) Date: Wed, 29 Aug 2007 13:41:01 -0600 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> Message-ID: <20070829134101.01c94d91@ghistelwchlohm.scrye.com> On Wed, 29 Aug 2007 18:02:21 +0200 Lubomir Kundrak wrote: > On Wed, 2007-08-29 at 10:40 -0500, Jason L Tibbitts III wrote: > > >>>>> "LK" == Lubomir Kundrak writes: > > > > LK> Or are we going to handle that in another way? SFM? > > > > If the problem is bodhi closing bugs that may need to remain open to > > track the issue in different branches, wouldn't it be far simpler > > for bodhi to grow the option to just not close referenced tickets? > > That way we could record information about which branches have been > > fixed in a freeform manner and not push a ton of flags or cloned > > tickets. > > If we went the flags way, it would imply modification similar to this > to Bodhi. So there would need to be a flag for each supported release? Not sure if bugzilla can handle that. I seem to remember that the number of flags that can exist was limited. If however it can do this that might be a nice way to track things... Also, it would be nice if we added an alias for the CVE for a bug... so we could go to https://bugzilla.redhat.com/CVE-2007-NNNNN and get the bug. There was discussion about having someone from the security team ack 'Security' marked bugs in bodhi before they are pushed out. If we get that in place, we could just have that person close the bug, rather than have bodhi do so. kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From kevin at tummy.com Wed Aug 29 19:44:26 2007 From: kevin at tummy.com (Kevin Fenzi) Date: Wed, 29 Aug 2007 13:44:26 -0600 Subject: epel security Message-ID: <20070829134426.4f8d571c@ghistelwchlohm.scrye.com> Would it be possible and/or advisable for us to add some audit files for epel? EPEL has quite a few less packages than Fedora does, but we still need a way to track security issues, etc. If they are all in the same place then we can update them at the same time that Fedora releases audit files are updated. Thoughts? Concerns? Shall I just make them? kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From opensource at till.name Wed Aug 29 21:27:07 2007 From: opensource at till.name (Till Maas) Date: Wed, 29 Aug 2007 23:27:07 +0200 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> Message-ID: <200708292327.18614.opensource@till.name> On Mi August 29 2007, Jason L Tibbitts III wrote: > track the issue in different branches, wouldn't it be far simpler for > bodhi to grow the option to just not close referenced tickets? This option will be in Fedora's Bodhi once it gets updated afaik, which was planned for last week iirc. Regards, Till -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 827 bytes Desc: This is a digitally signed message part. URL: From bugzilla at redhat.com Thu Aug 30 07:39:34 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Aug 2007 03:39:34 -0400 Subject: [Bug 245219] clamav < 0.90.3 multiple vulnerabilities In-Reply-To: Message-ID: <200708300739.l7U7dYDt024179@bz-web1.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: clamav < 0.90.3 multiple vulnerabilities Alias: CVE-2007-3123 https://bugzilla.redhat.com/show_bug.cgi?id=245219 ------- Additional Comments From ondrejj at salstar.sk 2007-08-30 03:39 EST ------- Another problem is, that freshclam is writing to logs this: Reading CVD header (daily.cvd): Ignoring mirror 212.7.0.71 (too often connection s with outdated version) I think updating is not working properly. This does not happen always and I am unable to reproduce this on other machine. And last problem, libclamav is loading it's database a long time (aprox. 2-5 minutes). This bug can be also fixed with upgrade to clamav 0.91. What is the problem with releasing clamav-0.91.2 built in Koji? How can I help to release clamav updates with less time? My Fedora system is vulnerable to some vulnerabilities with old clamav. :-( -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Aug 30 07:45:30 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Aug 2007 03:45:30 -0400 Subject: [Bug 245219] clamav < 0.90.3 multiple vulnerabilities In-Reply-To: Message-ID: <200708300745.l7U7jUhP030496@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: clamav < 0.90.3 multiple vulnerabilities Alias: CVE-2007-3123 https://bugzilla.redhat.com/show_bug.cgi?id=245219 ondrejj at salstar.sk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ondrejj at salstar.sk -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From lkundrak at redhat.com Thu Aug 30 09:55:56 2007 From: lkundrak at redhat.com (Lubomir Kundrak) Date: Thu, 30 Aug 2007 11:55:56 +0200 Subject: epel security In-Reply-To: <20070829134426.4f8d571c@ghistelwchlohm.scrye.com> References: <20070829134426.4f8d571c@ghistelwchlohm.scrye.com> Message-ID: <1188467756.26377.164.camel@pluto.englab.brq.redhat.com> Hi Kevin, On Wed, 2007-08-29 at 13:44 -0600, Kevin Fenzi wrote: > Would it be possible and/or advisable for us to add some audit files > for epel? > > EPEL has quite a few less packages than Fedora does, but we still need > a way to track security issues, etc. If they are all in the same place > then we can update them at the same time that Fedora releases audit > files are updated. > > Thoughts? Concerns? > Shall I just make them? I still have no idea about how is EPEL securit ygoing to be handled. If it is going to be the same way as Fedora, please do add the audit files, and also generate manifests for epel. > > kevin Cheers, -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 From lkundrak at redhat.com Thu Aug 30 10:03:07 2007 From: lkundrak at redhat.com (Lubomir Kundrak) Date: Thu, 30 Aug 2007 12:03:07 +0200 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: <20070829134101.01c94d91@ghistelwchlohm.scrye.com> References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> <20070829134101.01c94d91@ghistelwchlohm.scrye.com> Message-ID: <1188468187.26377.173.camel@pluto.englab.brq.redhat.com> On Wed, 2007-08-29 at 13:41 -0600, Kevin Fenzi wrote: > On Wed, 29 Aug 2007 18:02:21 +0200 > Lubomir Kundrak wrote: > > > On Wed, 2007-08-29 at 10:40 -0500, Jason L Tibbitts III wrote: > > > >>>>> "LK" == Lubomir Kundrak writes: > > > > > > LK> Or are we going to handle that in another way? SFM? > > > > > > If the problem is bodhi closing bugs that may need to remain open to > > > track the issue in different branches, wouldn't it be far simpler > > > for bodhi to grow the option to just not close referenced tickets? > > > That way we could record information about which branches have been > > > fixed in a freeform manner and not push a ton of flags or cloned > > > tickets. > > > > If we went the flags way, it would imply modification similar to this > > to Bodhi. > > So there would need to be a flag for each supported release? > Not sure if bugzilla can handle that. I seem to remember that the > number of flags that can exist was limited. > > If however it can do this that might be a nice way to track things... I am thinking that when FC-34 comes out, it won't be nice to see empty flags for the unsupported releases. Probably the tracking bugs way with explanation for developer how to handle the security issue (and link to wiki page about handling Fedora security issues) would be nicer. > Also, it would be nice if we added an alias for the CVE for a bug... so > we could go to https://bugzilla.redhat.com/CVE-2007-NNNNN and get the > bug. Yes, we do that already. Moreover, we get most bugs we file against Fedora from CVE. I'll commit a script that clones bugs from CVE into bugzilla just as I make it independent from internal Red Hat tools. > There was discussion about having someone from the security team ack > 'Security' marked bugs in bodhi before they are pushed out. If we get > that in place, we could just have that person close the bug, rather > than have bodhi do so. The ack from security response would be in place primarily to ensure that all references to CVE and bugzilla are in place and correct. I'd rather prefer Bodhi do that and also add a nice comment. There are also other things I'd like Bodhi to do to make the process more consistent, I'll post that list once it is complete and request feature enhancement. > kevin Regards, -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 From kevin at tummy.com Thu Aug 30 16:21:47 2007 From: kevin at tummy.com (Kevin Fenzi) Date: Thu, 30 Aug 2007 10:21:47 -0600 Subject: epel security In-Reply-To: <1188467756.26377.164.camel@pluto.englab.brq.redhat.com> References: <20070829134426.4f8d571c@ghistelwchlohm.scrye.com> <1188467756.26377.164.camel@pluto.englab.brq.redhat.com> Message-ID: <20070830102147.77d76996@ghistelwchlohm.scrye.com> On Thu, 30 Aug 2007 11:55:56 +0200 Lubomir Kundrak wrote: > Hi Kevin, > > On Wed, 2007-08-29 at 13:44 -0600, Kevin Fenzi wrote: > > Would it be possible and/or advisable for us to add some audit files > > for epel? > > > > EPEL has quite a few less packages than Fedora does, but we still > > need a way to track security issues, etc. If they are all in the > > same place then we can update them at the same time that Fedora > > releases audit files are updated. > > > > Thoughts? Concerns? > > Shall I just make them? > > I still have no idea about how is EPEL securit ygoing to be handled. > If it is going to be the same way as Fedora, please do add the audit > files, and also generate manifests for epel. Well, It needs to be handled some way. I think adding it into the same framework as we use for Fedora is the best way to go now. I will go ahead and look at making audit and manifest files for epel this weekend perhaps and try an inital pass at checking packages against the audit. Unless someone comes up with a better idea before then. ;) kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From fedora-extras-commits at redhat.com Thu Aug 30 19:09:14 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Thu, 30 Aug 2007 15:09:14 -0400 Subject: fedora-security/audit fc7,1.85,1.86 Message-ID: <200708301909.l7UJ9EC6001995@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1977 Modified Files: fc7 Log Message: gqit Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.85 retrieving revision 1.86 diff -u -r1.85 -r1.86 --- fc7 28 Aug 2007 16:48:30 -0000 1.85 +++ fc7 30 Aug 2007 19:09:11 -0000 1.86 @@ -8,6 +8,7 @@ # Up to date CVE as of CVE email 20070823 # Up to date FC7 as of 20070827 +GENERIC-MAP-NOMATCH VULNERABLE (qgit) #268381 CVE-2007-4565 VULNERABLE (fetchmail) #260861 CVE-2007-4560 VULNERABLE (clamav) #260583 CVE-2007-4559 VULNERABLE (python) tarfile module - directory traversal -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits From lmacken at redhat.com Thu Aug 30 19:44:43 2007 From: lmacken at redhat.com (Luke Macken) Date: Thu, 30 Aug 2007 15:44:43 -0400 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> Message-ID: <20070830194443.GC2944@crow.myhome.westell.com> On Wed, Aug 29, 2007 at 10:40:32AM -0500, Jason L Tibbitts III wrote: > >>>>> "LK" == Lubomir Kundrak writes: > > LK> Or are we going to handle that in another way? SFM? > > If the problem is bodhi closing bugs that may need to remain open to > track the issue in different branches, wouldn't it be far simpler for > bodhi to grow the option to just not close referenced tickets? That > way we could record information about which branches have been fixed > in a freeform manner and not push a ton of flags or cloned tickets. I implemented this feature a little while back. You'll see it in the next production upgrade. luke From lmacken at redhat.com Thu Aug 30 19:49:53 2007 From: lmacken at redhat.com (Luke Macken) Date: Thu, 30 Aug 2007 15:49:53 -0400 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: <20070829134101.01c94d91@ghistelwchlohm.scrye.com> References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> <20070829134101.01c94d91@ghistelwchlohm.scrye.com> Message-ID: <20070830194953.GD2944@crow.myhome.westell.com> On Wed, Aug 29, 2007 at 01:41:01PM -0600, Kevin Fenzi wrote: > There was discussion about having someone from the security team ack > 'Security' marked bugs in bodhi before they are pushed out. If we get > that in place, we could just have that person close the bug, rather > than have bodhi do so. This needs to get approved by FESCo before it is implemented in bodhi. (It's actually partially implemented, and commented out at the moment). luke From bugzilla at redhat.com Thu Aug 30 19:57:15 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Aug 2007 15:57:15 -0400 Subject: [Bug 215136] CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow In-Reply-To: Message-ID: <200708301957.l7UJvFcW009862@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow https://bugzilla.redhat.com/show_bug.cgi?id=215136 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|normal |medium Product|Fedora Extras |Fedora -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Aug 30 20:00:57 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Aug 2007 16:00:57 -0400 Subject: [Bug 192830] CVE-2006-2453 Additional dia format string flaws In-Reply-To: Message-ID: <200708302000.l7UK0vt4011447@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2453 Additional dia format string flaws https://bugzilla.redhat.com/show_bug.cgi?id=192830 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |medium Priority|normal |medium Product|Fedora Extras |Fedora -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Aug 30 20:37:42 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 30 Aug 2007 16:37:42 -0400 Subject: [Bug 235013] CVE-2007-1804: pulseaudio 0.9.5 DoS In-Reply-To: Message-ID: <200708302037.l7UKbgpK020205@bz-web2.app.phx.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1804: pulseaudio 0.9.5 DoS https://bugzilla.redhat.com/show_bug.cgi?id=235013 bugzilla at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Product|Fedora Extras |Fedora drzeus-bugzilla at drzeus.cx changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |drzeus-bugzilla at drzeus.cx AssignedTo|drzeus-bugzilla at drzeus.cx |lpoetter at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From lkundrak at redhat.com Fri Aug 31 10:44:42 2007 From: lkundrak at redhat.com (Lubomir Kundrak) Date: Fri, 31 Aug 2007 12:44:42 +0200 Subject: Fedora 8 security flaws in Bugzilla In-Reply-To: <20070830194953.GD2944@crow.myhome.westell.com> References: <1188400779.26377.156.camel@pluto.englab.brq.redhat.com> <1188403341.26377.157.camel@pluto.englab.brq.redhat.com> <20070829134101.01c94d91@ghistelwchlohm.scrye.com> <20070830194953.GD2944@crow.myhome.westell.com> Message-ID: <1188557083.32578.6.camel@pluto.englab.brq.redhat.com> On Thu, 2007-08-30 at 15:49 -0400, Luke Macken wrote: > On Wed, Aug 29, 2007 at 01:41:01PM -0600, Kevin Fenzi wrote: > > There was discussion about having someone from the security team ack > > 'Security' marked bugs in bodhi before they are pushed out. If we get > > that in place, we could just have that person close the bug, rather > > than have bodhi do so. > > This needs to get approved by FESCo before it is implemented in bodhi. > (It's actually partially implemented, and commented out at the moment). I know. It wasn't discussed in FESCo due to time shortage, I was told to post it for comments on fedora-devel-list@ (by Jessie Keating) and I will do that shortly. > luke > > -- > Fedora-security-list mailing list > Fedora-security-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-security-list -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016 From fedora-extras-commits at redhat.com Fri Aug 31 16:23:05 2007 From: fedora-extras-commits at redhat.com (Lubomir Kundrak (lkundrak)) Date: Fri, 31 Aug 2007 12:23:05 -0400 Subject: fedora-security/audit fc7,1.86,1.87 Message-ID: <200708311623.l7VGN5rS016774@cvs-int.fedora.redhat.com> Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16753 Modified Files: fc7 Log Message: mapserver Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.86 retrieving revision 1.87 diff -u -r1.86 -r1.87 --- fc7 30 Aug 2007 19:09:11 -0000 1.86 +++ fc7 31 Aug 2007 16:23:03 -0000 1.87 @@ -8,6 +8,7 @@ # Up to date CVE as of CVE email 20070823 # Up to date FC7 as of 20070827 +CVE-2007-4629 VULNERABLE (mapserver, fixed 4.10.3) #272081 GENERIC-MAP-NOMATCH VULNERABLE (qgit) #268381 CVE-2007-4565 VULNERABLE (fetchmail) #260861 CVE-2007-4560 VULNERABLE (clamav) #260583 -- fedora-extras-commits mailing list fedora-extras-commits at redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits