From yon at webbox.co.za Fri Jul 1 17:00:08 2005
From: yon at webbox.co.za (yon rosenthal)
Date: Fri, 1 Jul 2005 19:00:08 +0200
Subject: security of a new redhat 7.3 install
Message-ID: <006b01c57e5e$58f739f0$7903a8c0@yonlaptop>

Hi

I'm guessing that this question has already been asked and answered, but
could not find it in the archives.

I need to setup a new redhat 7.3 box - if I run yum as instructed on
http://www.fedoralegacy.org/docs/yum-rh7x.php will all the necessary
security patches be applied? I'm concerned that you need to have been
running the Red Hat Update agent for the period that it was available.

Thanks in advance,
Yon

From jkeating at j2solutions.net Fri Jul 1 17:23:28 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Fri, 01 Jul 2005 10:23:28 -0700
Subject: security of a new redhat 7.3 install
In-Reply-To: <006b01c57e5e$58f739f0$7903a8c0@yonlaptop>
References: <006b01c57e5e$58f739f0$7903a8c0@yonlaptop>
Message-ID: <1120238608.12159.19.camel@prometheus.gamehouse.com>

On Fri, 2005-07-01 at 19:00 +0200, yon rosenthal wrote:
> Hi
>
> I'm guessing that this question has already been asked and answered,
> but
> could not find it in the archives.
>
> I need to setup a new redhat 7.3 box - if I run yum as instructed on
> http://www.fedoralegacy.org/docs/yum-rh7x.php will all the necessary
> security patches be applied? I'm concerned that you need to have been
> running the Red Hat Update agent for the period that it was available.

We archived all the Red Hat provided updates, so using our mirror and
making sure the updates repository is enabled, you will be updated with
as much as we have done. We have a longer lead time on security updates
so there is a possibility that you could still be vulnerable.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From yon at webbox.co.za Fri Jul 1 17:27:06 2005
From: yon at webbox.co.za (yon rosenthal)
Date: Fri, 1 Jul 2005 19:27:06 +0200
Subject: security of a new redhat 7.3 install
In-Reply-To: <1120238608.12159.19.camel@prometheus.gamehouse.com>
Message-ID: <007501c57e62$1dfe5870$7903a8c0@yonlaptop>

Great. Thanks for the speedy reply.

Just not quite sure what you mean by ' making sure the updates
repository is enabled'? Do you mean automatic updates?

Thanks,
Yon

-----Original Message-----
From: fedora-legacy-list-bounces at redhat.com
[mailto:fedora-legacy-list-bounces at redhat.com] On Behalf Of Jesse Keating
Sent: 01 July 2005 07:23 PM
To: fedora-legacy-list at redhat.com
Subject: Re: security of a new redhat 7.3 install

On Fri, 2005-07-01 at 19:00 +0200, yon rosenthal wrote:
> Hi
>
> I'm guessing that this question has already been asked and answered,
> but
> could not find it in the archives.
>
> I need to setup a new redhat 7.3 box - if I run yum as instructed on
> http://www.fedoralegacy.org/docs/yum-rh7x.php will all the necessary
> security patches be applied? I'm concerned that you need to have been
> running the Red Hat Update agent for the period that it was available.

We archived all the Red Hat provided updates, so using our mirror and
making sure the updates repository is enabled, you will be updated with
as much as we have done. We have a longer lead time on security updates
so there is a possibility that you could still be vulnerable.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From beartooth at adelphia.net Fri Jul 1 18:05:08 2005
From: beartooth at adelphia.net (beartooth)
Date: Fri, 01 Jul 2005 14:05:08 -0400
Subject: If you upgrade to FC4
Message-ID:

I've just upgraded three machines with working installs -- one each of
FC1, 2,& 3 -- to FC4. Those with 2 & 3 did fine, without a hitch.

The FC1 machine hit a hard snag: it was failing yum update, leaving me
with a raw media version, which among other things couldn't run Pine, my
main app by an order of magnitude. The trouble was on my end, of course;
one of my gurux found it, and a quick & easy fix for it. That will
doubtless be blindingly obvious to the technically ept, but wasn't to me.

Turns out the upgrade from FC1 is different than from FC2 or 3; somewhere
along in there, big (and very good) changes were made in yum -- and maybe
that's the reason.

Anyway, FC2 & 3 changed their configurations automagically when I upgraded
to FC4; but FC4 kept the old yum.conf I had had on FC1, gave me a new
file, named yum.conf.rpmnew, to replace that with -- and didn't tell me
so, or if it did I missed it or failed to understand it.

I had spotted the fact that the old yum.conf was still FC1's (the legacy
one, not the original), and moved it to a new yum.conf.fc1 to get rid of
it; but I didn't know what to replace it with, much less that the
replacement was already there and waiting, until my excellent guru spotted
that.

So I simply went into /etc as root; did "mv yum.conf.rpmnew yum.conf";
ran yum update again; and now it worked.

Once I had a current FC4, Pine went back to working like the charm it
is.

--
Beartooth Neo-Redneck, Linux Evangelist
FC 1&4, YDL 4; Pine 4.63, Pan 0.14.2.91; Privoxy 3.0.3;
Dillo 0.8.5, Opera 8.01, Firefox 1.0.4, Epiphany 1.0.8
Remember that I have little idea what I am talking about.
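
The trap described in the post above (an upgrade that leaves yum.conf.rpmnew beside a stale yum.conf, so that yum update keeps failing) can be checked for directly after any upgrade. The following is an added example, not part of the original message: a POSIX shell function that uses find to list every .rpmnew and .rpmsave file under a directory and reports whether it differs from the live file. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report config files that an rpm upgrade left unmerged.
# Not code from the thread; function names are hypothetical.

# pending_rpm_configs ROOT
# Prints one line per leftover file: "<status> <leftover> <live file>"
#   SAME     leftover is byte-identical to the live file (safe to delete)
#   DIFFERS  contents differ; needs a manual merge or replacement
#   ORPHAN   the live file no longer exists
# Uses find rather than locate, so it does not depend on an up-to-date
# locate database. File names containing newlines are not supported.
pending_rpm_configs() {
    root=${1:-/etc}
    find "$root" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) -print |
    sort |
    while IFS= read -r leftover; do
        case $leftover in
            *.rpmnew)  live=${leftover%.rpmnew} ;;
            *.rpmsave) live=${leftover%.rpmsave} ;;
        esac
        if [ ! -e "$live" ]; then
            status=ORPHAN
        elif cmp -s "$leftover" "$live"; then
            status=SAME
        else
            status=DIFFERS
        fi
        printf '%s %s %s\n' "$status" "$leftover" "$live"
    done
}

# count_unmerged ROOT
# Prints how many leftovers still differ from the live file.
count_unmerged() {
    pending_rpm_configs "$1" | awk '$1 == "DIFFERS" { n++ } END { print n + 0 }'
}

# make_sample_tree
# Builds a constructed directory that mimics the situation in the post:
# an old yum.conf kept in place beside the packaged yum.conf.rpmnew, plus
# one leftover that is already identical to its live file.
# Prints the path of the new directory.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/sysconfig"
    printf '[main]\n# constructed: old FC1-era settings\n' > "$dir/yum.conf"
    printf '[main]\n# constructed: FC4 packaged defaults\n' > "$dir/yum.conf.rpmnew"
    printf 'EXAMPLE=yes\n' > "$dir/sysconfig/example"
    printf 'EXAMPLE=yes\n' > "$dir/sysconfig/example.rpmsave"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed tree; on a real host the call would be
# pending_rpm_configs /etc
sample=$(make_sample_tree)
pending_rpm_configs "$sample"
echo "unmerged: $(count_unmerged "$sample")"
rm -rf "$sample"
```

A DIFFERS line for yum.conf.rpmnew is the case from the post: the live file is still the old one and the packaged replacement is waiting to be reviewed.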
From skvidal at phy.duke.edu Fri Jul 1 18:46:34 2005
From: skvidal at phy.duke.edu (seth vidal)
Date: Fri, 01 Jul 2005 14:46:34 -0400
Subject: If you upgrade to FC4
In-Reply-To:
References:
Message-ID: <1120243594.31898.28.camel@cutter>

On Fri, 2005-07-01 at 14:05 -0400, beartooth wrote:
> I've just upgraded three machines with working installs -- one each of
> FC1, 2,& 3 -- to FC4. Those with 2 & 3 did fine, without a hitch.
>
> The FC1 machine hit a hard snag: it was failing yum update, leaving me
> with a raw media version, which among other things couldn't run Pine, my
> main app by an order of magnitude. The trouble was on my end, of course;
> one of my gurux found it, and a quick & easy fix for it. That will
> doubtless be blindingly obvious to the technically ept, but wasn't to me.
>
> Turns out the upgrade from FC1 is different than from FC2 or 3; somewhere
> along in there, big (and very good) changes were made in yum -- and maybe
> that's the reason.

yes - FC1 goes from a 2.4 kernel to a 2.6 kernel - and A LOT of other
changes.

> Anyway, FC2 & 3 changed their configurations automagically when I upgraded
> to FC4; but FC4 kept the old yum.conf I had had on FC1, gave me a new
> file, named yum.conf.rpmnew, to replace that with -- and didn't tell me
> so, or if it did I missed it or failed to understand it.

it told you - all those messages are outputted when yum runs.

> I had spotted the fact that the old yum.conf was still FC1's (the legacy
> one, not the original), and moved it to a new yum.conf.fc1 to get rid of
> it; but I didn't know what to replace it with, much less that the
> replacement was already there and waiting, until my excellent guru spotted
> that.

the .rpmnew file.

> So I simply went into /etc as root; did "mv yum.conf.rpmnew yum.conf";
> ran yum update again; and now it worked.
>
> Once I had a current FC4, Pine went back to working like the charm it
> is.

you will probably want to find a new pine rpm. If you're still running
the one from fc1 age you will want a new one - if only for security
reasons.

-sv

From michal at harddata.com Fri Jul 1 19:33:54 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Fri, 1 Jul 2005 13:33:54 -0600
Subject: If you upgrade to FC4
In-Reply-To: ; from beartooth@adelphia.net on Fri, Jul 01, 2005 at 02:05:08PM -0400
References:
Message-ID: <20050701133354.A12032@mail.harddata.com>

On Fri, Jul 01, 2005 at 02:05:08PM -0400, beartooth wrote:
>
> Anyway, FC2 & 3 changed their configurations automagically when I upgraded
> to FC4; but FC4 kept the old yum.conf I had had on FC1, gave me a new
> file, named yum.conf.rpmnew, to replace that with -- and didn't tell me
> so, or if it did I missed it or failed to understand it.

The most popular reason why you will end up with an .rpmnew file
is that rpm decided that the original configuration was modified
so it should not be blindly replaced. Sometimes this is really
the case and sometimes rpm seems to be overly cautious but it
should err on the side of safety if there are the slightest doubts.

In any case after an upgrade it is nearly mandatory to look at
various .rpmnew and .rpmsave files, especially in subdirectories
of /etc, and clean them up by merging old and new files, replacing
old files or removing what is not needed and this job can hardly
be made automatic.

BTW - when updating to FC4 from earlier releases there are two
possible major gotchas. One is that /etc/X11/X link should point
now to ../../usr/X11R6/bin/Xorg and if this was previously
../../usr/X11R6/bin/XFree86 then it may not be moved automatically.
In such case X will not start until you will do the change.

The other is that 'slocate.cron' will not do anything useful any
longer until you enable it in /etc/updatedb.conf, if you wish to do
that; so if you planned to use 'locate' to find all .rpmnew and
.rpmold files you may be in for a surprise. :-)

Michal

From pyz at brama.com Fri Jul 1 19:53:39 2005
From: pyz at brama.com (Max Pyziur)
Date: Fri, 1 Jul 2005 15:53:39 -0400 (EDT)
Subject: If you upgrade to FC4
In-Reply-To: <1120243594.31898.28.camel@cutter>
References: <1120243594.31898.28.camel@cutter>
Message-ID: <52576.156.77.108.70.1120247619.squirrel@webmail.brama.com>

[...]
>> Once I had a current FC4, Pine went back to working like the charm it
>> is.
>
> you will probably want to find a new pine rpm. If you're still running
> the one from fc1 age you will want a new one - if only for security
> reasons.

You can find new(-er) pre-compiled rpms here:
http://dag.wieers.com/packages/pine/

Or you can download the latest source rpm (pine-4.63-1.rf.src.rpm)
and compile it for your installation (since there are no pre-compileds
for FC4).

As root
rpm -ivh pine-4.63-1.rf.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb --clean pine.spec
rpm -ivh /usr/src/redhat/RPMS/i386/pine-4.63-1.rf.i386.rpm

and then test to see that it works.

> -sv

Max Pyziur
pyz at brama.com

From beartooth at adelphia.net Sat Jul 2 19:37:27 2005
From: beartooth at adelphia.net (beartooth)
Date: Sat, 02 Jul 2005 15:37:27 -0400
Subject: If you upgrade to FC4
References: <1120243594.31898.28.camel@cutter>
Message-ID:

On Fri, 01 Jul 2005 14:46:34 -0400, seth vidal wrote:

> On Fri, 2005-07-01 at 14:05 -0400, beartooth wrote:
>> I've just upgraded three machines with working installs -- one each of
>> FC1, 2,& 3 -- to FC4.
[....]
>> Turns out the upgrade from FC1 is different than from FC2 or 3;
>> somewhere along in there, big (and very good) changes were made in yum
>> -- and maybe that's the reason.
>
> yes - FC1 goes from a 2.4 kernel to a 2.6 kernel - and A LOT of other
> changes.

The specifics are over my head; I had heard, likely on this list, that
they were big; and would've seen it at a glance if I hadn't. My praises
and congratulations to the developers, with great thanks! For FC4 overall,
and yum in particular.

>> [....] -- and didn't tell me
>> so, or if it did I missed it or failed to understand it.
>
> it told you - all those messages are outputted when yum runs.

Not while the installer runs?? (I'd've expected it there, maybe in big
boldface red letters .... -- no, not literally red.)

Then it may be a relevant accident that I just happened to hit the
downtime on the RH server -- which Alexander Dalloz had just announced on
gmane's fedora.general list when I looked -- and only gradually realized
it couldn't've been down so long as my end was beginning to make it look.

>
>>...but I didn't know what to replace it with, much less
>> that the replacement was already there and waiting, until my excellent
>> guru spotted that.
>
> the .rpmnew file.

Yes. What I'm saying is that I hadn't known that. And fwiw, I had an email
within ten minutes or so of my post, from another user who'd been in the
same boat.

Fwiw, past experience suggests it's exactly this sort of unawareness that
Alpha Plus Technoids can no longer imagine; that's one reason I posted.

Is there a good explanation of .rpmnew files somewhere, in terms a
subtechnoid can follow? I don't recall ever hearing of them till now.

>> Once I had a current FC4, Pine went back to working like the charm it
>> is.
>
> you will probably want to find a new pine rpm. If you're still running
> the one from fc1 age you will want a new one - if only for security
> reasons.

Done in advance, as a matter of fact. I had tried several ways to get pine
running even before I got my yum.conf straightened out; one of those had
been to do rpm -e pine, download the rpm from UW (There wasn't, and as of
five minutes ago still isn't, an rpm for FC4 on Dag's site yet.), and try
to do rpm -ivh -- which reported it did install. But only when I had FC4
updated would it launch -- even though I had also installed the dependency
it asked for.

--
Beartooth Neo-Redneck, Linux Evangelist
FC 1&4, YDL 4; Pine 4.63, Pan 0.14.2.91; Privoxy 3.0.3;
Dillo 0.8.5, Opera 8.01, Firefox 1.0.4, Epiphany 1.6.1
Remember that I have little idea what I am talking about.

From stefaan at webarama.com.au Sun Jul 3 04:37:16 2005
From: stefaan at webarama.com.au (Stefaan de Keersmaeker)
Date: Sun, 3 Jul 2005 14:37:16 +1000
Subject: Problem with shared libraries
Message-ID: <200507030508.j6358Haq001420@mx3.redhat.com>

RH9 System

# rpm -ivh mrtg-2.9.17-13.i386.rpm
error: Failed dependencies:
        libgd.so.1.8 is needed by mrtg-2.9.17-13
        libgd.so.1.8 is provided by gd-1.8.4-11.i386.rpm

# rpm -ivh gd-1.8.4-11.i386.rpm
Preparing... ########################################### [100%]
        package gd-2.0.23-hc1 (which is newer than gd-1.8.4-11) is already installed

OK
I do:
# locate libgd.so
/usr/lib/libgd.so.2
/usr/lib/libgd.so.2.0.0

As I have libgd.so.2 I make a symbolic link:

ln -s /usr/lib/libgd.so.2 /usr/lib/libgd.so.1.8

SO I got:
/usr/lib/libgd.so.1.8 -> /usr/lib/libgd.so.2
/usr/lib/libgd.so.2 -> libgd.so.2.0.0
/usr/lib/libgd.so.2.0.0

But still I get

# rpm -ivh mrtg-2.9.17-13.i386.rpm
error: Failed dependencies:
        libgd.so.1.8 is needed by mrtg-2.9.17-13

should that not be backward compatible with libgd.so.1.8?
And should the symbolic link not fix this issue?
Running ldconfig doesn't help either.

Tried the yum install mrtg and get an error along the same lines

Gathering header information file(s) from server(s)
Server: Red Hat Linux 9 - Base
Server: Fedora Legacy utilities for Red Hat Linux 9
Server: Red Hat Linux 9 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
....Unable to satisfy dependencies
Package mrtg needs libgd.so.1.8, this is not available.

I even copied this library from another RH9 system which does have this
installed but no good.

Should I force an RPM install of gd-1.8.4-11.i386.rpm ? Not sure about doing
that, can installing an older package create problems for the newer one or
can they coexist?

Maybe I'm missing something?

Ta

From kelson at speed.net Sun Jul 3 05:27:00 2005
From: kelson at speed.net (Kelson Vibber)
Date: Sat, 2 Jul 2005 22:27:00 -0700
Subject: If you upgrade to FC4
In-Reply-To:
References: <1120243594.31898.28.camel@cutter>
Message-ID: <5C932900-CA5F-42E3-9781-1BC401197E18@speed.net>

On Jul 2, 2005, at 12:37 PM, beartooth wrote:
> Is there a good explanation of .rpmnew files somewhere, in terms a
> subtechnoid can follow? I don't recall ever hearing of them till now.

When RPM upgrades a package, if it notices that you (or another
program) have customized a config file, it will do one of two
things: Either it will rename your existing file as
whatever.conf.rpmsave and create a new default config, or it will
leave your config in place and create the new config as
whatever.conf.rpmnew.

I'm not entirely sure how it decides which change to make. It may be
something the person who builds the package can define.

rpm -U will output a message saying something like "/etc/profile
saved as /etc/profile.rpmsave", and in my experience, yum has always
output these messages as it installs each package.

So after you do a major upgrade, you should look through /etc for
files ending in .rpmsave and .rpmnew, compare them to the current
config file, and decide whether to accept the new config, stick with
the old one, or pick and choose between them. Most of the time you
can get away with using the choice RPM made -- you don't *need* the
new command prompt for bash, or you want to keep your list of font
directories -- but sometimes something important has changed, and you
need to combine your customizations with the new config.

From bob at proulx.com Sun Jul 3 17:29:07 2005
From: bob at proulx.com (Bob Proulx)
Date: Sun, 3 Jul 2005 11:29:07 -0600
Subject: Problem with shared libraries
In-Reply-To: <200507030508.j6358Haq001420@mx3.redhat.com>
References: <200507030508.j6358Haq001420@mx3.redhat.com>
Message-ID: <20050703172907.GB8342@dementia.proulx.com>

Stefaan de Keersmaeker wrote:
> RH9 System
> # rpm -ivh mrtg-2.9.17-13.i386.rpm
> error: Failed dependencies:
>         libgd.so.1.8 is needed by mrtg-2.9.17-13

What is the exact dependency? This command should print that.

  rpm -q --requires mrtg-2.9.17-13

>         libgd.so.1.8 is provided by gd-1.8.4-11.i386.rpm
>
> # rpm -ivh gd-1.8.4-11.i386.rpm
> Preparing... ########################################### [100%]
>         package gd-2.0.23-hc1 (which is newer than gd-1.8.4-11) is already installed

What does gd-2.0.23-hc1 provide? This command should print that.

  rpm -q --provides gd-2.0.23-hc1

If the files do not conflict then you will have to --force the older
package onto the machine to override the rpm check on newer packages.
I hate to suggest --force. But I don't know of any other way around
this type of problem.

If you had installed the older package first and then run rpm -ivh on
the newer package there would be no issue and it would work. So an
alternate thing to do if you have both packages is to erase the newer
one, install the older one, install the newer one. If there are no
file conflicts then that should have the same effect.

I would check the package file contents and --force the older package
onto the machine if there are no file conflicts.

> OK
> I do:
> # locate libgd.so
> /usr/lib/libgd.so.2
> /usr/lib/libgd.so.2.0.0
>
> As I have libgd.so.2 I make a symbolic link:
>
> ln -s /usr/lib/libgd.so.2 /usr/lib/libgd.so.1.8
> [...pulled up..]
> should that not be backward compatible with libgd.so.1.8?

Because there was an SONAME change I will assume it was done for a
reason and that this won't work. The program might appear to run okay
in some cases. But it is not 100% guaranteed. It all depends on what
routines from the shared library are needed by a particular
application. That is why SONAMEs exist. To make this work in all
cases. In any event rpm won't know about this.

> But still I get
>
> # rpm -ivh mrtg-2.9.17-13.i386.rpm
> error: Failed dependencies:
>         libgd.so.1.8 is needed by mrtg-2.9.17-13

Right. Since rpm does not know about your symlink it still does not
have any package in the rpm database that provides libgd.so.1.8.

> And should the symbolic link not fix this issue?

No. The rpm database does not know about your symlink.

  rpm -q --whatprovides libgd.so.1.8

It still needs that requirement to be filled by something.

I have reached the 4kb mailing list limit so I will continue in a
second message...

Bob

From bob at proulx.com Sun Jul 3 17:31:42 2005
From: bob at proulx.com (Bob Proulx)
Date: Sun, 3 Jul 2005 11:31:42 -0600
Subject: Problem with shared libraries
In-Reply-To: <200507030508.j6358Haq001420@mx3.redhat.com>
References: <200507030508.j6358Haq001420@mx3.redhat.com>
Message-ID: <20050703173142.GC8342@dementia.proulx.com>

Continuing the split message that was over 4kb...

Stefaan de Keersmaeker wrote:
> Running ldconfig doesn't help either.

The ldconfig command is just a tool for managing those symlinks just
like the 'ln -s' from the command line. (But knowledgeable about
libraries and safer and so forth.) The rpm command does not know
about anything built by ldconfig either.

> I even copied this library from another RH9 system which does have this
> installed but no good.

The rpm database does not know about your copied file.

> Should I force an RPM install of gd-1.8.4-11.i386.rpm ? Not sure about doing
> that, can installing an older package create problems for the newer one or
> can they coexist?

Since they have different versions the packages can coexist on the
same system. But one of the problems of rpm is that the same package
name can exist on the system multiple times. This is a feature to
allow multiple versions of shared libraries to exist at the same time.
But if you --upgrade it removes the old package as it installs the new
package. So you have to know to --install newer packages onto the
system when there are multiple packages. And those multiple packages
need to have a non-overlapping set of files.

If one installs /usr/lib/libgd.so.1.8 and the other installs
/usr/lib/libgd.so.2.0 then there is no overlap and everything is fine.
But if one installs /usr/share/gd/README and the other installs
/usr/share/gd/README too then those packages overlap and would produce
a file conflict. That is bad.

In any case, you need to know these details in order to decide if you
can have both of them on the system at the same time and whether
--force is an okay thing to do in this case or not.

Bob

From bob at proulx.com Sun Jul 3 17:49:18 2005
From: bob at proulx.com (Bob Proulx)
Date: Sun, 3 Jul 2005 11:49:18 -0600
Subject: If you upgrade to FC4
In-Reply-To: <5C932900-CA5F-42E3-9781-1BC401197E18@speed.net>
References: <1120243594.31898.28.camel@cutter> <5C932900-CA5F-42E3-9781-1BC401197E18@speed.net>
Message-ID: <20050703174918.GD8342@dementia.proulx.com>

Kelson Vibber wrote:
> When RPM upgrades a package, if it notices that you (or another
> program) have customized a config file, it will do one of two
> things: Either it will rename your existing file as
> whatever.conf.rpmsave and create a new default config, or it will
> leave your config in place and create the new config as
> whatever.conf.rpmnew.
>
> I'm not entirely sure how it decides which change to make. It may be
> something the person who builds the package can define.

The rules surrounding conffiles are rather complicated. If the
packager marked the file as a config file then rpm has a default
behavior. It checks the md5sum of three files, the old file, the new
file and the current file.

* If the current file is not modified from the old package version
  then the file is replaced with the new version.

* If the current file is modified from the old package version but
  the new package version matches the old package version then the
  new package version is placed as .rpmnew.

* If the new package version is different from the old package
  version then the current file is renamed as .rpmsave and the new
  package version is installed.
Additionally a packager can mark the file not to ever replace the current file with %config(noreplace) to override the default behavior. > rpm -U will output a message saying something like "/etc/profile > saved as /etc/profile.rpmsave", and in my experience, yum has always > output these messages as it installs each package. Most packages don't handle upgrading configuration files very well. The person doing the upgrade needs to be told of the file so that they can manually walk through the configurations and fix up the configuration as needed. > So after you do a major upgrade, you should look through /etc for > files ending in .rpmsave and .rpmnew, compare them to the current > config file, and decide whether to accept the new config, stick with > the old one, or pick and choose between them. Most of the time you > can get away with using the choice RPM made -- you don't *need* the > new command prompt for bash, or you want to keep your list of font > directories -- but sometimes something important has changed, and you > need to combine your customizations with the new config. Agreed. Bob From listas at andreso.net Sun Jul 3 18:31:49 2005 From: listas at andreso.net (Andres Adrover Kvamsdal) Date: Sun, 03 Jul 2005 20:31:49 +0200 Subject: Problems with SSL certificate in httpd-2.0.40-21.17.legacy Message-ID: <42C82F15.8010704@andreso.net> Hello, I moved a web application from a RH9 server to another RH9 server tarring the whole /etc/httpd directory structure on the first server and untarring it in the second server. There are no IPs in the server configuration so even though the second server has a different IP there should be no problems on that count. I also set the original server's IP address as an alias for the second server so the second server now answers to its original IP address as well as to the first server's IP address. Both servers are on a demilitirized zone so they each have a public IP. 
Now two public IPs are routed to different IP aliases on one server. I also upgraded the RH9 to the latest from the Fedora Legacy repositories and apache and mod_ssl were upgraded to 2.0.40-21.17.legacy Originally one could access the web site very fast and https worked correctly. Now there is a 20 second delay acessing the domain name that pointed to the original server and https gives a warning of the certificate not being issued by a recognized authority. SSH works correctly and indicates there is a 20 second delay between the moment i ask for the web page in the browser until the request appears in the access log. A working mod_ssl installation has become annoying informing that the certificate is not issued by a known authority. First question. Is httpd-2.0.40-21.17.legacy buggy so that SSL certificates no longer work or have I broken something with the routing hell I have set up. Second Question. Does anybody know what is going on with the long delay before the server receives the request. In other words, what kind of routing hell I have set up. Public IP 1 routes to private IP 1 which is defined by /etc/sysconfig/network-scripts/ifcfg-eth0 Domain name points to Public IP 2 which is routed to private IP 2 which is an IP alias for the same server and is defined by /etc/sysconfig/network-scripts/ifcfg-eth0:1 The server answers to both IP adresses and ssh works without any problems to Public IP 2. Next thing we are going to try is domain name points to public address 2 which is then routed to Private address 1 which is the one and only Ip of the server. 
This brings me to the second question: Would it cause problems for this server to be accessible by two public IP addresses Andres From listas at andreso.net Mon Jul 4 09:42:27 2005 From: listas at andreso.net (Andres Adrover Kvamsdal) Date: Mon, 04 Jul 2005 11:42:27 +0200 Subject: Problems with SSL certificate in httpd-2.0.40-21.17.legacy In-Reply-To: <42C82F15.8010704@andreso.net> References: <42C82F15.8010704@andreso.net> Message-ID: <42C90483.7070803@andreso.net> > > First question. Is httpd-2.0.40-21.17.legacy buggy so that SSL > certificates no longer work or have I broken something with the routing > hell I have set up. Stupid mistake. The company for which I did the installation did not bother to pay for a SSL certificate but generated their own. This little fact makes this post completely off topic. > > Second Question. Does anybody know what is going on with the long delay > before the server receives the request. In other words, what kind of > routing hell I have set up. > > Public IP 1 routes to private IP 1 which is defined by > /etc/sysconfig/network-scripts/ifcfg-eth0 > > Domain name points to Public IP 2 which is routed to private IP 2 which > is an IP alias for the same server and is defined by > /etc/sysconfig/network-scripts/ifcfg-eth0:1 > > The server answers to both IP addresses and ssh works without any > problems to Public IP 2. > Ok, now I have reestablished the situation to what it was originally. Public IP 2 is redirected to the original server which was on Private IP 2. Web access is lightning fast again. Web access to the Public IP 1 which is redirected by the firewall to the server on Private IP 1 is slow. As this is off topic could you please inform me of a mailing list where such network problems could be on topic. Andres From chung at dongdu.org Fri Jul 1 13:09:29 2005 From: chung at dongdu.org (Huynh Van Chung) Date: Fri, 1 Jul 2005 22:09:29 +0900 (JST) Subject: TCP Security???
Message-ID: <1212.2001:2f8:3a:b00:f895:43d3:1b84:d39b.1120223369.squirrel@mail.dongdu.org> Hi all, How about: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068 http://www.kb.cert.org/vuls/id/637934 From drees76 at gmail.com Tue Jul 5 17:57:10 2005 From: drees76 at gmail.com (David Rees) Date: Tue, 5 Jul 2005 10:57:10 -0700 Subject: security of a new redhat 7.3 install In-Reply-To: <007501c57e62$1dfe5870$7903a8c0@yonlaptop> References: <1120238608.12159.19.camel@prometheus.gamehouse.com> <007501c57e62$1dfe5870$7903a8c0@yonlaptop> Message-ID: <72dbd3150507051057536a999d@mail.gmail.com> On 7/1/05, yon rosenthal wrote: > > Just not quite sure what you mean by ' making sure the updates > repository is enabled'? Do you mean automatic updates? He most likely means the fedora legacy updates repo. I would make sure that the machine is not publicly accessible via the internet until all security updates are applied and the machine is rebooted with the latest kernel from fedora legacy. -Dave From nils at lemonbit.nl Wed Jul 6 11:31:23 2005 From: nils at lemonbit.nl (Nils Breunese (Lemonbit Internet)) Date: Wed, 6 Jul 2005 13:31:23 +0200 Subject: apache httpd 2.0.54 on fc2 Message-ID: <49AEC786-53F8-4A68-9BD2-5FEA64EFB487@lemonbit.nl> Hello, I'm running a server on Fedora Core 2. I notice the latest httpd update is apache 2.0.51. Is 2.0.54 going to be available for fc2? Or is there no real need to upgrade? Thanks, Nils Breunese. From rostetter at mail.utexas.edu Wed Jul 6 16:19:21 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 6 Jul 2005 11:19:21 -0500 Subject: apache httpd 2.0.54 on fc2 In-Reply-To: <49AEC786-53F8-4A68-9BD2-5FEA64EFB487@lemonbit.nl> References: <49AEC786-53F8-4A68-9BD2-5FEA64EFB487@lemonbit.nl> Message-ID: <1120666761.e9c1750d56d9f@mail.ph.utexas.edu> Quoting "Nils Breunese (Lemonbit Internet)" : > Hello, > > I'm running a server on Fedora Core 2.
I notice the latest httpd > update is apache 2.0.51. Is 2.0.54 going to be available for fc2? Or > is there no real need to upgrade? > > Thanks, > > Nils Breunese. See the very first entry in the FAQ. Fixes are backported to the version Red Hat or Fedora Core last released. Per the FAQ: In most cases, fixes are back-ported to the current package version rather than upgrading the package to a newer version. This is done in order to limit the possible side-effects which can result from an upgrade. Packages are only upgraded to a newer version if consensus dictates that we should do so for some specific reason. So don't expect a 2.0.54 to appear, but expect any security patches to be backported to the current 2.0.51 version. -- Eric Rostetter From jkosin at beta.intcomgrp.com Wed Jul 6 20:46:09 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Wed, 06 Jul 2005 16:46:09 -0400 Subject: Unofficial Updates Message-ID: <42CC4311.70008@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Everyone, I've been busy again.... - --------------------------------------------------------------------------------------------------------------------- (1) Kernel Updates (2.4.30-2.1.fc1.vanilla) ~ Changes to update to version 2.4.32-pre1 Link: http://support.intcomgrp.com/mirror/fedora-core/beta/i386 sha1sum's: e376d93f18c17d61d4ca897db17f1d1089840cff kernel-2.4.30-2.1.fc1.vanilla.i686.rpm d20ebd238520c3a15e40850369a60376382db1a3 kernel-doc-2.4.30-2.1.fc1.vanilla.i386.rpm a0a5737ff306380d0a3a0db01113fd34cb4908d4 kernel-smp-2.4.30-2.1.fc1.vanilla.i686.rpm 8fd4e1fc57b746405ff6f27d372fe4c3eef7eaea kernel-source-2.4.30-2.1.fc1.vanilla.i386.rpm Source RPM: http://support.intcomgrp.com/mirror/fedora-core/beta/src/kernel-2.4.30-2.1.fc1.vanilla.src.rpm - ---------------------------------------------------------------------------------------------------- (2) CDrecord (2.01.01-a03.fc1.1) ~ Updated to latest alpha sources. I was hoping to get dvd support from cdrecord. 
This did not work, but, I did manage to update the package anyway. Link: http://support.intcomgrp.com/mirror/fedora-core/beta/i386 sha1sum's: bde41f0e3dc5ddc0fe9e39793c3f437a6acf8f5b cdda2wav-2.01.01-a03.fc1.1.i386.rpm b2230deba926afaeb26fd271695cd86eb7fad157 cdrecord-2.01.01-a03.fc1.1.i386.rpm 8a5e5faf8e9be517553bbd56298ca1fd74de2e76 cdrecord-devel-2.01.01-a03.fc1.1.i386.rpm e94f6553d3bc4f26fac746fe928f9046bb13b9be mkisofs-2.01.01-a03.fc1.1.i386.rpm Source RPM: http://support.intcomgrp.com/mirror/fedora-core/beta/src/cdrecord-2.01.01-a03.fc1.1.src.rpm - ------------------------------------------------------------------------------------------------ (3) Dvd+rw-tools (5.21.4.10.8-1.fc1) ~ Updates to the latest DVD+RW Tools for linux. This package includes growisofs needed for k3b and dvd support. Link: http://support.intcomgrp.com/mirror/fedora-core/beta/i386 sha1sums: 58584938f6393148e3dce278668cb746cf9c2233 dvd+rw-tools-5.21.4.10.8-1.fc1.i386.rpm Source RPM: http://support.intcomgrp.com/mirror/fedora-core/beta/src/dvd+rw-tools-5.21.4.10.8-1.fc1.src.rpm - -------------------------------------------------------------------------------------------------- (4) GCC (3.3.6-1.fc1) ~ I'm trying to get an update for gcc and libraries; but, I'm having problems with the make breaking on 'make -C gcc gnatlib-shared' ... Anyone willing to tell me what is wrong? 
Source RPM: http://support.intcomgrp.com/mirror/fedora-core/beta/src/gcc-3.3.6-1.fc1.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCzEMRkNLDmnu1kSkRAqvcAJ499r6GDimbLK83TM0vXouSQZr39gCdFnbU eL48CZcX+ByV1jqejuHrb8Q= =ieeE -----END PGP SIGNATURE----- From beartooth at adelphia.net Wed Jul 6 21:08:21 2005 From: beartooth at adelphia.net (beartooth) Date: Wed, 06 Jul 2005 17:08:21 -0400 Subject: If you upgrade to FC4 -- THANKS References: <1120243594.31898.28.camel@cutter> <5C932900-CA5F-42E3-9781-1BC401197E18@speed.net> <20050703174918.GD8342@dementia.proulx.com> Message-ID: On Sun, 03 Jul 2005 11:49:18 -0600, Bob Proulx wrote: > Kelson Vibber wrote: [....] > Most packages don't handle upgrading configuration files very well. The > person doing the upgrade needs to be told of the file so that they can > manually walk through the configurations and fix up the configuration as > needed. > >> So after you do a major upgrade, you should look through /etc for files >> ending in .rpmsave and .rpmnew, compare them to the current config >> file, and decide whether to accept the new config, stick with the old >> one, or pick and choose between them. Most of the time you can get >> away with using the choice RPM made -- you don't *need* the new command >> prompt for bash, or you want to keep your list of font directories -- >> but sometimes something important has changed, and you need to combine >> your customizations with the new config. > > Agreed. > > Bob Thank you both, immensely! Those are the things I was trying to ask about. Small and very hesitant suggestion: could the *installing* software, when it does an upgrade, watch out for such things and either pop a warning box up (perhaps only in some sort of verbose mode), or flag them and create a list to warn of on or before completion? (Maybe under firstboot?) 
Rationale: I think I'm not alone in being used to yum (among others) showing a lot of messages I know will be over my head, and storing them in some log I don't know where to find. I do boot-gaze, if that's a word (i.e., watch the messages on boot up, and also on shutdown), and have gradually learned quite a bit that way; but lots of things are still very opaque. (At least there're beginning to be man pages that aren't!) -- Beartooth Neo-Redneck, Linux Evangelist FC 1&4, YDL 4; Pine 4.63, Pan 0.14.2.91; Privoxy 3.0.3; Dillo 0.8.5, Opera 8.01, Firefox 1.0.4, Epiphany 1.0.8 Remember that I have little idea what I am talking about. From lukas at empoweredmail.com Thu Jul 7 15:21:00 2005 From: lukas at empoweredmail.com (Lukas Feiler) Date: Thu, 7 Jul 2005 17:21:00 +0200 Subject: zlib rpm fixing CAN-2005-2096? Message-ID: <000b01c58307$7e83be20$4201a8c0@ROCKET> Hi list! Does anyone know the status of a zlib rpm for FC2 fixing CAN-2005-2096? thanks, Lukas From rostetter at mail.utexas.edu Thu Jul 7 15:22:35 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Thu, 7 Jul 2005 10:22:35 -0500 Subject: Unofficial Updates In-Reply-To: <42CC4311.70008@beta.intcomgrp.com> References: <42CC4311.70008@beta.intcomgrp.com> Message-ID: <1120749755.5ca961520761e@mail.ph.utexas.edu> Quoting James Kosin : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Everyone, > > I've been busy again.... I'd still like to see an "Unofficial, User Contributed Software" section on the wiki where people can *link* to their contributions like this... Big disclaimer of course that FL does not in any way support these, and issues should be sent to the contributor, not FL, etc. In particular I'd love to see this for adding packages that are not in a distribution (e.g. clamav, firefox, etc) but it could also be used for updated software (e.g. software that isn't good when obsolete, like spamassassin, etc), or just about anything else someone wants to contribute.
I've brought this up before, and got no response, so here's another e-mail just to see if anyone disagrees, etc. -- Eric Rostetter From jkeating at j2solutions.net Wed Jul 6 15:44:42 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 06 Jul 2005 08:44:42 -0700 Subject: Unofficial Updates In-Reply-To: <1120749755.5ca961520761e@mail.ph.utexas.edu> References: <42CC4311.70008@beta.intcomgrp.com> <1120749755.5ca961520761e@mail.ph.utexas.edu> Message-ID: <1120664682.4962.8.camel@yoda.loki.me> On Thu, 2005-07-07 at 10:22 -0500, Eric Rostetter wrote: > > I've brought this up before, and got no response, so here's another > e-mail > just to see if anyone disagrees, etc. > I don't disagree. Big disclaimer. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkosin at beta.intcomgrp.com Thu Jul 7 16:05:24 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Thu, 07 Jul 2005 12:05:24 -0400 Subject: Unofficial Updates In-Reply-To: <1120664682.4962.8.camel@yoda.loki.me> References: <42CC4311.70008@beta.intcomgrp.com> <1120749755.5ca961520761e@mail.ph.utexas.edu> <1120664682.4962.8.camel@yoda.loki.me> Message-ID: <42CD52C4.6010601@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jesse Keating wrote: |On Thu, 2005-07-07 at 10:22 -0500, Eric Rostetter wrote: | |>I've brought this up before, and got no response, so here's another |>e-mail |>just to see if anyone disagrees, etc. |> | |I don't disagree. Big disclaimer. | Thanks, ~ I'd like to contribute more. The only one not tested well would be my kernel updates! But, I do run my server with them with no problems. So far, the kernel package is the only one I had to forgo most if not all the redhat patches. The other packages I've either had to do small modifications or remove temporarily or completely.
~ I'm only supplying my packages to those interested. I haven't had time to do spamassasin yet... I'm hung up on finding a solution for the gcc build. ~ I would even be willing to help officially, if someone could tell me how to get started. ~ I would like to be able to keep my FC1 system updated........... James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCzVLEkNLDmnu1kSkRAjP8AJ9us94oYpjU+ngDcJsjjpCnRLGD2gCfYqkF hVQybO2KPrCDte9sLOBVBXc= =rcRq -----END PGP SIGNATURE----- From michal at harddata.com Thu Jul 7 16:12:05 2005 From: michal at harddata.com (Michal Jaegermann) Date: Thu, 7 Jul 2005 10:12:05 -0600 Subject: zlib rpm fixing CAN-2005-2096? In-Reply-To: <000b01c58307$7e83be20$4201a8c0@ROCKET>; from lukas@empoweredmail.com on Thu, Jul 07, 2005 at 05:21:00PM +0200 References: <000b01c58307$7e83be20$4201a8c0@ROCKET> Message-ID: <20050707101205.B11806@mail.harddata.com> On Thu, Jul 07, 2005 at 05:21:00PM +0200, Lukas Feiler wrote: > > Does anyone know the status of a zlib rpm for FC2 fixing CAN-2005-2096? This is a version 1.2.1.2 so it does need that fix. OTOH I am willing to bet that if you will take zlib-1.2.1.2-2.fc3.src.rpm with a fix and recompile that on your FC2 box then results will work just fine. Also recompiling should be trivial. According to information elsewhere installations using an older zlib-1.1.4 are not affected by this bug. Michal From mattdm at mattdm.org Thu Jul 7 16:20:19 2005 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 7 Jul 2005 12:20:19 -0400 Subject: zlib rpm fixing CAN-2005-2096? In-Reply-To: <20050707101205.B11806@mail.harddata.com> References: <000b01c58307$7e83be20$4201a8c0@ROCKET> <20050707101205.B11806@mail.harddata.com> Message-ID: <20050707162019.GA7943@jadzia.bu.edu> On Thu, Jul 07, 2005 at 10:12:05AM -0600, Michal Jaegermann wrote: > This is a version 1.2.1.2 so it does need that fix. OTOH I am Filed as bug #162680. 
-- Matthew Miller mattdm at mattdm.org Boston University Linux ------> Current office temperature: 76 degrees Fahrenheit. From steve at hydramusic.net Thu Jul 7 17:32:47 2005 From: steve at hydramusic.net (Stever) Date: Thu, 07 Jul 2005 10:32:47 -0700 Subject: Fedora legacy been updated recently? Message-ID: <42CD673F.10704@hydramusic.net> I've been checking the updates directory in both the fedora legacy redhat 7.3 and fedora core 2 directories and it seems the last package that was updated was during May. Is this correct? Just seems nothing has been updated in a while. Have things gotten stable? - Steve From micoots at yahoo.com Fri Jul 8 03:55:26 2005 From: micoots at yahoo.com (Michael Mansour) Date: Fri, 8 Jul 2005 13:55:26 +1000 (EST) Subject: perl suid exploit Message-ID: <20050708035526.58308.qmail@web50302.mail.yahoo.com> Hi, I run perl 5.8.3 in suid mode on Fedora Core 1, and have recently detected an attempted exploit which basically crashed my system (well, I was able to recover by removing the 15 byte /etc/ld.so.preload file which tries to reference, as part of the exploit, a /tmp/getuid.so file). I've brought the server up again, but am not sure now how I can defend against this attack since FC1 and perl 5.8.3 are the latest. Anyone have any suggestions? Thanks. Michael. 
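The indicator Michael describes above, a 15-byte /etc/ld.so.preload naming /tmp/getuid.so, can be turned into a host check. This is an added example, not part of the original post: the function names are illustrative, the sample file is constructed, and the list of temporary directories is an assumption.

```shell
#!/bin/bash
# Added example: audit an ld.so.preload file for entries like the one in the post.
# classify_preload_entry and audit_preload are illustrative names, not an existing tool.

# Print a one-word verdict for a single preload entry.
classify_preload_entry() {
    local lib=$1
    case $lib in
        # Assumed list of world-writable locations; extend it for your hosts.
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "temp-dir"; return ;;
        /*) ;;
        # Bare names are resolved through the library search path: review by hand.
        *) echo "not-absolute"; return ;;
    esac
    if [ ! -e "$lib" ]; then
        echo "missing"; return
    fi
    # -L follows symlinks so the target's mode is tested, not the link's.
    if [ -n "$(find -L "$lib" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo "world-writable"; return
    fi
    # On RPM systems a legitimate preload library should belong to a package.
    if command -v rpm >/dev/null 2>&1 && ! rpm -qf "$lib" >/dev/null 2>&1; then
        echo "unpackaged"; return
    fi
    echo "ok"
}

# Report every entry of a preload file; exit status 1 if any entry is not "ok".
audit_preload() {
    local file=${1:-/etc/ld.so.preload} entry verdict bad=0
    if [ ! -e "$file" ]; then
        echo "$file: absent (the normal state on most systems)"
        return 0
    fi
    echo "$file: $(wc -c < "$file" | tr -d ' ') bytes"
    set -f    # no filename globbing while the entries are split
    # Drop '#' comments; entries are separated by whitespace or ':'.
    for entry in $(sed 's/#.*//' "$file" | tr ':' ' '); do
        verdict=$(classify_preload_entry "$entry")
        echo "  $entry: $verdict"
        [ "$verdict" = "ok" ] || bad=$((bad + 1))
    done
    set +f
    [ "$bad" -eq 0 ]
}

# Constructed sample matching the post: one entry, 15 bytes including the newline.
sample=$(mktemp)
printf '/tmp/getuid.so\n' > "$sample"
audit_preload "$sample" || echo "=> unexpected preload entries found"
rm -f "$sample"
```

Calling `audit_preload` with no argument checks the live /etc/ld.so.preload; a non-zero exit status means at least one entry needs review.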
From mattdm at mattdm.org Fri Jul 8 04:08:51 2005 From: mattdm at mattdm.org (Matthew Miller) Date: Fri, 8 Jul 2005 00:08:51 -0400 Subject: perl suid exploit In-Reply-To: <20050708035526.58308.qmail@web50302.mail.yahoo.com> References: <20050708035526.58308.qmail@web50302.mail.yahoo.com> Message-ID: <20050708040851.GA5823@jadzia.bu.edu> On Fri, Jul 08, 2005 at 01:55:26PM +1000, Michael Mansour wrote: > I run perl 5.8.3 in suid mode on Fedora Core 1, and > have recently detected an attempted exploit which > basically crashed my system (well, I was able to > recover by removing the 15 byte /etc/ld.so.preload > file which tries to reference, as part of the exploit, > a /tmp/getuid.so file). > > I've brought the server up again, but am not sure now > how I can defend against this attack since FC1 and > perl 5.8.3 are the latest. > > Anyone have any suggestions? Well.... -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> Current office temperature: 76 degrees Fahrenheit. From mic at npgx.com.au Fri Jul 8 05:41:08 2005 From: mic at npgx.com.au (Michael Mansour) Date: Fri, 8 Jul 2005 15:41:08 +1000 Subject: zlib rpm fixing CAN-2005-2096? In-Reply-To: <000b01c58307$7e83be20$4201a8c0@ROCKET> References: <000b01c58307$7e83be20$4201a8c0@ROCKET> Message-ID: <20050708053824.M33714@npgx.com.au> The ATrpms repo has the following version in it for FC2: zlib i386 1.2.2.2-1.rhfc2.at atrpms I'm not sure, but if this version is not vulnerable you should be able to use it without issues. Michael. > Hi list! > > Does anyone know the status of a zlib rpm for FC2 fixing CAN-2005-2096?
> > thanks, > Lukas > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-legacy-list ------- End of Original Message ------- From marcdeslauriers at videotron.ca Sun Jul 10 21:23:16 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 10 Jul 2005 17:23:16 -0400 Subject: [FLSA-2005:154991] Updated sharutils package fixes security issue Message-ID: <42D191C4.9050104@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated sharutils package fixes security issue Advisory ID: FLSA:154991 Issue date: 2005-07-10 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2005-0990 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated packages for sharutils which fix a security vulnerability are now available. The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue. All users of sharutils should upgrade to these packages, which resolve this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. 
Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154991 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sharutils-4.2.1-12.8.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/sharutils-4.2.1-12.8.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sharutils-4.2.1-16.9.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/sharutils-4.2.1-16.9.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sharutils-4.2.1-17.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/sharutils-4.2.1-17.3.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/sharutils-4.2.1-18.3.FC2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/sharutils-4.2.1-18.3.FC2.legacy.i386.rpm 7. 
Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0990 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sun Jul 10 21:22:10 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 10 Jul 2005 17:22:10 -0400 Subject: [FLSA-2005:155505] Updated php packages fix security issues Message-ID: <42D19182.5080506@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated php packages fix security issues Advisory ID: FLSA:155505 Issue date: 2005-07-10 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2005-0524 CAN-2005-0525 CAN-2005-1042 CAN-2005-1043 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated php packages that fix various security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. 
It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. The security fixes to the "unserializer" code in the previous release introduced some performance issues. A bug fix for that issue is also included in this update. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155505 6. 
RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.17.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.17.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.14.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.14.legacy.i386.rpm Fedora Core 1: SRPM: 
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.2.legacy.i386.rpm 
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.2.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1043

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
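The SHA1 check from section 7 of these advisories, as an added example that is not part of the original advisory or of Fedora Legacy's tooling: a POSIX shell function that reads the "SHA1 sum / Package Name" rows of a saved advisory and checks downloaded files against them. The package names, file contents and directory layout are constructed, and the script assumes the advisory is saved with one table row per line.

```shell
#!/bin/sh
# Added example (not Fedora Legacy code): check downloaded RPMs against the
# "SHA1 sum / Package Name" rows of a saved advisory.

# sha1_of FILE: print the lowercase hex SHA1 digest of FILE.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_manifest ADVISORY DIR
# Returns 0 if every listed package is in DIR and matches, 1 on any missing
# or mismatching file, 2 if the advisory is unreadable or has no digest rows.
verify_manifest() {
    advisory=$1
    dir=$2
    failed=0
    seen=0
    [ -r "$advisory" ] || { echo "cannot read $advisory"; return 2; }
    # Keep only "<40 hex digits> <repo path>" rows; headings and prose drop out.
    rows=$(awk 'NF == 2 && length($1) == 40 && tolower($1) ~ /^[0-9a-f]+$/ { print tolower($1), $2 }' "$advisory")
    while read -r want path; do
        [ -n "$want" ] || continue
        seen=$((seen + 1))
        # Advisory paths are repository-relative; match on the file name.
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"
            failed=1
            continue
        fi
        got=$(sha1_of "$file")
        if [ "$got" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (computed $got)"
            failed=1
        fi
    done <<EOF
$rows
EOF
    # An advisory with no parsable rows must not count as a pass.
    if [ "$seen" -eq 0 ]; then
        echo "no SHA1 rows found in $advisory"
        return 2
    fi
    return "$failed"
}

# make_fixture DIR: build constructed sample data. The two stand-in
# "packages" hold the bytes "abc" and nothing at all, so the digests in the
# constructed table are the standard SHA1 values for those inputs.
make_fixture() {
    printf 'abc' > "$1/example-1.0-1.legacy.i386.rpm"
    : > "$1/example-1.0-1.legacy.src.rpm"
    cat > "$1/advisory.txt" <<'EOF'
7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

a9993e364706816aba3e25717850c26c9cd0d89d redhat/7.3/updates/i386/example-1.0-1.legacy.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 redhat/7.3/updates/SRPMS/example-1.0-1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.
EOF
}

# Demo: a clean download passes, then a modified file is reported.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_manifest "$demo_dir/advisory.txt" "$demo_dir" || echo "verification FAILED"
printf 'tampered' >> "$demo_dir/example-1.0-1.legacy.i386.rpm"
verify_manifest "$demo_dir/advisory.txt" "$demo_dir" || echo "verification FAILED"
rm -rf "$demo_dir"
```

A matching digest only shows that the file equals what the advisory lists; the `rpm --checksig -v` check from the same section is what ties the package to the Fedora Legacy key.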
From marcdeslauriers at videotron.ca Sun Jul 10 21:24:06 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 10 Jul 2005 17:24:06 -0400
Subject: [FLSA-2005:152908] Updated gftp package fixes security issue
Message-ID: <42D191F6.3060103@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated gftp package fixes security issue
Advisory ID: FLSA:152908
Issue date: 2005-07-10
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0372
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated gftp packages that fix a security issue are now available.

gFTP is a multi-threaded FTP client for the X Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A directory traversal vulnerability was discovered in gftp. A remote malicious FTP server could read, overwrite or create arbitrary files via .. (dot dot) sequences in the filenames returned from a LIST command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0372 to this issue.

Users of gftp are advised to upgrade to these errata packages, which contain a backported patch correcting this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152908

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gftp-2.0.11-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gftp-2.0.11-2.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gftp-2.0.14-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gftp-2.0.14-2.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gftp-2.0.17-0.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gftp-2.0.17-0.FC1.1.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0372

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Sun Jul 10 21:24:52 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 10 Jul 2005 17:24:52 -0400
Subject: [FLSA-2005:152895] Updated mailman package fixes security issue
Message-ID: <42D19224.1090406@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated mailman package fixes security issue
Advisory ID: FLSA:152895
Issue date: 2005-07-10
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0202
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated mailman packages that correct a mailman security issue are now available.

Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A flaw in the true_path function of Mailman was discovered. A remote attacker who is a member of a private mailman list could use a carefully crafted URL and gain access to arbitrary files on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0202 to this issue.

Note: Mailman installations running on Apache 2.0-based servers are not vulnerable to this issue.

Users of mailman should update to these erratum packages that contain a patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152895

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mailman-2.0.13-7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mailman-2.0.13-7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mailman-2.1.1-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mailman-2.1.1-8.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mailman-2.1.5-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mailman-2.1.5-8.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Sun Jul 10 21:25:32 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 10 Jul 2005 17:25:32 -0400
Subject: [FLSA-2005:152835] Updated dhcp package fixes security issue
Message-ID: <42D1924C.2060708@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated dhcp package fixes security issue
Advisory ID: FLSA:152835
Issue date: 2005-07-10
Product: Red Hat Linux
Keywords: Bugfix
CVE Names: CAN-2004-1006
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated dhcp packages that fix a security issue are now available.

dhcp is a DHCP (Dynamic Host Configuration Protocol) server and relay agent.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

"infamous41md" noticed that the log functions in dhcp 2.x pass parameters to a function that uses format strings. One use seems to be exploitable in connection with a malicious DNS server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1006 to this issue.

Users of dhcp are advised to upgrade to this errata package, which contains backported patches correcting this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152835

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/dhcp-2.0pl5-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/dhcp-2.0pl5-8.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------
e134b4118edc63c20b1227d3b199edf55e9c6411 redhat/7.3/updates/i386/dhcp-2.0pl5-8.2.legacy.i386.rpm
873fe4bb121b857436cc044cf379597f78bc0e4b redhat/7.3/updates/SRPMS/dhcp-2.0pl5-8.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1006

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Mon Jul 11 21:40:29 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 11 Jul 2005 17:40:29 -0400
Subject: [UPDATED] Fedora Legacy Test Update Notification: ImageMagick
Message-ID: <42D2E74D.4060904@videotron.ca>

These packages were updated to resolve a missing perl dependency.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152777
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152777
2005-07-11
---------------------------------------------------------------------

Name : ImageMagick
Versions : rh73: ImageMagick-5.4.3.11-12.7.x.legacy
Versions : rh9: ImageMagick-5.4.7-18.legacy
Versions : fc1: ImageMagick-5.5.6-13.legacy
Versions : fc2: ImageMagick-6.2.0.7-2.fc2.4.legacy
Summary : An X application for displaying and manipulating images.
Description :
ImageMagick(TM) is an image display and manipulation tool for the X Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF, and Photo CD image formats. It can resize, rotate, sharpen, color reduce, or add special effects to an image, and when finished you can either save the completed work in the original format or a different one. ImageMagick also includes command line programs for creating animated or transparent .gifs, creating composite images, creating thumbnail images, and more.

---------------------------------------------------------------------
Update Information:

Updated ImageMagick packages that fix multiple security vulnerabilities are now available.

ImageMagick(TM) is an image display and manipulation tool for the X Window System.

A temporary file handling bug has been found in ImageMagick's libmagick library. A local user could overwrite or create files as a different user if a program was linked with the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0455 to this issue.

A heap overflow flaw has been discovered in the ImageMagick image handler. An attacker could create a carefully crafted BMP file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0827 to this issue.

A buffer overflow flaw was discovered in the ImageMagick image handler. An attacker could create a carefully crafted image file with an improper EXIF information in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0981 to this issue.

Andrei Nigmatulin discovered a heap based buffer overflow flaw in the ImageMagick image handler. An attacker could create a carefully crafted Photoshop Document (PSD) image in such a way that it would cause ImageMagick to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0005 to this issue.

A format string bug was found in the way ImageMagick handles filenames. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0397 to this issue.

A bug was found in the way ImageMagick handles TIFF tags. It is possible that a TIFF image file with an invalid tag could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0759 to this issue.

A bug was found in ImageMagick's TIFF decoder. It is possible that a specially crafted TIFF image file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0760 to this issue.

A bug was found in the way ImageMagick parses PSD files. It is possible that a specially crafted PSD file could cause ImageMagick to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0761 to this issue.

A heap overflow bug was found in ImageMagick's SGI parser. It is possible that an attacker could execute arbitrary code by tricking a user into opening a specially crafted SGI image file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0762 to this issue.

A heap based buffer overflow bug was found in the way ImageMagick parses PNM files. An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a specially crafted PNM file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1275 to this issue.

A denial of service bug was found in the way ImageMagick parses XWD files. A user or program executing ImageMagick to process a malicious XWD file can cause ImageMagick to enter an infinite loop causing a denial of service condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1739 to this issue.

Users of ImageMagick should upgrade to these updated packages, which contain backported patches, and are not vulnerable to these issues.
---------------------------------------------------------------------
Changelogs

rh73:
* Sun Jul 10 2005 Marc Deslauriers 5.4.3.11-12.7.x.legacy
- Rebuilt to get perl dependencies right
* Fri Jun 17 2005 Marc Deslauriers 5.4.3.11-11.7.x.legacy
- Added missing libtool, libxml2-devel, XFree85-libs, ghostscript and XFree86-devel to BuildRequires
* Thu Jun 09 2005 Marc Deslauriers 5.4.3.11-10.7.x.legacy
- Added patch for CAN-2005-1739
* Fri May 06 2005 Marc Deslauriers 5.4.3.11-9.7.x.legacy
- Added patches for CAN-2005-0759, CAN-2005-0760, CAN-2005-0761 and CAN-2005-0762
- Added patch to fix a PNM heap overflow (CAN-2005-1275)
* Thu Mar 03 2005 Marc Deslauriers 5.4.3.11-8.7.x.legacy
- Added better patch for CAN-2005-0005
* Tue Mar 01 2005 Marc Deslauriers 5.4.3.11-7.7.x.legacy
- Added patches for CAN-2005-0005 and CAN-2005-0397
- Added htmlview to Requires
* Wed Nov 24 2004 Marc Deslauriers 5.4.3.11-6.7.x.legacy
- added better patch for CAN-2003-0455 (Michal Jaegermann)
* Fri Nov 05 2004 Martin Siegert 5.4.3.11-5.7.x.legacy
- set BrowseDelegate=htmlview
* Thu Nov 04 2004 Martin Siegert 5.4.3.11-4.7.x.legacy
- include patch for CAN-2003-0455 from RHEL ImageMagick-5.3.8-5
- include patch for CAN-2004-0827
- include patch for CAN-2004-0981 from Debian (bug #278401)

rh9:
* Sun Jul 10 2005 Marc Deslauriers 5.4.7-18.legacy
- Rebuilt to get perl dependencies fixed
* Fri Jun 17 2005 Marc Deslauriers 5.4.7-17.legacy
- Added missing libtool, XFree86-devel, XFree86-libs, ghostscript and libxml2-devel BuildRequires
* Thu Jun 09 2005 Marc Deslauriers 5.4.7-16.legacy
- Added patch for CAN-2005-1739
* Sat May 07 2005 Marc Deslauriers 5.4.7-15.legacy
- Added patches for CAN-2005-0759, CAN-2005-0760, CAN-2005-0761 and CAN-2005-0762
- Added patch to fix a PNM heap overflow (CAN-2005-1275)
* Thu Mar 03 2005 Marc Deslauriers 5.4.7-14.legacy
- Added a better patch for CAN-2005-0005
* Wed Mar 02 2005 Marc Deslauriers 5.4.7-13.legacy
- Added patches for CAN-2005-0005 and CAN-2005-0397
* Wed Nov 24 2004 Marc Deslauriers 5.4.7-12.legacy
- Added better security patch for CAN-2004-0827 (heap overflow in BMP, AVI, DIB)
- Added security patch for CAN-2003-0455 (temporary file vulnerability)
- Added security patch for CAN-2004-0981 (Remote EXIF parsing buffer overflow)
* Sun Sep 12 2004 Marc Deslauriers 5.4.7-11.legacy
- Added security patch for CAN-2004-0827

fc1:
* Sun Jul 10 2005 Marc Deslauriers 5.5.6-13.legacy
- Rebuilt to get perl dependencies fixed
* Fri Jun 17 2005 Marc Deslauriers 5.5.6-12.legacy
- Added missing libtool, libxml2-devel XFree86-devel and ghostscript to BuildRequires
* Fri Jun 10 2005 Marc Deslauriers 5.5.6-11.legacy
- Added patch for CAN-2005-1739
* Sat May 07 2005 Marc Deslauriers 5.5.6-10.legacy
- Added patches for CAN-2005-0759, CAN-2005-0760, CAN-2005-0761 and CAN-2005-0762
- Added patch to fix a PNM heap overflow (CAN-2005-1275)
* Thu Mar 03 2005 Marc Deslauriers 5.5.6-9.legacy
- Added better patch for CAN-2005-0005
* Wed Mar 02 2005 Marc Deslauriers 5.5.6-8.legacy
- Added patches for CAN-2005-0005 and CAN-2005-0397
* Sat Nov 13 2004 David Eisenstein 5.5.6-7-fc1
- add patch #8 for RedHat Bugzilla #112396, Postscript delegate
- patch # 9, CAN-2004-0827 heap overflow in BMP, AVI, DIB decoders
- patch #10, CAN-2004-0981 Remote EXIF parsing buffer overflow
- Above two patches address Fedora Legacy Bugzilla # 2052

fc2:
* Sun Jul 10 2005 Marc Deslauriers 6.2.0.7-2.fc2.4.legacy
- Rebuilt to get perl dependencies fixed
* Sat Jun 18 2005 Marc Deslauriers 6.2.0.7-2.fc2.3.legacy
- Added missing XFree86-devel, libxml2-devel, ghostscript to BuildRequires
* Fri Jun 10 2005 Marc Deslauriers 6.2.0.7-2.fc2.2.legacy
- Added patch to fix CAN-2005-1739
* Sat May 07 2005 Marc Deslauriers 6.2.0.7-2.fc2.1.legacy
- Added patch to fix a PNM heap overflow (CAN-2005-1275)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Mon Jul 11 22:28:25 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 11 Jul 2005 18:28:25 -0400
Subject: [FLSA-2005:152583] Updated telnet packages fix security issues
Message-ID: <42D2F289.7050409@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated telnet packages fix security issues
Advisory ID: FLSA:152583
Issue date: 2005-07-11
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0468 CAN-2005-0469
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated telnet packages that fix two buffer overflow vulnerabilities are now available.

The telnet package provides a command line telnet client.
The telnet-server package includes a telnet daemon, telnetd, that
supports remote login to the host machine.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Two buffer overflow flaws were discovered in the way the telnet client
handles messages from a server. An attacker may be able to execute
arbitrary code on a victim's machine if the victim can be tricked into
connecting to a malicious telnet server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468
and CAN-2005-0469 to these issues.

Users of telnet should upgrade to this updated package, which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152583

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/telnet-0.17-20.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/telnet-0.17-20.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/telnet-server-0.17-20.1.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/telnet-0.17-25.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/telnet-0.17-25.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/telnet-server-0.17-25.1.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/telnet-0.17-26.2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/telnet-0.17-26.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/telnet-server-0.17-26.2.1.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Mon Jul 11 22:27:33 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 11 Jul 2005 18:27:33 -0400
Subject: [FLSA-2005:123014] Updated openssh packages fix a security issue
Message-ID: <42D2F255.7080105@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated openssh packages fix a security issue
Advisory ID: FLSA:123014
Issue date: 2005-07-11
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0175
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated openssh packages that fix a potential security vulnerability
are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for "passwordless" access to
servers.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

The scp protocol allows a server to instruct a client to write to
arbitrary files outside of the current directory. This could
potentially cause a security issue if a user uses scp to copy files
from a malicious server. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0175 to this
issue.

These updated packages also correct the following bug:

On systems where direct ssh access for the root user was disabled by
configuration (setting "PermitRootLogin no"), attempts to guess the
root password could be judged as successful or unsuccessful by
observing a delay.

Users of openssh should upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123014

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssh-3.1p1-14.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-3.1p1-14.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-clients-3.1p1-14.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-server-3.1p1-14.2.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssh-3.5p1-11.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-3.5p1-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-3.5p1-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-clients-3.5p1-11.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-server-3.5p1-11.2.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssh-3.6.1p2-19.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-3.6.1p2-19.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-clients-3.6.1p2-19.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-server-3.6.1p2-19.2.legacy.i386.rpm

Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssh-3.6.1p2-34.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-3.6.1p2-34.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-3.6.1p2-34.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-askpass-gnome-3.6.1p2-34.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-clients-3.6.1p2-34.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssh-server-3.6.1p2-34.2.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Tue Jul 12 23:35:43 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 12 Jul 2005 19:35:43 -0400
Subject: Fedora Legacy Test Update Notification: mc
Message-ID: <42D453CF.1020000@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152889
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152889
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148865
2005-07-12
---------------------------------------------------------------------

Name : mc
Versions : rh73: mc-4.5.55-11.legacy
Versions : rh9: mc-4.6.0-18.2.fc0.9.legacy
Versions : fc1: mc-4.6.0-18.2.fc1.0.legacy
Versions : fc2: mc-4.6.1-0.13.FC2.legacy
Summary : A user-friendly file manager and visual shell.
Description :
Midnight Commander is a visual shell much like a file manager, only
with many more features. It is a text mode application, but it also
includes mouse support if you are running GPM. Midnight Commander's
best features are its ability to FTP, view tar and zip files, and to
poke into RPMs for specific files.

---------------------------------------------------------------------
Update Information:

Updated mc packages that fix several security issues are now available.

Midnight Commander is a visual shell much like a file manager.

Several buffer overflows, several temporary file creation
vulnerabilities, and one format string vulnerability have been
discovered in Midnight Commander. These vulnerabilities were discovered
mostly by Andrew V. Samoilov and Pavel Roskin. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CAN-2004-0226, CAN-2004-0231, and CAN-2004-0232 to these issues.

Shell escape bugs have been discovered in several of the mc vfs backend
scripts. An attacker who is able to influence a victim to open a
specially-crafted URI using mc could execute arbitrary commands as the
victim. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0494 to this issue.

Several format string bugs were found in Midnight Commander. If a user
is tricked by an attacker into opening a specially crafted path with
mc, it may be possible to execute arbitrary code as the user running
Midnight Commander. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1004 to this issue.

Several buffer overflow bugs were found in Midnight Commander. If a
user is tricked by an attacker into opening a specially crafted file or
path with mc, it may be possible to execute arbitrary code as the user
running Midnight Commander. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1005 to this
issue.

Several denial of service bugs were found in Midnight Commander. These
bugs could cause Midnight Commander to hang or crash if a victim opens
a carefully crafted file. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the names CAN-2004-1009,
CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093 and
CAN-2004-1174 to these issues.

A filename quoting bug was found in Midnight Commander's FISH protocol
handler. If a victim connects via embedded SSH support to a host
containing a carefully crafted filename, arbitrary code may be executed
as the user running Midnight Commander. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1175
to this issue.

A buffer underflow bug was found in Midnight Commander. If a malicious
local user is able to modify the extfs.ini file, it could be possible
to execute arbitrary code as a user running Midnight Commander. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1176 to this issue.

A buffer overflow bug was found in the way Midnight Commander handles
directory completion. If a victim uses completion on a maliciously
crafted directory path, it is possible for arbitrary code to be
executed as the user running Midnight Commander. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2005-0763 to this issue.

Users of mc are advised to upgrade to these packages, which contain
backported security patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sun Apr 17 2005 Leonard den Ottolander 4.5.55-11.legacy
- Missed the removal of a strcat in gtkedit/syntax.c open_include_file()
  in CAN-2004-0226 causing crash in mcedit. Cleaned up syntax.c a bit
  more in accordance with the Debian patch and CVS (redundant -1s in
  strncpy()s)
* Wed Apr 13 2005 Leonard den Ottolander 4.5.55-10.legacy
- Add patch for CAN-2005-0763
* Fri Apr 08 2005 Leonard den Ottolander 4.5.55-9.legacy
- Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the
  Debian patch.
- Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer
  overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format
  string vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs,
  and fish.
- Add one modified hunk from Debian to src/complete.c (CAN-2004-0226)
- Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the
  current patch is more complete.
- Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch.
- Removed some redundant hunks and fixed a few in CAN-2004-0494 patch.
- Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch.
- One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226)
* Mon Feb 14 2005 Leonard den Ottolander 4.5.55-8.legacy
- Really apply remainder of CAN-2004-0226 patch
* Wed Feb 09 2005 Leonard den Ottolander 4.5.55-7.legacy
- Fixed extfs for quoting and some temp file issues (CAN-2004-0494).
- Removed mc-cvs-uzip as it is no longer needed with above fixes.
- trpm and zip fixes are unneeded but left in as the patch was made
  against a tree that has them applied.
- Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005,
  CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092,
  CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 & CAN-2004-1176.

rh9:
* Sat Feb 12 2005 David Eisenstein 1:4.6.0-18.2.fc0.9.legacy
- rebuild SRPM for RH9. (FL bugzilla #2009, 2405).
* Fri Feb 11 2005 David Eisenstein 1:4.6.0-18.2.fc1.0.legacy
- Add mc-4.6.0-multi-CVE.patch which completes the fixes for
  CAN-2004-1004, CAN-2004-1005, and CAN-2004-1176. Source of these
  patches are from Debian, (DSA-639) and ultimately from the mc CVS
  tree.
- FL Bugzilla #2405.
* Sun Feb 06 2005 David Eisenstein 1:4.6.0-18.1.fc1.0.legacy
- Per Leonard den Ottolander, get rid of mc-cvs-uzip. Required removing
  a hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch.
- Use revised quoted-security2 patch, less drastic changes to uzip.in in
  extfs directory for vulnerability CAN-2004-0494. FL bugzilla #2009.
* Fri Jan 28 2005 David Eisenstein 1:4.6.0-18.0.fc1.0.legacy
- Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match
  scripts in upstream's cvs. This takes care of fixes missed in Fedora
  update FEDORA-2004-272.
- Fedora Legacy bugzilla # 2009.

fc1:
* Fri Feb 11 2005 David Eisenstein 1:4.6.0-18.2.fc1.0.legacy
- Add mc-4.6.0-multi-CVE.patch which completes the fixes for
  CAN-2004-1004, CAN-2004-1005, and CAN-2004-1176. Source of these
  patches are from Debian, (DSA-639) and ultimately from the mc CVS
  tree.
- FL Bugzilla #2405.
* Sun Feb 06 2005 David Eisenstein 1:4.6.0-18.1.fc1.0.legacy
- Per Leonard den Ottolander, get rid of mc-cvs-uzip. Required removing
  a hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch.
- Use revised quoted-security2 patch, less drastic changes to uzip.in in
  extfs directory for vulnerability CAN-2004-0494. FL bugzilla #2009.
* Fri Jan 28 2005 David Eisenstein 1:4.6.0-18.0.fc1.0.legacy
- Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match
  scripts in upstream's cvs. This takes care of fixes missed in Fedora
  update FEDORA-2004-272.
- Fedora Legacy bugzilla # 2009.

fc2:
* Tue Jul 12 2005 Marc Deslauriers 4.6.1-0.13.FC2.legacy
- Rebuilt as a Fedora Legacy update
* Fri Mar 04 2005 Jindrich Novy 4.6.1-0.13.FC2
- backport FC3 update to FC2 to fix security issues: (#148865)
  - CAN-2004-1004 (string vulnerabilities)
  - CAN-2004-1005 (buffer overflows)
  - CAN-2004-1176 (buffer underflow)
- introduce mc-4.6.1-pre3 to FC2 users

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Tue Jul 12 22:20:50 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 12 Jul 2005 18:20:50 -0400
Subject: [FLSA-2005:152777] Updated ImageMagick packages fix security issues
Message-ID: <42D44242.8050309@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated ImageMagick packages fix security issues
Advisory ID: FLSA:152777
Issue date: 2005-07-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2003-0455 CAN-2004-0827 CAN-2004-0981 CAN-2005-0005
           CAN-2005-0397 CAN-2005-0759 CAN-2005-0760 CAN-2005-0761
           CAN-2005-0762 CAN-2005-1275 CAN-2005-1739
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated ImageMagick packages that fix multiple security vulnerabilities
are now available.

ImageMagick(TM) is an image display and manipulation tool for the X
Window System.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A temporary file handling bug has been found in ImageMagick's libmagick
library. A local user could overwrite or create files as a different
user if a program was linked with the vulnerable library. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2003-0455 to this issue.

A heap overflow flaw has been discovered in the ImageMagick image
handler. An attacker could create a carefully crafted BMP file in such
a way that it could cause ImageMagick to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0827 to this issue.

A buffer overflow flaw was discovered in the ImageMagick image handler.
An attacker could create a carefully crafted image file with improper
EXIF information in such a way that it would cause ImageMagick to
execute arbitrary code when processing the image. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0981 to this issue.

Andrei Nigmatulin discovered a heap based buffer overflow flaw in the
ImageMagick image handler. An attacker could create a carefully crafted
Photoshop Document (PSD) image in such a way that it would cause
ImageMagick to execute arbitrary code when processing the image. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0005 to this issue.

A format string bug was found in the way ImageMagick handles filenames.
An attacker could execute arbitrary code on a victim's machine if they
were able to trick the victim into opening a file with a specially
crafted name. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0397 to this issue.

A bug was found in the way ImageMagick handles TIFF tags. It is
possible that a TIFF image file with an invalid tag could cause
ImageMagick to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0759 to this issue.

A bug was found in ImageMagick's TIFF decoder. It is possible that a
specially crafted TIFF image file could cause ImageMagick to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0760 to this issue.

A bug was found in the way ImageMagick parses PSD files. It is possible
that a specially crafted PSD file could cause ImageMagick to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0761 to this issue.

A heap overflow bug was found in ImageMagick's SGI parser. It is
possible that an attacker could execute arbitrary code by tricking a
user into opening a specially crafted SGI image file. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2005-0762 to this issue.

A heap based buffer overflow bug was found in the way ImageMagick
parses PNM files. An attacker could execute arbitrary code on a
victim's machine if they were able to trick the victim into opening a
specially crafted PNM file. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-1275 to this
issue.

A denial of service bug was found in the way ImageMagick parses XWD
files. A user or program executing ImageMagick to process a malicious
XWD file can cause ImageMagick to enter an infinite loop causing a
denial of service condition. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-1739 to this
issue.

Users of ImageMagick should upgrade to these updated packages, which
contain backported patches, and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates.
To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152777

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ImageMagick-5.4.3.11-12.7.x.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-c++-devel-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-devel-5.4.3.11-12.7.x.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ImageMagick-perl-5.4.3.11-12.7.x.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ImageMagick-5.4.7-18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-c++-devel-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-devel-5.4.7-18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ImageMagick-perl-5.4.7-18.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ImageMagick-5.5.6-13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-devel-5.5.6-13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-perl-5.5.6-13.legacy.i386.rpm

Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ImageMagick-6.2.0.7-2.fc2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1739

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:

From shiva at sewingwitch.com Wed Jul 13 05:17:00 2005
From: shiva at sewingwitch.com (Kenneth Porter)
Date: Tue, 12 Jul 2005 22:17:00 -0700
Subject: New repository metadata format
In-Reply-To: <1115232781.28515.27.camel@jkeating2.hq.pogolinux.com>
References: <382AE7E877C4CB520095C298@[10.0.0.14]> <1115226675.28515.11.camel@jkeating2.hq.pogolinux.com> <1115232781.28515.27.camel@jkeating2.hq.pogolinux.com>
Message-ID:

--On Wednesday, May 04, 2005 11:53 AM -0700 Jesse Keating wrote:

>> Yep, I installed the newer yum to get the more efficient metadata
>> representation. (The tricky part was that one has to hand-update any
>> customized yum.conf to include the new /etc/yum.d files, as yum.conf
>> is marked noreplace. But this might have been addressed in more recent
>> packages by a post scriptlet.)
>>
>> Eventually FC3 will move to Legacy and will need this, so effort to
>> set up the mechanism wouldn't be wasted.
>
> Yeah it's just an extra line in our 'upload' script. It will add a few
> minutes on our end is all. I'd rather not gen the metadata twice ):

It doesn't look like this ever happened. At the time I updated yum FC2
was still a "live" product and most mirrors had both kinds of metadata
so it wasn't a problem to update yum to use the newer format and take
advantage of the features of the newer system.

Should I wait for the metadata or should I just mirror the whole repo
and create my own?
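Added example, not part of the archived messages or of Fedora Legacy's tooling: the sha1sum check described in the ImageMagick advisory above, written as a shell function that compares downloaded packages with an advisory's published SHA1 sums and flags any .rpm the advisory does not name. The function names, the table file layout (one "<sha1> <path>" entry per line) and the demo package names are assumptions; the demo file is a constructed stand-in, not a real RPM.

```shell
#!/bin/sh
# Added example (not Fedora Legacy tooling): check downloaded RPMs against the
# SHA1 sums an advisory publishes. Table layout assumed: one entry per line,
# "<40 hex digits> <repository path ending in the package file name>".

# verify_advisory TABLE_FILE PACKAGE_DIR
# Prints OK / MISMATCH / UNLISTED / BADLINE, one line per finding.
# Table entries with no local file are skipped: an advisory lists packages for
# every release, and a host only downloads the ones for its own.
# Returns 0 only if at least one package was checked and nothing failed.
verify_advisory() {
    table=$1
    dir=$2
    checked=0
    failed=0

    # Pass 1: each listed package that is present must hash to the listed value.
    while read -r want relpath extra || [ -n "$want" ]; do
        [ -z "$want" ] && continue                  # blank line
        # Accept only "<40 hex digits> <path>"; anything else is a finding.
        if [ -n "$extra" ] || [ -z "$relpath" ] || [ "${#want}" -ne 40 ] ||
           printf '%s' "$want" | grep -q '[^0-9a-fA-F]'; then
            echo "BADLINE  $want $relpath $extra"
            failed=$((failed + 1))
            continue
        fi
        name=${relpath##*/}
        [ -f "$dir/$name" ] || continue
        have=$(sha1sum "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$have" = "$(printf '%s' "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (listed $want, computed $have)"
            failed=$((failed + 1))
        fi
    done < "$table"

    # Pass 2: an .rpm in the directory that the table does not name was never
    # covered by the advisory, so it must not ride along into "rpm -Fvh *.rpm".
    for file in "$dir"/*.rpm; do
        [ -f "$file" ] || continue
        name=${file##*/}
        if ! awk -v n="$name" '{ sub(/.*\//, "", $2); if ($2 == n) found = 1 }
                               END { exit !found }' "$table"; then
            echo "UNLISTED $name"
            failed=$((failed + 1))
        fi
    done

    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: a stand-in "package" whose content is the three bytes abc,
# plus a table entry for a release that was not downloaded (skipped, not failed).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'abc' > "$tmp/demo-1.0-0.73.1.legacy.i386.rpm"
    cat > "$tmp/table" <<'EOF'
a9993e364706816aba3e25717850c26c9cd0d89d redhat/7.3/updates/i386/demo-1.0-0.73.1.legacy.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 redhat/9/updates/i386/demo-1.0-0.90.1.legacy.i386.rpm
EOF
    verify_advisory "$tmp/table" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Command-line use: sh verify.sh TABLE_FILE PACKAGE_DIR
if [ "$#" -eq 2 ]; then
    verify_advisory "$1" "$2"
fi
```

A package reported OK has only matched the published sum; running `rpm --checksig -v` on that file, with the Fedora Legacy key imported, is the check that ties it to the project's signature.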
From jkeating at j2solutions.net Wed Jul 13 08:04:07 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 13 Jul 2005 01:04:07 -0700
Subject: New repository metadata format
In-Reply-To:
References: <382AE7E877C4CB520095C298@[10.0.0.14]> <1115226675.28515.11.camel@jkeating2.hq.pogolinux.com> <1115232781.28515.27.camel@jkeating2.hq.pogolinux.com>
Message-ID: <1121241847.31376.0.camel@prometheus.gamehouse.com>

On Tue, 2005-07-12 at 22:17 -0700, Kenneth Porter wrote:
> It doesn't look like this ever happened. At the time I updated yum FC2
> was still a "live" product and most mirrors had both kinds of metadata
> so it wasn't a problem to update yum to use the newer format and take
> advantage of the features of the newer system.
>
> Should I wait for the metadata or should I just mirror the whole repo
> and create my own?

You're right, this hasn't been done yet. I need to look a bit more into
this.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From Axel.Thimm at ATrpms.net Wed Jul 13 11:00:22 2005
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Wed, 13 Jul 2005 13:00:22 +0200
Subject: New repository metadata format
In-Reply-To: <1121241847.31376.0.camel@prometheus.gamehouse.com>
References: <382AE7E877C4CB520095C298@[10.0.0.14]> <1115226675.28515.11.camel@jkeating2.hq.pogolinux.com> <1115232781.28515.27.camel@jkeating2.hq.pogolinux.com> <1121241847.31376.0.camel@prometheus.gamehouse.com>
Message-ID: <20050713110022.GA8909@neu.nirvana>

Hi,

On Wed, Jul 13, 2005 at 01:04:07AM -0700, Jesse Keating wrote:
> On Tue, 2005-07-12 at 22:17 -0700, Kenneth Porter wrote:
> > It doesn't look like this ever happened. At the time I updated yum
> > FC2 was still a "live" product and most mirrors had both kinds of
> > metadata so it wasn't a problem to update yum to use the newer
> > format and take advantage of the features of the newer system.
> >
> > Should I wait for the metadata or should I just mirror the whole
> > repo and create my own?
>
> You're right, this hasn't been done yet. I need to look a bit more into
> this.

dl.atrpms.net has vendor and legacy updates with all three metadata
formats, apt, yum20 and yum. Until fedoralegacy introduces the new
metadata support, you can use ATrpms'.

For FC2/i386 this is under

http://dl.atrpms.net/fc2-i386/redhat/updates/
http://dl.atrpms.net/fc2-i386/redhat/updates-legacy/

In order to ease on resources I'm maintaining the updates split as
above, so that metadata recreation takes less time. The mirror and
metadata recreation scripts run hourly.

(but note that today there is a maintenance downtime:
http://lists.atrpms.net/pipermail/atrpms-announce/2005-July/000011.html)
--
Axel.Thimm at ATrpms.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL:

From shiva at sewingwitch.com Wed Jul 13 23:10:58 2005
From: shiva at sewingwitch.com (Kenneth Porter)
Date: Wed, 13 Jul 2005 16:10:58 -0700
Subject: New repository metadata format
In-Reply-To: <20050713110022.GA8909@neu.nirvana>
References: <382AE7E877C4CB520095C298@[10.0.0.14]> <1115226675.28515.11.camel@jkeating2.hq.pogolinux.com> <1115232781.28515.27.camel@jkeating2.hq.pogolinux.com> <1121241847.31376.0.camel@prometheus.gamehouse.com> <20050713110022.GA8909@neu.nirvana>
Message-ID: <81F9DC14C8065221604D0F8D@[10.169.6.233]>

--On Wednesday, July 13, 2005 1:00 PM +0200 Axel Thimm wrote:

> dl.atrpms.net has vendor and legacy updates with all three metadata
> formats, apt, yum20 and yum. Until fedoralegacy introduces the new
> metadata support, you can use ATrpms'.

Thanks! Much appreciated!

From pekkas at netcore.fi Thu Jul 14 09:36:23 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 14 Jul 2005 12:36:23 +0300 (EEST)
Subject: issues list(s)
Message-ID:

Remember, there's always a need for folks to do some QA testing. See
the wiki for instructions and how to get started:

http://www.fedoralegacy.org/wiki/index.php/QaTesting

In particular, IMHO the biggest need right now is having people take a
look at "All packages lacking VERIFY" category, secondarily "All
packages lacking PUBLISH". There is also a large number of packages
which still lack verify votes, but will be released anyway after a
timeout.

http://www.netcore.fi/pekkas/buglist.html (all)
http://www.netcore.fi/pekkas/buglist-rhl73.html
http://www.netcore.fi/pekkas/buglist-rhl9.html
http://www.netcore.fi/pekkas/buglist-core1.html
http://www.netcore.fi/pekkas/buglist-fc2.html

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From tseaver at palladion.com Wed Jul 13 20:53:24 2005
From: tseaver at palladion.com (Tres Seaver)
Date: Wed, 13 Jul 2005 16:53:24 -0400
Subject: Self Introduction
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1. Name: Tres Seaver
2. Location: Fredericksburg, Virginia, USA
3. Profession: Software Developer
4. Company: Palladion Software
5. Goals: QA for FC1
6. Qualifications: Lots of Zope and Python experience; receding C++
   and Java. I am the "pope" of the Zope CMF project.
7. GPG KEYID and fingerprint:

pub 1024D/CE25B50E 2005-01-19 Tres Seaver
    Key fingerprint = EE82 A7EA F5B2 6055 33FE E6E8 FA07 AB2E CE25 B50E
sub 1024g/15460A58 2005-01-19

The key is at: http://palladion.com/home/tseaver/pubkey.gpg

BTW, at least the SelfIntroduction wiki page has been taken over by
pornspam.

Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC1X9D+gerLs4ltQ4RAsZMAJ4uKs2XhEe2o6pCQO4Knuq2HVqR8QCfXqYH
dVFuAjJVnfWabwb76mhgfD8=
=IacM
-----END PGP SIGNATURE-----

From sheltren at cs.ucsb.edu Sat Jul 16 00:56:23 2005
From: sheltren at cs.ucsb.edu (Jeff Sheltren)
Date: Fri, 15 Jul 2005 17:56:23 -0700
Subject: Wiki Problems
Message-ID: <1DF78824-0FDF-4CF2-9836-3217721EA086@cs.ucsb.edu>

It looks like the database is having some problems. I was able to load
one page, but now I just get this error:

lib/WikiDB/backend/PearDB.php:32: Fatal[256]: Can't connect to database: wikidb_backend_mysql: fatal database error
* DB Error: unknown error
* ( [nativecode=Commands out of sync; You can't run this command now] ** mysql://legwik:XXXXXXXX at unix(/var/lib/mysql/mysql.sock)/ legacywiki)

-Jeff

From marcdeslauriers at videotron.ca Sat Jul 16 02:00:46 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:00:46 -0400
Subject: [FLSA-2005:158149] Updated mozilla packages fix security issues
Message-ID: <42D86A4E.2030606@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:     Updated mozilla packages fix security issues
Advisory ID:  FLSA:158149
Issue date:   2005-07-15
Product:      Red Hat Linux, Fedora Core
Keywords:     Bugfix
CVE Names:    CAN-2005-1476 CAN-2005-1477 CAN-2005-1531 CAN-2005-1532
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated mozilla packages that fix various security bugs are now
available.
Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several bugs were found in the way Mozilla executes javascript code.
Javascript executed from a web page should run with a restricted access
level, preventing dangerous actions. It is possible that a malicious web
page could execute javascript code with elevated privileges, allowing
access to protected data and functions. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476,
CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues.

Users of Mozilla are advised to upgrade to this updated package, which
contains Mozilla version 1.7.8 to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158149

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.8-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.8-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.8-0.90.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.8-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.8-1.1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.8-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.8-1.2.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.4.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.8-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.7.legacy.i386.rpm

7.
Verification:

These packages are GPG signed
by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1532

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:

From marcdeslauriers at videotron.ca Sat Jul 16 02:01:53 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:01:53 -0400
Subject: [FLSA-2005:154272] Updated gdk-pixbuf packages fix a security issue
Message-ID: <42D86A91.50406@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:     Updated gdk-pixbuf packages fix a security issue
Advisory ID:  FLSA:154272
Issue date:   2005-07-15
Product:      Red Hat Linux, Fedora Core
Keywords:     Bugfix
CVE Names:    CAN-2005-0891
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated gdk-pixbuf packages that fix a double free vulnerability are now
available.

The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A bug was found in the way gdk-pixbuf processes BMP images. It is
possible that a specially crafted BMP image could cause a denial of
service attack on applications linked against gdk-pixbuf. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2005-0891 to this issue.

Users of gdk-pixbuf are advised to upgrade to these packages, which
contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154272

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-0.22.0-7.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-devel-0.22.0-7.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-gnome-0.22.0-7.73.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-0.22.0-7.90.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-devel-0.22.0-7.90.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-gnome-0.22.0-7.90.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-0.22.0-11.3.4.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-devel-0.22.0-11.3.4.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-gnome-0.22.0-11.3.4.1.legacy.i386.rpm

7.
Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0891

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Jul 16 02:02:37 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Fri, 15 Jul 2005 22:02:37 -0400 Subject: [FLSA-2005:152925] Updated mysql packages fix security issues Message-ID: <42D86ABD.9060605@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated mysql packages fix security issues Advisory ID: FLSA:152925 Issue date: 2005-07-15 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2005-0709 CAN-2005-0710 CAN-2005-0711 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated mysql packages that fix various security issues are now available. MySQL is a multi-user, multi-threaded SQL database server. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user- defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0709 and CAN-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. 
The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-0711 to this issue.

All users of the MySQL server are advised to upgrade to these updated
packages, which contain fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152925

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.6.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.4.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Sat Jul 16 02:03:14 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:03:14 -0400
Subject: [FLSA-2005:152917] Updated curl packages fix a security issue
Message-ID: <42D86AE2.4070402@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated curl packages fix a security issue
Advisory ID: FLSA:152917
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-0490
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated curl packages are now available.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and
Dict servers, using any of the supported protocols. cURL is designed to
work without user interaction or any kind of interactivity.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Multiple buffer overflow bugs were found in the way curl processes
base64 encoded replies. If a victim can be tricked into visiting a URL
with curl, a malicious web server could execute arbitrary code on a
victim's machine. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0490 to this issue.

All users of curl are advised to upgrade to these updated packages,
which contain backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152917

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/curl-7.9.5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/curl-7.9.5-2.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/curl-devel-7.9.5-2.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/curl-7.9.8-5.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/curl-7.9.8-5.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/curl-devel-7.9.8-5.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/curl-7.10.6-7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/curl-7.10.6-7.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/curl-devel-7.10.6-7.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/curl-7.11.1-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/curl-7.11.1-1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/curl-devel-7.11.1-1.2.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Sat Jul 16 02:03:53 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:03:53 -0400
Subject: [FLSA-2005:152891] Updated cpio package fixes security issue
Message-ID: <42D86B09.6050503@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated cpio package fixes security issue
Advisory ID: FLSA:152891
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-1999-1572
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

An updated cpio package that fixes a umask bug and supports large files
(>2GB) is now available.

GNU cpio copies files into or out of a cpio or tar archive.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

It was discovered that cpio uses a 0 umask when creating files using the
-O (archive) option. This creates output files with mode 0666 (all can
read and write) regardless of the user's umask setting. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-1999-1572 to this issue.

All users of cpio should upgrade to this updated package, which resolves
this issue, and adds support for large files (> 2GB).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152891

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cpio-2.5-3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cpio-2.5-3.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cpio-2.5-5.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/cpio-2.5-5.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
9f7b398cf0b0259eb983fa3f77aaae4558aa3f81 redhat/9/updates/i386/cpio-2.5-3.2.legacy.i386.rpm
afb4f3892398e6a08bb9f8f3016ffe4a33302fdc redhat/9/updates/SRPMS/cpio-2.5-3.2.legacy.src.rpm
757cee489c9ceb9aa0d8c775a035cfbe5f1f93fe fedora/1/updates/i386/cpio-2.5-5.2.legacy.i386.rpm
d78fe3e156c510479e55b52ec284b0ba04704909 fedora/1/updates/SRPMS/cpio-2.5-5.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1572

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Sat Jul 16 02:04:30 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:04:30 -0400
Subject: [FLSA-2005:152874] Updated samba packages fix security issues
Message-ID: <42D86B2E.3040808@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated samba packages fix security issues
Advisory ID: FLSA:152874
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0882 CAN-2004-0930 CAN-2004-1154
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated samba packages that fix various security vulnerabilities are now
available.

Samba provides file and printer sharing services to SMB/CIFS clients.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

During a code audit, Stefan Esser discovered a buffer overflow in Samba
versions prior to 3.0.8 when handling unicode filenames. An
authenticated remote user could exploit this bug which may lead to
arbitrary code execution on the server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0882 to
this issue.

A bug was found in the input validation routines in versions of Samba
prior to 3.0.8 that caused the smbd process to consume abnormal amounts
of system memory. An authenticated remote user could exploit this bug to
cause a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0930 to this issue.

Greg MacManus of iDEFENSE Labs has discovered an integer overflow bug in
Samba versions prior to 3.0.10. An authenticated remote user could
exploit this bug which may lead to arbitrary code execution on the Samba
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1154 to this issue.

Users of Samba should upgrade to these updated packages, which contain
backported security patches, and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152874

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/samba-2.2.12-0.73.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-2.2.12-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-client-2.2.12-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-common-2.2.12-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/samba-swat-2.2.12-0.73.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-2.2.12-0.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-client-2.2.12-0.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-common-2.2.12-0.90.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/samba-swat-2.2.12-0.90.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/samba-3.0.10-1.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/samba-3.0.10-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/samba-client-3.0.10-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/samba-common-3.0.10-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/samba-swat-3.0.10-1.fc1.1.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Sat Jul 16 02:05:06 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:05:06 -0400
Subject: [FLSA-2005:152841] Updated openssl packages fix security issues
Message-ID: <42D86B52.501@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated openssl packages fix security issues
Advisory ID: FLSA:152841
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0975
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated OpenSSL packages that fix security issues are now available.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A flaw was found in the way the der_chop script creates temporary files.
It is possible that a malicious local user could cause der_chop to
overwrite files (CAN-2004-0975).

Users are advised to update to these erratum packages which contain a
patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152841

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl-0.9.6b-39.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-devel-0.9.6b-39.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-perl-0.9.6b-39.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl-0.9.7a-20.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.4.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-devel-0.9.7a-20.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-perl-0.9.7a-20.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl-0.9.7a-33.11.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.11.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.11.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-devel-0.9.7a-33.11.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-perl-0.9.7a-33.11.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Sat Jul 16 02:05:45 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 15 Jul 2005 22:05:45 -0400
Subject: [FLSA-2005:152838] Updated gd packages fix security issues
Message-ID: <42D86B79.2070302@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated gd packages fix security issues
Advisory ID: FLSA:152838
Issue date: 2005-07-15
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2004-0941 CAN-2004-0990
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated gd packages that fix security issues with overflow in various
memory allocation calls are now available.

The gd packages contain a graphics library used for the dynamic creation
of images such as PNG and JPEG.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Several buffer overflows were reported in various memory allocation
calls. An attacker could create a carefully crafted image file in such a
way that it could cause ImageMagick to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0990 to these issues.

While researching the fixes to these overflows, additional buffer
overflows were discovered in calls to gdMalloc.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0941 to these issues. Users of gd should upgrade to these updated packages, which contain a backported security patch, and are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152838 6. 
RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gd-1.8.4-4.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/gd-1.8.4-4.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/gd-devel-1.8.4-4.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/gd-progs-1.8.4-4.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gd-1.8.4-11.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/gd-1.8.4-11.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/gd-devel-1.8.4-11.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/gd-progs-1.8.4-11.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gd-2.0.15-1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/gd-2.0.15-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/gd-devel-2.0.15-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/gd-progs-2.0.15-1.2.legacy.i386.rpm 7. 
Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0941 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0990 9. Contact: The Fedora Legacy security contact is . 
More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Jul 16 02:07:18 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Fri, 15 Jul 2005 22:07:18 -0400 Subject: [FLSA-2005:152769] Updated kdelibs/kdebase packages fix security issues Message-ID: <42D86BD6.5080304@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated kdelibs/kdebase packages fix security issues Advisory ID: FLSA:152769 Issue date: 2005-07-15 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2003-0592 CAN-2004-0411 CAN-2004-0689 CAN-2004-0721 CAN-2004-0746 CAN-2004-1158 CAN-2004-1165 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated kdelibs and kdebase packages that resolve several security issues are now available. The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. 
However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0592 to this issue. iDEFENSE identified a vulnerability in the Opera web browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found two similar vulnerabilities that also exist in KDE. A flaw in the telnet URI handler may allow options to be passed to the telnet program, resulting in creation or replacement of files. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file with the victim's permissions. A flaw in the mailto URI handler may allow options to be passed to the kmail program. These options could cause kmail to write to the file system or to run on a remote X display. An attacker could create a carefully crafted link in such a way that access may be obtained to run arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0411 to these issues. Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. 
This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. Secunia Research discovered a window injection spoofing vulnerability affecting the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1158 to this issue. A bug was discovered in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command. It is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or potentially send unsolicited email. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1165 to this issue. All users of KDE are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. 
To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152769 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdebase-3.0.5a-0.73.7.legacy.src.rpm http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.6.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdebase-3.0.5a-0.73.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdebase-devel-3.0.5a-0.73.7.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.6.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdebase-3.1-18.legacy.src.rpm http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdelibs-3.1-17.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/kdebase-3.1-18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kdebase-devel-3.1-18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-3.1-17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-devel-3.1-17.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdebase-3.1.4-9.legacy.src.rpm http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdelibs-3.1.4-9.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/kdebase-3.1.4-9.legacy.i386.rpm 
http://download.fedoralegacy.org/fedora/1/updates/i386/kdebase-devel-3.1.4-9.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-3.1.4-9.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-devel-3.1.4-9.legacy.i386.rpm 7. Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0592 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Jul 16 16:20:19 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Jul 2005 12:20:19 -0400 Subject: [FLSA-2005:152900] Updated squirrelmail package fixes security issue Message-ID: <42D933C3.3090007@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated squirrelmail package fixes security issue Advisory ID: FLSA:152900 Issue date: 2005-07-16 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-1036 CAN-2005-0075 CAN-2005-0103 CAN-2005-0104 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated SquirrelMail package that fixes a cross-site scripting vulnerability is now available. SquirrelMail is a webmail package written in PHP. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: A cross-site scripting bug has been found in SquirrelMail. This issue could allow an attacker to send a mail with a carefully crafted header, which could result in causing the victim's machine to execute a malicious script. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-1036 to this issue. Jimmy Conner discovered a missing variable initialization in Squirrelmail. This flaw could allow potential insecure file inclusions on servers where the PHP setting "register_globals" is set to "On". This is not a default or recommended setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0075 to this issue. A URL sanitisation bug was found in Squirrelmail. This flaw could allow a cross site scripting attack when loading the URL for the sidebar. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0103 to this issue. A missing variable initialization bug was found in Squirrelmail. This flaw could allow a cross site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0104 to this issue. Users of Squirrelmail are advised to upgrade to this updated package, which contains backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152900 6. 
RPMs required: Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 3196c12423fef52a83ad5e4636f7b74793c8e63e redhat/9/updates/i386/squirrelmail-1.4.3-0.f0.9.3.legacy.noarch.rpm 7a07ddaffdf6cb57a5990839ad17e4f27d29eaf7 redhat/9/updates/SRPMS/squirrelmail-1.4.3-0.f0.9.3.legacy.src.rpm fee964ec13662fc69361810ed6a4a4d3f2c16196 fedora/1/updates/i386/squirrelmail-1.4.3-0.f1.1.2.legacy.noarch.rpm 3e0b6ab9bfb4b83c05de5d7ba3749e464ee2329d fedora/1/updates/SRPMS/squirrelmail-1.4.3-0.f1.1.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1036 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0104 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Jul 16 16:21:05 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Jul 2005 12:21:05 -0400 Subject: [FLSA-2005:152844] Updated PostgreSQL packages fix security issues Message-ID: <42D933F1.2030400@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated PostgreSQL packages fix security issues Advisory ID: FLSA:152844 Issue date: 2005-07-16 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0977 CAN-2005-0227 CAN-2005-0244 CAN-2005-0245 CAN-2005-0246 CAN-2005-0247 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated PostgreSQL packages to fix various security flaws are now available. PostgreSQL is an advanced Object-Relational database management system (DBMS). 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Trustix has identified improper temporary file usage in the make_oidjoins_check script. It is possible that an attacker could overwrite arbitrary file contents as the user running the make_oidjoins_check script. This script has been removed from the RPM file since it has no use to ordinary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0977 to this issue. A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared libraries and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue. A permission checking flaw in PostgreSQL was discovered. 
A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue. Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues. A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue. Users of PostgreSQL are advised to update to these erratum packages which are not vulnerable to these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. 
Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152844 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/postgresql-7.2.7-1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-contrib-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-devel-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-docs-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-jdbc-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-libs-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-odbc-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-perl-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-python-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-server-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-tcl-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-test-7.2.7-1.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/postgresql-tk-7.2.7-1.2.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ i386: http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.9-0.90.2.legacy.i386.rpm 
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.9-0.90.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.9-0.90.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.9-1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-libs-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-pl-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-python-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-server-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-tcl-7.3.9-1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-test-7.3.9-1.2.legacy.i386.rpm 7. 
Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0977 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0227 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0244 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0245 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0246 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0247 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... 
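An added example, not part of the advisories or of Fedora Legacy's tooling: a POSIX shell check for the "Verification" step of the advisories above, which also flags stray RPMs that the wildcard form of rpm -Fvh would pick up. It assumes the advisory's manifest has been saved one entry per line as "<40-hex SHA1> <mirror path>" and that the downloaded RPMs sit in one flat directory; the function names and the package name in the comments are made up for illustration.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against an advisory's SHA1 manifest.
# Assumed manifest layout, one entry per line (other advisory text is skipped):
#   <40 hex digits> <mirror path ending in .rpm>
# e.g. a path such as redhat/7.3/updates/i386/example-1.0-1.legacy.i386.rpm
# (constructed name) is matched against the local file
# example-1.0-1.legacy.i386.rpm.

# Print the SHA1 of a file as lowercase hex.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1   # fallback where sha1sum is absent
    fi
}

# verify_flsa_manifest MANIFEST DIR
# Returns 0 only if at least one listed package was found, every package found
# matches its listed sum, and DIR holds no *.rpm that the manifest does not
# list (the wildcard form "rpm -Fvh *.rpm" would pick such a file up).
verify_flsa_manifest() {
    vfm_manifest=$1
    vfm_dir=$2
    vfm_ok=0 vfm_bad=0 vfm_absent=0 vfm_stray=0
    vfm_listed='|'

    while read -r vfm_sum vfm_path vfm_rest; do
        # Accept only "<40 hex> <something>.rpm" with nothing after it.
        [ "${#vfm_sum}" -eq 40 ] || continue
        case $vfm_sum in *[!0-9a-fA-F]*) continue ;; esac
        case $vfm_path in *.rpm) ;; *) continue ;; esac
        [ -z "$vfm_rest" ] || continue

        vfm_name=${vfm_path##*/}           # mirror path -> local file name
        vfm_listed="$vfm_listed$vfm_name|"
        if [ ! -f "$vfm_dir/$vfm_name" ]; then
            # Not a failure: rpm -F only updates installed packages, so an
            # admin may have fetched only a subset of the listed files.
            echo "ABSENT    $vfm_name"
            vfm_absent=$((vfm_absent + 1))
            continue
        fi
        vfm_want=$(printf '%s' "$vfm_sum" | tr 'A-F' 'a-f')
        if [ "$(sha1_of "$vfm_dir/$vfm_name")" = "$vfm_want" ]; then
            echo "OK        $vfm_name"
            vfm_ok=$((vfm_ok + 1))
        else
            echo "MISMATCH  $vfm_name"
            vfm_bad=$((vfm_bad + 1))
        fi
    done < "$vfm_manifest"

    # Any RPM in the directory that the advisory does not list is suspect.
    for vfm_file in "$vfm_dir"/*.rpm; do
        [ -e "$vfm_file" ] || continue      # glob matched nothing
        case $vfm_listed in
            *"|${vfm_file##*/}|"*) ;;
            *)
                echo "UNLISTED  ${vfm_file##*/}"
                vfm_stray=$((vfm_stray + 1))
                ;;
        esac
    done

    echo "ok=$vfm_ok mismatch=$vfm_bad absent=$vfm_absent unlisted=$vfm_stray"
    [ "$vfm_ok" -gt 0 ] && [ "$vfm_bad" -eq 0 ] && [ "$vfm_stray" -eq 0 ]
}

# Stand-alone use: sh verify.sh advisory.txt /path/to/downloaded/rpms
if [ "$#" -eq 2 ]; then
    verify_flsa_manifest "$1" "$2"
fi
```

The sums are only as trustworthy as the copy of the advisory they were taken from, so check the advisory's OpenPGP signature or run rpm --checksig -v against the Fedora Legacy key as well.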
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Jul 16 18:57:15 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Jul 2005 14:57:15 -0400 Subject: Fedora Legacy Test Update Notification: cups Message-ID: <42D9588B.1060405@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-163274 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163274 2005-07-16 --------------------------------------------------------------------- Name : cups Versions : rh7.3: cups-1.1.14-15.4.5.legacy Versions : rh9: cups-1.1.17-13.3.0.14.legacy Versions : fc1: cups-1.1.19-13.9.legacy Versions : fc2: cups-1.1.20-11.11.2.legacy Summary : Common Unix Printing System Description : The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. --------------------------------------------------------------------- Update Information: Updated CUPS packages that fix a security issue are now available. The Common UNIX Printing System provides a portable printing layer for UNIX(R) operating systems. When processing a request, the CUPS scheduler would use case-sensitive matching on the queue name to decide which authorization policy should be used. However, queue names are not case-sensitive. An unauthorized user could print to a password-protected queue without needing a password. The Common Vulnerabilities and Exposures project has assigned the name CAN-2005-2154 to this issue. All users of CUPS should upgrade to these erratum packages which contain a backported patch to correct this issue. 
--------------------------------------------------------------------- Changelogs rh73: * Thu Jul 14 2005 Jeff Sheltren 1.1.14-15.4.5.legacy - Patch CAN-2004-2154 (#163274) rh9: * Thu Jul 14 2005 Jeff Sheltren 1.1.17-13.3.0.14.legacy - Fix for CAN-2004-2154 (#163274) fc1: * Thu Jul 14 2005 Jeff Sheltren 1:1.1.19-13.9.legacy - Fix for CAN-2004-2154 (#163274) fc2: * Sat Jul 16 2005 Marc Deslauriers 1:1.1.20-11.11.2.legacy - Added missing automake zlib-devel libjpeg-devel libtiff-devel libpng-devel to BuildPrereq * Thu Jul 14 2005 Jeff Sheltren 1:1.1.20-11.11.1.legacy - Fix for CAN-2004-2154 (#163274) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
--------------------------------------------------------------------- Please test and comment in bugzilla. From marcdeslauriers at videotron.ca Sat Jul 16 18:57:41 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 16 Jul 2005 14:57:41 -0400 Subject: Fedora Legacy Test Update Notification: zlib Message-ID: <42D958A5.20200@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-162680 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162680 2005-07-16 --------------------------------------------------------------------- Name : zlib Versions : fc1: zlib-1.2.0.7-2.2.legacy Versions : fc2: zlib-1.2.1.2-0.fc2.1.legacy Summary : The zlib compression and decompression library. Description : Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs. --------------------------------------------------------------------- Update Information: Updated Zlib packages that fix a buffer overflow are now available. Zlib is a general-purpose lossless data compression library which is used by many different programs. Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2 and above.
An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file which would cause a web browser or mail viewer to crash if the image is viewed. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2096 to this issue. All users should update to these erratum packages which contain a patch from Mark Adler which corrects this issue. --------------------------------------------------------------------- Changelogs fc1: * Wed Jul 13 2005 Jeff Sheltren 1.2.0.7-2.2.legacy - Patch for buffer overflow (#162680) CAN-2005-2096 fc2: * Wed Jul 13 2005 Jeff Sheltren 1.2.1.2-0.fc2.1.legacy - Patch buffer overflow (#162680), CAN-2005-2096 --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) --------------------------------------------------------------------- Please test and comment in bugzilla.
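An added example, not part of the original messages and not Fedora Legacy's own tooling: checking downloaded packages against the "(sha1sums)" list of a notification like the ones in this archive, including when the list has been flattened onto one line. The package names, payloads and digests are constructed at run time, and the repository paths only mimic the list layout.

```python
import hashlib
import hmac
import os
import posixpath
import re
import tempfile

# One "(sha1sums)" entry: 40 hex digits, whitespace, repository path of an rpm.
# \s+ also spans line breaks, so flattened or re-wrapped archive text parses.
ENTRY_RE = re.compile(r"\b([0-9a-fA-F]{40})\s+(\S+\.rpm)\b")


def parse_sha1_list(text):
    """Map rpm file name -> expected SHA-1 (lowercase hex) from notification text."""
    expected = {}
    for digest, repo_path in ENTRY_RE.findall(text):
        # Only the base name is used, so a path taken from the mail can never
        # steer the check outside the download directory.
        name = posixpath.basename(repo_path)
        digest = digest.lower()
        # Two different digests for one file name make the list ambiguous.
        if expected.get(name, digest) != digest:
            raise ValueError("conflicting digests listed for " + name)
        expected[name] = digest
    return expected


def sha1_of(path, chunk_size=1 << 20):
    """Stream the file so large packages are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(notice_text, download_dir):
    """Return {file name: "OK" | "MISMATCH" | "MISSING" | "UNLISTED"}."""
    expected = parse_sha1_list(notice_text)
    report = {}
    for name, digest in expected.items():
        local = os.path.join(download_dir, name)
        if not os.path.isfile(local):
            report[name] = "MISSING"
        elif hmac.compare_digest(sha1_of(local), digest):
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    # An rpm that the notification never mentioned should not be installed
    # on the strength of this check.
    for name in sorted(os.listdir(download_dir)):
        if name.endswith(".rpm") and name not in expected:
            report[name] = "UNLISTED"
    return report


def demo():
    """Constructed data: stand-in files, one altered after 'publication'."""
    published = {
        "redhat/7.3/updates-testing/i386/example-1.0-1.legacy.i386.rpm": b"constructed payload A\n",
        "redhat/7.3/updates-testing/SRPMS/example-1.0-1.legacy.src.rpm": b"constructed payload B\n",
        "redhat/9/updates-testing/i386/example-1.0-2.legacy.i386.rpm": b"constructed payload C\n",
    }
    # Flattened onto one line, the way the list can appear in a mail archive.
    notice = "(sha1sums) " + " ".join(
        hashlib.sha1(data).hexdigest() + " " + path
        for path, data in published.items()
    )
    with tempfile.TemporaryDirectory() as download_dir:
        def put(name, data):
            with open(os.path.join(download_dir, name), "wb") as fh:
                fh.write(data)

        put("example-1.0-1.legacy.i386.rpm", b"constructed payload A\n")         # intact
        put("example-1.0-1.legacy.src.rpm", b"constructed payload B, altered\n")  # modified
        put("stray-0.1-1.i386.rpm", b"not in the notification\n")                 # unlisted
        # example-1.0-2.legacy.i386.rpm is deliberately not downloaded.
        return verify_downloads(notice, download_dir)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(status.ljust(9), name)
```

A matching digest only shows that the file equals what the notification lists; whether the package really comes from Fedora Legacy still rests on the GPG signature that `rpm --checksig` verifies against the project key.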
From marcdeslauriers at videotron.ca Mon Jul 18 21:00:01 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Mon, 18 Jul 2005 17:00:01 -0400 Subject: Fedora Legacy Test Update Notification: gzip Message-ID: <42DC1851.60202@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-157696 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157696 2005-07-18 --------------------------------------------------------------------- Name : gzip Versions : rh73: gzip-1.3.3-1.1.legacy Versions : rh9: gzip-1.3.3-9.1.legacy Versions : fc1: gzip-1.3.3-11.1.legacy Versions : fc2: gzip-1.3.3-12.1.legacy Summary : The GNU data compression program. Description : The gzip package contains the popular GNU gzip data compression program. Gzipped files have a .gz extension. --------------------------------------------------------------------- Update Information: An updated gzip package is now available. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim, gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to this issue.
A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1228 to this issue. Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues. --------------------------------------------------------------------- Changelogs rh73: * Wed Jul 13 2005 Jeff Sheltren 1.3.3-1.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) rh9: * Wed Jul 13 2005 Jeff Sheltren 1.3.3-9.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) fc1: * Wed Jul 13 2005 Jeff Sheltren 1.3.3-11.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) fc2: * Wed Jul 13 2005 Jeff Sheltren 1.3.3-12.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
--------------------------------------------------------------------- Please test and comment in bugzilla. From gerry at pathtech.org Tue Jul 19 00:36:24 2005 From: gerry at pathtech.org (G. Roderick Singleton) Date: Mon, 18 Jul 2005 20:36:24 -0400 Subject: Is there a contrib repostitory? Message-ID: <1121733384.2972.69.camel@www.pathtech.org> I think I asked this a while ago and at the time the answer was no. However I have noticed activity in this direction and would like to know where I could submit sendmail-8.13.4 as an rpm for vetting. -- G. Roderick Singleton PATH tech From gerry at pathtech.org Tue Jul 19 00:38:07 2005 From: gerry at pathtech.org (G. Roderick Singleton) Date: Mon, 18 Jul 2005 20:38:07 -0400 Subject: Is there a contrib repostitory? In-Reply-To: <1121733384.2972.69.camel@www.pathtech.org> References: <1121733384.2972.69.camel@www.pathtech.org> Message-ID: <1121733488.2972.71.camel@www.pathtech.org> Oops, forgot to mention this is for RH7.3 On Mon, 2005-07-18 at 20:36 -0400, G. Roderick Singleton wrote: > I think I asked this a while ago and at the time the answer was no. > However I have noticed activity in this direction and would like to know > where I could submit sendmail-8.13.4 as an rpm for vetting. > -- G. Roderick Singleton PATH tech From rostetter at mail.utexas.edu Tue Jul 19 02:32:25 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Mon, 18 Jul 2005 21:32:25 -0500 Subject: Is there a contrib repostitory? In-Reply-To: <1121733384.2972.69.camel@www.pathtech.org> References: <1121733384.2972.69.camel@www.pathtech.org> Message-ID: <1121740345.2ccbbdbfbd0f1@mail.ph.utexas.edu> Quoting "G. Roderick Singleton" : > I think I asked this a while ago and at the time the answer was no.
> However I have noticed activity in this direction and would like to know > where I could submit sendmail-8.13.4 as an rpm for vetting. We don't provide hosting for packages, but if you have a way to post your packages for download then you can link to your package from the wiki page: http://www.fedoralegacy.org/wiki/index.php/UnserContributedPackages > -- > G. Roderick Singleton > PATH tech > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-legacy-list > -- Eric Rostetter From mic at npgx.com.au Tue Jul 19 05:35:29 2005 From: mic at npgx.com.au (Michael Mansour) Date: Tue, 19 Jul 2005 15:35:29 +1000 Subject: new perl rpm in contrib Message-ID: <20050719053049.M72617@npgx.com.au> Hi, I just noticed there's some new perl rpm's in the contrib directory. I'm new to this "contrib" area and only referenced it when I needed a perl update because of a prior exploitable perl version (thanks to the replier of my original post to that issue), but how does one know what's been updated in the latest perl RPM's: perl-5.8.3-18.1.legacy.i386.rpm perl-suidperl-5.8.3-18.1.legacy.i386.rpm etc and also, how does one know/get notified when new packages have been posted in the contrib area? Thanks. Michael. From marcdeslauriers at videotron.ca Tue Jul 19 23:39:03 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Tue, 19 Jul 2005 19:39:03 -0400 Subject: [UPDATED] Fedora Legacy Test Update Notification: gzip Message-ID: <42DD8F17.70905@videotron.ca> Packages were rebuilt to correct a missing texinfo BuildRequires.
--------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-157696 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157696 2005-07-19 --------------------------------------------------------------------- Name : gzip Versions : rh73: gzip-1.3.3-1.2.legacy Versions : rh9: gzip-1.3.3-9.2.legacy Versions : fc1: gzip-1.3.3-11.2.legacy Versions : fc2: gzip-1.3.3-12.2.legacy Summary : The GNU data compression program. Description : The gzip package contains the popular GNU gzip data compression program. Gzipped files have a .gz extension. --------------------------------------------------------------------- Update Information: An updated gzip package is now available. The gzip package contains the GNU gzip data compression program. A bug was found in the way zgrep processes file names. If a user can be tricked into running zgrep on a file with a carefully crafted file name, arbitrary commands could be executed as the user running zgrep. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0758 to this issue. A bug was found in the way gunzip modifies permissions of files being decompressed. A local attacker with write permissions in the directory in which a victim is decompressing a file could remove the file being written and replace it with a hard link to a different file owned by the victim, gunzip then gives the linked file the permissions of the uncompressed file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0988 to this issue. A directory traversal bug was found in the way gunzip processes the -N flag. If a victim decompresses a file with the -N flag, gunzip fails to sanitize the path which could result in a file owned by the victim being overwritten. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1228 to this issue. 
Users of gzip should upgrade to this updated package, which contains backported patches to correct these issues. --------------------------------------------------------------------- Changelogs rh73: * Tue Jul 19 2005 Marc Deslauriers 1.3.3-1.2.legacy - Added missing texinfo to BuildRequires * Wed Jul 13 2005 Jeff Sheltren 1.3.3-1.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) rh9: * Tue Jul 19 2005 Marc Deslauriers 1.3.3-9.2.legacy - Added missing texinfo BuildRequires * Wed Jul 13 2005 Jeff Sheltren 1.3.3-9.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) fc1: * Tue Jul 19 2005 Marc Deslauriers 1.3.3-11.2.legacy - Added missing texinfo BuildRequires * Wed Jul 13 2005 Jeff Sheltren 1.3.3-11.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) fc2: * Tue Jul 19 2005 Marc Deslauriers 1.3.3-12.2.legacy - Added missing texinfo BuildRequires * Wed Jul 13 2005 Jeff Sheltren 1.3.3-12.1.legacy - Patches for CAN 2005-0758, 2005-0988, 2005-1228 (#157696) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
--------------------------------------------------------------------- Please test and comment in bugzilla. From sheltren at cs.ucsb.edu Wed Jul 20 16:01:44 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Wed, 20 Jul 2005 09:01:44 -0700 Subject: Wiki Permissions Message-ID: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> I don't understand why there are no permissions set up for the Wiki. At this point, anyone can 'login' and edit the pages which is leaving all sorts of spam around. It'd be nice to have real accounts which can be granted access to edit pages - people could mail their username to the list to get it added to the edit group. -Jeff From jkeating at j2solutions.net Wed Jul 20 16:28:48 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 09:28:48 -0700 Subject: Wiki Permissions In-Reply-To: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> Message-ID: <1121876928.1063.0.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 09:01 -0700, Jeff Sheltren wrote: > I don't understand why there are no permissions set up for the Wiki. > At this point, anyone can 'login' and edit the pages which is leaving > all sorts of spam around. It'd be nice to have real accounts which > can be granted access to edit pages - people could mail their > username to the list to get it added to the edit group. > We are moving off the old wiki and joining the fedoraproject.org wiki space which as ACLs for allowing write access and such. Stay tuned. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful?
Let others know: http://svcs.affero.net/rm.php?r=jkeating From sheltren at cs.ucsb.edu Wed Jul 20 16:27:26 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Wed, 20 Jul 2005 09:27:26 -0700 Subject: Wiki Permissions In-Reply-To: <1121876928.1063.0.camel@prometheus.gamehouse.com> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> Message-ID: <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> On Jul 20, 2005, at 9:28 AM, Jesse Keating wrote: > > We are moving off the old wiki and joining the fedoraproject.org wiki > space which as ACLs for allowing write access and such. Stay tuned. > > -- Great! Anything I can do to help? -Jeff From jkeating at j2solutions.net Wed Jul 20 16:49:33 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 09:49:33 -0700 Subject: Wiki Permissions In-Reply-To: <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> Message-ID: <1121878173.1063.2.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 09:27 -0700, Jeff Sheltren wrote: > > Great! Anything I can do to help? When we get going, help w/ moving content and translating it to the new wiki format. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating From rostetter at mail.utexas.edu Wed Jul 20 17:40:00 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 12:40:00 -0500 Subject: Wiki Permissions In-Reply-To: <1121878173.1063.2.camel@prometheus.gamehouse.com> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> Message-ID: <1121881200.059d63da015cf@mail.ph.utexas.edu> Quoting Jesse Keating : > On Wed, 2005-07-20 at 09:27 -0700, Jeff Sheltren wrote: > > > > Great! Anything I can do to help? > > When we get going, help w/ moving content and translating it to the new > wiki format. There may, or may not, be issues with the newly created "User Contributed" packages page when we move. Someone may need to investigate what, if any, issues will be involved there. Basically find out what the policy is on the new wiki site as far as external links, pointing to things that have legality/patent/etc issues, etc. -- Eric Rostetter From sheltren at cs.ucsb.edu Wed Jul 20 18:02:32 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Wed, 20 Jul 2005 11:02:32 -0700 Subject: Wiki Permissions In-Reply-To: <1121881200.059d63da015cf@mail.ph.utexas.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> Message-ID: <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> On Jul 20, 2005, at 10:40 AM, Eric Rostetter wrote: > Quoting Jesse Keating : > > >> On Wed, 2005-07-20 at 09:27 -0700, Jeff Sheltren wrote: >> >>> >>> Great! Anything I can do to help? >>> >> >> When we get going, help w/ moving content and translating it to >> the new >> wiki format. 
>> > > There may, or may not, be issues with the newly created "User > Contributed" > packages page when we move. Someone may need to investigate what, > if any, > issues will be involved there. > > Basically find out what the policy is on the new wiki site as far > as external > links, pointing to things that have legality/patent/etc issues, etc. > > -- > Eric Rostetter > > Yeah - Seth, are you around and, if so, what are your feelings on external links from the wiki? On another note, perhaps Fedora Legacy needs to do some sort of review on packages that are submitted there? Eric, I noticed the current page is actually misspelled as: 'Unser Contributed Packages' (instead of User) - is that easy to move? Thanks, Jeff From jkeating at j2solutions.net Wed Jul 20 18:16:30 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 11:16:30 -0700 Subject: Wiki Permissions In-Reply-To: <1121881200.059d63da015cf@mail.ph.utexas.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> Message-ID: <1121883390.1063.5.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 12:40 -0500, Eric Rostetter wrote: > Basically find out what the policy is on the new wiki site as far as > external > links, pointing to things that have legality/patent/etc issues, etc. > We cannot point to anything that is legally questionable. Period. My thoughts on 'contrib' was space given for packages to fulfill current Legacy bugzilla items. Not 3rd party packages to extend/enhance and otherwise fall outside the spec of Fedora Legacy. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating From skvidal at phy.duke.edu Wed Jul 20 18:12:19 2005 From: skvidal at phy.duke.edu (seth vidal) Date: Wed, 20 Jul 2005 14:12:19 -0400 Subject: Wiki Permissions In-Reply-To: <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> Message-ID: <1121883139.9450.25.camel@cutter> On Wed, 2005-07-20 at 11:02 -0700, Jeff Sheltren wrote: > On Jul 20, 2005, at 10:40 AM, Eric Rostetter wrote: > > > Quoting Jesse Keating : > > > > > >> On Wed, 2005-07-20 at 09:27 -0700, Jeff Sheltren wrote: > >> > >>> > >>> Great! Anything I can do to help? > >>> > >> > >> When we get going, help w/ moving content and translating it to > >> the new > >> wiki format. > >> > > > > There may, or may not, be issues with the newly created "User > > Contributed" > > packages page when we move. Someone may need to investigate what, > > if any, > > issues will be involved there. > > > > Basically find out what the policy is on the new wiki site as far > > as external > > links, pointing to things that have legality/patent/etc issues, etc. > > > > -- > > Eric Rostetter > > > > > > Yeah - Seth, are you around and, if so, what are your feelings on > external links from the wiki? > > On another note, perhaps Fedora Legacy needs to do some sort of > review on packages that are submitted there? > > Eric, I noticed the current page is actually misspelled as: 'Unser > Contributed Packages' (instead of User) - is that easy to move? patent issues are right out from all things fedora afaict. why would even fedora legacy have patent-linked items? 
-sv From rostetter at mail.utexas.edu Wed Jul 20 18:28:32 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 13:28:32 -0500 Subject: Wiki Permissions In-Reply-To: <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> Message-ID: <1121884112.7d79ecc6b8c0e@mail.ph.utexas.edu> Quoting Jeff Sheltren : > On another note, perhaps Fedora Legacy needs to do some sort of > review on packages that are submitted there? That would only increase the legal burden on us... > Eric, I noticed the current page is actually misspelled as: 'Unser > Contributed Packages' (instead of User) - is that easy to move? Apparently not. The phpwiki admin page available does not have the rename plug-in, so I'm not sure how this would best be done. But thanks for pointing out how stupid I am that I can't even check my own spelling/typing for mistakes... 
;) > Thanks, > Jeff -- Eric Rostetter From rostetter at mail.utexas.edu Wed Jul 20 18:32:24 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 13:32:24 -0500 Subject: Wiki Permissions In-Reply-To: <1121883390.1063.5.camel@prometheus.gamehouse.com> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <1121883390.1063.5.camel@prometheus.gamehouse.com> Message-ID: <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> Quoting Jesse Keating : > On Wed, 2005-07-20 at 12:40 -0500, Eric Rostetter wrote: > > Basically find out what the policy is on the new wiki site as far as > > external > > links, pointing to things that have legality/patent/etc issues, etc. > > > > We cannot point to anything that is legally questionable. Period. My Correct. But we're not pointing, and we would remove anything there that we knew was an issue. Not sure if that qualifies though or not (removing anything put there, rather than restricting what is put there). > thoughts on 'contrib' was space given for packages to fulfill current > Legacy bugzilla items. Not 3rd party packages to extend/enhance and > otherwise fall outside the spec of Fedora Legacy. I don't see a need for what you are saying here. The only need I see is for packages which fall outside the spec of Fedora Legacy. I think we (I and others) made it pretty clear the page was for stuff outside of the FL scope. And your reply to it seemed to me to be taken in that spirit. If that isn't your intent, then please clarify.
-- Eric Rostetter From rostetter at mail.utexas.edu Wed Jul 20 18:38:24 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 13:38:24 -0500 Subject: Wiki Permissions In-Reply-To: <1121883139.9450.25.camel@cutter> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> <1121883139.9450.25.camel@cutter> Message-ID: <1121884704.1138325d68561@mail.ph.utexas.edu> Quoting seth vidal : > patent issues are right out from all things fedora afaict. From all their official sites yes, and I assume also from the wiki but I don't know. > why would even fedora legacy have patent-linked items? FL is not putting them there. They are user contributed links. We don't review them until after they are there, so we can't stop them (part of the wonders of wikis). So the question is two part: 1) Is it a problem that people might add bad content, even if we later find and remove it, etc. 2) Should we instead make them submit package links to us for review? Legally this adds additional burden on us. It also makes more work for those who already have too much work. 3) Should we just kill the page, since it *might* violate RH/FP policy if someone abuses it? We're not talking about the intended use of the page, we're talking about abuse, etc. Also, I'd have to remove the links to the repositories on there (ATrpms, etc) since they likely have questionable packages, etc. So we couldn't use it to point to other sources anymore, just to people's individual packages. If indeed we can even do that. What we need is a clear statement of policy on the wiki we're proposing to move to.
> -sv -- Eric Rostetter From jkeating at j2solutions.net Wed Jul 20 19:04:41 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 12:04:41 -0700 Subject: Wiki Permissions In-Reply-To: <1121884704.1138325d68561@mail.ph.utexas.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> <1121883139.9450.25.camel@cutter> <1121884704.1138325d68561@mail.ph.utexas.edu> Message-ID: <1121886281.1063.10.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 13:38 -0500, Eric Rostetter wrote: > FL is not putting them there. They are user contributed links. We don't > review them until after they are there, so we can't stop them (part of the > wonders of wikis). So the question is two part: With the new wiki, we have to approve people to write to our wiki space. This becomes much less of an issue. > 1) Is it is a problem that people might add bad content, even if we later > find and remove it, etc. If we remove it when we see it, shouldn't be a problem. We can 'subscribe' to the contrib page and see when changes are made via email so that we can log in and immediately remove the content and warn the user about what should go there instead. > 2) Should we instead make them submit package links to us for review? Legally > this adds additional burden on us. It also makes more work for those > who already have too much work. I'm still not happy w/ the whole idea of Contrib. Legacy isn't addon stuff. Legacy is security fixes for old releases. Add on packages for old releases is outside the scope of Legacy and I don't want to have anything to do with it. > 3) Should we just kill the page, since it *might* violate RH/FP policy if > someone abuses it? I vote kill it. 
> We're not talking about the intended use of the page, we're talking about > abuse, etc. > > Also, I'd have to remove the links to the repositories on their (ATrpms, > etc) since they likely have questionable packages, etc. So we couldn't > use it to point to other sources anymore, just to people's individual packages. > If indeed we can even do that. > > What we need is a clear statement of policy on the wiki we're proposing to > move to. Policy is simple. Don't link to anything that is legally questionable. In the Legacy space we shouldn't have to worry about that. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Wed Jul 20 19:07:30 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 12:07:30 -0700 Subject: Wiki Permissions In-Reply-To: <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <1121883390.1063.5.camel@prometheus.gamehouse.com> <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> Message-ID: <1121886450.1063.14.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 13:32 -0500, Eric Rostetter wrote: > I don't see a need for what you are saying here. The only need I see is > for packages which fall outside the spec of Fedora Legacy. > > I think we (I and others) made it pretty clear the page was for stuff > outside of the FL scope. And your reply to it seemed to me to be taken > in that spirit. If that isn't your intent, then please clarify. > Apparently I wasn't paying attention to the thread.
At one time, 'contrib' was talked about as a web space that folks who had none could put packages for bugzilla entries up. It was not for add-on 3rd party stuff for old releases. I must have been confused if/when I replied to a thread about add-on stuff, or I just wasn't paying attention. I apologize for that. We have 0 need for a page to link to add-on or 3rd party packages for older releases. We're here to fix security bugs in existing software, not add to it (with the exception of yum to get the updates) I'm sorry if I led the project into believing that this was OK. It is not, and the page should be removed. 3rd party add-ons can go somewhere else, they are not Legacy scope. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From rostetter at mail.utexas.edu Wed Jul 20 19:12:57 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 14:12:57 -0500 Subject: Wiki Permissions In-Reply-To: <1121886450.1063.14.camel@prometheus.gamehouse.com> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <1121883390.1063.5.camel@prometheus.gamehouse.com> <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> <1121886450.1063.14.camel@prometheus.gamehouse.com> Message-ID: <1121886777.2ecf502dabaf7@mail.ph.utexas.edu> Quoting Jesse Keating : > Apparently I wasn't paying attention to the thread. At one time, > 'contrib' was talked about as a web space that folks who had none could > put packages for bugzilla entries up. Personally, I'd rather see an ftp site for this. Better control, more universal and less prone to corruption, etc.
> We have 0 need for a page to link to add-on or 3rd party packages for > older releases. Well, if "We" == "The Fedora Legacy Project" then no, if "We" == "the people who use Fedora Legacy" then there is obviously a great demand for this, both from people who want to share their packages, and even more from people who want to find such packages. > We're here to fix security bugs in existing software, Unfortunately, since we consumed the older project which did provide add-ons and updates, people are still looking for that functionality. Now, why they can't find it in ATrpms et al. is another question. Maybe we could solve this problem by adding an FAQ entry which points to ATrpms, FreshRPMS, etc. and telling them to look there for that kind of support? > not add to it (with the exception of yum to get the updates) I'm sorry > if I led the project into believing that this was OK. It is not, and > the page should be removed. 3rd party add-ons can go somewhere else, > they are not Legacy scope. I've removed the link to the page (not sure how to remove the actual orphaned page, assume that will happen automatically or something). What about putting an FAQ entry pointing to sites which do provide updated packages for "legacy" os versions? Would that be okay, and if so, should I create it?
-- Eric Rostetter From jkeating at j2solutions.net Wed Jul 20 20:44:40 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 20 Jul 2005 13:44:40 -0700 Subject: Wiki Permissions In-Reply-To: <1121886777.2ecf502dabaf7@mail.ph.utexas.edu> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <1121883390.1063.5.camel@prometheus.gamehouse.com> <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> <1121886450.1063.14.camel@prometheus.gamehouse.com> <1121886777.2ecf502dabaf7@mail.ph.utexas.edu> Message-ID: <1121892280.1063.18.camel@prometheus.gamehouse.com> On Wed, 2005-07-20 at 14:12 -0500, Eric Rostetter wrote: > Personally, I'd rather see an ftp site for this. Better control, more > universal and less prone to corruption, etc. Yes, I need to come up w/ some sort of mechanism to generate random user/password combos for onetime uploading for this. > > We have 0 need for a page to link to add-on or 3rd party packages for > > older releases. > > Well, if "We" == "The Fedora Legacy Project" then no, if "We" == > "the people who use Fedora Legacy" then there is obviously a great > demand for this, both from people who want to share their packages, and > even more from people who want to find such packages. I'm speaking from the Fedora Legacy Project standpoint. > > We're here to fix security bugs in existing software, > > Unfortunately, since we consumed the older project which did provide add-ons > and updates, people are still looking for that functionality. Now, why > they can't find it in ATrpms et al. is another question. > > Maybe we could solve this problem by adding an FAQ entry which points to > ATrpms, FreshRPMS, etc. and telling them to look there for that kind of > support? We didn't consume any project...
Warren from Fedora.us assisted us in some initial setup and helped me with some logics on how to set things up, but we are our own project and have been since day one. I do not believe we can link to repos that have questionable content. Just not allowed. We can link to Fedora Extras as packages there are pre-vetted. Pretty much nowhere else though. > > not add to it (with the exception of yum to get the updates) I'm sorry > > if I led the project into believing that this was OK. It is not, and > > the page should be removed. 3rd party add-ons can go somewhere else, > > they are not Legacy scope. > > I've removed the link to the page (not sure how to remove the actual > orphaned page, assume that will happen automatically or something). > > What about putting an FAQ entry pointing to sites which do provide updated > packages for "legacy" os versions? Would that be okay, and if so, should > I create it? See above. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From sheltren at cs.ucsb.edu Wed Jul 20 20:46:04 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Wed, 20 Jul 2005 13:46:04 -0700 Subject: Wiki Permissions In-Reply-To: <1121883139.9450.25.camel@cutter> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> <1121883139.9450.25.camel@cutter> Message-ID: On Jul 20, 2005, at 11:12 AM, seth vidal wrote: > > patent issues are right out from all things fedora afaict. > > why would even fedora legacy have patent-linked items? > > -sv > > Sorry, perhaps my message didn't make sense. 
My point was, if we have a wiki page where people are posting package contributions (which apparently we won't have - see Jesse's replies to this thread), that we would probably need to keep an eye on what packages are getting posted in order to keep out things with patent/copyright issues. Since it appears the contrib page was not supposed to exist in the first place, this isn't really an issue :) -Jeff From rostetter at mail.utexas.edu Wed Jul 20 20:52:20 2005 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 20 Jul 2005 15:52:20 -0500 Subject: Wiki Permissions In-Reply-To: <1121892280.1063.18.camel@prometheus.gamehouse.com> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <1121883390.1063.5.camel@prometheus.gamehouse.com> <1121884344.0d2e448de4ba8@mail.ph.utexas.edu> <1121886450.1063.14.camel@prometheus.gamehouse.com> <1121886777.2ecf502dabaf7@mail.ph.utexas.edu> <1121892280.1063.18.camel@prometheus.gamehouse.com> Message-ID: <1121892740.4c13ee183b48e@mail.ph.utexas.edu> Quoting Jesse Keating : > We didn't consume any project... Warren from Fedora.us assisted us in > some initial setup and helped me with some logics on how to set things > up, but we are our own project and have been since day one. According to our docs at http://www.fedoralegacy.org/about/overview.php Where we say things like: "fedora.us will eventually become the Fedora Legacy project." and: "Extras will probably no longer exist at fedora.us for newer distributions after being merged into fedora.redhat.com Extras around FC2 time." One would kind of assume that The Fedora Project and The Fedora Legacy Project have or will be taking over fedora.us. If this isn't true, then we need to update those docs, which I've tried to do to no avail in the past. 
> I do not believe we can link to repos that have questionable content. > Just not allowed. We can link to Fedora Extras as packages there are > pre-vetted. Pretty much nowhere else though. Does this apply to the FL web site, or just to things hosted by the Fedora Project like the wiki? That is, are we going to create a policy for FL that is the same or similar to Red Hat's and the Fedora Project's policies? > > What about putting an FAQ entry pointing to sites which do provide updated > > packages for "legacy" os versions? Would that be okay, and if so, should > > I create it? > > See above. I'd rather you explicitly state your answer, for the archives. If this is policy, or is to be policy, we need a clear, unambiguous statement of it somewhere. -- Eric Rostetter From kelson at speed.net Wed Jul 20 21:59:59 2005 From: kelson at speed.net (Kelson) Date: Wed, 20 Jul 2005 14:59:59 -0700 Subject: Wiki Permissions In-Reply-To: <1121883139.9450.25.camel@cutter> References: <68336F56-70F4-4DFA-AA9B-1F99B5F17CE3@cs.ucsb.edu> <1121876928.1063.0.camel@prometheus.gamehouse.com> <973291B8-8507-49BD-A257-3F87F76B3342@cs.ucsb.edu> <1121878173.1063.2.camel@prometheus.gamehouse.com> <1121881200.059d63da015cf@mail.ph.utexas.edu> <70A9DF4C-8C23-4A8E-B157-B6D256355949@cs.ucsb.edu> <1121883139.9450.25.camel@cutter> Message-ID: <42DEC95F.8020807@speed.net> seth vidal wrote: > why would even fedora legacy have patent-linked items? Didn't Red Hat 7.3 still have an MP3-capable version of XMMS? If there were a security update for that, it might become an issue. -- Kelson Vibber SpeedGate Communications From gene.heskett at verizon.net Fri Jul 22 13:52:28 2005 From: gene.heskett at verizon.net (Gene Heskett) Date: Fri, 22 Jul 2005 09:52:28 -0400 Subject: fetchmail vs kmail Message-ID: <200507220952.28821.gene.heskett@verizon.net> Greetings; Due to a long standing bug in kmail that causes it to quit fetching new mail occasionally, I've been doing the fetch with fetchmail.
Is there any way I can tell kmail there is new mail so that both are not fighting over the /var/spool/mail/root file? I think there have been some instances where one or the other had a lock, and I'm missing an email from time to time. This is something that would be a piece of cake on my old now dead amiga, I'd just use arexx to send it a message, thereby achieving synch between the apps. Now in linux I think dcop is the tool, but no idea how to go about using it. There are no manpages for it. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) 99.35% setiathome rank, not too shabby for a WV hillbilly Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2005 by Maurice Eugene Heskett, all rights reserved. From warren at togami.com Sun Jul 24 02:28:00 2005 From: warren at togami.com (Warren Togami) Date: Sat, 23 Jul 2005 16:28:00 -1000 Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc) Message-ID: <42E2FCB0.6090800@togami.com> Hi, I am mirroring fedoralegacy FC2 into fedora.us's old apt repository. I noticed that legacy contains many old updates from FC2 that were long since superseded and erased in download.fedora.redhat.com. Can Legacy implement an automatic obsolete update purging script in order to help save space on the mirrors? download.fedora.redhat.com uses something like "purge if the update package is superseded by another update for 1 month". Even 2 months would be fine. This matters a lot more with the *many* updates of mozilla and openoffice.org happening in the past year. May I also suggest creating a category of packages where it is generally OK to upgrade the version because: 1) There is no ABI to break because it is a leaf-node package, like ethereal. 2) Nobody expects ABI compat, like ethereal. 3) Or ABI/API is maintained, like gaim-1.x or spamassassin-3.x.
Plugins built against gaim-1.0 are supposed to continue work with any future gaim-1.x. Fedora Legacy can save time and effort by simply following the newer Fedora Core releases on these packages when it is safe to upgrade versions. No review necessary, but perhaps some testing and ACK votes to push. Warren Togami wtogami at redhat.com From pekkas at netcore.fi Sun Jul 24 06:14:47 2005 From: pekkas at netcore.fi (Pekka Savola) Date: Sun, 24 Jul 2005 09:14:47 +0300 (EEST) Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc) In-Reply-To: <42E2FCB0.6090800@togami.com> References: <42E2FCB0.6090800@togami.com> Message-ID: On Sat, 23 Jul 2005, Warren Togami wrote: > May I also suggest creating a category of packages where it is generally OK > to upgrade the version because: > 1) There is no ABI to break because it is a leaf-node package, like ethereal. > 2) Nobody expects ABI compat, like ethereal. > 3) Or ABI/API is maintained, like gaim-1.x or spamassassin-3.x. Plugins > built against gaim-1.0 are supposed to continue work with any future > gaim-1.x. > > Fedora Legacy can save time and effort by simply following the newer Fedora > Core releases on these packages when it is safe to upgrade versions. No > review necessary, but perhaps some testing and ACK votes to push. Actually, whether or not it makes sense to upgrade or use a backport depends on whether a backported patch is already available. So far, for RHL73 and RHL9, we've had RHEL21 and RHEL3 patches which usually fit very well. In some cases, FC1 and FC2 likewise, but these may be trickier. I think there is significantly less need for testing for updates which only apply a backported patch (which has come through from RHEL QA process, or some equivalent QA). On the other hand, I do believe we don't have resources to create these backported patches ourselves. When such are not available, upgrading the package should be considered.
In particular I note that we should apply such a policy even more to the FC1 and FC2 packages. So, I think the good rules of thumb are: 1) if there is already QA'd patch backport, use that; 2) if not, consider upgrading the package to a version that: a) has easier access to already QA'd patches or b) has been maintained by official FC updates, so RPM versioning with upgrades (e.g., FC2 -> FC3) doesn't break. In considering whether to upgrade, the considerations you posted are likely useful to consider. IMHO, it's also useful to consider what other distros (RHEL in particular) have done. If they have upgraded, I don't see why we shouldn't either. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings From mattdm at mattdm.org Sun Jul 24 13:50:04 2005 From: mattdm at mattdm.org (Matthew Miller) Date: Sun, 24 Jul 2005 09:50:04 -0400 Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc) In-Reply-To: References: <42E2FCB0.6090800@togami.com> Message-ID: <20050724135004.GA1885@jadzia.bu.edu> On Sun, Jul 24, 2005 at 09:14:47AM +0300, Pekka Savola wrote: > So far, for RHL73 and RHL9, we've had RHEL21 and RHEL3 patches which > usually fit very well. In some cases, FC1 and FC2 likewise, but these > may be trickier. I think FC1 is the really hard one. FC2 is pretty similar to FC3, and therefore to RHEL4. > So, I think the good rules of thumb are: > 1) if there is already QA'd patch backport, use that; > 2) if not, consider upgrading the package to a version that: > a) has easier access to already QA'd patches or > b) has been maintained by official FC updates, so > RPM versioning with upgrades (e.g., FC2 -> FC3) doesn't > break. Sounds good to me. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> Current office temperature: 77 degrees Fahrenheit. 
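Rule 2(b) in Pekka Savola's message above depends on how RPM orders version-release strings: a rebuilt package in an older release must not sort above the build shipped in the next release. The following is an added illustration, not code from the thread or from Fedora Legacy: a simplified Python rendering of RPM's segment-wise comparison, run over the lvm and krb5 builds named in the FLSA:152842 and FLSA:154276 advisories further down this page plus one constructed rebase. The function names and the 1.4.0-1.legacy build are assumptions made for the example.

```python
import re

# Maximal runs of ASCII digits or ASCII letters; every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order two version or release strings segment by segment, as RPM does.

    Returns -1, 0 or 1. Simplified: the later '~' and '^' operators and
    trailing-separator corner cases are not handled.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x[0].isdigit(), y[0].isdigit()
        if x_num != y_num:
            # A numeric segment always sorts above an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            # Numbers compare by value: drop leading zeros, longer is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    # All shared segments equal: the string with segments left over is newer.
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.rpartition("-")
    if not version:  # no '-' present, so there is no release part
        version, release = rest, ""
    return int(epoch), version, release


def compare_evr(a, b):
    """Compare two epoch:version-release strings; returns -1, 0 or 1."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def upgrade_path_breaks(builds):
    """builds: [(release_name, evr), ...] ordered oldest release first.

    Returns the (older, newer) release pairs where the older release carries
    a higher EVR, so a distribution upgrade would not replace the package.
    """
    breaks = []
    for (old_name, old_evr), (new_name, new_evr) in zip(builds, builds[1:]):
        if compare_evr(old_evr, new_evr) > 0:
            breaks.append((old_name, new_name))
    return breaks


# Builds listed in the two advisories on this page, oldest release first.
LVM = [("Red Hat Linux 7.3", "1.0.3-4.1.legacy"),
       ("Red Hat Linux 9", "1.0.3-12.1.legacy"),
       ("Fedora Core 1", "1.0.3-13.1.legacy")]
KRB5 = [("Red Hat Linux 7.3", "1.2.4-16.1.legacy"),
        ("Red Hat Linux 9", "1.2.7-38.3.legacy"),
        ("Fedora Core 1", "1.3.4-5.3.legacy")]
# Constructed case: Red Hat Linux 9 rebased to a made-up newer upstream version
# instead of receiving a backported patch.
KRB5_REBASED = [KRB5[0], ("Red Hat Linux 9", "1.4.0-1.legacy"), KRB5[2]]

if __name__ == "__main__":
    for label, builds in (("lvm", LVM), ("krb5", KRB5), ("krb5 rebased", KRB5_REBASED)):
        print(label, upgrade_path_breaks(builds) or "upgrade path intact")
```

The lvm releases show why a plain string comparison is not enough: "4.1.legacy" sorts after "12.1.legacy" as text, but before it under RPM's rules.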
From marcdeslauriers at videotron.ca Sun Jul 24 14:16:27 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 24 Jul 2005 10:16:27 -0400 Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc) In-Reply-To: References: <42E2FCB0.6090800@togami.com> Message-ID: <1122214587.13657.10.camel@mdlinux> On Sun, 2005-07-24 at 09:14 +0300, Pekka Savola wrote: > On the other hand, I do believe we don't have resources to create > these backported patches ourselves. When such are not available, > upgrading the package should be considered. In particular I note that > we should apply such a policy even more to the FC1 and FC2 packages. > > So, I think the good rules of thumb are: > 1) if there is already QA'd patch backport, use that; > 2) if not, consider upgrading the package to a version that: > a) has easier access to already QA'd patches or > b) has been maintained by official FC updates, so > RPM versioning with upgrades (e.g., FC2 -> FC3) doesn't > break. I don't agree with this. It's a lot easier to backport a patch than to upgrade to a newer version and break a whole bunch of other stuff. (Of course, there are exceptions, like gaim, ethereal, etc.). Every time we've updated a version in the past, we've broken a lot more than when we've backported a patch. Marc.
From marcdeslauriers at videotron.ca Sun Jul 24 14:22:56 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 24 Jul 2005 10:22:56 -0400 Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc) In-Reply-To: <42E2FCB0.6090800@togami.com> References: <42E2FCB0.6090800@togami.com> Message-ID: <1122214976.13972.2.camel@mdlinux> On Sat, 2005-07-23 at 16:28 -1000, Warren Togami wrote: > May I also suggest creating a category of packages where it is generally > OK to upgrade the version because: > 1) There is no ABI to break because it is a leaf-node package, like > ethereal. > 2) Nobody expects ABI compat, like ethereal. > 3) Or ABI/API is maintained, like gaim-1.x or spamassassin-3.x. Plugins > built against gaim-1.0 are supposed to continue work with any future > gaim-1.x. > > Fedora Legacy can save time and effort by simply following the newer > Fedora Core releases on these packages when it is safe to upgrade > versions. No review necessary, but perhaps some testing and ACK votes > to push. That's pretty much what we do already...ethereal, spamassassin and gaim are pretty much rebuilt with the latest FC release... Although it would be great just to be able to rebuild the packages without meddling with them. Would you be willing to integrate some more options in the FC gaim spec file to target FL releases? Marc.
From marcdeslauriers at videotron.ca Sun Jul 24 14:53:21 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 24 Jul 2005 10:53:21 -0400 Subject: [FLSA-2005:154276] Updated krb5 packages fix security issues Message-ID: <42E3AB61.9060009@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated krb5 packages fix security issues Advisory ID: FLSA:154276 Issue date: 2005-07-24 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0523 CAN-2004-0642 CAN-2004-0643 CAN-2004-0644 CAN-2004-0772 CAN-2004-0971 CAN-2004-1189 CAN-2005-0468 CAN-2005-0469 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated Kerberos (krb5) packages that correct multiple security issues are now available. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Note that some of these issues have already been fixed in Fedora Core 1. Please refer to previous advisories for details. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Several buffer overflows were possible for all Kerberos versions up to and including 1.3.3 in the krb5_aname_to_localname library function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0523 to this issue. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.
A double-free bug was also found in the krb524 server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0772 to this issue. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. 
Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154276 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/krb5-1.2.4-16.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/krb5-devel-1.2.4-16.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/krb5-libs-1.2.4-16.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/krb5-server-1.2.4-16.1.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/krb5-workstation-1.2.4-16.1.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/krb5-1.2.7-38.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/krb5-devel-1.2.7-38.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/krb5-libs-1.2.7-38.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/krb5-server-1.2.7-38.3.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/krb5-workstation-1.2.7-38.3.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/krb5-1.3.4-5.3.legacy.src.rpm i386: 
http://download.fedoralegacy.org/fedora/1/updates/i386/krb5-devel-1.3.4-5.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/krb5-libs-1.3.4-5.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/krb5-server-1.3.4-5.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/krb5-workstation-1.3.4-5.3.legacy.i386.rpm 7. Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0971 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Sun Jul 24 14:54:03 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sun, 24 Jul 2005 10:54:03 -0400 Subject: [FLSA-2005:152842] Updated lvm package fixes security issue Message-ID: <42E3AB8B.6070804@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated lvm package fixes security issue Advisory ID: FLSA:152842 Issue date: 2005-07-24 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0972 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated lvm package that fixes a security flaw is now available. LVM is the Linux Logical Volume Manager utilities. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: A vulnerability has been reported in LVM, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to the "lvmcreate_initrd" script creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files on the system with the privileges of the user invoking the vulnerable script. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0972 to this issue. Users of lvm are advised to upgrade to this errata package, which contains a backported patch correcting this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated. Those RPMs
which are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152842

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lvm-1.0.3-4.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lvm-1.0.3-4.1.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lvm-1.0.3-12.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lvm-1.0.3-12.1.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/lvm-1.0.3-13.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/lvm-1.0.3-13.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

2f33b8e68c37dea86b0059275184d366a1bffddf
redhat/7.3/updates/i386/lvm-1.0.3-4.1.legacy.i386.rpm
a4d6f9581baf72a6facf9ae2184eddc5c22aa562
redhat/7.3/updates/SRPMS/lvm-1.0.3-4.1.legacy.src.rpm
3f66e70eef52374a49d9ab4dc87ec1ada14dec32
redhat/9/updates/i386/lvm-1.0.3-12.1.legacy.i386.rpm
3b852bbe5291bb43910920b51612b087bf8603aa
redhat/9/updates/SRPMS/lvm-1.0.3-12.1.legacy.src.rpm
9378ae503e4d43934813b93951160ed705f41cd3
fedora/1/updates/i386/lvm-1.0.3-13.1.legacy.i386.rpm
0d3176879d28e673fc18158d643870b1acf367fd
fedora/1/updates/SRPMS/lvm-1.0.3-13.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0972

9. Contact:

The Fedora Legacy security contact is . More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:

From gene.heskett at verizon.net Sun Jul 24 22:08:05 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 24 Jul 2005 18:08:05 -0400
Subject: RH7.3 system, gzip updated last night, now amanda fails
Message-ID: <200507241808.06021.gene.heskett@verizon.net>

when the backup profile does NOT call for gzip to be used... The
compressed entries in the disklist were done ok.

Anybody have an idea why?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

From jkeating at j2solutions.net Sun Jul 24 23:20:01 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Sun, 24 Jul 2005 16:20:01 -0700
Subject: RH7.3 system, gzip updated last night, now amanda fails
In-Reply-To: <200507241808.06021.gene.heskett@verizon.net>
References: <200507241808.06021.gene.heskett@verizon.net>
Message-ID: <1122247201.22455.0.camel@yoda.loki.me>

On Sun, 2005-07-24 at 18:08 -0400, Gene Heskett wrote:
> when the backup profile does NOT call for gzip to be used... The
> compressed entries in the disklist were done ok.
>
> Anybody have an idea why?

Hrm, there shouldn't have been any API changes... If you rebuild amanda
vs the new zlib-devel, will it work then?

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From gene.heskett at verizon.net Mon Jul 25 01:28:25 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 24 Jul 2005 21:28:25 -0400
Subject: RH7.3 system, gzip updated last night, now amanda fails
In-Reply-To: <1122247201.22455.0.camel@yoda.loki.me>
References: <200507241808.06021.gene.heskett@verizon.net>
 <1122247201.22455.0.camel@yoda.loki.me>
Message-ID: <200507242128.25785.gene.heskett@verizon.net>

On Sunday 24 July 2005 19:20, Jesse Keating wrote:
>On Sun, 2005-07-24 at 18:08 -0400, Gene Heskett wrote:
>> when the backup profile does NOT call for gzip to be used... The
>> compressed entries in the disklist were done ok.
>>
>> Anybody have an idea why?
>
>Hrm, there shouldn't have been any API changes... If you rebuild
> amanda vs the new zlib-devel, will it work then?
I can, the srcs are there, or I can move them over and have version
matching till the next amanda snapshot comes out, but the puzzle is
why the non-compressed backups failed, while the compressed ones
worked. Non-compressed tells me gzip isn't a factor. And, to top it
off, the normal printout of results amanda does for me, didn't print
until I investigated after getting an email from amcheck that there
appeared to be another instance of amdump running, or I needed to run
amcleanup. Since amdump, nor any of its slaves were running, I ran
the cleanup script, and then got the printout and the email telling
me what had failed.

Me confused, and goes off to wait till tonights run & see if it
repeats.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

From jkeating at j2solutions.net Mon Jul 25 02:30:20 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Sun, 24 Jul 2005 19:30:20 -0700
Subject: RH7.3 system, gzip updated last night, now amanda fails
In-Reply-To: <200507242128.25785.gene.heskett@verizon.net>
References: <200507241808.06021.gene.heskett@verizon.net>
 <1122247201.22455.0.camel@yoda.loki.me>
 <200507242128.25785.gene.heskett@verizon.net>
Message-ID: <1122258620.22455.2.camel@yoda.loki.me>

On Sun, 2005-07-24 at 21:28 -0400, Gene Heskett wrote:
> I can, the srcs are there, or I can move them over and have version
> matching till the next amanda snapshot comes out, but the puzzle is
> why the non-compressed backups failed, while the compressed ones
> worked. Non-compressed tells me gzip isn't a factor.
> And, to top it
> off, the normal printout of results amanda does for me, didn't print
> until I investigated after getting an email from amcheck that there
> appeared to be another instance of amdump running, or I needed to run
> amcleanup. Since amdump, nor any of its slaves were running, I ran
> the cleanup script, and then got the printout and the email telling
> me what had failed.
>
> Me confused, and goes off to wait till tonights run & see if it
> repeats.

Oh whoops. I thought you said non-compressed worked and compressed
didn't. My bad. See what happens tonight.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From pekkas at netcore.fi Mon Jul 25 07:37:05 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 25 Jul 2005 10:37:05 +0300 (EEST)
Subject: Mozilla update: jvm plugin broke?
Message-ID:

Hi,

I just noticed that after updating the fedora legacy update, java
plugin (j2re-1.4.2) broke ("Help" -> "About Plugins" doesn't list it).

In /usr/lib/mozilla/plugins/, I previously had:

libjavaplugin_oji.so ->
../../../java/j2re1.4.2_08/plugin/i386/ns610-gcc32/libjavaplugin_oji.so

.. It started working again when I replaced the symlink to the
non-gcc32 version of the plugin.

Did anyone else notice something like this?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From gene.heskett at verizon.net Mon Jul 25 12:25:50 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Mon, 25 Jul 2005 08:25:50 -0400
Subject: RH7.3 system, gzip updated last night, now amanda fails
In-Reply-To: <1122258620.22455.2.camel@yoda.loki.me>
References: <200507241808.06021.gene.heskett@verizon.net>
 <200507242128.25785.gene.heskett@verizon.net>
 <1122258620.22455.2.camel@yoda.loki.me>
Message-ID: <200507250825.50350.gene.heskett@verizon.net>

On Sunday 24 July 2005 22:30, Jesse Keating wrote:
>On Sun, 2005-07-24 at 21:28 -0400, Gene Heskett wrote:
>> I can, the srcs are there, or I can move them over and have
>> version matching till the next amanda snapshot comes out, but the
>> puzzle is why the non-compressed backups failed, while the
>> compressed ones worked. Non-compressed tells me gzip isn't a
>> factor. And, to top it off, the normal printout of results amanda
>> does for me, didn't print until I investigated after getting an
>> email from amcheck that there appeared to be another instance of
>> amdump running, or I needed to run amcleanup. Since amdump, nor
>> any of its slaves were running, I ran the cleanup script, and then
>> got the printout and the email telling me what had failed.
>>
>> Me confused, and goes off to wait till tonights run & see if it
>> repeats.
>
>Oh whoops. I thought you said non-compressed worked and compressed
>didn't. My bad. See what happens tonight.

And I just looked at the emailed report, and the printout, and
everything worked just fine last night. I don't *think* it was a case
of PEBKAC, but thats first time in many moons that its missfired since
I went to virtual tapes on a big hard drive. That yum update did not
take place while amanda was running.

I suppose the next time it happens, I will have forgotten about
waiting for the other shoe to drop. Isn't there a Murphy's Law
corollary about that?
:-)

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

From warren at togami.com Mon Jul 25 12:25:58 2005
From: warren at togami.com (Warren Togami)
Date: Mon, 25 Jul 2005 02:25:58 -1000
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <1122214976.13972.2.camel@mdlinux>
References: <42E2FCB0.6090800@togami.com> <1122214976.13972.2.camel@mdlinux>
Message-ID: <42E4DA56.8070705@togami.com>

Marc Deslauriers wrote:
>>
>>Fedora Legacy can save time and effort by simply following the newer
>>Fedora Core releases on these packages when it is safe to upgrade
>>versions. No review necessary, but perhaps some testing and ACK votes
>>to push.
>
>
> That's pretty much what we do already...ethereal, spamassassin and gaim
> are pretty much rebuilt with the latest FC release...
>
> Although it would be great just to be able to rebuild the packages
> without meddling with them. Would you be willing to integrate some more
> options in the FC gaim spec file to target FL releases?
>

You mean the existing options don't work?

# OPTION: perl integration (FC1+)
%define perl_integration 1
# OPTION: krb5 for Zephyr protocol (FC1+)
%define krb_integration 1
# OPTION: gtkspell integration (FC1+)
%define gtkspell_integration 1
# OPTION: Preferred Applications with gnome-open (FC1+)
%define gnome_open_integration 1
# OPTION: Evolution 1.5+ integration (FC3+)
%define evolution_integration 1
# OPTION: SILC integration (FC3+)
%define silc_integration 1

Just flip the booleans. This spec should theoretically work with RH9+
with everything zero, FC1+ with the first four options one, and FC3+
with all options one.
(FC1's gnome-open was broken due to broken default config tools and
gconf schedule, so you might want to turn that off if Legacy hasn't
backported my control-center and gnome-vfs2 schema patch from FC2 like I
suggested a while ago. Probably not worth it now though, because this
does nothing to help existing user profiles.)

Warren Togami
wtogami at redhat.com

From warren at togami.com Mon Jul 25 12:29:14 2005
From: warren at togami.com (Warren Togami)
Date: Mon, 25 Jul 2005 02:29:14 -1000
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <1122214587.13657.10.camel@mdlinux>
References: <42E2FCB0.6090800@togami.com> <1122214587.13657.10.camel@mdlinux>
Message-ID: <42E4DB1A.1080709@togami.com>

Marc Deslauriers wrote:
> On Sun, 2005-07-24 at 09:14 +0300, Pekka Savola wrote:
>
>>On the other hand, I do believe we don't have resources to create
>>these backported patches ourselves. When such are not available,
>>upgrading the package should be considered. In particular I note that
>>we should apply such a policy even more to the FC1 and FC2 packages.
>>
>>So, I think the good rules of thumb are:
>>  1) if there is already QA'd patch backport, use that;
>>  2) if not, consider upgrading the package to a version that:
>>     a) has easier access to already QA'd patches or
>>     b) has been maintained by official FC updates, so
>>        RPM versioning with upgrades (e.g., FC2 -> FC3) doesn't
>>        break.
>
>
> I don't agree with this. It's a lot easier to backport a patch than to
> upgrade to a newer version and break a whole bunch of other stuff. (Of
> course, there are exceptions, like gaim, ethereal, etc.).
>
> Everytime we've updated a version in the past, we've broken a lot more
> than when we've backported a patch.

Yes, this is why I didn't suggest changing Legacy policy for the
majority of cases, but rather the rare cases like gaim and ethereal
where nothing else depends on it, or it maintains a forward compatible
ABI.
It is simply a waste of time to backport patches to these programs
when they have their weekly security hole when nobody cares about their
version.

(Note that gaim upgrading is only an option for RH9+.)

Warren Togami
wtogami at redhat.com

From jkosin at beta.intcomgrp.com Mon Jul 25 18:27:55 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Mon, 25 Jul 2005 14:27:55 -0400
Subject: Unsupported Updates..
Message-ID: <42E52F2B.5020608@beta.intcomgrp.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Everyone,

ClamAV updates to version 0.86.2
- -------------
I've updated my clamav packages to reflect the current version 0.86.2
of clamav released Monday... !!! Wow, I actually had a fast turn
around on the package.

AutoMake update to version 1.9.6
- --------------
I've been upgrading to the latest versions for all the make utilities
in hopes of finding the problem with gcc and the gnatlib-shared build
for gcc.

Make update to 3.80
- --------------
I've applied one of the three patches. The other two patches are
there. the second one has already been applied upstream and the third
patch I'm holding off on, since it looks like the module itself has
been re-written. I may be applying the third patch again in the
future. Seems to effect error reporting when a system error has occured.

GCC 3.3.6
- ---------------
I'm close on this... I've got the problem narrowed down. I've got
some major testing afterwards on this one; since, it will probably
effect all the major libraries.

James Kosin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC5S8rkNLDmnu1kSkRAvzVAJ9qnP1Xl02oSukRbrFumyOq3A/dfQCeO0dp
NyPpAV+J1m1iwC2y/O0kSPw=
=ICJx
-----END PGP SIGNATURE-----

From marcdeslauriers at videotron.ca Mon Jul 25 19:18:55 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 25 Jul 2005 15:18:55 -0400
Subject: Mozilla update: jvm plugin broke?
In-Reply-To:
References:
Message-ID: <1122319135.30551.10.camel@mdlinux>

On Mon, 2005-07-25 at 10:37 +0300, Pekka Savola wrote:
> .. It started working again when I replaced the symlink to the
> non-gcc32 version of the plugin.
>
> Did anyone else notice something like this?
>

On what OS?

Marc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From marcdeslauriers at videotron.ca Mon Jul 25 19:24:21 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 25 Jul 2005 15:24:21 -0400
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <42E4DA56.8070705@togami.com>
References: <42E2FCB0.6090800@togami.com> <1122214976.13972.2.camel@mdlinux>
 <42E4DA56.8070705@togami.com>
Message-ID: <1122319461.30551.16.camel@mdlinux>

On Mon, 2005-07-25 at 02:25 -1000, Warren Togami wrote:
> You mean the existing options don't work?
>
> # OPTION: perl integration (FC1+)
> %define perl_integration 1
> # OPTION: krb5 for Zephyr protocol (FC1+)
> %define krb_integration 1
> # OPTION: gtkspell integration (FC1+)
> %define gtkspell_integration 1
> # OPTION: Preferred Applications with gnome-open (FC1+)
> %define gnome_open_integration 1
> # OPTION: Evolution 1.5+ integration (FC3+)
> %define evolution_integration 1
> # OPTION: SILC integration (FC3+)
> %define silc_integration 1
>
> Just flip the booleans. This spec should theoretically work with RH9+
> with everything zero, FC1+ with the first four options one, and FC3+
> with all options one.

There are a couple of more issues with older releases...off the top of
my head: rh73 and rh9 need an explicit perl path for the perl plugin to
be built correctly, rh73 can't ship with the system tray icon, etc.

I usually build FC1+ by flipping the booleans.

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From marcdeslauriers at videotron.ca Mon Jul 25 19:26:47 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 25 Jul 2005 15:26:47 -0400
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <42E4DB1A.1080709@togami.com>
References: <42E2FCB0.6090800@togami.com> <1122214587.13657.10.camel@mdlinux>
 <42E4DB1A.1080709@togami.com>
Message-ID: <1122319607.30551.20.camel@mdlinux>

On Mon, 2005-07-25 at 02:29 -1000, Warren Togami wrote:
> Marc Deslauriers wrote:
> >>So, I think the good rules of thumb are:
> >>  1) if there is already QA'd patch backport, use that;
> >>  2) if not, consider upgrading the package to a version that:
> >>     a) has easier access to already QA'd patches or
> >>     b) has been maintained by official FC updates, so
> >>        RPM versioning with upgrades (e.g., FC2 -> FC3) doesn't
> >>        break.
> >
> >
> > I don't agree with this. It's a lot easier to backport a patch than to
> > upgrade to a newer version and break a whole bunch of other stuff. (Of
> > course, there are exceptions, like gaim, ethereal, etc.).
> >
> > Everytime we've updated a version in the past, we've broken a lot more
> > than when we've backported a patch.
>
> Yes, this is why I didn't suggest changing Legacy policy for the
> majority of cases, but rather the rare cases like gaim and ethereal
> where nothing else depends on it, or it maintains a forward compatible
> ABI. It is simply a waste of time to backport patches to these programs
> when they have their weekly security hole when nobody cares about their
> version.

I agree. I usually just rebuild the FC packages for those...

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From pekkas at netcore.fi Mon Jul 25 20:05:54 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 25 Jul 2005 23:05:54 +0300 (EEST)
Subject: Mozilla update: jvm plugin broke?
In-Reply-To: <1122319135.30551.10.camel@mdlinux>
References: <1122319135.30551.10.camel@mdlinux>
Message-ID:

On Mon, 25 Jul 2005, Marc Deslauriers wrote:
> On Mon, 2005-07-25 at 10:37 +0300, Pekka Savola wrote:
>> .. It started working again when I replaced the symlink to the
>> non-gcc32 version of the plugin.
>>
>> Did anyone else notice something like this?
>
> On what OS?

Sorry, I said have said this before. RHL9.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From warren at togami.com Mon Jul 25 20:29:34 2005
From: warren at togami.com (Warren Togami)
Date: Mon, 25 Jul 2005 10:29:34 -1000
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <1122319461.30551.16.camel@mdlinux>
References: <42E2FCB0.6090800@togami.com> <1122214976.13972.2.camel@mdlinux>
 <42E4DA56.8070705@togami.com> <1122319461.30551.16.camel@mdlinux>
Message-ID: <42E54BAE.30109@togami.com>

Marc Deslauriers wrote:
> On Mon, 2005-07-25 at 02:25 -1000, Warren Togami wrote:
>
>>You mean the existing options don't work?
>>
>># OPTION: perl integration (FC1+)
>>%define perl_integration 1
>># OPTION: krb5 for Zephyr protocol (FC1+)
>>%define krb_integration 1
>># OPTION: gtkspell integration (FC1+)
>>%define gtkspell_integration 1
>># OPTION: Preferred Applications with gnome-open (FC1+)
>>%define gnome_open_integration 1
>># OPTION: Evolution 1.5+ integration (FC3+)
>>%define evolution_integration 1
>># OPTION: SILC integration (FC3+)
>>%define silc_integration 1
>>
>>Just flip the booleans.
>>This spec should theoretically work with RH9+
>>with everything zero, FC1+ with the first four options one, and FC3+
>>with all options one.
>
>
> There are a couple of more issues with older releases...off the top of
> my head: rh73 and rh9 need an explicit perl path for the perl plugin to
> be built correctly, rh73 can't ship with the system tray icon, etc.
>
> I usually build FC1+ by flipping the booleans.
>

rh73 has a working gtk2 for gaim-1.x?

If you can give me details about the perl path for RH73 and RH9, I can
improve the default gaim.spec. I just never bothered to do so for the
past year because the upstream perl plugin has been broken and unsable
for a long time, so nobody would miss it being gone anyway.

(Upstream gaim is in the process of fixing the perl plugin now, one of
their Google Summer of Code projects.)

Warren Togami
wtogami at redhat.com

From marcdeslauriers at videotron.ca Tue Jul 26 03:04:08 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 25 Jul 2005 23:04:08 -0400
Subject: Mozilla update: jvm plugin broke?
In-Reply-To:
References: <1122319135.30551.10.camel@mdlinux>
Message-ID: <1122347048.6017.3.camel@mdlinux>

On Mon, 2005-07-25 at 23:05 +0300, Pekka Savola wrote:
> On Mon, 25 Jul 2005, Marc Deslauriers wrote:
> > On Mon, 2005-07-25 at 10:37 +0300, Pekka Savola wrote:
> >> .. It started working again when I replaced the symlink to the
> >> non-gcc32 version of the plugin.
> >>
> >> Did anyone else notice something like this?
> >
> > On what OS?
>
> Sorry, I said have said this before. RHL9.
>

That's weird. Mozilla on RHL9 has always been built with gcc 2.96. I am
surprised you actually got it working with the gcc32 version of java...

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From marcdeslauriers at videotron.ca Tue Jul 26 03:11:27 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 25 Jul 2005 23:11:27 -0400
Subject: Some Suggestions (Mirror Space, gaim, ethereal, etc)
In-Reply-To: <42E54BAE.30109@togami.com>
References: <42E2FCB0.6090800@togami.com> <1122214976.13972.2.camel@mdlinux>
 <42E4DA56.8070705@togami.com> <1122319461.30551.16.camel@mdlinux>
 <42E54BAE.30109@togami.com>
Message-ID: <1122347487.6017.11.camel@mdlinux>

On Mon, 2005-07-25 at 10:29 -1000, Warren Togami wrote:
> rh73 has a working gtk2 for gaim-1.x?
>

Yep, it seems to be working enough for gaim. I did basic testing of it a
while back and nobody has complained about the 3-4 releases so far.

> If you can give me details about the perl path for RH73 and RH9, I can
> improve the default gaim.spec. I just never bothered to do so for the
> past year because the upstream perl plugin has been broken and unsable
> for a long time, so nobody would miss it being gone anyway.

Curiously, people noticed it was missing from rh7.3 and rh9 for a while.
I guess they didn't actually try to use it. :)

Thanks for the offer. Next time I build gaim for FL, I'll check what I
did to the spec file.

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From pekkas at netcore.fi Tue Jul 26 05:20:11 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 26 Jul 2005 08:20:11 +0300 (EEST)
Subject: Mozilla update: jvm plugin broke?
In-Reply-To: <1122347048.6017.3.camel@mdlinux>
References: <1122319135.30551.10.camel@mdlinux>
 <1122347048.6017.3.camel@mdlinux>
Message-ID:

On Mon, 25 Jul 2005, Marc Deslauriers wrote:
> On Mon, 2005-07-25 at 23:05 +0300, Pekka Savola wrote:
>> On Mon, 25 Jul 2005, Marc Deslauriers wrote:
>>> On Mon, 2005-07-25 at 10:37 +0300, Pekka Savola wrote:
>>>> .. It started working again when I replaced the symlink to the
>>>> non-gcc32 version of the plugin.
>>>>
>>>> Did anyone else notice something like this?
>>>
>>> On what OS?
>>
>> Sorry, I said have said this before. RHL9.
>
> That's weird. Mozilla on RHL9 has always been built with gcc 2.96. I am
> surprised you actually got it working with the gcc32 version of java...

OK, it must be an issue at our end -- we had rebuilt the previous
mozilla version locally, and I guess that had been done with gcc
3.2.2...

I'm a bit surprised why it's built with gcc 2.96 though, as RHL9 ships
with gcc-3.2.2..

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From warren at togami.com Tue Jul 26 05:25:06 2005
From: warren at togami.com (Warren Togami)
Date: Mon, 25 Jul 2005 19:25:06 -1000
Subject: clamav for RH9, FC1, FC2
Message-ID: <42E5C932.8080309@togami.com>

http://download.fedora.us/pending/redhat/9/i386/RPMS.stable/
http://download.fedora.us/pending/fedora/1/i386/RPMS.stable/
http://download.fedora.us/pending/fedora/2/i386/RPMS.stable/

fedora.us Extras security updates of clamav need testing. This is the
same as the package in fedora.redhat.com Extras for FC3, FC4 and FC5.

Warren Togami
wtogami at redhat.com

From jkeating at j2solutions.net Tue Jul 26 05:31:07 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Mon, 25 Jul 2005 22:31:07 -0700
Subject: Mozilla update: jvm plugin broke?
In-Reply-To:
References: <1122319135.30551.10.camel@mdlinux>
 <1122347048.6017.3.camel@mdlinux>
Message-ID: <1122355867.3353.0.camel@yoda.loki.me>

On Tue, 2005-07-26 at 08:20 +0300, Pekka Savola wrote:
> OK, it must be an issue at our end -- we had rebuilt the previous
> mozilla version locally, and I guess that had been done with gcc
> 3.2.2...
>
> I'm a bit surprised why it's built with gcc 2.96 though, as RHL9
> ships
> with gcc-3.2.2..

RHL9 was all built using gcc 2.96. I do recall gcc3 being shipped w/
RHL9 as an optional newer compiler, but the distro itself is 2.96
compiled.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From peak at argo.troja.mff.cuni.cz Tue Jul 26 09:45:36 2005
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Date: Tue, 26 Jul 2005 11:45:36 +0200 (MET DST)
Subject: Mozilla update: jvm plugin broke?
In-Reply-To: <1122355867.3353.0.camel@yoda.loki.me>
Message-ID: <20050726111533.241D.0@argo.troja.mff.cuni.cz>

On Mon, 25 Jul 2005, Jesse Keating wrote:

> RHL9 was all built using gcc 2.96. I do recall gcc3 being shipped w/
> RHL9 as an optional newer compiler, but the distro itself is 2.96
> compiled.

Was/is it?
$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
$ grep -l GCC: /usr/lib/*.a | while read f; do strings -a $f | grep GCC: | head -1; done | sort | uniq -c
     26 GCC: (GNU) 3.2.1 20021207 (Red Hat Linux 8.0 3.2.1-2)
      2 GCC: (GNU) 3.2.1 20030127 (Red Hat Linux 8.0 3.2.1-5)
      9 GCC: (GNU) 3.2.1 20030127 (Red Hat Linux 8.0 3.2.1-6)
     24 GCC: (GNU) 3.2.1 20030202 (Red Hat Linux 8.0 3.2.1-7)
      2 GCC: (GNU) 3.2.2 20030213 (Red Hat Linux 8.0 3.2.2-1)
      1 GCC: (GNU) 3.2.2 20030217 (Red Hat Linux 8.0 3.2.2-2)
     10 GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-4)
     11 GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)

It appears to be a little chaotic but it is obvious a large part of the
distro is compiled with various RH variants of GCC 3.2.x.

Moreover, I can't find anything like RH GCC 2.96 in the original distro:

$ lftp ftp.redhat.com
lftp ftp.redhat.com:/pub/redhat> cd /pub/redhat/linux/9/en/os/i386/RedHat/RPMS/
cd ok, cwd=/pub/redhat/linux/9/en/os/i386/RedHat/RPMS
lftp ftp.redhat.com:/pub/redhat/linux/9/en/os/i386/RedHat/RPMS> ls gcc*
-rw-r--r-- 1 ftpadm ftpadm 4518355 Feb 25 2003 gcc-3.2.2-5.i386.rpm
-rw-r--r-- 1 ftpadm ftpadm 1902283 Feb 25 2003 gcc-c++-3.2.2-5.i386.rpm
-rw-r--r-- 1 ftpadm ftpadm 1854834 Feb 25 2003 gcc-g77-3.2.2-5.i386.rpm
-rw-r--r-- 1 ftpadm ftpadm 5867574 Feb 25 2003 gcc-gnat-3.2.2-5.i386.rpm
-rw-r--r-- 1 ftpadm ftpadm 1526204 Feb 25 2003 gcc-java-3.2.2-5.i386.rpm
-rw-r--r-- 1 ftpadm ftpadm 1299772 Feb 25 2003 gcc-objc-3.2.2-5.i386.rpm

On the other hand, both their original Mozilla package
(mozilla-1.2.1-26.i386.rpm) and the latest RH update
(mozilla-1.4.2-0.9.0.i386.rpm) appear to be built with RH GCC 2.96
because they require libstdc++-libc6.2-2.so.3 rather than
libstdc++.so.5. (Unfortunately, I can't find any GCC tag in Mozilla
packages. There are no static libraries there.)

This is a great mystery.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
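The two checks used in the message above (reading the GCC tag embedded in an object file, and inferring the C++ runtime generation from a binary's libstdc++ dependency), as an added example that is not part of the original post. The function names are hypothetical, and the mapping of the ns610 and ns610-gcc32 plugin directories to compiler generations is an assumption taken from their names.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the NEEDED sonames of an ELF file, one per line (needs binutils).
needed_sonames() {
    objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
}

# Read sonames on stdin and name the C++ runtime generation they imply.
# libstdc++-libc6.2-2.so.3 is the GCC 2.96 runtime, libstdc++.so.5 the
# GCC 3.2 one; a file that links both is reported as "mixed".
abi_of_sonames() {
    old=0 new=0
    while read -r soname || [ -n "$soname" ]; do
        case "$soname" in
            libstdc++-libc6.2-2.so.3) old=1 ;;
            libstdc++.so.5)           new=1 ;;
        esac
    done
    case "$old$new" in
        10) echo gcc2.96 ;;
        01) echo gcc3.2 ;;
        11) echo mixed ;;
        *)  echo none ;;
    esac
}

# Extract the compiler version from one "GCC: (GNU) x.y.z ..." tag line,
# the string the thread's pipeline greps out of each static library.
gcc_version_of_tag() {
    printf '%s\n' "$1" | sed -n 's/^GCC: (GNU) \([0-9][0-9.]*\).*/\1/p'
}

# Java plugin directory whose ABI matches the browser. Assumption: ns610
# is the pre-3.2 build and ns610-gcc32 the GCC 3.2 build.
plugin_dir_for() {
    case "$1" in
        gcc2.96) echo ns610 ;;
        gcc3.2)  echo ns610-gcc32 ;;
        *)       return 1 ;;
    esac
}

# Compare browser and plugin ABIs: ok, mismatch, or unknown when either
# side shows no single libstdc++ dependency to judge by.
check_pair() {
    if [ "$1" = none ] || [ "$2" = none ] ||
       [ "$1" = mixed ] || [ "$2" = mixed ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Usage: sh abi-check.sh /path/to/browser-binary /path/to/libjavaplugin_oji.so
if [ "$#" -eq 2 ]; then
    b=$(needed_sonames "$1" | abi_of_sonames)
    p=$(needed_sonames "$2" | abi_of_sonames)
    echo "browser=$b plugin=$p result=$(check_pair "$b" "$p")"
fi
```

A result of "unknown" means neither check settles the question, for example when the C++ runtime is linked statically.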
From marcdeslauriers at videotron.ca Tue Jul 26 12:10:46 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 26 Jul 2005 08:10:46 -0400
Subject: Mozilla update: jvm plugin broke?
In-Reply-To:
References: <1122319135.30551.10.camel@mdlinux>
 <1122347048.6017.3.camel@mdlinux>
Message-ID: <1122379846.11413.7.camel@mdlinux>

On Tue, 2005-07-26 at 08:20 +0300, Pekka Savola wrote:
> I'm a bit surprised why it's built with gcc 2.96 though, as RHL9 ships
> with gcc-3.2.2..
>

When rh9 came out, java didn't have a gcc3 version. Mozilla was
specifically compiled with gcc 2.96 to cope with binary plugins that
used the older gcc.

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:

From marcdeslauriers at videotron.ca Tue Jul 26 12:13:56 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 26 Jul 2005 08:13:56 -0400
Subject: Mozilla update: jvm plugin broke?
In-Reply-To: <1122355867.3353.0.camel@yoda.loki.me>
References: <1122319135.30551.10.camel@mdlinux>
 <1122347048.6017.3.camel@mdlinux> <1122355867.3353.0.camel@yoda.loki.me>
Message-ID: <1122380036.11413.10.camel@mdlinux>

On Mon, 2005-07-25 at 22:31 -0700, Jesse Keating wrote:
> RHL9 was all built using gcc 2.96. I do recall gcc3 being shipped w/
> RHL9 as an optional newer compiler, but the distro itself is 2.96
> compiled.
>

3.2.2 is the default gcc on rh9. A compat 2.96 package was shipped to
compile, IIRC, the kernel and mozilla. Maybe OpenOffice.org too.

Marc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From jkosin at beta.intcomgrp.com Tue Jul 26 14:49:40 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Tue, 26 Jul 2005 10:49:40 -0400 Subject: [FC1] ClamAV 0.86.2 Unsupported Update Message-ID: <42E64D84.6000203@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Everyone, I've had to fix my packages for clamav. This only effects clamav-milter and anyone using clamav to scan their emails. Apparently, a recent change has caused problems with clamav-milter to complain about --timeout being specified without --external being specified. The only change is in the /etc/sysconfig/clamav-milter file to add the - --timeout=0 option to the list, until this is fixed. I'm also emailing the development team with my findings on this. ClamAV 0.86.2-2.fc1 - ------------------------ http://support.intcomgrp.com/mirror/fedora-core/beta/i386 Package area http://support.intcomgrp.com/mirror/fedora-core/beta/src Package source area GCC Update - -------------- Not as close as I'd like it to be. I got past one problem and another problem has shown up. Now in building c++flint James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC5k16kNLDmnu1kSkRAt4lAJ9NAHDUIGoBD8TrqF1/AdVeyFi8nwCfZYrn /KJJLx70yqgWJUkgmNPFYIU= =tyrQ -----END PGP SIGNATURE----- From jkeating at j2solutions.net Tue Jul 26 15:13:18 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Tue, 26 Jul 2005 08:13:18 -0700 Subject: Mozilla update: jvm plugin broke? In-Reply-To: <20050726111533.241D.0@argo.troja.mff.cuni.cz> References: <20050726111533.241D.0@argo.troja.mff.cuni.cz> Message-ID: <1122390798.3353.6.camel@yoda.loki.me> On Tue, 2005-07-26 at 11:45 +0200, Pavel Kankovsky wrote: > Was/is it? > Whoops. My mistake. 
Please see Marc's email on the issue, he obviously has a much better grasp on the situation than I do. That's what I get for trying to work from memory on a distro that is this old.. (:

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From jung at one.ekof.bg.ac.yu Tue Jul 26 15:38:17 2005
From: jung at one.ekof.bg.ac.yu (Igor Nestorović)
Date: Tue, 26 Jul 2005 17:38:17 +0200
Subject: Mozilla update: jvm plugin broke?
In-Reply-To: <1122380036.11413.10.camel@mdlinux>
References: <1122319135.30551.10.camel@mdlinux> <1122347048.6017.3.camel@mdlinux> <1122355867.3353.0.camel@yoda.loki.me> <1122380036.11413.10.camel@mdlinux>
Message-ID: <1122392297.5346.8.camel@lara>

Mozilla in Red Hat 9 works only with the following Java plugin:

/usr/lib/jre/plugin/i386/ns610-gcc32/libjavaplugin_oji.so

starting with the very first version shipped with the release. The other one:

/usr/lib/jre/plugin/i386/ns610/libjavaplugin_oji.so

(non GCC32 plugin) is a no show.

On Tue, 26 Jul 2005 at 08:13 -0400, Marc Deslauriers wrote:
> On Mon, 2005-07-25 at 22:31 -0700, Jesse Keating wrote:
> > RHL9 was all built using gcc 2.96. I do recall gcc3 being shipped w/
> > RHL9 as an optional newer compiler, but the distro itself is 2.96
> > compiled.
> >
>
> 3.2.2 is the default gcc on rh9. A compat 2.96 package was shipped to
> compile, IIRC, the kernel and mozilla. Maybe OpenOffice.org too.
>
> Marc.
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list

--
The future not being born, my friend, we will abstain from baptizing it.
-- George Meredith

From marcdeslauriers at videotron.ca Wed Jul 27 21:03:33 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 27 Jul 2005 17:03:33 -0400
Subject: Fedora Legacy Test Update Notification: php
Message-ID: <42E7F6A5.7080009@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-163559
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163559
2005-07-27
---------------------------------------------------------------------

Name        : php
Versions    : fc1: php-4.3.11-1.fc1.2.legacy
Versions    : fc2: php-4.3.11-1.fc2.3.legacy
Summary     : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache Web server to understand and process the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Updated PHP packages that fix two security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue.

A race condition in temporary file handling was discovered in the shtool script installed by PHP.
If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1751 to this issue.

Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.

---------------------------------------------------------------------
fc1 changelog:

* Tue Jul 26 2005 Marc Deslauriers 4.3.11-1.fc1.2.legacy
- add security fixes:
  * shtool temp file handling (CAN-2005-1751)
  * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

fc2 changelog:

* Tue Jul 26 2005 Marc Deslauriers 4.3.11-1.fc2.3.legacy
- add security fixes:
  * shtool temp file handling (CAN-2005-1751)
  * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

---------------------------------------------------------------------
This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

---------------------------------------------------------------------
Please test and comment in bugzilla.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL:

From gene.heskett at verizon.net Thu Jul 28 01:30:13 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 27 Jul 2005 21:30:13 -0400
Subject: yum problems
Message-ID: <200507272130.13729.gene.heskett@verizon.net>

Greetings;

I finally got yum to run again, by rpm -Uvh --oldpackage to put a bunch of libxml2* and libxslt* stuff back in from the FC2 iso images.

I've added the required excludes to /etc/yum.conf to keep the self destruction at bay (but I still, after all the mewling, fail to understand why yum is allowed to update its required dependencies with crap that doesn't allow yum to function ever more), but now when I type yum update, I get this exit:

Resolving dependencies
....Unable to satisfy dependencies
Package nfs-utils needs kernel >= 2.2.14, this is not available.

Now folks, FC2 never to my knowledge had a kernel as old as 2.2.14. The original kernel from FC2 has long since been rm'd but kernel* is in the excludes as I'm running on any one day, the latest stable 2.6 built from tarballs, or even Ingo Molnar's Realtime-Preempt series, currently booted to 2.6.12-RT-V0.7.51-38. In mode 4, but watch for IRQ hungry stuff lagging X into oblivion, requiring an X restart.

As nfs is something that's NEVER worked here, I'd like to try it.

So I've installed the original kernel but with a --justdb option, and it appears to be working.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
From mike.mccarty at sbcglobal.net Thu Jul 28 02:33:01 2005 From: mike.mccarty at sbcglobal.net (Mike McCarty) Date: Wed, 27 Jul 2005 21:33:01 -0500 Subject: yum problems In-Reply-To: <200507272130.13729.gene.heskett@verizon.net> References: <200507272130.13729.gene.heskett@verizon.net> Message-ID: <42E843DD.1050408@sbcglobal.net> Gene Heskett wrote: > Greetings; > [snip] > Now folks, FC2 never to my knowledge had a kernel as old as 2.2.14. The version I installed (from the distro ISOs) was 2.6.5-1.358 I'd guess this was the earliest. [snip] > As nfs is something thats NEVER worked here, I'd like to try it. > Worked fine for me out of the box, so I dunno. > So I've installed the original kernel but with a --justdb option, and > it appears to be working. > Great! Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From jkeating at j2solutions.net Thu Jul 28 02:49:29 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Wed, 27 Jul 2005 19:49:29 -0700 Subject: yum problems In-Reply-To: <200507272130.13729.gene.heskett@verizon.net> References: <200507272130.13729.gene.heskett@verizon.net> Message-ID: <1122518969.9615.0.camel@yoda.loki.me> On Wed, 2005-07-27 at 21:30 -0400, Gene Heskett wrote: > Resolving dependencies > ....Unable to satisfy dependencies > Package nfs-utils needs kernel >= 2.2.14, this is not available. Your DB is horked. This is Greater than or equal to 2.2.14. Your 2.6 kernel should most certainly satisfy this. However your system seems to think that the kernel isn't installed. I don't know what you've done to your rpm db, and most likely you will not be able to recover to a sane state. I would really suggest starting over. 
--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From gene.heskett at verizon.net Thu Jul 28 03:11:19 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 27 Jul 2005 23:11:19 -0400
Subject: yum problems
In-Reply-To: <42E843DD.1050408@sbcglobal.net>
References: <200507272130.13729.gene.heskett@verizon.net> <42E843DD.1050408@sbcglobal.net>
Message-ID: <200507272311.19399.gene.heskett@verizon.net>

On Wednesday 27 July 2005 22:33, Mike McCarty wrote:
>Gene Heskett wrote:
>> Greetings;
>
>[snip]
>
>> Now folks, FC2 never to my knowledge had a kernel as old as
>> 2.2.14.
>
>The version I installed (from the distro ISOs) was 2.6.5-1.358
>I'd guess this was the earliest.
>
>[snip]
>
>> As nfs is something that's NEVER worked here, I'd like to try it.
>
>Worked fine for me out of the box, so I dunno.
>
>> So I've installed the original kernel but with a --justdb option,
>> and it appears to be working.
>
>Great!
>
>Mike

Now the 64k$ question is, will an NFS export work now? It's getting late on this side of the planet & I ran 18 bags of handicrete into a footer hole earlier today, so I'm not as fresh as I might have been 70 years ago.

I've long since forgotten the syntax to set up an NFS share, the last time several folks tried to be helpful I couldn't get past some sort of a no permission error. It's still turned on in sysconfig, and I get an error from NFS4 on booting, something about a missing RPC MTAB, whatever the heck that is. And it's apparently not precious as it doesn't show in the messages or dmesg files, so I'd have to take a screen snapshot to record it.

So I'll essentially be starting from scratch. Since the older nfsutils is now installed, I just ran a couple of service nfs restarts, and this looks promising:

[root at coyote init.d]# service nfs restart
Shutting down NFS mountd: [FAILED]
Shutting down NFS daemon: [FAILED]
Shutting down NFS quotas: [FAILED]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS4 idmapd: Error: RPC MTAB does not exist.
[root at coyote init.d]# service nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS4 idmapd: Error: RPC MTAB does not exist.

So now at least, with the older fc1 version installed, that some progress has been made. At least NFS is not taking a silent crap now.

I just fixed the fstab line according to the manpage and another restart was equally successful. It was pointing to an iso repository that no longer existed. Now it does.

More tomorrow.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
From gene.heskett at verizon.net Thu Jul 28 03:23:15 2005
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 27 Jul 2005 23:23:15 -0400
Subject: yum problems
In-Reply-To: <1122518969.9615.0.camel@yoda.loki.me>
References: <200507272130.13729.gene.heskett@verizon.net> <1122518969.9615.0.camel@yoda.loki.me>
Message-ID: <200507272323.15825.gene.heskett@verizon.net>

On Wednesday 27 July 2005 22:49, Jesse Keating wrote:
>On Wed, 2005-07-27 at 21:30 -0400, Gene Heskett wrote:
>> Resolving dependencies
>> ....Unable to satisfy dependencies
>> Package nfs-utils needs kernel >= 2.2.14, this is not available.
>
>Your DB is horked. This is Greater than or equal to 2.2.14. Your
> 2.6 kernel should most certainly satisfy this. However your system
> seems to think that the kernel isn't installed.
>
According to rpm, it wasn't, so I did an install with the --justdb option, which fixed that right up. Note that I don't frankly care if the original kernel is available for booting or not, I've currently about 25 choices setup in grub.conf. I have been known to build 3 kernels a day just for fun & testing.

[root at coyote init.d]# uname -r
2.6.12-RT-V0.7.51-38

Which I think you have to admit is in danger of leaving blood on the floor. It does have some IRQ handling problems though.

>I don't know what you've done to your rpm db, and most likely you
> will not be able to recover to a sane state. I would really
> suggest starting over.

Never say never my friend. I've just come off a week's worth of trying to install FC4 on another machine & gave up after about 10 cycles. Those cd's went out with the trash this morning. 3 of the many installs worked long enough to type yum update, which promptly destroyed them to the point of being unbootable. So if I do something here that's not recoverable via amanda, and have to re-install, the re-install will start with disk 1 of debian-3.1. Or maybe even gentoo, but at 70, I may not have enough time to get it to run as clean as I have this one running now for day to day use.

--
Cheers Jesse, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.

From jkeating at j2solutions.net Thu Jul 28 05:27:40 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 27 Jul 2005 22:27:40 -0700
Subject: yum problems
In-Reply-To: <200507272323.15825.gene.heskett@verizon.net>
References: <200507272130.13729.gene.heskett@verizon.net> <1122518969.9615.0.camel@yoda.loki.me> <200507272323.15825.gene.heskett@verizon.net>
Message-ID: <1122528460.9615.22.camel@yoda.loki.me>

On Wed, 2005-07-27 at 23:23 -0400, Gene Heskett wrote:
> According to rpm, it wasn't, so I did an install with the --justdb
> option, which fixed that right up. Note that I don't frankly care if
> the original kernel is available for booting or not, I've currently
> about 25 choices setup in grub.conf. I have been known to build 3
> kernels a day just for fun & testing.

Which is why I say your rpm db is borked. You cannot be running a clean rpm db if you have no kernel entry. The fact that you had to --justdb it tells me that something has borked your rpm db, and in just about every place I've run into a borked rpm db for unknown reasons, it wasn't worth the lengthy effort to try and figure out what went wrong and fix it. It was best to pave it, and restore critical data from backup.

[...]

>
> Never say never my friend. I've just come off a week's worth of trying
> to install FC4 on another machine & gave up after about 10 cycles.
> Those cd's went out with the trash this morning. 3 of the many
> installs worked long enough to type yum update, which promptly
> destroyed them to the point of being unbootable.

What's so special about you that is different from the hundreds of thousands of other users that are able to get FC4 installed w/out a hitch? It isn't terribly difficult, nor inherently broken, unless you have some wild system that just doesn't like their default kernels, or you have hardware issues that are leading to corruption.

> So if I do
> something here that's not recoverable via amanda, and have to
> re-install, the re-install will start with disk 1 of debian-3.1. Or
> maybe even gentoo, but at 70, I may not have enough time to get it to
> run as clean as I have this one running now for day to day use.

More power to you. Some Linux distributions are more... forgiving... when you wander off the beaten path. Some are less. Fedora is generally in the middle until all of a sudden the rpm DB is borked. The problem you see installing on one system is not indicative of a bad OS, just a system that perhaps doesn't like the install for one reason or another. Do whatever you wish with your systems, however I can't take any credit in any packaging bug you may find, as I know you don't have a pristine or even semi-clean system. Don't expect our stuff to work out of the box on your system either.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From i.wells at ntlworld.com Thu Jul 28 07:35:20 2005
From: i.wells at ntlworld.com (Ian Wells)
Date: Thu, 28 Jul 2005 08:35:20 +0100
Subject: CAN-2005-2335 fetchmail
Message-ID: <00c201c59346$e86da220$1500a8c0@eddie>

Is CAN-2005-2335 being looked at by Fedora Legacy?
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335) There is a RedHat Security Advisory RHSA-2005:640-08 http://rhn.redhat.com/errata/RHSA-2005-640.html For RH7.3 it appears to be a case of rebuilding the RHEL ES (v. 2.1) SRPM Ian From jkosin at intcomgrp.com Mon Jul 25 18:27:17 2005 From: jkosin at intcomgrp.com (James Kosin) Date: Mon, 25 Jul 2005 14:27:17 -0400 Subject: Unsupported Updates.. Message-ID: <42E52F05.9040003@intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Everyone, ClamAV updates to version 0.86.2 - ------------- I've updated my clamav packages to reflect the current version 0.86.2 of clamav released Monday... !!! Wow, I actually had a fast turn around on the package. AutoMake update to version 1.9.6 - -------------- I've been upgrading to the latest versions for all the make utilities in hopes of finding the problem with gcc and the gnatlib-shared build for gcc. Make update to 3.80 - -------------- I've applied one of the three patches. The other two patches are there. the second one has already been applied upstream and the third patch I'm holding off on, since it looks like the module itself has been re-written. I may be applying the third patch again in the future. Seems to effect error reporting when a system error has occured. GCC 3.3.6 - --------------- I'm close on this... I've got the problem narrowed down. I've got some major testing afterwards on this one; since, it will probably effect all the major libraries. James Kosin - -- - -- James Kosin International Communications Group, Inc. 230 Pickett's Line Newport News, VA 23603-1366 - - United States of America - Phone: 1(757)947-1030 ext. 
122 Fax : 1(757)947-1035 - -- GPG Fingerprint: 28E9 6487 34B2 18DD 6468 F091 8CD9 2038 DEB0 0590 GPG Key ID: 0xDEB00590 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC5S8FjNkgON6wBZARAnORAJ9550DEcwaunP+eLKBc28cK7BzjUgCcDxK6 FB4F53QQsCeCWxRgGUjXYXU= =DiGe -----END PGP SIGNATURE----- From sheltren at cs.ucsb.edu Thu Jul 28 14:03:54 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Thu, 28 Jul 2005 07:03:54 -0700 Subject: CAN-2005-2335 fetchmail In-Reply-To: <00c201c59346$e86da220$1500a8c0@eddie> References: <00c201c59346$e86da220$1500a8c0@eddie> Message-ID: <0EC8B483-5210-4354-A779-3C8BADE198F4@cs.ucsb.edu> I didn't see any bugzilla entries, so I opened a new bug for this: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512 I'll try to get some updated packages later today. -Jeff On Jul 28, 2005, at 12:35 AM, Ian Wells wrote: > Is CAN-2005-2335 being looked at by Fedora Legacy? (http:// > cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335) > > There is a RedHat Security Advisory RHSA-2005:640-08 > http://rhn.redhat.com/errata/RHSA-2005-640.html > > For RH7.3 it appears to be a case of rebuilding the RHEL ES (v. > 2.1) SRPM > > Ian > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > http://www.redhat.com/mailman/listinfo/fedora-legacy-list > From gene.heskett at verizon.net Thu Jul 28 13:20:57 2005 From: gene.heskett at verizon.net (Gene Heskett) Date: Thu, 28 Jul 2005 09:20:57 -0400 Subject: inkscape compile problems Message-ID: <200507280920.57477.gene.heskett@verizon.net> Greetings; I cannot get inkscape to compile on an FC2 box, and the staticly linked versions are apparently expecting a newer glib than the glib-1.2.10-12.1.1 installed on this FC2 system. Is it possible to update glib without borking everything, & if so, how far forward can I move? 
-- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) 99.35% setiathome rank, not too shabby for a WV hillbilly Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2005 by Maurice Eugene Heskett, all rights reserved. From jkeating at j2solutions.net Thu Jul 28 14:59:05 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 07:59:05 -0700 Subject: inkscape compile problems In-Reply-To: <200507280920.57477.gene.heskett@verizon.net> References: <200507280920.57477.gene.heskett@verizon.net> Message-ID: <1122562745.9615.37.camel@yoda.loki.me> On Thu, 2005-07-28 at 09:20 -0400, Gene Heskett wrote: > > I cannot get inkscape to compile on an FC2 box, and the staticly > linked versions are apparently expecting a newer glib than the > glib-1.2.10-12.1.1 installed on this FC2 system. What fails when trying to compile it? > Is it possible to update glib without borking everything, & if so, how > far forward can I move? Tis a dark path you are looking down, chock full of failed systems from previous fellows who have attempted that which you are about to attempt. Then again, your system isn't all that clean to begin with so why not? (: -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Thu Jul 28 17:21:01 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 10:21:01 -0700 Subject: New bugzilla feature Message-ID: <1122571261.24982.57.camel@prometheus.gamehouse.com> I was just informed that any bugzilla query can be turned into an rss feed. Perhaps we should have a feed on our website covering active bugs. Can somebody look into this for me? 
-- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Thu Jul 28 17:56:06 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 10:56:06 -0700 Subject: Move to Fedoraproject.org wiki Message-ID: <1122573366.24982.69.camel@prometheus.gamehouse.com> Those of you that would like to help out w/ moving the wiki contents over to fedoraproject.org's wiki, please go to http://www.fedoraproject.org/wiki/ and create accounts and then email me with the account name. I will add you to the LegacyGroup and EditGroup so that you can start adding pages. All pages for Legacy need to have the following at the very top: #acl LegacyGroup:admin,read,write,delete,revert Known:read -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Thu Jul 28 17:58:45 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 10:58:45 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <1122573366.24982.69.camel@prometheus.gamehouse.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> Message-ID: <1122573525.24982.70.camel@prometheus.gamehouse.com> On Thu, 2005-07-28 at 10:56 -0700, Jesse Keating wrote: > All pages for Legacy need to have the following at the very top: > > #acl LegacyGroup:admin,read,write,delete,revert Known:read Rather this should be: #acl LegacyGroup:admin,read,write,delete,revert All:read -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Thu Jul 28 18:08:28 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 11:08:28 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <1122573525.24982.70.camel@prometheus.gamehouse.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <1122573525.24982.70.camel@prometheus.gamehouse.com> Message-ID: <1122574109.24982.76.camel@prometheus.gamehouse.com> On Thu, 2005-07-28 at 10:58 -0700, Jesse Keating wrote: > On Thu, 2005-07-28 at 10:56 -0700, Jesse Keating wrote: > > All pages for Legacy need to have the following at the very top: > > > > #acl LegacyGroup:admin,read,write,delete,revert Known:read > > Rather this should be: > > #acl LegacyGroup:admin,read,write,delete,revert All:read And I just noticed that you will most likely not be able to edit ACLs. Thats fine, I can go through pages as they get created to set the ACL. To help me with this, please when making a new page, select that the page belongs to the 'CategoryLegacy'. This will add a line to the bottom of your page that looks like: ---- CategoryLegacy This only has to be added once. This way I can quickly see pages that are Legacy related and I can set the ACL accordingly. Thanks for all the help you may provide with this. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From dom at earth.li Thu Jul 28 18:10:33 2005 From: dom at earth.li (Dominic Hargreaves) Date: Thu, 28 Jul 2005 19:10:33 +0100 Subject: My status Message-ID: <20050728181033.GH32369@urchin.earth.li> Hi all, As you'll have noticed I've been very quiet in recent months for various reasons. 
This has been due to a number of factors, but most interestingly I've now moved away from my job at Astrophysics where fedora-legacy work was useful to them. They have now migrated almost entirely away from Red Hat and my new employers (http://www.blackcatnetworks.co.uk/) don't use Red Hat either. So it's unlikely I'll be spending much time on the project in future. I'll probably hang around on the mailing lists and IRC channel for the time being and if I can ever spare time to help out with package builds etc, I will do so. Thanks for the other community members who have helped to make fedora-legacy a useful project. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) From jkosin at beta.intcomgrp.com Thu Jul 28 18:12:04 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Thu, 28 Jul 2005 14:12:04 -0400 Subject: Move to Fedoraproject.org wiki In-Reply-To: <1122573366.24982.69.camel@prometheus.gamehouse.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> Message-ID: <42E91FF4.8010300@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jesse Keating wrote: |Those of you that would like to help out w/ moving the wiki contents |over to fedoraproject.org's wiki, please go to |http://www.fedoraproject.org/wiki/ and create accounts and then email me |with the account name. I will add you to the LegacyGroup and EditGroup |so that you can start adding pages. | |All pages for Legacy need to have the following at the very top: | |#acl LegacyGroup:admin,read,write,delete,revert Known:read | What about those of us who already have wiki accounts on www.fedoraproject.org ? I'm already a member; what can I do to help with things? Or what do I need to do? My account is JamesKosin ... 
Thanks, James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC6R/zkNLDmnu1kSkRAjQoAJkBiRfPQ0FlhqpXYMeYrJVyxVEo+gCdEPP/ AonuJj5nXSOon09AOACJbTY= =L9FE -----END PGP SIGNATURE----- From mike.mccarty at sbcglobal.net Thu Jul 28 18:14:44 2005 From: mike.mccarty at sbcglobal.net (Mike McCarty) Date: Thu, 28 Jul 2005 13:14:44 -0500 Subject: My status In-Reply-To: <20050728181033.GH32369@urchin.earth.li> References: <20050728181033.GH32369@urchin.earth.li> Message-ID: <42E92094.8080907@sbcglobal.net> Dominic Hargreaves wrote: > Hi all, [snip] > So it's unlikely I'll be spending much time on the project in future. > I'll probably hang around on the mailing lists and IRC channel for the > time being and if I can ever spare time to help out with package builds > etc, I will do so. I am a newcomer to this list (only about a month) and so I haven't noticed you being gone, but before you go, I'd like to say THANK YOU Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From jkeating at j2solutions.net Thu Jul 28 18:37:14 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 11:37:14 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <42E91FF4.8010300@beta.intcomgrp.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <42E91FF4.8010300@beta.intcomgrp.com> Message-ID: <1122575834.18792.1.camel@prometheus.gamehouse.com> On Thu, 2005-07-28 at 14:12 -0400, James Kosin wrote: > I'm already a member; what can I do to help with things? Or what do I > need to do? > > My account is JamesKosin ... So basically any content in the old wiki we wish to keep needs to be migrated to the new page. 
There is a SubPage of the main wiki called Legacy, see it here http://www.fedoraproject.org/wiki/Legacy There is an example there of how to make pages that are within the subpage of Legacy. So just start moving pages over. Unfortunately they will have to be reformatted as the wikis use a different formatting syntax. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From seyman at wanadoo.fr Thu Jul 28 20:40:49 2005 From: seyman at wanadoo.fr (Emmanuel Seyman) Date: Thu, 28 Jul 2005 22:40:49 +0200 Subject: New bugzilla feature In-Reply-To: <1122571261.24982.57.camel@prometheus.gamehouse.com> References: <1122571261.24982.57.camel@prometheus.gamehouse.com> Message-ID: <20050728204049.GA14348@orient.maison.moi> On Thu, Jul 28, 2005 at 10:21:01AM -0700, Jesse Keating wrote: > > I was just informed that any bugzilla query can be turned into an rss > feed. Perhaps we should have a feed on our website covering active It's a feature that's been present for quite a while in Bugzilla but the only stable release to have it is 2.20rc1 (which wasn't probably that stable to begin with since 2.20rc2 is due out Friday). Still, Red Hat's Bugzilla has it, which is the important thing. Basically, every search result gives you a "RSS" link between the "CSV" and "iCalendar" links. Clicking on that gives you the RSS feed.
Emmanuel From jkeating at j2solutions.net Thu Jul 28 20:49:40 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 13:49:40 -0700 Subject: New bugzilla feature In-Reply-To: <20050728204049.GA14348@orient.maison.moi> References: <1122571261.24982.57.camel@prometheus.gamehouse.com> <20050728204049.GA14348@orient.maison.moi> Message-ID: <1122583780.18792.8.camel@prometheus.gamehouse.com> On Thu, 2005-07-28 at 22:40 +0200, Emmanuel Seyman wrote: > It's a feature that's been present for quite a while in Bugzilla but > the only stable release to have it is 2.20rc1 (which wasn't probably > that stable to begin with since 2.20rc2 is due out Friday). > Still, Red Hat's Bugzilla has it, which is the important thing. > > Basically, every search result gives you a "RSS" link between the > "CSV" and "iCalendar" links. Clicking on that gives you the RSS feed. So would anybody be willing to mock up a web page using this rss information so that we can have a page that shows real-time but status. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Thu Jul 28 20:56:40 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 13:56:40 -0700 Subject: Daniel Culioli has been unsubbed Message-ID: <1122584200.18792.10.camel@prometheus.gamehouse.com> He was sending out autoconfirm messages to anybody that sent something to the list. He has been unsubbed. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful?
Let others know: http://svcs.affero.net/rm.php?r=jkeating From jung at one.ekof.bg.ac.yu Thu Jul 28 21:02:47 2005 From: jung at one.ekof.bg.ac.yu (Igor Nestorović) Date: Thu, 28 Jul 2005 23:02:47 +0200 Subject: New bugzilla feature In-Reply-To: <1122583780.18792.8.camel@prometheus.gamehouse.com> References: <1122571261.24982.57.camel@prometheus.gamehouse.com> <20050728204049.GA14348@orient.maison.moi> <1122583780.18792.8.camel@prometheus.gamehouse.com> Message-ID: <1122584567.5158.2.camel@lara> ? ?et, 28. 07. 2005. ? 13:49 -0700, Jesse Keating ??????: > So would anybody be willing to mock up a web page using this rss > information so that we can have a page that shows real-time but status. Jesse, that was a very amusing typo. :) Or, maybe it was intentional? ;) -- e-credibility: the non-guaranteeable likelihood that the electronic data you're seeing is genuine rather than somebody's made-up crap. - Karl Lehenbauer -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: ??? ?? ??? ?????? ?? ?????????? ???????? URL: From jkeating at j2solutions.net Thu Jul 28 21:05:53 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 28 Jul 2005 14:05:53 -0700 Subject: New bugzilla feature In-Reply-To: <1122584567.5158.2.camel@lara> References: <1122571261.24982.57.camel@prometheus.gamehouse.com> <20050728204049.GA14348@orient.maison.moi> <1122583780.18792.8.camel@prometheus.gamehouse.com> <1122584567.5158.2.camel@lara> Message-ID: <1122584753.18792.12.camel@prometheus.gamehouse.com> On Thu, 2005-07-28 at 23:02 +0200, Igor Nestorović wrote: > ? ?et, 28. 07. 2005. ? 13:49 -0700, Jesse Keating ??????: > > So would anybody be willing to mock up a web page using this rss > > information so that we can have a page that shows real-time but > status. > Jesse, that was a very amusing typo. :) > > Or, maybe it was intentional? ;) Er... whoops.
I have no idea how those chars got there. Should have just been 'real-time status'. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From nils at lemonbit.nl Thu Jul 28 23:38:40 2005 From: nils at lemonbit.nl (Nils Breunese (Lemonbit Internet)) Date: Fri, 29 Jul 2005 01:38:40 +0200 Subject: New bugzilla feature In-Reply-To: <1122584753.18792.12.camel@prometheus.gamehouse.com> References: <1122571261.24982.57.camel@prometheus.gamehouse.com> <20050728204049.GA14348@orient.maison.moi> <1122583780.18792.8.camel@prometheus.gamehouse.com> <1122584567.5158.2.camel@lara> <1122584753.18792.12.camel@prometheus.gamehouse.com> Message-ID: <44C52D2E-9F56-4EFF-B9C0-E8DD8E01E973@lemonbit.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jesse Keating: >>> So would anybody be willing to mock up a web page using this rss >>> information so that we can have a page that shows real-time but >>> status. >> >> Jesse, that was a very amusing typo. :) >> >> Or, maybe it was intentional? ;) > > Er... whoops. I have no idea how those chars got there. Should have > just been 'real-time status'. I think 'real-time bug status'? Oh well... :o) Nils. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFC6WyIa/6OPYXzVGERAl2cAKDfWDJYknlHa0+maCpnUQ715MRAKQCgyc+I 1aQ5iTm5p1MhnCRPvOFSR/4= =uPOk -----END PGP SIGNATURE----- From marcdeslauriers at videotron.ca Fri Jul 29 03:09:29 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Thu, 28 Jul 2005 23:09:29 -0400 Subject: [UPDATED] Fedora Legacy Test Update Notification: mc Message-ID: <42E99DE9.9050306@videotron.ca> Packages were updated to add missing groff and gnome-libs dependencies.
--------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-152889 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152889 2005-07-28 --------------------------------------------------------------------- Name : mc Versions : rh73: mc-4.5.55-12.legacy Versions : rh9: mc-4.6.0-18.3.fc0.9.legacy Versions : fc1: mc-4.6.0-18.3.fc1.0.legacy Versions : fc2: mc-4.6.1-0.13.FC2.1.legacy Summary : A user-friendly file manager and visual shell. Description : Midnight Commander is a visual shell much like a file manager, only with many more features. It is a text mode application, but it also includes mouse support if you are running GPM. Midnight Commander's best features are its ability to FTP, view tar and zip files, and to poke into RPMs for specific files. --------------------------------------------------------------------- Update Information: Updated mc packages that fix several security issues are now available. Midnight Commander is a visual shell much like a file manager. Several buffer overflows, several temporary file creation vulnerabilities, and one format string vulnerability have been discovered in Midnight Commander. These vulnerabilities were discovered mostly by Andrew V. Samoilov and Pavel Roskin. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0226, CAN-2004-0231, and CAN-2004-0232 to these issues. Shell escape bugs have been discovered in several of the mc vfs backend scripts. An attacker who is able to influence a victim to open a specially-crafted URI using mc could execute arbitrary commands as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0494 to this issue. Several format string bugs were found in Midnight Commander. 
If a user is tricked by an attacker into opening a specially crafted path with mc, it may be possible to execute arbitrary code as the user running Midnight Commander. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1004 to this issue. Several buffer overflow bugs were found in Midnight Commander. If a user is tricked by an attacker into opening a specially crafted file or path with mc, it may be possible to execute arbitrary code as the user running Midnight Commander. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1005 to this issue. Several denial of service bugs were found in Midnight Commander. These bugs could cause Midnight Commander to hang or crash if a victim opens a carefully crafted file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093 and CAN-2004-1174 to these issues. A filename quoting bug was found in Midnight Commander's FISH protocol handler. If a victim connects via embedded SSH support to a host containing a carefully crafted filename, arbitrary code may be executed as the user running Midnight Commander. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1175 to this issue. A buffer underflow bug was found in Midnight Commander. If a malicious local user is able to modify the extfs.ini file, it could be possible to execute arbitrary code as a user running Midnight Commander. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1176 to this issue. A buffer overflow bug was found in the way Midnight Commander handles directory completion. If a victim uses completion on a maliciously crafted directory path, it is possible for arbitrary code to be executed as the user running Midnight Commander. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0763 to this issue. Users of mc are advised to upgrade to these packages, which contain backported security patches to correct these issues. --------------------------------------------------------------------- Changelogs rh73: * Sun Apr 17 2005 Leonard den Ottolander 4.5.55-11.legacy - Missed the removal of a strcat in gtkedit/syntax.c open_include_file() in CAN-2004-0226 causing crash in mcedit. Cleaned up syntax.c a bit more in accordance with the Debian patch and CVS (redundant -1s in strncpy()s) * Wed Apr 13 2005 Leonard den Ottolander 4.5.55-10.legacy - Add patch for CAN-2005-0763 * Fri Apr 08 2005 Leonard den Ottolander 4.5.55-9.legacy - Use CAN-2004-0226 patch from RHEL 2.1 as it is more complete than the Debian patch. - Split original CAN-2004-0226 patch in 6 parts: CAN-2004-0226 (buffer overflows), CAN-2004-0231 (temp file fixes), CAN-2004-0232 (format string vulnerabilities), CAN-2004-0494 (vfs quoting fixes), ftpfs, and fish. - Add one modified hunk from Debian to src/complete.c (CAN-2004-0226) - Don't use CAN-2004-0494 parts from RHEL 2.1 CAN-2004-0226 patch as the current patch is more complete. - Rename mc-4.5.55-extfs.patch to mc-4.5.55-CAN-2004-0494.patch. - Removed some redundant hunks and fixed a few in CAN-2004-0494 patch. - Add missing hunk for lib/cedit.menu to CAN-2004-0231 patch. - One cpio.c hunk removed from CAN-2004-1005 patch (already in -0226) * Mon Feb 14 2005 Leonard den Ottolander 4.5.55-8.legacy - Really apply remainder of CAN-2004-0226 patch * Wed Feb 09 2005 Leonard den Ottolander 4.5.55-7.legacy - Fixed extfs for quoting and some temp file issues (CAN-2004-0494). - Removed mc-cvs-uzip as it is no longer needed with above fixes. - trpm and zip fixes are unneeded but left in as the patch was made against a tree that has them applied. 
- Added fixes for CAN-2004-0226, CAN-2004-1004, CAN-2004-1005, CAN-2004-1009, CAN-2004-1090, CAN-2004-1091, CAN-2004-1092, CAN-2004-1093, CAN-2004-1174, CAN-2004-1175 & CAN-2004-1176. rh9: * Sat Feb 12 2005 David Eisenstein 1:4.6.0-18.2.fc0.9.legacy - rebuild SRPM for RH9. (FL bugzilla #2009, 2405). * Fri Feb 11 2005 David Eisenstein 1:4.6.0-18.2.fc1.0.legacy - Add mc-4.6.0-multi-CVE.patch which completes the fixes for CAN-2004-1004, CAN-2004-1005, and CAN-2004-1176. Source of these patches are from Debian, (DSA-639) and ultimately from the mc CVS tree. - FL Bugzilla #2405. * Sun Feb 06 2005 David Eisenstein 1:4.6.0-18.1.fc1.0.legacy - Per Leonard den Ottolander, get rid of mc-cvs-uzip. Required removing a hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch. - Use revised quoted-security2 patch, less drastic changes to uzip.in in extfs directory for vulnerability CAN-2004-0494. FL bugzilla #2009. * Fri Jan 28 2005 David Eisenstein 1:4.6.0-18.0.fc1.0.legacy - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match scripts in upstream's cvs. This takes care of fixes missed in Fedora update FEDORA-2004-272. - Fedora Legacy bugzilla # 2009. fc1: * Fri Feb 11 2005 David Eisenstein 1:4.6.0-18.2.fc1.0.legacy - Add mc-4.6.0-multi-CVE.patch which completes the fixes for CAN-2004-1004, CAN-2004-1005, and CAN-2004-1176. Source of these patches are from Debian, (DSA-639) and ultimately from the mc CVS tree. - FL Bugzilla #2405. * Sun Feb 06 2005 David Eisenstein 1:4.6.0-18.1.fc1.0.legacy - Per Leonard den Ottolander, get rid of mc-cvs-uzip. Required removing a hunk from mc-4.6.0-jumbo.patch, now renamed mc-4.6.0-jumbo-b.patch. - Use revised quoted-security2 patch, less drastic changes to uzip.in in extfs directory for vulnerability CAN-2004-0494. FL bugzilla #2009. * Fri Jan 28 2005 David Eisenstein 1:4.6.0-18.0.fc1.0.legacy - Update extfs shell quoting fixes in scripts (CAN-2004-0494) to match scripts in upstream's cvs. 
This takes care of fixes missed in Fedora update FEDORA-2004-272. - Fedora Legacy bugzilla # 2009. fc2: * Tue Jul 12 2005 Marc Deslauriers 4.6.1-0.13.FC2.legacy - Rebuilt as a Fedora Legacy update * Fri Mar 04 2005 Jindrich Novy 4.6.1-0.13.FC2 - backport FC3 update to FC2 to fix security issues: (#148865) - CAN-2004-1004 (string vulnerabilities) - CAN-2004-1005 (buffer overflows) - CAN-2004-1176 (buffer underflow) - introduce mc-4.6.1-pre3 to FC2 users --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ --------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Fri Jul 29 03:10:29 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Thu, 28 Jul 2005 23:10:29 -0400 Subject: [FLSA-2005:163559] Updated php packages fix security issues Message-ID: <42E99E25.6050105@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated php packages fix security issues Advisory ID: FLSA:163559 Issue date: 2005-07-28 Product: Fedora Core Keywords: Bugfix CVE Names: CAN-2005-1751 CAN-2005-1921 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated PHP packages that fix two security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. 2. Relevant releases/architectures: Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue. A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1751 to this issue. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. 4. 
Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163559 6. 
RPMs required: Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.3.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.3.legacy.i386.rpm 
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.3.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.3.legacy.i386.rpm 7. Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From sheltren at cs.ucsb.edu Fri Jul 29 18:26:36 2005 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Fri, 29 Jul 2005 11:26:36 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <1122575834.18792.1.camel@prometheus.gamehouse.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <42E91FF4.8010300@beta.intcomgrp.com> <1122575834.18792.1.camel@prometheus.gamehouse.com> Message-ID: <847CB823-33EA-490F-B81E-B0770A2BB6C4@cs.ucsb.edu> On Jul 28, 2005, at 11:37 AM, Jesse Keating wrote: > > So basically any content in the old wiki we wish to keep needs to be > migrated to the new page. There is a SubPage of the main wiki called > Legacy, see it here > > http://www.fedoraproject.org/wiki/Legacy > > There is an example there of how to make pages that are within the > subpage of Legacy. So just start moving pages over. Unfortunately > they > will have to be reformatted as the wikis use a different formatting > syntax. I added a few pages last night. I think I got all the QA docs as well as the self intro and rpm versioning. If someone is thinking of updating some more pages, see: http://fedoraproject.org/wiki/CategoryLegacy to see what is already done. There are still a few things left to transfer over, and it would be nice to have an intro on the main 'Legacy' page. Jesse, all those legacy pages need the ACLs set.
-Jeff From jkeating at j2solutions.net Fri Jul 29 18:33:19 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Fri, 29 Jul 2005 11:33:19 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <847CB823-33EA-490F-B81E-B0770A2BB6C4@cs.ucsb.edu> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <42E91FF4.8010300@beta.intcomgrp.com> <1122575834.18792.1.camel@prometheus.gamehouse.com> <847CB823-33EA-490F-B81E-B0770A2BB6C4@cs.ucsb.edu> Message-ID: <1122661999.3470.7.camel@prometheus.gamehouse.com> On Fri, 2005-07-29 at 11:26 -0700, Jeff Sheltren wrote: > I added a few pages last night. I think I got all the QA docs as > well as the self intro and rpm versioning. If someone is thinking of > updating some more pages, see: > http://fedoraproject.org/wiki/CategoryLegacy > to see what is already done. Awesome. > There are still a few things left to transfer over, and it would be > nice to have an intro on the main 'Legacy' page. Yeah, I wasn't feeling very verbose last night. We could take a look at the Extras/ main page and model ours after it. I'm open to volunteers. > Jesse, all those legacy pages need the ACLs set. Done. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkosin at beta.intcomgrp.com Fri Jul 29 19:46:21 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Fri, 29 Jul 2005 15:46:21 -0400 Subject: Move to Fedoraproject.org wiki In-Reply-To: <1122661999.3470.7.camel@prometheus.gamehouse.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <42E91FF4.8010300@beta.intcomgrp.com> <1122575834.18792.1.camel@prometheus.gamehouse.com> <847CB823-33EA-490F-B81E-B0770A2BB6C4@cs.ucsb.edu> <1122661999.3470.7.camel@prometheus.gamehouse.com> Message-ID: <42EA878D.1070406@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jesse Keating wrote: |On Fri, 2005-07-29 at 11:26 -0700, Jeff Sheltren wrote: | |>I added a few pages last night. I think I got all the QA docs as |>well as the self intro and rpm versioning. If someone is thinking of |>updating some more pages, see: |>http://fedoraproject.org/wiki/CategoryLegacy |>to see what is already done. | | |Awesome. | |>There are still a few things left to transfer over, and it would be |>nice to have an intro on the main 'Legacy' page. | | |Yeah, I wasn't feeling very verbose last night. We could take a look at |the Extras/ main page and model ours after it. I'm open to volunteers. | |>Jesse, all those legacy pages need the ACLs set. | | |Done. | Everything is transferred... Sorry, but I have a few suggestions. (a) Put the QA stuff on a page with clearly numbered steps showing the process. #1, #2, etc. (b) The QA Testing page should probably be renamed to maybe QA Procedure or a more appropriate name describing its function. (c) What is the process for adding pages to the Legacy area? (d) What sort of topics, etc. I've gotten into package management a little and managed to roll out several updates (unofficially of course). I primarily have a FC1 box that I try and keep up2date with RPMs. Example, I could come up with a good page on the process of building an RPM for submission to QA.
Though packages that patch take one path and packages that re-build or upgrade version numbers should ideally take another path. I'd like to help; but, have only limited free time on my busy schedule. I'm trying to get a GCC update setup and working. Only problem is now I think there are package problems... Compiling completes correctly now. James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC6oeMkNLDmnu1kSkRAm6BAJ9Tusso4vtLAC9hf25dpJFWYHx65wCeMmaI h1LysBknsKP1CuWOovEbmSo= =gh3c -----END PGP SIGNATURE----- From jkeating at j2solutions.net Fri Jul 29 19:52:37 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Fri, 29 Jul 2005 12:52:37 -0700 Subject: Move to Fedoraproject.org wiki In-Reply-To: <42EA878D.1070406@beta.intcomgrp.com> References: <1122573366.24982.69.camel@prometheus.gamehouse.com> <42E91FF4.8010300@beta.intcomgrp.com> <1122575834.18792.1.camel@prometheus.gamehouse.com> <847CB823-33EA-490F-B81E-B0770A2BB6C4@cs.ucsb.edu> <1122661999.3470.7.camel@prometheus.gamehouse.com> <42EA878D.1070406@beta.intcomgrp.com> Message-ID: <1122666757.3470.10.camel@prometheus.gamehouse.com> On Fri, 2005-07-29 at 15:46 -0400, James Kosin wrote: > Everything is transferred... Sorry, but I have a few suggestions. > (a) Put the QA stuff on a page with clearly numbered steps showing > the process. #1, #2, etc. Care to take up this task? > (b) The QA Testing page should probably be renamed to maybe QA > Procedure or a more appropriate name describing its function. Suggestions? > (c) What is the process for adding pages to the Legacy area? Sign up for a wiki account, email me that account name so I can give you write access to the Legacy/ space. Edit the front page of Legacy/ and follow examples of the other pages listed there. You'll get a link that allows you to create a new page. Go to town. > (d) What sort of topics, etc.
Anything that you see fit to assisting people with
QA/Testing/Packaging/Using/etc....

> I've gotten into package management a
> little and managed to roll out several updates (unofficially of
> course). I primarily have a FC1 box that I try and keep up2date with
> RPMs. Example, I could come up with a good page on the process of
> building an RPM for submission to QA. Though packages that patch take
> one path and packages that re-build or upgrade version numbers should
> ideally take another path.

That sounds like a great page for review!

> I'd like to help; but, have only limited free time on my busy
> schedule. I'm trying to get a GCC update setup and working. Only
> problem is now I think there are package problems... Compiling
> completes correctly now.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating

From pekkas at netcore.fi Sat Jul 30 05:30:44 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 30 Jul 2005 08:30:44 +0300 (EEST)
Subject: New bugzilla feature
In-Reply-To: <1122583780.18792.8.camel@prometheus.gamehouse.com>
References: <1122571261.24982.57.camel@prometheus.gamehouse.com>
 <20050728204049.GA14348@orient.maison.moi>
 <1122583780.18792.8.camel@prometheus.gamehouse.com>
Message-ID:

On Thu, 28 Jul 2005, Jesse Keating wrote:
> On Thu, 2005-07-28 at 22:40 +0200, Emmanuel Seyman wrote:
>> It's a feature that's been present for quite a while in Bugzilla but
>> the only stable release to have it is 2.20rc1 (which wasn't probably
>> that stable to begin with since 2.20rc2 is due out Friday).
>> Still, Red Hat's Bugzilla has it, which is the important thing.
>>
>> Basically, every search result gives you a "RSS" link between the
>> "CSV" and "iCalendar" links. Clicking on that gives you the RSS feed.
>
> So would anybody be willing to mock up a web page using this rss
> information so that we can have a page that shows real-time bu[g] status.

I took a look at this. (See attached for an example.)

As far as I know, this doesn't help. It only gives an RSS link for
those packages that already exist in that query. In my example test, I
queried for "pending building to updates-testing". But in a couple of
days, the list is going to be different.

If my reading of the rss file is correct, RSS could only be used this
way by Legacy users to track the bug numbers instead of having to watch
the bugs.

If anyone is interested in playing with it, below are the queries I use
to create "buglists" right now. Just add '&ctype=rss' at the end to get
the RSS listing of the bugs for each category _at the moment_.

=========
All packages waiting to be released to updates
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=needsrelease'

All packages waiting to be built to updates-testing
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=needsbuild'

All packages lacking VERIFY, but will be released anyway unless issues are found
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=verify&field0-0-0=status_whiteboard&type0-0-0=anywords&value0-0-0=timeout&field1-0-0=status_whiteboard&type1-0-0=nowords&value1-0-0=needsrelease+needswork+discuss'

All packages lacking VERIFY
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=verify&field0-0-0=status_whiteboard&type0-0-0=nowords&value0-0-0=timeout+needsrelease'

All packages lacking PUBLISH (but excluding NEEDSWORK)
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=publish&field0-0-0=status_whiteboard&type0-0-0=nowords&value0-0-0=needswork'

All packages which need discussion:
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=discuss'

All packages which need work (e.g., packages, patch analysis,...)
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&status_whiteboard=NEEDSWORK'

Other bug reports
'https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate,bug_severity,priority,bug_status,bug_resolution,component,status_whiteboard,short_desc&&order=bugs.bug_id&field0-0-0=status_whiteboard&type0-0-0=nowords&value0-0-0=needswork+needsbuild+needsrelease+verify+publish+discuss'

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R.
Martin: A Clash of Kings

-------------- next part --------------
Bugzilla Bugs
Bugzilla Bug List
https://bugzilla.redhat.com/bugzilla/buglist.cgi?query_format=advanced&short_desc=&product=Fedora%20Legacy&component_text=&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&status_whiteboard_type=allwordssubstr&columnlist=changeddate%2Cbug_severity%2Cpriority%2Cbug_status%2Cbug_resolution%2Ccomponent%2Cstatus_whiteboard%2Cshort_desc&status_whiteboard=needsbuild&
hourly 2

Bug 152816 - CAN-2004-0803,0803,0886 kdefax libtiff remote code execution
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152816
2005-07-30T01:19Z
<table>
<tr> <th>Field</th><th>Value</th> </tr>
<tr> <td>Opened</td> <td>2004-10-16</td> </tr>
<tr> <td>Assignee</td> <td></td> </tr>
<tr> <td>Priority</td> <td>normal</td> </tr>
<tr> <td>Severity </td> <td>security</td> </tr>
<tr> <td>Status</td> <td>ASSIGNED</td> </tr>
<tr> <td>Changed</td> <td>2005-04-06</td> </tr>
</table>

Bug 152848 - CAN-2004-0968,1382,1453 glibc catchsegv/glibcbug/LD_DEBUG vulnerabilities
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152848
2005-07-30T01:19Z
<table>
<tr> <th>Field</th><th>Value</th> </tr>
<tr> <td>Opened</td> <td>2004-11-09</td> </tr>
<tr> <td>Assignee</td> <td></td> </tr>
<tr> <td>Priority</td> <td>normal</td> </tr>
<tr> <td>Severity </td> <td>security</td> </tr>
<tr> <td>Status</td> <td>ASSIGNED</td> </tr>
<tr> <td>Changed</td> <td>2005-07-23</td> </tr>
</table>

Bug 152803 - CAN-2004-0687,0688,0914, CAN-2005-0605 - lesstiff integer overflows in libXpm
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
2005-07-30T01:19Z
<table>
<tr> <th>Field</th><th>Value</th> </tr>
<tr> <td>Opened</td> <td>2004-10-08</td> </tr>
<tr> <td>Assignee</td> <td></td> </tr>
<tr> <td>Priority</td> <td>normal</td> </tr>
<tr> <td>Severity </td> <td>security</td> </tr>
<tr> <td>Status</td> <td>MODIFIED</td> </tr>
<tr> <td>Changed</td> <td>Thu 02:25</td> </tr>
</table>

Bug 152867 - rpm-4.2-0.69 as shipped with RHL9 is buggy; update to 4.2-1
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152867
2005-07-30T01:19Z
<table>
<tr> <th>Field</th><th>Value</th> </tr>
<tr> <td>Opened</td> <td>2004-12-07</td> </tr>
<tr> <td>Assignee</td> <td></td> </tr>
<tr> <td>Priority</td> <td>normal</td> </tr>
<tr> <td>Severity </td> <td>normal</td> </tr>
<tr> <td>Status</td> <td>NEW</td> </tr>
<tr> <td>Changed</td> <td>2005-04-11</td> </tr>
</table>

From pekkas at netcore.fi Sat Jul 30 06:29:05 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 30 Jul 2005 09:29:05 +0300 (EEST)
Subject: issues list(s)
Message-ID:

Remember, there's always a need for folks to do some QA testing. See
the wiki for instructions and how to get started:
http://www.fedoraproject.org/wiki/Legacy/QATesting

In particular, IMHO the biggest need right now is having people take a
look at "All packages lacking VERIFY" category especially for FC1/FC2.
Secondarily "All packages lacking PUBLISH" (for example, a couple of my
trivial packages have been sitting there for months, and I'm not
inclined to create any more of them until these have gone forward).

http://www.netcore.fi/pekkas/buglist.html (all)
http://www.netcore.fi/pekkas/buglist-rhl73.html
http://www.netcore.fi/pekkas/buglist-rhl9.html
http://www.netcore.fi/pekkas/buglist-core1.html
http://www.netcore.fi/pekkas/buglist-fc2.html

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
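
The buglist queries with '&ctype=rss' from the "New bugzilla feature" message above can be turned into a small tracker for security bugs that have stopped moving. This is an added example, not code from the thread or from the Fedora Legacy project. The function names, the 90-day limit, the reduced parameter set (display-only parameters such as columnlist and order are left out) and the item layout (title plus an escaped HTML field table in the description, modelled on the attachment) are assumptions, and the sample feed is constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import quote, urlencode

BASE = "https://bugzilla.redhat.com/bugzilla/buglist.cgi"
STATUSES = ["NEW", "VERIFIED", "ASSIGNED", "REOPENED", "NEEDINFO", "MODIFIED"]
ROW = re.compile(r"<td>\s*([^<]*?)\s*</td>\s*<td>\s*([^<]*?)\s*</td>")

def rss_url(whiteboard):
    """Buglist query for one status_whiteboard keyword, with ctype=rss appended."""
    params = [("query_format", "advanced"), ("product", "Fedora Legacy")]
    params += [("bug_status", s) for s in STATUSES]
    params += [("status_whiteboard_type", "allwordssubstr"),
               ("status_whiteboard", whiteboard), ("ctype", "rss")]
    return BASE + "?" + urlencode(params, quote_via=quote)

def parse_feed(xml_text):
    """One dict per <item>; field rows come from the escaped HTML table."""
    bugs = []
    for el in ET.fromstring(xml_text).iter():
        kids = {c.tag.rsplit("}", 1)[-1]: c.text or "" for c in el}
        m = re.match(r"Bug (\d+) - (.*)", kids.get("title", ""))
        if el.tag.rsplit("}", 1)[-1] == "item" and m:  # tag matched without namespace
            rows = dict(ROW.findall(kids.get("description", "")))
            bugs.append({"id": int(m.group(1)), "summary": m.group(2), **rows})
    return bugs

def stale_security(bugs, today, max_age_days=90):
    """Ids of security-severity bugs not changed for more than max_age_days."""
    stale = []
    for bug in bugs:
        try:
            changed = date.fromisoformat(bug.get("Changed", ""))
        except ValueError:  # recent changes show as e.g. "Thu 02:25": treat as fresh
            continue
        if bug.get("Severity") == "security" and (today - changed).days > max_age_days:
            stale.append(bug["id"])
    return stale

def _item(bug_id, title, sev, status, changed):  # builds the constructed sample
    row = "&lt;tr&gt;&lt;td&gt;%s&lt;/td&gt; &lt;td&gt;%s&lt;/td&gt;&lt;/tr&gt;"
    table = "".join(row % kv for kv in (("Severity ", sev), ("Status", status), ("Changed", changed)))
    return ("<item><title>Bug %d - %s</title><description>&lt;table&gt;%s&lt;/table&gt;"
            "</description></item>" % (bug_id, title, table))
SAMPLE = "<rss>" + "".join(_item(*r) for r in [
    (152816, "kdefax libtiff remote code execution", "security", "ASSIGNED", "2005-04-06"),
    (152803, "lesstiff integer overflows in libXpm", "security", "MODIFIED", "Thu 02:25"),
    (152867, "rpm-4.2-0.69 is buggy", "normal", "NEW", "2005-04-11")]) + "</rss>"
```

Against a live feed, the text fetched from rss_url(...) is untrusted input, so parse it with a hardened XML parser rather than the plain ElementTree call used here for the offline sample.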