From lkundrak at redhat.com Mon Oct 8 14:34:38 2007
From: lkundrak at redhat.com (Lubomir Kundrak)
Date: Mon, 08 Oct 2007 16:34:38 +0200
Subject: Separate list for commits
In-Reply-To: <1190042867.7861.22.camel@localhost.localdomain>
References: <1190042867.7861.22.camel@localhost.localdomain>
Message-ID: <1191854078.4653.4.camel@localhost.localdomain>

On Mon, 2007-09-17 at 17:27 +0200, Lubomir Kundrak wrote:
> Hi all,
>
> With the volume of the commit messages and bugzilla mails this list
> became less suited for discussions. Would anyone mind creating another
> list, say fedora-security-commits-list, where that sort of mail would
> go?

The list was created:

fedora-security-commits at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-security-commits

Josh: The passwords are the same as for this list.

--
Lubomir Kundrak (Red Hat Security Response Team)

From bugzilla at redhat.com Tue Oct 9 17:51:24 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 Oct 2007 13:51:24 -0400
Subject: [Bug 237533] CVE-2007-2165: proftpd auth bypass vulnerability
In-Reply-To:
Message-ID: <200710091751.l99HpOUv006133@bz-web2.app.phx.redhat.com>

Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2007-2165: proftpd auth bypass vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=237533

------- Additional Comments From matthias at rpmforge.net 2007-10-09 13:51 EST -------
I've updated devel to 1.3.1 final, now that it's out. I don't think updating
from 1.3.0 to 1.3.1 is too disruptive, but I'm not sure it won't break on some
complex setups...

--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
From bugzilla at redhat.com Thu Oct 18 08:04:22 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 Oct 2007 04:04:22 -0400
Subject: [Bug 237882] CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities
In-Reply-To:
Message-ID: <200710180804.l9I84MPg014971@bz-web1.app.phx.redhat.com>

Summary: CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=237882

bugzilla at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Product|Fedora Extras               |Fedora

------- Additional Comments From thoger at redhat.com 2007-10-18 04:04 EST -------
As both F7 and FC6 extras have 2.11.0, I believe this should be fixed now. Mike?

From bugzilla at redhat.com Thu Oct 18 08:06:14 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 Oct 2007 04:06:14 -0400
Subject: [Bug 221694] CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure
In-Reply-To:
Message-ID: <200710180806.l9I86EXU015602@bz-web1.app.phx.redhat.com>

Summary: CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure
https://bugzilla.redhat.com/show_bug.cgi?id=221694

bugzilla at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|normal                      |medium
            Product|Fedora Extras               |Fedora

------- Additional Comments From thoger at redhat.com 2007-10-18 04:06 EST -------
The demo server in comment 4 now advertises usage of 2.11.1.2 and the problem
still occurs.
From bugzilla at redhat.com Mon Oct 22 14:37:17 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 22 Oct 2007 10:37:17 -0400
Subject: [Bug 237533] CVE-2007-2165: proftpd auth bypass vulnerability
In-Reply-To:
Message-ID: <200710221437.l9MEbH37013184@bz-web1.app.phx.redhat.com>

Summary: CVE-2007-2165: proftpd auth bypass vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=237533

------- Additional Comments From matthias at rpmforge.net 2007-10-22 10:37 EST -------
I've had no reports of any problems with 1.3.1, so I'll push it in F-7 testing
updates. If everything looks good once it's there, then it should be possible
to push it to stable.

From bugzilla at redhat.com Wed Oct 24 07:05:05 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 24 Oct 2007 03:05:05 -0400
Subject: [Bug 237533] CVE-2007-2165: proftpd auth bypass vulnerability
In-Reply-To:
Message-ID: <200710240705.l9O755ql010826@bz-web1.app.phx.redhat.com>

Summary: CVE-2007-2165: proftpd auth bypass vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=237533

------- Additional Comments From updates at fedoraproject.org 2007-10-24 03:05 EST -------
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 testing repository. If
problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update proftpd'

From lmacken at redhat.com Fri Oct 26 17:22:00 2007
From: lmacken at redhat.com (Luke Macken)
Date: Fri, 26 Oct 2007 13:22:00 -0400
Subject: security livecd
Message-ID: <20071026172200.GF10053@crow.myhome.westell.com>

I was wondering if anyone was against having the Security LiveCD[0]
become an official project of the Security SIG?

I've done a bunch of work on it recently, and turned it into a
minimal openbox-based distro. See my blog[1] post for more
details/screenshots.

luke

[0]: http://fedoraproject.org/wiki/LukeMacken/SecurityLiveCD
[1]: http://lewk.org/blog/securitylivecd

From metcalfegreg at qwest.net Sat Oct 27 01:24:24 2007
From: metcalfegreg at qwest.net (Greg Metcalfe)
Date: Fri, 26 Oct 2007 18:24:24 -0700
Subject: security livecd
In-Reply-To: <20071026172200.GF10053@crow.myhome.westell.com>
References: <20071026172200.GF10053@crow.myhome.westell.com>
Message-ID: <200710261824.24760.metcalfegreg@qwest.net>

On Friday 26 October 2007 10:22:00 am Luke Macken wrote:
> I was wondering if anyone was against having the Security LiveCD[0]
> become an official project of the Security SIG?
>
> I've done a bunch of work on it recently, and turned it into a
> minimal openbox-based distro. See my blog[1] post for more
> details/screenshots.
>
It looks like a win to me. Gnome/KDE neutral. I have a couple of issues with
your package list. But nothing I'd scream about. I didn't know about sdd vice
dd, for one thing. OTOH, I question the value of iisemulator.

I'd be inclined to tell you to do what you think best, get some press, and use
that to ignite a discussion of what an optimized package list might look like.
> luke
>
> [0]: http://fedoraproject.org/wiki/LukeMacken/SecurityLiveCD
> [1]: http://lewk.org/blog/securitylivecd
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list

From lmacken at redhat.com Sun Oct 28 16:07:54 2007
From: lmacken at redhat.com (Luke Macken)
Date: Sun, 28 Oct 2007 12:07:54 -0400
Subject: security livecd
In-Reply-To: <200710261824.24760.metcalfegreg@qwest.net>
References: <20071026172200.GF10053@crow.myhome.westell.com>
	<200710261824.24760.metcalfegreg@qwest.net>
Message-ID: <20071028160754.GB3375@crow.myhome.westell.com>

On Fri, Oct 26, 2007 at 06:24:24PM -0700, Greg Metcalfe wrote:
> On Friday 26 October 2007 10:22:00 am Luke Macken wrote:
> > I was wondering if anyone was against having the Security LiveCD[0]
> > become an official project of the Security SIG?
> >
> > I've done a bunch of work on it recently, and turned it into a
> > minimal openbox-based distro. See my blog[1] post for more
> > details/screenshots.
> >
> It looks like a win to me. Gnome/KDE neutral. I have a couple of issues with
> your package list. But nothing I'd scream about. I didn't know about sdd vice
> dd, for one thing. OTOH, I question the value of iisemulator.

The package list is definitely subject to change, feel free to make
suggestions. I've cut the final package list down to 661 packages, which
produces a 413mb iso. There's much room for improvement :)

The initial value that I saw in iisemulator was that it can emulate IIS as a
module within honeyd, but we don't even seem to ship it, so I threw it on the
wishlist.

luke

From bugzilla at redhat.com Mon Oct 29 13:12:17 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 29 Oct 2007 09:12:17 -0400
Subject: [Bug 237882] CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities
In-Reply-To:
Message-ID: <200710291312.l9TDCHNR012596@bz-web2.app.phx.redhat.com>
Summary: CVE-2007-2245: phpMyAdmin < 2.10.1 XSS vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=237882

------- Additional Comments From mmcgrath at redhat.com 2007-10-29 09:12 EST -------
*** Bug 356291 has been marked as a duplicate of this bug. ***

From bugzilla at redhat.com Mon Oct 29 18:13:26 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 29 Oct 2007 14:13:26 -0400
Subject: [Bug 357051] New: Django 0.96 i18n DoS
Message-ID:

https://bugzilla.redhat.com/show_bug.cgi?id=357051

           Summary: Django 0.96 i18n DoS
           Product: Fedora
           Version: f7
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: low
          Priority: low
         Component: Django
        AssignedTo: michel.sylvan at gmail.com
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: fedora-security-list at redhat.com


http://www.djangoproject.com/weblog/2007/oct/26/security-fix/

"A per-process cache used by Django's internationalization ("i18n") system to
store the results of translation lookups for particular values of the HTTP
Accept-Language header used the full value of that header as a key. An attacker
could take advantage of this by sending repeated requests with extremely large
strings in the Accept-Language header, potentially causing a denial of service
by filling available memory.

Due to limitations imposed by Web server software on the size of HTTP header
fields, combined with reasonable limits on the number of requests which may be
handled by a single server process over its lifetime, this vulnerability may be
difficult to exploit.
Additionally, it is only present when the "USE_I18N" setting in Django is
"True" and the i18n middleware component is enabled*. Nonetheless, all users of
affected versions of Django are encouraged to update."

All Fedora and EPEL branches are at 0.96 (which is vulnerable) at the moment.

From bugzilla at redhat.com Mon Oct 29 18:15:13 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 29 Oct 2007 14:15:13 -0400
Subject: [Bug 357051] Django 0.96 i18n DoS
In-Reply-To:
Message-ID: <200710291815.l9TIFDmO024657@bz-web1.app.phx.redhat.com>

Summary: Django 0.96 i18n DoS
https://bugzilla.redhat.com/show_bug.cgi?id=357051

------- Additional Comments From ville.skytta at iki.fi 2007-10-29 14:15 EST -------
Credit where it's due: found at
http://www.vuxml.org/freebsd/d2c2952d-85a1-11dc-bfff-003048705d5a.html

From bugzilla at redhat.com Wed Oct 31 12:59:07 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Oct 2007 08:59:07 -0400
Subject: [Bug 357051] CVE-2007-5712 Django 0.96 i18n DoS
In-Reply-To:
Message-ID: <200710311259.l9VCx77v008173@bz-web2.app.phx.redhat.com>
Summary: CVE-2007-5712 Django 0.96 i18n DoS
Alias: CVE-2007-5712
https://bugzilla.redhat.com/show_bug.cgi?id=357051

thoger at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2007-5712
            Summary|Django 0.96 i18n DoS        |CVE-2007-5712 Django 0.96
                   |                            |i18n DoS

------- Additional Comments From thoger at redhat.com 2007-10-31 08:59 EST -------
CVE id CVE-2007-5712 was assigned to this issue.

From bugzilla at redhat.com Wed Oct 31 13:20:31 2007
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Oct 2007 09:20:31 -0400
Subject: [Bug 237449] CVE-2007-5715 Login attempts as root may go unnoticed
In-Reply-To:
Message-ID: <200710311320.l9VDKVC0012691@bz-web1.app.phx.redhat.com>

Summary: CVE-2007-5715 Login attempts as root may go unnoticed
Alias: CVE-2007-5715
https://bugzilla.redhat.com/show_bug.cgi?id=237449

bugzilla at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Product|Fedora Extras               |Fedora

thoger at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2007-5715
            Summary|Login attempts as root may  |CVE-2007-5715 Login attempts
                   |go unnoticed                |as root may go unnoticed

------- Additional Comments From thoger at redhat.com 2007-10-31 09:20 EST -------
CVE id CVE-2007-5715 was assigned to this old issue.
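Added example, not code from this list archive, from Django, or from any of the posters: a small Python model of the cache-keying defect the Django advisory quoted under bug 357051 (CVE-2007-5712) describes, next to a hardened lookup. The vulnerable function keys a per-process dictionary on the raw Accept-Language header, so every distinct header value costs one cache entry for the life of the process. The hardened function treats an oversize header as absent, parses the header into a canonical tuple of language tags (so padding, case and whitespace noise collapse to the same key) and caps the cache with LRU eviction. The catalogue, the limits MAX_HEADER_LEN and MAX_CACHE_ENTRIES, and every function name are assumptions for illustration; they are not Django's API and not its actual fix.

```python
"""
Toy model of the CVE-2007-5712 pattern: a per-process cache of
Accept-Language lookups keyed on the raw header (unbounded), beside a
hardened lookup that bounds the header, normalizes it into a compact key
and caps the cache with LRU eviction.  Added example, not Django's code;
the catalogue, the limits and the function names are assumptions.
"""
import re
from collections import OrderedDict

# Constructed catalogue: supported language tag -> greeting.
CATALOG = {"en": "Hello", "fr": "Bonjour", "de": "Hallo"}
DEFAULT_LANG = "en"
MAX_HEADER_LEN = 256      # assumed: longer headers are treated as absent
MAX_CACHE_ENTRIES = 64    # assumed: LRU bound for the per-process cache

# One Accept-Language range: a language tag or "*", with an optional ";q=" weight.
_RANGE_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?\s*$"
)


def parse_accept_language(header):
    """Return the header's language tags as a tuple, highest q first.
    Ranges with q=0 are dropped and malformed ranges are ignored, never raised on."""
    ranges = []
    for order, part in enumerate(header.split(",")):
        m = _RANGE_RE.match(part)
        if not m:
            continue
        q = float(m.group(2)) if m.group(2) is not None else 1.0
        if q > 0:
            ranges.append((-q, order, m.group(1).lower()))
    return tuple(tag for _, _, tag in sorted(ranges))


def resolve_language(tags):
    """Pick the first supported tag, falling back to its primary subtag, then the default."""
    for tag in tags:
        if tag in CATALOG:
            return tag
        primary = tag.split("-", 1)[0]
        if primary in CATALOG:
            return primary
    return DEFAULT_LANG


# --- vulnerable pattern: the key is the raw header, one entry per distinct value ---
_vulnerable_cache = {}


def vulnerable_lookup(header):
    """Caches on the full header string, so the cache grows with every distinct value."""
    if header not in _vulnerable_cache:
        _vulnerable_cache[header] = resolve_language(parse_accept_language(header))
    return _vulnerable_cache[header]


# --- hardened pattern: bounded input, normalized key, LRU-capped cache ---
_hardened_cache = OrderedDict()


def hardened_lookup(header):
    """Ignores oversize headers, keys on the parsed tag tuple and evicts LRU entries."""
    if len(header) > MAX_HEADER_LEN:
        header = ""                      # oversize: behave as if no header were sent
    key = parse_accept_language(header)  # canonical, compact, case-folded key
    if key in _hardened_cache:
        _hardened_cache.move_to_end(key)
        return _hardened_cache[key]
    lang = resolve_language(key)
    _hardened_cache[key] = lang
    if len(_hardened_cache) > MAX_CACHE_ENTRIES:
        _hardened_cache.popitem(last=False)   # drop the least recently used entry
    return lang


def reset_caches():
    _vulnerable_cache.clear()
    _hardened_cache.clear()


def simulate(headers):
    """Feed each header to both lookups; return (vulnerable_entries, hardened_entries)."""
    for header in headers:
        vulnerable_lookup(header)
        hardened_lookup(header)
    return len(_vulnerable_cache), len(_hardened_cache)


if __name__ == "__main__":
    # Constructed flood: headers that differ only in a large junk suffix.
    flood = ("fr, en," + "x" * 300 + str(i) for i in range(500))
    print("entries after flood (vulnerable, hardened):", simulate(flood))
```

Run as a script it reports how many cache entries 500 padded requests leave behind in each variant; the hardened cache holds one, because every oversize header collapses to the empty key. The LRU bound is the second line of defence: even short, well-formed headers with a fresh tag each time can never push the hardened cache past MAX_CACHE_ENTRIES.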