From bugzilla at redhat.com Thu Feb 1 02:56:28 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 31 Jan 2007 21:56:28 -0500 Subject: [Bug 221023] CVE-2006-6808: wordpress 2.0.5 XSS vulnerability In-Reply-To: Message-ID: <200702010256.l112uS3Q006791@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6808: wordpress 2.0.5 XSS vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221023 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From jwb at redhat.com 2007-01-31 21:56 EST ------- updated to 2.1-0 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 1 02:57:23 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 31 Jan 2007 21:57:23 -0500 Subject: [Bug 223101] CVE-2007-0{106, 107, 109, 262}: Wordpress < 2.0.7 multiple vulnerabilities In-Reply-To: Message-ID: <200702010257.l112vNWL006849@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0{106,107,109,262}: Wordpress < 2.0.7 multiple vulnerabilities https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223101 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From jwb at redhat.com 2007-01-31 21:57 EST ------- updated to 2.1-0 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 1 02:58:09 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 31 Jan 2007 21:58:09 -0500 Subject: [Bug 225469] wordpress < 2.1 multiple vulnerabilities In-Reply-To: Message-ID: <200702010258.l112w9qS006890@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: wordpress < 2.1 multiple vulnerabilities https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225469 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From jwb at redhat.com 2007-01-31 21:58 EST ------- updated to 2.1-0 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 1 12:25:39 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 1 Feb 2007 07:25:39 -0500 Subject: [Bug 225919] CVE-2007-0619: chmlib < 0.3.9 arbitrary code execution In-Reply-To: Message-ID: <200702011225.l11CPdLW008512@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0619: chmlib < 0.3.9 arbitrary code execution https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225919 lemenkov at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From lemenkov at gmail.com 2007-02-01 07:25 EST ------- Thanks for mentioning this. I uploaded new version into FE several minutes ago. Let's wait a little ) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Feb 2 15:32:12 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 2 Feb 2007 10:32:12 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200702021532.l12FWCaa017043@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 ------- Additional Comments From matthias at rpmforge.net 2007-02-02 10:31 EST ------- I have to admit that I've been mostly lost lost with all these reports... Is it OK with how things stand now? (1.3.0a for F5 & F6, 1.3.1rc for F7) Is it still possible to rebuild for F3 and F4 at all? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Feb 2 19:26:16 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 2 Feb 2007 14:26:16 -0500 Subject: [Bug 194511] CVE-2006-2894 arbitrary file read vulnerability In-Reply-To: Message-ID: <200702021926.l12JQGoa002284@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2894 arbitrary file read vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194511 ------- Additional Comments From kengert at redhat.com 2007-02-02 14:26 EST ------- Adding reference to Mozilla bug. Looks like nobody is working on backporting the fix to the branch. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 13:18:58 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 08:18:58 -0500 Subject: [Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability In-Reply-To: Message-ID: <200702051318.l15DIwoA025486@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5815: proftpd unspecified vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |1.3.0a-1 ------- Additional Comments From matthias at rpmforge.net 2007-02-05 08:18 EST ------- CVE-2006-5815 is the remote code execution detailed here : http://www.securityfocus.com/archive/1/archive/1/452760/100/200/threaded It was fixed in 1.3.0a, which all supported branches (FC-5, FC-6 and FC-7) have been updated too, so I'll be closing this bug. For any other vulnerabilities, please open new bug reports (the mod_ctrls buffer overflow is already bug #219938). -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 13:22:47 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 08:22:47 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702051322.l15DMlMd025686@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |1.3.0a-1 ------- Additional Comments From matthias at rpmforge.net 2007-02-05 08:22 EST ------- As already written, the 1.3.0a + patches builds in all supported branches (FC-5, FC-6 and devel) have this bug fixed. If you feel this isn't the case and are able to reproduce the problem with those builds, please reopen this report. BTW, the latest 1.3.1rc still doesn't build for me on devel (soon to be Fedora 7)... but that's a different problem. Patches to my email address are welcome, though, as well as pointers to upstream bug reports which might contain some. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 19:50:17 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 14:50:17 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702051950.l15JoHnu030681@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Reopened Resolution|CURRENTRELEASE | ------- Additional Comments From ville.skytta at iki.fi 2007-02-05 14:50 EST ------- No reproducer here and this could use reviewing by someone better versed with C than myself, but reopening based on an observation: The patch which I gather fixes the reported issue in 1.3.1rc1, committed to CVS with log entry "Bug#2867 - Local authorized user buffer overflow in Controls request handling." is not yet applied in the current FE packages: http://proftp.cvs.sourceforge.net/proftp/proftpd/src/ctrls.c?r1=1.14&r2=1.15 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 19:52:11 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 14:52:11 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702051952.l15JqBOn030919@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 ------- Additional Comments From ville.skytta at iki.fi 2007-02-05 14:51 EST ------- Eh? I ticked the "reopen bug" radio button but all it did was added a "Reopened" keyword, bug status is still closed. Trying again. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 20:14:36 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 15:14:36 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702052014.l15KEaQK032693@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 ------- Additional Comments From bugzilla at redhat.com 2007-02-05 15:14 EST ------- Please try reopening again. Should be fixed now. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 20:39:48 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 15:39:48 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702052039.l15KdmR9002279@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |ASSIGNED -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 21:06:39 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 16:06:39 -0500 Subject: [Bug 227415] New: CVE-2007-0657 - vulnerability in Nexuiz 2.2.2 Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227415 Summary: CVE-2007-0657 - vulnerability in Nexuiz 2.2.2 Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: nexuiz AssignedTo: adrian at lisas.de ReportedBy: deisenst at gtw.net QAContact: extras-qa at fedoraproject.org CC: extras-qa at fedoraproject.org,fedora-security- list at redhat.com According to http://www.alientrap.org/devwiki/index.php?n=Nexuiz.Patch, Nexuiz 2.2.3 fixes a remote file read/write security hole: "fix severe remote file read/overwrite security hole in 'gamedir' command (2.2.1 was NOT affected as the command was new in 2.2.2)." It is CVE-2007-0657. Although it claims 2.2.1 (the current Fedora Extras release) is not affected, we may want to upgrade anyway? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 5 21:47:48 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 5 Feb 2007 16:47:48 -0500 Subject: [Bug 227415] CVE-2007-0657 - vulnerability in Nexuiz 2.2.2 In-Reply-To: Message-ID: <200702052147.l15LlmY6010232@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0657 - vulnerability in Nexuiz 2.2.2 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227415 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|Security | CC|fedora-security- | |list at redhat.com | ------- Additional Comments From ville.skytta at iki.fi 2007-02-05 16:47 EST ------- We discussed this a few days ago in PM with Adrian, and he said he'd take a look at bumping to 2.2.3 sometime, 2.2.2 will not be shipped. Given the above plan and non-affectedness of 2.2.1, this CVE is already marked as "ignore" in the CVS audit files -> removing security keyword and list from Cc. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Tue Feb 6 11:27:06 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 6 Feb 2007 06:27:06 -0500 Subject: [Bug 219938] CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow In-Reply-To: Message-ID: <200702061127.l16BR6lG020091@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219938 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |CURRENTRELEASE Fixed In Version|1.3.0a-1 |1.3.0a-3 ------- Additional Comments From matthias at rpmforge.net 2007-02-06 06:26 EST ------- Thanks a lot for the details, Ville. I've included the patch in FC-5, FC-6 and devel branches, and rebuilds are waiting for the next push. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From mjc at redhat.com Tue Feb 6 11:51:40 2007 From: mjc at redhat.com (Mark J Cox) Date: Tue, 6 Feb 2007 11:51:40 +0000 (GMT) Subject: Merging Core and Extras affecting security updates In-Reply-To: <20070128000845.932.0@paddy.troja.mff.cuni.cz> References: <20070128000845.932.0@paddy.troja.mff.cuni.cz> Message-ID: On Sun, 28 Jan 2007, Pavel Kankovsky wrote: > How much time does it take to get a new CVE number? Hours? Days? > How do you handle duplicate CVEs? (I don't know how often it happens > nowadays but they had some duplicate entries in the past.) Red Hat is a Candidate Naming Authority which means that for issues that are not already public we can assign names from our pool. Where an issue is public Mitre usually respond within a day or two. We can get them to respond faster if it's urgent (like some new issue that's critcial and going to get a lot of attention) >> NVD say these are "user complicit" and marked as local. > I think they got it wrong. See above. A severity rating system is useless to us if it reaches a level of complexity where 1) it's unlikely two researchers will assign the same values given the same conditions and 2) it takes longer to assign a severity rating than triage and fix the flaw. But based on your comments we do plan on looking at a sampling of more recent CVSS examples on NVD again and seeing if they're getting closer to being useful. Thanks, Mark -- Mark J Cox / Red Hat Security Response Team From mjc at redhat.com Tue Feb 6 11:55:31 2007 From: mjc at redhat.com (Mark J Cox) Date: Tue, 6 Feb 2007 11:55:31 +0000 (GMT) Subject: Merging Core and Extras affecting security updates In-Reply-To: <45BDC12B.3040000@gtw.net> References: <20070121110252.932.0@paddy.troja.mff.cuni.cz> <45BDC12B.3040000@gtw.net> Message-ID: > Does the Fedora Security Team maintain a database (or "flat file") stored out > in a Fedora CVS server somewhere that indicates status of any given CVE > issue? If it is there, is the "how to use it" documented anywhere? Is > manipulating this flat file the best way to get security bugs "into the > system" for review? Well there's a file in CVS for each Fedora: http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc6?root=fedora&view=markup It's actually more up to date than the header states though :) Thanks, Mark -- Mark J Cox / Red Hat Security Response Team From bugzilla at redhat.com Thu Feb 8 05:19:26 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 8 Feb 2007 00:19:26 -0500 Subject: [Bug 227791] New: CVE-2007-160: centericq buffer overflow Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 Summary: CVE-2007-160: centericq buffer overflow Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: centericq AssignedTo: andreas.bierfert at lowlatency.de ReportedBy: kevin at tummy.com QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com Description of problem: centericq is vulnerable to a buffer overflow in it's livejournal support. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0160 All fedora extras versions seem to be vulnerable. More info, and a patch that debian is using is at: http://mailman.linuxpl.org/pipermail/cicq/2007-January/004866.html -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 8 06:33:13 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 8 Feb 2007 01:33:13 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702080633.l186XDQp026968@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 ------- Additional Comments From andy at smile.org.ua 2007-02-08 01:33 EST ------- The patches are not allowed. Received error like following: "Can not connect to host www2.speedblue.org". I think the patches would be attached here directly. P.S. Just my 2 cents. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 8 09:40:18 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 8 Feb 2007 04:40:18 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702080940.l189eI4s005508@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 andreas.bierfert at lowlatency.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Severity|normal |high ------- Additional Comments From andreas.bierfert at lowlatency.de 2007-02-08 04:40 EST ------- Will look into the issue and try the debian patches asap. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 8 16:13:42 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 8 Feb 2007 11:13:42 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702081613.l18GDgNb004429@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 ------- Additional Comments From kevin at tummy.com 2007-02-08 11:13 EST ------- In reply to comment #1: yeah, those links look dead. ;( Hopefully the patches can be fetched via the debian package? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 8 16:21:44 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 8 Feb 2007 11:21:44 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702081621.l18GLivt005227@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 ------- Additional Comments From andreas.bierfert at lowlatency.de 2007-02-08 11:21 EST ------- Thats not a problem... I am just waiting to get home to grep them and make a test build +) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Feb 9 21:08:37 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 9 Feb 2007 16:08:37 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702092108.l19L8boC012296@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Security -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Feb 10 07:20:36 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 10 Feb 2007 02:20:36 -0500 Subject: [Bug 227791] CVE-2007-160: centericq buffer overflow In-Reply-To: Message-ID: <200702100720.l1A7Ka5G009819@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-160: centericq buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227791 andreas.bierfert at lowlatency.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From andreas.bierfert at lowlatency.de 2007-02-10 02:20 EST ------- Builds for fc{5,6} and devel have been queued. Thanks for reporting. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Feb 10 08:54:59 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 10 Feb 2007 03:54:59 -0500 Subject: [Bug 228138] New: CVE-2006-6979: amarok shell escaping issue Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228138 Summary: CVE-2006-6979: amarok shell escaping issue Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: amarok AssignedTo: gauret at free.fr ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6979 "The ruby handlers in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters." Not clear to me which, if any, versions of amarok in FE or upstream are affected. The referenced bugs.kde.org entry is open and there are no comments at the moment. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sat Feb 10 08:59:45 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sat, 10 Feb 2007 03:59:45 -0500 Subject: [Bug 228139] New: CVE-2007-0857: moin < 1.5.7 XSS issues Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228139 Summary: CVE-2007-0857: moin < 1.5.7 XSS issues Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: moin AssignedTo: matthias at rpmforge.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0857 "Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action." FC-5 and FC-6 seem affected, devel has been updated to 1.5.7 already. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 12 10:51:01 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 12 Feb 2007 05:51:01 -0500 Subject: [Bug 228139] CVE-2007-0857: moin < 1.5.7 XSS issues In-Reply-To: Message-ID: <200702121051.l1CAp144016385@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0857: moin < 1.5.7 XSS issues https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228139 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From matthias at rpmforge.net 2007-02-12 05:50 EST ------- Thanks a lot for pointing this out, as I had understood it was a regular "bugfix" update... rebuilds are tested and on their way. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 12 16:27:11 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 12 Feb 2007 11:27:11 -0500 Subject: [Bug 216706] CVE-2006-5793 libpng, libpng10 DoS In-Reply-To: Message-ID: <200702121627.l1CGRBxC006960@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5793 libpng, libpng10 DoS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216706 tgl at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |RAWHIDE ------- Additional Comments From tgl at redhat.com 2007-02-12 11:27 EST ------- libpng is updated to 1.2.16 for Fedora 7. As per bz #211705, the security issue is not considered serious enough to warrant back-patching. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 12 19:30:37 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 12 Feb 2007 14:30:37 -0500 Subject: [Bug 228139] CVE-2007-0857: moin < 1.5.7 XSS issues In-Reply-To: Message-ID: <200702121930.l1CJUb4N024293@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0857: moin < 1.5.7 XSS issues https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228139 matthias at rpmforge.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |1.5.7-1 ------- Additional Comments From matthias at rpmforge.net 2007-02-12 14:30 EST ------- Updates have now been pushed to FC-5 and FC-6 branches. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 19:15:56 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 14:15:56 -0500 Subject: [Bug 228138] CVE-2006-6979: amarok shell escaping issue In-Reply-To: Message-ID: <200702141915.l1EJFuxu032423@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6979: amarok shell escaping issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228138 ------- Additional Comments From gauret at free.fr 2007-02-14 14:15 EST ------- Bug fixed in amarok SVN, backported to amarok-1.4.5-2 and rebuilt for devel, FC-6 and FC-5. For reference : http://bugs.kde.org/show_bug.cgi?id=138499 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:38:50 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:38:50 -0500 Subject: [Bug 228757] New: CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228757 Summary: CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: mimedefang AssignedTo: redhat-bugzilla at linuxnetz.de ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0884 "Buffer overflow in Roaring Penguin MIMEDefang 2.59 and 2.60 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors." All FE releases are currently at 2.58 - it is unclear to me if that's affected. 2.61 is available in any case. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:41:27 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:41:27 -0500 Subject: [Bug 228757] CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow In-Reply-To: Message-ID: <200702142041.l1EKfRIt007969@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228757 redhat-bugzilla at linuxnetz.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:43:07 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:43:07 -0500 Subject: [Bug 228758] New: CVE-2007-0770: GraphicsMagick buffer overflow Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228758 Summary: CVE-2007-0770: GraphicsMagick buffer overflow Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: GraphicsMagick AssignedTo: andreas at bawue.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0770 "Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456." CVE-2006-5456 says that it is an issue with < 1.1.7, but the discussion in bug 210921 refers to a post-1.1.7 GraphicsMagick, so whether this affects the FE GraphicsMagick package should be investigated. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:46:54 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:46:54 -0500 Subject: [Bug 228757] CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow In-Reply-To: Message-ID: <200702142046.l1EKks05008461@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228757 ------- Additional Comments From redhat-bugzilla at linuxnetz.de 2007-02-14 15:46 EST ------- "Please note that versions 2.58 and earlier do NOT have the vulnerability." (from http://lists.roaringpenguin.com/pipermail/mimedefang/2007-February/ 032011.html) - I'll update mimedefang anyway to 2.61. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:50:26 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:50:26 -0500 Subject: [Bug 228763] New: CVE-2007-0894: mediawiki full path disclosure Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763 Summary: CVE-2007-0894: mediawiki full path disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: mediawiki AssignedTo: Axel.Thimm at ATrpms.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security- list at redhat.com,fedora at theholbrooks.org,roozbeh at farsiweb .info http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0894 "MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message." 1.8.3 (current FE6) in the CVE entry is not listed as vulnerable, don't know if the omission is intentional. And whether installation path disclosure is an issue with Fedora packages can also be debated, reporting here just in case there's more to it. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 20:54:40 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 15:54:40 -0500 Subject: [Bug 228764] New: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228764 Summary: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: moin AssignedTo: matthias at rpmforge.net ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com CVE's against moin 1.5.7, with little useful information available at the moment: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0902 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Wed Feb 14 21:45:42 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Feb 2007 16:45:42 -0500 Subject: [Bug 228763] CVE-2007-0894: mediawiki full path disclosure In-Reply-To: Message-ID: <200702142145.l1ELjgNQ012842@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0894: mediawiki full path disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763 Axel.Thimm at ATrpms.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From Axel.Thimm at ATrpms.net 2007-02-14 16:45 EST ------- Thanks for the heads-up (1.8.3 should be vulerable as well, it was probably forgotten in the list of vulnerable versions). Indeed for the package we aren't losing any more information than the attacker would already know (unless he doesn't even know he's attacking a Fedora server). For F7 upwards (and most possibly backporting to FC6/FC5) the code and data are being separated (code moves to %{_datadir}), so there won't be any direct requests possible at all. But this still needs some testing in F7/devel. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 15 10:11:48 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 15 Feb 2007 05:11:48 -0500 Subject: [Bug 228757] CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow In-Reply-To: Message-ID: <200702151011.l1FABmGe016959@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0884: mimedefang 2.59, 2.60 buffer overflow https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228757 redhat-bugzilla at linuxnetz.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From redhat-bugzilla at linuxnetz.de 2007-02-15 05:11 EST ------- 27596 (mimedefang): Build on target fedora-development-extras succeeded. 27600 (mimedefang): Build on target fedora-6-extras succeeded. 27599 (mimedefang): Build on target fedora-5-extras succeeded. Building mimedefang for EPEL isn't possible yet as a build requirement package is missing - but checked in the update there, too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 19 19:08:46 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 19 Feb 2007 14:08:46 -0500 Subject: [Bug 229205] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702191908.l1JJ8kcb002142@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229205 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Security CC| |fedora-security- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 19 19:08:45 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 19 Feb 2007 14:08:45 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702191908.l1JJ8jTI002138@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ville.skytta at iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Security CC| |fedora-security- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 19 19:24:56 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 19 Feb 2007 14:24:56 -0500 Subject: [Bug 229253] New: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229253 Summary: CVE-2007-0981: seamonkey cookie setting / same-domain bypass vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: seamonkey AssignedTo: kengert at redhat.com ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981 "Mozilla based browsers allows remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code." Seamonkey seems vulnerable. See also https://bugzilla.mozilla.org/show_bug.cgi?id=370445 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Mon Feb 19 20:34:12 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 19 Feb 2007 15:34:12 -0500 Subject: [Bug 229265] CVE-2006-5276 Vulnerability in Snort DCE/RPC Preprocessor In-Reply-To: Message-ID: <200702192034.l1JKYClM008989@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-5276 Vulnerability in Snort DCE/RPC Preprocessor https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229265 dennis at ausil.us changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-security- | |list at redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 22 09:03:08 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Feb 2007 04:03:08 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702220903.l1M938Fw032581@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 abuse at basmevissen.nl changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |abuse at basmevissen.nl -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 22 09:05:46 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Feb 2007 04:05:46 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702220905.l1M95kuA000651@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ------- Additional Comments From abuse at basmevissen.nl 2007-02-22 04:05 EST ------- This update will also fix the following warning in the logs: Last Status: WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.88.7 Recommended version: 0.90 DON'T PANIC! Read http://www.clamav.net/faq.html main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm) daily.cvd updated (version: 2623, sigs: 9598, f-level: 13, builder: ccordes) WARNING: Your ClamAV installation is OUTDATED! WARNING: Current functionality level = 10, recommended = 13 DON'T PANIC! Read http://www.clamav.net/faq.html Database updated (93549 signatures) from db.NL.clamav.net (IP: 145.58.27.1 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 22 10:17:03 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Feb 2007 05:17:03 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702221017.l1MAH3WZ005032@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 enrico.scholz at informatik.tu-chemnitz.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |0.88.7-2 ------- Additional Comments From enrico.scholz at informatik.tu-chemnitz.de 2007-02-22 05:17 EST ------- CVEs should be fixed by 0.88.7-2; freshclam warning is only a warning and I do not plan to update version FC-5/6 to 0.90 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 22 10:18:45 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Feb 2007 05:18:45 -0500 Subject: [Bug 229205] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702221018.l1MAIjv0005168@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229205 enrico.scholz at informatik.tu-chemnitz.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |CURRENTRELEASE Fixed In Version| |0.88.7-2 ------- Additional Comments From enrico.scholz at informatik.tu-chemnitz.de 2007-02-22 05:18 EST ------- thx, should be fixed by current release -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Thu Feb 22 11:50:55 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 22 Feb 2007 06:50:55 -0500 Subject: [Bug 228763] CVE-2007-0894: mediawiki full path disclosure In-Reply-To: Message-ID: <200702221150.l1MBotdA010656@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-0894: mediawiki full path disclosure https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228763 ------- Additional Comments From Axel.Thimm at ATrpms.net 2007-02-22 06:50 EST ------- There is an update of mediawiki which among other fixes this. FC-5 and FC-6 will be updated to 1.8.4. F7 will be updated to 1.9.3. I'll close this bug once the packages make it to the master repo. Thanks! -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From deisenst at gtw.net Fri Feb 23 03:17:52 2007 From: deisenst at gtw.net (David Eisenstein) Date: Thu, 22 Feb 2007 21:17:52 -0600 Subject: Seamonkey issues for FC5? re: Bug# 229253, CVE-2007-0981: seamonkey cookie ... vulnerability In-Reply-To: References: Message-ID: <45DE5CE0.8030407@gtw.net> Regarding this new security issue in Bugzilla, #229253, at This same issue ought to also exist in the FC5 seamonkey, which has been created and maintained as a Fedora Core Mozilla replacement, replacing a former seamonkey package in Fedora Extras. But now that seamonkey is in core, I don't see how we can file a bug for CVE-2007-0981 against FC5's Seamonkey? There exists no "seamonkey" component in Bugzilla for Fedora Core 5. Martin Stransky appears to be the fellow who has taken on work regarding Seamonkey for FC5, as the Mozilla replacement. Who should address fixing up Bugzilla's package database, so this so a bug can be properly filed on the FC5 version of Seamonkey for this CVE-2007-0981 issue and future issues, and an errata issued? The bug on "seamonkey missing as Fedora Core component," Bug #222811, has been open for a month with no response. Who properly owns it? . Thanks! Regards, David Eisenstein > Summary: CVE-2007-0981: seamonkey cookie setting / same-domain > bypass vulnerability > Product: Fedora Extras > Version: fc6 > Platform: All > OS/Version: Linux > Status: NEW > Severity: medium > Priority: normal > Component: seamonkey > AssignedTo: kengert at redhat.com > ReportedBy: ville.skytta at iki.fi > QAContact: extras-qa at fedoraproject.org > CC: fedora-security-list at redhat.com > > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0981 > > "Mozilla based browsers allows remote attackers to bypass the same origin > policy, steal cookies, and conduct other attacks by writing a URI with a null > byte to the hostname (location.hostname) DOM property, due to interactions with > DNS resolver code." > > Seamonkey seems vulnerable. See also > https://bugzilla.mozilla.org/show_bug.cgi?id=370445 From bugzilla at redhat.com Fri Feb 23 08:48:20 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 23 Feb 2007 03:48:20 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702230848.l1N8mKc3030751@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ------- Additional Comments From abuse at basmevissen.nl 2007-02-23 03:48 EST ------- Hmmm, I regard this as quite lousy... -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Fri Feb 23 15:21:29 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Fri, 23 Feb 2007 10:21:29 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702231521.l1NFLTkV000455@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ------- Additional Comments From tibbs at math.uh.edu 2007-02-23 10:21 EST ------- Why? Maintenance is not about always pushing out the absolute latest version. If you have a compelling argument to make regarding why all machines should get 0.90 then please make it. If you have questions about why 0.90 is not appropriate to push out to all machines then please ask them. The bottom line is that it is the maintainer's decision. You can always grab the devel SRPM or check the source out from CVS and build it yourself if you disagree. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Feb 25 13:41:43 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 25 Feb 2007 08:41:43 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702251341.l1PDfhxi028689@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ------- Additional Comments From ville.skytta at iki.fi 2007-02-25 08:41 EST ------- Enrico, there are references and patches related to CVE-2007-0899 in the 0.88.7-2 update, however I'm not able to find any real info about that CVE anywhere; in MITRE it's just reserved, and in NVD it's empty. Any links to publicized info about the issue? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Feb 25 14:12:09 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 25 Feb 2007 09:12:09 -0500 Subject: [Bug 229202] 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service In-Reply-To: Message-ID: <200702251412.l1PEC9lG031104@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: 0.90 fixes CVE-2007-0897 (MIME Header Handling) and CVE-2007-0898 (CAB File Processing) Denials of Service https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229202 ------- Additional Comments From enrico.scholz at informatik.tu-chemnitz.de 2007-02-25 09:12 EST ------- I took it from the Debian changelog | [CVE-2007-0899] Possible heap overflow in libclamav/fsg.c I do not have more details. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Feb 25 16:26:45 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 25 Feb 2007 11:26:45 -0500 Subject: [Bug 229990] New: CVE-2007-1030: libevent < 1.3 DoS Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229990 Summary: CVE-2007-1030: libevent < 1.3 DoS Product: Fedora Extras Version: devel Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: libevent AssignedTo: redhat-bugzilla at camperquake.de ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com,steved at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1030 "Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset." FE5 and FC6 are at 1.1a, not clear if those versions are affected. Rawhide was updated to 1.2a a few days ago, however (unlike the changelog says) the latest upstream is 1.3a, not 1.2a. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Sun Feb 25 16:37:50 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Sun, 25 Feb 2007 11:37:50 -0500 Subject: [Bug 229991] New: CVE-2007-1049: wordpress < 2.1.1 XSS Message-ID: Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229991 Summary: CVE-2007-1049: wordpress < 2.1.1 XSS Product: Fedora Extras Version: devel Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049 OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: wordpress AssignedTo: jwb at redhat.com ReportedBy: ville.skytta at iki.fi QAContact: extras-qa at fedoraproject.org CC: fedora-security-list at redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049 "Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable." FE5+ apparently affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From mattdm at mattdm.org Mon Feb 26 20:20:54 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Mon, 26 Feb 2007 15:20:54 -0500 Subject: firefox 1.5.0.10 update timeframe? Message-ID: <20070226202054.GA11121@jadzia.bu.edu> As I'm sure everyone knows, the Red Hat Enterprise Linux errata for this is already out, and marked as critical. No sign of a corresponding update for any of the supported Fedora versions. Please let's not have this be another one of those cases where Fedora's Firefox is vulnerable for weeks. It is, frankly, embarrassing. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at redhat.com Mon Feb 26 20:36:04 2007 From: jkeating at redhat.com (Jesse Keating) Date: Mon, 26 Feb 2007 15:36:04 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <20070226202054.GA11121@jadzia.bu.edu> References: <20070226202054.GA11121@jadzia.bu.edu> Message-ID: <200702261536.04915.jkeating@redhat.com> On Monday 26 February 2007 15:20, Matthew Miller wrote: > As I'm sure everyone knows, the Red Hat Enterprise Linux errata for this is > already out, and marked as critical. No sign of a corresponding update for > any of the supported Fedora versions. Please let's not have this be another > one of those cases where Fedora's Firefox is vulnerable for weeks. It is, > frankly, embarrassing. I'm working on a push right now. However I think some build issues on ppc64 is preventing the fc6 to go out. Stransky is still working on it. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From mattdm at mattdm.org Mon Feb 26 20:34:57 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Mon, 26 Feb 2007 15:34:57 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <200702261536.04915.jkeating@redhat.com> References: <20070226202054.GA11121@jadzia.bu.edu> <200702261536.04915.jkeating@redhat.com> Message-ID: <20070226203457.GA12866@jadzia.bu.edu> On Mon, Feb 26, 2007 at 03:36:04PM -0500, Jesse Keating wrote: > I'm working on a push right now. However I think some build issues on ppc64 > is preventing the fc6 to go out. Stransky is still working on it. Glad to hear it. Thanks for the update. And mark this down under yet another reason to move ppc to secondary arch status. :) -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From mattdm at mattdm.org Mon Feb 26 20:36:17 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Mon, 26 Feb 2007 15:36:17 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <20070226203457.GA12866@jadzia.bu.edu> References: <20070226202054.GA11121@jadzia.bu.edu> <200702261536.04915.jkeating@redhat.com> <20070226203457.GA12866@jadzia.bu.edu> Message-ID: <20070226203617.GA13136@jadzia.bu.edu> On Mon, Feb 26, 2007 at 03:34:57PM -0500, Matthew Miller wrote: > > I'm working on a push right now. However I think some build issues on > > ppc64 is preventing the fc6 to go out. Stransky is still working on it. > Glad to hear it. Thanks for the update. > And mark this down under yet another reason to move ppc to secondary arch > status. :) Actually -- is it possible to put updates into updates/testing even if there's build problems on any specific arch? That might be a way to approach this in the future. (Or this time, even, if the ppc64 build issue can't be resolved quickly.) -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at redhat.com Mon Feb 26 20:44:35 2007 From: jkeating at redhat.com (Jesse Keating) Date: Mon, 26 Feb 2007 15:44:35 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <20070226203617.GA13136@jadzia.bu.edu> References: <20070226202054.GA11121@jadzia.bu.edu> <20070226203457.GA12866@jadzia.bu.edu> <20070226203617.GA13136@jadzia.bu.edu> Message-ID: <200702261544.36153.jkeating@redhat.com> On Monday 26 February 2007 15:36, Matthew Miller wrote: > Actually -- is it possible to put updates into updates/testing even if > there's build problems on any specific arch? That might be a way to > approach this in the future. (Or this time, even, if the ppc64 build issue > can't be resolved quickly.) Eeew. While technically there is, I'd rather not go down this road. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From mattdm at mattdm.org Mon Feb 26 20:48:02 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Mon, 26 Feb 2007 15:48:02 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <200702261544.36153.jkeating@redhat.com> References: <20070226202054.GA11121@jadzia.bu.edu> <20070226203457.GA12866@jadzia.bu.edu> <20070226203617.GA13136@jadzia.bu.edu> <200702261544.36153.jkeating@redhat.com> Message-ID: <20070226204802.GA13949@jadzia.bu.edu> On Mon, Feb 26, 2007 at 03:44:35PM -0500, Jesse Keating wrote: > > Actually -- is it possible to put updates into updates/testing even if > > there's build problems on any specific arch? That might be a way to > > approach this in the future. (Or this time, even, if the ppc64 build issue > > can't be resolved quickly.) > Eeew. While technically there is, I'd rather not go down this road. I understand your Release Ninja disgust. :) However, from the user-supporting point of view it sucks to completely hold up security updates for platform specific build problems. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at redhat.com Mon Feb 26 20:54:25 2007 From: jkeating at redhat.com (Jesse Keating) Date: Mon, 26 Feb 2007 15:54:25 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <20070226204802.GA13949@jadzia.bu.edu> References: <20070226202054.GA11121@jadzia.bu.edu> <200702261544.36153.jkeating@redhat.com> <20070226204802.GA13949@jadzia.bu.edu> Message-ID: <200702261554.25698.jkeating@redhat.com> On Monday 26 February 2007 15:48, Matthew Miller wrote: > I understand your Release Ninja disgust. :) However, from the > user-supporting point of view it sucks to completely hold up security > updates for platform specific build problems. Yes it does. It also sucks for the ppc users to tell them right now that they don't matter as much to us. If we can't get this resolved today/tomorrow, we'll probably have to look at something like doing the other arches first. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From mattdm at mattdm.org Mon Feb 26 21:04:32 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Mon, 26 Feb 2007 16:04:32 -0500 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <200702261554.25698.jkeating@redhat.com> References: <20070226202054.GA11121@jadzia.bu.edu> <200702261544.36153.jkeating@redhat.com> <20070226204802.GA13949@jadzia.bu.edu> <200702261554.25698.jkeating@redhat.com> Message-ID: <20070226210432.GA15418@jadzia.bu.edu> On Mon, Feb 26, 2007 at 03:54:25PM -0500, Jesse Keating wrote: > Yes it does. It also sucks for the ppc users to tell them right now that > they don't matter as much to us. Well, it's not like you're not working on it. I'd say the same thing if it were x86_64. Or, uh, if it built on x86_64 but not i386. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From tibbs at math.uh.edu Mon Feb 26 21:05:50 2007 From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: 26 Feb 2007 15:05:50 -0600 Subject: firefox 1.5.0.10 update timeframe? In-Reply-To: <200702261554.25698.jkeating@redhat.com> References: <20070226202054.GA11121@jadzia.bu.edu> <200702261544.36153.jkeating@redhat.com> <20070226204802.GA13949@jadzia.bu.edu> <200702261554.25698.jkeating@redhat.com> Message-ID: >>>>> "JK" == Jesse Keating writes: JK> It also sucks for the ppc users to tell them right now that they JK> don't matter as much to us. I'm having trouble getting from: A) We're sorry, but currently we're currently not able to build the updated firefox on PPC64. We've released it to other architectures now and are still working on getting it to build on all of them. to: B) You don't matter as much to us. This isn't about secondary arches. If the roles were reversed and it build fine on PPC64 but not i386, I'd advocate shipping it for PPC64. - J< From bugzilla at redhat.com Tue Feb 27 16:00:48 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 27 Feb 2007 11:00:48 -0500 Subject: [Bug 229991] CVE-2007-1049: wordpress < 2.1.1 XSS In-Reply-To: Message-ID: <200702271600.l1RG0mHD000896@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1049: wordpress < 2.1.1 XSS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229991 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla at redhat.com Tue Feb 27 16:12:53 2007 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 27 Feb 2007 11:12:53 -0500 Subject: [Bug 229991] CVE-2007-1049: wordpress < 2.1.1 XSS In-Reply-To: Message-ID: <200702271612.l1RGCre0002319@bugzilla.redhat.com> Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2007-1049: wordpress < 2.1.1 XSS https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229991 jwb at redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |CLOSED Resolution| |NEXTRELEASE ------- Additional Comments From jwb at redhat.com 2007-02-27 11:12 EST ------- New packages uploaded / built -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bressers at redhat.com Wed Feb 28 18:30:46 2007 From: bressers at redhat.com (Josh Bressers) Date: Wed, 28 Feb 2007 13:30:46 -0500 Subject: Seamonkey issues for FC5? re: Bug# 229253, CVE-2007-0981: seamonkey cookie ... vulnerability In-Reply-To: <45DE5CE0.8030407@gtw.net> References: <45DE5CE0.8030407@gtw.net> Message-ID: <200702281830.l1SIUkA4032228@devserv.devel.redhat.com> > > Who should address fixing up Bugzilla's package database, so this so a bug > can be properly filed on the FC5 version of Seamonkey for this > CVE-2007-0981 issue and future issues, and an errata issued? The bug on > "seamonkey missing as Fedora Core component," Bug #222811, has been open > for a month with no response. Who properly owns it? > . Sorry for the delay in responding for this, I'm currently terribly busy with many things. I just mailed our bugzilla maintainer with the request to add this component. It should be added in the next few days. Thanks. -- JB