From marcdeslauriers at videotron.ca Fri Oct 1 01:09:21 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 30 Sep 2004 21:09:21 -0400
Subject: Fedora Legacy Test Update Notification: apache
In-Reply-To: <415BE8CC.1030707@gmx.ch>
References: <1096540078.6762.13.camel@mdlinux> <415BE8CC.1030707@gmx.ch>
Message-ID: <1096592961.6997.1.camel@mdlinux>

On Thu, 2004-09-30 at 07:06, Tobias Sager wrote:
> Hi Marc,
> I always get a "BAD signature" from you (I am using Thunderbird).
> Can anyone confirm this as well?

Argh. Sorry about that.

I'll repost one to see if it's any better.

Marc

From marcdeslauriers at videotron.ca Fri Oct 1 01:13:12 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 30 Sep 2004 21:13:12 -0400
Subject: Repost: Fedora Legacy Test Update Notification: apache
Message-ID: <1096593192.6997.3.camel@mdlinux>

Reposted due to broken gpg signature.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1737
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1737
2004-09-30
---------------------------------------------------------------------

Name        : apache
Versions    : 7.3: 1.3.27-5.legacy
Summary     : The most widely used Web server on the Internet.
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.

---------------------------------------------------------------------
Update Information:

A buffer overflow was found in the Apache proxy module, mod_proxy, which
can be triggered by receiving an invalid Content-Length header. In order
to exploit this issue, an attacker would need an Apache installation
that was configured as a proxy to connect to a malicious site. This
would cause the Apache child processing the request to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0492 to this issue.
---------------------------------------------------------------------
7.3 changelog:

* Fri Jun 11 2004 Dominic Hargreaves 1.3.27-5.legacy

- add security fix for CVE CAN-2004-0492

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/
(sha1sums)

2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce
7.3/updates-testing/i386/apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9
7.3/updates-testing/i386/apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b
7.3/updates-testing/i386/apache-manual-1.3.27-5.legacy.i386.rpm
e2fadeb9a430a5dbda28076cd850180fbb95c2b8
7.3/updates-testing/SRPMS/apache-1.3.27-5.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From bdm at fenrir.org.uk Fri Oct 1 06:33:42 2004
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 1 Oct 2004 07:33:42 +0100
Subject: Fedora Legacy Test Update Notification: apache
In-Reply-To: <1096592961.6997.1.camel@mdlinux>
References: <1096540078.6762.13.camel@mdlinux> <415BE8CC.1030707@gmx.ch> <1096592961.6997.1.camel@mdlinux>
Message-ID: <20041001073342.2da12bb4@ickx.fenrir.org.uk>

On Thu, 30 Sep 2004 21:09:21 -0400 in 1096592961.6997.1.camel at mdlinux
Marc Deslauriers wrote:

> On Thu, 2004-09-30 at 07:06, Tobias Sager wrote:
> > Hi Marc,
>
> > I always get a "BAD signature" from you (I am using Thunderbird).
> > Can anyone confirm this as well?
>
> Argh. Sorry about that.
>
> I'll repost one to see if it's any better.

The signature on the repost is good, so you seem to have fixed it.

--
Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From dom at earth.li Fri Oct 1 09:11:39 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 1 Oct 2004 10:11:39 +0100
Subject: Fedora Legacy Test Update Notification: glibc
Message-ID: <20041001091136.GA2774@home.thedom.org>

Please test these packages and report to bugzilla. Note these packages are
for Redhat 7.3.

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-1947
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1947
2004-10-01
---------------------------------------------------------------------

Name        : glibc
Version     : 2.2.5-44.legacy.2
Summary     : The GNU libc libraries.
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

---------------------------------------------------------------------
Update Information:

A security audit of glibc revealed a flaw in the resolver library which
was originally reported as affecting versions of ISC BIND 4.9. This flaw
also applied to glibc versions before 2.3.2. An attacker who is able to
send DNS responses (perhaps by creating a malicious DNS server) could
remotely exploit this vulnerability to execute arbitrary code or cause a
denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-0029 to this issue.
---------------------------------------------------------------------
Changelog:

* Thu Sep 30 2004 Dominic Hargreaves

- BuildRequires on texinfo, gettext

* Thu Aug 12 2004 Dave Botsch

- Added legacy keyword
- Fix CAN-2002-0029 (getnetby{name,addr} buffer overflow)
- Uses Michal Jaegermann's rediffed patch from AS2.1

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

Please note that this update is also available via yum and apt through
the updates-testing channel. Many people find this an easier way to
apply updates.

---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL:

From marcdeslauriers at videotron.ca Fri Oct 1 10:21:26 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 01 Oct 2004 06:21:26 -0400
Subject: Fedora Legacy Test Update Notification: php
Message-ID: <1096626086.8912.1.camel@mdlinux>

This is to fix the missing mail support in yesterday's php update

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1868
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1868
2004-10-01
---------------------------------------------------------------------

Name        : php
Versions    : 7.3: 4.1.2-7.3.10.legacy, 9: 4.2.2-17.6.legacy
Summary     : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Stefan Esser discovered a flaw when memory_limit is enabled in versions
of PHP 4 before 4.3.8. If a remote attacker could force the PHP
interpreter to allocate more memory than the memory_limit setting before
script execution begins, then the attacker may be able to supply the
contents of a PHP hash table remotely. This hash table could then be
used to execute arbitrary code as the 'apache' user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0594 to this issue.

This issue has a higher risk when PHP is running on an instance of
Apache which is vulnerable to CAN-2004-0493.
It may also be possible to exploit this issue if using a non-default PHP
configuration with the "register_defaults" setting is changed to "On".

Stefan Esser discovered a flaw in the strip_tags function in versions of
PHP before 4.3.8. The strip_tags function is commonly used by PHP
scripts to prevent Cross-Site-Scripting attacks by removing HTML tags
from user-supplied form data. By embedding NUL bytes into form data,
HTML tags can in some cases be passed intact through the strip_tags
function, which may allow a Cross-Site-Scripting attack. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0595 to this issue.

---------------------------------------------------------------------
7.3 changelog:

* Thu Sep 30 2004 Marc Deslauriers 4.1.2-7.3.10.legacy

- Added missing BuildRequires: sendmail

* Sun Aug 01 2004 John Dalbec 4.1.2-7.3.9.legacy

- Added missing BuildRequires: flex mm-devel libtool

* Mon Jul 26 2004 Marc Deslauriers 4.1.2-7.3.8.legacy

- Added better security fix for CAN-2004-0594
- Added fixes for various compiler warnings

* Thu Jul 15 2004 Marc Deslauriers 4.1.2-7.3.7.legacy

- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes
- Added imap-devel BuildRequires

9 changelog:

* Thu Sep 30 2004 Marc Deslauriers 4.2.2-17.6.legacy

- Added sendmail to BuildRequires

* Tue Sep 28 2004 Marc Deslauriers 4.2.2-17.5.legacy

- Added flex and libtool to BuildRequires

* Mon Jul 26 2004 Marc Deslauriers 4.2.2-17.4.legacy

- Added better security fix for CAN-2004-0594

* Thu Jul 15 2004 Marc Deslauriers 4.2.2-17.3.legacy

- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/
---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From info at coolzero.info Fri Oct 1 10:24:50 2004
From: info at coolzero.info (Jim van Wel)
Date: Fri, 1 Oct 2004 12:24:50 +0200
Subject: Fedora Legacy Test Update Notification: php
In-Reply-To: <1096626086.8912.1.camel@mdlinux>
Message-ID: <200410011024.i91AOnnc021664@vmx40.multikabel.net>

Thank you for fixing the problem of mail() so quickly!

It's working fine now!

Jim

From marcdeslauriers at videotron.ca Sat Oct 2 13:15:19 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sat, 02 Oct 2004 09:15:19 -0400
Subject: Fedora Legacy Test Update Notification: cups
Message-ID: <1096722919.11508.1.camel@mdlinux>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-2072
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2072
2004-10-02
---------------------------------------------------------------------

Name        : cups
Versions    : 9: 1.1.17-13.3.0.5.legacy, fc1: 1.1.19-13.1.legacy
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX(R) operating systems. It has been developed by Easy Software
Products to promote a standard printing solution for all UNIX vendors
and users. CUPS provides the System V and Berkeley command-line
interfaces.

---------------------------------------------------------------------
Update Information:

Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing
Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An
attacker could send a carefully crafted UDP packet to the IPP port which
could cause CUPS to stop listening to the port and result in a denial of
service. In order to exploit this bug, an attacker would need to have
the ability to send a UDP packet to the IPP port (by default 631). The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0558 to this issue.
---------------------------------------------------------------------
9 changelog:

* Fri Oct 01 2004 Marc Deslauriers 1.1.17-13.3.0.5.legacy

- Added autoconf, zlib-devel, libtiff-devel, libjpeg-devel, libpng-devel
  to BuildPrereq

* Fri Sep 17 2004 Marc Deslauriers 1.1.17-13.3.0.4.legacy

- Apply patch to fix CAN-2004-0558

fc1 changelog:

* Fri Oct 01 2004 Marc Deslauriers 1:1.1.19-13.1.legacy

- Added legacy to release tag
- Added missing autoconf zlib-devel libjpeg-devel libtiff-devel
  libpng-devel to BuildPrereq

* Mon Aug 23 2004 Tim Waugh 1:1.1.19-13.1

- Add version to LPRng obsoletes: tag.
- Apply patch to fix CAN-2004-0558 (bug #130646).

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From dom at earth.li Sat Oct 2 14:09:03 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Sat, 2 Oct 2004 15:09:03 +0100
Subject: [FLSA-2004:1733] Updated squirrelmail resolves security vulnerabilities
Message-ID: <20041002140859.GA10111@home.thedom.org>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:          Updated squirrelmail resolves security vulnerabilities
Advisory ID:       FLSA:1733
Issue date:        2004-10-02
Product:           Red Hat Linux
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1733
CVE Names:         CAN-2004-0519, CAN-2004-0520, CAN-2004-0521
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated squirrelmail packages that fix a security vulnerability are now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386

3. Problem description:

An SQL injection flaw was found in SquirrelMail version 1.4.2 and
earlier. If SquirrelMail is configured to store user addressbooks in the
database, a remote attacker could use this flaw to execute arbitrary SQL
statements. The Common Vulnerabilities and Exposures project has
assigned the name CAN-2004-0521 to this issue.

A number of cross-site scripting (XSS) flaws in SquirrelMail version
1.4.2 and earlier could allow remote attackers to execute script as
other web users. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0519 and CAN-2004-0520
to these issues.

Users of squirrelmail should upgrade to this updated package which
contains a new version of the software and is not vulnerable to this
issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that
you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs/ for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1733 - SquirrelMail Folder Name Cross-Site
Scripting Vulnerability

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/i386/squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------

c11465630aac1834c37b9af25dc77bccfd1785be
9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.1.legacy.src.rpm
de580a0c9f0b5d8129b0dc5b11671ce9c8e8446f
9/updates/i386/squirrelmail-1.4.3-0.f0.9.1.legacy.noarch.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://www.gentoo.org/security/en/glsa/glsa-200405-16.xml

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

10. Special Notes:

Since this release is a version upgrade, care should be taken in
applying the update in a production environment.

---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL:

From leonard at den.ottolander.nl Sat Oct 2 16:32:31 2004
From: leonard at den.ottolander.nl (Leonard den Ottolander)
Date: Sat, 02 Oct 2004 18:32:31 +0200
Subject: openssl-0.9.6m rpm for RHL 7.3
Message-ID: <1096734751.4751.80.camel@athlon.localdomain>

Hi,

Last week I've spent some time producing a few packages based on recent
tarballs for RHL 7.3. These are apache-1.3.31 (I will update this to
1.3.32 soon), mod_ssl-2.8.19 (will also this one against apache-1.3.32)
and openssl-0.9.6m. I've put a lot of effort in fixing all relevant
patches to be functionally similar to the originals.

Is there any interest in these rpms? I know my approach is somewhat
different from the "original tarball plus patches" approach, but to
avoid incompatibilities I've stuck with the 0.9.6 branch. Tested the
resulting rpm on an SME box, and at first sight I see no regression (I
can still read mail via the https webmail frontend).

Where should I submit my srpm?

Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

From dom at earth.li Sat Oct 2 18:43:10 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Sat, 2 Oct 2004 19:43:10 +0100
Subject: Fedora Legacy Test Update Notification: glibc
In-Reply-To: <20041001091136.GA2774@home.thedom.org>
References: <20041001091136.GA2774@home.thedom.org>
Message-ID: <20041002184310.GW15895@tirian.magd.ox.ac.uk>

On Fri, Oct 01, 2004 at 10:11:39AM +0100, Dominic Hargreaves wrote:
> Please test these packages and report to bugzilla. Note these packages are
> for Redhat 7.3.
>
> ---------------------------------------------------------------------
> Fedora Test Update Notification
> FEDORALEGACY-2004-1947
> Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1947
> 2004-10-01
> ---------------------------------------------------------------------
>
> Name : glibc

Just before anyone gets confused; this update was missing i686 packages.
Unfortunately we are having problems building i686 packages on the build
system at the moment so please bear with us if you have an i686 system.

Cheers,

Dominic.

From mh at samurajdata.se Sat Oct 2 20:25:33 2004
From: mh at samurajdata.se (Markus Håkansson)
Date: Sat, 02 Oct 2004 22:25:33 +0200
Subject: md5sum for entire filesystem?
In-Reply-To:
References:
Message-ID: <1096748733.13966.4.camel@vega.galaxy.se>

On Thu 2004-09-30 at 14:27 -0400, Randall A. Jones wrote:
> To verify all RPMs installed on a system you can do something like:
>
> rpm -V `rpm -qa`
>

I would recommend using this command instead of doing it in the two
steps above.

rpm -Va

or the equivalent

rpm --verify --all

> You should get a lot of messages about files modified or different in
> various ways. See "man rpm" and search for "VERIFY OPTIONS" to find the
> meanings of the flags that show up to the left of the file path.
> You might want to send the output to a file ( with "> rpmV.out" ) to
> collect it before examining.
>
> You can ignore log files or various status files that show up here
> like /var/lib/nfs/rmtab, /var/log/messages, /var/log/wtmp, ...
>
> Look for executables or config files that may have changed like
> /etc/ssh/sshd_config, /usr/bin/ssh, /bin/ls ...
>
>
> ... one example output line from "rpm -V `rpm -qa`" ...
> S.5....T c /var/lib/nfs/rmtab
> ...
>
> If you see a suspicious file modification and you want to know what
> package contains that file you can do:
> rpm -qf /var/lib/nfs/rmtab
>
>
> Randall
> --
>
> On Thu, 30 Sep 2004, Josep L. Guallar-Esteve wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Thursday 30 September 2004 01:50 pm, Jiann-Ming Su wrote:
> > > Is there a md5sum for all the files in the FC1 distribution? I know
> > > there's md5sums for the iso and rpm packages. But, I'm looking for
> > > md5sum for each of the files.
> >
> > There is a built-in file checking system in rpm-based systems. To check if
> > files have been modified since 'foobar' was installed, use:
> >
> > rpm -V foobar
> >
> >
> >
> > Regards,
> > Josep
> > - --
> > Josep L. Guallar-Esteve Eastern Radiologists, Inc.
> > Systems and PACS Administration http://www.easternrad.com > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.4 (GNU/Linux) > > > > iD8DBQFBXEr8SGQa4/zQ9e8RAswyAKCEaQnCcYcldKhd3nvhzKEM3Wnq0wCfcJt5 > > D9T1pV0JgHEUoODv5ND88yU= > > =5lCs > > -----END PGP SIGNATURE----- > > > > > > -- > > fedora-legacy-list mailing list > > fedora-legacy-list at redhat.com > > http://www.redhat.com/mailman/listinfo/fedora-legacy-list > > > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-legacy-list > From marcdeslauriers at videotron.ca Sun Oct 3 03:58:09 2004 
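The triage Randall describes in the md5sum thread above (skip log and status files, look at changed executables and config files), written out as an added example; it is not code from the thread. The ignore prefixes and bucket names are assumptions, and the sample lines are constructed in the format of the thread's one example line.

```shell
#!/bin/sh
# Added example: sort `rpm -Va` output into review buckets.
# On a real system:  rpm -Va 2>/dev/null | triage_rpm_verify

# Prefixes treated as log/status files and skipped (assumption, generalised
# from /var/lib/nfs/rmtab, /var/log/messages and /var/log/wtmp in the thread).
IGNORE_PREFIXES='/var/log/ /var/lib/nfs/ /var/run/'

triage_rpm_verify() {
    awk -v ignore="$IGNORE_PREFIXES" '
    BEGIN { n = split(ignore, pfx, " ") }
    {
        # Layout: FLAGS [attr] PATH. FLAGS is "missing" or a string such as
        # S.5....T; attr is one of c d g l r (c marks a config file).
        line = $0
        sub(/^[ \t]+/, "", line)
        flags = line
        sub(/[ \t].*$/, "", flags)
        rest = line
        sub(/^[^ \t]+[ \t]+/, "", rest)
        if (rest == flags) next            # single token, not a verify line
        attr = ""
        if (rest ~ /^[cdglr][ \t]+\//) {
            attr = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        if (rest !~ /^\//) next            # no absolute path, e.g. a warning
        for (i = 1; i <= n; i++)
            if (index(rest, pfx[i]) == 1) next

        # 5 = digest differs, M/U/G = mode/owner/group differ,
        # ? = the test could not be performed (file unreadable).
        if (flags == "missing")      bucket = "MISSING"
        else if (index(flags, "5"))  bucket = (attr == "c") ? "CONFIG-CHANGED" : "CONTENT-CHANGED"
        else if (flags ~ /[MUG]/)    bucket = "PERMS-CHANGED"
        else if (index(flags, "?"))  bucket = "UNVERIFIED"
        else next                    # size or mtime only
        print bucket, flags, rest
    }'
}

# Constructed sample input, not captured from a real host.
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T c /var/lib/nfs/rmtab
S.5....T c /etc/ssh/sshd_config
S.5....T   /usr/bin/ssh
..5....T   /bin/ls
.......T   /usr/share/man/man1/ls.1.gz
.M......   /usr/bin/passwd
missing    /usr/lib/libexample.so.1
S.5....T   /var/log/messages
..?..... c /etc/sudoers
.......T c /etc/hosts
EOF
}

sample_rpm_verify_output | triage_rpm_verify
```

A CONTENT-CHANGED line on a binary is the case to follow up with `rpm -qf` as the thread suggests; CONFIG-CHANGED lines are often legitimate local edits and need a human to read the diff.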
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 02 Oct 2004 23:58:09 -0400 Subject: Fedora Legacy Test Update Notification: httpd Message-ID: <1096775888.19395.1.camel@mdlinux> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2004-2068 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2068 2004-10-02 --------------------------------------------------------------------- Name : httpd Versions : 9: 2.0.40-21.15.legacy, fc1: httpd-2.0.51-1.3.legacy Summary : The httpd Web server Description : This package contains a powerful, full-featured, efficient, and freely-available Web server based on work done by the Apache Software Foundation. It is also the most popular Web server on the Internet. --------------------------------------------------------------------- Update Information: Problems that apply to Red Hat Linux 9 only: A stack buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occurred if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue. A remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue. 
Problems that apply to Fedora Core 1 only: Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue. An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue. Note that these packages do also contain the fix for a regression in Satisfy handling in the 2.0.51 release (CAN-2004-0811). Problems that apply to both Red Hat Linux 9 and Fedora Core 1: The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue. An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. 
This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue. An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue. --------------------------------------------------------------------- 9 changelog: * Sat Oct 02 2004 Marc Deslauriers 2.0.40-21.15.legacy - added missing autoconf, libtool, zlib-devel, gdbm-devel BuildPrereq * Thu Sep 16 2004 Marc Deslauriers 2.0.40-21.14.legacy - add security fixes for CVE CAN-2004-0747, CAN-2004-0751, CAN-2004-0809 * Fri Jul 02 2004 Marc Deslauriers 2.0.40-21.13.legacy - add security fix for CVE CAN-2004-0493 * Wed Jun 02 2004 Marc Deslauriers 2.0.40-21.12.legacy - add security fix for CVE CAN-2004-0488 fc1 changelog: * Sat Oct 02 2004 Marc Deslauriers 2.0.51-1.3.legacy - added missing autoconf, libtool, zlib-devel, gdbm-devel BuildPrereq * Fri Sep 24 2004 Marc Deslauriers 2.0.51-1.2.legacy - fix 2.0.51 regression in Satisfy merging (CAN-2004-0811) - ap_rgetline_core fix from Rici Lake * Wed Sep 15 2004 Joe Orton 2.0.51-1.1 - update to 2.0.51, including security fixes for: * core: CAN-2004-0747 * mod_dav_fs: CAN-2004-0809 * mod_ssl: CAN-2004-0751, CAN-2004-0748 
--------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) 61997e8996a1b23033ae454de71a9e91b055d1a8 redhat/9/updates-testing/i386/httpd-2.0.40-21.15.legacy.i386.rpm cf9f084087b218e92a0bfab70b3a609ab1d5000e redhat/9/updates-testing/i386/httpd-devel-2.0.40-21.15.legacy.i386.rpm d066d847375e027c357b4d5d63da29e1b586c4eb redhat/9/updates-testing/i386/httpd-manual-2.0.40-21.15.legacy.i386.rpm 8f33bda286bf7ffd5bf3d50a7a31a0e90fa5b9ee redhat/9/updates-testing/i386/mod_ssl-2.0.40-21.15.legacy.i386.rpm 5937d27e764a0175af86f7e9932a8eca2c959641 redhat/9/updates-testing/SRPMS/httpd-2.0.40-21.15.legacy.src.rpm facbb28a24a911ab3cfadc94a1ce13b50b15ceff fedora/1/updates-testing/i386/httpd-2.0.51-1.3.legacy.i386.rpm 9738f329a9e5648a3cde3f6a91573d56d29ffd44 fedora/1/updates-testing/i386/httpd-devel-2.0.51-1.3.legacy.i386.rpm ec6918ffb15517a85de6447e2b272a9d1afc3fd3 fedora/1/updates-testing/i386/httpd-manual-2.0.51-1.3.legacy.i386.rpm 777911d1c311c84e0df4aa4589a47a327c63b125 fedora/1/updates-testing/i386/mod_ssl-2.0.51-1.3.legacy.i386.rpm 6e224a7fcca8e6fc383022dcc092b930352b4e1c fedora/1/updates-testing/SRPMS/httpd-2.0.51-1.3.legacy.src.rpm --------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From marcdeslauriers at videotron.ca Sun Oct 3 04:04:41 2004 
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 00:04:41 -0400
Subject: [FLSA-2004:1372] Updated sysstat packages fix security vulnerabilities
Message-ID: <1096776281.19395.8.camel@mdlinux>

------------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated sysstat packages fix security vulnerabilities
Advisory ID: FLSA:1372
Issue date: 2004-10-03
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1372
CVE Names: CAN-2004-0107
------------------------------------------------------------------------

------------------------------------------------------------------------
1. Topic:

Updated sysstat packages that fix various bugs and a minor security issue
are now available.

Sysstat is a tool for gathering system statistics.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A bug was found in the Red Hat sysstat package post and trigger scripts,
which used insecure temporary file names. A local attacker could overwrite
system files using carefully-crafted symbolic links in the /tmp directory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0107 to this issue.

Other issues addressed in this advisory include:

* iostat -x should return all partitions on the system (up to a maximum
  of 1024)

* sar should handle network device names with more than 8 characters
  properly

Users of sysstat should upgrade to these updated packages, which contain
patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #1372

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sysstat-4.0.3-4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sysstat-4.0.3-4.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
----------------------------------------------------------------------------
b2d1ced29b39cd024169b173d01db6fa99327bfb 7.3/updates/i386/sysstat-4.0.3-4.legacy.i386.rpm
5bd937c2c0d643ba5a4dcab9c1f5ded2d67c9fb5 7.3/updates/SRPMS/sysstat-4.0.3-4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0107

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

----------------------------------------------------------------------

From cra at WPI.EDU Sun Oct 3 06:07:59 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Sun, 3 Oct 2004 02:07:59 -0400
Subject: mach builds are not being stripped
Message-ID: <20041003060759.GN5537@angus.ind.WPI.EDU>

I've noticed that recently released testing updates are different from
their predecessors (previous updates or packages tested during QA).
They have full symbol tables in them. It appears that the mach build
system isn't stripping binaries. This is usually caused by missing
requirements of /usr/lib/rpm/find-debuginfo.sh, such as the eu-strip
program from the elfutils package.

I know that httpd-2.0.40-21.15.legacy and cups-1.1.17-13.3.0.5.legacy
are affected. I suspect that more RH9 and FC1 packages may be
affected if they were built on mach with missing elfutils.

https://bugzilla.fedora.us/show_bug.cgi?id=2068
https://bugzilla.fedora.us/show_bug.cgi?id=2072

From cra at WPI.EDU Sun Oct 3 06:37:26 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Sun, 3 Oct 2004 02:37:26 -0400
Subject: improved rpm-build-compare.sh
Message-ID: <20041003063726.GO5537@angus.ind.WPI.EDU>

Here is my rpm-build-compare.sh script which compares two binary or
source rpm packages for important differences. I use it during QA to
catch common errors, such as missing buildrequires (ldd diffs), etc.
This version is improved over the last one I posted. It checks for
the following differences:

RPM Provides
RPM Requires
File Types (file) - so you can see if files are not stripped
Dynamic Link Libraries (ldd)
Symbol Tables (nm) - ignoring symbol addresses
RPM File Lists - ignoring timestamps and the rpm-approximated link counts
RPM Packaged Files - actual file contents

You run the script as follows:

rpm-build-compare.sh pkg-ver-oldrelease.rpm pkg-ver-newrelease.rpm

and the output report is put into:

pkg-ver-newrelease.rpm-diff.txt

I hope this is useful for some folks. I think it would be nice to
have something like this be a required checklist item during QA, or
perhaps even automated in the buildsystem, since it could prevent
common mistakes from making it into released packages, such as the
recent problem with php missing mail() due to a missing BuildRequires:
sendmail.

Along these same lines, it would be nice if buildsystem output was
posted somewhere, since it can help with debugging packaging/build
issues.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpm-build-compare.sh
Type: application/x-sh
Size: 3853 bytes
Desc: not available
URL:

From jkeating at j2solutions.net Sun Oct 3 06:54:51 2004
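One of the checks listed in the message above, the File Types (file) comparison that shows whether binaries are stripped, as an added example. The attached rpm-build-compare.sh was scrubbed from the archive and this is not its code; the function names and output labels are assumptions, and the two listings are constructed.

```shell
#!/bin/sh
# Added example: compare file(1) listings of an old and a new build of the
# same package and report ELF objects that are no longer stripped.

# How a listing would be produced from a real package (not run by the demo):
# unpack the RPM payload into a scratch directory and run file(1) over it.
list_file_types() {
    rpm_path=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    workdir=$(mktemp -d) || return 1
    ( cd "$workdir" && rpm2cpio "$rpm_path" | cpio -idm --quiet &&
      find . -type f -exec file {} + | sort )
    rm -rf "$workdir"
}

# unstripped_regressions OLD_LISTING NEW_LISTING
# Prints "REGRESSION path" when the old build was stripped and the new one is
# not, and "UNSTRIPPED path" for an unstripped ELF file that is new in this build.
unstripped_regressions() {
    awk '
    function elf_state(desc) {
        if (desc !~ /^ELF /) return ""               # scripts, text, data
        if (desc ~ /not stripped/) return "unstripped"
        if (desc ~ /stripped/) return "stripped"
        return ""
    }
    {
        # file(1) prints "path:" followed by padding and a description
        if (!match($0, /:[ \t]+/)) next
        path = substr($0, 1, RSTART - 1)
        state = elf_state(substr($0, RSTART + RLENGTH))
        if (state == "") next
        if (FILENAME == ARGV[1]) { old[path] = state; next }
        if (state != "unstripped") next
        if (!(path in old)) print "UNSTRIPPED " path
        else if (old[path] == "stripped") print "REGRESSION " path
    }' "$1" "$2"
}

# Constructed listings: paths and descriptions are illustrative only.
sample_old_listing() {
    cat <<'EOF'
./etc/httpd/conf/httpd.conf: ASCII English text
./usr/lib/httpd/modules/mod_dav.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
./usr/sbin/httpd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
EOF
}

sample_new_listing() {
    cat <<'EOF'
./etc/httpd/conf/httpd.conf: ASCII English text
./usr/lib/httpd/modules/mod_dav.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
./usr/sbin/httpd:           ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
./usr/sbin/example-helper:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
EOF
}

demo_unstripped_regressions() {
    old=$(mktemp) && new=$(mktemp) || return 1
    sample_old_listing > "$old"
    sample_new_listing > "$new"
    unstripped_regressions "$old" "$new"
    rm -f "$old" "$new"
}

demo_unstripped_regressions
```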
From: jkeating at j2solutions.net (Jesse Keating)
Date: Sat, 2 Oct 2004 23:54:51 -0700
Subject: mach builds are not being stripped
In-Reply-To: <20041003060759.GN5537@angus.ind.WPI.EDU>
References: <20041003060759.GN5537@angus.ind.WPI.EDU>
Message-ID: <200410022354.53045.jkeating@j2solutions.net>

On Saturday 02 October 2004 23:07, Charles R. Anderson wrote:
> I've noticed that recently released testing updates are different from
> their predecessors (previous updates or packages tested during QA).
> They have full symbol tables in them. It appears that the mach build
> system isn't stripping binaries. This is usually caused by missing
> requirements of /usr/lib/rpm/find-debuginfo.sh, such as the eu-strip
> program from the elfutils package.
>
> I know that httpd-2.0.40-21.15.legacy and cups-1.1.17-13.3.0.5.legacy
> are affected. I suspect that more RH9 and FC1 packages may be
> affected if they were built on mach with missing elfutils.
>
> https://bugzilla.fedora.us/show_bug.cgi?id=2068
> https://bugzilla.fedora.us/show_bug.cgi?id=2072

Seems redhat-rpm-config is needed. I have added that to the build list of
mach, can the builders please rebuild httpd/cups and any other 9 builds
they may have done recently? Or do you think this is a non-issue enough to
just continue on from here having things stripped?

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From marcdeslauriers at videotron.ca Sun Oct 3 13:51:09 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 09:51:09 -0400
Subject: improved rpm-build-compare.sh
In-Reply-To: <20041003063726.GO5537@angus.ind.WPI.EDU>
References: <20041003063726.GO5537@angus.ind.WPI.EDU>
Message-ID: <1096811469.3123.0.camel@mdlinux>

On Sun, 2004-10-03 at 02:37, Charles R. Anderson wrote:
> Here is my rpm-build-compare.sh script which compares two binary or
> source rpm packages for important differences. I use it during QA to
> catch common errors, such as missing buildrequires (ldd diffs), etc.
> This version is improved over the last one I posted. It checks for
> the following differences:

Thank you for your script, it does a lot of stuff I was doing by hand
before. I will be using it from now on when preparing packages for
updates-testing.

Marc.

From dom at earth.li Sun Oct 3 12:47:53 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Sun, 3 Oct 2004 13:47:53 +0100
Subject: [FLSA-2004:1325] Updated mod_python packages fix security vulnerability
Message-ID: <20041003124751.GA4329@home.thedom.org>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated mod_python resolves security vulnerability
Advisory ID: FLSA:1325
Issue date: 2004-10-03
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1325
CVE Names: CAN-2003-0973
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated mod_python packages that fix a security vulnerability are now
available.

mod_python embeds the Python language interpreter within the Apache httpd
server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A bug has been found in mod_python versions 3.0.3 and earlier that can
lead to a denial of service vulnerability. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to
this issue.

mod_python users are advised to upgrade to these errata packages, which
contain a backported patch that corrects this bug.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs/ for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1325 - mod_python: denial of service
vulnerability.

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------------
49aa1436fc8982e616b5957554485e278d772f9b 7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.2.legacy.src.rpm
1cb0e3eccd14fbfb220bf26259b509ff17ed9eec 7.3/updates/i386/mod_python-2.7.8-1.7.3.2.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

https://rhn.redhat.com/errata/RHSA-2004-063.html
http://www.modpython.org/pipermail/mod_python/2003-November/014532.html

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Mon Oct 4 03:36:58 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 03 Oct 2004 23:36:58 -0400 Subject: Fedora Legacy Test Update Notification: cups Message-ID: <1096861018.4148.1.camel@mdlinux> RH9 packages were updated to provide stripped binaries. RH7.3 packages are unchanged. --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2004-2072 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2072 2004-10-04 --------------------------------------------------------------------- Name : cups Versions : 9: 1.1.17-13.3.0.6.legacy, fc1: 1.1.19-13.2.legacy Summary : Common Unix Printing System Description : The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. --------------------------------------------------------------------- Update Information: Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An attacker could send a carefully crafted UDP packet to the IPP port which could cause CUPS to stop listening to the port and result in a denial of service. In order to exploit this bug, an attacker would need to have the ability to send a UDP packet to the IPP port (by default 631). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0558 to this issue. 
--------------------------------------------------------------------- 9 changelog: * Sun Oct 03 2004 Marc Deslauriers 1.1.17-13.3.0.6.legacy - Rebuilt * Fri Oct 01 2004 Marc Deslauriers 1.1.17-13.3.0.5.legacy - Added autoconf, zlib-devel, libtiff-devel, libjpeg-devel, libpng-devel to BuildPrereq * Fri Sep 17 2004 Marc Deslauriers 1.1.17-13.3.0.4.legacy - Apply patch to fix CAN-2004-0558 fc1 changelog: * Sun Oct 03 2004 Marc Deslauriers 1:1.1.19-13.2.legacy - Rebuilt * Fri Oct 01 2004 Marc Deslauriers 1:1.1.19-13.1.legacy - Added legacy to release tag - Added missing autoconf zlib-devel libjpeg-devel libtiff-devel libpng-devel to BuildPrereq * Mon Aug 23 2004 Tim Waugh 1:1.1.19-13.1 - Add version to LPRng obsoletes: tag. - Apply patch to fix CAN-2004-0558 (bug #130646). --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) dc9e67863c6ed358eca94f36f04c2549be49bee7 redhat/9/updates-testing/i386/cups-1.1.17-13.3.0.6.legacy.i386.rpm fc7fd1c2c7ad79e2c419b5440e6b0e0a88b2e276 redhat/9/updates-testing/i386/cups-devel-1.1.17-13.3.0.6.legacy.i386.rpm 39f6b741f82f6e566351d15f7ec384f0cde9a17e redhat/9/updates-testing/i386/cups-libs-1.1.17-13.3.0.6.legacy.i386.rpm ff063b1392b2841153d5dc234c5f3ed6d54d63e4 redhat/9/updates-testing/SRPMS/cups-1.1.17-13.3.0.6.legacy.src.rpm e7684dfcd7142714848be20e318e5c58aed2b481 fedora/1/updates-testing/i386/cups-1.1.19-13.2.legacy.i386.rpm 8dbb4ea34d20de5b70e1672e60794fcfe5021f4b fedora/1/updates-testing/i386/cups-devel-1.1.19-13.2.legacy.i386.rpm 369439d5c253a361ffd64f892efc448c62d54e94 fedora/1/updates-testing/i386/cups-libs-1.1.19-13.2.legacy.i386.rpm 8b69b1f1c661a5c75dfadcfb85a19fd712e5f904 fedora/1/updates-testing/SRPMS/cups-1.1.19-13.2.legacy.src.rpm --------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed... 
From marcdeslauriers at videotron.ca Mon Oct 4 03:38:50 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 03 Oct 2004 23:38:50 -0400 Subject: Fedora Legacy Test Update Notification: httpd Message-ID: <1096861130.4148.4.camel@mdlinux> Packages were updated to provide stripped binaries. --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2004-2068 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2068 2004-10-04 --------------------------------------------------------------------- Name : httpd Versions : 9: 2.0.40-21.16.legacy, fc1: httpd-2.0.51-1.4.legacy Summary : The httpd Web server Description : This package contains a powerful, full-featured, efficient, and freely-available Web server based on work done by the Apache Software Foundation. It is also the most popular Web server on the Internet. --------------------------------------------------------------------- Update Information: Problems that apply to Red Hat Linux 9 only: A stack buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occurred if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue. A remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue. 
Problems that apply to Fedora Core 1 only: Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on this platform. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue. An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue. Note that these packages do also contain the fix for a regression in Satisfy handling in the 2.0.51 release (CAN-2004-0811). Problems that apply to both Red Hat Linux 9 and Fedora Core 1: The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue. An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. 
This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue. An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue. --------------------------------------------------------------------- 9 changelog: * Sun Oct 03 2004 Marc Deslauriers 2.0.40-21.16.legacy - Rebuilt * Sat Oct 02 2004 Marc Deslauriers 2.0.40-21.15.legacy - added missing autoconf, libtool, zlib-devel, gdbm-devel BuildPrereq * Thu Sep 16 2004 Marc Deslauriers 2.0.40-21.14.legacy - add security fixes for CVE CAN-2004-0747, CAN-2004-0751, CAN-2004-0809 * Fri Jul 02 2004 Marc Deslauriers 2.0.40-21.13.legacy - add security fix for CVE CAN-2004-0493 * Wed Jun 02 2004 Marc Deslauriers 2.0.40-21.12.legacy - add security fix for CVE CAN-2004-0488 fc1 changelog: * Sun Oct 03 2004 Marc Deslauriers 2.0.51-1.4.legacy - Rebuilt * Sat Oct 02 2004 Marc Deslauriers 2.0.51-1.3.legacy - added missing autoconf, libtool, zlib-devel, gdbm-devel BuildPrereq * Fri Sep 24 2004 Marc Deslauriers 2.0.51-1.2.legacy - fix 2.0.51 regression in Satisfy merging (CAN-2004-0811) - ap_rgetline_core fix from Rici Lake * Wed Sep 15 2004 Joe Orton 2.0.51-1.1 - update to 2.0.51, including security fixes for: * core: 
CAN-2004-0747 * mod_dav_fs: CAN-2004-0809 * mod_ssl: CAN-2004-0751, CAN-2004-0748 --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) 4e087267eecc22511da946cfa48bbc323eca06c9 fedora/1/updates-testing/i386/httpd-2.0.51-1.4.legacy.i386.rpm 6e93aa37526472d11a8c2f31e58e89b920dac08c fedora/1/updates-testing/i386/httpd-devel-2.0.51-1.4.legacy.i386.rpm 09af35f59d8bfd42a4b2988af5ce869e0daf4fcc fedora/1/updates-testing/i386/httpd-manual-2.0.51-1.4.legacy.i386.rpm 2c125be93507e8ed0e672f0459b06b719678264b fedora/1/updates-testing/i386/mod_ssl-2.0.51-1.4.legacy.i386.rpm 5629ec56b7b4935f8540c5884ec3d03a4d5e09cd fedora/1/updates-testing/SRPMS/httpd-2.0.51-1.4.legacy.src.rpm 24afb48553b515210d3169791dcdd7d39a5d48d6 redhat/9/updates-testing/i386/httpd-2.0.40-21.16.legacy.i386.rpm 6e331ab50f8ddfc5674941a624cb9964863e5375 redhat/9/updates-testing/i386/httpd-devel-2.0.40-21.16.legacy.i386.rpm 0f173510cd129e3705bfaef42e29ff0534ceb4a3 redhat/9/updates-testing/i386/httpd-manual-2.0.40-21.16.legacy.i386.rpm 3983d36be504848260d839f9da54987fd6ec5bc6 redhat/9/updates-testing/i386/mod_ssl-2.0.40-21.16.legacy.i386.rpm 985775546a6372e6593735521e1729baefde46ba redhat/9/updates-testing/SRPMS/httpd-2.0.40-21.16.legacy.src.rpm --------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From marcdeslauriers at videotron.ca Mon Oct 4 03:39:49 2004 
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 23:39:49 -0400
Subject: Fedora Legacy Test Update Notification: php
Message-ID: <1096861189.4148.6.camel@mdlinux>

RH9 packages were updated to provide stripped binaries.
RH7.3 packages are unchanged.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1868
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1868
2004-10-04
---------------------------------------------------------------------

Name        : php
Versions    : 7.3: 4.1.2-7.3.10.legacy, 9: 4.2.2-17.7.legacy
Summary     : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache Web server to understand and process the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to this issue.

This issue has a higher risk when PHP is running on an instance of Apache which is vulnerable to CAN-2004-0493. It may also be possible to exploit this issue if using a non-default PHP configuration with the "register_defaults" setting changed to "On".

Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue.

---------------------------------------------------------------------
7.3 changelog:

* Thu Sep 30 2004 Marc Deslauriers 4.1.2-7.3.10.legacy
- Added missing BuildRequires: sendmail

* Sun Aug 01 2004 John Dalbec 4.1.2-7.3.9.legacy
- Added missing BuildRequires: flex mm-devel libtool

* Mon Jul 26 2004 Marc Deslauriers 4.1.2-7.3.8.legacy
- Added better security fix for CAN-2004-0594
- Added fixes for various compiler warnings

* Thu Jul 15 2004 Marc Deslauriers 4.1.2-7.3.7.legacy
- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes
- Added imap-devel BuildRequires

9 changelog:

* Sun Oct 03 2004 Marc Deslauriers 4.2.2-17.7.legacy
- Rebuilt

* Thu Sep 30 2004 Marc Deslauriers 4.2.2-17.6.legacy
- Added sendmail to BuildRequires

* Tue Sep 28 2004 Marc Deslauriers 4.2.2-17.5.legacy
- Added flex and libtool to BuildRequires

* Mon Jul 26 2004 Marc Deslauriers 4.2.2-17.4.legacy
- Added better security fix for CAN-2004-0594

* Thu Jul 15 2004 Marc Deslauriers 4.2.2-17.3.legacy
- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/
(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Mon Oct 4 03:41:12 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 23:41:12 -0400
Subject: Fedora Legacy Test Update Notification: gaim
Message-ID: <1096861272.4148.9.camel@mdlinux>

RH9 packages were updated to provide stripped binaries.
RH7.3 packages are unchanged.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1237
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1237
2004-10-04
---------------------------------------------------------------------

Name        : gaim
Versions    : 7.3: 0.82.1-0.73.2, 9: 0.82.1-0.90.3
Summary     : A GTK+ clone of the AOL Instant Messenger client.
Description :
Gaim is a clone of America Online's Instant Messenger client. It features nearly all of the functionality of the official AIM client while also being smaller, faster, and commercial-free.

---------------------------------------------------------------------
Update Information:

Issues fixed with this gaim release include:

Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0006 to these issues.

A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0007 to this issue.

An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0008 to this issue.

Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0500 to this issue.

An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to this issue.

A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0784 to this issue.

Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0785 to this issue.

---------------------------------------------------------------------
7.3 changelog:

* Mon Sep 27 2004 Marc Deslauriers 0.82.1-0.73.2.legacy
- Added mozilla-nspr-devel and mozilla-nss BuildRequires
- Specify mozilla version

* Sun Sep 05 2004 Marc Deslauriers 0.82.1-0.73.1.legacy
- Updated to 0.82.1

* Sat Jun 12 2004 Marc Deslauriers 0.78-0.73.1.legacy
- Rebuilt as Fedora Legacy update for rh73 (FL#1237)
- Disabled some requirements not available on rh73
- Removed Fedora specific config file and patches
- Created a desktop file for rh73
- Removed docklet.so plugin as it doesn't work in rh73

9 changelog:

* Sun Oct 03 2004 Marc Deslauriers 0.82.1-0.90.3.legacy
- Rebuilt

* Mon Sep 27 2004 Marc Deslauriers 0.82.1-0.90.2.legacy
- Added mozilla-nspr-devel and mozilla-nss BuildRequires

* Sun Sep 05 2004 Marc Deslauriers 0.82.1-0.90.1.legacy
- Updated to 0.82.1

* Sat Jun 12 2004 Marc Deslauriers 0.78-0.90.1.legacy
- Rebuilt as Fedora Legacy update for rh9 (FL#1237)
- Disabled some requirements not available on rh9

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/
(sha1sums)

cda084b78e263bb725ad92fdef0fc4b329b705d5 7.3/updates-testing/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm
e28d0c278324c7a508af7a30565cc5741b7ec4f0 7.3/updates-testing/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm
958a8c9d2077ae068af20c282e69e64ec8f1a4e7 9/updates-testing/i386/gaim-0.82.1-0.90.3.legacy.i386.rpm
211c4e944d0b1178e53f0f1dd8bd303eeee1a6cf 9/updates-testing/SRPMS/gaim-0.82.1-0.90.3.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Mon Oct 4 03:42:03 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 23:42:03 -0400
Subject: Fedora Legacy Test Update Notification: lha
Message-ID: <1096861322.4148.11.camel@mdlinux>

RH9 packages were updated to provide stripped binaries.
RH7.3 packages are unchanged.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1833
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1833
2004-10-04
---------------------------------------------------------------------

Name        : lha
Versions    : 7.3: 1.14i-4.7.3.3.legacy, 9: 1.14i-9.4.legacy
Summary     : An archiving and compression utility for LHarc format archives.
Description :
LHA is an archiving and compression utility for LHarc format archives. LHA is mostly used in the DOS world, but can be used under Linux to extract DOS files from LHA archives.

Install the lha package if you need to extract DOS files from LHA archives.

---------------------------------------------------------------------
Update Information:

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue. An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

---------------------------------------------------------------------
7.3 changelog:

* Wed Sep 08 2004 Marc Deslauriers 1.14i-4.7.3.3.legacy
- Rebuilt as Fedora Legacy security update

* Tue Aug 03 2004 Than Ngo 1.14i-10.4
- another LHA buffer overflow

* Fri Jun 25 2004 Than Ngo 1.14i-10.3
- fix LHA buffer overflow

9 changelog:

* Sun Oct 03 2004 Marc Deslauriers 1.14i-9.4.legacy
- Rebuilt

* Wed Sep 08 2004 Marc Deslauriers 1.14i-9.3.legacy
- Rebuilt as Fedora Legacy security update

* Tue Aug 03 2004 Than Ngo 1.14i-10.4
- another LHA buffer overflow

* Fri Jun 25 2004 Than Ngo 1.14i-10.3
- fix LHA buffer overflow

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/
(sha1sums)

421a0998d84a2b75ebaa0bb334273ce1dad2be88 7.3/updates-testing/i386/lha-1.14i-4.7.3.3.legacy.i386.rpm
aa6033fd436ea908b38b2035f096223f92ed780d 7.3/updates-testing/SRPMS/lha-1.14i-4.7.3.3.legacy.src.rpm
4458d9eec9f7706070f67e0263aab497bced075a 9/updates-testing/i386/lha-1.14i-9.4.legacy.i386.rpm
b1ae50a84ca44b9e515757b6e0363ce5bf53d8ab 9/updates-testing/SRPMS/lha-1.14i-9.4.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Mon Oct 4 03:43:38 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 23:43:38 -0400
Subject: Fedora Legacy Test Update Notification: tripwire
Message-ID: <1096861418.4148.14.camel@mdlinux>

New packages were released with a downgraded release number in order to preserve the upgrade cycle to Fedora Core 1.

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-1719
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1719
2004-10-04
---------------------------------------------------------------------

Name        : tripwire
Version 7.3 : 2.3.1-10.1.legacy.7x
Version 9   : 2.3.1-17.1.legacy.9
Summary     : A system integrity assessment tool.
Description :
Tripwire is a very valuable security tool for Linux systems, if it is installed to a clean system. Tripwire should be installed right after the OS installation, and before you have connected your system to a network (i.e., before any possibility exists that someone could alter files on your system).

---------------------------------------------------------------------
Update Information:

Updated Tripwire packages that fix a format string security vulnerability are now available.

Tripwire is a system integrity assessment tool.

Paul Herman discovered a format string vulnerability in Tripwire version 2.3.1 and earlier. If Tripwire is configured to send reports via email, a local user could gain privileges by creating a carefully crafted file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0536 to this issue.

Users of Tripwire are advised to upgrade to this erratum package which contains a backported security patch to correct this issue.

---------------------------------------------------------------------
Changelog:

7.3:

* Mon Oct 04 2004 Marc Deslauriers 2.3.1-10.1.legacy.7x
- Removed gcc-c++ as a BuildReq
- Downgraded version number so we don't break upgrade cycle to fc1

* Tue Jun 15 2004 Jesse Keating 2.3.1-20.legacy.7x
- Added gcc-c++ as a BuildReq
- Changed version number to allow for 7.x to bump w/out touching 9

* Fri Jun 04 2004 Marc Deslauriers 2.3.1-18.legacy
- Added patch for format string vulnerability (FL #1719)

9:

* Mon Oct 04 2004 Marc Deslauriers 2.3.1-17.1.legacy.9
- Removed gcc-c++ BuildRequires
- Downgraded release number so we don't break the upgrade cycle to fc1

* Tue Jun 15 2004 Jesse Keating 2.3.1-20.legacy.9
- Added gcc-c++
- Altered version for 7.x/9 independence.

* Fri Jun 04 2004 Marc Deslauriers 2.3.1-19.legacy
- Added patch for format string vulnerability (FL #1719)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

1b2a8875e86492065f53db69d04de4a452fb1c5f 7.3/updates-testing/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2 7.3/updates-testing/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
0ef679e248881f02452b5ab4c7f58cd6e603a30e 9/updates-testing/i386/tripwire-2.3.1-17.1.legacy.9.i386.rpm
6e62d981a2ffe149196af4b35b8d1962f76dc367 9/updates-testing/SRPMS/tripwire-2.3.1-17.1.legacy.9.src.rpm

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.

---------------------------------------------------------------------

Please test these new packages and add comments to Bugzilla.

From marcdeslauriers at videotron.ca Mon Oct 4 03:57:11 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 03 Oct 2004 23:57:11 -0400
Subject: Missing signatures
Message-ID: <1096862231.4148.22.camel@mdlinux>

Hi all,

I just sent out 4 update notifications without signatures. In case anyone is interested, here are the sha1sums again in this signed message.

Sorry about that, my caffeine is a bit low right now :)

Marc.

From dom at earth.li Mon Oct 4 09:54:25 2004
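The notifications in this archive publish each package as a `<sha1> <path>` pair under "(sha1sums)", and the "Missing signatures" message re-sends those pairs inside a signed mail. As an added example (not part of the original posts), this Python code parses such a list, even when an archive has flattened the mail onto one line, and checks a local download tree against it. The sample advisory text, package names and directory layout are constructed, and the code assumes the list was copied from a message whose GPG signature has already been verified.

```python
"""Check downloaded RPMs against an advisory's "(sha1sums)" list."""
import hashlib
import os
import re
import tempfile

# One list entry: 40 hex digits, whitespace, a path ending in .rpm.
# Matching tokens rather than lines keeps this working on mail that an
# archive has flattened onto a single line.
ENTRY_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{40})\s+(\S+\.rpm)(?!\S)")

# Constructed sample, not taken from any real notification. The first,
# second and fourth digests are SHA-1("abc"); the third is SHA-1 of the
# empty string.
SAMPLE_ADVISORY = (
    "This update can be downloaded from: http://download.example.invalid/ "
    "(sha1sums) "
    "a9993e364706816aba3e25717850c26c9cd0d89d "
    "9/updates-testing/i386/example-1.0-1.legacy.i386.rpm "
    "a9993e364706816aba3e25717850c26c9cd0d89d "
    "9/updates-testing/i386/example-devel-1.0-1.legacy.i386.rpm "
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "9/updates-testing/SRPMS/example-1.0-1.legacy.src.rpm "
    "a9993e364706816aba3e25717850c26c9cd0d89d "
    "../outside-1.0-1.legacy.i386.rpm "
    "---- Please test and comment in bugzilla."
)


def parse_manifest(text):
    """Return {relative_path: sha1_hex} for every entry found in text."""
    entries = {}
    for digest, path in ENTRY_RE.findall(text):
        digest = digest.lower()
        if entries.get(path, digest) != digest:
            # The same file listed with two digests: do not guess.
            raise ValueError("conflicting digests for %s" % path)
        entries[path] = digest
    return entries


def sha1_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(manifest, root):
    """Return {path: status}; status is ok, mismatch, missing, rejected
    (listed path resolves outside root) or unlisted (.rpm under root that
    the manifest does not mention)."""
    root = os.path.realpath(root)
    results = {}
    for rel, expected in manifest.items():
        local = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, local]) != root:
            results[rel] = "rejected"
        elif not os.path.isfile(local):
            results[rel] = "missing"
        elif sha1_file(local) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".rpm"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                results.setdefault(rel.replace(os.sep, "/"), "unlisted")
    return results


def demo():
    """Build a constructed download tree and verify it against the sample."""
    files = {
        "9/updates-testing/i386/example-1.0-1.legacy.i386.rpm": b"abc",
        # One byte differs from what the manifest digest covers.
        "9/updates-testing/i386/example-devel-1.0-1.legacy.i386.rpm": b"abd",
        # Present on disk but never listed in the advisory.
        "9/updates-testing/i386/stray-0.1-1.i386.rpm": b"abc",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return verify(parse_manifest(SAMPLE_ADVISORY), root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print("%-9s %s" % (status, rel))
```

A matching digest only shows that the file is the one the list describes; the trust comes from the signature on the message that carried the list.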
From: dom at earth.li (Dominic Hargreaves)
Date: Mon, 4 Oct 2004 10:54:25 +0100
Subject: Fedora Legacy Test Update Notification: netpbm
Message-ID: <20041004095423.GA15542@home.thedom.org>

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-1257
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1257
2004-10-04
---------------------------------------------------------------------

Name          : netpbm
Version (7.3) : 9.24-9.73.4.legacy
Version (9)   : 9.24-10.90.3.legacy
Summary       : A library for handling different graphics file formats.
Description   :
The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others.

---------------------------------------------------------------------
Update Information:

Updated NetPBM packages are available that fix a number of temporary file vulnerabilities in the netpbm libraries.

The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others.

A number of temporary file bugs have been found in versions of NetPBM. These could make it possible for a local user to overwrite or create files as a different user who happens to run one of the vulnerable utilities. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0924 to this issue.

---------------------------------------------------------------------
7.3 Changelog:

* Sun Jun 27 2004 John Dalbec 9.24-10.90.3.legacy
- Changed BuildPrereq to BuildRequires
- Added missing BuildRequires: flex

* Fri Jun 11 2004 Marc Deslauriers 9.24-10.90.2.legacy
- Added security patches for CAN-2003-0924

9 Changelog:

* Sun Jun 27 2004 John Dalbec 9.24-9.73.4.legacy
- Changed BuildPrereq to BuildRequires
- Added missing BuildRequires: flex

* Fri Jun 11 2004 Marc Deslauriers 9.24-9.73.3.legacy
- Added security patches for CAN-2003-0924

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.

---------------------------------------------------------------------

From wleutwyl at columbus.rr.com Mon Oct 4 11:08:20 2004
From: wleutwyl at columbus.rr.com (Wayne Leutwyler)
Date: Mon, 4 Oct 2004 07:08:20 -0400
Subject: Repositories info at Fedora Legacy / Download Page
Message-ID: <200410040708.21185.wleutwyl@columbus.rr.com>

Do we need to update the Download page with the apt-get and yum Repositories info?

As it stands right now all the locations point to Red Hat releases, and none point to the new Fedora Core 1 release.

Just thought I would bring this to someone's attention.

-Wayne

From leonard at den.ottolander.nl Mon Oct 4 14:32:01 2004
From: leonard at den.ottolander.nl (Leonard den Ottolander)
Date: Mon, 04 Oct 2004 16:32:01 +0200
Subject: openssl-0.9.6m rpm for RHL 7.3
In-Reply-To: <1096734751.4751.80.camel@athlon.localdomain>
References: <1096734751.4751.80.camel@athlon.localdomain>
Message-ID: <1096900320.4777.43.camel@athlon.localdomain>

Hi,

On Sat, 2004-10-02 at 18:32, I wrote:
> Last week I've spent some time producing a few packages based on recent
> tarballs for RHL 7.3. These are apache-1.3.31 (I will update this to
> 1.3.32 soon), mod_ssl-2.8.19 (will also this one against apache-1.3.32)
> and openssl-0.9.6m.

(No apache-1.3.32 yet.)

> I've put a lot of effort in fixing all relevant patches to be
> functionally similar to the originals.

For those who are interested I've made the srpms available under http://www.ottolander.nl/opensource/srpms/rhl73/ .

Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

From rostetter at mail.utexas.edu Mon Oct 4 15:50:48 2004
From: rostetter at mail.utexas.edu (Eric Rostetter)
Date: Mon, 4 Oct 2004 10:50:48 -0500
Subject: Repositories info at Fedora Legacy / Download Page
In-Reply-To: <200410040708.21185.wleutwyl@columbus.rr.com>
References: <200410040708.21185.wleutwyl@columbus.rr.com>
Message-ID: <1096905048.4fcf5f57df2ed@mail.ph.utexas.edu>

Quoting Wayne Leutwyler:

> Do we need to update the Download page with the apt-get and yum Repositories
> info?

Done (to the best of my guesses). Comments/corrections appreciated.

--
Eric Rostetter

From wleutwyl at columbus.rr.com Mon Oct 4 16:33:39 2004
From: wleutwyl at columbus.rr.com (Wayne Leutwyler)
Date: Mon, 4 Oct 2004 12:33:39 -0400
Subject: Repositories info at Fedora Legacy / Download Page
In-Reply-To: <1096905048.4fcf5f57df2ed@mail.ph.utexas.edu>
References: <200410040708.21185.wleutwyl@columbus.rr.com> <1096905048.4fcf5f57df2ed@mail.ph.utexas.edu>
Message-ID: <200410041233.39298.wleutwyl@columbus.rr.com>

On Monday 04 October 2004 11:50 am, Eric Rostetter wrote:
> Quoting Wayne Leutwyler:
> > Do we need to update the Download page with the apt-get and yum
> > Repositories info?
>
> Done (to the best of my guesses). Comments/corrections appreciated.

Thanks Eric. If you need a hand with the site, I would be more than happy to lend it.

-Wayne

From sebenste at weather.admin.niu.edu Tue Oct 5 15:28:46 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Tue, 5 Oct 2004 10:28:46 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
Message-ID:

Hello all,

I can't get "yum update" to work on Fedora Core 1 after I:

1. Installed cups and httpd from:

http://download.fedoralegacy.org/fedora/1/updates-testing/i386/

(by downloading them and doing a "rpm -Fvh *.rpm"; the installs seem to have gone fine.

2. Typed "yum update". Here is my yum.conf file:

[main]
cachedir=/var/cache/yum
debuglevel=4
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=fedora-release
#distroverpkg=fedora-legacy
tolerant=1
exactarch=0
retries=1

[base]
name=Fedora Core $releasever base
#baseurl=http://download.fedoralegacy.org/fedora/$releasever/os/$basearch
baseurl=http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/$releasever/os/$basearch

#[updates]
#name=Fedora Core $releasever updates
#baseurl=http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/$releasever/updates/$basearch

[legacy-utils]
name=Fedora Legacy utilities for Fedora Core $releasever
baseurl=http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/$releasever/legacy-utils/$basearch

[updates-testing]
name=Fedora Core $releasever updates
baseurl=http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/$releasever/updates-testing/$basearch

3. When I type "yum update", the following output occurs (debug level set to "4"...

# yum update
Unable to find pid
Gathering header information file(s) from server(s)
Server: Fedora Core 1 base
CacheDir: /var/cache/yum/base
Getting header.info from server
failover: baseURL = http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/1/os/i386
failover: path = /headers/header.info
headerinfofn: /var/cache/yum/base/header.info
Server: Fedora Legacy utilities for Fedora Core 1
CacheDir: /var/cache/yum/legacy-utils
Getting header.info from server
failover: baseURL = http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/1/legacy-utils/i386
failover: path = /headers/header.info
headerinfofn: /var/cache/yum/legacy-utils/header.info
Server: Fedora Core 1 updates
CacheDir: /var/cache/yum/updates-testing
Getting header.info from server
failover: baseURL = http://mirror.cs.wisc.edu/pub/mirrors/linux/download.fedoralegacy.org/fedora/1/updates-testing/i386
failover: path = /headers/header.info
headerinfofn: /var/cache/yum/updates-testing/header.info

I have also tried this with the default URLs from the http://www.fedoralegacy.org/download/ site for FC1. Doesn't work. It also hangs after the part where it tries to find the "[updates]".

Now, I also notice this morning that several processes have hung on my system:

29442 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
31730 ? S 0:00 /bin/sh /etc/cron.daily/rpm
31731 ? S 0:00 awk -v progname=/etc/cron.daily/rpm progname {?????
31732 ? S 0:05 /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{

I have also typed "yum clean" but that hangs too. What's going on? Any help appreciated.

*******************************************************************************
Gilbert Sebenste ********
(My opinions only!) ******
Staff Meteorologist, Northern Illinois University ****
E-mail: sebenste at weather.admin.niu.edu ***
web: http://weather.admin.niu.edu **
Work phone: 815-753-5492 *
*******************************************************************************

From alexander.dalloz at uni-bielefeld.de Tue Oct 5 15:43:31 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Tue, 05 Oct 2004 17:43:31 +0200
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To:
References:
Message-ID: <1096991011.9063.439.camel@serendipity.dogma.lan>

On Tue, 05.10.2004 at 17:28, Gilbert Sebenste wrote:

> I can't get "yum update" to work on Fedora Core 1 after I:

> Now, I also notice this morning that several processes have hung on my
> system:
>
> 29442 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
> 31730 ? S 0:00 /bin/sh /etc/cron.daily/rpm
> 31731 ? S 0:00 awk -v progname=/etc/cron.daily/rpm progname {?????
> 31732 ? S 0:05 /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{
>
> I have also typed "yum clean" but that hangs too. What's going on? Any
> help appreciated.

> Gilbert Sebenste

You will first have to stop the running rpm jobs. Seems that the nightly cronjob running and creating a list of installed packages is still sitting there. Kill the processes. Then run rpm by hand to see whether there is a basic problem with rpm. I.e. run "rpm -q httpd". If that succeeds then try again your "yum update".

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 17:39:28 up 5 days, 20:05, load average: 0.25, 0.25, 0.30

From sebenste at weather.admin.niu.edu Tue Oct 5 15:57:54 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Tue, 5 Oct 2004 10:57:54 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1096991011.9063.439.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
Message-ID: 

> On Tue, 05.10.2004 at 17:55, Cool Alexander Dalloz wrote:

> You will first have to stop the running rpm jobs. Seems that the nightly
> cronjob running and creating a list of installed packages is still
> sitting there. Kill the processes. Then run rpm by hand to see whether
> there is a basic problem with rpm. I.e. run "rpm -q httpd". If that
> succeeds then try again your "yum update".
>
> Alexander

Well, this is interesting. I noticed new httpd and cups packages out there
today. So, I just downloaded them to a temporary directory and made sure
file permissions were correct. But, when I type "rpm -Fvh *.rpm" now,
I get:

Preparing...

And then it hangs.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From alexander.dalloz at uni-bielefeld.de Tue Oct 5 16:08:48 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Tue, 05 Oct 2004 18:08:48 +0200
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: 
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
Message-ID: <1096992528.9063.443.camel@serendipity.dogma.lan>

On Tue, 05.10.2004 at 17:57, Gilbert Sebenste wrote:

> Well, this is interesting. I noticed new httpd and cups packages out there
> today. So, I just downloaded them to a temporary directory and made sure
> file permissions were correct. But, when I type "rpm -Fvh *.rpm" now,
> I get:
>
> Preparing...
>
> And then it hangs.

> Gilbert Sebenste

So it seems to be an RPM problem. Stop all rpm processes and then run

1) rm -f /var/lib/rpm/__db.00?
2) rpm --rebuilddb

Then rerun commands with rpm showing that it works again properly.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 18:06:44 up 5 days, 20:32, load average: 1.18, 0.99, 0.74

From sebenste at weather.admin.niu.edu Tue Oct 5 16:16:36 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Tue, 5 Oct 2004 11:16:36 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1096992528.9063.443.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
Message-ID: 

On Tue, 5 Oct 2004, Alexander Dalloz wrote:

> > Preparing...
> >
> > And then it hangs.
>
> > Gilbert Sebenste
>
> So it seems to be an RPM problem. Stop all rpm processes and then run
>
> 1) rm -f /var/lib/rpm/__db.00?
> 2) rpm --rebuilddb
>
> Then rerun commands with rpm showing that it works again properly.

I did step 1. When I did step 2, it hangs! Wow. I don't know what to do.
I've never had a meltdown of rpm like this. Should I just uninstall it
and then reinstall it? Hmmm. I need to find out where it is if I do
this, but that shouldn't take much time.

I can say that it hangs because the job time just increases, instead of
showing "0:00".

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From alexander.dalloz at uni-bielefeld.de Tue Oct 5 16:22:01 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Tue, 05 Oct 2004 18:22:01 +0200
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: 
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
Message-ID: <1096993320.9063.446.camel@serendipity.dogma.lan>

On Tue, 05.10.2004 at 18:16, Gilbert Sebenste wrote:

> > 1) rm -f /var/lib/rpm/__db.00?
> > 2) rpm --rebuilddb
> >
> > Then rerun commands with rpm showing that it works again properly.
>
> I did step 1. When I did step 2, it hangs! Wow. I don't know what to do.
> I've never had a meltdown of rpm like this. Should I just uninstall it
> and then reinstall it? Hmmm. I need to find out where it is if I do
> this, but that shouldn't take much time.
>
> I can say that it hangs because the job time just increases, instead of
> showing "0:00".

> Gilbert Sebenste

You can run the rebuilddb with "-v" or multiple v's like "-vv" to
increase verbosity and see what is going on.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 18:20:43 up 5 days, 20:46, load average: 0.95, 0.86, 0.78

From sebenste at weather.admin.niu.edu Tue Oct 5 16:43:46 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Tue, 5 Oct 2004 11:43:46 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1096993320.9063.446.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
Message-ID: 

On Tue, 5 Oct 2004, Alexander Dalloz wrote:

> You can run the rebuilddb with "-v" or multiple v's like "-vv" to
> increase verbosity and see what is going on.

I did a -vv. All seems well but then it hits:

D: adding 2 entries to Filemd5s index.

And then it hangs.

I wonder if a lack of a V3 DSA signature on the
cups-1.1.19-13.2.legacy.i386.rpm package (I see that error when I
installed it) is giving RPM fits.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From ckelley at ibnads.com Tue Oct 5 20:24:06 2004
From: ckelley at ibnads.com (Craig Kelley)
Date: Tue, 05 Oct 2004 14:24:06 -0600
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: 
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
Message-ID: <416302E6.9070000@ibnads.com>

Gilbert Sebenste wrote:

>I wonder if a lack of a V3 DSA signature on the
>cups-1.1.19-13.2.legacy.i386.rpm package (I see that error when I
>installed it) is giving RPM fits.
>
>

FWIW, I've "melted down" RPM many times on Redhat 8/9. I've never seen
a problem under 7.3 or Fedora Core, though.

-- 
Craig Kelley
In-Store Broadcasting Network

From dom at earth.li Wed Oct 6 00:25:45 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Wed, 6 Oct 2004 01:25:45 +0100
Subject: Round-up, 2004-10-06
Message-ID: <20041006002545.GA28357@home.thedom.org>

Hi all,

We are making good progress in getting rid of the huge backlog that had
built up, and no doubt raising a few eyebrows with our advisories of
month-old issues ;)

However, we still have a little way to go, so if people could look at,
for example, verifying the packages listed as to verify below (ignoring
the ones marked as superseded) that would be great. Of course, if you have
a little more time, addressing the issues in the section entitled
"Packages in state UNCONFIRMED, NEW, ASSIGNED or REOPENED" would be
excellent.

Cheers,

List follows.

$Id: issues.txt,v 1.84 2004/10/06 00:25:23 dom Exp $

See bottom for changes

This list is also available at
http://www-astro.physics.ox.ac.uk/~dom/legacy/issues.txt

Packages that have been verified and should be fully released
-------------------------------------------------------------

cvs - https://bugzilla.fedora.us/show_bug.cgi?id=1735

Packages waiting to be built for updates-testing
------------------------------------------------

gdk-pixbuf - https://bugzilla.fedora.us/show_bug.cgi?id=1371
  (rh73,superseded)
abiword - https://bugzilla.fedora.us/show_bug.cgi?id=1906
glibc - https://bugzilla.fedora.us/show_bug.cgi?id=1947
  (fixed builds)
mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=2089

Packages in state RESOLVED (ie exist in updates-testing) that need
active work.
------------------------------------------------------------------

gaim - https://bugzilla.fedora.us/show_bug.cgi?id=1237
  Needs 2 VERIFY before release.
netpbm - https://bugzilla.fedora.us/show_bug.cgi?id=1257
  Needs 2 VERIFY
XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1289
  Needs VERIFY before release (superseded).
mailman - https://bugzilla.fedora.us/show_bug.cgi?id=1269
  There were some unconfirmed reports of breakage with the candidate.
  This needs more QA before release.
kernel - https://bugzilla.fedora.us/show_bug.cgi?id=1484
  Needs missing file rebuilt for verification - but preferentially put
  work into later kernel ticket
mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=1532
  Needs 2 VERIFY but has been superseded
lha - https://bugzilla.fedora.us/show_bug.cgi?id=1547
  Needs 2 VERIFY but has been superseded
tripwire - https://bugzilla.fedora.us/show_bug.cgi?id=1719
  Needs 2 VERIFY
squid - https://bugzilla.fedora.us/show_bug.cgi?id=1732
  Needs 1 VERIFY before release (but about to be superseded?)
mod_proxy - https://bugzilla.fedora.us/show_bug.cgi?id=1737
  Needs 1 VERIFY
kernel - https://bugzilla.fedora.us/show_bug.cgi?id=1804
  Needs 2 VERIFY
XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1831
  Needs VERIFY for rh9 (superseded)
lha - https://bugzilla.fedora.us/show_bug.cgi?id=1833
  Needs 1 VERIFY especially for rh9
php - https://bugzilla.fedora.us/show_bug.cgi?id=1868
  Needs 2 VERIFY
mod_ssl - https://bugzilla.fedora.us/show_bug.cgi?id=1888
  Needs 1 VERIFY
apache - https://bugzilla.fedora.us/show_bug.cgi?id=2068
  Needs 2 VERIFY
cups - https://bugzilla.fedora.us/show_bug.cgi?id=2072
  Needs 2 VERIFY

Packages in state UNCONFIRMED, NEW, ASSIGNED or REOPENED:
--------------------------------------------------------

* readline - https://bugzilla.fedora.us/show_bug.cgi?id=2017
  Another not fixed before EOL (rh9). WONTFIX?
kdelibs - https://bugzilla.fedora.us/show_bug.cgi?id=1373
  Needs 2 PUBLISH (superseded)
yum - https://bugzilla.fedora.us/show_bug.cgi?id=1604
  Needs 2 PUBLISH
krb5 - https://bugzilla.fedora.us/show_bug.cgi?id=1726
  Obsoleted
libxml - https://bugzilla.fedora.us/show_bug.cgi?id=1324
  Sort out confusion over status over version in updates-testing and
  add RESOLVED flag.
mc - https://bugzilla.fedora.us/show_bug.cgi?id=1548
  Need 1 PUBLISH (but superseded?)
libpng - https://bugzilla.fedora.us/show_bug.cgi?id=1550
  Superseded
libpng - https://bugzilla.fedora.us/show_bug.cgi?id=1943
  Need 1 PUBLISH for rh9
apache - https://bugzilla.fedora.us/show_bug.cgi?id=1805
  Superseded.
mysql - https://bugzilla.fedora.us/show_bug.cgi?id=1832
  Needs 1 PUBLISH but superseded?
mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=1834
  Needs PUBLISH especially for rh73 and FC1, but superseded.
samba - https://bugzilla.fedora.us/show_bug.cgi?id=1924
  Needs PUBLISH, especially for rh9
gnome vfs - https://bugzilla.fedora.us/show_bug.cgi?id=1944
  Needs PUBLISH, especially for rh9
sox - https://bugzilla.fedora.us/show_bug.cgi?id=1945
  Needs possible renaming of rh7.3 package
qt - https://bugzilla.fedora.us/show_bug.cgi?id=2002
  Needs 2 PUBLISH
gdk-pixbuf - https://bugzilla.fedora.us/show_bug.cgi?id=2005
  Needs 2 PUBLISH
mysql - https://bugzilla.fedora.us/show_bug.cgi?id=2006
  Needs 2 PUBLISH
ruby - https://bugzilla.fedora.us/show_bug.cgi?id=2007
  needs work
kdelibs - https://bugzilla.fedora.us/show_bug.cgi?id=2008
  Needs 2 PUBLISH
mc - https://bugzilla.fedora.us/show_bug.cgi?id=2009
  Needs 2 PUBLISH
pam_wheel - https://bugzilla.fedora.us/show_bug.cgi?id=2010
  Needs PUBLISH and full auditing?
krb5 - https://bugzilla.fedora.us/show_bug.cgi?id=2040
  Needs 1 PUBLISH for rh9 / investigate possible bug introduced
imlib - https://bugzilla.fedora.us/show_bug.cgi?id=2051
  Needs PUBLISH [rh73,rh9]
ImageMagick - https://bugzilla.fedora.us/show_bug.cgi?id=2052
  Needs 2 PUBLISH
squid - https://bugzilla.fedora.us/show_bug.cgi?id=2053
  Needs 2 PUBLISH for rh9, packages for fc1
samba - https://bugzilla.fedora.us/show_bug.cgi?id=2057
  Need maybe another PUBLISH for 7.3 otherwise building (superseded)
cdrecord - https://bugzilla.fedora.us/show_bug.cgi?id=2058
  Needs 2 PUBLISH for rh9
gtk2 - https://bugzilla.fedora.us/show_bug.cgi?id=2073
  Needs 2 PUBLISH
openoffice - https://bugzilla.fedora.us/show_bug.cgi?id=2074
  Needs 2 PUBLISH for rh9 and fc1
libxpm - https://bugzilla.fedora.us/show_bug.cgi?id=2075
  Needs PUBLISH for rh73,rh9
cupsomatic - https://bugzilla.fedora.us/show_bug.cgi?id=2076
  Needs 1 PUBLISH
redhat-config-nfs - https://bugzilla.fedora.us/show_bug.cgi?id=2086
  Need 1 or 2 PUBLISH
samba - https://bugzilla.fedora.us/show_bug.cgi?id=2102
  Needs PUBLISH for rh73
rp-pppoe - https://bugzilla.fedora.us/show_bug.cgi?id=2116
  Needs packages
cups - https://bugzilla.fedora.us/show_bug.cgi?id=2127
  Needs QA [rh9,fc1]

General (non-package bugs)
--------------------------

website docs - https://bugzilla.fedora.us/show_bug.cgi?id=2111
  FC1 docs missing

Notes
-----

Needs PUBLISH means that there are packages available for QA that need
to be QAd at the source level.

Needs VERIFY means that there are updates-testing packages that need
testing. This is the easy bit, let's get these old ones out of the way
ASAP.

* means that there is a judgement call that can be made on the bug
system immediately. Please follow up onlist with opinions.

Changes
-------

$Log: issues.txt,v $
Revision 1.84 2004/10/06 00:25:23 dom
update mozilla
Revision 1.83 2004/10/05 22:55:17 dom
more updates
Revision 1.82 2004/10/05 22:53:17 dom
update lots of stuff
Revision 1.81 2004/10/03 23:35:51 dom
add doc bug
Revision 1.80 2004/10/03 23:33:53 dom
update httpd, cups, netpbm
Revision 1.79 2004/10/03 13:03:33 dom
update mod_python, apache, sysstat, mod_ssl, sysstat
Revision 1.78 2004/10/02 23:29:39 dom
misc
Revision 1.77 2004/10/02 23:21:52 dom
update XFree86
Revision 1.76 2004/10/02 23:16:07 dom
update XFree86
Revision 1.75 2004/10/02 23:14:04 dom
update apache, libxpm
Revision 1.74 2004/10/02 16:33:14 dom
update php
Revision 1.73 2004/10/02 14:51:51 dom
update cups, squirrelmail .#
Revision 1.72 2004/10/02 01:36:06 dom
update glibc, mod_python, cvs, fc1 stuff
Revision 1.71 2004/10/02 00:14:25 dom
updates glibc, mozilla, xfree86
Revision 1.70 2004/09/30 23:39:43 dom
remove built packages
Revision 1.69 2004/09/30 21:52:07 dom
many updates
Revision 1.68 2004/09/30 12:39:17 dom
delete flim, xchat

From sebenste at weather.admin.niu.edu Wed Oct 6 15:17:58 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Wed, 6 Oct 2004 10:17:58 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <416302E6.9070000@ibnads.com>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
 <416302E6.9070000@ibnads.com>
Message-ID: 

On Tue, 5 Oct 2004, Craig Kelley wrote:

> Gilbert Sebenste wrote:
>
> >I wonder if a lack of a V3 DSA signature on the
> >cups-1.1.19-13.2.legacy.i386.rpm package (I see that error when I
> >installed it) is giving RPM fits.
> >
> >
> FWIW, I've "melted down" RPM many times on Redhat 8/9. I've never seen
> a problem under 7.3 or Fedora Core, though.

Yes, I have never had one myself under FC1. Is there a way to get the cups
package GPG signed? I am thinking that is the problem. Alexander or
others, do you have any ideas? I can't even get "rpm -Fvh" to work
anymore.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From alexander.dalloz at uni-bielefeld.de Wed Oct 6 15:42:42 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Wed, 06 Oct 2004 17:42:42 +0200
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: 
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
 <416302E6.9070000@ibnads.com>
Message-ID: <1097077362.9063.574.camel@serendipity.dogma.lan>

On Wed, 06.10.2004 at 17:17, Gilbert Sebenste wrote:

> > FWIW, I've "melted down" RPM many times on Redhat 8/9. I've never seen
> > a problem under 7.3 or Fedora Core, though.

So do I.

> Yes, I have never had one myself under FC1. Is there a way to get the cups
> package GPG signed? I am thinking that is the problem. Alexander or
> others, do you have any ideas? I can't even get "rpm -Fvh" to work
> anymore.

> Gilbert Sebenste

Gilbert,

I can offer to install test packages on my FC1 "test" system - please
advise me then which to try. A missing GPG signing of a package like
cups is certainly doing no harm. Did you already install the cups and
httpd test packages from Fedora Legacy on your FC1 system? Your RPM is
working as long as you don't try to install the testing packages?

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 17:35:47 up 6 days, 20:01, load average: 1.37, 1.47, 1.42

From sebenste at weather.admin.niu.edu Wed Oct 6 15:54:31 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Wed, 6 Oct 2004 10:54:31 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1097077362.9063.574.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
 <416302E6.9070000@ibnads.com>
 <1097077362.9063.574.camel@serendipity.dogma.lan>
Message-ID: 

Hi Alexander,

> Gilbert,
>
> I can offer to install test packages on my FC1 "test" system - please
> advise me then which to try. A missing GPG signing of a package like
> cups is certainly doing no harm. Did you already install the cups and
> httpd test packages from Fedora Legacy on your FC1 system? Your RPM is
> working as long as you don't try to install the testing packages?

No, it doesn't work, and daily cron jobs are crashing as a result:

-----------------------------------------------------------------------------
/usr/bin/run-parts: line 36: 6339 Killed $i 2>&1
6340 | awk -v "progname=$i" 'progname {
print progname ":\n"
progname="";
}
{ print; }'
/usr/bin/run-parts: line 36: 19569 Hangup $i 2>&1
19570 | awk -v "progname=$i" 'progname {
print progname ":\n"
progname="";
}
{ print; }
-----------------------------------------------------------------------------

What happens is that when I run rpm -Fvh, it says that it can't find a V3
DSA signature for cups. Then it says "Preparing"...and then it hangs.
Erasing the database, as you suggested, didn't help; when I rebuilt it, or
tried to rebuild it, it hung. My system otherwise works fine.

What I did to cause this mess:

1. I put the httpd and cups RPMs in a temporary directory. I did an
"rpm -Fvh". They installed fine. httpd and cups work great. Then, I edited
my yum.conf to grab them when I type "yum update". When I did that, it
hung looking for updates. Yum or rpm haven't worked since.

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From sebenste at weather.admin.niu.edu Wed Oct 6 16:23:23 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Wed, 6 Oct 2004 11:23:23 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1096993320.9063.446.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
Message-ID: 

On Tue, 5 Oct 2004, Alexander Dalloz wrote:

> > Gilbert Sebenste
>
> You can run the rebuilddb with "-v" or multiple v's like "-vv" to
> increase verbosity and see what is going on.
>
> Alexander

Guess what I just did.

I just rebooted the machine.

It fixed the problem.

I don't understand, but I am happy now. :-)

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
Staff Meteorologist, Northern Illinois University                      ****
E-mail: sebenste at weather.admin.niu.edu                                  ***
web: http://weather.admin.niu.edu                                      **
Work phone: 815-753-5492                                                *
*******************************************************************************

From alexander.dalloz at uni-bielefeld.de Wed Oct 6 16:36:29 2004
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz)
Date: Wed, 06 Oct 2004 18:36:29 +0200
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: 
References: <1096991011.9063.439.camel@serendipity.dogma.lan>
 <1096992528.9063.443.camel@serendipity.dogma.lan>
 <1096993320.9063.446.camel@serendipity.dogma.lan>
Message-ID: <1097080589.9063.592.camel@serendipity.dogma.lan>

On Wed, 06.10.2004 at 18:23, Gilbert Sebenste wrote:

> Guess what I just did.
>
> I just rebooted the machine.
>
> It fixed the problem.
>
> I don't understand, but I am happy now. :-)

Glad to hear that - though I do not understand that either. Because the
init script does nothing else than what you already did manually:

rm -f /var/lib/rpm/__db* [ in /etc/rc.sysinit line 657 ]

You then manually did the "rpm --rebuilddb" even.

> Gilbert Sebenste

What I conclude from one of your last postings is, that the new Apache2
package does not involve any trouble. I am longing for an update fixing
the numerous CVE CAN registered bugs.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 18:30:01 up 6 days, 20:56, load average: 2.08, 2.01, 2.04

From euckew at sierraelectronics.com Wed Oct 6 18:23:31 2004
From: euckew at sierraelectronics.com (Eucke Warren)
Date: Wed, 6 Oct 2004 11:23:31 -0700
Subject: Upgrading RH9 Kernel and Promise SATA Raid
Message-ID: <000c01c4abd1$95d67170$3f01a8c0@Eucke>

Hello all,

I have googled and am working with Promise Tech Support...but their
reply...thus far has not been very..."promising"... I am, by the way,
fighting with a Promise S150 SX4 SATA RAID controller Card and 2 drives in
RAID1.

I am running a stock RH9 kernel presently 2.4.20-8 and am trying to
upgrade to 2.4.20-31.9...however, when I try to rpm -ivh the new kernel
package I get the following error message:

No module FastTrak found for kernal 2.4.20-31.9
mkinitdrd failed
error: %post (kernel - 2.4.20-31.9) scriptlet failed, exit status 1

I have tried scouring the /boot directory to see if there is a script I
could alter to point at the same driver that the stock 2.4.20-8 kernel uses
but no good. I have tried manually invoking the /sbin/mkinitdrd script
with -v and -r switches to see if I could force it to prompt me for the
missing drivers....no good.....I manually added the new Kernel to the
grub.conf and it, of course, fails for the missing img file...or at least
an unusable one. I feel like I am nibbling all around this without hitting
something meaty enough to let me see the direction I need to go.

Here is what I suspect...I suspect that I may need to recompile a custom
31.9 kernel with the Fastrak controller....never done that
before...so...anyone experience this pain? What path did you take? Any
good walkthroughs that I have not stumbled into yet?

This machine is not on the public network....yet...but is fully updated
presently via apt-get...aside from the kernel...

Your wisdom and guidance, as always, is greatly appreciated.

Eucke

From simon at nzservers.com Wed Oct 6 18:32:37 2004
From: simon at nzservers.com (Simon Weller)
Date: Wed, 6 Oct 2004 13:32:37 -0500
Subject: Upgrading RH9 Kernel and Promise SATA Raid
In-Reply-To: <000c01c4abd1$95d67170$3f01a8c0@Eucke>
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke>
Message-ID: <200410061332.38020.simon@nzservers.com>

On Wednesday 06 October 2004 01:23 pm, Eucke Warren wrote:

Hi Eucke,

You're probably not going to like my suggestion, but I'll put it forward
anyway:

http://www.3ware.com/products/serial_ata.asp

3ware controllers work out of the box and I've never had any problems with
them.
The Promise and Highpoint controllers often use software based RAID techniques
in the drivers themselves, hence why they refuse to open source them.

The 3ware cards are full hardware RAID. I can just see someone is going to
correct me here and tell me I'm wrong ;-)

I've lost at least 3 arrays using highpoint based controllers after the new
drivers they released decided to bliz my data...very frustrating. The 3ware
controllers have been my choice since and I have yet (touch wood) to have any
issues with them at all...they just work.

- Si

> Hello all,
>
> I have googled and am working with Promise Tech Support...but their
> reply...thus far has not been very..."promising"... I am, by the way,
> fighting with a Promise S150 SX4 SATA RAID controller Card and 2 drives in
> RAID1.
>
> I am running a stock RH9 kernel presently 2.4.20-8 and am trying to
> upgrade to 2.4.20-31.9...however, when I try to rpm -ivh the new kernel
> package I get the following error message:
>
> No module FastTrak found for kernal 2.4.20-31.9
> mkinitdrd failed
> error: %post (kernel - 2.4.20-31.9) scriptlet failed, exit status 1
>
> I have tried scouring the /boot directory to see if there is a script I
> could alter to point at the same driver that the stock 2.4.20-8 kernel uses
> but no good. I have tried manually invoking the /sbin/mkinitdrd script
> with -v and -r switches to see if I could force it to prompt me for the
> missing drivers....no good.....I manually added the new Kernel to the
> grub.conf and it, of course, fails for the missing img file...or at least
> an unusable one. I feel like I am nibbling all around this without hitting
> something meaty enough to let me see the direction I need to go.
>
> Here is what I suspect...I suspect that I may need to recompile a custom
> 31.9 kernel with the Fastrak controller....never done that
> before...so...anyone experience this pain? What path did you take? Any
> good walkthroughs that I have not stumbled into yet?
>
> This machine is not on the public network....yet...but is fully updated
> presently via apt-get...aside from the kernel...
>
> Your wisdom and guidance, as always, is greatly appreciated.
>
> Eucke

-- 
Simon Weller LPIC-2
Systems Engineer
NZServers LTD
http://www.nzservers.com/
U.S. Branch

<- To mess up a Linux box, you need to work at it; to mess up
your Windows box, you just need to work on it.
- Scott Granneman, Security Focus ->

From euckew at sierraelectronics.com Wed Oct 6 19:37:49 2004
From: euckew at sierraelectronics.com (Eucke Warren)
Date: Wed, 6 Oct 2004 12:37:49 -0700
Subject: Upgrading RH9 Kernel and Promise SATA Raid
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke>
 <200410061332.38020.simon@nzservers.com>
Message-ID: <001601c4abdb$f684eab0$3f01a8c0@Eucke>

----- Original Message -----
From: "Simon Weller"
To: "Discussion of the Fedora Legacy Project"
Sent: Wednesday, October 06, 2004 11:32 AM
Subject: Re: Upgrading RH9 Kernel and Promise SATA Raid

> On Wednesday 06 October 2004 01:23 pm, Eucke Warren wrote:
>
> Hi Eucke,
>
> You're probably not going to like my suggestion, but I'll put it forward
> anyway:
>
> http://www.3ware.com/products/serial_ata.asp
>
> 3ware controllers work out of the box and I've never had any problems with
> them.
> The Promise and Highpoint controllers often use software based RAID techniques
> in the drivers themselves, hence why they refuse to open source them.
>
> The 3ware cards are full hardware RAID. I can just see someone is going to
> correct me here and tell me I'm wrong ;-)
>
>
> I've lost at least 3 arrays using highpoint based controllers after the new
> drivers they released decided to bliz my data...very frustrating. The 3ware
> controllers have been my choice since and I have yet (touch wood) to have any
> issues with them at all...they just work.
>
>
> - Si
>

Hello Simon,

That makes sense actually. Not to distrust 3ware specifically but I tend
to be leery of any mfr who only has two distributors with whom they
work...how can I best determine if anyone else is doing true hardware RAID
in SATA? Like ADAPTEC or Mylex or anyone else?

-Eucke

From simon at nzservers.com Wed Oct 6 19:53:12 2004
From: simon at nzservers.com (Simon Weller)
Date: Wed, 6 Oct 2004 14:53:12 -0500
Subject: Upgrading RH9 Kernel and Promise SATA Raid
In-Reply-To: <001601c4abdb$f684eab0$3f01a8c0@Eucke>
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke> <200410061332.38020.simon@nzservers.com> <001601c4abdb$f684eab0$3f01a8c0@Eucke>
Message-ID: <200410061453.12802.simon@nzservers.com>

On Wednesday 06 October 2004 02:37 pm, Eucke Warren wrote:
>
> Hello Simon,
>
> That makes sense actually. Not to distrust 3ware specifically but I tend
> to be leery of any mfr who only has two distributors with whom they
> work...how can I best determine if anyone else is doing true hardware RAID
> in SATA? Like ADAPTEC or Mylex or anyone else?
>
> -Eucke
>

Adaptec do some nice controllers, but stay away from the cheaper ones, as they
often use third party chipsets from the likes of Promise.
I don't have a lot of experience with Mylex cards, although from memory some
of them use Symbios based chipsets, and I haven't had a good run with them
either.

Those two distributors you mentioned in regards to 3ware are master channel
distributors. You will find 3ware products available through most general
distributors as they buy their product from their upstream.

regards,

Simon

--
Simon Weller LPIC-2
Systems Engineer
NZServers LTD
http://www.nzservers.com/
U.S. Branch

<- To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. - Scott Granneman, Security Focus ->

From ckelley at ibnads.com Wed Oct 6 20:00:05 2004
From: ckelley at ibnads.com (Craig Kelley)
Date: Wed, 06 Oct 2004 14:00:05 -0600
Subject: Upgrading RH9 Kernel and Promise SATA Raid
In-Reply-To: <200410061453.12802.simon@nzservers.com>
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke> <200410061332.38020.simon@nzservers.com> <001601c4abdb$f684eab0$3f01a8c0@Eucke> <200410061453.12802.simon@nzservers.com>
Message-ID: <41644EC5.3010805@ibnads.com>

Simon Weller wrote:

>Adaptec do some nice controllers, but stay away from the cheaper ones, as they
>often use third party chipsets from the likes of Promise.
>I don't have a lot of experience with Mylex cards, although from memory some
>of them use Symbios based chipsets, and I haven't had a good run with them
>either.
>
>Those two distributors you mentioned in regards to 3ware are master channel
>distributors. You will find 3ware products available through most general
>distributors as they buy their product from their upstream.
>
>

Adaptec's aacraid controllers are horrible with kernel/bios matching.
We currently have 30-some-odd Dell Poweredge 2650's with Perc3/Di
controllers. You can only run BIOS XXX with kernel YYY from Redhat 7.3
and such (hence fedora-legacy -- ;-). We hate them, and are planning on
using LSI (megaraid series) from here on out.

As for IDE; we've used 3ware twice, and have been impressed.

--
Craig Kelley
In-Store Broadcasting Network

From simon at nzservers.com Wed Oct 6 20:10:34 2004
From: simon at nzservers.com (Simon Weller)
Date: Wed, 6 Oct 2004 15:10:34 -0500
Subject: Upgrading RH9 Kernel and Promise SATA Raid
In-Reply-To: <41644EC5.3010805@ibnads.com>
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke> <200410061453.12802.simon@nzservers.com> <41644EC5.3010805@ibnads.com>
Message-ID: <200410061510.35001.simon@nzservers.com>

On Wednesday 06 October 2004 03:00 pm, Craig Kelley wrote:
> Simon Weller wrote:
> >Adaptec do some nice controllers, but stay away from the cheaper ones, as
> > they often use third party chipsets from the likes of Promise.
> >I don't have a lot of experience with Mylex cards, although from memory
> > some of them use Symbios based chipsets, and I haven't had a good run
> > with them either.
> >
> >Those two distributors you mentioned in regards to 3ware are master
> > channel distributors. You will find 3ware products available through most
> > general distributors as they buy their product from their upstream.
>
> Adaptec's aacraid controllers are horrible with kernel/bios matching.
> We currently have 30-some-odd Dell Poweredge 2650's with Perc3/Di
> controllers. You can only run BIOS XXX with kernel YYY from Redhat 7.3
> and such (hence fedora-legacy -- ;-). We hate them, and are planning on
> using LSI (megaraid series) from here on out.
>

LSI gear looks pretty nice, haven't had the chance to play with it much yet though.

- Si

> As for IDE; we've used 3ware twice, and have been impressed.

--
Simon Weller LPIC-2
Systems Engineer
NZServers LTD
http://www.nzservers.com/
U.S. Branch

<- To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. - Scott Granneman, Security Focus ->

From sebenste at weather.admin.niu.edu Wed Oct 6 20:52:06 2004
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Wed, 6 Oct 2004 15:52:06 -0500 (CDT)
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <1097080589.9063.592.camel@serendipity.dogma.lan>
References: <1096991011.9063.439.camel@serendipity.dogma.lan> <1096992528.9063.443.camel@serendipity.dogma.lan> <1096993320.9063.446.camel@serendipity.dogma.lan> <1097080589.9063.592.camel@serendipity.dogma.lan>
Message-ID:

On Wed, 06.10.2004 at 21:50, Cool Alexander Dalloz wrote:

> > Guess what I just did.
> >
> > I just rebooted the machine.
> >
> > It fixed the problem.
> >
> > I don't understand, but I am happy now. :-)
>
> Glad to hear that - though I do not understand that either. Because the
> init script does nothing else than what you already did manually:
>
> rm -f /var/lib/rpm/__db* [ in /etc/rc.sysinit line 657 ]
> You then manually did the "rpm --rebuilddb" even.

You know what? This happened to me about 3 years ago under Redhat 8 or 9,
I can't remember now, and...I had to do the same thing.

> What I conclude from one of your last postings is, that the new Apache2
> package does not involve any trouble.

That is correct.

> I am longing for an update fixing the numerous CVE CAN registered bugs.

I think you have it for FC-1. That is in updates-testing.

*******************************************************************************
Gilbert Sebenste                                                       ********
(My opinions only!)                                                      ******
Staff Meteorologist, Northern Illinois University                          ****
E-mail: sebenste at weather.admin.niu.edu                                   ***
web: http://weather.admin.niu.edu                                            **
Work phone: 815-753-5492                                                      *
*******************************************************************************

From diyan at mitra.net.id Thu Oct 7 06:52:43 2004
From: diyan at mitra.net.id (Diyan Christian)
Date: Thu, 7 Oct 2004 13:52:43 +0700
Subject: Upgrading RH9 Kernel and Promise SATA Raid
In-Reply-To: <000c01c4abd1$95d67170$3f01a8c0@Eucke>
References: <000c01c4abd1$95d67170$3f01a8c0@Eucke>
Message-ID: <20041007065243.GD8711@nitrous.mitra.net.id>

> I have googled and am working with Promise Tech Support...but their reply...thus far has not been very..."promising"... I am, by the way, fighting with a Promise S150 SX4 SATA RAID controller Card and 2 drives in RAID1.
>
> I am running a stock RH9 kernel presently 2.4.20-8 and am trying to upgrade to 2.4.20-31.9...however, when I try to rpm -ivh the new kernel package I get the following error message:
>
> No module FastTrak found for kernal 2.4.20-31.9
> mkinitdrd failed
> error: %post (kernel - 2.4.20-31.9) scriptlet failed, exit status 1

Hi,

this URL might help,

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Linux-Promise-RAID1-HOWTO.html
http://www.promise.com/support/download/download2_eng.asp?productId=112&category=All&os=3

esp, with the troubleshooting section.

From cra at WPI.EDU Thu Oct 7 14:23:55 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Thu, 7 Oct 2004 10:23:55 -0400
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To:
References: <1096991011.9063.439.camel@serendipity.dogma.lan> <1096992528.9063.443.camel@serendipity.dogma.lan> <1096993320.9063.446.camel@serendipity.dogma.lan> <1097080589.9063.592.camel@serendipity.dogma.lan>
Message-ID: <20041007142355.GT17571@angus.ind.WPI.EDU>

On Wed, Oct 06, 2004 at 03:52:06PM -0500, Gilbert Sebenste wrote:
> On Wed, 06.10.2004 at 21:50, Cool Alexander Dalloz wrote:
> > rm -f /var/lib/rpm/__db* [ in /etc/rc.sysinit line 657 ]
> > You then manually did the "rpm --rebuilddb" even.
>
> You know what? This happened to me about 3 years ago under Redhat 8 or 9,
> I can't remember now, and...I had to do the same thing.

The author of RPM released a fixed rpm at rpm.org that works great on RH9. RH9 comes with a very old rpm-4.2-0.69. The new one is rpm-4.2-1 and contains many many bugfixes over the one in RH9, including fixes for the hang issue. For some reason unknown to many (including the author, Jeff Johnson) Red Hat management did not accept it as an errata update for RH9. However, I install it on every RH9 machine I have, because it always fixes the hang issue for me, and it has never introduced any new issues.

It would be nice if Fedora Legacy would release this package as an
official, long-overdue update to RH9. We could just add our signature to the binary distributed here:

ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.2.x/

If people don't trust the author JBJ, then I don't know who we should trust.

From fedora-list at fumika.jp Thu Oct 7 16:25:04 2004
From: fedora-list at fumika.jp (TSUDA, Fumika)
Date: Fri, 08 Oct 2004 01:25:04 +0900
Subject: Self-Introduction: TSUDA, Fumika
Message-ID: <41656DE0.9040402@fumika.jp>

1. Full legal name
TSUCHIDA, Fumitaka (Real name)
TSUDA, Fumika (Nickname)

2. Location (Country, City, etc)
Country: Japan
City: Toyama prefecture

3. Profession or Student status
Security, Network, Systems Administrator / Programmer

4. Company or School
Toyama Hospital

5. Your goals in the Fedora Legacy Project
* Which OS versions are you interested in?
RH9
* Do you want to do QA for packages?
Yes

6. Historical qualifications
* What other projects have you worked on in the past?
Few minor projects in Japan.
* What computer languages and other skills do you know?
Delphi, Java, Perl, PHP
* Why should we trust you?
It's a difficult question. I published RPMs built by me in my website.
(http://rpm.fumika.jp/ -- It's only Japanese.)

7. GPG KEYID and fingerprint
pub 1024D/0855A95A 2004-01-07 TSUDA Fumika (fumika.jp)
Key fingerprint = 6377 1759 225A 6115 06FF E249 B996 1BE4 0855 A95A
sub 1024g/316ABDC3 2004-01-07

TSUDA, Fumika

From marcdeslauriers at videotron.ca Mon Oct 4 12:00:34 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 04 Oct 2004 08:00:34 -0400
Subject: [FLSA-2004:1324] Updated libxml2 resolves security vulnerability
Message-ID: <1096891234.5437.2.camel@mdlinux>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated libxml2 resolves security vulnerability
Advisory ID: FLSA:1324
Issue date: 2004-10-04
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1324
CVE Names: CAN-2004-0110
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

[Updated 4th October 2004]
The packages contained in the original release of this advisory were missing python 2.2 support. These updated packages restore the missing functionality.

Updated libxml2 packages that fix an overflow when parsing remote resources are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue.

All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.

Fedora Legacy would like to thank Johnny Strom for reporting this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1324 - libxml2: an overflow when parsing remote resources.

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/libxml2-2.4.19-6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-2.4.19-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-python-2.4.19-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libxml2-devel-2.4.19-6.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
41e9e0daaf643f9d3ec96cbba7b050a397d1907e 7.3/updates/i386/libxml2-2.4.19-6.legacy.i386.rpm
130e6e03b76891959e58a3ddd56bc99777d76981 7.3/updates/i386/libxml2-devel-2.4.19-6.legacy.i386.rpm
42087ae0d2e5ee16c4ecf32478991d96ce0500cb 7.3/updates/i386/libxml2-python-2.4.19-6.legacy.i386.rpm
8a1d844bfb9494c00bd4a6dd2d95a0829daf9f42 7.3/updates/SRPMS/libxml2-2.4.19-6.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110
https://www.redhat.com/archives/redhat-watch-list/2004-February/msg00007.html
http://mail.gnome.org/archives/xml/2004-February/msg00070.html

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From dom at earth.li Thu Oct 7 17:12:44 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Thu, 7 Oct 2004 18:12:44 +0100
Subject: [FLSA-2004:1735] Updated cvs packages fix security vulnerabilities
Message-ID: <20041007171242.GA6277@home.thedom.org>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated cvs resolves security vulnerabilities
Advisory ID: FLSA:1735
Issue date: 2004-10-07
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1735
CVE Names: CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2004-0778
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated cvs packages that fix security vulnerabilities are now available.

CVS is a version control system frequently used to manage source code repositories.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed "Entry" lines which lead to a missing NULL terminator. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue.

Stefan Esser and Sebastian Krahmer conducted an audit of CVS and fixed a number of issues that may have had security consequences.

Among the issues deemed likely to be exploitable were:

- a double-free relating to the error_prog_name string (CAN-2004-0416)
- an argument integer overflow (CAN-2004-0417)
- out-of-bounds writes in serv_notify (CAN-2004-0418).

An attacker who has access to a CVS server may be able to execute arbitrary code under the UID on which the CVS server is executing.

Users of CVS are advised to upgrade to this updated package, which contains backported patches correcting these issues.

4.
Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs/ for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1735 - cvs package fixes security issues CAN-2004-0414,0416,0417,0418

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cvs-1.11.1p1-16.legacy.2.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cvs-1.11.1p1-16.legacy.2.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cvs-1.11.2-24.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cvs-1.11.2-24.legacy.i386.rpm

7.
Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
d309756c60dcf33235581f2174db39fe103bac27 7.3/updates/SRPMS/cvs-1.11.1p1-16.legacy.2.src.rpm
9620756fc080096881f062b6272306a1ba57fb40 7.3/updates/i386/cvs-1.11.1p1-16.legacy.2.i386.rpm
ffa2ea4c2689dbbd304364a14517a0e9f1747be2 9/updates/SRPMS/cvs-1.11.2-24.legacy.src.rpm
9f3eac397a31464cc39bad75877e6f5a11c7c31d 9/updates/i386/cvs-1.11.2-24.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

https://rhn.redhat.com/errata/RHSA-2004-233.html
https://ccvs.cvshome.org/source/browse/ccvs/src/history.c?r1=1.73&r2=1.74

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From dom at earth.li Thu Oct 7 17:42:15 2004
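The checksum step from the "Verification" sections of the FLSA advisories above, as an added example that is not part of the original messages or of Fedora Legacy's tooling: it pulls the "SHA1 sum / Package Name" table out of an advisory body (line-per-package or flattened) and compares it with the files in a download directory. The function names and the sample files are constructed for illustration; as the advisories say, this only checks for corruption or tampering against the listed sums, and `rpm --checksig` remains the signature check.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One table entry: 40 hex digits, whitespace, then a path ending in .rpm.
ENTRY_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{40})\s+(\S+\.rpm)(?!\S)")


def parse_manifest(advisory_text):
    """Return {package file name: expected sha1} from an advisory body."""
    expected = {}
    for digest, path in ENTRY_RE.findall(advisory_text):
        name = path.rsplit("/", 1)[-1]
        digest = digest.lower()
        # The same file name listed with two different sums is a red flag.
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting checksums for {name}")
        expected[name] = digest
    return expected


def sha1_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text, download_dir):
    """Return {name: "OK" | "MISMATCH" | "MISSING" | "UNLISTED"}."""
    expected = parse_manifest(advisory_text)
    download_dir = Path(download_dir)
    results = {}
    for name, digest in expected.items():
        candidate = download_dir / name
        if not candidate.is_file():
            results[name] = "MISSING"
        elif sha1_of(candidate) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    # The advisory allows "rpm -Fvh *.rpm" only if the directory holds just
    # the desired RPMs, so flag any package the table does not mention.
    for extra in sorted(download_dir.glob("*.rpm")):
        results.setdefault(extra.name, "UNLISTED")
    return results


def demo():
    """Run the check against constructed files (not real packages)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good = tmp / "example-1.0-1.legacy.i386.rpm"
        bad = tmp / "example-devel-1.0-1.legacy.i386.rpm"
        stray = tmp / "unrelated-2.0-1.i386.rpm"
        good.write_bytes(b"constructed package body A")
        bad.write_bytes(b"constructed package body B")
        stray.write_bytes(b"constructed package body C")
        # Constructed advisory text in the flattened, one-line form.
        advisory = (
            "7. Verification: SHA1 sum Package Name "
            "------------------------------ "
            f"{sha1_of(good)} 7.3/updates/i386/{good.name} "
            f"{sha1_of(bad)} 7.3/updates/i386/{bad.name} "
            f"{'0' * 40} 7.3/updates/SRPMS/example-1.0-1.legacy.src.rpm "
            "These packages are GPG signed by Fedora Legacy for security."
        )
        # Change one file after its sum was recorded.
        bad.write_bytes(b"modified after the advisory was issued")
        return verify_downloads(advisory, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Anything other than "OK" for every listed package is a reason to stop before running `rpm -Fvh`.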
From: dom at earth.li (Dominic Hargreaves)
Date: Thu, 7 Oct 2004 18:42:15 +0100
Subject: Fedora Legacy Test Update Notification: samba
Message-ID: <20041007174215.GA6395@home.thedom.org>

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-2102
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2102
2004-10-07
---------------------------------------------------------------------

Name : samba
Version (7.3) : 2.2.12-0.73.2.legacy
Version (9) : 2.2.12-0.90.1.legacy
Summary : The Samba SMB server.
Description :
Samba is the protocol by which a lot of PC-related machines share files, printers, and other information (such as lists of available files and printers). The Windows NT, OS/2, and Linux operating systems support this natively, and add-on packages can enable the same thing for DOS, Windows, VMS, UNIX of all kinds, MVS, and more. This package provides an SMB server that can be used to provide network services to SMB (sometimes called "Lan Manager") clients. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.

---------------------------------------------------------------------
Update Information:

Karol Wiesek discovered an input validation issue in Samba prior to 3.0.6. An authenticated user could send a carefully crafted request to the Samba server, which would allow access to files outside of the configured file share. Note: Such files would have to be readable by the account used for the connection. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0815 to this issue.

Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.12, which is not vulnerable to this issue.
---------------------------------------------------------------------
7.3 changelog:

* Thu Oct 07 2004 Dominic Hargreaves 2.2.12-0.73.2.legacy
- Add BuildRequires: libtool

* Mon Oct 04 2004 Craig Kelley 2.2.12-0.73.1.legacy
- Updated to samba-2.2.12 to fix CAN-2004-0815

* Tue Sep 14 2004 Craig Kelley 2.2.11-0.73.0.legacy
- Updated to samba-2.2.11 to fix the PrintChangeNotify bug (samba bug #1520)

* Thu Aug 05 2004 Marc Deslauriers 2.2.10-0.73.1.legacy
- Rebuilt as Fedora Legacy update.

* Wed Jul 21 2004 Jay Fenlason 2.2.9-1.21as.1
- Upgrade to 2.2.10 to fix CAN-2004-0686

9 changelog:

* Thu Oct 07 2004 Dominic Hargreaves 2.2.12-0.90.1.legacy
- Add BuildRequires: libtool

* Mon Oct 04 2004 Marc Deslauriers 2.2.12-0.90.0.legacy
- Updated to samba-2.2.12 to fix CAN-2004-0815

* Tue Sep 14 2004 Marc Deslauriers 2.2.11-0.90.0.legacy
- Updated to samba-2.2.11 to fix the PrintChangeNotify bug (samba bug #1520)

* Thu Aug 05 2004 Marc Deslauriers 2.2.10-0.90.1.legacy
- Upgrade to 2.2.10 to fix CAN-2004-0686
- Include an explicit epoch on all requires lines.
- chmod +x the configure in examples/VFS since it seems to have lost its execute permissions somewhere.
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

664447fbbf1371174b601099d18102023537ecbf 7.3/updates-testing/SRPMS/samba-2.2.12-0.73.2.legacy.src.rpm
ab34e621cdaa5ad567276244eb2ed2234c418890 7.3/updates-testing/i386/samba-2.2.12-0.73.2.legacy.i386.rpm
aaae87969ae3287e432503cee8fbcb83525d020e 7.3/updates-testing/i386/samba-client-2.2.12-0.73.2.legacy.i386.rpm
728d7f6d68dc837fd874ac870e5d2241e2514a6d 7.3/updates-testing/i386/samba-common-2.2.12-0.73.2.legacy.i386.rpm
3cb01bb47a5fa55151637050f01769898b7dc89c 7.3/updates-testing/i386/samba-swat-2.2.12-0.73.2.legacy.i386.rpm
2968358eb51a4342b520f5494a4013643ba73e1b 9/updates-testing/SRPMS/samba-2.2.12-0.90.1.legacy.src.rpm
dcafbbcb96a0848e8b4017bdf1745c275681db35 9/updates-testing/i386/samba-2.2.12-0.90.1.legacy.i386.rpm
e7fe4b9425d535768fc17464f7879dd1f048a8b2 9/updates-testing/i386/samba-client-2.2.12-0.90.1.legacy.i386.rpm
f590e48b6a9ad6841f7ea96070d08c8151ae12d7 9/updates-testing/i386/samba-common-2.2.12-0.90.1.legacy.i386.rpm
75fbf38b5381ee7cf9b91c5723aa8d66f8e92fbc 9/updates-testing/i386/samba-swat-2.2.12-0.90.1.legacy.i386.rpm

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.

---------------------------------------------------------------------

From fedora-list at fumika.jp Thu Oct 7 23:03:27 2004
From: fedora-list at fumika.jp (TSUDA, Fumika)
Date: Fri, 08 Oct 2004 08:03:27 +0900
Subject: Yum and RPM's hang after install of Apache and cups on FC 1
In-Reply-To: <20041007142355.GT17571@angus.ind.WPI.EDU>
References: <1096991011.9063.439.camel@serendipity.dogma.lan> <1096992528.9063.443.camel@serendipity.dogma.lan> <1096993320.9063.446.camel@serendipity.dogma.lan> <1097080589.9063.592.camel@serendipity.dogma.lan> <20041007142355.GT17571@angus.ind.WPI.EDU>
Message-ID: <4165CB3F.4050204@fumika.jp>

Charles R. Anderson wrote:

Thanks for your useful information.
Rpm command hung many times on my RH9 system until now.

> ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.2.x/

I installed them, and tested several times. No problem happened.

> It would be nice if Fedora Legacy would release this package as an
> official, long-overdue update to RH9.

It's a nice idea.

TSUDA, Fumika

From marcdeslauriers at videotron.ca Fri Oct 8 00:34:14 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 07 Oct 2004 20:34:14 -0400
Subject: Fedora Legacy Test Update Notification: foomatic
Message-ID: <1097195654.4208.0.camel@mdlinux>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-2076
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2076
2004-10-07
---------------------------------------------------------------------

Name : foomatic
Versions : fc1: 3.0.0-21.5.legacy
Summary : Foomatic printer database.
Description :
Foomatic is a comprehensive, spooler-independent database of printers, printer drivers, and driver descriptions. It contains utilities to generate driver description files and printer queues for CUPS, LPD, LPRng, and PDQ using the database. There is also the possibility to read the PJL options out of PJL-capable laser printers and take them into account at the driver description file generation.

There are spooler-independent command line interfaces to manipulate queues (foomatic-configure) and to print files/manipulate jobs (foomatic printjob).

The site http://www.linuxprinting.org/ is based on this database.

---------------------------------------------------------------------
Update Information:

Sebastian Krahmer reported a bug in the cupsomatic and foomatic-rip print filters, used by the CUPS print spooler. An attacker who has printing access could send a carefully named file to the print server causing arbitrary commands to be executed as root. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0801 to this issue.

---------------------------------------------------------------------
fc1 changelog:

* Thu Oct 07 2004 Marc Deslauriers 3.0.0-21.5.legacy
- Added missing BuildRequires: a2ps, enscript, mpage, cups, automake, autoconf, ghostscript

* Wed Sep 22 2004 Rob Myers 3.0.0-21.4.legacy
- Fix security issue (CAN-2004-0801, bug #130951).
Patch from Till Kamppeter.

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

8a425a8debf0be9be2dbbc0f028ed1eb8350e833 fedora/1/updates-testing/i386/foomatic-3.0.0-21.5.legacy.i386.rpm
a684fc034e1cde9ee35185f5db9e3da4446104b3 fedora/1/updates-testing/SRPMS/foomatic-3.0.0-21.5.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Fri Oct 8 00:38:42 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 07 Oct 2004 20:38:42 -0400
Subject: [FLSA-2004:1868] Updated php packages fix security issues
Message-ID: <1097195922.4208.3.camel@mdlinux>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated php packages fix security issues
Advisory ID: FLSA:1868
Issue date: 2004-10-07
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1868
CVE Names: CAN-2004-0594 CAN-2004-0595
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Stefan Esser discovered a flaw when memory_limit is enabled in versions of PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to this issue.

This issue has a higher risk when PHP is running on an instance of Apache which is vulnerable to CAN-2004-0493. It may also be possible to exploit this issue if using a non-default PHP configuration with the "register_defaults" setting changed to "On".

Stefan Esser discovered a flaw in the strip_tags function in versions of PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent Cross-Site-Scripting attacks by removing HTML tags from user-supplied form data.
By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue.

All users of PHP are advised to upgrade to these updated packages, which contain backported patches that address these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1868 - CAN-2004-0594, 0595 - PHP multiple vulnerabilities

6.
RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.10.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.10.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.10.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.7.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.7.legacy.i386.rpm 7. 
Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

From dom at earth.li Fri Oct 8 08:58:46 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 8 Oct 2004 09:58:46 +0100
Subject: Fedora Legacy Test Update Notification: mozilla
Message-ID: <20041008085843.GA13517@home.thedom.org>

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-2089
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2089
2004-10-08
---------------------------------------------------------------------

Name          : mozilla
Version (7.3) : 1.4.3-0.7.1.legacy
Version (9)   : 1.4.3-0.9.1.legacy
Version (fc1) : 1.4.3-1.fc1.1.legacy
Summary       : A Web browser.
Description   :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

---------------------------------------------------------------------
Update Information:

NISCC testing of implementations of the S/MIME protocol uncovered a
number of bugs in NSS versions prior to 3.9. The parsing of unexpected
ASN.1 constructs within S/MIME data could cause Mozilla to crash or
consume large amounts of memory. A remote attacker could potentially
trigger these bugs by sending a carefully-crafted S/MIME message to a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0564 to this issue.

Andreas Sandblad discovered a cross-site scripting issue that affects
various versions of Mozilla. When linking to a new page it is still
possible to interact with the old page before the new page has been
successfully loaded. Any Javascript events will be invoked in the
context of the new page, making cross-site scripting possible if the
different pages belong to different domains. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0191 to this issue.

Flaws have been found in the cookie path handling between a number of
Web browsers and servers. The HTTP cookie standard allows a Web server
supplying a cookie to a client to specify a subset of URLs on the origin
server to which the cookie applies. Web servers such as Apache do not
filter returned cookies and assume that the client will only send back
cookies for requests that fall within the server-supplied subset of
URLs. However, by supplying URLs that use path traversal (/../) and
character encoding, it is possible to fool many browsers into sending a
cookie to a path outside of the originally-specified subset. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2003-0594 to this issue.

Zen Parse reported improper input validation to the SOAPParameter object
constructor leading to an integer overflow and controllable heap
corruption. Malicious JavaScript could be written to utilize this flaw
and could allow arbitrary code execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to
this issue.

During a source code audit, Chris Evans discovered a buffer overflow and
integer overflows which affect the libpng code inside Mozilla. An
attacker could create a carefully crafted PNG file in such a way that it
would cause Mozilla to crash or execute arbitrary code when the image
was viewed. (CAN-2004-0597, CAN-2004-0599)

Zen Parse reported a flaw in the POP3 capability. A malicious POP3
server could send a carefully crafted response that would cause a heap
overflow and potentially allow execution of arbitrary code as the user
running Mozilla. (CAN-2004-0757)

Marcel Boesch found a flaw that allows a CA certificate to be imported
with a DN the same as that of the built-in CA root certificates, which
can cause a denial of service to SSL pages, as the malicious certificate
is treated as invalid. (CAN-2004-0758)

Met - Martin Hassman reported a flaw in Mozilla that could allow
malicious Javascript code to upload local files from a user's machine
without requiring confirmation. (CAN-2004-0759)

Mindlock Security reported a flaw in ftp URI handling. By using a NULL
character (%00) in a ftp URI, Mozilla can be confused into opening a
resource as a different MIME type. (CAN-2004-0760)

Mozilla does not properly prevent a frame in one domain from injecting
content into a frame that belongs to another domain, which facilitates
website spoofing and other attacks, also known as the frame injection
vulnerability. (CAN-2004-0718)

Tolga Tarhan reported a flaw that can allow a malicious webpage to use a
redirect sequence to spoof the security lock icon that makes a webpage
appear to be encrypted. (CAN-2004-0761)

Jesse Ruderman reported a security issue that affects a number of
browsers including Mozilla that could allow malicious websites to
install arbitrary extensions by using interactive events to manipulate
the XPInstall Security dialog box. (CAN-2004-0762)

Emmanouel Kellinis discovered a caching flaw in Mozilla which allows
malicious websites to spoof certificates of trusted websites via
redirects and Javascript that uses the "onunload" method.
(CAN-2004-0763)

Mozilla allowed malicious websites to hijack the user interface via the
"chrome" flag and XML User Interface Language (XUL) files.
(CAN-2004-0764)

The cert_TestHostName function in Mozilla only checks the hostname
portion of a certificate when the hostname portion of the URI is not a
fully qualified domain name (FQDN). This flaw could be used for spoofing
if an attacker had control of machines on a default DNS search path.
(CAN-2004-0765)

Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a
user is tricked into dragging a javascript link into another frame or
page, it becomes possible for an attacker to steal or modify sensitive
information from that site. Additionally, if a user is tricked into
dragging two links in sequence to another window (not frame), it is
possible for the attacker to execute arbitrary commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0905 to this issue.

Gael Delalleau discovered an integer overflow which affects the BMP
handling code inside Mozilla. An attacker could create a carefully
crafted BMP file in such a way that it would cause Mozilla to crash or
execute arbitrary code when the image is viewed. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0904 to this issue.

Georgi Guninski discovered a stack-based buffer overflow in the vCard
display routines. An attacker could create a carefully crafted vCard
file in such a way that it would cause Mozilla to crash or execute
arbitrary code when viewed. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0903 to this
issue.

Wladimir Palant discovered a flaw in the way javascript interacts with
the clipboard. It is possible that an attacker could use malicious
javascript code to steal sensitive data which has been copied into the
clipboard. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0908 to this issue.

Georgi Guninski discovered a heap based buffer overflow in the "Send
Page" feature. It is possible that an attacker could construct a link in
such a way that a user attempting to forward it could result in a crash
or arbitrary code execution. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0902 to this
issue.

---------------------------------------------------------------------
7.3 Changelog:

* Thu Sep 30 2004 Dominic Hargreaves 37:1.4.3-0.7.1.legacy
- Rebuild for Red Hat Linux 7.3

* Mon Sep 20 2004 Christpoher Aillon 37:1.4.3-2.1.3
- Backport security fixes from
  http://mozilla.org/projects/security/known-vulnerabilities.html

* Tue Aug 03 2004 Christopher Aillon 37:1.4.3-2.1.2
- Final 1.4.3 release

* Fri Jul 30 2004 Christopher Aillon 37:1.4.3-2.1.1.SNAP
- Add libpng fix

* Fri Jul 30 2004 Christopher Aillon 37:1.4.3-2.1.0.SNAP
- Update to a 1.4 snapshot for security fixes.

* Wed Mar 24 2004 Chris Blizzard 37:1.4.2-3.0.0.SNAP
- Update to a 1.4.2.
- Time for a new changelog.

9 Changelog:

* Sun Oct 03 2004 Marc Deslauriers 37:1.4.3-0.9.1.legacy
- Added backported security fixes from mozilla 1.7.3

* Tue Sep 21 2004 John Dalbec 37:1.4.3-0.9.0.legacy.2
- Added BuildRequires: compat-gcc for gcc296 program (%ifarch i386 only).
- Added BuildRequires: compat-gcc-c++ for g++296 program (%ifarch i386 only).
- Added BuildRequires: gtk+-devel.
- Added BuildRequires: ORBit-devel.
- Added %dir /usr/lib/mozilla to %files.
- Added /usr/include/mozilla-1.4.3 to %files devel.

* Mon Aug 30 2004 Marc Deslauriers 37:1.4.3-0.9.0.legacy
- Update to latest 1.4 branch for security fixes.

FC1 Changelog:

* Thu Sep 30 2004 Rob Myers 37:1.4.3-1.fc1.1.legacy
- rebuild FC1

* Mon Sep 20 2004 Christpoher Aillon 37:1.4.3-3.0.3
- Backport security fixes from
  http://mozilla.org/projects/security/known-vulnerabilities.html

* Fri Jul 30 2004 Christopher Aillon 37:1.4.3-3.0.1.SNAP
- Add libpng fix

* Fri Jul 30 2004 Christopher Aillon 37:1.4.3-3.0.0.SNAP
- Update to latest 1.4 branch for security fixes.

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

Please note that this update is also available via yum and apt through
the updates-testing channel. Many people find this an easier way to
apply updates.

---------------------------------------------------------------------

From b.pennacchi at istc.cnr.it Fri Oct 8 14:18:26 2004
From: b.pennacchi at istc.cnr.it (Barbara Pennacchi)
Date: Fri, 08 Oct 2004 16:18:26 +0200
Subject: Round-up, 2004-10-06
In-Reply-To: <20041006160028.3599274966@hormel.redhat.com>
References: <20041006160028.3599274966@hormel.redhat.com>
Message-ID: <20041008141826.GI2438@sibannac>

On 06.10.04 18:00, fedora-legacy-list-request at redhat.com wrote:

Hi dominic, sorry to chime in so late: got hold of my mailbox only now.

> Packages in state RESOLVED (ie exist in updates-testing) that need
> active work.
> ------------------------------------------------------------------
[...]
> XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1289
> Needs VERIFY before release (superseded).
[...]
> kernel - https://bugzilla.fedora.us/show_bug.cgi?id=1484
> Needs missing file rebuilt for verification - but preferentially put
> work into later kernel ticket
[...]
> kernel - https://bugzilla.fedora.us/show_bug.cgi?id=1804
> Needs 2 VERIFY

sorry dominic, but when you list multiple entries in this way it is a bit
hard to find the correct entries -- could you at least specify WHICH
kernel they refer to? (same goes for XFree86 below)

> XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1831
> Needs VERIFY for rh9 (superseded)

I had downloaded the rpm of XFree86-4.3.0-2.90.57.legacy and used it so
far without problems (even with GIMP) but, in reading the new bugreport,
I'm now a bit confused.

What should I do? cool off while waiting for the more expert testers to
come up with usable&testable rpms for RH9 or download the srpm and try to
build the whole shebang on my own (yikes ;) or should I go ahead with my
report on XFree86 rpms related to ver 4.3.0-2.90.57.legacy or what? :p

I don't know whether to feel happy or embarrassed for this renewed
feeling of newbieness :D

b.

--
+--------------------------------------------------------------------+
| WARNING WARNING WARNING *** EMAIL ADDRESS CHANGED!                 |
| USE EMAIL ADDRESS PROVIDED BELOW                                   |
| IF YOU KEEP WRITING TO THE OLD ADDRESS IT IS NOT MY FAULT!         |
+--------------------------------------------------------------------+
| Barbara Pennacchi b.pennacchi at istc.cnr.it                       |
| Consiglio Nazionale delle Ricerche                                 |
| Istituto di Scienze e Tecnologie della Cognizione                  |
| V.le Marx 15, 00137 Roma, Italia                                   |
| http://www.istc.cnr.it/                                            |
+--------------------------------------------------------------------+

From dom at earth.li Fri Oct 8 09:01:22 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 8 Oct 2004 10:01:22 +0100
Subject: [FLSA-2004:1257] Updated netpbm packages fix security vulnerabilities
Message-ID: <20041008090121.GB13517@home.thedom.org>

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated netpbm resolves security vulnerabilities
Advisory ID:       FLSA:1257
Issue date:        2004-10-08
Product:           Red Hat Linux
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1257
CVE Names:         CVE-2003-0924
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated netpbm packages that fix security vulnerabilities are now
available.

The netpbm package contains a library of functions that support programs
for handling various graphics file formats, including .pbm (portable
bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm
(portable pixmaps), and others.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

A number of temporary file bugs have been found in versions of NetPBM.
These could make it possible for a local user to overwrite or create
files as a different user who happens to run one of the vulnerable
utilities. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0924 to this issue.

Users are advised to upgrade to the erratum packages, which contain
patches from Debian that correct these bugs.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that
you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs/ for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1257 - CAN-2003-0924: Temp file vuln in
NetPBM

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/netpbm-9.24-9.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/netpbm-9.24-9.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/netpbm-devel-9.24-9.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/netpbm-progs-9.24-9.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/netpbm-9.24-10.90.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/netpbm-9.24-10.90.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/netpbm-devel-9.24-10.90.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/netpbm-progs-9.24-10.90.3.legacy.i386.rpm

7.
Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://www.kb.cert.org/vuls/id/487102
https://rhn.redhat.com/errata/RHSA-2004-031.html

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

From sebenste at weather.admin.niu.edu Fri Oct 8 15:08:16 2004
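
As an added example (not part of either advisory or of Fedora Legacy's own tooling), the script below automates the sha1sum check from the Verification sections of FLSA:1868 and FLSA:1257: it reads an advisory-style table of SHA1 sums and repository paths and compares each entry with the file of the same name in a download directory. The function names, package names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check downloaded packages against an advisory-style
# "SHA1 sum / Package Name" table before running rpm -Fvh on them.
# All package names and file contents below are constructed.

# verify_advisory_sums TABLE DIR
# TABLE holds lines of the form "<40 hex digits> <repository path>".
# Files are looked up in DIR by basename, because the table lists
# repository paths (7.3/updates/i386/...) rather than local paths.
# Prints OK/MISMATCH/MISSING per entry; returns 0 only if all are OK.
verify_advisory_sums() {
    table=$1
    dir=$2
    status=0
    cr=$(printf '\r')
    while read -r want path || [ -n "$want" ]; do
        path=${path%"$cr"}              # tolerate CRLF from a saved mail
        # Skip header, rule and prose lines: field 1 must be 40 hex digits.
        case $want in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#want}" -eq 40 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
            status=1
            continue
        fi
        got=$(sha1sum < "$dir/$name" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"
            status=1
        fi
    done < "$table"
    return "$status"
}

# make_demo_inputs DIR: constructed table plus a constructed download dir.
make_demo_inputs() {
    mkdir -p "$1/rpms"
    # sha1("abc") = a9993e36..., sha1("") = da39a3ee...
    cat > "$1/advisory.txt" <<'EOF'
SHA1 sum                                 Package Name
---------------------------------------------------------------------------
a9993e364706816aba3e25717850c26c9cd0d89d 7.3/updates/i386/example-1.0-1.legacy.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 7.3/updates/i386/example-devel-1.0-1.legacy.i386.rpm
a9993e364706816aba3e25717850c26c9cd0d89d 7.3/updates/SRPMS/example-1.0-1.legacy.src.rpm
EOF
    printf 'abc' > "$1/rpms/example-1.0-1.legacy.i386.rpm"        # matches
    printf 'abc' > "$1/rpms/example-devel-1.0-1.legacy.i386.rpm"  # altered
    # example-1.0-1.legacy.src.rpm is deliberately not downloaded
}

demo=$(mktemp -d)
make_demo_inputs "$demo"
if verify_advisory_sums "$demo/advisory.txt" "$demo/rpms"; then
    echo "all packages match the table"
else
    echo "verification failed; do not install"
fi
rm -rf "$demo"
```

A clean result only shows that the files match the table; the GPG check with rpm --checksig described in the advisories is what ties the packages to the Fedora Legacy key.
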
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste)
Date: Fri, 8 Oct 2004 10:08:16 -0500 (CDT)
Subject: [FLSA-2004:1257] Updated netpbm packages fix security vulnerabilities
In-Reply-To: <20041008090121.GB13517@home.thedom.org>
References: <20041008090121.GB13517@home.thedom.org>
Message-ID:

On Fri, 8 Oct 2004, Dominic Hargreaves wrote:

> -----------------------------------------------------------------------
> Fedora Legacy Update Advisory
>
> Synopsis: Updated netpbm resolves security vulnerabilities
> Advisory ID: FLSA:1257
> Issue date: 2004-10-08
> Product: Red Hat Linux
> Keywords: Security
> Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1257
> CVE Names: CVE-2003-0924

I just wanted to say way to go Dominic!!! You have been very busy over
the last 24 hours. Thank you for doing this! Just to let you know, I
have tested your apache/httpd, foomatic, and cups patches. They are all
working fine.

*******************************************************************************
Gilbert Sebenste ********
(My opinions only!) ******
Staff Meteorologist, Northern Illinois University ****
E-mail: sebenste at weather.admin.niu.edu ***
web: http://weather.admin.niu.edu **
Work phone: 815-753-5492 *
*******************************************************************************

From dom at earth.li Fri Oct 8 15:25:04 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 8 Oct 2004 16:25:04 +0100
Subject: Round-up, 2004-10-06
In-Reply-To: <20041008141826.GI2438@sibannac>
References: <20041006160028.3599274966@hormel.redhat.com> <20041008141826.GI2438@sibannac>
Message-ID: <20041008152504.GI15895@tirian.magd.ox.ac.uk>

On Fri, Oct 08, 2004 at 04:18:26PM +0200, Barbara Pennacchi wrote:

> sorry dominic, but when you list multiple entries in this way it is a bit
> hard to find the correct entries -- could you at least specify WHICH
> kernel they refer to? (same goes for XFree86 below)

It's beyond what I'd want to maintain manually to include version
numbers of all relevant patches. The short of it is that there should
only be one non-"superseded" bug relevant for each.

In fact, I will remove the superseded packages from the listing as it is
true that they obscure the useful parts of the list to some extent.

> >XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1831
> >Needs VERIFY for rh9 (superseded)
>
> I had downloaded the rpm of XFree86-4.3.0-2.90.57.legacy and used it so
> far without problems (even with GIMP) but, in reading the new bugreport,
> I'm now a bit confused.
>
> What should I do? cool off while waiting for the more expert testers to
> come up with usable&testable rpms for RH9 or download the srpm and try to
> build the whole shebang on my own (yikes ;) or should I go ahead with my
> report on XFree86 rpms related to ver 4.3.0-2.90.57.legacy or what? :p

If you look at the bottom of that bug it gives a link to the new bug on
which work on packages is currently being done:

https://bugzilla.fedora.us/show_bug.cgi?id=2075

Cheers,

Dominic.

From simon at nzservers.com Fri Oct 8 15:39:59 2004
From: simon at nzservers.com (Simon Weller)
Date: Fri, 8 Oct 2004 10:39:59 -0500
Subject: 2 PHP vulnerabilities
Message-ID: <200410081039.59885.simon@nzservers.com>

Hi all,

I see Gentoo has just released a new version of PHP to take care of a
parse error in php_variables.c leading to a memory read when passing a
specially crafted parameter.

Also commented in the advisory was a method of overwriting the $_FILES
array using a specially crafted header.

Reading between the lines of the various advisories it seems that 4.1.2
isn't affected by the parse error issue, but all versions later are
(according to the Gentoo advisory).

Details:

http://www.securityfocus.com/archive/1/375294
http://www.securityfocus.com/archive/1/375370
http://secunia.com/advisories/12560

As I didn't QA the recent PHP release, I'm not sure whether either of
these were covered in the new FL release. I can't find any mention of
these on Bugzilla either (for FL or Fedora Stable). Doing a quick grep
through the 4.2.2 patch doesn't seem to show any fixes for the
php_variables.c parse error.

Any comments?

- Si

--
Simon Weller LPIC-2
Systems Engineer
NZServers LTD
http://www.nzservers.com/
U.S. Branch

<- To mess up a Linux box, you need to work at it; to mess up your
Windows box, you just need to work on it.
- Scott Granneman, Security Focus ->

From cra at WPI.EDU Fri Oct 8 15:40:14 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Fri, 8 Oct 2004 11:40:14 -0400
Subject: Round-up, 2004-10-06
In-Reply-To: <20041008152504.GI15895@tirian.magd.ox.ac.uk>
References: <20041006160028.3599274966@hormel.redhat.com> <20041008141826.GI2438@sibannac> <20041008152504.GI15895@tirian.magd.ox.ac.uk>
Message-ID: <20041008154014.GG17146@angus.ind.WPI.EDU>

On Fri, Oct 08, 2004 at 04:25:04PM +0100, Dominic Hargreaves wrote:
> If you look at the bottom of that bug it gives a link to the new bug on
> which work on packages is currently being done:

Could you sort the list in order of highest priority at the top?

Thanks.

From mule at umich.edu Fri Oct 8 16:18:46 2004
From: mule at umich.edu (Stephen E. Dudek) Date: Fri, 08 Oct 2004 12:18:46 -0400 Subject: Round-up, 2004-10-06 In-Reply-To: <20041008152504.GI15895@tirian.magd.ox.ac.uk> References: <20041006160028.3599274966@hormel.redhat.com> <20041008141826.GI2438@sibannac> <20041008152504.GI15895@tirian.magd.ox.ac.uk> Message-ID: <1097252325.6116.1.camel@pestilence.themule.net> Dominic, I would like to take the opportunity to thank you again for compiling and maintaining this list. I use it constantly to maintain my own list of what I am using for QA. Steve Dudek On Fri, 2004-10-08 at 11:25, Dominic Hargreaves wrote: > On Fri, Oct 08, 2004 at 04:18:26PM +0200, Barbara Pennacchi wrote: > > > sorry dominic, but when you list multiple entries in this way it is a bit > > hard to find the correct entries -- could you at least specify WHICH > > kernel they refer to? (same goes for XFree86 below) > > It's beyond what I'd want to maintain manually to include version > numbers of all relevant patches. The short of it is that there should > only be one non-"superceded" bug relevant for each. > > In fact, I will remove the superceded packages from the listing as it is > true that they obscure the useful parts of the list to some extent. > > > >XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1831 > > >Needs VERIFY for rh9 (superceded) > > > > I had downloaded the rpm of XFree86-4.3.0-2.90.57.legacy and used it so > > far without problems (even with GIMP) but, in reading the new bugreport, > > I'm now a bit confused. > > > > What should I do? cool off while waiting for the more expert testers to > > come up with usable&testable rpms for RH9 or download the srpm and try to > > build the whole shebang on my own (yikes ;) or should I go ahead with my > > report on XFree86 rpms related to ver 4.3.0-2.90.57.legacy or what? 
:p > > If you look at the bottom of that bug it gives a link to the new bug on > which work on packages are currently being done: > > https://bugzilla.fedora.us/show_bug.cgi?id=2075 > > Cheers, > > Dominic. From b.pennacchi at istc.cnr.it Fri Oct 8 16:35:42 2004
From: b.pennacchi at istc.cnr.it (Barbara Pennacchi) Date: Fri, 08 Oct 2004 18:35:42 +0200 Subject: Round-up, 2004-10-06 In-Reply-To: <20041008152504.GI15895@tirian.magd.ox.ac.uk> References: <20041006160028.3599274966@hormel.redhat.com> <20041008141826.GI2438@sibannac> <20041008152504.GI15895@tirian.magd.ox.ac.uk> Message-ID: <20041008163542.GG10638@sibannac> On 08.10.04 17:25, Dominic Hargreaves wrote: > In fact, I will remove the superceded packages from the listing as it is > true that they obscure the useful parts of the list to some extent. I agree, that would be the sensible thing to do :-). Last thing: sorting the list in order of priority (as proposed by someone in the ML) would be more clear together with grouping the "duplicate" entries. (Uh -- well, I feel pretty stupid now, probably thanks to a sudden shortage of caffeine in my bloodstream :) so feel free to ignore me! > > >XFree86 - https://bugzilla.fedora.us/show_bug.cgi?id=1831 > > >Needs VERIFY for rh9 (superceded) > > I had downloaded the rpm of XFree86-4.3.0-2.90.57.legacy and used it > > so far without problems (even with GIMP) but, in reading the new > > bugreport, I'm now a bit confused. > If you look at the bottom of that bug it gives a link to the new bug on > which work on packages are currently being done: > > https://bugzilla.fedora.us/show_bug.cgi?id=2075 That's the bugreport I was talking about :-) I've re-read it but I'm still confused about what I should do with the version of XFree86 I'm currently using/testing now :p (If I've read it correctly, only gtk+ and libXpm are the elements affected by this specific security issue and I have a handful of X-related programs that uses one or both of them -- fortunately I'm the only one using the RH9 box used for QA and I have a tight firewall in it, but still, I don't know what I should do :-) -- +--------------------------------------------------------------------+ | WARNING WARNING WARNING *** EMAIL ADDRESS CHANGED! 
| | USE EMAIL ADDRESS PROVIDED BELOW | | IF YOU KEEP WRITING TO THE OLD ADDRESS IT IS NOT MY FAULT! | +--------------------------------------------------------------------+ | Barbara Pennacchi b.pennacchi at istc.cnr.it | | Consiglio Nazionale delle Ricerche | | Istituto di Scienze e Tecnologie della Cognizione | | V.le Marx 15, 00137 Roma, Italia | | http://www.istc.cnr.it/ | +--------------------------------------------------------------------+ From marcdeslauriers at videotron.ca Fri Oct 8 16:47:27 2004 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Fri, 08 Oct 2004 12:47:27 -0400 Subject: 2 PHP vulnerabilities In-Reply-To: <200410081039.59885.simon@nzservers.com> References: <200410081039.59885.simon@nzservers.com> Message-ID: <1097254047.2546.0.camel@mdlinux> On Fri, 2004-10-08 at 11:39, Simon Weller wrote: > As I didn't QA the recent PHP release, I'm not sure whether either of these > were covered in the new FL release. I can't find any mention of these on > Bugzilla either (for FL or Fedora Stable). > > Doing a quick grep through the 4.2.2 patch doesn't seem to show any fixes for > the php_variables.c parse error. > > Any comments? The recent PHP release does not cover these issues. I have opened a new bug for them: https://bugzilla.fedora.us/show_bug.cgi?id=2141 Marc. From simon at nzservers.com Fri Oct 8 16:55:20 2004
From: simon at nzservers.com (Simon Weller) Date: Fri, 8 Oct 2004 11:55:20 -0500 Subject: 2 PHP vulnerabilities In-Reply-To: <1097254047.2546.0.camel@mdlinux> References: <200410081039.59885.simon@nzservers.com> <1097254047.2546.0.camel@mdlinux> Message-ID: <200410081155.20933.simon@nzservers.com> On Friday 08 October 2004 11:47 am, Marc Deslauriers wrote: > On Fri, 2004-10-08 at 11:39, Simon Weller wrote: > > As I didn't QA the recent PHP release, I'm not sure whether either of > > these were covered in the new FL release. I can't find any mention of > > these on Bugzilla either (for FL or Fedora Stable). > > > > Doing a quick grep through the 4.2.2 patch doesn't seem to show any fixes > > for the php_variables.c parse error. > > > > Any comments? > > The recent PHP release does not cover these issues. > > I have opened a new bug for them: > > https://bugzilla.fedora.us/show_bug.cgi?id=2141 > > Marc. ok thanks Marc....I would have opened one, but I just wanted some clarification on them first. - Si -- Simon Weller LPIC-2 Systems Engineer NZServers LTD http://www.nzservers.com/ U.S. Branch <- To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. - Scott Granneman, Security Focus -> From ckelley at ibnads.com Fri Oct 8 18:53:36 2004 
From: ckelley at ibnads.com (Craig Kelley) Date: Fri, 08 Oct 2004 12:53:36 -0600 Subject: [FLSA-2004:1257] Updated netpbm packages fix security vulnerabilities In-Reply-To: References: <20041008090121.GB13517@home.thedom.org> Message-ID: <4166E230.6020207@ibnads.com> Gilbert Sebenste wrote: >On Fri, 8 Oct 2004, Dominic Hargreaves wrote: > > > >>----------------------------------------------------------------------- >> Fedora Legacy Update Advisory >> >>Synopsis: Updated netpbm resolves security vulnerabilities >>Advisory ID: FLSA:1257 >>Issue date: 2004-10-08 >>Product: Red Hat Linux >>Keywords: Security >>Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1257 >>CVE Names: CVE-2003-0924 >> >> > >I just wanted to say way to go Dominic!!! You have been very busy over the >last 24 hours. Thank you for doing this! > >Just to let you know, I have tested your apache/httpd, foomatic, and cups >patches. They are all working fine. > > Here! Here! And everyone else too :-) -- Craig Kelley In-Store Broadcasting Network From rostetter at mail.utexas.edu Fri Oct 8 21:53:26 2004 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 8 Oct 2004 16:53:26 -0500 Subject: http://www.fedoralegacy.org/wiki/index.php/QaTesting In-Reply-To: <415BFB85.60101@ysu.edu> References: <415BFB85.60101@ysu.edu> Message-ID: <1097272406.c2cc2d5f21f04@mail.ph.utexas.edu> Quoting John Dalbec : > > 3. Check for missing BuildRequires. For more information, see this posting. > > Should "this posting" be a link? Yes, it was supposed to be, but it was never linked to one, and I don't have a clue anymore what it was supposed to link to. So I've simply removed that sentence. If anyone can find the link it was supposed to go to, we can add it back in. > John -- Eric Rostetter From rostetter at mail.utexas.edu Fri Oct 8 21:58:33 2004
From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 8 Oct 2004 16:58:33 -0500 Subject: improved rpm-build-compare.sh In-Reply-To: <20041003063726.GO5537@angus.ind.WPI.EDU> References: <20041003063726.GO5537@angus.ind.WPI.EDU> Message-ID: <1097272713.ce386c5fe24f3@mail.ph.utexas.edu> Quoting "Charles R. Anderson" : > Here is my rpm-build-compare.sh script which compares two binary or > source rpm packages for important differences. I use it during QA to > catch common errors, such as missing buildrequires (ldd diffs), etc. > This version is improved over the last one I posted. It checks for > the following differences: This would be, IMHO, a good thing to add to the FL wiki site. A wiki is a decent place for such "user contributed" stuff... I'd love to see a "user contributed" section on the wiki. Best would be if it only contained links to other sites hosting the contributed software, so it remains clear that it is not official FL stuff. This program, plus the "up2date" patch for RH9 w/ FL, would be great things for such a site... -- Eric Rostetter From sheltren at cs.ucsb.edu Fri Oct 8 22:04:52 2004 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Fri, 08 Oct 2004 15:04:52 -0700 Subject: http://www.fedoralegacy.org/wiki/index.php/QaTesting In-Reply-To: <1097272406.c2cc2d5f21f04@mail.ph.utexas.edu> Message-ID: Could it have been intended to point here? http://www.fedora.us/wiki/HOWTOFindMissingBuildRequires -Jeff On 10/8/04 2:53 PM, "Eric Rostetter" wrote: > Quoting John Dalbec : > >>> 3. Check for missing BuildRequires. For more information, see this posting. >> >> Should "this posting" be a link? > > Yes, it was suppose to be, but it was never linked to one, and I don't > have a clue anymore what it was supposed to link to. So I've simply > removed that sentence. > > If anyone can find the link it was supposed to go to, we can add it back > in. > >> John From rostetter at mail.utexas.edu Fri Oct 8 22:07:34 2004 
From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 8 Oct 2004 17:07:34 -0500 Subject: http://www.fedoralegacy.org/wiki/index.php/QaTesting In-Reply-To: References: Message-ID: <1097273254.7610fbfe04d0f@mail.ph.utexas.edu> Quoting Jeff Sheltren : > Could it have been intended to point here? > http://www.fedora.us/wiki/HOWTOFindMissingBuildRequires > > -Jeff No. While that may be a reasonable place to point it, and while it may be a good thing to point it there (I'll let others decide), it was originally meant to point to a mailing list posting... -- Eric Rostetter From buso at fbinfo.com.br Sat Oct 9 03:40:21 2004 From: buso at fbinfo.com.br (BYTE SAVE INF. LTDA ME) Date: Sat, 9 Oct 2004 00:40:21 -0300 Subject: Duvida Message-ID: <008901c4adb1$b4369870$f002010a@intel> Preciso dos modulos ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_proto_gre, para o kernel 2.4 e 2.6 das distribuições Fedora, alguem poderia me ajudar. Obrigado From marcdeslauriers at videotron.ca Sat Oct 9 20:06:16 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sat, 09 Oct 2004 16:06:16 -0400
Subject: Fedora Legacy Test Update Notification: tripwire
Message-ID: <1097352376.5747.3.camel@mdlinux>

This release fixes a duplicate patch entry in the rh9 packages.

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-1719
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1719
2004-10-09
---------------------------------------------------------------------

Name        : tripwire
Version 7.3 : 2.3.1-10.1.legacy.7x
Version 9   : 2.3.1-17.2.legacy.9
Summary     : A system integrity assessment tool.
Description :
Tripwire is a very valuable security tool for Linux systems, if it is installed to a clean system. Tripwire should be installed right after the OS installation, and before you have connected your system to a network (i.e., before any possibility exists that someone could alter files on your system).

---------------------------------------------------------------------
Update Information:

Updated Tripwire packages that fix a format string security vulnerability are now available.

Tripwire is a system integrity assessment tool.

Paul Herman discovered a format string vulnerability in Tripwire version 2.3.1 and earlier. If Tripwire is configured to send reports via email, a local user could gain privileges by creating a carefully crafted file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0536 to this issue.

Users of Tripwire are advised to upgrade to this erratum package which contains a backported security patch to correct this issue.

---------------------------------------------------------------------
Changelog:

7.3:
* Mon Oct 04 2004 Marc Deslauriers 2.3.1-10.1.legacy.7x
- Removed gcc-c++ as a BuildReq
- Downgraded version number so we don't break upgrade cycle to fc1

* Tue Jun 15 2004 Jesse Keating 2.3.1-20.legacy.7x
- Added gcc-c++ as a BuildReq
- Changed version number to allow for 7.x to bump w/out touching 9

* Fri Jun 04 2004 Marc Deslauriers 2.3.1-18.legacy
- Added patch for format string vulnerability (FL #1719)

9:
* Sat Oct 09 2004 Marc Deslauriers 2.3.1-17.2.legacy.9
- Removed duplicate Patch4 entry

* Mon Oct 04 2004 Marc Deslauriers 2.3.1-17.1.legacy.9
- Removed gcc-c++ BuildRequires
- Downgraded release number so we don't break the upgrade cycle to fc1

* Tue Jun 15 2004 Jesse Keating 2.3.1-20.legacy.9
- Added gcc-c++
- Altered version for 7.x/9 independence.

* Fri Jun 04 2004 Marc Deslauriers 2.3.1-19.legacy
- Added patch for format string vulnerability (FL #1719)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

1b2a8875e86492065f53db69d04de4a452fb1c5f  7.3/updates-testing/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2  7.3/updates-testing/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5  9/updates-testing/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2  9/updates-testing/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.

---------------------------------------------------------------------
Please test these new packages and add comments to Bugzilla.

From marcdeslauriers at videotron.ca Sat Oct 9 20:05:15 2004
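The notification above lists each package as a SHA-1 sum followed by its repository path. The script below is an added example, not part of the original message or of Fedora Legacy's tooling: it pulls those pairs out of a saved copy of a notice and checks downloaded files against them, assuming GNU `sha1sum` and `mktemp`; the `example-*` package names and the sample notice in `demo` are constructed.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against the "sha1 path" pairs in a
# saved update notification. Usage: script NOTICE [DIR]; no arguments runs
# the constructed demo.

# extract_sums FILE -> prints "sha1  basename.rpm", one package per line.
# Works whether the pairs sit one per line or are flattened onto one line,
# as list archives often render them. Only the basename is kept, so a path
# in the notice can never point the check outside the download directory.
extract_sums() {
    grep -oE '[0-9a-fA-F]{40}[[:space:]]+[^[:space:]]+\.rpm' "$1" |
    while read -r sum path; do
        printf '%s  %s\n' "$(printf '%s' "$sum" | tr 'A-F' 'a-f')" "${path##*/}"
    done
}

# verify_packages NOTICE DIR
# Returns 0 only if every listed package exists in DIR and its sum matches,
# 1 on any missing or mismatching file, 2 if the notice lists no sums.
verify_packages() {
    notice=$1 dir=$2 status=0
    sums=$(extract_sums "$notice")
    [ -n "$sums" ] || { echo "no sha1 entries found in $notice" >&2; return 2; }
    while read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        got=$(sha1sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)"; status=1
        fi
    done <<EOF
$sums
EOF
    return $status
}

# demo: constructed sample run. Builds two stand-in "packages", writes a
# notice with both pairs on one line, then verifies before and after one
# file is altered. Prints "clean=<rc> tampered=<rc>".
demo() {
    tmp=$(mktemp -d) || return 1
    bin="$tmp/example-1.0-1.legacy.i386.rpm"
    src="$tmp/example-1.0-1.legacy.src.rpm"
    printf 'package one\n' > "$bin"
    printf 'package two\n' > "$src"
    s1=$(sha1sum "$bin" | cut -d' ' -f1)
    s2=$(sha1sum "$src" | cut -d' ' -f1)
    printf 'This update can be downloaded from: %s 9/updates-testing/i386/%s %s 9/updates-testing/SRPMS/%s Please test.\n' \
        "$s1" "${bin##*/}" "$s2" "${src##*/}" > "$tmp/notice.txt"
    if verify_packages "$tmp/notice.txt" "$tmp" >/dev/null; then clean=0; else clean=$?; fi
    printf 'altered\n' >> "$bin"    # simulate a corrupted or replaced download
    if verify_packages "$tmp/notice.txt" "$tmp" >/dev/null; then tampered=0; else tampered=$?; fi
    rm -rf "$tmp"
    echo "clean=$clean tampered=$tampered"
}

if [ $# -ge 1 ]; then
    verify_packages "$1" "${2:-.}"
else
    demo
fi
```

A matching sum shows only that the file is the one the message listed; `rpm --checksig -v` against the Fedora Legacy key, as the advisories on this list describe, is still what ties a package to its signer.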
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sat, 09 Oct 2004 16:05:15 -0400
Subject: [FLSA-2004:2068] Updated httpd packages fix security issues
Message-ID: <1097352315.5747.1.camel@mdlinux>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:          Updated httpd packages fix security issues
Advisory ID:       FLSA:2068
Issue date:        2004-10-09
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2068
CVE Names:         CAN-2004-0488 CAN-2004-0493 CAN-2004-0747
CVE Names:         CAN-2004-0748 CAN-2004-0751 CAN-2004-0786
CVE Names:         CAN-2004-0809 CAN-2004-0811
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated httpd packages that include fixes for security issues are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Problems that apply to Red Hat Linux 9 only:

A stack buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occurred if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue.

A remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue.

Problems that apply to Fedora Core 1 only:

An input filter bug in mod_ssl was discovered in Apache httpd version 2.0.50 and earlier. A remote attacker could force an SSL connection to be aborted in a particular state and cause an Apache child process to enter an infinite loop, consuming CPU resources. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to this issue.

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on this version of Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue.

Note that these packages do also contain the fix for a regression in Satisfy handling in the 2.0.51 release (CAN-2004-0811).

Problems that apply to both Red Hat Linux 9 and Fedora Core 1:

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0747 to this issue.

An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server.
A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to this issue.

An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue.

Users of the Apache HTTP server should upgrade to these updated packages, which contain patches that address these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates.
To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 2068 - CAN-2004-0747,0786,0809 - httpd multiple vulnerabilities
http://bugzilla.fedora.us - 1708 - CAN-2004-0488 - remote attack in mod_ssl
http://bugzilla.fedora.us - 1805 - CAN-2004-0493 - denial of service in ap_get_mime_headers_core function in Apache

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.16.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.16.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.4.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
24afb48553b515210d3169791dcdd7d39a5d48d6 redhat/9/updates/i386/httpd-2.0.40-21.16.legacy.i386.rpm
6e331ab50f8ddfc5674941a624cb9964863e5375 redhat/9/updates/i386/httpd-devel-2.0.40-21.16.legacy.i386.rpm
0f173510cd129e3705bfaef42e29ff0534ceb4a3 redhat/9/updates/i386/httpd-manual-2.0.40-21.16.legacy.i386.rpm
3983d36be504848260d839f9da54987fd6ec5bc6 redhat/9/updates/i386/mod_ssl-2.0.40-21.16.legacy.i386.rpm
985775546a6372e6593735521e1729baefde46ba redhat/9/updates/SRPMS/httpd-2.0.40-21.16.legacy.src.rpm
4e087267eecc22511da946cfa48bbc323eca06c9 fedora/1/updates/i386/httpd-2.0.51-1.4.legacy.i386.rpm
6e93aa37526472d11a8c2f31e58e89b920dac08c fedora/1/updates/i386/httpd-devel-2.0.51-1.4.legacy.i386.rpm
09af35f59d8bfd42a4b2988af5ce869e0daf4fcc fedora/1/updates/i386/httpd-manual-2.0.51-1.4.legacy.i386.rpm
2c125be93507e8ed0e672f0459b06b719678264b fedora/1/updates/i386/mod_ssl-2.0.51-1.4.legacy.i386.rpm
5629ec56b7b4935f8540c5884ec3d03a4d5e09cd fedora/1/updates/SRPMS/httpd-2.0.51-1.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://www.apacheweek.com/features/security-20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0811
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From ghost at motherlode.fsck.no-ip.org Sat Oct 9 22:14:17 2004
From: ghost at motherlode.fsck.no-ip.org (ghost at motherlode.fsck.no-ip.org)
Date: Sat, 9 Oct 2004 23:14:17 +0100
Subject: typo in your redhat9 yum.conf as posted on website
Message-ID: <200410092214.i99MEHbX024958@motherlode.fsck.no-ip.org>

Thought you would like to know that at http://www.fedoralegacy.org/docs/yum-rh9.php your yum.conf has an error in the updates section:

[updates]
name=Red Hat Linux $releasever - $basearch - updates
baseurl=http://download.fedoralegacy/redhat/$releasever/updates/$basearch
gpgcheck=1

the baseurl line should read:

baseurl=http://download.fedoralegacy.org/redhat/...

I think that the missing .org could be causing some people slight problems with updating.

You can't return mail to this address.

Hope this was helpful to you,
regards
Mat

From rostetter at mail.utexas.edu Mon Oct 11 17:51:26 2004
From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Mon, 11 Oct 2004 12:51:26 -0500 Subject: typo in your redhat9 yum.conf as posted on website In-Reply-To: <200410092214.i99MEHbX024958@motherlode.fsck.no-ip.org> References: <200410092214.i99MEHbX024958@motherlode.fsck.no-ip.org> Message-ID: <1097517086.67ab1b53fa4bd@mail.ph.utexas.edu> Quoting ghost at motherlode.fsck.no-ip.org: > Thought you would like to know that at > http://www.fedoralegacy.org/docs/yum-rh9.php your yum.conf has an error in > the updates section: Thanks! It is fixed now. -- Eric Rostetter From b-nordquist at bethel.edu Mon Oct 11 19:56:20 2004 From: b-nordquist at bethel.edu (Brent J. Nordquist) Date: Mon, 11 Oct 2004 14:56:20 -0500 Subject: libxml2 for RHL 9? (bug 1324) Message-ID: <20041011195616.GA23135@bethel.edu> The bug description says libxml2 prior to 2.6.6 is affected. RHL 9 has libxml2 2.5.4, but the bug only fixes RHL 7.x/8 -- is RHL 9 affected or unaffected, anyone know? -- Brent J. Nordquist N0BJN Other contact information: http://kepler.its.bethel.edu/~bjn/contact.html From dom at earth.li Mon Oct 11 22:03:57 2004 From: dom at earth.li (Dominic Hargreaves) Date: Mon, 11 Oct 2004 23:03:57 +0100 Subject: Round-up, 2004-10-06 In-Reply-To: <20041008163542.GG10638@sibannac> References: <20041006160028.3599274966@hormel.redhat.com> <20041008141826.GI2438@sibannac> <20041008152504.GI15895@tirian.magd.ox.ac.uk> <20041008163542.GG10638@sibannac> Message-ID: <20041011220357.GQ15895@tirian.magd.ox.ac.uk> On Fri, Oct 08, 2004 at 06:35:42PM +0200, Barbara Pennacchi wrote: > That's the bugreport I was talking about :-) I've re-read it but I'm still > confused about what I should do with the version of XFree86 I'm currently > using/testing now :p The best thing to do would be to QA the new packages posted at . Dominic. From marcdeslauriers at videotron.ca Mon Oct 11 22:22:37 2004 
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Mon, 11 Oct 2004 18:22:37 -0400 Subject: libxml2 for RHL 9? (bug 1324) In-Reply-To: <20041011195616.GA23135@bethel.edu> References: <20041011195616.GA23135@bethel.edu> Message-ID: <1097533357.5517.1.camel@mdlinux> On Mon, 2004-10-11 at 15:56, Brent J. Nordquist wrote: > The bug description says libxml2 prior to 2.6.6 is affected. RHL 9 has > libxml2 2.5.4, but the bug only fixes RHL 7.x/8 -- is RHL 9 affected or > unaffected, anyone know? RHL 9 is affected, but Red Hat already came out with an advisory for this issue before RHL9's end-of-life. https://rhn.redhat.com/errata/RHSA-2004-091.html Marc. From dom at earth.li Tue Oct 12 00:28:07 2004 From: dom at earth.li (Dominic Hargreaves) Date: Tue, 12 Oct 2004 01:28:07 +0100 Subject: Duvida In-Reply-To: <008901c4adb1$b4369870$f002010a@intel> References: <008901c4adb1$b4369870$f002010a@intel> Message-ID: <20041012002807.GU15895@tirian.magd.ox.ac.uk> On Sat, Oct 09, 2004 at 12:40:21AM -0300, BYTE SAVE INF. LTDA ME wrote: > Preciso dos modulos ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_proto_gre, para o kernel 2.4 e 2.6 das distribuições Fedora, alguem poderia me ajudar. Hello, This is an English language mailing list, and to the best of my knowledge there are no Portuguese speakers here. We probably can't help you unless you repost your query in English. Thanks, Dominic. From b.pennacchi at istc.cnr.it Tue Oct 12 11:38:06 2004
From: b.pennacchi at istc.cnr.it (Barbara Pennacchi)
Date: Tue, 12 Oct 2004 13:38:06 +0200
Subject: suggestion about using yum for QA in updates-testing
Message-ID: <20041012113806.GC2497@sibannac>

Hi,

maybe it's something blatantly obvious, but if I'm not the only one relatively new to testing for QA the various packages, it could be useful to other QA newbies.

Putting the lines related to the updates-testing directory in the default yum conf file (usually is /etc/yum.conf) may cause some slight confusion when one wishes to update ONLY from /updates-testing/ or from /updates/ with the global command "yum update", or download from only ONE of the two dirs some packages (that happen to be in BOTH directories). That's what happened to me one or two times.

So I put in /etc/ another file called testyum.conf containing only the urls for updates-testing, leaving alone the "normal" repos (base, legacy-utils and updates) in yum.conf.

When I want to download packages from /updates-testing/ I use the command

yum -c /etc/testyum.conf [check-]update

Calling yum without the -c option lets it behave normally as if you were a normal user.

If you use bash, you might insert into .bashrc the line:

alias testyum='yum -c /etc/testyum.conf'

so that "testyum" will spare you specifying every time the other config file.

Any correction/suggestion is welcome :)

cheers, b.

--
+--------------------------------------------------------------------+
| WARNING WARNING WARNING *** EMAIL ADDRESS CHANGED!                 |
| USE EMAIL ADDRESS PROVIDED BELOW                                   |
| IF YOU KEEP WRITING TO THE OLD ADDRESS IT IS NOT MY FAULT!         |
+--------------------------------------------------------------------+
| Barbara Pennacchi                  b.pennacchi at istc.cnr.it      |
| Consiglio Nazionale delle Ricerche                                 |
| Istituto di Scienze e Tecnologie della Cognizione                  |
| V.le Marx 15, 00137 Roma, Italia                                   |
| http://www.istc.cnr.it/                                            |
+--------------------------------------------------------------------+

From guallar at easternrad.com Tue Oct 12 12:49:06 2004
From: guallar at easternrad.com (Josep L. Guallar-Esteve)
Date: Tue, 12 Oct 2004 08:49:06 -0400
Subject: Duvida
In-Reply-To: <20041012002807.GU15895@tirian.magd.ox.ac.uk>
References: <008901c4adb1$b4369870$f002010a@intel> <20041012002807.GU15895@tirian.magd.ox.ac.uk>
Message-ID: <200410120849.10611.guallar@easternrad.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 11 October 2004 08:28 pm, Dominic Hargreaves wrote:
> On Sat, Oct 09, 2004 at 12:40:21AM -0300, BYTE SAVE INF. LTDA ME wrote:
> > Preciso dos modulos ip_nat_pptp, ip_conntrack_pptp,
> > ip_conntrack_proto_gre, ip_nat_proto_gre, para o kernel 2.4 e 2.6 das
> > distribuições Fedora, alguem poderia me ajudar.
>
> Hello,
>
> This is an English language mailing list, and to the best of my
> knowledge there are no Portuguese speakers here. We probably can't help
> you unless you repost your query in English.

Hi Dominic, "BYTE SAVE INF. LTDA ME" says:

"I need ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_proto_gre for Fedora kernels 2.4 and 2.6. Can someone help me?"

All latin languages are similar enough :)

Regards,
Josep
- --
Josep L. Guallar-Esteve          Eastern Radiologists, Inc.
Systems and PACS Administration  http://www.easternrad.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBa9LFSGQa4/zQ9e8RAl3kAJ4yoU+20JCBMcPMB6w1rHYb7cRJjQCgpXmt
I9IRc28tBSj9thBIqF38U1g=
=ym3O
-----END PGP SIGNATURE-----

From scytale at eircom.net Tue Oct 12 13:52:18 2004
From: scytale at eircom.net (scytale)
Date: Tue, 12 Oct 2004 06:52:18 -0700
Subject: Duvida
In-Reply-To: <200410120849.10611.guallar@easternrad.com>
References: <008901c4adb1$b4369870$f002010a@intel> <20041012002807.GU15895@tirian.magd.ox.ac.uk> <200410120849.10611.guallar@easternrad.com>
Message-ID: <1097589123.3733.342.camel@nfinstaller1.prod.google.com>

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat

t

On Tue, 2004-10-12 at 05:49, Josep L. Guallar-Esteve wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday 11 October 2004 08:28 pm, Dominic Hargreaves wrote:
> > On Sat, Oct 09, 2004 at 12:40:21AM -0300, BYTE SAVE INF. LTDA ME wrote:
> > > Preciso dos modulos ip_nat_pptp, ip_conntrack_pptp,
> > > ip_conntrack_proto_gre, ip_nat_proto_gre, para o kernel 2.4 e 2.6 das
> > > distribuições Fedora, alguem poderia me ajudar.
> >
> > Hello,
> >
> > This is an English language mailing list, and to the best of my
> > knowledge there are no Portuguese speakers here. We probably can't help
> > you unless you repost your query in English.
>
> Hi Dominic, "BYTE SAVE INF. LTDA ME" says:
>
> "I need ip_nat_pptp, ip_conntrack_pptp, ip_conntrack_proto_gre,
> ip_nat_proto_gre for Fedora kernels 2.4 and 2.6. Can someone help me?"
>
> All latin languages are similar enough :)
>
>
> Regards,
> Josep
> - --
> Josep L. Guallar-Esteve Eastern Radiologists, Inc.
> Systems and PACS Administration http://www.easternrad.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFBa9LFSGQa4/zQ9e8RAl3kAJ4yoU+20JCBMcPMB6w1rHYb7cRJjQCgpXmt
> I9IRc28tBSj9thBIqF38U1g=
> =ym3O
> -----END PGP SIGNATURE-----
>
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
>

From fedoraleg_form at mm-vanecek.cc Tue Oct 12 14:25:35 2004
From: fedoraleg_form at mm-vanecek.cc (Mike Vanecek)
Date: Tue, 12 Oct 2004 09:25:35 -0500
Subject: typo in your redhat9 yum.conf as posted on website
In-Reply-To: <1097517086.67ab1b53fa4bd@mail.ph.utexas.edu>
References: <200410092214.i99MEHbX024958@motherlode.fsck.no-ip.org> <1097517086.67ab1b53fa4bd@mail.ph.utexas.edu>
Message-ID: <20041012141512.M19966@mm-vanecek.cc>

On Mon, 11 Oct 2004 12:51:26 -0500, Eric Rostetter wrote
> Quoting ghost at motherlode.fsck.no-ip.org:
>
> > Thought you would like to know that at
> > http://www.fedoralegacy.org/docs/yum-rh9.php your yum.conf has an error in
> > the updates section:
>
> Thanks! It is fixed now.

When I first set my yum up, along with base, I had updates-released and legacy-utils, i.e.,

[updates-released]
name=Red Hat Linux $releasever - Released Updates
baseurl=http://download.fedoralegacy.org/redhat/$releasever/updates/$basearch/
gpgcheck=1

[legacy-utils]
name=Fedora Legacy utilities for Red Hat Linux $releasever
baseurl=http://download.fedoralegacy.org/redhat/$releasever/legacy-utils/$basearch
gpgcheck=1

The web site says

[updates]
name=Red Hat Linux $releasever - $basearch - updates
baseurl=http://download.fedoralegacy.org/redhat/$releasever/updates/$basearch
gpgcheck=1

I can change the updates-released to updates, but what about the legacy-utils? That directory is sorta empty?

From cra at WPI.EDU Tue Oct 12 14:31:22 2004
From: cra at WPI.EDU (Charles R. Anderson)
Date: Tue, 12 Oct 2004 10:31:22 -0400
Subject: typo in your redhat9 yum.conf as posted on website
In-Reply-To: <20041012141512.M19966@mm-vanecek.cc>
References: <200410092214.i99MEHbX024958@motherlode.fsck.no-ip.org> <1097517086.67ab1b53fa4bd@mail.ph.utexas.edu> <20041012141512.M19966@mm-vanecek.cc>
Message-ID: <20041012143122.GD17571@angus.ind.WPI.EDU>

On Tue, Oct 12, 2004 at 09:25:35AM -0500, Mike Vanecek wrote:
> I can change the updates-released to updates, but what about the
> legacy-utils? That directory is sorta empty?

It doesn't really matter what the [name] is, but it might cause a re-download of headers (i.e. the cache is per [name]'d section).

The legacy-utils directory is for things like the official FL yum package, which is waiting to be QA'd here:

https://bugzilla.fedora.us/show_bug.cgi?id=1604

From dom at earth.li Wed Oct 13 17:40:41 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Wed, 13 Oct 2004 18:40:41 +0100
Subject: [FLSA-2004:2102] Updated samba packages fix security vulnerability
Message-ID: <20041013174038.GA6869@home.thedom.org>

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated samba resolves security vulnerabilities
Advisory ID:       FLSA:2102
Issue date:        2004-10-13
Product:           Red Hat Linux
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2102
CVE Names:         CAN-2004-0815
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated samba packages that fix an input validation vulnerability are now available.

Samba provides file and printer sharing services to SMB/CIFS clients.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Karol Wiesek discovered an input validation issue in Samba prior to 3.0.6. An authenticated user could send a carefully crafted request to the Samba server, which would allow access to files outside of the configured file share. Note: Such files would have to be readable by the account used for the connection. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0815 to this issue.

Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.12, which is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs/ for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 2102 - CAN-2004-0815 samba Potential Arbitrary File Access

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/samba-2.2.12-0.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-2.2.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-client-2.2.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-common-2.2.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-swat-2.2.12-0.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/samba-2.2.12-0.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-2.2.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-client-2.2.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-common-2.2.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-swat-2.2.12-0.90.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
664447fbbf1371174b601099d18102023537ecbf 7.3/updates/SRPMS/samba-2.2.12-0.73.2.legacy.src.rpm
ab34e621cdaa5ad567276244eb2ed2234c418890 7.3/updates/i386/samba-2.2.12-0.73.2.legacy.i386.rpm
aaae87969ae3287e432503cee8fbcb83525d020e 7.3/updates/i386/samba-client-2.2.12-0.73.2.legacy.i386.rpm
728d7f6d68dc837fd874ac870e5d2241e2514a6d 7.3/updates/i386/samba-common-2.2.12-0.73.2.legacy.i386.rpm
3cb01bb47a5fa55151637050f01769898b7dc89c 7.3/updates/i386/samba-swat-2.2.12-0.73.2.legacy.i386.rpm
2968358eb51a4342b520f5494a4013643ba73e1b 9/updates/SRPMS/samba-2.2.12-0.90.1.legacy.src.rpm
dcafbbcb96a0848e8b4017bdf1745c275681db35 9/updates/i386/samba-2.2.12-0.90.1.legacy.i386.rpm
e7fe4b9425d535768fc17464f7879dd1f048a8b2 9/updates/i386/samba-client-2.2.12-0.90.1.legacy.i386.rpm
f590e48b6a9ad6841f7ea96070d08c8151ae12d7 9/updates/i386/samba-common-2.2.12-0.90.1.legacy.i386.rpm
75fbf38b5381ee7cf9b91c5723aa8d66f8e92fbc 9/updates/i386/samba-swat-2.2.12-0.90.1.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://us4.samba.org/samba/news/#security_2.2.12
http://rhn.redhat.com/errata/RHSA-2004-498.html

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From sopwith at redhat.com Wed Oct 6 19:51:08 2004
From: sopwith at redhat.com (Elliot Lee)
Date: Wed, 6 Oct 2004 15:51:08 -0400
Subject: Fedora Project Mailing Lists reminder
Message-ID:

This is a reminder of the mailing lists for the Fedora Project, and the purpose of each list. You can view this information at http://fedora.redhat.com/participate/communicate/

When you're using these mailing lists, please take the time to choose the one that is most appropriate to your post. If you don't know the right mailing list to use for a question or discussion, please contact me. This will help you get the best possible answer for your question, and keep other list subscribers happy!

Mailing Lists

Mailing lists are email addresses which send email to all users subscribed to the mailing list. Sending an email to a mailing list reaches all users interested in discussing a specific topic and users available to help other users with the topic.

The following mailing lists are available. To subscribe, send email to <listname>-request at redhat.com (replace <listname> with the desired mailing list name such as fedora-list) with the word subscribe in the subject.

fedora-announce-list - Announcements of changes and events. To stay aware of news, subscribe to this list.

fedora-list - For users of releases. If you want help with a problem installing or using , this is the list for you.

fedora-test-list - For testers of test releases. If you would like to discuss experiences using TEST releases, this is the list for you.

fedora-devel-list - For developers, developers, developers. If you are interested in helping create releases, this is the list for you.

fedora-docs-list - For participants of the docs project

fedora-desktop-list - For discussions about desktop issues such as user interfaces, artwork, and usability

fedora-config-list - For discussions about the development of configuration tools

fedora-legacy-announce - For announcements about the Fedora Legacy Project

fedora-legacy-list - For discussions about the Fedora Legacy Project

fedora-selinux-list - For discussions about the Fedora SELinux Project

fedora-de-list - For discussions about Fedora in the German language

fedora-es-list - For discussions about Fedora in the Spanish language

fedora-ja-list - For discussions about Fedora in the Japanese language

fedora-i18n-list - For discussions about the internationalization of Fedora Core

fedora-trans-list - For discussions about translating the software and documentation associated with the Fedora Project

    German: fedora-trans-de
    French: fedora-trans-fr
    Spanish: fedora-trans-es
    Italian: fedora-trans-it
    Brazilian Portuguese: fedora-trans-pt_br
    Japanese: fedora-trans-ja
    Korean: fedora-trans-ko
    Simplified Chinese: fedora-trans-zh_cn
    Traditional Chinese: fedora-trans-zh_tw

From marcdeslauriers at videotron.ca Wed Oct 13 22:47:50 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 13 Oct 2004 18:47:50 -0400
Subject: [FLSA-2004:1833] Updated lha resolves security vulnerabilities
Message-ID: <1097707670.10558.2.camel@mdlinux>

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated lha resolves security vulnerabilities
Advisory ID:       FLSA:1833
Issue date:        2004-10-13
Product:           Red Hat Linux
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1833
CVE Names:         CAN-2004-0234, CAN-2004-0235, CAN-2004-0694, CAN-2004-0745, CAN-2004-0769, CAN-2004-0771
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated lha packages that fix multiple security vulnerabilities are now available.

LHA is an archiving and compression utility for LHarc format archives.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0234 to this issue. An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0235 to this issue.

Lukasz Wojtow discovered a stack-based buffer overflow in all versions of lha up to and including version 1.14. A carefully created archive could allow an attacker to execute arbitrary code when a victim extracts or tests the archive. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0769 to this issue.

Buffer overflows were discovered in the command line processing of all versions of lha up to and including version 1.14. If a malicious user could trick a victim into passing a specially crafted command line to the lha command, it is possible that arbitrary code could be executed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0771 and CAN-2004-0694 to these issues.

Thomas Biege discovered a shell meta character command execution vulnerability in all versions of lha up to and including 1.14. An attacker could create a directory with shell meta characters in its name which could lead to arbitrary command execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0745 to this issue.

All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1833 - CAN-2004-0694,0745,0769,0771 - Another buffer overflow in LHA
http://bugzilla.fedora.us - 1547 - LHA directory traversal, buffer overflow vulns

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lha-1.14i-4.7.3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lha-1.14i-4.7.3.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lha-1.14i-9.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lha-1.14i-9.4.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
421a0998d84a2b75ebaa0bb334273ce1dad2be88 7.3/updates/i386/lha-1.14i-4.7.3.3.legacy.i386.rpm
aa6033fd436ea908b38b2035f096223f92ed780d 7.3/updates/SRPMS/lha-1.14i-4.7.3.3.legacy.src.rpm
4458d9eec9f7706070f67e0263aab497bced075a 9/updates/i386/lha-1.14i-9.4.legacy.i386.rpm
b1ae50a84ca44b9e515757b6e0363ce5bf53d8ab 9/updates/SRPMS/lha-1.14i-9.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
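
The checksum comparison from section 7 of the advisories, as an added shell example that is not part of the advisory or of Fedora Legacy's tooling: it parses the "SHA1 sum / Package Name" table out of a saved advisory and checks a download directory against it before `rpm -Fvh *.rpm` is run there. The function names and the demo files are constructed for illustration; a matching checksum only shows the file equals the one listed, and `rpm --checksig` remains the check that ties a package to the project's GPG key.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded RPMs against the
# advisory's "SHA1 sum / Package Name" table. Function names are hypothetical.

# sha1_of FILE: print the SHA-1 of FILE with whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'
    fi
}

# extract_table ADVISORY: print "hash basename" for each table row, i.e. a
# line made of a 40-digit hex string followed by a path ending in .rpm.
extract_table() {
    awk 'NF == 2 && length($1) == 40 && $1 ~ /^[0-9a-fA-F]+$/ && $2 ~ /\.rpm$/ {
             n = split($2, part, "/"); print tolower($1), part[n]
         }' "$1"
}

# verify_advisory ADVISORY DIR
# Returns 0 only if every listed package present in DIR matches its checksum
# and DIR holds no .rpm the advisory does not list (a stray file would be
# picked up by "rpm -Fvh *.rpm"). Returns 2 if nothing could be checked.
verify_advisory() {
    table=$(extract_table "$1")
    [ -n "$table" ] || { echo "no checksum table in $1" >&2; return 2; }
    checked=0 bad=0
    # Pass 1: listed packages that were downloaded must match.
    while read -r want name; do
        if [ ! -f "$2/$name" ]; then
            echo "SKIP     $name (not downloaded)"; continue
        fi
        checked=$((checked + 1))
        if [ "$(sha1_of "$2/$name")" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    # Pass 2: anything in DIR that the advisory does not mention is suspect.
    for f in "$2"/*.rpm; do
        [ -f "$f" ] || continue
        base=${f##*/}
        if ! printf '%s\n' "$table" |
             awk -v n="$base" '$2 == n { hit = 1 } END { exit !hit }'; then
            echo "UNLISTED $base"; bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] || { echo "nothing to verify in $2" >&2; return 2; }
    [ "$bad" -eq 0 ]
}

# demo: constructed files and a constructed advisory excerpt, checked once
# intact and once after one file has been modified.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/rpms"
    printf 'constructed payload A\n' > "$work/rpms/example-1.0-1.legacy.i386.rpm"
    printf 'constructed payload B\n' > "$work/rpms/example-devel-1.0-1.legacy.i386.rpm"
    {
        echo "7. Verification:"
        echo "SHA1 sum                                 Package Name"
        for f in "$work"/rpms/*.rpm; do
            echo "$(sha1_of "$f") 7.3/updates/i386/${f##*/}"
        done
        echo "These packages are GPG signed by Fedora Legacy for security."
    } > "$work/advisory.txt"
    clean=0; verify_advisory "$work/advisory.txt" "$work/rpms" || clean=$?
    printf 'x' >> "$work/rpms/example-1.0-1.legacy.i386.rpm"
    tampered=0; verify_advisory "$work/advisory.txt" "$work/rpms" || tampered=$?
    rm -rf "$work"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}
demo
```

Run it against the advisory saved as a text file and the directory holding the downloads; packages listed for a release you did not download are reported as SKIP and do not fail the check.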

From marcdeslauriers at videotron.ca Wed Oct 13 22:49:24 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 13 Oct 2004 18:49:24 -0400
Subject: [FLSA-2004:1737] Updated httpd packages fix a mod_proxy security vulnerability
Message-ID: <1097707764.10558.5.camel@mdlinux>

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated httpd packages fix a mod_proxy security vulnerability
Advisory ID:       FLSA:1737
Issue date:        2004-10-13
Product:           Red Hat Linux
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1737
CVE Names:         CAN-2004-0492
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated httpd packages that fix a security issue in the Apache Web server are now available.

The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A buffer overflow was found in the Apache proxy module, mod_proxy, which can be triggered by receiving an invalid Content-Length header. In order to exploit this issue, an attacker would need an Apache installation that was configured as a proxy to connect to a malicious site. This would cause the Apache child processing the request to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0492 to this issue.

All users of the Apache HTTP Server are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #1737

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-5.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce 7.3/updates/i386/apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9 7.3/updates/i386/apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b 7.3/updates/i386/apache-manual-1.3.27-5.legacy.i386.rpm
e2fadeb9a430a5dbda28076cd850180fbb95c2b8 7.3/updates/SRPMS/apache-1.3.27-5.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://www.apacheweek.com/issues/04-06-11#security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Wed Oct 13 22:51:07 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 13 Oct 2004 18:51:07 -0400
Subject: [FLSA-2004:1888] Updated mod_ssl package fixes Apache security vulnerabilities
Message-ID: <1097707867.10558.8.camel@mdlinux>

-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated mod_ssl package fixes Apache security vulnerabilities
Advisory ID:       FLSA:1888
Issue date:        2004-10-13
Product:           Red Hat Linux
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1888
CVE Names:         CAN-2004-0488 CAN-2004-0700
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated mod_ssl packages that fix minor security issues in the Apache Web server are now available.

The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A stack buffer overflow was discovered in mod_ssl which can be triggered if using the FakeBasicAuth option. If mod_ssl is sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow can occur if FakeBasicAuth has been enabled. In order to exploit this issue the carefully crafted malicious certificate would have to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue.

A format string issue was discovered in mod_ssl for Apache 1.3 which can be triggered if mod_ssl is configured to allow a client to proxy to remote SSL sites. In order to exploit this issue, a user who is authorized to use Apache as a proxy would have to attempt to connect to a carefully crafted hostname via SSL. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0700 to this issue.

All users of the Apache HTTP Server are advised to upgrade to these erratum packages, which contain a backported fix and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #1708
http://bugzilla.fedora.us - bug #1888

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-6.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------
211714e3a8faab1152e76471f1085f3d8ef30400 7.3/updates/i386/mod_ssl-2.8.12-6.legacy.i386.rpm
027bf3500924d4bb58bd8bb0ed452420a0e134bc 7.3/updates/SRPMS/mod_ssl-2.8.12-6.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From dom at earth.li Wed Oct 13 23:27:57 2004
From: dom at earth.li (Dominic Hargreaves) Date: Thu, 14 Oct 2004 00:27:57 +0100 Subject: Round-up, 2004-10-14 Message-ID: <20041013232755.GA9696@home.thedom.org> Hi, Good work, but they just keep on coming... I'd quite like to get the kernel and mozilla out soon - the kernel fixes *loads* of vulnerabilities, some of them ~ 6 months old. The mozilla one is potentially quite high risk. I've ordered the "Packages in state RESOLVED" list in vague order of priority. $Id: issues.txt,v 1.104 2004/10/13 23:24:45 dom Exp $ See bottom for changes This list is also available at http://www-astro.physics.ox.ac.uk/~dom/legacy/issues.txt Packages that have been verified and should be fully released ------------------------------------------------------------- Packages waiting to be built for updates-testing ------------------------------------------------ gdk-pixbuf - https://bugzilla.fedora.us/show_bug.cgi?id=1371 (rh73,superceded) glibc - https://bugzilla.fedora.us/show_bug.cgi?id=1947 (fixed builds) Packages in state RESOLVED (ie exist in updates-testing) that need active work. ------------------------------------------------------------------ kernel - https://bugzilla.fedora.us/show_bug.cgi?id=1804 Needs VERIFY for rh73, and maybe a non-i686 arch rh9? mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=2089 Needs VERIFY [rh9,fc1] cupsomatic - https://bugzilla.fedora.us/show_bug.cgi?id=2076 Needs VERIFY for fc1 tripwire - https://bugzilla.fedora.us/show_bug.cgi?id=1719 Needs VERIFY for rh73 gaim - https://bugzilla.fedora.us/show_bug.cgi?id=1237 Needs 2 VERIFY before release. mailman - https://bugzilla.fedora.us/show_bug.cgi?id=1269 There were some unconfirmed reports of breakage with the candidate. This needs more QA before release. squid - https://bugzilla.fedora.us/show_bug.cgi?id=1732 Needs 1 VERIFY before release (but about to be superceded?) 
abiword - https://bugzilla.fedora.us/show_bug.cgi?id=1906 Needs quick re-VERIFY for rh9 cups - https://bugzilla.fedora.us/show_bug.cgi?id=2072 Needs VERIFY for fc1 Packages in state UNCONFIRMED, NEW, ASSIGNED or REOPENED: -------------------------------------------------------- * readline - https://bugzilla.fedora.us/show_bug.cgi?id=2017 Another not fixed before EOL (rh9). WONTFIX? yum - https://bugzilla.fedora.us/show_bug.cgi?id=1604 Needs 2 PUBLISH libpng - https://bugzilla.fedora.us/show_bug.cgi?id=1943 Need 1 PUBLISH for rh9 gnome vfs - https://bugzilla.fedora.us/show_bug.cgi?id=1944 Needs PUBLISH, especially for rh9 sox - https://bugzilla.fedora.us/show_bug.cgi?id=1945 Needs possible renaming of rh7.3 package qt - https://bugzilla.fedora.us/show_bug.cgi?id=2002 Needs 2 PUBLISH gdk-pixbuf - https://bugzilla.fedora.us/show_bug.cgi?id=2005 Needs 2 PUBLISH mysql - https://bugzilla.fedora.us/show_bug.cgi?id=2006 Needs 2 PUBLISH ruby - https://bugzilla.fedora.us/show_bug.cgi?id=2007 Needs PUBLISH [rh73,rh9,fc1] kdelibs - https://bugzilla.fedora.us/show_bug.cgi?id=2008 Needs 2 PUBLISH mc - https://bugzilla.fedora.us/show_bug.cgi?id=2009 Needs PUBLISH pam_wheel - https://bugzilla.fedora.us/show_bug.cgi?id=2010 Needs PUBLISH and full auditing? 
krb5 - https://bugzilla.fedora.us/show_bug.cgi?id=2040 Needs 1 PUBLISH for rh9 / investigate possible bug introduced imlib - https://bugzilla.fedora.us/show_bug.cgi?id=2051 Needs PUBLISH [rh73,rh9] ImageMagick - https://bugzilla.fedora.us/show_bug.cgi?id=2052 Needs 2 PUBLISH squid - https://bugzilla.fedora.us/show_bug.cgi?id=2053 Needs 2 PUBLISH for rh9, fc1 (superceded) cdrecord - https://bugzilla.fedora.us/show_bug.cgi?id=2058 Needs 2 PUBLISH for rh9 gtk2 - https://bugzilla.fedora.us/show_bug.cgi?id=2073 Needs 2 PUBLISH openoffice - https://bugzilla.fedora.us/show_bug.cgi?id=2074 Needs PUBLISH for rh9 libxpm - https://bugzilla.fedora.us/show_bug.cgi?id=2075 Needs PUBLISH for rh73,rh9 redhat-config-nfs - https://bugzilla.fedora.us/show_bug.cgi?id=2086 Need PUBLISH for rh9 rp-pppoe - https://bugzilla.fedora.us/show_bug.cgi?id=2116 Need PUBLISH for rh73, rh9 cups - https://bugzilla.fedora.us/show_bug.cgi?id=2127 Needs QA [rh9] kernel - https://bugzilla.fedora.us/show_bug.cgi?id=2128 Needs investigation/packages mysql - https://bugzilla.fedora.us/show_bug.cgi?id=2129 Needs investigation/packages gtk2 - https://bugzilla.fedora.us/show_bug.cgi?id=2134 Needs investigation cyrus-sasl - https://bugzilla.fedora.us/show_bug.cgi?id=2137 Needs QA [7.3,9,fc1], work to fix problem introduced lesstiff - https://bugzilla.fedora.us/show_bug.cgi?id=2142 Needs investigation/packages openmotif - https://bugzilla.fedora.us/show_bug.cgi?id=2143 Needs investigation/packages security.conf - https://bugzilla.fedora.us/show_bug.cgi?id=2146 Needs QA [fc1], packages [rh9] httpd - http://bugzilla.fedora.us/show_bug.cgi?id=2148 Needs packages [rh9,fc1] squid - https://bugzilla.fedora.us/show_bug.cgi?id=2150 Needs investigation/packages [rh73,rh9] and QA [fc1] gettext - https://bugzilla.fedora.us/show_bug.cgi?id=2151 Needs investigation/packages sharutils - https://bugzilla.fedora.us/show_bug.cgi?id=2155 Needs investigatio/packages General (non-package bugs) -------------------------- sample 
yum.conf - https://bugzilla.fedora.us/show_bug.cgi?id=2140 FLSA broken - http://bugzilla.fedora.us/show_bug.cgi?id=2147 yum.conf - http://bugzilla.fedora.us/show_bug.cgi?id=2149 Notes ----- Needs PUBLISH means that there are packages available for QA that need to be QAd at the source level. Needs VERIFY means that there are updates-testing packages that need testing. This is the easy bit, let's get these old ones out of the way ASAP. * means that there is a judgement call that can be made on the bug system immediately. Please follow up onlist with opinions. Changes ------- $Log: issues.txt,v $ Revision 1.104 2004/10/13 23:24:45 dom add new bugs Revision 1.103 2004/10/13 17:57:18 dom release samba Revision 1.102 2004/10/13 00:17:37 dom move various to updates queue, update others. Revision 1.101 2004/10/12 00:24:28 dom add squid Revision 1.100 2004/10/11 22:15:38 dom reorder to-VERIFY pile Revision 1.99 2004/10/11 22:11:37 dom add new mod_ssl/httpd problem, and another couple of web site bugs Revision 1.98 2004/10/11 22:00:55 dom updates Revision 1.97 2004/10/10 22:19:22 dom add new bugs Revision 1.96 2004/10/10 21:50:53 dom updates for the weekend Revision 1.95 2004/10/08 15:28:13 dom update Revision 1.94 2004/10/08 12:31:56 dom update kernel, mozilla Revision 1.93 2004/10/08 11:26:55 dom update stuff Revision 1.92 2004/10/08 11:19:34 dom update cupsomatic, mozilla, netpbm Revision 1.91 2004/10/07 22:01:57 dom move lha Revision 1.90 2004/10/07 21:49:00 dom update pppoe. Revision 1.89 2004/10/07 21:25:38 dom add cyrus-sasl Revision 1.88 2004/10/07 17:45:49 dom update many packages. Revision 1.87 2004/10/07 00:20:48 dom add kernel, mysql Revision 1.86 2004/10/06 16:01:15 dom samba still needs rh9 publish Revision 1.85 2004/10/06 11:30:42 dom update abiword, samba, squid -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From sebenste at weather.admin.niu.edu Thu Oct 14 03:37:50 2004 From: sebenste at weather.admin.niu.edu (Gilbert Sebenste) Date: Wed, 13 Oct 2004 22:37:50 -0500 (CDT) Subject: Round-up, 2004-10-14 In-Reply-To: <20041013232755.GA9696@home.thedom.org> References: <20041013232755.GA9696@home.thedom.org> Message-ID: Hi Dominic, > Packages in state RESOLVED (ie exist in updates-testing) that need > active work. > ------------------------------------------------------------------ > > mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=2089 > Needs VERIFY [rh9,fc1] I am using it on FC1. No problems noted. > cups - https://bugzilla.fedora.us/show_bug.cgi?id=2072 > Needs VERIFY for fc1 Ditto here. No problems noted, and I use it heavily on my machine. ******************************************************************************* Gilbert Sebenste ******** (My opinions only!) ****** Staff Meteorologist, Northern Illinois University **** E-mail: sebenste at weather.admin.niu.edu *** web: http://weather.admin.niu.edu ** Work phone: 815-753-5492 * ******************************************************************************* From deisenst at gtw.net Thu Oct 14 11:40:00 2004 
From: deisenst at gtw.net (David Eisenstein) Date: Thu, 14 Oct 2004 06:40:00 -0500 (CDT) Subject: Self Introduction: David Eisenstein Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1. Full name: David D. Eisenstein 1a. IRC Nick : on Freenode IRC 2. Location : St. Louis, Missouri, USA 3. Status : Consultant / Part-time Sysadmin. 4. Company : Self-Employed 5. Goals : Wish to do QA on existing test packages, either source RPMs and/or the updates-testing binaries. Would also like to dip my toes in being a test RPM packager. I have also done some patching on my home Fedora Core of some annoying errors (for example, an error in the libgtkhtml-2.4.0 that prevented GnoCHM from operating properly, adapting patches by the authors from their CVS tree to Fedora Core 1's version of libgtkhtml). OS Version: Fedora Core 1. Do QA?: Yes, I want to do QA. 6. History/Qualifications : Other projects: This is my first open-source project. Languages/skills: o Know how to read and debug C; but not a lot of experience writing programs from scratch. o BASH shell scripting o HTML o Know my way around spec & patch files; have upgraded and patched SRPMs. o Have used Linux since 1995 - Slackware 3 or so. 7. GPG KEYID & Fingerprint: $ gpg --fingerprint F8FD5D9C pub 1024D/F8FD5D9C 2002-06-11 Dave Eisenstein Key fingerprint = AC9A 4E8B DDB6 13A6 68C2 E4E2 C68B B557 F8FD 5D9C uid Dave Eisenstein sub 2048g/3D471C7C 2002-06-11 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBbmWbxou1V/j9XZwRAu5KAKDjM7hVdA61H2tjQG3rh8pDLE2xBgCguOBZ 4e9XglrAiCmh0ePH/si+hRk= =G0ch -----END PGP SIGNATURE----- From dom at earth.li Thu Oct 14 12:57:17 2004
From: dom at earth.li (Dominic Hargreaves) Date: Thu, 14 Oct 2004 13:57:17 +0100 Subject: Round-up, 2004-10-14 In-Reply-To: References: <20041013232755.GA9696@home.thedom.org> Message-ID: <20041014125717.GZ15895@tirian.magd.ox.ac.uk> On Wed, Oct 13, 2004 at 10:37:50PM -0500, Gilbert Sebenste wrote: > > Needs VERIFY [rh9,fc1] > > I am using it on FC1. No problems noted. > > > cups - https://bugzilla.fedora.us/show_bug.cgi?id=2072 > > Needs VERIFY for fc1 > > Ditto here. No problems noted, and I use it heavily on my machine. Hi, Thanks for that report. If you can, could you put PGP-signed bugzilla comments in with the sha1sums of the files you have tested? Cheers, Dominic. From deisenst at gtw.net Thu Oct 14 13:28:54 2004 
From: deisenst at gtw.net (David Eisenstein) Date: Thu, 14 Oct 2004 08:28:54 -0500 (CDT) Subject: test cases? Re: Fedora Legacy Test Update Notification: mozilla In-Reply-To: <20041008085843.GA13517@home.thedom.org> Message-ID: On Fri, 8 Oct 2004, Dominic Hargreaves wrote: > --------------------------------------------------------------------- > Fedora Test Update Notification > FEDORALEGACY-2004-2089 > Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2089 > 2004-10-08 > --------------------------------------------------------------------- > > Name : mozilla > Version (7.3) : 1.4.3-0.7.1.legacy > Version (9) : 1.4.3-0.9.1.legacy > Version (fc1) : 1.4.3-1.fc1.1.legacy ^^^^^^^^^^^^^^^^^^^^ <> Hello Dominic and everyone, You wrote yesterday concerning getting the Mozilla packages QA'ed. I agree. I run FC1 & have been running Rob Myers' compiled packages (listed at since before they were pushed to updates-testing. I have downloaded and installed now from updates-testing all the pieces for the Fedora Core 1 version of the Mozilla 1.4.3-1.fc.1.legacy RPM's. So far everything is working fairly well. Very soon I will be satisfied & put in a +VERIFY vote on Bugzilla #2089, if that's okay. Question: As part of the QA for Mozilla, would it be a good idea to make sure the vulnerabilities are no longer vulnerable? That is, find test cases that test the vulnerabilities and make sure they have no effect on the programs in updates-testing? If so, any suggestions about how to go about finding such test cases on the Internet? -David Eisenstein From sebenste at weather.admin.niu.edu Thu Oct 14 15:18:34 2004 
From: sebenste at weather.admin.niu.edu (Gilbert Sebenste) Date: Thu, 14 Oct 2004 10:18:34 -0500 (CDT) Subject: Round-up, 2004-10-14 In-Reply-To: <20041014125717.GZ15895@tirian.magd.ox.ac.uk> References: <20041013232755.GA9696@home.thedom.org> <20041014125717.GZ15895@tirian.magd.ox.ac.uk> Message-ID: On Thu, 14 Oct 2004, Dominic Hargreaves wrote: > On Wed, Oct 13, 2004 at 10:37:50PM -0500, Gilbert Sebenste wrote: > > > > Needs VERIFY [rh9,fc1] > > > > I am using it on FC1. No problems noted. > > > > > cups - https://bugzilla.fedora.us/show_bug.cgi?id=2072 > > > Needs VERIFY for fc1 > > > > Ditto here. No problems noted, and I use it heavily on my machine. > > Hi, > > Thanks for that report. If you can, could you put PGP-signed bugzilla > comments in with the sha1sums of the files you have tested? Well, I don't know how to. I guess I need to clarify test. I did a yum update on those packages, and then made sure they worked by going to various "difficult" web sites that are either very code intensive or are deemed "Internet Explorer" favored sites; and then with cups, I print jobs through cron as well as on-demand through scripts, and more. What's a shalsum? ******************************************************************************* Gilbert Sebenste ******** (My opinions only!) ****** Staff Meteorologist, Northern Illinois University **** E-mail: sebenste at weather.admin.niu.edu *** web: http://weather.admin.niu.edu ** Work phone: 815-753-5492 * ******************************************************************************* From bdm at fenrir.org.uk Thu Oct 14 16:08:01 2004 
From: bdm at fenrir.org.uk (Brian Morrison) Date: Thu, 14 Oct 2004 17:08:01 +0100 Subject: Round-up, 2004-10-14 In-Reply-To: References: <20041013232755.GA9696@home.thedom.org> <20041014125717.GZ15895@tirian.magd.ox.ac.uk> Message-ID: <20041014170801.39aeeae9@ickx.fenrir.org.uk> On Thu, 14 Oct 2004 10:18:34 -0500 (CDT) in Pine.LNX.4.58.0410141013060.28830 at weather.admin.niu.edu Gilbert Sebenste wrote: > What's a shalsum? A hash value of a file's contents produced using the sha1sum program that is part of the coreutils package on rpm-based systems. SHA stands for secure hash algorithm, in this case SHA1 is a variant of it that produces a hash length of 160 bits. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From peak at argo.troja.mff.cuni.cz Thu Oct 14 21:12:41 2004 From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky) Date: Thu, 14 Oct 2004 23:12:41 +0200 (MET DST) Subject: test cases? Re: Fedora Legacy Test Update Notification: mozilla In-Reply-To: Message-ID: <20041014230805.5B23.0@argo.troja.mff.cuni.cz> On Thu, 14 Oct 2004, David Eisenstein wrote: > Question: As part of the QA for Mozilla, would it be a good idea to make > sure the vulnerabilities are no longer vulnerable? That is, find test > cases that test the vulnerabilities and make sure they have no effect on > the programs in updates-testing? If so, any suggestions about how to go > about finding such test cases on the Internet? Test cases for Mozilla bugs can often be found in Mozilla's own Bugzilla. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." From dom at earth.li Thu Oct 14 23:20:06 2004 
From: dom at earth.li (Dominic Hargreaves) Date: Fri, 15 Oct 2004 00:20:06 +0100 Subject: [FLSA-2004:2102] Updated samba packages fix security vulnerability [updated] Message-ID: <20041014232002.GA17657@home.thedom.org> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated samba resolves security vulnerabilities Advisory ID: FLSA:2102 Issue date: 2004-10-14 Product: Red Hat Linux Keywords: Security Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2102 CVE Names: CAN-2004-0686, CAN-2004-0815 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: [Updated 14th October to correct broken packages and document further fixes] Updated samba packages that fix an input validation vulnerability are now available. Samba provides file and printer sharing services to SMB/CIFS clients. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 3. Problem description: The Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0686 to this issue. Karol Wiesek discovered an input validation issue in Samba prior to 3.0.6. An authenticated user could send a carefully crafted request to the Samba server, which would allow access to files outside of the configured file share. Note: Such files would have to be readable by the account used for the connection. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0815 to this issue. Users of Samba should upgrade to these updated packages, which contain an upgrade to Samba-2.2.12, which is not vulnerable to these issues. 
A previous version of this advisory referred to packages which had been incorrectly built to not include some of the optional features which were previously enabled. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs/ for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - 2102 - CAN-2004-0815 samba Potential Arbitrary File Access 6. 
RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/samba-2.2.12-0.73.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-2.2.12-0.73.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-client-2.2.12-0.73.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-common-2.2.12-0.73.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-swat-2.2.12-0.73.3.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/samba-2.2.12-0.90.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/samba-2.2.12-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/samba-client-2.2.12-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/samba-common-2.2.12-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/samba-swat-2.2.12-0.90.2.legacy.i386.rpm 7. 
Verification: SHA1 sum Package Name --------------------------------------------------------------------------- 780ea2a7d636d4cfee6a9c8c8b5bfe6af81ad82e 7.3/updates/SRPMS/samba-2.2.12-0.73.3.legacy.src.rpm c140b41cba68e46f3c90a2079aa7f6ea8b521ebd 7.3/updates/i386/samba-2.2.12-0.73.3.legacy.i386.rpm dd63b4ad6c403a047bae4bbe81dfd75f48f01f08 7.3/updates/i386/samba-client-2.2.12-0.73.3.legacy.i386.rpm 2f892a49daf3c697cdb02fc16de2a2fc81aa04f3 7.3/updates/i386/samba-common-2.2.12-0.73.3.legacy.i386.rpm ee604ea7806346255eb3c6b92e1a838e81454ca3 7.3/updates/i386/samba-swat-2.2.12-0.73.3.legacy.i386.rpm 2097a23c4ff2da4582423bd800784defe58d47ad 9/updates/SRPMS/samba-2.2.12-0.90.2.legacy.src.rpm f0e57bd0d503fc74336130229bbed573adb60ea5 9/updates/i386/samba-2.2.12-0.90.2.legacy.i386.rpm 96a623119fef8df0e76aef3ea486632eab8b4c2c 9/updates/i386/samba-client-2.2.12-0.90.2.legacy.i386.rpm d402939d7c87738c55494c8b4c0ad0e220add666 9/updates/i386/samba-common-2.2.12-0.90.2.legacy.i386.rpm 2f87ec8bbd4bdf3362c9c4906b4b09ffb4ec274e 9/updates/i386/samba-swat-2.2.12-0.90.2.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://us4.samba.org/samba/news/#security_2.2.12 http://rhn.redhat.com/errata/RHSA-2004-498.html 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- From Oisin.Curtin at PhoenixFltOps.com Fri Oct 15 23:00:02 2004
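The sha1sum check described in the advisory's Verification section, and the per-file sha1sums Dominic asks testers to report, can be scripted. This is an added example, not part of the original messages or of Fedora Legacy's tooling; the function names and the files built in demo() are constructed for illustration. It goes slightly beyond the advisory by also accepting a list that an archive has run together onto one line.

```shell
#!/bin/sh
# Added example: check downloaded packages against the "SHA1 sum / Package
# Name" list of an advisory. File names and sums in demo() are constructed.

# sha1_of FILE: print the lowercase hex SHA-1 digest of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'   # fallback where coreutils is absent
    fi
}

# advisory_pairs LISTFILE: print "sha1 path" for every 40-hex-digit token that
# is followed by another token. Works with one entry per line and with text
# run together onto a single line; headers and rules are skipped.
advisory_pairs() {
    awk '{
        for (i = 1; i < NF; i++)
            if (length($i) == 40 && $i ~ /^[0-9A-Fa-f]+$/)
                print tolower($i), $(i + 1)
    }' "$1"
}

# verify_advisory LISTFILE DIR: compare each listed sum with DIR/<basename>.
# Prints one status line per entry. Returns 0 only if every entry is OK,
# 1 on any MISSING or MISMATCH, 2 if the list held no entries at all
# (so an empty or mangled list is never reported as a pass).
verify_advisory() {
    advisory_pairs "$1" | (
        dir=$2 rc=0 n=0
        while read -r want path; do
            n=$((n + 1))
            name=${path##*/}
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING  $name"; rc=1
            elif [ "$(sha1_of "$dir/$name")" = "$want" ]; then
                echo "OK       $name"
            else
                echo "MISMATCH $name"; rc=1
            fi
        done
        [ "$n" -gt 0 ] || { echo "no checksum entries found" >&2; rc=2; }
        exit "$rc"
    )
}

# demo: build three constructed cases (intact, altered, absent) and check them.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'abc' > "$tmp/demo-good-1.0-1.legacy.i386.rpm"
    printf 'tampered' > "$tmp/demo-bad-1.0-1.legacy.i386.rpm"
    # Constructed list, written on one line the way the archive shows it.
    {
        printf '%s ' 'SHA1 sum Package Name' '-----' \
            a9993e364706816aba3e25717850c26c9cd0d89d \
            7.3/updates/i386/demo-good-1.0-1.legacy.i386.rpm \
            da39a3ee5e6b4b0d3255bfef95601890afd80709 \
            7.3/updates/i386/demo-bad-1.0-1.legacy.i386.rpm \
            da39a3ee5e6b4b0d3255bfef95601890afd80709 \
            7.3/updates/SRPMS/demo-absent-1.0-1.legacy.src.rpm
        echo
    } > "$tmp/sums.txt"
    verify_advisory "$tmp/sums.txt" "$tmp" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}

# With two arguments, check a real list; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then
    verify_advisory "$1" "$2"
else
    demo || true
fi
```

A matching sum only shows that the file is the one the list describes, so take the list from an advisory whose PGP signature you have verified, and keep `rpm --checksig -v` as the check of the package's own GPG signature.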
From: Oisin.Curtin at PhoenixFltOps.com (Oisin Curtin) Date: Fri, 15 Oct 2004 19:00:02 -0400 Subject: What gives with joining the list???? Message-ID: <41705672.90609@PhoenixFltOps.com> I've been trying for months to join the list from the Red Hat page: http://www.redhat.com/mailman/listinfo/fedora-legacy-list Nothing happens. Is it a closed list? Is the list software barfing the dot in my user name? Am I punished for squishing harmless spiders that frightened Miss Muffet? -- Oisin "If it weren't for bad luck..." Curtin From jkeating at j2solutions.net Fri Oct 15 23:16:34 2004 From: jkeating at j2solutions.net (Jesse Keating) Date: Fri, 15 Oct 2004 16:16:34 -0700 Subject: What gives with joining the list???? In-Reply-To: <41705672.90609@PhoenixFltOps.com> References: <41705672.90609@PhoenixFltOps.com> Message-ID: <200410151616.37495.jkeating@j2solutions.net> On Friday 15 October 2004 16:00, Oisin Curtin wrote: > I've been trying for months to join the list from the Red Hat page: > > http://www.redhat.com/mailman/listinfo/fedora-legacy-list > > Nothing happens. Is it a closed list? Is the list software barfing > the dot in my user name? Am I punished for squishing harmless > spiders that frightened Miss Muffet? I do not know why you're having trouble, however I have manually subscribed you to this list. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature URL: From andre.krajnik at sinius.com Sat Oct 16 17:02:55 2004 
From: andre.krajnik at sinius.com (Andre Krajnik) Date: Sat, 16 Oct 2004 19:02:55 +0200 Subject: Andre Krajnik ist =?iso-8859-15?q?au=DFer_Haus=2E?= Message-ID: Ich werde ab 16.10.2004 nicht im B?ro sein. Ich kehre zur?ck am 04.11.2004. Ich werde Ihre Nachricht nach meiner R?ckkehr beantworten. In dringenden F?llen wenden Sie sich bitte an Stefan Hoenig 0211/6101-2109 -------------- next part -------------- An HTML attachment was scrubbed... URL: From jkeating at j2solutions.net Sat Oct 16 17:48:50 2004 From: jkeating at j2solutions.net (Jesse Keating) Date: Sat, 16 Oct 2004 10:48:50 -0700 Subject: Andre Krajnik ist =?iso-8859-1?q?au=DFer?= Haus. In-Reply-To: References: Message-ID: <200410161048.50380.jkeating@j2solutions.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 16 October 2004 10:02, Andre Krajnik wrote: > Ich werde ab ?16.10.2004 nicht im B?ro sein. Ich kehre zur?ck am > 04.11.2004. > > Ich werde Ihre Nachricht nach meiner R?ckkehr beantworten. In dringenden > F?llen wenden Sie sich bitte an Stefan Hoenig ?0211/6101-2109 This memeber is now moderated. Can somebody translate this and see if it's spam or not? - -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBcV8C4v2HLvE71NURAoW0AJ0VDkfeG9JYIyWKfRQD7Q8lPLlqFACgkT1r ZrlyMHMA/8KN7GB8qJJAd8w= =QnDL -----END PGP SIGNATURE----- From davej at redhat.com Sat Oct 16 17:47:54 2004 
From: davej at redhat.com (Dave Jones) Date: Sat, 16 Oct 2004 13:47:54 -0400 Subject: Andre Krajnik ist =?iso-8859-1?q?au=DFer?= Haus. In-Reply-To: <200410161048.50380.jkeating@j2solutions.net> References: <200410161048.50380.jkeating@j2solutions.net> Message-ID: <20041016174754.GB15431@redhat.com> On Sat, Oct 16, 2004 at 10:48:50AM -0700, Jesse Keating wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Saturday 16 October 2004 10:02, Andre Krajnik wrote: > > Ich werde ab ?16.10.2004 nicht im B?ro sein. Ich kehre zur?ck am > > 04.11.2004. > > > > Ich werde Ihre Nachricht nach meiner R?ckkehr beantworten. In dringenden > > F?llen wenden Sie sich bitte an Stefan Hoenig ?0211/6101-2109 > > This memeber is now moderated. Can somebody translate this and see if it's > spam or not? German autoresponder. Babelfish does a pretty good job btw.. "I will not be starting from 16.10.2004 in the office. I turn back to 04.11.2004. I will answer your message after my return. In urgent cases you contact please Stefan Hoenig 0211/6101 2109" Dave From alexander.dalloz at uni-bielefeld.de Sat Oct 16 17:52:34 2004 
From: alexander.dalloz at uni-bielefeld.de (Alexander Dalloz) Date: Sat, 16 Oct 2004 19:52:34 +0200 Subject: Andre Krajnik ist =?iso-8859-1?q?au=DFer?= Haus. In-Reply-To: <200410161048.50380.jkeating@j2solutions.net> References: <200410161048.50380.jkeating@j2solutions.net> Message-ID: <1097949154.28676.3.camel@serendipity.dogma.lan> Am Sa, den 16.10.2004 schrieb Jesse Keating um 19:48: > On Saturday 16 October 2004 10:02, Andre Krajnik wrote: > > Ich werde ab 16.10.2004 nicht im B?ro sein. Ich kehre zur?ck am > > 04.11.2004. > > > > Ich werde Ihre Nachricht nach meiner R?ckkehr beantworten. In dringenden > > F?llen wenden Sie sich bitte an Stefan Hoenig 0211/6101-2109 > > This memeber is now moderated. Can somebody translate this and see if it's > spam or not? > Jesse Keating RHCE (http://geek.j2solutions.net) Hi Jesse, this is a vacation message in German language: "I will be out of office from Oct. 16th 2004 on. I will be back on Oct. 4th 2004. I will answer your message when I am back. In urgent cases please call Stefan Hoenig at phone number 0211/6101-2109." It is spam in the sense of someone using a vacation tool which does not care for header tags like "Precedence: junk". Alexander -- Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13 Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp Serendipity 19:48:41 up 2 days, 15:00, load average: 0.74, 0.28, 0.19 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Dies ist ein digital signierter Nachrichtenteil URL: From jkeating at j2solutions.net Sat Oct 16 18:09:04 2004 
From: jkeating at j2solutions.net (Jesse Keating) Date: Sat, 16 Oct 2004 11:09:04 -0700 Subject: Andre Krajnik ist =?iso-8859-1?q?au=DFer?= Haus. In-Reply-To: <1097949154.28676.3.camel@serendipity.dogma.lan> References: <200410161048.50380.jkeating@j2solutions.net> <1097949154.28676.3.camel@serendipity.dogma.lan> Message-ID: <200410161109.04060.jkeating@j2solutions.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 16 October 2004 10:52, Alexander Dalloz wrote: > Hi Jesse, > > this is a vacation message in German language: > > "I will be out of office from Oct. 16th 2004 on. I will be back on Oct. > 4th 2004. > > I will answer your message when I am back. In urgent cases please call > Stefan Hoenig at phone number 0211/6101-2109." > > It is spam in the sense of someone using a vacation tool which does not > care for header tags like "Precedence: ?junk". Ok, thanks guys. I'll leave him on moderate until he gets back from vacation. - -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBcWPA4v2HLvE71NURAvO1AKCYtBU/BNk312sefR+vHLixLW0WMQCghJbZ R0aEVWk/UrMxHKB7hRzoW3Q= =/oz+ -----END PGP SIGNATURE----- From marcdeslauriers at videotron.ca Sat Oct 16 18:01:27 2004 
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Oct 2004 14:01:27 -0400 Subject: [FLSA-2004:2072] Updated CUPS packages fix security vulnerability Message-ID: <1097949686.32657.1.camel@mdlinux> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated CUPS packages fix security vulnerability Advisory ID: FLSA:2072 Issue date: 2004-10-16 Product: Red Hat Linux, Fedora Core Keywords: Bugfix Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2072 CVE Names: CAN-2004-0558 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: Updated cups packages that fix a denial of service vulnerability are now available. The Common UNIX Printing System (CUPS) is a print spooler. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Alvaro Martinez Echevarria reported a bug in the CUPS Internet Printing Protocol (IPP) implementation in versions of CUPS prior to 1.1.21. An attacker could send a carefully crafted UDP packet to the IPP port which could cause CUPS to stop listening to the port and result in a denial of service. In order to exploit this bug, an attacker would need to have the ability to send a UDP packet to the IPP port (by default 631). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0558 to this issue. All users of cups should upgrade to these updated packages, which contain a backported patch as well as a fix for a non-exploitable off-by-one bug. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. 
Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - 2072 - CAN-2004-0558 - CUPS denial of service 6. RPMs required: Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cups-1.1.17-13.3.0.6.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/cups-1.1.17-13.3.0.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/cups-devel-1.1.17-13.3.0.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/cups-libs-1.1.17-13.3.0.6.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cups-1.1.19-13.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/cups-1.1.19-13.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/cups-devel-1.1.19-13.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/cups-libs-1.1.19-13.2.legacy.i386.rpm 7.
Verification: SHA1 sum Package Name --------------------------------------------------------------------------- dc9e67863c6ed358eca94f36f04c2549be49bee7 redhat/9/updates/i386/cups-1.1.17-13.3.0.6.legacy.i386.rpm fc7fd1c2c7ad79e2c419b5440e6b0e0a88b2e276 redhat/9/updates/i386/cups-devel-1.1.17-13.3.0.6.legacy.i386.rpm 39f6b741f82f6e566351d15f7ec384f0cde9a17e redhat/9/updates/i386/cups-libs-1.1.17-13.3.0.6.legacy.i386.rpm ff063b1392b2841153d5dc234c5f3ed6d54d63e4 redhat/9/updates/SRPMS/cups-1.1.17-13.3.0.6.legacy.src.rpm e7684dfcd7142714848be20e318e5c58aed2b481 fedora/1/updates/i386/cups-1.1.19-13.2.legacy.i386.rpm 8dbb4ea34d20de5b70e1672e60794fcfe5021f4b fedora/1/updates/i386/cups-devel-1.1.19-13.2.legacy.i386.rpm 369439d5c253a361ffd64f892efc448c62d54e94 fedora/1/updates/i386/cups-libs-1.1.19-13.2.legacy.i386.rpm 8b69b1f1c661a5c75dfadcfb85a19fd712e5f904 fedora/1/updates/SRPMS/cups-1.1.19-13.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558 http://www.cups.org/str.php?L863 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- From marcdeslauriers at videotron.ca Sat Oct 16 18:02:36 2004
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Oct 2004 14:02:36 -0400 Subject: [FLSA-2004:1237] Updated gaim package resolves security issues Message-ID: <1097949755.32657.3.camel@mdlinux> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated gaim package resolves security issues Advisory ID: FLSA:1237 Issue date: 2004-10-16 Product: Red Hat Linux Keywords: Bugfix Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1237 CVE Names: CAN-2004-0006 CAN-2004-0007 CAN-2004-0008 CAN-2004-0500 CAN-2004-0754 CAN-2004-0784 CAN-2004-0785 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: An updated gaim package that fixes several security issues is now available. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 3. Problem description: Issues fixed with this gaim release include: Multiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0006 to these issues. A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0007 to this issue. An integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0008 to this issue. Buffer overflow bugs were found in the Gaim MSN protocol handler. 
In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0500 to this issue. An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to this issue. A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0784 to this issue. Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0785 to this issue. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82.1 and is not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - bug #1237 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gaim-0.82.1-0.90.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/gaim-0.82.1-0.90.3.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------------- cda084b78e263bb725ad92fdef0fc4b329b705d5 7.3/updates/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm e28d0c278324c7a508af7a30565cc5741b7ec4f0 7.3/updates/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm 958a8c9d2077ae068af20c282e69e64ec8f1a4e7 9/updates/i386/gaim-0.82.1-0.90.3.legacy.i386.rpm 211c4e944d0b1178e53f0f1dd8bd303eeee1a6cf 9/updates/SRPMS/gaim-0.82.1-0.90.3.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. 
Our key is available from http://www.fedoralegacy org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://security.e-matters.de/advisories/012004.html http://gaim.sourceforge.net/security/index.php?id=0 http://gaim.sourceforge.net/security/index.php?id=1 http://gaim.sourceforge.net/security/index.php?id=2 http://gaim.sourceforge.net/security/index.php?id=3 http://gaim.sourceforge.net/security/index.php?id=4 http://gaim.sourceforge.net/security/index.php?id=5 http://gaim.sourceforge.net/security/index.php?id=6 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From marcdeslauriers at videotron.ca Sat Oct 16 22:01:58 2004 
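The SHA1 check described in section 7 of the gaim advisory above, as an added example that is not part of the advisory or of Fedora Legacy's tooling. It assumes the "SHA1 sum / Package Name" table has been saved to a text file; the function name verify_manifest and all demo file names are hypothetical, and the demo files are constructed stand-ins rather than real packages.

```shell
#!/bin/sh
# Added example, not Fedora Legacy code. Checks downloaded RPMs against an
# advisory's "SHA1 sum / Package Name" table saved to a text file.
# Assumed (hypothetical) names: verify_manifest, and all demo file names.

# verify_manifest MANIFEST DIR
# Prints OK / MISMATCH / MISSING per listed package. Returns 0 only when at
# least one entry was parsed and every entry matched.
verify_manifest() {
    vm_manifest=$1
    vm_dir=$2
    vm_checked=0
    vm_failed=0

    # The "|| [ -n ... ]" keeps a final row that lacks a trailing newline.
    while read -r vm_sum vm_path vm_rest || [ -n "$vm_sum" ]; do
        # Only rows whose first field is 40 lowercase hex digits are entries;
        # this skips the table header, the dashed rule and blank lines.
        case $vm_sum in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#vm_sum}" -eq 40 ] || continue
        [ -n "$vm_path" ] || continue

        # The table lists repository-relative paths (7.3/updates/i386/...);
        # downloaded files are looked up by base name inside DIR.
        vm_name=${vm_path##*/}
        vm_checked=$((vm_checked + 1))

        if [ ! -f "$vm_dir/$vm_name" ]; then
            echo "MISSING  $vm_name"
            vm_failed=$((vm_failed + 1))
            continue
        fi

        vm_actual=$(sha1sum "$vm_dir/$vm_name" | cut -d' ' -f1)
        if [ "$vm_actual" = "$vm_sum" ]; then
            echo "OK       $vm_name"
        else
            echo "MISMATCH $vm_name"
            vm_failed=$((vm_failed + 1))
        fi
    done < "$vm_manifest"

    # An empty or unparsable table must not be reported as success.
    [ "$vm_checked" -gt 0 ] && [ "$vm_failed" -eq 0 ]
}

# Demo on constructed files (stand-ins, not real packages).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed payload one\n' > "$d/demo-1.0-1.legacy.i386.rpm"
    printf 'constructed payload two\n' > "$d/demo-1.0-1.legacy.src.rpm"
    good=$(sha1sum "$d/demo-1.0-1.legacy.i386.rpm" | cut -d' ' -f1)
    {
        echo "SHA1 sum                                 Package Name"
        echo "-----------------------------------------------------"
        echo "$good 7.3/updates/i386/demo-1.0-1.legacy.i386.rpm"
        # Constructed wrong digest: this row must be reported as MISMATCH.
        echo "0000000000000000000000000000000000000000 7.3/updates/SRPMS/demo-1.0-1.legacy.src.rpm"
    } > "$d/advisory-table.txt"
    verify_manifest "$d/advisory-table.txt" "$d" || echo "verification FAILED"
    rm -rf "$d"
}
demo
```

The SHA1 comparison is only as trustworthy as the copy of the advisory the table was taken from; the `rpm --checksig -v` check named in the advisory is the step that verifies a package's GPG signature against the Fedora Legacy key.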
From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Oct 2004 18:01:58 -0400 Subject: Fedora Legacy Test Update Notification: glibc Message-ID: <1097964118.1333.0.camel@mdlinux> This test release adds the missing i686 packages and language files. Please test and add comment to bugzilla. --------------------------------------------------------------------- Fedora Test Update Notification FEDORALEGACY-2004-1947 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1947 2004-10-16 --------------------------------------------------------------------- Name : glibc Version : 2.2.5-44.legacy.3 Summary : The GNU libc libraries. Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. --------------------------------------------------------------------- Update Information: A security audit of glibc revealed a flaw in the resolver library which was originally reported as affecting versions of ISC BIND 4.9. This flaw also applied to glibc versions before 2.3.2. An attacker who is able to send DNS responses (perhaps by creating a malicious DNS server) could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0029 to this issue. 
---------------------------------------------------------------------
Changelog:

* Wed Oct 13 2004 Marc Deslauriers 2.2.4-44.legacy.3
- Added texinfo and gettext BuildPreReq

* Thu Aug 12 2004 Dave Botsch
- Added legacy keyword
- Fix CAN-2002-0029 (getnetby{name,addr} buffer overflow)
- Uses Michal Jaegermann's rediffed patch from AS2.1

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/redhat/

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.

---------------------------------------------------------------------

From grant at davies.id.au Sun Oct 17 07:28:01 2004
From: grant at davies.id.au (Grant Davies)
Date: Sun, 17 Oct 2004 17:28:01 +1000
Subject: ImageMagick
Message-ID: <200410170728.i9H7SoAY015778@mx3.redhat.com>

Hi there,

Wondering why a newer version of ImageMagick is not available for RH 7.3:

http://www.imagemagick.net/download/linux/redhat-7.x/i386/ImageMagick-5.5.7-10.i386.rpm

I can only get Ver. 5.4 using yum and the newer version has some handy options.

Kindest Regards
Grant Davies

From dom at earth.li Sun Oct 17 12:58:42 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Sun, 17 Oct 2004 13:58:42 +0100
Subject: ImageMagick
In-Reply-To: <200410170728.i9H7SoAY015778@mx3.redhat.com>
References: <200410170728.i9H7SoAY015778@mx3.redhat.com>
Message-ID: <20041017125842.GN15895@tirian.magd.ox.ac.uk>

On Sun, Oct 17, 2004 at 05:28:01PM +1000, Grant Davies wrote:

> Wondering why a newer version of ImageMagick is not available for RH 7.3:

> I can only get Ver. 5.4 using yum and the newer version has some handy
> options.

Hi,

The Fedora Legacy project doesn't have the resources, or aim, to release packages for new features; it is for the maintenance of a stable platform (ie security and major bugfixes only). Your best bet will be to look at repackaging the fedora core packages, or find someone who has already done this.

Cheers,

Dominic.

From gregt at maths.otago.ac.nz Mon Oct 18 00:41:57 2004
From: gregt at maths.otago.ac.nz (Greg Trounson) Date: Mon, 18 Oct 2004 13:41:57 +1300 Subject: Updates for RedHat 9? Message-ID: <41731155.3080807@maths.otago.ac.nz> Gidday, I'm wondering when two bug fixes are going to be applied to Redhat 9. In particular, kworldclock (a part of kdetoys) has a serious bug[1], and Tux Racer has been compiled with no sound[2]. It would appear that fixes have been available for some time, yet neither kdetoys or tuxracer have had any updates since the release of RH9 in 2003. Is there some other reason these fixes haven't been applied to the Fedora Legacy project? thanks, Greg [1]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88143 [2]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=85466 From skvidal at phy.duke.edu Mon Oct 18 00:43:43 2004 
From: skvidal at phy.duke.edu (seth vidal) Date: Sun, 17 Oct 2004 20:43:43 -0400 Subject: Updates for RedHat 9? In-Reply-To: <41731155.3080807@maths.otago.ac.nz> References: <41731155.3080807@maths.otago.ac.nz> Message-ID: <1098060223.23856.1.camel@binkley> On Mon, 2004-10-18 at 13:41 +1300, Greg Trounson wrote: > Gidday, > > I'm wondering when two bug fixes are going to be applied to Redhat 9. > > In particular, kworldclock (a part of kdetoys) has a serious bug[1], and > Tux Racer has been compiled with no sound[2]. > > It would appear that fixes have been available for some time, yet > neither kdetoys or tuxracer have had any updates since the release of > RH9 in 2003. Is there some other reason these fixes haven't been > applied to the Fedora Legacy project? > > thanks, > Greg > > [1]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88143 > [2]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=85466 > [1] is a non-security bug in a minor application - I doubt it will ever get patched by fedora legacy. [2] Is a problem with sound in tuxracer that has no effect on security at all. Neither of these will be fixed, You should just upgrade to one of the fedora core releases. -sv From drees at greenhydrant.com Mon Oct 18 00:55:52 2004 
From: drees at greenhydrant.com (David Rees) Date: Sun, 17 Oct 2004 17:55:52 -0700 Subject: Updates for RedHat 9? In-Reply-To: <1098060223.23856.1.camel@binkley> References: <41731155.3080807@maths.otago.ac.nz> <1098060223.23856.1.camel@binkley> Message-ID: <41731498.7020303@greenhydrant.com> seth vidal wrote, On 10/17/2004 5:43 PM: >> >>[1]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88143 >>[2]: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=85466 > > [1] is a non-security bug in a minor application - I doubt it will ever > get patched by fedora legacy. > > [2] Is a problem with sound in tuxracer that has no effect on security > at all. > > Neither of these will be fixed, You should just upgrade to one of the > fedora core releases. Reading between the lines of what Seth wrote, the primary goal of the Fedora Legacy project is to provide security and critical bug fix updates for packages and not to provide bug fixes and application upgrades. See the project home page for more information. -Dave From byte at aeon.com.my Mon Oct 18 13:07:25 2004 From: byte at aeon.com.my (Colin Charles) Date: Mon, 18 Oct 2004 23:07:25 +1000 Subject: Website: updates-testing changes Message-ID: <1098101497.18799.22.camel@albus.aeon.com.my> Patch for the yum-testing.php file - we need to change that, if people are yum testing for FC1 updates-testing Also, I notice the website is in CVS... Err, its non anonymous, so I can't check it out with a valid password (doh!), so hope the patch below applies easily diff -urN yum-testing.php~ yum-testing.php --- yum-testing.php~ 2004-10-18 21:52:48.000000000 +1000 +++ yum-testing.php 2004-10-18 21:53:57.000000000 +1000 @@ -83,7 +83,7 @@
 [updates-testing]
 name=Red Hat Linux $releasever - $basearch - updates-testing
-baseurl=http://download.fedoralegacy.org/fedora/redhat/$releasever/$basearch/yum/updates-testing/
+baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates-testing/$basearch
 gpgcheck=1
 
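Review bot: the context line name=Red Hat Linux $releasever - $basearch - updates-testing is left untouched while the new baseurl points into the /fedora/ tree, so the stanza's label no longer describes the repository it fetches. Either change name= in the same hunk or, if this page still has to serve Red Hat Linux users, add a separate FC1 stanza rather than rewriting this one. The new URL also drops both the /yum/ path component and the trailing slash that the old one had, so it is worth confirming that layout exists on the mirror before this is committed. gpgcheck=1 is kept, which matters here because baseurl is plain http.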
--
Colin Charles, byte at aeon.com.my
http://www.bytebot.net/
"First they ignore you, then they laugh at you, then they fight you, then you win." -- Mohandas Gandhi

From dom at earth.li Mon Oct 18 09:40:36 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Mon, 18 Oct 2004 10:40:36 +0100
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
Message-ID: <20041018094034.GA14851@home.thedom.org>

-----------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated kernel resolves security vulnerabilities
Advisory ID: FLSA:1804
Issue date: 2004-10-18
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1804
CVE Names: CAN-2004-0619, CAN-2004-0497, CAN-2004-0587, CAN-2004-0658, CAN-2004-0415, CAN-2004-0427, CAN-2004-0495, CAN-2004-0535, CAN-2004-0554, CAN-2004-0228, CAN-2004-0178, CAN-2004-0181, CAN-2004-0394, CAN-2004-0003, CAN-2004-0109, CAN-2004-0133
-----------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated kernel packages that fix security vulnerabilities which may allow local users to gain root privileges are now available. These packages also resolve other minor issues.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386, i586, i686, athlon
Red Hat Linux 9 - i386, i586, i686, athlon

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that they could gain root privileges if that filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue. This issue is addressed in the Red Hat 7.3 packages referenced in this advisory, having been previously fixed for Red Hat 9.

These packages also contain an updated fix with additional checks for issues in the R128 Direct Render Infrastructure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0003 to this issue. This issue was addressed in the Red Hat 7.3 packages referenced in this advisory, having been previously fixed for Red Hat 9. A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0178 to this issue. Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0415 to this issue. During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0497 to this issue. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0554 to this issue. 
Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. These flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0495 to these issues. Integer overflow in the Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0619 to this issue. This driver has been removed from this release. Integer overflow in the IEEE 1394 (Firewire) driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0658 to this issue. The do_fork function in Linux 2.4.x before 2.4.26 had a bug which could trigger a memory leak leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0427 to this issue. An integer signedness error in the cpufreq proc handle allowed local users to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0228 to this issue. The JFS file system code in Linux 2.4.x had an information leak in which in-memory data is written to the device for the JFS file system, which allowed local users to obtain sensitive information by reading the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0181 to this issue. 
The XFS file system code in Linux 2.4.x had an information leak in which in-memory data is written to the device for the XFS file system, which allowed local users to obtain sensitive information by reading the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0133 to this issue.

In addition, these packages correct further minor issues:

- A bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CAN-2004-0535).
- Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587).
- Potential buffer overflow in the panic() function (CAN-2004-0394).

All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues.

Fedora Legacy would like to thank all those who reported the various issues discussed here.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh " and modify system settings to boot the kernel you have installed. To do this, edit /boot/grub/grub.conf and change the default entry to "default=0" (or, if you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and run lilo)

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/download for directions on how to configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have configured apt/yum to ignore kernels. If so, follow the manual instructions above.

5.
Bug IDs fixed: https://bugzilla.fedora.us/show_bug.cgi?id=1804 - CAN-2004-0619,0497,0587,0658,0415 Kernel fixes https://bugzilla.fedora.us/show_bug.cgi?id=1484 - various security - related fixes for the kernel 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm i568: http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i586.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm i686: http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm athlon: http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.athlon.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm i586: 
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i586.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm i686: http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i686.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm athlon: http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.athlon.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm 7. Verification:
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: https://bugzilla.fedora.us/show_bug.cgi?id=1484 https://bugzilla.fedora.us/show_bug.cgi?id=1804 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org 10. Special Notes: If you use lilo, you will have to edit your lilo.conf file and shorten the label of this kernel. The label is too long for lilo, but not for grub. This update removes support for the Broadcom 5820 cryptonet hardware.
If you need support for this device, you will need to make special arrangements before applying this update.

------------------------------------------------------------------------

From dom at earth.li Mon Oct 18 21:57:14 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Mon, 18 Oct 2004 22:57:14 +0100
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
In-Reply-To: <20041018094034.GA14851@home.thedom.org>
References: <20041018094034.GA14851@home.thedom.org>
Message-ID: <20041018215714.GY15895@tirian.magd.ox.ac.uk>

On Mon, Oct 18, 2004 at 10:40:36AM +0100, Dominic Hargreaves wrote:

> http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm
> http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm
> http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm

s/39.7/37.9/ of course.

Dominic.

From tux at linux-sp.com Tue Oct 19 19:37:31 2004
From: tux at linux-sp.com (Jim Robinson)
Date: Tue, 19 Oct 2004 15:37:31 -0400 (EDT)
Subject: XInetd & /etc/services Issue
Message-ID: <39456.192.168.1.15.1098214651.squirrel@192.168.1.15>

Hi Folks,

I have pulled my hair out on this issue for a week or so now and wondered if anyone else knows of any issues regarding this.

I am trying to configure xinetd to use a 3rd party daemon. The entries are as follows in /etc/xinetd.d/platypusd

service platypusd
{
        disable = no
        flags = REUSE
        socket_type = stream
        wait = no
        user = root
        port = 5124
        protocol = tcp
        server = /private/platypusd/platypusd
        log_on_failure += USERID
}

(please note I know that stating port & protocol should make the lookup to /etc/services not needed but it still calls...)

Now in /etc/services I create the port & protocol entries:-
platypusd 5124/tcp # Platypus user utility daemon

When I restart xinetd however I get this error:
Oct 19 15:32:25 venus xinetd[7520]: Exiting...
Oct 19 15:32:25 venus xinetd: xinetd shutdown succeeded
Oct 19 15:32:25 venus xinetd: xinetd startup succeeded
Oct 19 15:32:25 venus xinetd[13568]: service/protocol combination not in /etc/services: platypusd/tcp
Oct 19 15:32:26 venus xinetd[13568]: xinetd Version 2.3.12 started with libwrap loadavg options compiled in.
Oct 19 15:32:26 venus xinetd[13568]: Started working: 4 available services

I have tried every which way I can think of to try and get xinetd to read the correct lines from /etc/services but it just does not want to jive.

I thought I had a corrupt xinetd but I tried from another FC1 install on a side server and it did the same thing too!

From what little I have played with xinetd it has always been a walk in the park. Does anyone else have any idea what might be going on here?

If you could cc me in on replies at: jim-AT-linux-sp.com I would be grateful.

Regards,
Jim

From ben at burbong.com Tue Oct 19 23:42:17 2004
From: ben at burbong.com (Ben Stringer)
Date: Wed, 20 Oct 2004 09:42:17 +1000
Subject: XInetd & /etc/services Issue
In-Reply-To: <39456.192.168.1.15.1098214651.squirrel@192.168.1.15>
References: <39456.192.168.1.15.1098214651.squirrel@192.168.1.15>
Message-ID: <1098229336.1485.150.camel@hillary>

On Wed, 2004-10-20 at 05:37, Jim Robinson wrote:

> Now in /etc/services I create the port & protocol entries:-
> platypusd 5124/tcp # Platypus user utility daemon
>
> When I restart xinetd however I get this error:
> Oct 19 15:32:25 venus xinetd[7520]: Exiting...
> Oct 19 15:32:25 venus xinetd: xinetd shutdown succeeded
> Oct 19 15:32:25 venus xinetd: xinetd startup succeeded
> Oct 19 15:32:25 venus xinetd[13568]: service/protocol combination not in
> /etc/services: platypusd/tcp
> Oct 19 15:32:26 venus xinetd[13568]: xinetd Version 2.3.12 started with
> libwrap loadavg options compiled in.
> Oct 19 15:32:26 venus xinetd[13568]: Started working: 4 available services
>
> I have tried every which way I can think of to try and get xinetd to read
> the correct lines from /etc/services but it just does not want to jive.

Do you use NIS or other alternative name services?

The /etc/nsswitch.conf can be used to specify an alternative lookup service for the services mappings, however the default is to use /etc/services

Otherwise, your configuration looks fine.

Cheers, Ben

From tux at linux-sp.com Wed Oct 20 12:06:45 2004
From: tux at linux-sp.com (Jim Robinson)
Date: Wed, 20 Oct 2004 08:06:45 -0400 (EDT)
Subject: XInetd & /etc/services Issue
Message-ID: <41023.192.168.1.15.1098274005.squirrel@192.168.1.15>

Thanks to everyone that posted back so quick and esp. to David and Ben for finding the solution.

'type = unlisted' fixed the issue!

Thanks,
Jim

---------------------------- Original Message ----------------------------
Subject: Re: XInetd & /etc/services Issue
From: "Matthew Howard"
Date: Wed, October 20, 2004 2:21 am
To: "Discussion of the Fedora Legacy Project"
Cc: tux at linux-sp.com jim at linux-sp.com
--------------------------------------------------------------------------

Ben Stringer wrote:

>On Wed, 2004-10-20 at 05:37, Jim Robinson wrote:
>
>
>
>>Now in /etc/services I create the port & protocol entries:-
>>platypusd 5124/tcp # Platypus user utility daemon
>>
>>When I restart xinetd however I get this error:
>>Oct 19 15:32:25 venus xinetd[7520]: Exiting...
>>Oct 19 15:32:25 venus xinetd: xinetd shutdown succeeded >>Oct 19 15:32:25 venus xinetd: xinetd startup succeeded >>Oct 19 15:32:25 venus xinetd[13568]: service/protocol combination not in /etc/services: platypusd/tcp >>Oct 19 15:32:26 venus xinetd[13568]: xinetd Version 2.3.12 started with libwrap loadavg options compiled in. >>Oct 19 15:32:26 venus xinetd[13568]: Started working: 4 available services >> >>I have tried every which way I can think of to try and get xinetd to read the correct lines from /etc/services but it just does not want to jive. >> >> > >Do you use NIS or other alternative name services? > >The /etc/nsswitch.conf be be used to specify an alternative lookup service for the services mappings, however the default is to use >/etc/services > >Otherwise, your configuration looks fine. > > > You could also add the following attribute to your platypusd service config file: type = UNLISTED That will let xinetd know that it shouldn't try to lookup the service. Regards, Matthew From b.pennacchi at istc.cnr.it Wed Oct 20 13:48:05 2004 From: b.pennacchi at istc.cnr.it (Barbara Pennacchi) Date: Wed, 20 Oct 2004 15:48:05 +0200 Subject: [OT?] bugzilla and... (sigh) spam Message-ID: <20041020134805.GA3257@sibannac> I know, it might be really way OT, but some time after I posted two comments in FL's bugzilla, I received some darn spam. My email address was pristine (I never used it anywhere else) until I had to use it to register into bugzilla. I found out that FL's bugzilla didn't do anything to "mask" its debuggers' email addresses from anyone not logged in, at least. Is there a way to ask (nicely) abovesaid bugzilla's maintainers to set it ASAP to hide email addresses from harvesters? What bugs me is that probably my email address is now "fried". Sheesh. :( -- +--------------------------------------------------------------------+ | WARNING WARNING WARNING *** EMAIL ADDRESS CHANGED! 
|
| USE EMAIL ADDRESS PROVIDED BELOW |
| IF YOU KEEP WRITING TO THE OLD ADDRESS IT IS NOT MY FAULT! |
+--------------------------------------------------------------------+
| Barbara Pennacchi b.pennacchi at istc.cnr.it |
| Consiglio Nazionale delle Ricerche |
| Istituto di Scienze e Tecnologie della Cognizione |
| V.le Marx 15, 00137 Roma, Italia |
| http://www.istc.cnr.it/ |
+--------------------------------------------------------------------+

From mattdm at mattdm.org Wed Oct 20 13:53:36 2004
From: mattdm at mattdm.org (Matthew Miller)
Date: Wed, 20 Oct 2004 09:53:36 -0400
Subject: [OT?] bugzilla and... (sigh) spam
In-Reply-To: <20041020134805.GA3257@sibannac>
References: <20041020134805.GA3257@sibannac>
Message-ID: <20041020135336.GA27626@jadzia.bu.edu>

On Wed, Oct 20, 2004 at 03:48:05PM +0200, Barbara Pennacchi wrote:
> Is there a way to ask (nicely) abovesaid bugzilla's maintainers to set it
> ASAP to hide email addresses from harvesters?

File a bug in bugzilla -- there's a bugzilla product there.

> What bugs me is that probably my email address is now "fried". Sheesh. :(

Well, if it's the one you're using to post to this list, take consolation in the fact that since it's a public list, that was going to happen eventually anyway.

--
Matthew Miller mattdm at mattdm.org Boston University Linux ------>

From b.pennacchi at istc.cnr.it Wed Oct 20 14:49:01 2004
From: b.pennacchi at istc.cnr.it (Barbara Pennacchi)
Date: Wed, 20 Oct 2004 16:49:01 +0200
Subject: [OT?] bugzilla and... (sigh) spam
In-Reply-To: <20041020135336.GA27626@jadzia.bu.edu>
References: <20041020134805.GA3257@sibannac> <20041020135336.GA27626@jadzia.bu.edu>
Message-ID: <20041020144901.GC3257@sibannac>

On 20.10.04 15:53, Matthew Miller wrote:
> On Wed, Oct 20, 2004 at 03:48:05PM +0200, Barbara Pennacchi wrote:
> > Is there a way to ask (nicely) abovesaid bugzilla's maintainers to set
> > it ASAP to hide email addresses from harvesters?
>
> File a bug in bugzilla -- there's a bugzilla product there.
>

I don't think it is either the right bugzillasite (AFAIK redhat doesn't have much to do anymore with fedoralegacy except for telling 'em when it's time to take charge of EOL'ed distros ;) nor it is a bug.

I checked on www.bugzilla.org (linked from bugzilla.fedora.us v.2.16.2) and they're at 2.16.6 (stable version). From what I could find they've put email munging in one of the later versions (couldn't find which one -- too much loss of caffeine)

> > What bugs me is that probably my email address is now "fried". Sheesh.
> :(
>
> Well, if it's the one you're using to post to this list, take
> consolation in the fact that since it's a public list, that was going to
> happen eventually anyway.

Yes, it is the same I use to post here, but I sincerely doubt it for the following reasons:

http://www.redhat.com/mailman/listinfo/fedora-legacy-list says clearly that "The subscribers list is only available to the list members." and web archives of this mailing list have email addresses munged off (checked 'em as a normal luser wandering around without logging in :).

So I have to find out whoever's in charge of bugzilla.FEDORA.US (not redhat.com) and email him/her/it to please upgrade bugzilla to a mail-munging one :)

--
+--------------------------------------------------------------------+
| WARNING WARNING WARNING *** EMAIL ADDRESS CHANGED! |
| USE EMAIL ADDRESS PROVIDED BELOW |
| IF YOU KEEP WRITING TO THE OLD ADDRESS IT IS NOT MY FAULT!
|
+--------------------------------------------------------------------+
| Barbara Pennacchi b.pennacchi at istc.cnr.it |
| Consiglio Nazionale delle Ricerche |
| Istituto di Scienze e Tecnologie della Cognizione |
| V.le Marx 15, 00137 Roma, Italia |
| http://www.istc.cnr.it/ |
+--------------------------------------------------------------------+

From mattdm at mattdm.org Wed Oct 20 15:11:29 2004
From: mattdm at mattdm.org (Matthew Miller)
Date: Wed, 20 Oct 2004 11:11:29 -0400
Subject: [OT?] bugzilla and... (sigh) spam
In-Reply-To: <20041020144901.GC3257@sibannac>
References: <20041020134805.GA3257@sibannac> <20041020135336.GA27626@jadzia.bu.edu> <20041020144901.GC3257@sibannac>
Message-ID: <20041020151129.GA31082@jadzia.bu.edu>

On Wed, Oct 20, 2004 at 04:49:01PM +0200, Barbara Pennacchi wrote:
> I don't think it is either the right bugzillasite (AFAIK redhat doesn't
> have much to do anymore with fedoralegacy except for telling 'em when it's
> time to take charge of EOL'ed distros ;) nor it is a bug.

Doh! Getting my lists mixed up.

> Yes, it is the same I use to post here, but I sincerely doubt it for the
> following reasons:
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list says clearly
> that "The subscribers list is only available to the list members." and web
> archives of this mailing list have email addresses munged off (checked 'em
> as a normal luser wandering around without logging in :).

Yeah, but a spammer could easily be subscribed -- it's an open list. Or someone else could be making archives available somewhere without munging. Trying to keep your e-mail address secret while actually using it is a losing battle. :)

--
Matthew Miller mattdm at mattdm.org Boston University Linux ------>

From moixa at gmx.ch Wed Oct 20 15:25:49 2004
From: moixa at gmx.ch (Tobias Sager)
Date: Wed, 20 Oct 2004 17:25:49 +0200
Subject: [OT?] bugzilla and...
 (sigh) spam
In-Reply-To: <20041020144901.GC3257@sibannac>
References: <20041020134805.GA3257@sibannac> <20041020135336.GA27626@jadzia.bu.edu> <20041020144901.GC3257@sibannac>
Message-ID: <20041020172549.3c7f9a69@saidar.toe.ch>

On 20.10.04 16:49 Barbara Pennacchi wrote:
> On 20.10.04 15:53, Matthew Miller wrote:
> > On Wed, Oct 20, 2004 at 03:48:05PM +0200, Barbara Pennacchi wrote:
> > > Is there a way to ask (nicely) abovesaid bugzilla's maintainers to
> > > set it ASAP to hide email addresses from harvesters?
> >
> > File a bug in bugzilla -- there's a bugzilla product there.
> >
>
> I don't think it is either the right bugzillasite (AFAIK redhat
> doesn't have much to do anymore with fedoralegacy except for telling
> 'em when it's time to take charge of EOL'ed distros ;) nor it is a
> bug.

Feature request for bugzilla is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=215439

Cheers,
Tobias

--
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28

From michal at harddata.com Wed Oct 20 19:40:18 2004
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 20 Oct 2004 13:40:18 -0600
Subject: [OT?] bugzilla and...
 (sigh) spam
In-Reply-To: <20041020172549.3c7f9a69@saidar.toe.ch>; from moixa@gmx.ch on Wed, Oct 20, 2004 at 05:25:49PM +0200
References: <20041020134805.GA3257@sibannac> <20041020135336.GA27626@jadzia.bu.edu> <20041020144901.GC3257@sibannac> <20041020172549.3c7f9a69@saidar.toe.ch>
Message-ID: <20041020134018.E18036@mail.harddata.com>

On Wed, Oct 20, 2004 at 05:25:49PM +0200, Tobias Sager wrote:
> On 20.10.04 16:49 Barbara Pennacchi wrote:
>
> > On 20.10.04 15:53, Matthew Miller wrote:
> > > On Wed, Oct 20, 2004 at 03:48:05PM +0200, Barbara Pennacchi wrote:
> > > > Is there a way to ask (nicely) abovesaid bugzilla's maintainers to
> > > > set it ASAP to hide email addresses from harvesters?
...
>
> Feature request for bugzilla is here:
> https://bugzilla.mozilla.org/show_bug.cgi?id=215439

I am not so sure about that. I found not once and not twice that lists which hide addresses make it quite hard to contact people where you may have a legitimate business to them, especially if you are coming back to some old issues, but do practically nothing to prevent spam. Unless this is a throwaway address on which you redirect all incoming traffic to /dev/null, making impossible to contact you at all, that address in practice will always "leak out"; quite often in an unexpected and/or funny way.

On an average week on my various mail accounts about 5500 messages ends up in /dev/null without even peek. It does not mean that I am impossible to contact.
:-)

Michal

From rostetter at mail.utexas.edu Wed Oct 20 21:00:27 2004
From: rostetter at mail.utexas.edu (Eric Rostetter)
Date: Wed, 20 Oct 2004 16:00:27 -0500
Subject: Website: updates-testing changes
In-Reply-To: <1098101497.18799.22.camel@albus.aeon.com.my>
References: <1098101497.18799.22.camel@albus.aeon.com.my>
Message-ID: <1098306027.e36305f4c8a20@mail.ph.utexas.edu>

Quoting Colin Charles :

> Patch for the yum-testing.php file - we need to change that, if people
> are yum testing for FC1 updates-testing

Well, they don't need this patch, we need a section for RHL and a separate section for FC1. Done...

> Also, I notice the website is in CVS... Err, its non anonymous, so I
> can't check it out with a valid password (doh!), so hope the patch below
> applies easily

It used to be anonymous, IIRC, but it changed when services were moved to a new hosting setup, and has never been fixed... Something for Jesse to add to his to-do list.

--
Eric Rostetter

From linuxcub at email.dk Wed Oct 20 21:22:28 2004
From: linuxcub at email.dk (Erling A. Jacobsen)
Date: Wed, 20 Oct 2004 23:22:28 +0200
Subject: Can't "rpmbuild --rebuild kernel-2.4.20-37.7.legacy.src.rpm" on a RH7.3 system
Message-ID: <4176D714.6080109@lorien.aman>

Anyone else have this problem ? How did the binary packages available for download get built ?

Erling Jacobsen

--
Blutarsky's Axiom: Nothing is impossible for the man who will not listen to reason.

From jkeating at j2solutions.net Wed Oct 20 21:29:19 2004
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 20 Oct 2004 14:29:19 -0700
Subject: Website: updates-testing changes
In-Reply-To: <1098306027.e36305f4c8a20@mail.ph.utexas.edu>
References: <1098101497.18799.22.camel@albus.aeon.com.my> <1098306027.e36305f4c8a20@mail.ph.utexas.edu>
Message-ID: <200410201429.21656.jkeating@j2solutions.net>

On Wednesday 20 October 2004 14:00, Eric Rostetter wrote:
> Well, they don't need this patch, we need a section for RHL and a
> separate section for FC1.
> Done...
>
> > Also, I notice the website is in CVS... Err, its non anonymous, so
> > I can't check it out with a valid password (doh!), so hope the
> > patch below applies easily
>
> It used to be anonymous, IIRC, but it changed when services were
> moved to a new hosting setup, and has never been fixed... Something
> for Jesse to add to his to-do list.

CVS never moved. It's the same place it always was. And it was never anon accessible.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

From dom at earth.li Wed Oct 20 21:29:54 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Wed, 20 Oct 2004 22:29:54 +0100
Subject: Can't "rpmbuild --rebuild kernel-2.4.20-37.7.legacy.src.rpm" on a RH7.3 system
In-Reply-To: <4176D714.6080109@lorien.aman>
References: <4176D714.6080109@lorien.aman>
Message-ID: <20041020212954.GE15895@tirian.magd.ox.ac.uk>

On Wed, Oct 20, 2004 at 11:22:28PM +0200, Erling A. Jacobsen wrote:
> Anyone else have this problem ? How did the binary packages available
> for download get built ?

In mach (a chroot environment for building RPMS). I have also built that precise SRPM "normally" with rpm -bb kernel.spec (not that the precise incantation should matter).

Can you be more precise in how it fails?

Dominic.
From ral77 at bellsouth.net Wed Oct 20 23:51:26 2004
From: ral77 at bellsouth.net (ral77)
Date: Wed, 20 Oct 2004 19:51:26 -0400
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
In-Reply-To: <20041018215714.GY15895@tirian.magd.ox.ac.uk>
References: <20041018094034.GA14851@home.thedom.org> <20041018215714.GY15895@tirian.magd.ox.ac.uk>
Message-ID: <4176F9FE.1060605@bellsouth.net>

Dominic Hargreaves wrote:
> On Mon, Oct 18, 2004 at 10:40:36AM +0100, Dominic Hargreaves wrote:
>
>
>>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm
>>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm
>>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm
>
>
> s/39.7/37.9/ of course.
>
> Dominic.
>

Dominic,

I do not understand what you are trying to say on this post. The kernel update for redhat 9 is 2.4.20-37.9.legacy.x.rpm. Wouldn't the source be kernel-source-2.4.20-37.9.legacy.i386.rpm and kernel-doc-2.4.20-37.9.legacy.i386.rpm

Anyway when I try the above links I get:

Not Found

The requested URL /redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm was not found on this server.

I need the source to recompile the nvidia drivers after the kernel update.

thx's
ral

From jkeating at j2solutions.net Wed Oct 20 23:58:45 2004
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 20 Oct 2004 16:58:45 -0700
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
In-Reply-To: <4176F9FE.1060605@bellsouth.net>
References: <20041018094034.GA14851@home.thedom.org> <20041018215714.GY15895@tirian.magd.ox.ac.uk> <4176F9FE.1060605@bellsouth.net>
Message-ID: <200410201658.46205.jkeating@j2solutions.net>

On Wednesday 20 October 2004 16:51, ral77 wrote:
> Not Found
>
> The requested URL
> /redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm was
> not found on this server.

http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-37.9.legacy.i386.rpm

The release is 37.9 not 39.7.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

From ral77 at bellsouth.net Thu Oct 21 00:13:48 2004
From: ral77 at bellsouth.net (ral77)
Date: Wed, 20 Oct 2004 20:13:48 -0400
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
In-Reply-To: <200410201658.46205.jkeating@j2solutions.net>
References: <20041018094034.GA14851@home.thedom.org> <20041018215714.GY15895@tirian.magd.ox.ac.uk> <4176F9FE.1060605@bellsouth.net> <200410201658.46205.jkeating@j2solutions.net>
Message-ID: <4176FF3C.6010303@bellsouth.net>

Jesse Keating wrote:
> On Wednesday 20 October 2004 16:51, ral77 wrote:
>
>>Not Found
>>
>>The requested URL
>>/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm was
>>not found on this server.
>
>
> http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-37.9.legacy.i386.rpm
>
> The release is 37.9 not 39.7.
>

Thx's

I just finished downloading everything I need from the fedora legacy web site at http://download.fedoralegacy.org/redhat/9/updates/i386/

thanks again for your quick response.

Best regards,
ral

From rostetter at mail.utexas.edu Thu Oct 21 03:48:29 2004
From: rostetter at mail.utexas.edu (Eric Rostetter)
Date: Wed, 20 Oct 2004 22:48:29 -0500
Subject: Website: updates-testing changes
In-Reply-To: <200410201429.21656.jkeating@j2solutions.net>
References: <1098101497.18799.22.camel@albus.aeon.com.my> <1098306027.e36305f4c8a20@mail.ph.utexas.edu> <200410201429.21656.jkeating@j2solutions.net>
Message-ID: <1098330509.ec686caa97a28@mail.ph.utexas.edu>

Quoting Jesse Keating :

> > It used to be anonymous, IIRC, but it changed when services were
> > moved to a new hosting setup, and has never been fixed...
> > Something for Jesse to add to his to-do list.
>
> CVS never moved. It's the same place it always was. And it was never
> anon accessible.

My mistake. Sorry, faulty memory... or wishful thinking?

> --
> Jesse Keating RHCE (geek.j2solutions.net)
> Fedora Legacy Team (www.fedoralegacy.org)
> GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

--
Eric Rostetter

From hjp+fedora-legacy at wsr.ac.at Thu Oct 21 16:29:40 2004
From: hjp+fedora-legacy at wsr.ac.at (Peter J. Holzer)
Date: Thu, 21 Oct 2004 18:29:40 +0200
Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities
In-Reply-To: <4176F9FE.1060605@bellsouth.net>
References: <20041018094034.GA14851@home.thedom.org> <20041018215714.GY15895@tirian.magd.ox.ac.uk> <4176F9FE.1060605@bellsouth.net>
Message-ID: <20041021162940.GG29323@wsr.ac.at>

On 2004-10-20 19:51:26 -0400, ral77 wrote:
> Dominic Hargreaves wrote:
> >On Mon, Oct 18, 2004 at 10:40:36AM +0100, Dominic Hargreaves wrote:
> >
> >
> >>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm
> >>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm
> >>http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm
> >
> >
> >s/39.7/37.9/ of course.
> >
> I do not understand what you are trying to say on this post. The
> kernel update for redhat 9 is 2.4.20-37.9.legacy.x.rpm. Wouldn't the
> source be kernel-source-2.4.20-37.9.legacy.i386.rpm and
> kernel-doc-2.4.20-37.9.legacy.i386.rpm

This is exactly what Dominic wanted to say. s/A/B/ means "substitute A with B". It is a command in vi, the most common unix text editor and also some other unix tools.

Thus s/39.7/37.9/ means, translated from unix-users-slang to plain English:

"Oops, that is wrong, please replace each occurrence of 39.7 in the text above with 37.9".

(Actually, it doesn't mean that *exactly*, but it would go too far to discuss the subtleties of regular expressions and vi commands in this context).

hp

--
   _  | Peter J. Holzer     | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| |   | hjp at wsr.ac.at     |   -- Gordon Schumacher,
__/   | http://www.hjp.at/  |      mozilla bug #84128

From rob.myers at gtri.gatech.edu Thu Oct 21 17:24:08 2004
From: rob.myers at gtri.gatech.edu (Rob Myers)
Date: Thu, 21 Oct 2004 13:24:08 -0400
Subject: FC1 bug Round-up 2004-10-21
Message-ID: <1098379448.5308.12.camel@rXm-581b.stl.gtri.gatech.edu>

Below is a current list of outstanding Fedora Core 1 bugs current as of $Date: 2004/10/21 17:16:16 $. Help QA to speed along the process! Bugs are ordered by bug number.

https://bugzilla.fedora.us/show_bug.cgi?id=2053
CAN-2004-0832 Squid - malformed NTLMSSP packets NTLM help...
superseded by #2150

https://bugzilla.fedora.us/show_bug.cgi?id=2074
CAN-2004-0752 - openoffice.org temp file handling bug
needs 1 QA for publish to updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2075
CAN-2004-0687,0688 libXpm stack and integer overflows
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2076
CAN-2004-0801 - cupsomatic, foomatic arbitrary command ex...
needs 1 VERIFY for publish to updates

https://bugzilla.fedora.us/show_bug.cgi?id=2086
CAN-2004-0750 - redhat-config-nfs incorrect permission on...
needs to be built for updates-testing with spec patch from comment #6

https://bugzilla.fedora.us/show_bug.cgi?id=2089
Mozilla < 1.7.3 multiple flaws
epiphany needs versioned build-depends mozilla needs 1 VERIFY for publish to updates

https://bugzilla.fedora.us/show_bug.cgi?id=2116
privilege escalation with rp-pppoe in non-default configu...
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2127
CAN-2004-0923 Cups Log file information disclosure
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2129
MySQL Remote Buffer Overflow
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2137
CAN-2004-0884 cyrus-sasl setuid/setgid flaw
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2142
CAN-2004-0688- lesstiff integer overflows in libXpm
needs packages

https://bugzilla.fedora.us/show_bug.cgi?id=2143
CAN-2004-0687,0688 OpenMotif libxpm flaws
needs packages

https://bugzilla.fedora.us/show_bug.cgi?id=2146
CAN-2004-0813 Incorrect /etc/security/console.perms
needs packages

https://bugzilla.fedora.us/show_bug.cgi?id=2148
CAN-2004-0885 Apache httpd SSLCipherSuite bypass
needs packages

https://bugzilla.fedora.us/show_bug.cgi?id=2150
CAN-2004-0918 squid snmp DoS
needs to be built for updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2155
GNU Sharutils Multiple Buffer Overflows
needs packages

https://bugzilla.fedora.us/show_bug.cgi?id=2163
CAN-2004-0803,0886 libtiff remote code execution
needs 2 QA for publish to updates-testing

https://bugzilla.fedora.us/show_bug.cgi?id=2164
CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
needs packages

From dom at earth.li Fri Oct 22 00:05:27 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 22 Oct 2004 01:05:27 +0100
Subject: Round-up, 2004-10-22
Message-ID: <20041022000522.GA4396@home.thedom.org>

$Id: issues.txt,v 1.116 2004/10/22 00:03:03 dom Exp $

See bottom for changes

This list is also available at http://www-astro.physics.ox.ac.uk/~dom/legacy/issues.txt

Packages that have been verified and should be fully released
-------------------------------------------------------------

Packages waiting to be built for updates-testing
------------------------------------------------

Packages in state RESOLVED (ie exist in
updates-testing) that need active work.
------------------------------------------------------------------

cupsomatic - https://bugzilla.fedora.us/show_bug.cgi?id=2076
Needs: One more VERIFY [fc1]

mozilla - https://bugzilla.fedora.us/show_bug.cgi?id=2089
Needs fixed epiphany build

glibc - https://bugzilla.fedora.us/show_bug.cgi?id=1947
Needs VERIFY

abiword - https://bugzilla.fedora.us/show_bug.cgi?id=1906
Needs 2 VERIFY [rh73,rh9]

tripwire - https://bugzilla.fedora.us/show_bug.cgi?id=1719
Needs VERIFY for rh73

mailman - https://bugzilla.fedora.us/show_bug.cgi?id=1269
There were some unconfirmed reports of breakage with the candidate. This needs more QA before release.

Packages in state UNCONFIRMED, NEW, ASSIGNED or REOPENED:
--------------------------------------------------------

readline - https://bugzilla.fedora.us/show_bug.cgi?id=2017
Needs QA and decision on whether to release [rh9]

yum - https://bugzilla.fedora.us/show_bug.cgi?id=1604
Needs 2 PUBLISH

libpng - https://bugzilla.fedora.us/show_bug.cgi?id=1943
Need 1 PUBLISH for rh9

gnome vfs - https://bugzilla.fedora.us/show_bug.cgi?id=1944
Needs PUBLISH, especially for rh9

sox - https://bugzilla.fedora.us/show_bug.cgi?id=1945
Needs possible renaming of rh7.3 package

qt - https://bugzilla.fedora.us/show_bug.cgi?id=2002
Needs 2 PUBLISH

gdk-pixbuf - https://bugzilla.fedora.us/show_bug.cgi?id=2005
Needs 2 PUBLISH

mysql - https://bugzilla.fedora.us/show_bug.cgi?id=2006
Needs 2 PUBLISH

ruby - https://bugzilla.fedora.us/show_bug.cgi?id=2007
Needs PUBLISH [rh73,rh9,fc1]

kdelibs - https://bugzilla.fedora.us/show_bug.cgi?id=2008
Needs 2 PUBLISH

mc - https://bugzilla.fedora.us/show_bug.cgi?id=2009
Needs PUBLISH

pam_wheel - https://bugzilla.fedora.us/show_bug.cgi?id=2010
Needs PUBLISH and full auditing?

krb5 - https://bugzilla.fedora.us/show_bug.cgi?id=2040
Needs 1 PUBLISH for rh9 / investigate possible bug introduced

imlib - https://bugzilla.fedora.us/show_bug.cgi?id=2051
Needs PUBLISH [rh9]

ImageMagick - https://bugzilla.fedora.us/show_bug.cgi?id=2052
Needs 2 PUBLISH/updated packages?

cdrecord - https://bugzilla.fedora.us/show_bug.cgi?id=2058
Needs 2 PUBLISH for rh9

gtk2 - https://bugzilla.fedora.us/show_bug.cgi?id=2073
Needs PUBLISH [rh9]

openoffice - https://bugzilla.fedora.us/show_bug.cgi?id=2074
Needs PUBLISH for rh9

libxpm - https://bugzilla.fedora.us/show_bug.cgi?id=2075
Needs PUBLISH for rh73,rh9

redhat-config-nfs - https://bugzilla.fedora.us/show_bug.cgi?id=2086
Need PUBLISH for rh9

rp-pppoe - https://bugzilla.fedora.us/show_bug.cgi?id=2116
Need PUBLISH for rh73, rh9

cups - https://bugzilla.fedora.us/show_bug.cgi?id=2127
Needs QA [rh9]

kernel - https://bugzilla.fedora.us/show_bug.cgi?id=2128
Needs investigation/packages

mysql - https://bugzilla.fedora.us/show_bug.cgi?id=2129
Needs QA [rh73,rh9]

gtk2 - https://bugzilla.fedora.us/show_bug.cgi?id=2134
Needs investigation

cyrus-sasl - https://bugzilla.fedora.us/show_bug.cgi?id=2137
Needs QA [7.3]

lesstiff - https://bugzilla.fedora.us/show_bug.cgi?id=2142
Needs investigation/packages

openmotif - https://bugzilla.fedora.us/show_bug.cgi?id=2143
Needs investigation/packages

security.conf - https://bugzilla.fedora.us/show_bug.cgi?id=2146
Needs QA [fc1], packages [rh9], discussion of updated extras

httpd - http://bugzilla.fedora.us/show_bug.cgi?id=2148
Needs packages [rh9,fc1]

squid - https://bugzilla.fedora.us/show_bug.cgi?id=2150
Needs QA [rh9]

gettext - https://bugzilla.fedora.us/show_bug.cgi?id=2151
Needs investigation/packages

sharutils - https://bugzilla.fedora.us/show_bug.cgi?id=2155
Needs QA [rh73,rh9,fc1]

libtiff - https://bugzilla.fedora.us/show_bug.cgi?id=2163
Needs QA [rh73,rh9,fc1]

kdefax - https://bugzilla.fedora.us/show_bug.cgi?id=2164
Needs investigation/packages

General (non-package bugs)
--------------------------

sample yum.conf - https://bugzilla.fedora.us/show_bug.cgi?id=2140

FLSA broken - http://bugzilla.fedora.us/show_bug.cgi?id=2147

yum.conf - http://bugzilla.fedora.us/show_bug.cgi?id=2149

Notes
-----

Needs PUBLISH means that there are packages available for QA that need to be QAd at the source level.

Needs VERIFY means that there are updates-testing packages that need testing. This is the easy bit, let's get these old ones out of the way ASAP.

* means that there is a judgement call that can be made on the bug system immediately. Please follow up onlist with opinions.

Changes
-------

$Log: issues.txt,v $
Revision 1.116 2004/10/22 00:03:03 dom
updates

Revision 1.115 2004/10/19 23:02:14 dom
update more

Revision 1.114 2004/10/19 18:02:45 dom
readline, glibc

Revision 1.113 2004/10/19 17:58:25 dom
udpates

Revision 1.112 2004/10/18 22:23:58 dom
updates

Revision 1.111 2004/10/18 12:08:38 dom
update kernel, mysql

Revision 1.110 2004/10/17 14:05:46 dom
update glibc

Revision 1.109 2004/10/17 13:18:21 dom
updates

Revision 1.108 2004/10/16 00:39:07 dom
updates

Revision 1.107 2004/10/14 21:10:57 dom
update esquid

Revision 1.106 2004/10/14 18:52:34 dom
update kernel

Revision 1.105 2004/10/14 11:42:11 dom
updates

From dom at earth.li Fri Oct 22 00:06:17 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 22 Oct 2004 01:06:17 +0100
Subject: Fedora Legacy Test Update Notification: abiword
Message-ID: <20041022000614.GB4396@home.thedom.org>

Please QA and report to bugzilla.

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-1906
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1906
2004-10-22
---------------------------------------------------------------------

Name : abiword
Version (7.3) : 0.99.5-3.legacy
Version (9) : 1.0.4-5.legacy
Summary : A cross-platform word processor.
Description :
AbiWord is a cross-platform, open-source word processor. AbiWord supports basic character formatting (bold, underline, italics), paragraph alignment, spell checking, importing Word97 and RTF documents, interactive rulers and tabs, styles, unlimited undo/redo, multiple column control, widow/orphan control, find and replace, and inclusion of images.

---------------------------------------------------------------------
Update Information:

A buffer overflow in the wv library included in abiword allows remote attackers to execute arbitrary code via a document with a long DateTime field.

---------------------------------------------------------------------
7.3 Changelog:

* Tue Oct 19 2004 Dominic Hargreaves
- Added libtool BuildPrereq.

* Tue Aug 31 2004 Dave Botsch
- Added field.c.patch
- added legacy to release

9 Changelog:

* Tue Oct 19 2004 Dominic Hargreaves 1:1.0.4-5.legacy
- Add BuildPrereq: libtool.

* Tue Oct 05 2004 Marc Deslauriers 1:1.0.4-4.legacy
- Added a better wv security fix (CAN-2004-0645)

* Wed Sep 01 2004 Marc Deslauriers 1:1.0.4-3.legacy
- wv security fix (CAN-2004-0645)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

1de1739c89ad268ad00407f792d4ae587fc12519 7.3/updates-testing/SRPMS/abiword-0.99.5-3.legacy.src.rpm
7f1f7f8a7fd6c0e4ab2a3820c494763d1f398b78 7.3/updates-testing/i386/abiword-0.99.5-3.legacy.i386.rpm
40ec194cf69f56ee176e6c7bb995a6b34bad5cb2 9/updates-testing/SRPMS/abiword-1.0.4-5.legacy.src.rpm
fadc8f407110a121ced851d20748c7807f2f71a2 9/updates-testing/i386/abiword-1.0.4-5.legacy.i386.rpm

Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates.
---------------------------------------------------------------------

From deisenst at gtw.net Fri Oct 22 00:16:47 2004
From: deisenst at gtw.net (David Eisenstein)
Date: Thu, 21 Oct 2004 19:16:47 -0500 (CDT)
Subject: mach? Re: Can't "rpmbuild --rebuild kernel-2.4.20-37.7.legacy.src.rpm" on a RH7.3 system
In-Reply-To: <20041020212954.GE15895@tirian.magd.ox.ac.uk>
Message-ID:

On Wed, 20 Oct 2004, Dominic Hargreaves wrote:

> On Wed, Oct 20, 2004 at 11:22:28PM +0200, Erling A. Jacobsen wrote:
> > Anyone else have this problem ? How did the binary packages available
> > for download get built ?
>
> In mach (a chroot environment for building RPMS).
>

Dominic, can you give us a little more information about mach? I've heard it mentioned in passing here on this email list, but I haven't seen any information about mach on the fedoralegacy.org web-site. Any URL's for it?

Thanks!
-David

From dom at earth.li Fri Oct 22 00:22:12 2004
From: dom at earth.li (Dominic Hargreaves)
Date: Fri, 22 Oct 2004 01:22:12 +0100
Subject: mach? Re: Can't "rpmbuild --rebuild kernel-2.4.20-37.7.legacy.src.rpm" on a RH7.3 system
In-Reply-To:
References: <20041020212954.GE15895@tirian.magd.ox.ac.uk>
Message-ID: <20041022002212.GL15895@tirian.magd.ox.ac.uk>

On Thu, Oct 21, 2004 at 07:16:47PM -0500, David Eisenstein wrote:
> Dominic, can you give us a little more information about mach? I've heard
> it mentioned in passing here on this email list, but I haven't seen any
> information about mach on the fedoralegacy.org web-site. Any URL's for
> it?

I'm probably not the person to ask -- I only use the version already set up by Jesse on the build server -- but the short answer is that it is a python script to manage a bunch of chroots for different distributions for the purposes of building RPMS. So once you get a minimal chroot you can do:

mach -r redhat-73-i386 rebuild foo.rpm

and mach enters that chroot, installs all the build dependencies, and goes to build the package. The thing is that the minimal set of packages that are contained in the chroot often does not include packages that were evidently "assumed" to be there and so don't have missing build dependencies, causing the frequent cries of "does not build in mach".

That last bit is someone superfluous to the particular topic of the kernel, since that doesn't have many dependencies to worry about.

A google suggests that mach has a project home page at http://thomas.apestaart.org/projects/mach/ ]

Hope that helps..

Cheers,
Dominic.

From IIN at triaton.com Fri Oct 22 11:27:51 2004
From: IIN at triaton.com (IIN at triaton.com)
Date: Fri, 22 Oct 2004 13:27:51 +0200
Subject: SATA Drivers
Message-ID:

Hello,

I have DELL PE750 with disc SATA and I do not have drivers SATA. Could somebody get them to me and to explain me how to install them?
thank you Joris From mch at happymoose.net Wed Oct 20 06:21:36 2004 From: mch at happymoose.net (Matthew Howard) Date: Wed, 20 Oct 2004 01:21:36 -0500 Subject: XInetd & /etc/services Issue In-Reply-To: <1098229336.1485.150.camel@hillary> References: <39456.192.168.1.15.1098214651.squirrel@192.168.1.15> <1098229336.1485.150.camel@hillary> Message-ID: <417603F0.7030106@happymoose.net> Ben Stringer wrote: >On Wed, 2004-10-20 at 05:37, Jim Robinson wrote: > > > >>Now in /etc/services I create the port & protocol entries:- >>platypusd 5124/tcp # Platypus user utility daemon >> >>When I restart xinetd however I get this error: >>Oct 19 15:32:25 venus xinetd[7520]: Exiting... >>Oct 19 15:32:25 venus xinetd: xinetd shutdown succeeded >>Oct 19 15:32:25 venus xinetd: xinetd startup succeeded >>Oct 19 15:32:25 venus xinetd[13568]: service/protocol combination not in >>/etc/services: platypusd/tcp >>Oct 19 15:32:26 venus xinetd[13568]: xinetd Version 2.3.12 started with >>libwrap loadavg options compiled in. >>Oct 19 15:32:26 venus xinetd[13568]: Started working: 4 available services >> >>I have tried every which way I can think of to try and get xinetd to read >>the correct lines from /etc/services but it just does not want to jive. >> >> > >Do you use NIS or other alternative name services? > >The /etc/nsswitch.conf can be used to specify an alternative lookup >service for the services mappings, however the default is to use >/etc/services > >Otherwise, your configuration looks fine. > > > You could also add the following attribute to your platypusd service config file: type = UNLISTED That will let xinetd know that it shouldn't try to look up the service.
Regards, Matthew From marcdeslauriers at videotron.ca Sat Oct 23 11:27:30 2004 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 23 Oct 2004 07:27:30 -0400 Subject: [FLSA-2004:1719] Updated Tripwire packages fix security flaw Message-ID: <1098530850.28446.1.camel@mdlinux> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated Tripwire packages fix security flaw Advisory ID: FLSA:1719 Issue date: 2004-10-23 Product: Red Hat Linux Keywords: Security Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1719 CVE Names: CAN-2004-0536 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: Updated Tripwire packages that fix a format string security vulnerability are now available. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 3. Problem description: Tripwire is a system integrity assessment tool. Paul Herman discovered a format string vulnerability in Tripwire version 2.3.1 and earlier. If Tripwire is configured to send reports via email, a local user could gain privileges by creating a carefully crafted file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0536 to this issue. Users of Tripwire are advised to upgrade to this erratum package which contains a backported security patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. 
Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - 1719 - Format String Vulnerability in Tripwire 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm 7. Verification: SHA1 sum Package Name ------------------------------------------------------------------------ 1b2a8875e86492065f53db69d04de4a452fb1c5f 7.3/updates/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm 3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2 7.3/updates/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5 9/updates/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm 263704b1799204e8ee98b4329cddf7b492d8fff2 9/updates/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8.
References: http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153 http://lw.ftw.zamosc.pl/lha-exploit.txt 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- From marcdeslauriers at videotron.ca Sat Oct 23 11:28:43 2004 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 23 Oct 2004 07:28:43 -0400 Subject: [FLSA-2004:1947] Updated glibc packages fix flaws Message-ID: <1098530923.28446.3.camel@mdlinux> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated glibc packages fix flaws Advisory ID: FLSA:1947 Issue date: 2004-10-23 Product: Red Hat Linux Keywords: Bugfix Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1947 CVE Names: CAN-2002-0029 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: Updated glibc packages that fix a security flaw in the resolver as well as dlclose handling are now available. The GNU libc packages (known as glibc) contain the standard C libraries used by applications. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 3. Problem description: A security audit of glibc revealed a flaw in the resolver library which was originally reported as affecting versions of ISC BIND 4.9. This flaw also applied to glibc versions before 2.3.2. An attacker who is able to send DNS responses (perhaps by creating a malicious DNS server) could remotely exploit this vulnerability to execute arbitrary code or cause a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0029 to this issue. All users of glibc should upgrade to these updated packages, which resolve these issues. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: http://bugzilla.fedora.us - bug #1947 6.
RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.3.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.3.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.3.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.3.i386.rpm 7. 
Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029 http://www.kb.cert.org/vuls/id/844360 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
From joey at clean.q7.com Sat Oct 23 21:05:33 2004 From: joey at clean.q7.com (Joe Pruett) Date: Sat, 23 Oct 2004 14:05:33 -0700 (PDT) Subject: how to apt-get upgrade kernel-source? Message-ID: i can't seem to figure out how to get the kernel-source package to upgrade. i can do the kernel with -o RPM::Upgrade-Kernel=yes, but i haven't discovered how to make kernel-source upgrade. are the apt files on the server correct? From marcdeslauriers at videotron.ca Sun Oct 24 13:47:29 2004 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 24 Oct 2004 09:47:29 -0400 Subject: Fedora Legacy Test Update Notification: mozilla Message-ID: <1098625649.21657.0.camel@mdlinux> This release corrects broken epiphany packages for FC1. Please re-test and report in bugzilla. --------------------------------------------------------------------- Fedora Test Update Notification FEDORALEGACY-2004-2089 Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2089 2004-10-24 --------------------------------------------------------------------- Name : mozilla Version (7.3) : 1.4.3-0.7.1.legacy Version (9) : 1.4.3-0.9.1.legacy Version (fc1) : 1.4.3-1.fc1.1.legacy Summary : A Web browser. Description : Mozilla is an open-source Web browser, designed for standards compliance, performance, and portability. --------------------------------------------------------------------- Update Information: NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue.
Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue. Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue. Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599) Zen Parse reported a flaw in the POP3 capability. 
A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CAN-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CAN-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a user's machine without requiring confirmation. (CAN-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CAN-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CAN-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. (CAN-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CAN-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and Javascript that uses the "onunload" method. (CAN-2004-0763) Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.
(CAN-2004-0764) The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CAN-2004-0765) Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue. Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue. Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue. Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue. Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature. 
It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue. --------------------------------------------------------------------- 7.3 Changelog: * Thu Sep 30 2004 Dominic Hargreaves 37:1.4.3-0.7.1.legacy - Rebuild for Red Hat Linux 7.3 * Mon Sep 20 2004 Christpoher Aillon 37:1.4.3-2.1.3 - Backport security fixes from http://mozilla.org/projects/security/known-vulnerabilities.html * Tue Aug 03 2004 Christopher Aillon 37:1.4.3-2.1.2 - Final 1.4.3 release * Fri Jul 30 2004 Christopher Aillon 37:1.4.3-2.1.1.SNAP - Add libpng fix * Fri Jul 30 2004 Christopher Aillon 37:1.4.3-2.1.0.SNAP - Update to a 1.4 snapshot for security fixes. * Wed Mar 24 2004 Chris Blizzard 37:1.4.2-3.0.0.SNAP - Update to a 1.4.2. - Time for a new changelog. 9 Changelog: * Sun Oct 03 2004 Marc Deslauriers 37:1.4.3-0.9.1.legacy - Added backported security fixes from mozilla 1.7.3 * Tue Sep 21 2004 John Dalbec 37:1.4.3-0.9.0.legacy.2 - Added BuildRequires: compat-gcc for gcc296 program (%ifarch i386 only). - Added BuildRequires: compat-gcc-c++ for g++296 program (%ifarch i386 only). - Added BuildRequires: gtk+-devel. - Added BuildRequires: ORBit-devel. - Added %dir /usr/lib/mozilla to %files. - Added /usr/include/mozilla-1.4.3 to %files devel. * Mon Aug 30 2004 Marc Deslauriers 37:1.4.3-0.9.0.legacy - Update to latest 1.4 branch for security fixes. FC1 Changelog: * Thu Sep 30 2004 Rob Myers 37:1.4.3-1.fc1.1.legacy - rebuild FC1 * Mon Sep 20 2004 Christpoher Aillon 37:1.4.3-3.0.3 - Backport security fixes from http://mozilla.org/projects/security/known-vulnerabilities.html * Fri Jul 30 2004 Christopher Aillon 37:1.4.3-3.0.1.SNAP - Add libpng fix * Fri Jul 30 2004 Christopher Aillon 37:1.4.3-3.0.0.SNAP - Update to latest 1.4 branch for security fixes. 
--------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ Please note that this update is also available via yum and apt through the updates-testing channel. Many people find this an easier way to apply updates. ---------------------------------------------------------------------
From mitchell at cuip.net Sun Oct 24 18:02:49 2004 From: mitchell at cuip.net (Mitchell Marks) Date: Sun, 24 Oct 2004 13:02:49 -0500 (CDT) Subject: Guide to versions was Re: Is there a guide or howto on 7.2 ==> 7.3 overall upgrade? In-Reply-To: References: <1098625649.21657.0.camel@mdlinux> Message-ID: To answer one of my own questions: On Sun, 24 Oct 2004, Mitch Marks wrote: ... > While I'm asking explanation favors, could someone please provide a > pointer into the list archives (or re-post the article) that explained the > different major-release and end-of-life versions and what key features > differentiate them? I saw it go by on this list, and saw it praised, but > unfortunately I saved it for later study and have forgotten > where I put it :( > That was Bryan J. Smith's guide, at http://www.vaporwarelabs.com/files/temp/RH-Distribution-FAQ.html (Thank you for this helpful information.)
-- Mitchell Marks CUIP & WIT Tech Coordinator CUIP: Chicago Public Schools / Univ. of Chicago Internet Project WIT: Web Institute for Teachers http://cuip.net/cuip http://tech.cuip.net/ http://wit.uchicago.edu/wit 5640 S Ellis Ave AAC-045, Univ of Chgo, Chgo IL 60637 Phones: Area 773 (O) 702-6041 (F) 702-8212 (H) 241-7166 (C) 620-6744 Email: Primary address: mitchell at cuip.net Alternate UofC addresses (use especially to report problems with CUIP\WIT mail!): mitchell at cs.uchicago.edu and mmar at midway.uchicago.edu Off-campus (ISP) address: mmarks at pobox.com So which is more your cup of tea: DKNY or CSNY? And which of these butters your toast: Mos Def, MOS-FET, or Boba Fett? From mitchell at cuip.net Sun Oct 24 18:34:34 2004 From: mitchell at cuip.net (Mitchell Marks) Date: Sun, 24 Oct 2004 13:34:34 -0500 (CDT) Subject: Is there a guide or howto on 7.2 ==> 7.3 overall upgrade? Message-ID: I understand why 7.3 is supported tho 7.2 is not. On the Legacy website in one of the places where it mentions this, there is the suggestion "Users of RHL 7.2 are urged to upgrade to RHL 7.3. Users of RHL 8.0 are urged to upgrade to RHL 9 or newer." Could someone point me to some sort of guide on how to go about turning a 7.2 system into a 7.3? (Far enough to be able to use 7.3 updates, anyway.) Thanks very much. While I'm asking explanation favors, could someone please provide a pointer into the list archives (or re-post the article) that explained the different major-release and end-of-life versions and what key features differentiate them? I saw it go by on this list, and saw it praised, but unfortunately I saved it for later study and have forgotten where I put it :( [ This has been answered -- http://www.vaporwarelabs.com/files/temp/RH-Distribution-FAQ.html ] Oh, one more: Why do the advisories seem to suggest blanket updates for those using yum or apt-get? 
That is, things like this: " To use yum issue: " " yum update " " or to use apt: " " apt-get update; apt-get upgrade I prefer to handle packages one-by-one, and would thus prefer to see these commands in the one-package form with the applicable package name. Otherwise I need to dig out the package name from the advisory title or the RPM links (sometimes harder than it sounds, if there are version numbers built in) or face up to building an exception list. Thanks a lot, Mitch Marks -- Mitchell Marks CUIP & WIT Tech Coordinator CUIP: Chicago Public Schools / Univ. of Chicago Internet Project WIT: Web Institute for Teachers http://cuip.net/cuip http://tech.cuip.net/ http://wit.uchicago.edu/wit 5640 S Ellis Ave AAC-045, Univ of Chgo, Chgo IL 60637 Phones: Area 773 (O) 702-6041 (F) 702-8212 (H) 241-7166 (C) 620-6744 Email: Primary address: mitchell at cuip.net Alternate UofC addresses (use especially to report problems with CUIP\WIT mail!): mitchell at cs.uchicago.edu and mmar at midway.uchicago.edu Off-campus (ISP) address: mmarks at pobox.com So which is more your cup of tea: DKNY or CSNY? And which of these butters your toast: Mos Def, MOS-FET, or Boba Fett? From cra at WPI.EDU Tue Oct 26 03:15:30 2004 From: cra at WPI.EDU (Charles R. 
Anderson) Date: Mon, 25 Oct 2004 23:15:30 -0400 Subject: Website: bug in FC1 up2date docs Message-ID: <20041026031530.GM28232@angus.ind.WPI.EDU> I just helped someone with up2date on the IRC channel, we discovered a documentation bug: http://www.fedoralegacy.org/docs/up2date-fc1-reconfigure.php gives this configuration for /etc/sysconfig/rhn/sources: # Fedora Legacy FC1 os repository yum os http://download.fedoralegacy.org/fedora/1/os/i386/ # Fedora Legacy FC1 updates repository yum os http://download.fedoralegacy.org/fedora/1/updates/i386/ # Fedora Legacy FC1 legacy-utils repository yum os http://download.fedoralegacy.org/fedora/1/legacy-utils/i386/ Those three lines should have different repository names, like "os", "updates" and "legacy-utils", or up2date does weird things, like give errors such as "I/O error: Not a gzipped file". Here is the fixed config: # Fedora Legacy FC1 os repository yum os http://download.fedoralegacy.org/fedora/1/os/i386/ # Fedora Legacy FC1 updates repository yum updates http://download.fedoralegacy.org/fedora/1/updates/i386/ # Fedora Legacy FC1 legacy-utils repository yum legacy-utils http://download.fedoralegacy.org/fedora/1/legacy-utils/i386/ From listas at andreso.net Tue Oct 26 11:08:40 2004 From: listas at andreso.net (Andres Adrover Kvamsdal) Date: Tue, 26 Oct 2004 13:08:40 +0200 Subject: Is there a guide or howto on 7.2 ==> 7.3 overall upgrade? In-Reply-To: References: Message-ID: <417E3038.4070409@andreso.net> > Could someone point me to some sort of guide on how to go about turning a > 7.2 system into a 7.3? (Far enough to be able to use 7.3 updates, > anyway.) Thanks very much. I upgraded a RH 7.2 system to RH 7.3 by downloading from the fedora site the 7.3 redhat release rpm and upgrading it. I then executed yum upgrade. I still have to upgrade the kernel. I believe yum installs (as opposed to upgrade) the new kernel. 
> I prefer to handle packages one-by-one, and would thus prefer to see these > commands in the one-package form with the applicable package name. > Otherwise I need to dig out the package name from the advisory title or > the RPM links (sometimes harder than it sounds, if there are version > numbers built in) or face up to building an exception list. If you want to upgrade the packages one by one just download them manually from the fedora site. Yum can probably be configured to just download and to keep the rpms in its spool directory. > Thanks a lot, > > Mitch Marks > > From pekkas at netcore.fi Tue Oct 26 14:53:28 2004 From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 26 Oct 2004 17:53:28 +0300 (EEST) Subject: XFree86 new issues [Re: Round-up, 2004-10-22] In-Reply-To: <20041022000522.GA4396@home.thedom.org> References: <20041022000522.GA4396@home.thedom.org> Message-ID: On Fri, 22 Oct 2004, Dominic Hargreaves wrote: > $Id: issues.txt,v 1.116 2004/10/22 00:03:03 dom Exp $ Umm, I'm confused. 2004-10-06 was the last round-up which mentioned XFree86 (fixing CAN-2004-0419). On 2004-10-04, RHEL3 released advisory https://rhn.redhat.com/errata/RHSA-2004-478.html with additional CAN's. The package with insufficient fixes is still in updates-testing. What should have happened or should happen? -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings From dom at earth.li Tue Oct 26 15:27:56 2004 From: dom at earth.li (Dominic Hargreaves) Date: Tue, 26 Oct 2004 16:27:56 +0100 Subject: XFree86 new issues [Re: Round-up, 2004-10-22] In-Reply-To: References: <20041022000522.GA4396@home.thedom.org> Message-ID: <20041026152756.GO15895@tirian.magd.ox.ac.uk> On Tue, Oct 26, 2004 at 05:53:28PM +0300, Pekka Savola wrote: > 2004-10-06 was the last round-up which mentioned XFree86 (fixing > CAN-2004-0419). 
On 2004-10-04, RHEL3 released advisory > https://rhn.redhat.com/errata/RHSA-2004-478.html with additional > CAN's. The package with insufficient fixes is still in > updates-testing. > > What should have happened or should happen? The relevant bug is https://bugzilla.fedora.us/show_bug.cgi?id=2075. It is listed under libxpm in the roundup. Builds are pending. Cheers, Dominic. From ral77 at bellsouth.net Tue Oct 26 15:17:34 2004 From: ral77 at bellsouth.net (ral77) Date: Tue, 26 Oct 2004 11:17:34 -0400 Subject: [Fwd: Fake RedHat - Fedora Security Patch / Trojan Source Code & Analysis] Message-ID: <417E6A8E.7050801@bellsouth.net> Received this today (10/26/2004) on the bugtraq at securityfocus.com mailing list. May be of interest to the Fedora legacy group. Best regards, ral -------------- next part -------------- An embedded message was scrubbed... From: K-OTiK Security Subject: Fake RedHat - Fedora Security Patch / Trojan Source Code & Analysis Date: 25 Oct 2004 19:06:37 -0000 Size: 1975 URL: From joey at clean.q7.com Wed Oct 27 02:58:13 2004 From: joey at clean.q7.com (Joe Pruett) Date: Tue, 26 Oct 2004 19:58:13 -0700 (PDT) Subject: followup to kernel-source issue Message-ID: i finally figured out that to get the kernel-source rpm to update with apt-get, you have to: rpm -e kernel-source apt-get install kernel-source#2.4.20-37.9.legacy given that you can actually do kernel upgrades via the RPM::Upgrade-Kernel option, it would certainly be nice to have a way to get the source updates automatically as well. even if it does like the kernel and does an install instead of an upgrade. i've peeked at the lua scripts and don't see any obvious way to make them get the sources if already installed. am i just out to lunch here? 
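A pre-flight check for the /etc/sysconfig/rhn/sources problem Charles R. Anderson reports earlier in this archive, where three yum entries all carry the label "os". This is an added example, not part of any message on the list and not part of up2date; the function names and the assumed entry layout (type, label, URL) are illustrative.

```shell
#!/bin/sh
# find_duplicate_labels FILE
# Prints one line per repository label used by more than one entry in an
# up2date "sources" file and returns 1 if any duplicate is found.
# Assumption: entries look like "<type> <label> <url> ...", as in the yum
# lines quoted in the message. Comment lines and lines with fewer than
# three fields are skipped.
find_duplicate_labels() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        {
            # remember labels in order of first appearance
            if (!($2 in count)) order[++n] = $2
            count[$2]++
            where[$2] = where[$2] (where[$2] == "" ? "" : ",") NR
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                label = order[i]
                if (count[label] > 1) {
                    printf "duplicate label \"%s\" on lines %s\n", label, where[label]
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# The configuration from the documentation page, as quoted in the message.
write_broken_sample() {
    cat <<'EOF'
# Fedora Legacy FC1 os repository
yum os http://download.fedoralegacy.org/fedora/1/os/i386/
# Fedora Legacy FC1 updates repository
yum os http://download.fedoralegacy.org/fedora/1/updates/i386/
# Fedora Legacy FC1 legacy-utils repository
yum os http://download.fedoralegacy.org/fedora/1/legacy-utils/i386/
EOF
}

# The corrected configuration from the same message.
write_fixed_sample() {
    cat <<'EOF'
# Fedora Legacy FC1 os repository
yum os http://download.fedoralegacy.org/fedora/1/os/i386/
# Fedora Legacy FC1 updates repository
yum updates http://download.fedoralegacy.org/fedora/1/updates/i386/
# Fedora Legacy FC1 legacy-utils repository
yum legacy-utils http://download.fedoralegacy.org/fedora/1/legacy-utils/i386/
EOF
}

# Demonstration on temporary copies; point the function at the real
# /etc/sysconfig/rhn/sources to check a live system.
tmp=$(mktemp -d)
write_broken_sample > "$tmp/sources.broken"
write_fixed_sample  > "$tmp/sources.fixed"
find_duplicate_labels "$tmp/sources.broken" || echo "broken sample: labels must be made unique"
find_duplicate_labels "$tmp/sources.fixed" && echo "fixed sample: labels are unique"
rm -rf "$tmp"
```

A non-zero return makes the function usable as a gate in a provisioning script, so a host with colliding labels is flagged before it is relied on to pull security updates.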
From mattdm at mattdm.org Wed Oct 27 03:09:28 2004 From: mattdm at mattdm.org (Matthew Miller) Date: Tue, 26 Oct 2004 23:09:28 -0400 Subject: followup to kernel-source issue In-Reply-To: References: Message-ID: <20041027030928.GA24867@jadzia.bu.edu> On Tue, Oct 26, 2004 at 07:58:13PM -0700, Joe Pruett wrote: > i finally figured out that to get the kernel-source rpm to update with > apt-get, you have to: > rpm -e kernel-source > apt-get install kernel-source#2.4.20-37.9.legacy > given that you can actually do kernel upgrades via the RPM::Upgrade-Kernel > option, it would certainly be nice to have a way to get the source > updates automatically as well. even if it does like the kernel and does > an install instead of an upgrade. i've peeked at the lua scripts and > don't see any obvious way to make them get the sources if already > installed. am i just out to lunch here? Well, the kernel-source package is going away in newer versions of Fedora. So, I wouldn't worry about it too much. Also, the "rpm -e" step should be unnecessary.... -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From joey at clean.q7.com Wed Oct 27 05:49:57 2004 From: joey at clean.q7.com (Joe Pruett) Date: Tue, 26 Oct 2004 22:49:57 -0700 (PDT) Subject: followup to kernel-source issue In-Reply-To: <20041027030928.GA24867@jadzia.bu.edu> Message-ID: kernel-source will probably stay around for versions that used to have it (rh7.3, rh9, etc), so this problem won't be going away anytime soon. From mattdm at mattdm.org Wed Oct 27 13:07:17 2004 From: mattdm at mattdm.org (Matthew Miller) Date: Wed, 27 Oct 2004 09:07:17 -0400 Subject: followup to kernel-source issue In-Reply-To: References: <20041027030928.GA24867@jadzia.bu.edu> Message-ID: <20041027130717.GA10084@jadzia.bu.edu> On Tue, Oct 26, 2004 at 10:49:57PM -0700, Joe Pruett wrote: > kernel-source will probably stay around for versions that used to have it > (rh7.3, rh9, etc), so this problem won't be going away anytime soon. 
In one way. In the other, you can just _pretend_ it doesn't exist. (I'm joking but I'm serious.) -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From bingo at netplaza.fi Sun Oct 24 10:43:24 2004 From: bingo at netplaza.fi (Heikki Kortti) Date: Sun, 24 Oct 2004 13:43:24 +0300 (EEST) Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities In-Reply-To: <20041018094034.GA14851@home.thedom.org> Message-ID: On Mon, 18 Oct 2004, Dominic Hargreaves wrote: > Please note that this update is also available via yum and apt. Many > people find this an easier way to apply updates. To use yum issue: > > yum update Hasn't anyone noticed that this does not really work for kernel packages? Yum 2.0.7-1 shows that the kernel update is available (with check-update), but "yum update" results in yum pulling up a blank: # yum --version 2.0.7 # yum check-update Gathering header information file(s) from server(s) Server: Red Hat Linux 9 - i386 - Base Server: Red Hat Linux 9 - Updates Finding updated packages Downloading needed headers Name Arch Version Repo ------------------------------------------------------------------------ kernel i386 2.4.20-37.9.legacy updates # yum update Gathering header information file(s) from server(s) Server: Red Hat Linux 9 - i386 - Base Server: Red Hat Linux 9 - Updates Finding updated packages Downloading needed headers Resolving dependencies Dependencies resolved I will do the following: Is this ok [y/N]: N Exiting on user command. Same goes also with "yum update kernel". Yum config is pretty much normal with only some additional mirrors set. Of course "yum install kernel" works OK (and should be recommended anyway), so it might be a good idea to advise users to do that instead. Although this does not solve that fact that the yum behaviour in the above case is downright counterintuitive... 
-- Heikki Kortti From eric.rostetter at physics.utexas.edu Tue Oct 26 13:40:53 2004 From: eric.rostetter at physics.utexas.edu (Eric Rostetter) Date: Tue, 26 Oct 2004 08:40:53 -0500 Subject: Website: bug in FC1 up2date docs In-Reply-To: <20041026031530.GM28232@angus.ind.WPI.EDU> References: <20041026031530.GM28232@angus.ind.WPI.EDU> Message-ID: <1098798053.8775f81628232@mail.ph.utexas.edu> Quoting "Charles R. Anderson" : > I just helped someone with up2date on the IRC channel, we discovered a > documentation bug: > > http://www.fedoralegacy.org/docs/up2date-fc1-reconfigure.php > Fixed. -- Eric Rostetter The Department of Physics The University of Texas at Austin Why get even? Get odd! From dom at earth.li Wed Oct 27 09:17:53 2004 From: dom at earth.li (Dominic Hargreaves) Date: Wed, 27 Oct 2004 10:17:53 +0100 Subject: [FLSA-2004:2089] Updated mozilla packages fix security vulnerabilities Message-ID: <20041027091751.GA28216@home.thedom.org> ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated mozilla resolves security vulnerabilities Advisory ID: FLSA:2089 Issue date: 2004-10-27 Product: Red Hat Linux Product: Fedora Core Keywords: Security Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2089 CVE Names: CAN-2003-0564, CAN-2004-0191, CAN-2003-0594, CAN-2004-0722, CAN-2004-0597, CAN-2004-0599, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759, CAN-2004-0760, CAN-2004-0718, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763, CAN-2004-0764, CAN-2004-0765, CAN-2004-0905, CAN-2004-0904, CAN-2004-0903, CAN-2004-0908, CAN-2004-0902 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: Updated mozilla, galeon and epiphany packages that fix multiple vulnerabilities are now available. Mozilla is an open-source Web browser, designed for standards compliance, performance, and portability. 2. 
Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Note that some of these issues have already been fixed in Redhat 9 and Fedora Core 1. Please refer to previous advisories for details. NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue. Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue. Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue. 
Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to this issue. During a source code audit, Chris Evans discovered a buffer overflow and integer overflows which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed. (CAN-2004-0597, CAN-2004-0599) Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla. (CAN-2004-0757) Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages, as the malicious certificate is treated as invalid. (CAN-2004-0758) Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a user's machine without requiring confirmation. (CAN-2004-0759) Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type. (CAN-2004-0760) Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates website spoofing and other attacks, also known as the frame injection vulnerability. (CAN-2004-0718) Tolga Tarhan reported a flaw that can allow a malicious webpage to use a redirect sequence to spoof the security lock icon that makes a webpage appear to be encrypted. 
(CAN-2004-0761) Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. (CAN-2004-0762) Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious websites to spoof certificates of trusted websites via redirects and Javascript that uses the "onunload" method. (CAN-2004-0763) Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. (CAN-2004-0764) The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path. (CAN-2004-0765) Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue. Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue. Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. 
An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue. Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue. Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature. It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs/ for directions on how to configure yum and apt-get. 5. 
Bug IDs fixed: http://bugzilla.fedora.us - 1532 - Mozilla 1.4.2 fixes various vulns http://bugzilla.fedora.us - 1834 - Mozilla < 1.4.3 multiple flaws http://bugzilla.fedora.us - 2089 - Mozilla < 1.7.3 multiple flaws 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.4.3-0.7.1.legacy.src.rpm http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.13-0.7.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.4.3-0.7.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.13-0.7.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.4.3-0.9.1.legacy.src.rpm http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.13-0.9.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.4.3-0.9.1.legacy.i386.rpm 
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.4.3-0.9.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.13-0.9.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.4.3-1.fc1.1.legacy.src.rpm http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.4-2.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.4.3-1.fc1.1.legacy.i386.rpm 
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.4.3-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.4-2.4.legacy.i386.rpm 7. Verification: 
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: https://rhn.redhat.com/errata/RHSA-2004-110.html https://rhn.redhat.com/errata/RHSA-2004-383.html https://rhn.redhat.com/errata/RHSA-2004-486.html 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- From list_fedoralegacy at 7global.com Wed Oct 27 11:21:47 2004 From: list_fedoralegacy at 7global.com (Jonathan Hunter) Date: Wed, 27 Oct 2004 12:21:47 +0100 Subject: followup to kernel-source issue Message-ID: Matthew Miller wrote: > Well, the kernel-source package is going away in newer > versions of Fedora. Does anybody know if the package is being replaced by an equivalent? Is the kernel source provided elsewhere? 
When building Compaq/HP servers, I've found that I need the kernel-source package in order to compile the hpasm drivers - HP invariably doesn't supply a version of hpasm to match the exact kernel package I'm using at the time. Cheers, Jonathan From dom at earth.li Wed Oct 27 16:02:54 2004 From: dom at earth.li (Dominic Hargreaves) Date: Wed, 27 Oct 2004 17:02:54 +0100 Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities In-Reply-To: References: <20041018094034.GA14851@home.thedom.org> Message-ID: <20041027160254.GW15895@tirian.magd.ox.ac.uk> On Sun, Oct 24, 2004 at 01:43:24PM +0300, Heikki Kortti wrote: > Hasn't anyone noticed that this does not really work for kernel packages? > Yum 2.0.7-1 shows that the kernel update is available (with check-update), > but "yum update" results in yum pulling up a blank: [snip] > Of course "yum install kernel" works OK (and should be recommended > anyway), so it might be a good idea to advise users to do that instead. > Although this does not solve that fact that the yum behaviour in the above > case is downright counterintuitive... Noted for future advisories. Cheers, Dominic. From skvidal at phy.duke.edu Wed Oct 27 17:01:58 2004 From: skvidal at phy.duke.edu (seth vidal) Date: Wed, 27 Oct 2004 13:01:58 -0400 Subject: [FLSA-2004:1804] Updated kernel resolves security vulnerabilities In-Reply-To: References: Message-ID: <1098896518.1834.15.camel@opus.phy.duke.edu> On Sun, 2004-10-24 at 06:43, Heikki Kortti wrote: > On Mon, 18 Oct 2004, Dominic Hargreaves wrote: > > > Please note that this update is also available via yum and apt. Many > > people find this an easier way to apply updates. To use yum issue: > > > > yum update > > Hasn't anyone noticed that this does not really work for kernel packages? 
> Yum 2.0.7-1 shows that the kernel update is available (with check-update), > but "yum update" results in yum pulling up a blank: > > # yum --version > 2.0.7 > # yum check-update > Gathering header information file(s) from server(s) > Server: Red Hat Linux 9 - i386 - Base > Server: Red Hat Linux 9 - Updates > Finding updated packages > Downloading needed headers > Name Arch Version Repo > ------------------------------------------------------------------------ > kernel i386 2.4.20-37.9.legacy updates > > # yum update > Gathering header information file(s) from server(s) > Server: Red Hat Linux 9 - i386 - Base > Server: Red Hat Linux 9 - Updates > Finding updated packages > Downloading needed headers > Resolving dependencies > Dependencies resolved > I will do the following: > Is this ok [y/N]: N > Exiting on user command. This means your system changed from i586->i686 or vice versa and now it is confused about what it is. If you install yum 2.0.8 you'll see why this is occurring. -sv From michal at harddata.com Wed Oct 27 18:55:46 2004 From: michal at harddata.com (Michal Jaegermann) Date: Wed, 27 Oct 2004 12:55:46 -0600 Subject: followup to kernel-source issue In-Reply-To: ; from list_fedoralegacy@7global.com on Wed, Oct 27, 2004 at 12:21:47PM +0100 References: Message-ID: <20041027125546.E13191@mail.harddata.com> On Wed, Oct 27, 2004 at 12:21:47PM +0100, Jonathan Hunter wrote: > Matthew Miller wrote: > > > Well, the kernel-source package is going away in newer > > versions of Fedora. > > Does anybody know if the package is being replaced by an equivalent? Is the > kernel source provided elsewhere? 
> > When building Compaq/HP servers, I've found that I need the kernel-source > package in order to compile the hpasm drivers Pieces you need to compile external modules are available, for current Fedora releases, in /lib/modules//build/ (you can use simply /lib/modules/$(uname -r)/build if this is for the currently running kernel) and "sane" modules, which in particular do not require patching your kernel, do build with that. This is just a part of 'kernel', or 'kernel-smp', packages you likely installed if you do not have some troubles with booting. :-) If every module you may want is "sane" this is a good question. If you really need sources (may happen, but probably not) then after rpm -i kernel.src.rpm rpmbuild -bp --arch=noarch /some/path/to/kernel.spec you have a source, with all patches applied, from which that kernel was built. It is highly advisable NOT to do things of that sort from a 'root' account but to define in ~/.rpmmacros your own %_topdir and work there. Do not forget to create required subdirectories; you may copy them from /usr/src/redhat/. Michal From leonard at den.ottolander.nl Sat Oct 30 12:10:45 2004 From: leonard at den.ottolander.nl (Leonard den Ottolander) Date: Sat, 30 Oct 2004 14:10:45 +0200 Subject: lslR in the download tree Message-ID: <1099138245.4788.55.camel@athlon.localdomain> Hi, Would it be a big trouble to put lslR files in the download tree at download.fedora.us? This might help in locating packages if one isn't sure whether they are stable or in testing. Leonard. 
-- mount -t life -o ro /dev/dna /genetic/research From leonard at den.ottolander.nl Sat Oct 30 12:13:30 2004 From: leonard at den.ottolander.nl (Leonard den Ottolander) Date: Sat, 30 Oct 2004 14:13:30 +0200 Subject: lslR in the download tree In-Reply-To: <1099138245.4788.55.camel@athlon.localdomain> References: <1099138245.4788.55.camel@athlon.localdomain> Message-ID: <1099138410.4788.61.camel@athlon.localdomain> Hi, I wrote: > Would it be a big trouble to put lslR files in the download tree at > download.fedora.us? This might help in locating packages if one isn't > sure whether they are stable or in testing. This question was actually meant to be about Fedora US, but hey, can't do any harm for Fedora Legacy either :) . Leonard. -- mount -t life -o ro /dev/dna /genetic/research From jkeating at j2solutions.net Sat Oct 30 18:53:11 2004 From: jkeating at j2solutions.net (Jesse Keating) Date: Sat, 30 Oct 2004 11:53:11 -0700 Subject: lslR in the download tree In-Reply-To: <1099138410.4788.61.camel@athlon.localdomain> References: <1099138245.4788.55.camel@athlon.localdomain> <1099138410.4788.61.camel@athlon.localdomain> Message-ID: <200410301153.16543.jkeating@j2solutions.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 30 October 2004 05:13, Leonard den Ottolander wrote: > This question was actually meant to be about Fedora US, but hey, can't > do any harm for Fedora Legacy either :) . Is something like this what you would want: http://download.fedoralegacy.org/tree - -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBg+Mb4v2HLvE71NURAtG6AKC0Z6Jm8/f9Xh0agDC+Yay1YXu4RwCcDq2V
wt8UtRMsSkHj1B8OVN/s7hU=
=4ZxB
-----END PGP SIGNATURE-----

From leonard at den.ottolander.nl Sun Oct 31 09:59:03 2004
From: leonard at den.ottolander.nl (Leonard den Ottolander)
Date: Sun, 31 Oct 2004 10:59:03 +0100
Subject: lslR in the download tree
In-Reply-To: <200410301153.16543.jkeating@j2solutions.net>
References: <1099138245.4788.55.camel@athlon.localdomain> <1099138410.4788.61.camel@athlon.localdomain> <200410301153.16543.jkeating@j2solutions.net>
Message-ID: <1099216742.4808.3.camel@athlon.localdomain>

Hello Jesse,

On Sat, 2004-10-30 at 20:53, Jesse Keating wrote:
> Is something like this what you would want:
>
> http://download.fedoralegacy.org/tree

Yes! Did you just put this up there or has it been there all along?
Either way, please put a link on the root page.

Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

From jkeating at j2solutions.net Sun Oct 31 10:15:24 2004
From: jkeating at j2solutions.net (Jesse Keating)
Date: Sun, 31 Oct 2004 03:15:24 -0700
Subject: lslR in the download tree
In-Reply-To: <1099216742.4808.3.camel@athlon.localdomain>
References: <1099138245.4788.55.camel@athlon.localdomain> <200410301153.16543.jkeating@j2solutions.net> <1099216742.4808.3.camel@athlon.localdomain>
Message-ID: <200410310215.25628.jkeating@j2solutions.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 31 October 2004 01:59, Leonard den Ottolander wrote:
> Yes! Did you just put this up there or has it been there all along?
> Either way, please put a link on the root page.

I just put this up today, wanted to get opinions of the list before I made
it a link and incorporated it into my upload scripts.

- --
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBhLs84v2HLvE71NURAlu8AKCzNZu/t70er+IUjtmEQOVFU/RjrwCZAW0b
Dghltr6HFvHLkn/KT0UrUR4=
=rHxN
-----END PGP SIGNATURE-----

From jonny.strom at netikka.fi Sun Oct 31 10:11:32 2004
From: jonny.strom at netikka.fi (Johnny Strom)
Date: Sun, 31 Oct 2004 12:11:32 +0200
Subject: lslR in the download tree
In-Reply-To: <200410310215.25628.jkeating@j2solutions.net>
References: <1099138245.4788.55.camel@athlon.localdomain> <200410301153.16543.jkeating@j2solutions.net> <1099216742.4808.3.camel@athlon.localdomain> <200410310215.25628.jkeating@j2solutions.net>
Message-ID: <4184BA54.9070502@netikka.fi>

Hi

Another thing, is bugzilla down?

Jesse Keating wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday 31 October 2004 01:59, Leonard den Ottolander wrote:
>
>>Yes! Did you just put this up there or has it been there all along?
>>Either way, please put a link on the root page.
>
>
> I just put this up today, wanted to get opinions of the list before I made
> it a link and incorporated it into my upload scripts.
>
> - --
> Jesse Keating RHCE (http://geek.j2solutions.net)
> Fedora Legacy Team (http://www.fedoralegacy.org)
> GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
>
> Was I helpful?
> Let others know:
> http://svcs.affero.net/rm.php?r=jkeating
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFBhLs84v2HLvE71NURAlu8AKCzNZu/t70er+IUjtmEQOVFU/RjrwCZAW0b
> Dghltr6HFvHLkn/KT0UrUR4=
> =rHxN
> -----END PGP SIGNATURE-----
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list

From David at DAnthrope.com Sun Oct 31 21:02:11 2004
From: David at DAnthrope.com (David Anthrope)
Date: Sun, 31 Oct 2004 16:02:11 -0500
Subject: installing yum
Message-ID: <004c01c4bf8c$e440b8b0$330a0a0a@hal>

I have an RH9 system that I want to configure to use yum
(which I want to auto-update my system with Fedora Legacy's updates).

I am reading intently, beginning with the setup How-To at
http://fedoralegacy.org/docs/yum-rh9.php

which claims in step 2

    To install yum, use the following command as the root user on your
    machine:
    # rpm -ivh
    http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
    .rh90.noarch.rpm

Unfortunately my system is responding with the following error:

    Retrieving
    http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
    .rh90.noarch.rpm
    error: skipping
    http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
    .rh90.noarch.rpm - transfer failed - Unknown or unexpected error

I tried to poke around and find the package manually but to no avail.

Can some kind soul PLEASE point me to the proper place?

Regards,
--
David Anthrope
mailto://David at DAnthrope.com
http://www.DAnthrope.com
--

From limb at jcomserv.net Sun Oct 31 21:21:50 2004
From: limb at jcomserv.net (Jon Ciesla)
Date: Sun, 31 Oct 2004 15:21:50 -0600 (CST)
Subject: installing yum
In-Reply-To: <004c01c4bf8c$e440b8b0$330a0a0a@hal>
References: <004c01c4bf8c$e440b8b0$330a0a0a@hal>
Message-ID: <4057.65.192.24.164.1099257710.squirrel@65.192.24.164>

You might try
http://www.hut.fi/~tkarvine/linux/misc-rpms/yum-2.0.3-0.fdr.1.rh90.noarch.rpm.
I've not tested it though, as I have no RH9 machines, so YMMV.

Jon

> I have an RH9 system that I want to configure to use yum
> (which I want to auto-update my system with Fedora Legacy's updates).
>
> I am reading intently, beginning with the setup How-To at
> http://fedoralegacy.org/docs/yum-rh9.php
>
> which claims in step 2
>
> To install yum, use the following command as the root user on your
> machine:
> # rpm -ivh
> http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
> .rh90.noarch.rpm
>
>
> Unfortunately my system is responding with the following error:
>
> Retrieving
> http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
> .rh90.noarch.rpm
> error: skipping
> http://download.fedora.us/fedora/redhat/9/i386/RPMS.stable/yum-2.0.3-0.fdr.1
> .rh90.noarch.rpm - transfer failed - Unknown or unexpected error
>
>
> I tried to poke around and find the package manually but to no avail.
>
> Can some kind soul PLEASE point me to the proper place?
>
> Regards,
> --
> David Anthrope
> mailto://David at DAnthrope.com
> http://www.DAnthrope.com
> --
>
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list
>

--
Coppula eam, se non posit acceptera jocularum!
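
Added example, not part of the original thread: when a package such as the yum RPM above is fetched from an alternate location, `rpm -K` can gate the install on a signature that verifies against a key already imported with `rpm --import`. The function names and the sample output lines in the comments are constructed for illustration; the case worth noticing is that a digests-only line still ends in OK although the package carries no signature.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Output formats in the comments are
# constructed samples modelled on what rpm 4.x prints for `rpm -K <file>`.

# Classify one line of `rpm -K` output.
# Prints one of: signed-ok | unsigned | missing-key | bad
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK            -> signed-ok
#   pkg.rpm: sha1 md5 OK                           -> unsigned (digests only)
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...) -> missing-key
classify_checksig() {
    local result="${1#*: }"          # strip the leading "<file>: "
    case "$result" in
        *"NOT OK"*)
            case "$result" in
                *"MISSING KEYS"*) echo missing-key ;;
                *)                echo bad ;;
            esac ;;
        *OK)
            # Lower-case names are checks that passed. Digest names alone
            # (sha1, md5, digests) mean nothing was signed.
            case " $result " in
                *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
                    echo signed-ok ;;
                *)  echo unsigned ;;
            esac ;;
        *)  echo bad ;;
    esac
}

# Hypothetical wrapper: download to disk, check, install only when signed-ok.
# Assumes the packager's public key was imported beforehand with
# `rpm --import`, obtained from a source independent of the mirror.
install_if_signed() {
    local url="$1" file verdict rc
    file=$(mktemp) || return 1
    curl -fsSL -o "$file" "$url" || { rm -f "$file"; return 1; }
    verdict=$(classify_checksig "$(rpm -K "$file" 2>&1 | tail -n 1)")
    if [ "$verdict" = signed-ok ]; then
        rpm -ivh "$file"; rc=$?
    else
        echo "refusing $url: signature check says '$verdict'" >&2; rc=1
    fi
    rm -f "$file"
    return "$rc"
}

if [ "$#" -gt 0 ]; then install_if_signed "$1"; fi
```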