From michal at harddata.com Tue Nov 1 02:09:49 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Mon, 31 Oct 2005 19:09:49 -0700
Subject: Old yum? New yum? Re: Typo in yum instructions
In-Reply-To: <10001EE833205FB55CAA7686@[10.0.0.14]>
References: <1130798730.31305.20.camel@prometheus.gamehouse.com> <10001EE833205FB55CAA7686@[10.0.0.14]>
Message-ID: <20051101020949.GA19607@mail.harddata.com>

On Mon, Oct 31, 2005 at 03:41:20PM -0800, Kenneth Porter wrote:
>
> Something for users new to 2.1 to watch out for: The --download-only switch
> went away. If you add that to your nightly cron job (in
> /etc/cron.daily/yum.cron), it will either break the script or install the
> updates (I forget which). I believe another utility is available that does
> the equivalent.

I guess that you are thinking about 'check-update' yum command. If
there are updates then yum will produce a list of available updates
and will exit with a status 100 and otherwise this status is 0.
Once you have a list you can retrieve packages by whatever means you
have on hands.

The catch is that with a list of mirrors you can get a list of
updates from one mirror while you attempt to retrieve packages from
somewhere else and not always they are in sync.

Michal

From shiva at sewingwitch.com Tue Nov 1 02:38:28 2005
From: shiva at sewingwitch.com (Kenneth Porter)
Date: Mon, 31 Oct 2005 18:38:28 -0800
Subject: Old yum? New yum? Re: Typo in yum instructions
In-Reply-To: <20051101020949.GA19607@mail.harddata.com>
References: <1130798730.31305.20.camel@prometheus.gamehouse.com> <10001EE833205FB55CAA7686@[10.0.0.14]> <20051101020949.GA19607@mail.harddata.com>
Message-ID: <3884BFB581D7A2802C3798F9@[10.0.0.14]>

--On Monday, October 31, 2005 7:09 PM -0700 Michal Jaegermann wrote:

> I guess that you are thinking about 'check-update' yum command. If
> there are updates then yum will produce a list of available updates
> and will exit with a status 100 and otherwise this status is 0.
> Once you have a list you can retrieve packages by whatever means you
> have on hands.

The pre-2.1 yum included the option to the update command to download
updates but not install them. This eliminates the need to wait for them to
download once I've blessed them. I'd use that option in the midnight cron
job, then apply the updates in the morning. If all went well, I'd not waste
time waiting for the download, and if there was an issue, users wouldn't
have to wait for me to get in to fix it.

From michal at harddata.com Tue Nov 1 04:47:20 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Mon, 31 Oct 2005 21:47:20 -0700
Subject: Old yum? New yum? Re: Typo in yum instructions
In-Reply-To: <3884BFB581D7A2802C3798F9@[10.0.0.14]>
References: <1130798730.31305.20.camel@prometheus.gamehouse.com> <10001EE833205FB55CAA7686@[10.0.0.14]> <20051101020949.GA19607@mail.harddata.com> <3884BFB581D7A2802C3798F9@[10.0.0.14]>
Message-ID: <20051101044720.GA21865@mail.harddata.com>

On Mon, Oct 31, 2005 at 06:38:28PM -0800, Kenneth Porter wrote:
> --On Monday, October 31, 2005 7:09 PM -0700 Michal Jaegermann
> wrote:
>
> >I guess that you are thinking about 'check-update' yum command. If
> >there are updates then yum will produce a list of available updates
> >and will exit with a status 100 and otherwise this status is 0.
> >Once you have a list you can retrieve packages by whatever means you
> >have on hands.
>
> The pre-2.1 yum included the option to the update command to download
> updates but not install them. This eliminates the need to wait for them to
> download once I've blessed them. I'd use that option in the midnight cron
> job, then apply the updates in the morning.

Yes, that is what I am saying here. It is not a great feat to write
a script which runs from cron and does "if status is not zero then
download packages from this list". Of course when '--download-only'
option was available you did not have to write that script.

Michal

From skvidal at phy.duke.edu Tue Nov 1 04:54:02 2005
From: skvidal at phy.duke.edu (seth vidal)
Date: Mon, 31 Oct 2005 23:54:02 -0500
Subject: Old yum? New yum? Re: Typo in yum instructions
In-Reply-To: <20051101044720.GA21865@mail.harddata.com>
References: <1130798730.31305.20.camel@prometheus.gamehouse.com> <10001EE833205FB55CAA7686@[10.0.0.14]> <20051101020949.GA19607@mail.harddata.com> <3884BFB581D7A2802C3798F9@[10.0.0.14]> <20051101044720.GA21865@mail.harddata.com>
Message-ID: <1130820842.29433.15.camel@cutter>

> Yes, that is what I am saying here. It is not a great feat to write
> a script which runs from cron and does "if status is not zero then
> download packages from this list". Of course when '--download-only'
> option was available you did not have to write that script.
>

If you want to use --download-only there is a plugin for yum that will
enable that.

-sv

From marcdeslauriers at videotron.ca Thu Nov 3 23:54:54 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 03 Nov 2005 18:54:54 -0500
Subject: Fedora Legacy Test Update Notification: gtk2
Message-ID: <436AA34E.30700@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-155510
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155510
2005-11-03
---------------------------------------------------------------------

Name        : gtk2
Versions    : rh73: gtk2-2.0.2-4.2.legacy
Versions    : rh9: gtk2-2.2.1-4.2.legacy
Versions    : fc1: gtk2-2.2.4-10.3.legacy
Summary     : The GIMP ToolKit (GTK+), a library for creating GUIs for X.
Description :
The gtk+ package contains the GIMP ToolKit (GTK+), a library for
creating graphical user interfaces for the X Window System. GTK+ was
originally written for the GIMP (GNU Image Manipulation Program) image
processing program, but is now used by several other programs as well.

---------------------------------------------------------------------
Update Information:

Updated gtk2 packages that fix several security flaws are now available.

The gtk2 package contains the GIMP ToolKit (GTK+), a library for creating
graphical user interfaces for the X Window System.

During testing of a previously fixed flaw in Qt (CVE-2004-0691), a flaw was
discovered in the BMP image processor of gtk2. An attacker could create a
carefully crafted BMP file which would cause an application to enter an
infinite loop and not respond to user input when the file was opened by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-0753 to this issue.

During a security audit Chris Evans discovered a stack and a heap overflow
in the XPM image decoder. An attacker could create a carefully crafted XPM
file which could cause an application linked with gtk2 to crash or possibly
execute arbitrary code when the file was opened by a victim.
(CVE-2004-0782, CVE-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image decoder.
An attacker could create a carefully crafted ICO file which could cause an
application linked with gtk2 to crash when the file was opened by a victim.
(CVE-2004-0788)

A bug was found in the way gtk2 processes BMP images. It is possible that a
specially crafted BMP image could cause a denial of service attack on
applications linked against gtk2. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0891 to this issue.

Users of gtk2 are advised to upgrade to these packages which contain
backported patches and are not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Wed Nov 02 2005 Marc Deslauriers 2.0.2-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola 2.0.2-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Thu Feb 17 2005 Dominic Hargreaves 2.0.2-4.1.legacy.1
- Add gettext, libtool, autoconf build dep

* Sun Sep 19 2004 Marc Deslauriers 2.0.2-4.1.legacy
- Added security patch for CAN-2004-0782, CAN-2004-0783, CAN-2004-0788

rh9:
* Wed Nov 02 2005 Marc Deslauriers 2.2.1-4.2.legacy
- Go back to a sane release number

* Wed May 11 2005 Pekka Savola 2.2.1-4.1.legacy.2
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

* Wed Feb 23 2005 Dominic Hargreaves 2.2.1-4.1.legacy.1
- Fix build requirement for automake

* Sun Sep 19 2004 Marc Deslauriers 2.2.1-4.1.legacy
- add security fixes for CAN-2004-0753, CAN-2004-0782, CAN-2004-0783,
  CAN-2004-0788

fc1:
* Wed Nov 02 2005 Marc Deslauriers 2.2.4-10.3.legacy
- Added automake14 and gettext to BuildPrereq

* Sat Aug 20 2005 Dave Eisenstein 2.2.4-10.2.legacy
- Specfile damaged in 2.2.4-10.1.legacy. Redo specfile. Bug #155510.

* Wed May 11 2005 Pekka Savola 2.2.4-10.1.legacy
- Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #155510

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.

From eddiew at oakleafconsultancy.com Tue Nov 8 12:24:42 2005
From: eddiew at oakleafconsultancy.com (Edward Wynn)
Date: Tue, 8 Nov 2005 12:24:42 -0000
Subject: FC1 yum update Problems
Message-ID: <223E6519BDCAC74695BEE9D163F8E6590B9F30@oakleaf10.oakleafconsultancy.com>

Hi,

I am trying to use yum to update my FC1 system.

I have followed the instructions present on the website, including
upgrading yum, setting up the yum.conf file and importing the GPG key via
rpm -import.

I have also verified that the GPG key has been imported using rpm -qa.

The problem is that when I do a yum update I can download package headers
and resolve dependencies OK, I then confirm that this is OK and the system
tries to download and upgrade the pango package (pango-1.2.5-4.i386.rpm) -
at this point yum stops and says there is a problem: ERROR: Could not find
the GPG key necessary to validate the pkg pango....

What am I missing - what is wrong with GPG keys?

Thanks in advance, Eddie

From jkosin at beta.intcomgrp.com Tue Nov 8 14:03:52 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Tue, 08 Nov 2005 09:03:52 -0500
Subject: FC1 yum update Problems
In-Reply-To: <223E6519BDCAC74695BEE9D163F8E6590B9F30@oakleaf10.oakleafconsultancy.com>
References: <223E6519BDCAC74695BEE9D163F8E6590B9F30@oakleaf10.oakleafconsultancy.com>
Message-ID: <4370B048.4060803@beta.intcomgrp.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Edward Wynn wrote:

>
> Hi,
>
> I am trying to use yum to update my FC1 system.
>
> I have followed the instructions present on the website, including
> upgrading yum, setting up the yum.conf file and importing the GPG
> key via rpm -import.
>
> I have also verified that the GPG key has been imported using rpm -qa.
>
> The problem is that when I do a yum update I can download package
> headers and resolve dependencies OK, I then confirm that this is OK
> and the system tries to download and upgrade the pango package
> (pango-1.2.5-4.i386.rpm) - at this point yum stops and says there is
> a problem: ERROR: Could not find the GPG key necessary to validate
> the pkg pango....
>
> What am I missing - what is wrong with GPG keys?
>
> Thanks in advance, Eddie
>
>----------------------------------------------------------------------
>
>--
>fedora-legacy-list mailing list
>fedora-legacy-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-legacy-list

You must have a fresh install of FC1... Somewhere about a year or so
ago the fedora group had to install new GPG keys for the packages;
because their keys had expired about md-project with FC1.

It should be safe to get yum to ignore the GPG signature for the
moment to update your system... Then import the fedora-legacy keys.
Or maybe someone could resign all the packages with the fedora-legacy
key.

James Kosin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDcLBIkNLDmnu1kSkRAwDcAJoC86/jEQAvdTEUIJa0AH4oyK144QCfZpt/
Q7I7qbt6bMIUKSio9681YDg=
=6ccG
-----END PGP SIGNATURE-----

--
Scanned by ClamAV - http://www.clamav.net

From eddiew at oakleafconsultancy.com Tue Nov 8 14:49:21 2005
From: eddiew at oakleafconsultancy.com (Edward Wynn)
Date: Tue, 8 Nov 2005 14:49:21 -0000
Subject: FC1 yum update Problems
Message-ID: <223E6519BDCAC74695BEE9D163F8E6590B9F31@oakleaf10.oakleafconsultancy.com>

Thanks for the hint - any ideas on how to get yum to ignore the GPG keys?
I had considered doing that myself but can't find how to do it.

Alternatively can't I just import the old keys from somewhere now?

From michal at harddata.com Tue Nov 8 17:04:27 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Tue, 8 Nov 2005 10:04:27 -0700
Subject: FC1 yum update Problems
In-Reply-To: <223E6519BDCAC74695BEE9D163F8E6590B9F31@oakleaf10.oakleafconsultancy.com>
References: <223E6519BDCAC74695BEE9D163F8E6590B9F31@oakleaf10.oakleafconsultancy.com>
Message-ID: <20051108170427.GA4734@mail.harddata.com>

On Tue, Nov 08, 2005 at 02:49:21PM -0000, Edward Wynn wrote:
> Thanks for the hint - any ideas on how to get yum to ignore the GPG
> keys?

$ man yum.conf
.....
       gpgcheck Either '1' or '0'. This tells yum whether or not it should per-
              form a GPG signature check on packages.
....

> I had considered doing that myself but can't find how to do it.

Starting with 'rpm -qd yum' is always a good idea.

Michal

From mic at npgx.com.au Tue Nov 8 21:50:25 2005
From: mic at npgx.com.au (Michael Mansour)
Date: Wed, 9 Nov 2005 07:50:25 +1000
Subject: Fw: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8
In-Reply-To: <200511081811.jA8IB76P001536@devserv.devel.redhat.com>
References: <200511081811.jA8IB76P001536@devserv.devel.redhat.com>
Message-ID: <20051108214842.M85010@npgx.com.au>

Hi,

I'm still running FC1 and FC2 servers and am worried about the issues
below, I don't want to be stung by them like I was with the perl exploits
earlier (and fixed through the FL contrib by users).

Will FL be backporting these fixes asap?

Michael.

---------- Forwarded Message -----------
From: "Joseph Orton"
To: fedora-announce-list at redhat.com
Sent: Tue, 8 Nov 2005 13:11:07 -0500
Subject: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-1061
2005-11-08
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : php
Version     : 4.3.11
Release     : 2.8
Summary     : The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

This update includes several security fixes:

- fixes for prevent malicious requests from overwriting the GLOBALS
  array (CVE-2005-3390)
- a fix to stop the parse_str() function from enabling the
  register_globals setting (CVE-2005-3389)
- fixes for Cross-Site Scripting flaws in the phpinfo() output
  (CVE-2005-3388)
- a fix for a denial of service (process crash) in EXIF image parsing
  (CVE-2005-3353)

---------------------------------------------------------------------
* Fri Nov 4 2005 Joe Orton 4.3.11-2.8

- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388, #172212)
  * GLOBALS handling (CVE-2005-3390, #172207)
  * parse_str() enabling register_globals (CVE-2005-3389, #172209)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-announce-list
------- End of Forwarded Message -------

From deisenst at gtw.net Tue Nov 8 22:05:17 2005
From: deisenst at gtw.net (David Eisenstein)
Date: Tue, 8 Nov 2005 16:05:17 -0600 (CST)
Subject: FC1 yum update Problems
In-Reply-To: <223E6519BDCAC74695BEE9D163F8E6590B9F31@oakleaf10.oakleafconsultancy.com>
Message-ID:

> Edward Wynn wrote:
> >
> > Hi,
> >
> > I am trying to use yum to update my FC1 system.
> >
> > I have followed the instructions present on the website, including
> > upgrading yum, setting up the yum.conf file and importing the GPG
> > key via rpm -import.
> > <>
> > What am I missing - what is wrong with GPG keys?
> > <>

By following those directions, you only imported the Fedora Legacy GPG key.
Many or most packages are signed with the original Fedora Project key,
which is likely what you need here.

On Monday, November 8 2005, James Kosin wrote:
> You must have a fresh install of FC1... Somewhere about a year or so
> ago the fedora group had to install new GPG keys for the packages;
> because their keys had expired about md-project with FC1.

I had never heard anything about Fedora Project keys expiring. Where did
you get this from, James? AFAIK, the Red Hat Fedora Project key has been
the same, for all Fedora Core distros, since the beginning of the Fedora
project with FC1.

> It should be safe to get yum to ignore the GPG signature for the
> moment to update your system... Then import the fedora-legacy keys.
> Or maybe someone could resign all the packages with the fedora-legacy
> key.

Resigning all the packages with FL key wouldn't be practical.

It's a good idea to use GPG signatures, not only from a security
standpoint, but also from a data-corruption standpoint as well, as the
signatures should detect both failures.

On Tue, 8 Nov 2005, Edward Wynn wrote:
> Thanks for the hint - any ideas on how to get yum to ignore the GPG
> keys? I had considered doing that myself but can't find how to do it.
>
> Alternatively can't I just import the old keys from somewhere now?
>

Yes, you can. When I do an
    $ rpm -qi
on pango, I get this line:
    Signature: DSA/SHA1, Tue 28 Oct 2003 06:19:41 PM CST, Key ID b44269d04f2a6fd2

The public key ID for Fedora Core is 'b44269d04f2a6fd2', or the last 8
characters of the key should do, '4f2a6fd2'.

There are a number of ways one can go about getting the Fedora Core public
key.

1) If you have the original CD-ROM's for FC1, on Disc 1 is the file
   'RPM-GPG-KEY-fedora'. If you have that file, do:
      # rpm --import /mnt/cdrom/RPM-GPG-KEY-fedora

2) You can get the PGP key from Red Hat's Fedora website:
      # wget http://fedora.redhat.com/about/security/4F2A6FD2.txt
      # rpm --import 4F2A6FD2.txt

3) Or you can import the required key into your PGP database from a
   public keyserver using this command:
      # gpg --keyserver hkp://pgpkeys.mit.edu --recv-keys 4F2A6FD2
   then export it from the PGP database to an ASCII-armored file:
      # gpg -a --export 4F2A6FD2 >/tmp/fedora-key.asc
   Once that is done, you can import that to RPM:
      # rpm --import /tmp/fedora-key.asc
      # rm /tmp/fedora-key.asc

4) Also see the 'GPG keys' page at the Fedora Project for other ways of
   getting the key and more info about it:

Hope this helped.

-David

From deisenst at gtw.net Tue Nov 8 22:12:35 2005
From: deisenst at gtw.net (David Eisenstein)
Date: Tue, 8 Nov 2005 16:12:35 -0600 (CST)
Subject: Old yum? New yum? Re: Typo in yum instructions
In-Reply-To: <1130820842.29433.15.camel@cutter>
Message-ID:

Thanks to everyone who responded to my questions about yum. With your help
my understanding is much better. :-)

-David

From bedouglas at earthlink.net Tue Nov 8 22:55:20 2005
From: bedouglas at earthlink.net (bruce)
Date: Tue, 8 Nov 2005 14:55:20 -0800
Subject: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8
In-Reply-To: <20051108214842.M85010@npgx.com.au>
Message-ID: <142a01c5e4b7$80dd1dd0$0301a8c0@Mesa.com>

i'm fairly sure you can always download the patches directly from the
php.net site, or from one of the mirrors for your version of FC..

-bruce

From lists at benjamindsmith.com Wed Nov 9 08:53:47 2005
From: lists at benjamindsmith.com (Benjamin Smith)
Date: Wed, 9 Nov 2005 00:53:47 -0800
Subject: Testing?
Message-ID: <200511090053.48032.lists@benjamindsmith.com>

I've been using "testing" on my yum.conf for a FC1 system.

So far, everything has worked fine, AFAIK.

And, it's the "AFAIK" that's the kicker.

See, the system doesn't do much. It plays MP3s 24x7 a la mpg321 (picks songs
at random from my considerable archives) and it backs up systems via rsync.

It's hard for me to say anything other than "that recent glibc library
installed OK" since I've not done anything else with it, other than see it
appear in yum a while back.

Does this information provide any actual value? Is there some testing harness
available somewhere so I can know "yep" or "nope" package foo works or
doesn't?

-Ben
--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978

From drees76 at gmail.com Wed Nov 9 09:28:47 2005
From: drees76 at gmail.com (David Rees)
Date: Wed, 9 Nov 2005 01:28:47 -0800
Subject: Testing?
In-Reply-To: <200511090053.48032.lists@benjamindsmith.com>
References: <200511090053.48032.lists@benjamindsmith.com>
Message-ID: <72dbd3150511090128p6d9d2dal98fa57edafb40c68@mail.gmail.com>

On 11/9/05, Benjamin Smith wrote:
> Does this information provide any actual value? Is there some testing harness
> available somewhere so I can know "yep" or "nope" package foo works or
> doesn't?

Please see the Legacy/QATesting document regarding the best way that
testing can be done to help:

http://www.fedoraproject.org/wiki/Legacy/QATesting

There are no official "test" procedures. If the package installs or
upgrades and the package works normally afterwards, generally that is
"good enough". You then need to comment on the relevant bug with your
test results.

-Dave

From jkosin at beta.intcomgrp.com Wed Nov 9 15:26:48 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 10:26:48 -0500
Subject: PHP Attacks....
Message-ID: <43721538.9060606@beta.intcomgrp.com>

Everyone,

In light of the recent PHP attacks, I've added as a precautionary measure the mod_security module to my RPM for the httpd (Apache) web server to help secure things more. I haven't experienced the problem; yet, KNOCKING on WOOD LOUDLY. But with the recent spike of activity of this worm, I have to take proactive action.

Anyone using my version of the updates can disable the security module by going to /etc/httpd/conf.d/security.conf and commenting out the LoadModule line in the configuration file.

I'll probably be acting by updating PHP also for FC1, if someone doesn't get going on this for FC1 & FC2 builds... which seem to be susceptible to this attack.

http://support.intcomgrp.com/~jkosin

James Kosin
--
Scanned by ClamAV - http://www.clamav.net

From rostetter at mail.utexas.edu Wed Nov 9 15:45:17 2005
From: rostetter at mail.utexas.edu (Eric Rostetter)
Date: Wed, 9 Nov 2005 09:45:17 -0600
Subject: Testing?
In-Reply-To: <200511090053.48032.lists@benjamindsmith.com>
References: <200511090053.48032.lists@benjamindsmith.com>
Message-ID: <1131551117.11558767c44ff@mail.ph.utexas.edu>

Quoting Benjamin Smith:
> I've been using "testing" on my yum.conf for a FC1 system.

Great!

> See, the system doesn't do much. It plays MP3s 24x7 a la mpg321 (picks songs
> at random from my considerable archives) and it backs up systems via rsync.

It's actually doing a lot then.

> It's hard for me to say anything other than "that recent glibc library
> installed OK" since I've not done anything else with it, other than see it
> appear in yum a while back.
The hard part is you have to track what was installed, so you know what to report as working. It doesn't do much good to say "all the testing packages I've installed work okay" if we don't know which packages those include and which it doesn't include. If you track the installed versions, then it is of value to us.

> Does this information provide any actual value? Is there some testing harness
> available somewhere so I can know "yep" or "nope" package foo works or
> doesn't?

Yes, it is of value. Your system obviously is running the kernel. So if you track that you installed a new kernel, and assume you then reboot to that new kernel, and your machine runs fine for several days, then you have in effect QA'd that the kernel is stable in your setup. Also, as you say, if you installed the glibc library, and nothing breaks, then again you have QA'd that package fairly well (since lots of what you are doing depends on glibc). Even if you are not actively using a package, the fact that it installed cleanly and didn't break anything (or the fact that it didn't install cleanly, or did break something) is very good information from a QA point of view.

So, yes, if you track what you install, and report back those packages and versions and your experience with them, then you are doing QA on them. Maybe not the best QA possible, but few do that kind of testing (stress testing, fuzz input testing, exploit testing, etc). For most people the testing is 3 questions: does it install, does it work, does anything break? You can answer those for many packages doing no more than what you do now.

> -Ben
> --
> "The best way to predict the future is to invent it."
> - XEROX PARC slogan, circa 1978

--
Eric Rostetter

From matt.followers at gmail.com Wed Nov 9 19:02:33 2005
From: matt.followers at gmail.com (Matthew Nuzum)
Date: Wed, 9 Nov 2005 13:02:33 -0600
Subject: PHP Attacks....
In-Reply-To: <43721538.9060606@beta.intcomgrp.com>
Message-ID: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com>

> From: fedora-legacy-list-bounces at redhat.com [mailto:fedora-legacy-list-
> bounces at redhat.com] On Behalf Of James Kosin
> Sent: Wednesday, November 09, 2005 9:27 AM
> To: Discussion of the Fedora Legacy Project
> Subject: PHP Attacks....
>
> Everyone,
>
> In light of the recent PHP attacks, I've added as a precautionary
> measure the mod_security module to my RPM for the httpd (Apache) web
> server to help secure things more.
> I haven't experienced the problem; yet, KNOCKING on WOOD LOUDLY. But
> with the recent spike of activity of this worm, I have to take
> proactive action.

Which worm is this that you're guarding against? I haven't heard of a new worm yet.

--
Matthew Nuzum
www.followers.net - Makers of "Elite Content Management System"
View samples of Elite CMS in action by visiting http://www.followers.net/portfolio/

From guallar at easternrad.com Wed Nov 9 19:12:45 2005
From: guallar at easternrad.com (Josep L. Guallar-Esteve)
Date: Wed, 9 Nov 2005 14:12:45 -0500
Subject: PHP Attacks....
In-Reply-To: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com>
Message-ID: <200511091412.48556.guallar@easternrad.com>

On Wednesday 09 November 2005 14:02, Matthew Nuzum wrote:
> Which worm is this that you're guarding against? I haven't heard of a new
> worm yet.

http://www.securityfocus.com/bid/14088/info
http://vil.nai.com/vil/content/v_136821.htm
http://news.zdnet.com/2100-1009_22-5938475.html
http://www.eweek.com/article2/0,1759,1882889,00.asp?kc=EWRSS03129TX1K0000616
http://news.com.com/New+worm+targets+Linux+systems/2100-7349_3-5938475.html?part=rss&tag=5938475&subj=news
http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106

Regards,
Josep
--
Josep L. Guallar-Esteve - IT Department - Eastern Radiologists, Inc.
Systems and PACS Administration http://www.easternrad.com

From ad+lists at uni-x.org Wed Nov 9 19:16:15 2005
From: ad+lists at uni-x.org (Alexander Dalloz)
Date: Wed, 09 Nov 2005 20:16:15 +0100
Subject: PHP Attacks....
In-Reply-To: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com>
Message-ID: <1131563775.29562.470.camel@serendipity.dogma.lan>

On Wed, 09.11.2005 at 20:02, Matthew Nuzum wrote:
> > In light of the recent PHP attacks, I've added as a precautionary
> > measure the mod_security module to my RPM for the httpd (Apache) web
> > server to help secure things more.
> > I haven't experienced the problem; yet, KNOCKING on WOOD LOUDLY. But
> > with the recent spike of activity of this worm, I have to take
> > proactive action.
>
> Which worm is this that you're guarding against? I haven't heard of a new
> worm yet.

http://isc.sans.org/diary.php?storyid=829

It is no new PHP XML vulnerability misused by the attackers, but activity to find attackable hosts increased badly these days.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 20:14:46 up 11 days, 18:15, load average: 0.45, 0.31, 0.23

From jkeating at j2solutions.net Wed Nov 9 19:22:28 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 09 Nov 2005 11:22:28 -0800
Subject: PHP Attacks....
In-Reply-To: <200511091412.48556.guallar@easternrad.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com>
Message-ID: <1131564148.2929.106.camel@prometheus.gamehouse.com>

On Wed, 2005-11-09 at 14:12 -0500, Josep L. Guallar-Esteve wrote:
> http://www.securityfocus.com/bid/14088/info
> http://vil.nai.com/vil/content/v_136821.htm
> http://news.zdnet.com/2100-1009_22-5938475.html
> http://www.eweek.com/article2/0,1759,1882889,00.asp?kc=EWRSS03129TX1K0000616
> http://news.com.com/New+worm+targets+Linux
> +systems/2100-7349_3-5938475.html?part=rss&tag=5938475&subj=news
> http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106

Does look like we need to patch this. RHEL issued an update, we can steal those patches for our releases. Would anybody like to tackle this issue right quickly?

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

From spamtrap433941935136 at anime.net Wed Nov 9 19:33:17 2005
From: spamtrap433941935136 at anime.net (Dan Hollis)
Date: Wed, 9 Nov 2005 11:33:17 -0800 (PST)
Subject: PHP Attacks....
In-Reply-To: <43721538.9060606@beta.intcomgrp.com>
References: <43721538.9060606@beta.intcomgrp.com>
Message-ID:

On Wed, 9 Nov 2005, James Kosin wrote:
> In light of the recent PHP attacks, I've added as a precautionary
> measure the mod_security module to my RPM for the httpd (Apache) web
> server to help secure things more.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139778

seems like a damn good idea now.

-Dan

From jkeating at j2solutions.net Wed Nov 9 19:39:57 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 09 Nov 2005 11:39:57 -0800
Subject: PHP Attacks....
In-Reply-To:
References: <43721538.9060606@beta.intcomgrp.com>
Message-ID: <1131565197.2929.114.camel@prometheus.gamehouse.com>

On Wed, 2005-11-09 at 11:33 -0800, Dan Hollis wrote:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139778
>
> seems like a damn good idea now.

If this package exists in Extras, it could be easily rebuilt for Fedora 1,2.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

From spamtrap433941935136 at anime.net Wed Nov 9 19:41:48 2005
From: spamtrap433941935136 at anime.net (Dan Hollis)
Date: Wed, 9 Nov 2005 11:41:48 -0800 (PST)
Subject: PHP Attacks....
In-Reply-To: <1131565197.2929.114.camel@prometheus.gamehouse.com>
References: <43721538.9060606@beta.intcomgrp.com> <1131565197.2929.114.camel@prometheus.gamehouse.com>
Message-ID:

On Wed, 9 Nov 2005, Jesse Keating wrote:
> On Wed, 2005-11-09 at 11:33 -0800, Dan Hollis wrote:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139778
>> seems like a damn good idea now.
> If this package exists in Extras, it could be easily rebuilt for Fedora
> 1,2.

It doesn't exist in fedora at all right now, extras or not.

I was just pointing out that these recent incidents are a strong argument for putting mod_security in core.

-Dan

From jedgecombe at carolina.rr.com Wed Nov 9 20:12:49 2005
From: jedgecombe at carolina.rr.com (Jason Edgecombe)
Date: Wed, 09 Nov 2005 15:12:49 -0500
Subject: PHP Attacks....
In-Reply-To:
References: <43721538.9060606@beta.intcomgrp.com> <1131565197.2929.114.camel@prometheus.gamehouse.com>
Message-ID: <43725841.4010709@carolina.rr.com>

Dan Hollis wrote:
> On Wed, 9 Nov 2005, Jesse Keating wrote:
>
>> On Wed, 2005-11-09 at 11:33 -0800, Dan Hollis wrote:
>>
>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139778
>>> seems like a damn good idea now.
>>
>> If this package exists in Extras, it could be easily rebuilt for Fedora
>> 1,2.
>
>
> It doesn't exist in fedora at all right now, extras or not.
>
> I was just pointing out that these recent incidents are a strong
> argument for putting mod_security in core.

It doesn't exist?! Then what's this:
http://mirror.linux.duke.edu/pub/fedora/linux/extras/3/i386/mod_security-1.8.7-4.fc3.i386.rpm
http://mirror.linux.duke.edu/pub/fedora/linux/extras/4/i386/mod_security-1.8.7-4.fc4.i386.rpm

Jason

From michal at harddata.com Wed Nov 9 20:27:15 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 9 Nov 2005 13:27:15 -0700
Subject: PHP Attacks....
In-Reply-To: <200511091412.48556.guallar@easternrad.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com>
Message-ID: <20051109202715.GA13926@mail.harddata.com>

On Wed, Nov 09, 2005 at 02:12:45PM -0500, Josep L. Guallar-Esteve wrote:
> On Wednesday 09 November 2005 14:02, Matthew Nuzum wrote:
> > Which worm is this that you're guarding against? I haven't heard of a new
> > worm yet.
>
> http://www.securityfocus.com/bid/14088/info
......

If I understand correctly that is really an XML_RPC vulnerability in pear libraries; so if you do not have such capability, or it is not turned on, then you are not vulnerable. Of course there are some applications which require that. Do I miss something?

Michal

From michal at harddata.com Wed Nov 9 20:36:10 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 9 Nov 2005 13:36:10 -0700
Subject: PHP Attacks....
In-Reply-To: <1131564148.2929.106.camel@prometheus.gamehouse.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com>
Message-ID: <20051109203610.GB13926@mail.harddata.com>

On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
> On Wed, 2005-11-09 at 14:12 -0500, Josep L.
Guallar-Esteve wrote:
> > http://www.securityfocus.com/bid/14088/info
> > http://vil.nai.com/vil/content/v_136821.htm
> > http://news.zdnet.com/2100-1009_22-5938475.html
> > http://www.eweek.com/article2/0,1759,1882889,00.asp?kc=EWRSS03129TX1K0000616
> > http://news.com.com/New+worm+targets+Linuxsystems/2100-7349_3-5938475.html?part=rss&tag=5938475&subj=news
> > http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
>
> Does look like we need to patch this. RHEL issued an update,

Do you mean that one from August? https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between that one and http://www.securityfocus.com/bid/14088/info do not agree although the latest worm descriptions would suggest that RHSA-2005:748-05 is the correct one.

Michal

From jkeating at j2solutions.net Wed Nov 9 20:38:42 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 09 Nov 2005 12:38:42 -0800
Subject: PHP Attacks....
In-Reply-To: <20051109202715.GA13926@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <20051109202715.GA13926@mail.harddata.com>
Message-ID: <1131568722.2929.124.camel@prometheus.gamehouse.com>

On Wed, 2005-11-09 at 13:27 -0700, Michal Jaegermann wrote:
> If I understand correctly that is really an XML_RPC vulnerability in
> pear libraries; so if you do not have such capability, or it is not
> turned on, then you are not vulnerable. Of course there are some
> applications which require that. Do I miss something?

I don't think you're missing anything, however a lot of php-crap-apps use pear, so there is a good possibility that there are Legacy users that need patching.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful?
Let others know: http://svcs.affero.net/rm.php?r=jkeating

From jkeating at j2solutions.net Wed Nov 9 20:49:28 2005
From: jkeating at j2solutions.net (Jesse Keating)
Date: Wed, 09 Nov 2005 12:49:28 -0800
Subject: PHP Attacks....
In-Reply-To: <20051109203610.GB13926@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com>
Message-ID: <1131569368.2929.126.camel@prometheus.gamehouse.com>

On Wed, 2005-11-09 at 13:36 -0700, Michal Jaegermann wrote:
> Do you mean that one from August?
> https://rhn.redhat.com/errata/RHSA-2005-748.html
> CAN ids between that one and
> http://www.securityfocus.com/bid/14088/info
> do not agree although the latest worm descriptions would suggest
> that RHSA-2005:748-05 is the correct one.

Seems that 2005-748 superseded 2005-564. Same bug text, I wonder if it was an enhanced patch or another discovery. Either way we should base our package from 748 and backport all that our current packages don't have.

--
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)
GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub)
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

From spamtrap433941935136 at anime.net Wed Nov 9 21:13:18 2005
From: spamtrap433941935136 at anime.net (Dan Hollis)
Date: Wed, 9 Nov 2005 13:13:18 -0800 (PST)
Subject: PHP Attacks....
In-Reply-To: <43725841.4010709@carolina.rr.com>
References: <43721538.9060606@beta.intcomgrp.com> <1131565197.2929.114.camel@prometheus.gamehouse.com> <43725841.4010709@carolina.rr.com>
Message-ID:

On Wed, 9 Nov 2005, Jason Edgecombe wrote:
> Dan Hollis wrote:
>> It doesn't exist in fedora at all right now, extras or not.
>> I was just pointing out that these recent incidents are a strong argument
>> for putting mod_security in core.
> It doesn't exist?!
> Then what's this:
> http://mirror.linux.duke.edu/pub/fedora/linux/extras/3/i386/mod_security-1.8.7-4.fc3.i386.rpm
> http://mirror.linux.duke.edu/pub/fedora/linux/extras/4/i386/mod_security-1.8.7-4.fc4.i386.rpm

hm, a brand spanking new addition (july 27) to FC extras apparently. it wasn't there last time i checked, shrug.

-Dan

From jkosin at beta.intcomgrp.com Wed Nov 9 21:19:35 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 16:19:35 -0500
Subject: PHP Attacks....
In-Reply-To: <20051109203610.GB13926@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com>
Message-ID: <437267E7.6050108@beta.intcomgrp.com>

Michal Jaegermann wrote:
> On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
>
>> On Wed, 2005-11-09 at 14:12 -0500, Josep L. Guallar-Esteve wrote:
>>
>>
>>> http://www.securityfocus.com/bid/14088/info
>>> http://vil.nai.com/vil/content/v_136821.htm
>>> http://news.zdnet.com/2100-1009_22-5938475.html
>>> http://www.eweek.com/article2/0,1759,1882889,00.asp?kc=EWRSS03129TX1K0000616
>>>
>>> http://news.com.com/New+worm+targets+Linuxsystems/2100-7349_3-5938475.html?part=rss&tag=5938475&subj=news
>>>
>>> http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
>>>
>>
>> Does look like we need to patch this. RHEL issued an update,
>
>
> Do you mean that one from August?
> https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between
> that one and http://www.securityfocus.com/bid/14088/info do not
> agree although the latest worm descriptions would suggest that
> RHSA-2005:748-05 is the correct one.
>
> Michal

The CVE website states that CAN-2005-2498 is not the same as CAN-2005-1921; so, I think to reason; both need to be fixed if we are vulnerable.

James Kosin

From jkosin at beta.intcomgrp.com Wed Nov 9 21:29:40 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 16:29:40 -0500
Subject: PHP Attacks....
In-Reply-To: <1131569368.2929.126.camel@prometheus.gamehouse.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <1131569368.2929.126.camel@prometheus.gamehouse.com>
Message-ID: <43726A44.1030809@beta.intcomgrp.com>

Jesse Keating wrote:
>On Wed, 2005-11-09 at 13:36 -0700, Michal Jaegermann wrote:
>
>>Do you mean that one from August?
>>https://rhn.redhat.com/errata/RHSA-2005-748.html
>>CAN ids between that one and
>>http://www.securityfocus.com/bid/14088/info
>>do not agree although the latest worm descriptions would suggest
>>that RHSA-2005:748-05 is the correct one.
>
>
>Seems that 2005-748 superseded 2005-564. Same bug text, I wonder if
>it was an enhanced patch or another discovery. Either way we should
>base our package from 748 and backport all that our current packages
>don't have.
>

Ok, FC1 already has the patch for CAN-2005-1921.... All we need to do is add the patch for RHSA-2005:748-05
I'll have to compare the patches to be sure.
James Kosin

From mic at npgx.com.au Wed Nov 9 21:33:35 2005
From: mic at npgx.com.au (Michael Mansour)
Date: Thu, 10 Nov 2005 07:33:35 +1000
Subject: PHP Attacks....
In-Reply-To: <1131568722.2929.124.camel@prometheus.gamehouse.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <20051109202715.GA13926@mail.harddata.com> <1131568722.2929.124.camel@prometheus.gamehouse.com>
Message-ID: <20051109213230.M15181@npgx.com.au>

> On Wed, 2005-11-09 at 13:27 -0700, Michal Jaegermann wrote:
> > If I understand correctly that is really an XML_RPC vulnerability in
> > pear libraries; so if you do not have such capability, or it is not
> > turned on, then you are not vulnerable. Of course there are some
> > applications which require that. Do I miss something?
>
> I don't think you're missing anything, however a lot of php-crap-apps
> use pear, so there is a good possibility that there are Legacy users
> that need patching.

Well, I for one am looking to get my FC1 and FC2 servers patched, so if FL can get the patches in soon, I can test on production servers.

Michael.

From michal at harddata.com Wed Nov 9 21:38:39 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 9 Nov 2005 14:38:39 -0700
Subject: PHP Attacks....
In-Reply-To: <437267E7.6050108@beta.intcomgrp.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com>
Message-ID: <20051109213839.GA16241@mail.harddata.com>

On Wed, Nov 09, 2005 at 04:19:35PM -0500, James Kosin wrote:
> > On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
> >
> >> Does look like we need to patch this. RHEL issued an update,
> >
> >
> > Do you mean that one from August?
> > https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between
> > that one and http://www.securityfocus.com/bid/14088/info do not
> > agree although the latest worm descriptions would suggest that
> > RHSA-2005:748-05 is the correct one.
> >
> > Michal
> >
>
> The CVE website states that CAN-2005-2498 is not the same as
> CAN-2005-1921; so, I think to reason; both need to be fixed if we are
> vulnerable.

Indeed. But sources referenced in RHSA-2005:564-15, where CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest presumably have fixes for all these. Source packages are somewhat different for RHEL3 and RHEL4 so you possibly need a right fit for FC1 and FC2.

In my earlier remarks I meant that it does not look that any fix is needed for RH7.3; simply because the code with problems is not there.

Yesterday updates for FC3 include also php-4.3.11-2.8.src.rpm (and php-5.0.4-10.5.src.rpm for FC4).

Michal

From jkosin at beta.intcomgrp.com Wed Nov 9 22:04:27 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 17:04:27 -0500
Subject: PHP Attacks....
In-Reply-To: <20051109213839.GA16241@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com>
Message-ID: <4372726B.5080200@beta.intcomgrp.com>

Michal Jaegermann wrote:
>On Wed, Nov 09, 2005 at 04:19:35PM -0500, James Kosin wrote:
>
>>>On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
>>>
>>>>Does look like we need to patch this. RHEL issued an update,
>>>
>>>
>>>Do you mean that one from August?
>>>https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between
>>>that one and http://www.securityfocus.com/bid/14088/info do not
>>>agree although the latest worm descriptions would suggest that
>>>RHSA-2005:748-05 is the correct one.
>>>
>>>Michal
>>>
>>
>>The CVE website states that CAN-2005-2498 is not the same as
>>CAN-2005-1921; so, I think to reason; both need to be fixed if we are
>>vulnerable.
>
>
>Indeed. But sources referenced in RHSA-2005:564-15, where
>CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly
>marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest
>presumably have fixes for all these. Source packages are somewhat
>different for RHEL3 and RHEL4 so you possibly need a right fit for
>FC1 and FC2.
>
>In my earlier remarks I meant that it does not look that any fix
>is needed for RH7.3; simply because the code with problems is not
>there.
>
>Yesterday updates for FC3 include also php-4.3.11-2.8.src.rpm
>(and php-5.0.4-10.5.src.rpm for FC4).
>
> Michal
>

Yes, but the release for FC3 doesn't have a patch for 2005-2498... They have a newer XML_RPC.tgz file. They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and CVE-2005-3390... do we need to concern ourselves with these?

James Kosin

From jkosin at beta.intcomgrp.com Wed Nov 9 22:09:06 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 17:09:06 -0500
Subject: PHP Attacks....
In-Reply-To: <20051109213839.GA16241@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com>
Message-ID: <43727382.1040004@beta.intcomgrp.com>

Michal Jaegermann wrote:
>On Wed, Nov 09, 2005 at 04:19:35PM -0500, James Kosin wrote:
<< SNIP >>

We could base our build for FC1 from the patches in FC3... If and only if, we are allowed to update some packages inside to newer versions. FC3 seems to have the same base code and patches to a point as FC1.
James Kosin

From michal at harddata.com Wed Nov 9 23:10:25 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 9 Nov 2005 16:10:25 -0700
Subject: PHP Attacks....
In-Reply-To: <4372726B.5080200@beta.intcomgrp.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com> <4372726B.5080200@beta.intcomgrp.com>
Message-ID: <20051109231025.GB18491@mail.harddata.com>

On Wed, Nov 09, 2005 at 05:04:27PM -0500, James Kosin wrote:
> They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
> CVE-2005-3390...
> do we need to concern ourselves with these?

Do you plan to wait until attacks will show up?

Michal

From jkosin at beta.intcomgrp.com Wed Nov 9 23:19:33 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 18:19:33 -0500
Subject: php package for FC1
In-Reply-To: <1131577513.2929.142.camel@prometheus.gamehouse.com>
References: <4372802A.20500@intcomgrp.com> <1131577513.2929.142.camel@prometheus.gamehouse.com>
Message-ID: <43728405.40802@beta.intcomgrp.com>

Jesse Keating wrote:
>On Wed, 2005-11-09 at 18:03 -0500, James Kosin wrote:
>
>>Here is my build source for a possible fix for several security issues
>>with PHP and FC1.
>>Can you review it? Make sure I didn't break anything.
>>
>>http://support.intcomgrp.com/mirror/fedora-core/beta/src/php-4.3.11-1.fc1.3.legacy.src.rpm
>>
>>Thanks,
>>James Kosin
>>
>
>It would be best if you posted it to the list/bugzilla.
>Did you follow
>the guidelines for Legacy packages? I don't have a lot of free time to
>check this out, that is why I was asking the community to.
>

Jesse,

Ok... I'm CC'ing the list on this one also.

I've built a SRPM for several php vulnerabilities.
(CAN-2005-2498) by replacing the XML_RPC tar file with the latest from the FC3 release. I'm going to assume this is legal per the packaging guidelines. Someone let me know if not.
(CVE-2005-3353, 3388, 3389 and 3390) directly from the FC3 patches.

The FC3 version is basically identical in content as the FC1 version. So, I'm not adding anything other than what FC3 has fixed in the latest release.

My box is in the process of compiling the binary files. It will not be finished as of this email. The source file is here for those fedora-legacy packagers to test and QA.

http://support.intcomgrp.com/mirror/fedora-core/beta/src/php-4.3.11-1.fc1.3.legacy.src.rpm

Thanks,
James Kosin

From marcdeslauriers at videotron.ca Wed Nov 9 22:21:27 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 09 Nov 2005 17:21:27 -0500
Subject: PHP Attacks....
In-Reply-To: <4372726B.5080200@beta.intcomgrp.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com> <4372726B.5080200@beta.intcomgrp.com>
Message-ID: <1131574887.10417.22.camel@mdlinux>

On Wed, 2005-11-09 at 17:04 -0500, James Kosin wrote:
> >>The CVE website states that CAN-2005-2498 is not the same as
> >>CAN-2005-1921; so, I think to reason; both need to be fixed if we are
> >>vulnerable.
> >
> >
> >Indeed. But sources referenced in RHSA-2005:564-15, where
> >CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly
> >marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest
> >presumably have fixes for all these. Source packages are somewhat
> >different for RHEL3 and RHEL4 so you possibly need a right fit for
> >FC1 and FC2.
> >
> >In my earlier remarks I meant that it does not look that any fix
> >is needed for RH7.3; simply because the code with problems is not
> >there.
> >
> >Yesterday updates for FC3 include also php-4.3.11-2.8.src.rpm
> >(and php-5.0.4-10.5.src.rpm for FC4).
> >
> > Michal
> >
>
> Yes, but the release for FC3 doesn't have a patch for 2005-2498...
> They have a newer XML_RPC.tgz file.
> They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
> CVE-2005-3390...
> do we need to concern ourselves with these?

Right now, the worm that is going around is targeting CAN-2005-1921. FL released updates for that in July.

Tonight, I'll build some packages that address all the other issues, just in case. They will be located here for QA: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

Marc.
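
Added example, not part of the thread and not Fedora Legacy tooling: a shell check for the question the messages above keep returning to, namely which of the advisory IDs named in the thread a php package changelog mentions. It treats the CAN- and CVE- prefixes as the same identifier; the changelog text and the function names are constructed for illustration, and on a real system the input would come from `rpm -q --changelog php`.

```shell
#!/bin/sh
# IDs discussed in the thread, written without the CAN-/CVE- prefix so that
# "CAN-2005-1921" and "CVE-2005-1921" compare equal.
THREAD_IDS="2005-1921 2005-2498 2005-3353 2005-3388 2005-3389 2005-3390"

# Constructed sample changelog (not taken from any real package).
sample_changelog() {
cat <<'EOF'
* Wed Nov 09 2005 Example Packager <packager@example.invalid> 4.3.11-1.fc1.3.legacy
- update bundled XML_RPC (CAN-2005-2498)
- add security fixes from the FC3 update (CVE-2005-3353, CVE-2005-3388)
* Mon Jul 04 2005 Example Packager <packager@example.invalid> 4.3.11-1.fc1.1.legacy
- fix XML_RPC code injection (CAN-2005-1921)
EOF
}

# normalize_ids: read changelog text on stdin and print each distinct
# advisory number once, with its CAN-/CVE- prefix removed.
normalize_ids() {
    grep -oE '(CAN|CVE)-[0-9]{4}-[0-9]{4,}' | sed -E 's/^(CAN|CVE)-//' | sort -u
}

# missing_ids: read changelog text on stdin and print, space separated and
# with a CVE- prefix, the thread's IDs that the changelog does not mention.
missing_ids() {
    found=$(normalize_ids)
    out=""
    for id in $THREAD_IDS; do
        if ! printf '%s\n' "$found" | grep -qxF "$id"; then
            out="${out:+$out }CVE-$id"
        fi
    done
    printf '%s\n' "$out"
}

# Typical use on an RPM-based host:
#   rpm -q --changelog php | missing_ids
```

An empty result only means every ID is named in the changelog; it does not prove the patch is correct, which is what the QA step in the bug report is for.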

From mic at npgx.com.au Wed Nov 9 23:21:10 2005
From: mic at npgx.com.au (Michael Mansour)
Date: Thu, 10 Nov 2005 09:21:10 +1000
Subject: PHP Attacks....
In-Reply-To: <20051109231025.GB18491@mail.harddata.com>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com> <4372726B.5080200@beta.intcomgrp.com> <20051109231025.GB18491@mail.harddata.com>
Message-ID: <20051109231809.M18869@npgx.com.au>

> On Wed, Nov 09, 2005 at 05:04:27PM -0500, James Kosin wrote:
> > They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
> > CVE-2005-3390...
> > do we need to concern ourselves with these?
>
> Do you plan to wait until attacks will show up?
>
> Michal

Every day in my logs now I see a lot of failed attempts trying to access various php programs I don't have installed, using extended program paths etc. Things like phpBB, Gallery, etc.

The problem is not that we have to wait for something to happen, the problem is that probes are currently happening, as Sysadmins, it's our job to make sure our systems are protected from any exploits, especially when we're aware of them.

Michael.

From starquake at tiscali.nl Wed Nov 9 10:06:56 2005
From: starquake at tiscali.nl (StarQuake)
Date: Wed, 09 Nov 2005 11:06:56 +0100
Subject: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8
In-Reply-To: <142a01c5e4b7$80dd1dd0$0301a8c0@Mesa.com>
References: <20051108214842.M85010@npgx.com.au> <142a01c5e4b7$80dd1dd0$0301a8c0@Mesa.com>
Message-ID:

I think his problem is that Fedora Legacy has not provided an updated package for FC1 and FC2.
And I run a FC2 server too, so it's also my problem :P So fedora legacy _is_ the place for that version of FC.

StarQuake

bruce wrote:
> i'm fairly sure you can always download the patches directly from the
> php.net site, or from one of the mirrors for your version of FC..
>
> -bruce
>
>
> -----Original Message-----
> From: fedora-legacy-list-bounces at redhat.com
> [mailto:fedora-legacy-list-bounces at redhat.com]On Behalf Of Michael
> Mansour
> Sent: Tuesday, November 08, 2005 1:50 PM
> To: fedora-legacy-list at redhat.com
> Subject: Fw: [SECURITY] Fedora Core 3 Update: php-4.3.11-2.8
>
>
> Hi,
>
> I'm still running FC1 and FC2 servers and am worried about the issues below,
> I
> don't want to be stung by them like I was with the perl exploits earlier
> (and
> fixed through the FL contrib by users).
>
> Will FL be backporting these fixes asap?
>
> Michael.
>
> --- snip ---

--
for some how-to's and rpms visit my site : http://solid.bounceme.net
for commercially supported solutions visit : http://www.robas.com

From marcdeslauriers at videotron.ca Wed Nov 9 23:27:50 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 09 Nov 2005 18:27:50 -0500
Subject: [FLSA-2005:166941] Updated httpd and mod_ssl packages fix two security issues
Message-ID: <437285F6.1030001@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated httpd and mod_ssl packages fix two security issues
Advisory ID: FLSA:166941
Issue date: 2005-11-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2700 CVE-2005-2728
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated mod_ssl and Apache httpd packages that correct two security issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.
The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient" directive. This flaw occurs if a virtual host is configured using "SSLVerifyClient optional" and a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2700 to this issue.

A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CVE-2005-2728)

Users of mod_ssl and Apache httpd should update to these errata packages that contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates.
To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm

Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728

9. Contact:

The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

From jkosin at beta.intcomgrp.com Wed Nov 9 23:57:20 2005
From: jkosin at beta.intcomgrp.com (James Kosin)
Date: Wed, 09 Nov 2005 18:57:20 -0500
Subject: php package for FC1
In-Reply-To: <43728405.40802@beta.intcomgrp.com>
References: <4372802A.20500@intcomgrp.com> <1131577513.2929.142.camel@prometheus.gamehouse.com> <43728405.40802@beta.intcomgrp.com>
Message-ID: <43728CE0.6010100@beta.intcomgrp.com>

James Kosin wrote:
<< SNIP >>

Ok, the packages compile just fine.

There were a few insignificant patches that were left out of the build from the FC3 version.
(1) Removing the easter egg.
(2) A silly one to encapsulate the floor() function for configuring. It doesn't change the functionality of the configure file.
(3) A select patch to avoid a call to
>
> Passing fds > FD_SETSIZE to FD_SET gives undefined behaviour; avoid
> it.
>
> Proper fix is to use poll() where available rather than select().

These are not addressed in the packages I put the source for.

Everyone let me know if you want any or all of these added. But, they are not security issues...
so they probably do not qualify to be fixed.

I'm going home now; but, I'll check in the morning for any requests. I still have the RPM unpacked on my machine.

James Kosin

From marcdeslauriers at videotron.ca Thu Nov 10 04:01:25 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Wed, 09 Nov 2005 23:01:25 -0500
Subject: PHP Attacks....
In-Reply-To: <1131574887.10417.22.camel@mdlinux>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com> <4372726B.5080200@beta.intcomgrp.com> <1131574887.10417.22.camel@mdlinux>
Message-ID: <1131595285.14317.0.camel@mdlinux>

On Wed, 2005-11-09 at 17:21 -0500, Marc Deslauriers wrote:
> Right now, the worm that is going around is targeting CAN-2005-1921. FL
> released updates for that in July.
>
> Tonight, I'll build some packages that address all the other issues,
> just in case. They will be located here for QA:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943
>

I just posted php packages for fc1 and fc2 to QA at the bugzilla link above.

Marc.

From rdieter at math.unl.edu Thu Nov 10 13:12:45 2005
From: rdieter at math.unl.edu (Rex Dieter)
Date: Thu, 10 Nov 2005 07:12:45 -0600
Subject: [FLSA-2005:166941] Updated httpd: rh9 apt metadata stale?
In-Reply-To: <437285F6.1030001__2563.84059689498$1131579031$gmane$org@videotron.ca>
References: <437285F6.1030001__2563.84059689498$1131579031$gmane$org@videotron.ca>
Message-ID: <4373474D.1010108@math.unl.edu>

Marc Deslauriers wrote:

> Red Hat Linux 9:
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm

I see the packages there, but apt doesn't see it (yet)?

$apt-get -q update
$apt-cache showpkg httpd
Package: httpd
Versions:
2.0.40-21.18.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)
2.0.40-21.17.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)
2.0.40-21.16.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)

-- Rex

From eddiew at oakleafconsultancy.com Thu Nov 10 15:02:15 2005
From: eddiew at oakleafconsultancy.com (Edward Wynn)
Date: Thu, 10 Nov 2005 15:02:15 -0000
Subject: FC1 yum update Problems
Message-ID: <223E6519BDCAC74695BEE9D163F8E6590B9F4D@oakleaf10.oakleafconsultancy.com>

Big thank you for all your help with the above problem - I solved this by importing the original key from the FC1 CD as per David Eisenstein's suggestion - works a treat.

-----Original Message-----
From: David Eisenstein [mailto:deisenst at gtw.net]
Sent: 08 November 2005 22:05
To: Discussion of the Fedora Legacy Project
Subject: RE: FC1 yum update Problems

> Edward Wynn wrote:
> >
> > Hi,
> >
> > I am trying to use yum to update my FC1 system.
> >
> > I have followed the instructions present on the website, including
> > upgrading yum, setting up the yum.conf file and importing the GPG
> > key via rpm --import.
> > <>
> > What am I missing ? what is wrong with GPG keys?
> > <>

By following those directions, you only imported the Fedora Legacy GPG key. Many or most packages are signed with the original Fedora Project key, which is likely what you need here.

On Monday, November 8 2005, James Kosin wrote:
> You must have a fresh install of FC1... Somewhere about a year or so
> ago the fedora group had to install new GPG keys for the packages;
> because their keys had expired about md-project with FC1.

I had never heard anything about Fedora Project keys expiring. Where did you get this from, James? AFAIK, the Red Hat Fedora Project key has been the same, for all Fedora Core distros, since the beginning of the Fedora project with FC1.

> It should be safe to get yum to ignore the GPG signature for the
> moment to update your system... Then import the fedora-legacy keys.
> Or maybe someone could resign all the packages with the fedora-legacy
> key.

Resigning all the packages with FL key wouldn't be practical. It's a good idea to use GPG signatures, not only from a security standpoint, but also from a data-corruption standpoint as well, as the signatures should detect both failures.

On Tue, 8 Nov 2005, Edward Wynn wrote:
> Thanks for the hint - any ideas on how to get yum to ignore the GPG
> keys? I had considered doing that myself but can't find how to do it.
>
> Alternatively can't I just import the old keys from somewhere now?
>

Yes, you can. When I do an $ rpm -qi on pango, I get this line:

Signature: DSA/SHA1, Tue 28 Oct 2003 06:19:41 PM CST, Key ID b44269d04f2a6fd2

The public key ID for Fedora Core is 'b44269d04f2a6fd2', or the last 8 characters of the key should do, '4f2a6fd2'.

There are a number of ways one can go about getting the Fedora Core public key.

1) If you have the original CD-ROM's for FC1, on Disc 1 is the file 'RPM-GPG-KEY-fedora'.
If you have that file, do:

# rpm --import /mnt/cdrom/RPM-GPG-KEY-fedora

2) You can get the PGP key from Red Hat's Fedora website:

# wget http://fedora.redhat.com/about/security/4F2A6FD2.txt
# rpm --import 4F2A6FD2.txt

3) Or you can import the required key into your PGP database from a public keyserver using this command:

# gpg --keyserver hkp://pgpkeys.mit.edu --recv-keys 4F2A6FD2

then export it from the PGP database to an ASCII-armored file:

# gpg -a --export 4F2A6FD2 >/tmp/fedora-key.asc

Once that is done, you can import that to RPM:

# rpm --import /tmp/fedora-key.asc
# rm /tmp/fedora-key.asc

4) Also see the 'GPG keys' page at the Fedora Project for other ways of getting the key and more info about it:

Hope this helped.

-David

From rdieter at math.unl.edu Thu Nov 10 15:13:18 2005
From: rdieter at math.unl.edu (Rex Dieter)
Date: Thu, 10 Nov 2005 09:13:18 -0600
Subject: [FLSA-2005:166941] Updated httpd: rh9 apt metadata stale?
In-Reply-To: <437285F6.1030001__2563.84059689498$1131579031$gmane$org@videotron.ca>
References: <437285F6.1030001__2563.84059689498$1131579031$gmane$org@videotron.ca>
Message-ID:

Marc Deslauriers wrote:

> Red Hat Linux 9:
> i386:
> http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm

I see the packages there, but apt doesn't see it (yet)?

$apt-get -q update
$apt-cache showpkg httpd
Package: httpd
Versions:
2.0.40-21.18.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)
2.0.40-21.17.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)
2.0.40-21.16.legacy(/var/state/apt/lists/download.fedoralegacy.org_apt_redhat_9_i386_base_pkglist.updates)

-- Rex

From marcdeslauriers at videotron.ca Fri Nov 11 03:20:32 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 10 Nov 2005 22:20:32 -0500
Subject: PHP Attacks....
In-Reply-To: <1131595285.14317.0.camel@mdlinux>
References: <437247cb.2b976e6c.6842.fffffe54@mx.gmail.com> <200511091412.48556.guallar@easternrad.com> <1131564148.2929.106.camel@prometheus.gamehouse.com> <20051109203610.GB13926@mail.harddata.com> <437267E7.6050108@beta.intcomgrp.com> <20051109213839.GA16241@mail.harddata.com> <4372726B.5080200@beta.intcomgrp.com> <1131574887.10417.22.camel@mdlinux> <1131595285.14317.0.camel@mdlinux>
Message-ID: <1131679233.31639.0.camel@mdlinux>

On Wed, 2005-11-09 at 23:01 -0500, Marc Deslauriers wrote:
> On Wed, 2005-11-09 at 17:21 -0500, Marc Deslauriers wrote:
> > Right now, the worm that is going around is targeting CAN-2005-1921. FL
> > released updates for that in July.
> >
> > Tonight, I'll build some packages that address all the other issues,
> > just in case. They will be located here for QA:
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943
> >
>
> I just posted php packages for fc1 and fc2 to QA at the bugzilla link
> above.

There are now php packages for rh7.3 and rh9 to QA at the same bugzilla link.

Marc.

From marcdeslauriers at videotron.ca Mon Nov 14 04:16:48 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 13 Nov 2005 23:16:48 -0500
Subject: Fedora Legacy Test Update Notification: php
Message-ID: <43780FB0.2030109@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-166943
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943
2005-11-13
---------------------------------------------------------------------

Name : php
Versions : rh73: php-4.1.2-7.3.18.legacy
Versions : rh9: php-4.2.2-17.16.legacy
Versions : fc1: php-4.3.11-1.fc1.3.legacy
Versions : fc2: php-4.3.11-1.fc2.4.legacy
Summary : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache Web server to understand and process the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Updated PHP packages that fix multiple security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.

A flaw was found in the way PHP registers global variables during a file upload request. A remote attacker could submit a carefully crafted multipart/form-data POST request that would overwrite the $GLOBALS array, altering expected script behavior, and possibly leading to the execution of arbitrary PHP commands. Please note that this vulnerability only affects installations which have register_globals enabled in the PHP configuration file, which is not a default or recommended option. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script passes only one argument to the parse_str() function, and the script can be forced to abort execution during operation (for example due to the memory_limit setting), the register_globals may be enabled even if it is disabled in the PHP configuration file. This vulnerability only affects installations that have PHP scripts using the parse_str function in this way. (CVE-2005-3389)

A Cross-Site Scripting flaw was found in the phpinfo() function. If a victim can be tricked into following a malicious URL to a site with a page displaying the phpinfo() output, it may be possible to inject javascript or HTML content into the displayed page or steal data such as cookies. This vulnerability only affects installations which allow users to view the output of the phpinfo() function. As the phpinfo() function outputs a large amount of information about the current state of PHP, it should only be used during debugging or if protected by authentication. (CVE-2005-3388)

A denial of service flaw was found in the way PHP processes EXIF image data. It is possible for an attacker to cause PHP to crash by supplying carefully crafted EXIF image data.
(CVE-2005-3353)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Nov 10 2005 Marc Deslauriers 4.1.2-7.3.18.legacy
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)

rh9:
* Sat Nov 12 2005 Marc Deslauriers 4.2.2-17.16.legacy
- fixed broken CVE-2005-3389 patch
* Thu Nov 10 2005 Marc Deslauriers 4.2.2-17.15.legacy
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

fc1:
* Wed Nov 09 2005 Marc Deslauriers 4.3.11-1.fc1.3.legacy
- pear: update to XML_RPC 1.4.0 to fix CVE-2005-2498
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

fc2:
* Wed Nov 09 2005 Marc Deslauriers 4.3.11-1.fc2.4.legacy
- pear: update to XML_RPC 1.4.0 to fix CVE-2005-2498
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.

From bperkins at netspace.org Fri Nov 11 22:13:35 2005
From: bperkins at netspace.org (Brian Perkins)
Date: Fri, 11 Nov 2005 17:13:35 -0500
Subject: Apt pkglist not updated?
Message-ID: <4375178F.2020107@netspace.org>

http://download.fedoralegacy.org/apt/redhat/9/i386/base/pkglist.updates.bz2 was last modified Sept. 15th, but there are some new packages since then. I suspect that this is why apt isn't getting the new updates for me. Perhaps I'm using an old/broken version of apt?

--
Brian Perkins
bperkins at netspace.org

From marcdeslauriers at videotron.ca Mon Nov 14 04:17:43 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Sun, 13 Nov 2005 23:17:43 -0500
Subject: [FLSA-2005:152848] Updated glibc packages fix security issues
Message-ID: <43780FE7.5060302@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated glibc packages fix security issues
Advisory ID: FLSA:152848
Issue date: 2005-11-13
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0968 CVE-2004-1382 CVE-2004-1453
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated glibc packages that address several bugs are now available.

The GNU libc packages (known as glibc) contain the standard C libraries used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Flaws in the catchsegv and glibcbug scripts were discovered. A local user could utilize these flaws to overwrite files via a symlink attack on temporary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0968 and CVE-2004-1382 to these issues.

It was discovered that the use of LD_DEBUG and LD_SHOW_AUXV were not restricted for a setuid program. A local user could utilize this flaw to gain information, such as the list of symbols used by the program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1453 to this issue.

Users of glibc are advised to upgrade to these erratum packages that remove the unnecessary glibcbug script and contain backported patches to correct these other issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152848 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.6.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.6.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.6.i686.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.6.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.6.i386.rpm 
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.6.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/glibc-2.3.2-27.9.7.2.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.2.legacy.i686.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-common-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-debug-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-devel-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-profile-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-utils-2.3.2-27.9.7.2.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/nptl-devel-2.3.2-27.9.7.2.legacy.i686.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/nscd-2.3.2-27.9.7.2.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/glibc-2.3.2-101.4.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-2.3.2-101.4.2.legacy.i686.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-common-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-debug-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-devel-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-headers-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-profile-2.3.2-101.4.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/glibc-utils-2.3.2-101.4.2.legacy.i386.rpm 
http://download.fedoralegacy.org/fedora/1/updates/i386/nptl-devel-2.3.2-101.4.2.legacy.i686.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/nscd-2.3.2-101.4.2.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/glibc-2.3.3-27.1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-2.3.3-27.1.1.legacy.i686.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-common-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-devel-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-headers-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-profile-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/glibc-utils-2.3.3-27.1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/nptl-devel-2.3.3-27.1.1.legacy.i686.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/nscd-2.3.3-27.1.1.legacy.i386.rpm 7. 
Verification: These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0968 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1453 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- From pekkas at netcore.fi Mon Nov 14 08:29:41 2005 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 14 Nov 2005 10:29:41 +0200 (EET) Subject: Buglist: a new 'DEFER' keyword? Message-ID: Hi, Remember, the buglist is at: http://www.netcore.fi/pekkas/buglist.html Also, I propose adding a new keyword 'DEFER', which could be used for packages for the report is basically a minor security issue, bugfix or the like.
Something which might (or might not) be addressed the next time we have other reasons to create that particular package, but it doesn't make sense to roll an update just to fix that and can't be closed outright as WONTFIX. The reason for this is that such bugs can be sorted in a different category in the buglist, and it might be easier to spot more important work items. This category could include bugs such as: 121734 2005-10-31 sec nor ASSI nss_ldap openssl kills pam_ldap with SIGSEGV in err_cmp when authenticating against ldaps:// 134550 2005-10-31 nor nor NEW kernel Networking does not work on Dell Inspiron 1150 152792 2005-10-31 nor nor ASSI kernel LEGACY Kernel panic when reading /proc/net/ip_conntrack 152830 2005-10-31 sec low NEW Package LEGACY Links Malformed Table Denial of Service 152833 2005-10-31 sec low NEW w3m LEGACY w3m browser also crashes on some malformed HTML 153183 2005-10-31 sec nor NEW lrzsz ZRPOS file position not validated; segfaults possible 153660 2005-10-31 nor nor ASSI kernel Network not reachable when using kernel-2.4.22-1.2199.nptl 153719 2005-10-31 hig nor NEED mysql Mysql restarts with file size problem 153731 2005-10-31 hig nor ASSI kernel Kernel ext3 module crashes on a squid proxy 155246 2005-10-31 nor nor NEW nautilus Error When Viewing Documentation with Nautilus .... Thoughts? -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings From nils at lemonbit.nl Mon Nov 14 16:04:21 2005 From: nils at lemonbit.nl (Nils Breunese (Lemonbit Internet)) Date: Mon, 14 Nov 2005 17:04:21 +0100 Subject: Apt pkglist not updated? In-Reply-To: <4375178F.2020107@netspace.org> References: <4375178F.2020107@netspace.org> Message-ID: <5F7A8D32-7005-4EC2-A179-9B5A3D4CED2E@lemonbit.nl> Brian Perkins wrote: > http://download.fedoralegacy.org/apt/redhat/9/i386/base/ > pkglist.updates.bz2 > > > was last modified Sept. 
15th, but there are some new packages since > then. I suspect that this is why apt isn't getting the new updates > for me. > > Perhaps I'm using an old/broken version of apt? I believe some time ago a lot of repositories discontinued apt support (by not generating apt metadata anymore), also because apt for rpm is no longer being maintained. Nils Breunese. From michal at harddata.com Mon Nov 14 17:33:34 2005 From: michal at harddata.com (Michal Jaegermann) Date: Mon, 14 Nov 2005 10:33:34 -0700 Subject: Apt pkglist not updated? In-Reply-To: <5F7A8D32-7005-4EC2-A179-9B5A3D4CED2E@lemonbit.nl> References: <4375178F.2020107@netspace.org> <5F7A8D32-7005-4EC2-A179-9B5A3D4CED2E@lemonbit.nl> Message-ID: <20051114173334.GB9180@mail.harddata.com> On Mon, Nov 14, 2005 at 05:04:21PM +0100, Nils Breunese (Lemonbit Internet) wrote: > I believe some time ago a lot of repositories discontinued apt > support (by not generating apt metadata anymore), One of reasons may be that apt is hopelessly broken in a multilib situation and for a long time nobody appeared to propose fixes. At least I am not aware of any.
This is not likely important for now for most "legacy" installations but with a spread of x86_64 and similar it is surely already essential for servers. Michal From jkeating at j2solutions.net Mon Nov 14 18:16:50 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Mon, 14 Nov 2005 10:16:50 -0800 Subject: Apt pkglist not updated? In-Reply-To: <4375178F.2020107@netspace.org> References: <4375178F.2020107@netspace.org> Message-ID: <1131992210.6192.40.camel@prometheus.gamehouse.com> On Fri, 2005-11-11 at 17:13 -0500, Brian Perkins wrote: > was last modified Sept. 15th, but there are some new packages since > then. I suspect that this is why apt isn't getting the new updates > for > me. > > Perhaps I'm using an old/broken version of apt? Hrm, we're still running the tools to create the apt meta-data. Most curious. I'll look into this today. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Mon Nov 14 19:45:25 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Mon, 14 Nov 2005 11:45:25 -0800 Subject: Blog entries worth reading. Message-ID: <1131997525.6192.56.camel@prometheus.gamehouse.com> Hi folks. In the interest of not typing everything over and over again, the following blog entries are worth reading. http://www.livejournal.com/users/jkeating/8316.html http://www.livejournal.com/users/jkeating/8564.html -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From rdieter at math.unl.edu Mon Nov 14 20:06:59 2005 From: rdieter at math.unl.edu (Rex Dieter) Date: Mon, 14 Nov 2005 14:06:59 -0600 Subject: Blog entries worth reading.
In-Reply-To: <1131997525.6192.56.camel@prometheus.gamehouse.com> References: <1131997525.6192.56.camel@prometheus.gamehouse.com> Message-ID: Jesse Keating wrote: > Hi folks. In the interest of not typing everything over and over again, > the following blog entries are worth reading. > > http://www.livejournal.com/users/jkeating/8316.html > > http://www.livejournal.com/users/jkeating/8564.html Congratulations! I'm certain fedora/redhat will benefit greatly with you onboard. -- Rex From rdieter at math.unl.edu Mon Nov 14 20:05:03 2005 From: rdieter at math.unl.edu (Rex Dieter) Date: Mon, 14 Nov 2005 14:05:03 -0600 Subject: Apt pkglist not updated? In-Reply-To: <5F7A8D32-7005-4EC2-A179-9B5A3D4CED2E@lemonbit.nl> References: <4375178F.2020107@netspace.org> <5F7A8D32-7005-4EC2-A179-9B5A3D4CED2E@lemonbit.nl> Message-ID: Nils Breunese (Lemonbit Internet) wrote: > Brian Perkins wrote: > >> http://download.fedoralegacy.org/apt/redhat/9/i386/base/ >> pkglist.updates.bz2 >> >> >> was last modified Sept. 15th, but there are some new packages since >> then. I suspect that this is why apt isn't getting the new updates >> for me. >> >> Perhaps I'm using an old/broken version of apt? I posted about it not working last week to deafening silence. Glad I'm not the only one. > I believe some time ago a lot of repositories discontinued apt support > (by not generating apt metadata anymore), also because apt for rpm is > no longer being maintained. True, but irrelevant to this discussion. Either provide working apt metadata, or remove it completely. -- Rex From jkeating at j2solutions.net Mon Nov 14 20:43:34 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Mon, 14 Nov 2005 12:43:34 -0800 Subject: Apt pkglist not updated?
In-Reply-To: <1131992210.6192.40.camel@prometheus.gamehouse.com> References: <4375178F.2020107@netspace.org> <1131992210.6192.40.camel@prometheus.gamehouse.com> Message-ID: <1132001014.6192.62.camel@prometheus.gamehouse.com> On Mon, 2005-11-14 at 10:16 -0800, Jesse Keating wrote: > > Hrm, we're still running the tools to create the apt meta-data. Most > curious. I'll look into this today. Ok, a small change I made to the script the builders use to publish packages is excluding the apt/ tree. I am modifying the script today to take care of this. I'll post again when this is fixed. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From jkeating at j2solutions.net Mon Nov 14 20:47:34 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Mon, 14 Nov 2005 12:47:34 -0800 Subject: Apt pkglist not updated? In-Reply-To: <1132001014.6192.62.camel@prometheus.gamehouse.com> References: <4375178F.2020107@netspace.org> <1131992210.6192.40.camel@prometheus.gamehouse.com> <1132001014.6192.62.camel@prometheus.gamehouse.com> Message-ID: <1132001255.6192.64.camel@prometheus.gamehouse.com> On Mon, 2005-11-14 at 12:43 -0800, Jesse Keating wrote: > > Ok, a small change I made to the script the builders use to publish > packages is excluding the apt/ tree. I am modifying the script today to > take care of this. I'll post again when this is fixed. > And this should be fixed. -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? 
Let others know: http://svcs.affero.net/rm.php?r=jkeating From R00020C at freescale.com Mon Nov 14 20:53:15 2005 From: R00020C at freescale.com (Steve Snyder) Date: Mon, 14 Nov 2005 15:53:15 -0500 Subject: RHL9 glibc update OK with vanilla kernel? Message-ID: <200511141553.15983.R00020C@freescale.com> On my otherwise purely-RHL9 system I run the latest v2.4.x kernel. I need a fairly recent kernel to support my Gigabit Ethernet adapter, support not present in the RHL9 kernels. Are there any known compatibility problems with the current i686 glibc packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any loss of functionality or other Bad Stuff(tm)? Thanks. From jkeating at j2solutions.net Mon Nov 14 21:00:02 2005 From: jkeating at j2solutions.net (Jesse Keating) Date: Mon, 14 Nov 2005 13:00:02 -0800 Subject: RHL9 glibc update OK with vanilla kernel? In-Reply-To: <200511141553.15983.R00020C@freescale.com> References: <200511141553.15983.R00020C@freescale.com> Message-ID: <1132002002.6192.74.camel@prometheus.gamehouse.com> On Mon, 2005-11-14 at 15:53 -0500, Steve Snyder wrote: > > Are there any known compatibility problems with the current i686 glibc > packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any > loss of functionality or other Bad Stuff(tm)? > Unfortunately this isn't really part of our QA tests, so I don't think there is a yes or a no that could come from the Legacy Project itself. However a user may have already tried it... -- Jesse Keating RHCE (http://geek.j2solutions.net) Fedora Legacy Team (http://www.fedoralegacy.org) GPG Public Key (http://geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating From R00020C at freescale.com Mon Nov 14 21:07:19 2005 From: R00020C at freescale.com (Steve Snyder) Date: Mon, 14 Nov 2005 16:07:19 -0500 Subject: RHL9 glibc update OK with vanilla kernel? 
In-Reply-To: <1132002002.6192.74.camel@prometheus.gamehouse.com> References: <200511141553.15983.R00020C@freescale.com> <1132002002.6192.74.camel@prometheus.gamehouse.com> Message-ID: <200511141607.20038.R00020C@freescale.com> On Monday 14 November 2005 16:00, Jesse Keating wrote: > On Mon, 2005-11-14 at 15:53 -0500, Steve Snyder wrote: > > > > Are there any known compatibility problems with the current i686 glibc > > packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any > > loss of functionality or other Bad Stuff(tm)? > > > > Unfortunately this isn't really part of our QA tests, so I don't think > there is a yes or a no that could come from the Legacy Project itself. > However a user may have already tried it... Yeah, I figured the testing was done in a purely RedHat/Legacy environment. I'm hoping another subscriber to the list is in a position similar to mine. From jkosin at beta.intcomgrp.com Mon Nov 14 21:26:08 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Mon, 14 Nov 2005 16:26:08 -0500 Subject: RHL9 glibc update OK with vanilla kernel? In-Reply-To: <200511141607.20038.R00020C@freescale.com> References: <200511141553.15983.R00020C@freescale.com> <1132002002.6192.74.camel@prometheus.gamehouse.com> <200511141607.20038.R00020C@freescale.com> Message-ID: <437900F0.4090900@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Steve Snyder wrote: >On Monday 14 November 2005 16:00, Jesse Keating wrote: > >>On Mon, 2005-11-14 at 15:53 -0500, Steve Snyder wrote: >> >>>Are there any known compatibility problems with the current i686 glibc >>>packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any >>>loss of functionality or other Bad Stuff(tm)? >>> >>Unfortunately this isn't really part of our QA tests, so I don't think >>there is a yes or a no that could come from the Legacy Project itself. >>However a user may have already tried it... 
> > >Yeah, I figured the testing was done in a purely RedHat/Legacy >environment. I'm hoping another subscriber to the list is in a position >similar to mine. > > >-- >fedora-legacy-list mailing list >fedora-legacy-list at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-legacy-list I'd like to know why you think the kernel relies on the glibc version? What is it that has changed that effects the kernel? James Kosin (Running FC1 with generic 2.4.32 kernel) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDeQDvkNLDmnu1kSkRAweaAKCC0kWRc36R7dAdSr3hkOEJdjDKNgCfT+Hn vyYE8GzdH9VN8CArCRPYod0= =pjGA -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From R00020C at freescale.com Mon Nov 14 21:42:03 2005 From: R00020C at freescale.com (Steve Snyder) Date: Mon, 14 Nov 2005 16:42:03 -0500 Subject: RHL9 glibc update OK with vanilla kernel? In-Reply-To: <437900F0.4090900@beta.intcomgrp.com> References: <200511141553.15983.R00020C@freescale.com> <200511141607.20038.R00020C@freescale.com> <437900F0.4090900@beta.intcomgrp.com> Message-ID: <200511141642.03143.R00020C@freescale.com> On Monday 14 November 2005 16:26, James Kosin wrote: > Steve Snyder wrote: > > >On Monday 14 November 2005 16:00, Jesse Keating wrote: > > > >>On Mon, 2005-11-14 at 15:53 -0500, Steve Snyder wrote: > >> > >>>Are there any known compatibility problems with the current i686 glibc > >>>packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any > >>>loss of functionality or other Bad Stuff(tm)? > >>> > >>Unfortunately this isn't really part of our QA tests, so I don't think > >>there is a yes or a no that could come from the Legacy Project itself. > >>However a user may have already tried it... > > > > > >Yeah, I figured the testing was done in a purely RedHat/Legacy > >environment. I'm hoping another subscriber to the list is in a position > >similar to mine. 
> > I'd like to know why you think the kernel relies on the glibc version? > What is it that has changed that effects the kernel. > >James Kosin >(Running FC1 with generic 2.4.32 kernel) My thinking is the other way around. Not that glibc affects the kernel, but that RedHat-vintage glibc expects services/functionality provided by RedHat's patches to the 2.4.20 kernel. I'd be even more concerned if running FC1, given RH's NPTL patches. From the above note, though, that seems not to be an issue. Thanks for the response. From jkosin at beta.intcomgrp.com Mon Nov 14 22:40:32 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Mon, 14 Nov 2005 17:40:32 -0500 Subject: RHL9 glibc update OK with vanilla kernel? In-Reply-To: <200511141642.03143.R00020C@freescale.com> References: <200511141553.15983.R00020C@freescale.com> <200511141607.20038.R00020C@freescale.com> <437900F0.4090900@beta.intcomgrp.com> <200511141642.03143.R00020C@freescale.com> Message-ID: <43791260.7070602@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Steve Snyder wrote: >On Monday 14 November 2005 16:26, James Kosin wrote: > >>Steve Snyder wrote: >> >>>On Monday 14 November 2005 16:00, Jesse Keating wrote: >>> >>>>On Mon, 2005-11-14 at 15:53 -0500, Steve Snyder wrote: >>>> >>>>>Are there any known compatibility problems with the current i686 glibc >>>>>packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any >>>>>loss of functionality or other Bad Stuff(tm)? >>>>> >>>>Unfortunately this isn't really part of our QA tests, so I don't think >>>>there is a yes or a no that could come from the Legacy Project itself. >>>>However a user may have already tried it... >>> >>> >>>Yeah, I figured the testing was done in a purely RedHat/Legacy >>>environment. I'm hoping another subscriber to the list is in a position >>>similar to mine. >> >>I'd like to know why you think the kernel relies on the glibc version? >>What is it that has changed that effects the kernel.
>> >>James Kosin >>(Running FC1 with generic 2.4.32 kernel) > > >My thinking is the other way around. Not that glibc affects the kernel, >but that RedHat-vintage glibc expects services/functionality provided >by RedHat's patches to the 2.4.20 kernel. > >I'd be even more concerned if running FC1, given RH's NPTL patches. >>From the above note, though, that seems not to be an issue. > >Thanks for the response. > >-- >fedora-legacy-list mailing list >fedora-legacy-list at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-legacy-list I think if it is not supported in the kernel (no matter which) that it shouldn't break glibc or the other way around. But, I'm not sure how heavily the glibc package relies on the RedHat / Fedora kernel. I guess, if it does effect things negatively, I'd like to know sooner myself; so I can work toward re-applying the patches to my 2.4.32 kernel which is not stock... due to the complexities and time needed to rework the large number of patches. Thanks, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDeRJgkNLDmnu1kSkRA/PKAJ9kpSDKXVZDvmghg01cKPEE2TBVOgCbBLhu TCsEBaNbnnxfi1du1tokxpw= =iMNG -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From tbeck at dragon-designs.net Mon Nov 14 23:22:34 2005 From: tbeck at dragon-designs.net (tbeck) Date: Mon, 14 Nov 2005 17:22:34 -0600 Subject: Blog entries worth reading. In-Reply-To: <1131997525.6192.56.camel@prometheus.gamehouse.com> References: <1131997525.6192.56.camel@prometheus.gamehouse.com> Message-ID: <20051114232209.M75845@dragon-designs.net> Big Con Grats here, good luck...;-) Tim -- Timothy Beck http://www.dragon-designs.net/~tbeck http://dragon-designs.homelinux.net/ 214-492-3718 Better to live free, then to live a Lie. 
---------- Original Message ----------- From: Jesse Keating To: fedora-legacy-list at redhat.com Sent: Mon, 14 Nov 2005 11:45:25 -0800 Subject: Blog entries worth reading. > Hi folks. In the interest if not typing everything over and over again, > the following blog entries are worth reading. > > http://www.livejournal.com/users/jkeating/8316.html > > http://www.livejournal.com/users/jkeating/8564.html > -- > Jesse Keating RHCE (http://geek.j2solutions.net) > Fedora Legacy Team (http://www.fedoralegacy.org) > GPG Public Key > (http://geek.j2solutions.net/jkeating.j2solutions.pub) > > Was I helpful? Let others know: > http://svcs.affero.net/rm.php?r=jkeating ------- End of Original Message ------- From marcdeslauriers at videotron.ca Tue Nov 15 00:56:03 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Mon, 14 Nov 2005 19:56:03 -0500 Subject: [FLSA-2005:123013] Updated xchat package fixes security issue Message-ID: <43793223.1050401@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated xchat package fixes security issue Advisory ID: FLSA:123013 Issue date: 2005-11-14 Product: Fedora Core Keywords: Bugfix CVE Names: CVE-2004-0409 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An updated xchat package that fixes a security bug is now available.
X-Chat is a graphical IRC chat client for the X Window System.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A stack buffer overflow flaw was found in the X-Chat's Socks-5 proxy code.
An attacker could create a malicious Socks-5 proxy server in such a way
that X-Chat would execute arbitrary code if a victim configured X-Chat to
use the proxy. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0409 to this issue.

Users of X-Chat should upgrade to this updated package which contains a
backported security patch and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123013

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xchat-2.0.7-1.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xchat-2.0.7-1.FC1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xchat-2.0.7-5.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xchat-2.0.7-5.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
949871bada73a7e47b412e04b296fb8e661a6889 fedora/1/updates/i386/xchat-2.0.7-1.FC1.1.legacy.i386.rpm
e9defab76a100c3c066b85a9fa83ebcd1527ce71 fedora/1/updates/SRPMS/xchat-2.0.7-1.FC1.1.legacy.src.rpm
557e51ab8c91c4e824c132b4e58fc372ba6bf4c7 fedora/2/updates/i386/xchat-2.0.7-5.1.legacy.i386.rpm
4e856255dd724c8364556e792c162b1f0fbc29ea fedora/2/updates/SRPMS/xchat-2.0.7-5.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0409

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------
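
Added example (not part of the advisory above or of Fedora Legacy's tooling): the sha1sum check from section 7, run over every row of a saved advisory's SHA1 table in one pass instead of one file at a time. Function names, package names and file contents are constructed; the two sums in the sample table are the well-known SHA-1 test vectors for those contents.

```shell
#!/bin/sh
# Added example: batch version of the advisory's per-file sha1sum check.
# All names and sample data below are constructed for illustration.

# sha1_of FILE: print the hex SHA1 of FILE (sha1sum, or shasum where absent).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_advisory_sums ADVISORY_FILE DOWNLOAD_DIR
# Picks "<40 hex digits> <path>.rpm" rows out of the saved advisory text and
# compares each with the same-named file in DOWNLOAD_DIR.
# Returns 0 if every downloaded file matches, 1 on any mismatch,
# 2 if no listed file was found (nothing was actually verified).
verify_advisory_sums() {
    advisory=$1
    dir=$2
    checked=0
    bad=0
    while read -r sum path rest || [ -n "$sum" ]; do
        # Skip headings, rules and prose: anything that is not a table row.
        case $sum in ''|*[!0-9a-fA-F]*) continue ;; esac
        [ "${#sum}" -eq 40 ] || continue
        case $path in *.rpm) ;; *) continue ;; esac
        [ -z "$rest" ] || continue

        name=${path##*/}        # file name only; the mirror directory is ignored
        file=$dir/$name
        if [ ! -f "$file" ]; then
            printf 'SKIP      %s (not downloaded)\n' "$name"
            continue
        fi
        expected=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        actual=$(sha1_of "$file")
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            printf 'OK        %s\n' "$name"
        else
            bad=$((bad + 1))
            printf 'MISMATCH  %s\n  advisory: %s\n  file:     %s\n' \
                "$name" "$expected" "$actual"
        fi
    done < "$advisory"

    [ "$bad" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2
    return 0
}

# Constructed demo: the "packages" are stand-in files whose contents are the
# classic SHA-1 test strings, so the sums in the sample table are well known.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'abc' > "$tmp/example-1.0-1.legacy.i386.rpm"
    printf 'The quick brown fox jumps over the lazy dog' \
        > "$tmp/example-1.0-1.legacy.src.rpm"
    cat > "$tmp/advisory.txt" <<'EOF'
7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
a9993e364706816aba3e25717850c26c9cd0d89d fedora/1/updates/i386/example-1.0-1.legacy.i386.rpm
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 fedora/1/updates/SRPMS/example-1.0-1.legacy.src.rpm
EOF
    clean=0
    verify_advisory_sums "$tmp/advisory.txt" "$tmp" || clean=$?
    printf 'x' >> "$tmp/example-1.0-1.legacy.i386.rpm"   # simulate a bad download
    tampered=0
    verify_advisory_sums "$tmp/advisory.txt" "$tmp" || tampered=$?
    rm -rf "$tmp"
    echo "exit status: clean=$clean tampered=$tampered"
}

demo
```

A matching sum only ties the file to the advisory text as you received it; the GPG signature check, rpm --checksig -v, is what ties the package to the Fedora Legacy key.
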
From marcdeslauriers at videotron.ca Tue Nov 15 00:56:43 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 14 Nov 2005 19:56:43 -0500
Subject: [FLSA-2005:152794] Updated rp-pppoe package fixes security issue
Message-ID: <4379324B.7030909@videotron.ca>

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated rp-pppoe package fixes security issue
Advisory ID:       FLSA:152794
Issue date:        2005-11-14
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0564
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

An updated rp-pppoe package that fixes a security vulnerability is now
available.

The rp-pppoe package is a PPP over Ethernet client (for xDSL support).

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Red Hat Linux or Fedora Core
installation), an attacker could overwrite any file on the file system.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0564 to this issue.

All users of rp-pppoe should upgrade to this updated package, which
resolves this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152794

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/rp-pppoe-3.3-10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/rp-pppoe-3.3-10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/rp-pppoe-3.5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/rp-pppoe-3.5-2.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/rp-pppoe-3.5-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/rp-pppoe-3.5-8.2.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0564

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------
From marcdeslauriers at videotron.ca Tue Nov 15 00:57:20 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 14 Nov 2005 19:57:20 -0500
Subject: [FLSA-2005:158801] Updated bzip2 packages fix security issues
Message-ID: <43793270.1080703@videotron.ca>

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated bzip2 packages fix security issues
Advisory ID:       FLSA:158801
Issue date:        2005-11-14
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0758 CVE-2005-0953 CVE-2005-1260
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated bzip2 packages that fix multiple issues are now available.

Bzip2 is a data compressor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way bzgrep processes file names. If a user can be
tricked into running bzgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running bzgrep. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CVE-2005-0758 to this issue.

A bug was found in the way bzip2 modifies file permissions during
decompression. If an attacker has write access to the directory into which
bzip2 is decompressing files, it is possible for them to modify
permissions on files owned by the user running bzip2 (CVE-2005-0953).

A bug was found in the way bzip2 decompresses files. It is possible for an
attacker to create a specially crafted bzip2 file which will cause bzip2
to cause a denial of service (by filling disk space) if decompressed by a
victim (CVE-2005-1260).

Users of Bzip2 should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158801

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/bzip2-1.0.2-2.2.73.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-1.0.2-2.2.73.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-devel-1.0.2-2.2.73.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/bzip2-libs-1.0.2-2.2.73.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/bzip2-1.0.2-8.1.90.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-1.0.2-8.1.90.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-devel-1.0.2-8.1.90.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/bzip2-libs-1.0.2-8.1.90.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/bzip2-1.0.2-10.1.fc1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-1.0.2-10.1.fc1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-devel-1.0.2-10.1.fc1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/bzip2-libs-1.0.2-10.1.fc1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/bzip2-1.0.2-12.2.fc2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-1.0.2-12.2.fc2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-devel-1.0.2-12.2.fc2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/bzip2-libs-1.0.2-12.2.fc2.legacy.i386.rpm

7.
Verification:

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Tue Nov 15 05:03:53 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 15 Nov 2005 00:03:53 -0500
Subject: Fedora Legacy Test Update Notification: a2ps
Message-ID: <43796C39.2010601@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152870
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152870
2005-11-14
---------------------------------------------------------------------

Name        : a2ps
Versions    : rh73: a2ps-4.13b-19.2.legacy
Versions    : rh9: a2ps-4.13b-28.2.legacy
Versions    : fc1: a2ps-4.13b-30.2.legacy
Summary     : Converts text and other types of files to PostScript(TM).
Description :
The a2ps filter converts text and other types of files to PostScript
format. A2ps has pretty-printing capabilities and includes support for a
wide number of programming languages, encodings (ISO Latins, Cyrillic,
etc.), and media.

---------------------------------------------------------------------
Update Information:

An updated a2ps package that fixes a security bug is now available.

The a2ps filter converts text and other types of files to PostScript
format.

A problem was discovered in the way a2ps handles filenames that include
shell metacharacters. An attacker could use this flaw to execute arbitrary
commands by providing a filename that includes metacharacters as an
argument. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-1170 to this issue.

All users of a2ps should upgrade to this updated package, which includes a
patch to correct this issue.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Nov 14 2005 Marc Deslauriers 4.13b-19.2.legacy
- Added a bunch of missing packages to BuildRequires

* Tue Dec 21 2004 Pekka Savola 4.13b-28.2.legacy
- Added a bunch of missing packages to BuildRequires

* Tue Dec 21 2004 Pekka Savola 4.13b-30.2.legacy
- Added a bunch of missing packages to BuildRequires

* Tue Dec 21 2004 Pekka Savola

From marcdeslauriers at videotron.ca Tue Nov 15 05:03:29 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 15 Nov 2005 00:03:29 -0500
Subject: Fedora Legacy Test Update Notification: lynx
Message-ID: <43796C21.2030003@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152832
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152832
2005-11-14
---------------------------------------------------------------------

Name        : lynx
Versions    : rh73: lynx-2.8.4-18.3.legacy
Versions    : rh9: lynx-2.8.5-11.2.legacy
Versions    : fc1: lynx-2.8.5-13.2.legacy
Versions    : fc2: lynx-2.8.5-15.2.legacy
Summary     : A text-based Web browser.
Description :
Lynx is a text-based Web browser. Lynx does not display any images, but
it does support frames, tables, and most other HTML tags. One advantage
Lynx has over graphical browsers is speed; Lynx starts and exits quickly
and swiftly displays webpages.

---------------------------------------------------------------------
Update Information:

An updated lynx package that corrects security issues is now available.

Lynx is a text-based Web browser.

An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious
URL which could execute arbitrary code as the user running lynx. The
Common Vulnerabilities and Exposures project assigned the name
CVE-2005-2929 to this issue.

Ulf Harnhammar discovered a stack overflow bug in Lynx when handling
connections to NNTP (news) servers. An attacker could create a web page
redirecting to a malicious news server which could execute arbitrary code
as the user running lynx. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3120 to this issue.

Users should update to this erratum package, which contains backported
patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Nov 14 2005 Marc Deslauriers 2.8.4-18.3.legacy
- Added missing gettext to BuildRequires

* Sat Nov 12 2005 Jeff Sheltren 2.8.4-18.2
- Patches for CVE-2005-3120 and CVE-2005-2929 (#152832)

rh9:
* Mon Nov 14 2005 Marc Deslauriers 2.8.5-11.2.legacy
- Added missing gettext to BuildRequires

* Sat Nov 12 2005 Jeff Sheltren 2.8.5-11.1.legacy
- Patches for CVE-2005-3120 and CVE-2005-2929 (#152832)

fc1:
* Mon Nov 14 2005 Marc Deslauriers 2.8.5-13.2.legacy
- Added missing gettext to BuildRequires

* Sat Nov 12 2005 Jeff Sheltren 2.8.5-13.1.legacy
- Patches for CVE-2005-3120 and CVE-2005-2929 (#152832)

fc2:
* Mon Nov 14 2005 Marc Deslauriers 2.8.5-15.2.legacy
- Added missing gettext to BuildRequires

* Sat Nov 12 2005 Jeff Sheltren 2.8.5-15.1.legacy
- Patches for CVE-2005-3120 and CVE-2005-2929 (#152832)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Tue Nov 15 05:05:40 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 15 Nov 2005 00:05:40 -0500
Subject: Fedora Legacy Test Update Notification: enscript
Message-ID: <43796CA4.4060101@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152892
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152892
2005-11-14
---------------------------------------------------------------------

Name        : enscript
Versions    : rh73: enscript-1.6.1-19.73.2.legacy
Versions    : rh9: enscript-1.6.1-24.2.legacy
Versions    : fc1: enscript-1.6.1-25.1.1.legacy
Summary     : A plain ASCII to PostScript converter.
Description :
GNU enscript is a free replacement for Adobe's Enscript program.
Enscript converts ASCII files to PostScript(TM) and spools generated
PostScript output to the specified printer or saves it to a file.
Enscript can be extended to handle different output media and includes
many options for customizing printouts.

---------------------------------------------------------------------
Update Information:

An updated enscript package that fixes several security issues is now
available.

GNU enscript converts ASCII files to PostScript.

Enscript has the ability to interpret special escape sequences. A flaw was
found in the handling of the epsf command used to insert inline EPS files
into a document. An attacker could create a carefully crafted ASCII file
which made use of the epsf pipe command in such a way that it could
execute arbitrary commands if the file was opened with enscript by a
victim. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-1184 to this issue.

Additional flaws in Enscript were also discovered which can only be
triggered by executing enscript with carefully crafted command line
arguments. These flaws therefore only have a security impact if enscript
is executed by other programs and passed untrusted data from remote users.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues.

All users of enscript should upgrade to these updated packages, which
resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Nov 03 2005 Marc Deslauriers 1.6.1-19.73.2.legacy
- Added flex to BuildRequires

* Mon Feb 14 2005 Dave Botsch 1.6.1-19.73.1.legacy
- Applied patches to fix CAN-2004-1184, CAN-2004-1185, CAN-2004-1186
- Patches taken from rhas2.1 srpm - see changelog entries below
- Bumped version number
- Added legacy keyword

rh9:
* Thu Nov 03 2005 Marc Deslauriers 1.6.1-24.2.legacy
- Added flex to BuildRequires

* Tue Feb 15 2005 Pekka Savola 1.6.1-24.1.legacy
- Fix CAN-2004-118[456] from RHEL (#2409)

fc1:
* Thu Nov 03 2005 Marc Deslauriers 1.6.1-25.1.1.legacy
- Added flex to BuildRequires

* Tue Feb 15 2005 Pekka Savola 1.6.1-25.1.legacy
- Fix CAN-2004-118[456] from RHEL (#2409)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.

From deisenst at gtw.net Wed Nov 16 05:21:52 2005
From: deisenst at gtw.net (David Eisenstein)
Date: Tue, 15 Nov 2005 23:21:52 -0600 (CST)
Subject: Buglist: a new 'DEFER' keyword?
In-Reply-To:
Message-ID:

On Mon, 14 Nov 2005, Pekka Savola wrote:

> Remember, the buglist is at:
> http://www.netcore.fi/pekkas/buglist.html

Thanks for the reminder of our projects list, and for the work of
keeping it up to date. It's a big help!

> Also, I propose adding a new keyword 'DEFER', which could be used for
> packages for the report is basically a minor security issue, bugfix or
> the like. Something which might (or might not) be addressed the next
> time we have other reasons to create that particular package, but it
> doesn't make sense to roll an update just to fix that and can't be
> closed outright as WONTFIX.
>
> The reason for this is that such bugs can be sorted in a different
> category in the buglist, and it might be easier to spot more important
> work items.

I think this is a fine idea, Pekka. It cannot hurt to try it, for sure.
Is it the Status Whiteboard field on Bugzilla that you propose this
keyword go into? Or would it go into Bugzilla's keyword field? ()

Another alternative is to create a "tracking" bug in which to list all
bugs in this category. However, I don't know if creating a tracking bug
would really prove to be helpful or not in the context you are thinking of
using it, Pekka.

>
> This category could include bugs such as:
>
> 121734 2005-10-31 sec nor ASSI nss_ldap openssl kills pam_ldap with SIGSEGV in err_cmp when authenticating against ldaps://
> 134550 2005-10-31 nor nor NEW kernel Networking does not work on Dell Inspiron 1150
> ....

-David

From pizza at shaftnet.org Wed Nov 16 13:00:52 2005
From: pizza at shaftnet.org (Stuffed Crust)
Date: Wed, 16 Nov 2005 08:00:52 -0500
Subject: RHL9 glibc update OK with vanilla kernel?
In-Reply-To: <200511141553.15983.R00020C@freescale.com>
References: <200511141553.15983.R00020C@freescale.com>
Message-ID: <20051116130052.GB1950@shaftnet.org>

On Mon, Nov 14, 2005 at 03:53:15PM -0500, Steve Snyder wrote:
> Are there any known compatibility problems with the current i686 glibc
> packages (released yesterday) and a plain-vanilla 2.4.3x kernel? Any
> loss of functionality or other Bad Stuff(tm)?

I don't believe there are any problems with recent vanilla 2.4 kernels
with "current" RH9 glibc packages -- just the ones that are always
there. :)

Basically, you'll only have problems with NPTL, the threading library.
RH's kernels have this backported to 2.4, and it really is
MoreBetter(tm). Unfortunately, there are a few quirks if you're not
using a NPTL-enabled kernel.

The main problem you'll see is in things that use Berkeley DB -- if you
get rid of the NPTL kernel, some features of bdb won't work properly.
Bogofilter and subversion are affected by this. I'm not aware of any
workarounds other than to build your own bdb.

FC1 behaves better than RH9 in this manner, but it still has a few
quirks.

..You may be better off backporting the GigE driver to the RH9 kernel;
it all depends on what you do with the box.

 - Solomon
--
Solomon Peachy                          ICQ: 1318344
Melbourne, FL
Quidquid latine dictum sit, altum viditur

From pekkas at netcore.fi Wed Nov 16 14:03:24 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 16 Nov 2005 16:03:24 +0200 (EET)
Subject: Buglist: a new 'DEFER' keyword?
In-Reply-To:
References:
Message-ID:

On Tue, 15 Nov 2005, David Eisenstein wrote:
>> Remember, the buglist is at:
>> http://www.netcore.fi/pekkas/buglist.html
>
> Thanks for the reminder of our projects list, and for the work of
> keeping it up to date. It's a big help!

I've now created a DEFER keyword in the status whiteboard and
reclassified a number of bugs to it. See the URL above. I'm open to
suggestions for other reclassification, etc.

The process flow is that when a package Foo needs to be updated, the
packager would go look if there are any bugs in DEFER state for that
package Foo, and then evaluate whether to include them or not (and if
not, close the DEFER bugs).

I also updated the wiki.

...
>> time we have other reasons to create that particular package, but it
>> doesn't make sense to roll an update just to fix that and can't be
>> closed outright as WONTFIX.
>>
>> The reason for this is that such bugs can be sorted in a different
>> category in the buglist, and it might be easier to spot more important
>> work items.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From deisenst at gtw.net Thu Nov 17 14:17:23 2005
From: deisenst at gtw.net (David Eisenstein)
Date: Thu, 17 Nov 2005 08:17:23 -0600 (CST)
Subject: FWD: Author of rp-pppoe responds
Message-ID:

Should we upgrade our release of rp-pppoe, per David Skoll's advice, then?

-David E.

Message forwarded from gmane.comp-security.bugtraq:
---------------------------------------------------

Subject: Re: [FLSA-2005:152794] Updated rp-pppoe package fixes security issue
From: "David F. Skoll"
Newsgroups: gmane.comp.security.full-disclosure,gmane.comp.security.bugtraq
Message-ID: <437A2DC8.9020401 at roaringpenguin.com>
Date: Tue, 15 Nov 2005 13:49:44 -0500

Marc Deslauriers wrote:

> Synopsis: Updated rp-pppoe package fixes security issue
> Advisory ID: FLSA:152794

This is a totally bogus vulnerability, as I wrote in my response on
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0564

In fact, this so-called "fix" might tempt people to run rp-pppoe
SUID-root, which is a Bad Thing, because there are probably tons of other
reasons why a SUID-root rp-pppoe is dangerous.

rp-pppoe 3.6 was released a while ago. It has a proper fix for SUID-ness.
I recommend people use that instead of distro versions with dubious
"security patches"

NOTE: I have set the return path to to avoid
hundreds of responses from Bugtraq readers' broken auto-responders. To
reply to me, reply to

Regards,

David.

From rostetter at mail.utexas.edu Thu Nov 17 16:00:04 2005
From: rostetter at mail.utexas.edu (Eric Rostetter)
Date: Thu, 17 Nov 2005 10:00:04 -0600
Subject: FWD: Author of rp-pppoe responds
In-Reply-To:
References:
Message-ID: <1132243204.59bba9e1adc13@mail.ph.utexas.edu>

Quoting David Eisenstein :

>
> Should we upgrade our release of rp-pppoe, per David Skoll's advice, then?
>
> -David E.

Only if you plan to run it suid, which isn't the normal setup for RHL/FC.

--
Eric Rostetter

From pekkas at netcore.fi Thu Nov 17 16:04:09 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 17 Nov 2005 18:04:09 +0200 (EET)
Subject: FWD: Author of rp-pppoe responds
In-Reply-To:
References:
Message-ID:

On Thu, 17 Nov 2005, David Eisenstein wrote:
> Should we upgrade our release of rp-pppoe, per David Skoll's advice, then?

This hardly seems worth the effort at this point; if a security update
is needed for other reasons, maybe this could be re-evaluated then.

> Message forwarded from gmane.comp-security.bugtraq:
> ---------------------------------------------------
>
> Subject: Re: [FLSA-2005:152794] Updated rp-pppoe package fixes security issue
> From: "David F. Skoll"
> Newsgroups: gmane.comp.security.full-disclosure,gmane.comp.security.bugtraq
> Message-ID: <437A2DC8.9020401 at roaringpenguin.com>
> Date: Tue, 15 Nov 2005 13:49:44 -0500
>
> Marc Deslauriers wrote:
>
>> Synopsis: Updated rp-pppoe package fixes security issue
>> Advisory ID: FLSA:152794
>
> This is a totally bogus vulnerability, as I wrote in my response on
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0564
>
> In fact, this so-called "fix" might tempt people to run rp-pppoe
> SUID-root, which is a Bad Thing, because there are probably tons of other
> reasons why a SUID-root rp-pppoe is dangerous.
>
> rp-pppoe 3.6 was released a while ago. It has a proper fix for SUID-ness.
> I recommend people use that instead of distro versions with dubious
> "security patches"
>
> NOTE: I have set the return path to to avoid
> hundreds of responses from Bugtraq readers' broken auto-responders. To
> reply to me, reply to
>
> Regards,
>
> David.
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
>

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From marcdeslauriers at videotron.ca Fri Nov 18 05:38:12 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Fri, 18 Nov 2005 00:38:12 -0500
Subject: Fedora Legacy Test Update Notification: lesstif
Message-ID: <437D68C4.8070909@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152803
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
2005-11-17
---------------------------------------------------------------------

Name        : lesstif
Versions    : rh73: lesstif-0.93.18-2.3.legacy
Versions    : rh9: lesstif-0.93.36-3.3.legacy
Versions    : fc1: lesstif-0.93.36-4.3.legacy
Versions    : fc2: lesstif-0.93.36-5.3.legacy
Summary     : An OSF/Motif(R) clone.
Description :
LessTif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development (menus, text entry areas,
scrolling windows, etc.). LessTif is source compatible with
OSF/Motif(R) 1.2. The widget set code is the primary focus of
development. If you are installing lesstif, you also need to install
lesstif-clients.

---------------------------------------------------------------------
Update Information:

Updated lesstif packages that fix flaws in the Xpm image library are now
available.

lesstif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development.

During a source code audit, Chris Evans and others discovered several
stack overflow flaws and an integer overflow flaw in the libXpm library
used to decode XPM (X PixMap) images. A vulnerable version of this library
was found within LessTif. An attacker could create a carefully crafted XPM
file which would cause an application to crash or potentially execute
arbitrary code if opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687,
CVE-2004-0688, and CVE-2004-0914 to these issues.

An integer overflow flaw was found in libXpm; a vulnerable version of this library is found within LessTif. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to LessTif. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0605 to this issue. Users of lesstif are advised to upgrade to these erratum packages, which contain backported security patches correcting these issues. --------------------------------------------------------------------- Changelogs: rh73: * Wed Jul 27 2005 Marc Deslauriers 0.93.18-2.3.legacy - Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914 - fixed possible libXpm overflows (CAN-2005-0605) * Fri Dec 03 2004 Rob Myers 0.93.18-2.2.legacy - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) * Thu Nov 04 2004 Rob Myers 0.93.18-2.1.legacy - apply patch for CAN-2004-0688 (FL #2142) - truncated changelog because it was somehow breaking things rh9: * Wed Jul 27 2005 Marc Deslauriers 0.93.36-3.3.legacy - Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914 - fixed possible libXpm overflows (CAN-2005-0605) * Fri Dec 03 2004 Rob Myers 0.93.36-3.2.legacy - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. 
this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) * Thu Nov 04 2004 Rob Myers 0.93.36-3.1.legacy - apply patch for CAN-2004-0688 (FL #2142) fc1: * Wed Jul 27 2005 Marc Deslauriers 0.93.36-4.3.legacy - Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914 - fixed possible libXpm overflows (CAN-2005-0605) * Fri Dec 03 2004 Rob Myers 0.93.36-4.2.legacy - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) * Thu Nov 04 2004 Rob Myers 0.93.36-4.1.legacy - apply patch for CAN-2004-0688 (FL #2142) fc2: * Tue Jul 26 2005 Marc Deslauriers 0.93.36-5.3.legacy - fixed possible libXpm overflows (CAN-2005-0605) - allow to write XPM files with absolute path names again --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
--------------------------------------------------------------------- Please test and comment in bugzilla. From marcdeslauriers at videotron.ca Sat Nov 19 16:03:21 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 19 Nov 2005 11:03:21 -0500 Subject: Fedora Legacy Test Update Notification: util-linux and mount Message-ID: <437F4CC9.1010703@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-168326 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168326 2005-11-19 --------------------------------------------------------------------- Name : util-linux and mount Versions : rh73: util-linux-2.11n-12.7.3.2.legacy Versions : rh9: util-linux-2.11y-9.2.legacy Versions : fc1: util-linux-2.11y-29.2.legacy Versions : fc2: util-linux-2.12-19.1.legacy Summary : A collection of basic system utilities. Description : The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. --------------------------------------------------------------------- Update Information: Updated util-linux and mount packages that fix a security issue are now available.
The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The mount package contains the mount, umount, swapon and swapoff programs. A bug was found in the way the umount command is executed by normal users. It may be possible for a user to gain elevated privileges if the user is able to execute the "umount -r" command on a mounted file system. The file system will be re-mounted only with the "readonly" flag set, clearing flags such as "nosuid" and "noexec". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2876 to this issue. All users of util-linux and mount should upgrade to these updated packages, which contain a backported patch to correct this issue. --------------------------------------------------------------------- Changelogs rh73: * Thu Nov 17 2005 Marc Deslauriers 2.11n-12.7.3.2.legacy - Added missing gettext BuildRequires * Tue Oct 11 2005 Jeff Sheltren 2.11n-12.7.3.1.legacy - Patch for CAN-2005-2876 (#168326) rh9: * Thu Nov 17 2005 Marc Deslauriers 2.11y-9.2.legacy - Added missing gettext to BuildRequires * Tue Oct 11 2005 Jeff Sheltren 2.11y-9.1.legacy - Patch for CAN-2005-2876 (#168326) fc1: * Thu Nov 17 2005 Marc Deslauriers 2.11y-29.2.legacy - Added missing gettext to BuildRequires * Tue Oct 11 2005 Jeff Sheltren 2.11y-29.1.legacy - Patch for CAN-2005-2876 (#168326) fc2: * Tue Oct 11 2005 Jeff Sheltren 2.12-19.1.legacy - Patch for CAN-2005-2876 (#168326) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
--------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From marcdeslauriers at videotron.ca Sat Nov 19 16:04:11 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Sat, 19 Nov 2005 11:04:11 -0500 Subject: Fedora Legacy Test Update Notification: gettext Message-ID: <437F4CFB.5040000@videotron.ca> --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-136323 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 2005-11-19 --------------------------------------------------------------------- Name : gettext Versions : rh9: gettext-0.11.4-7.2.legacy Versions : fc1: gettext-0.12.1-1.2.legacy Versions : fc2: gettext-0.14.1-2.1.2.legacy Summary : GNU libraries and utilities for producing multi-lingual messages. Description : The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs. Tools include a set of conventions about how programs should be written to support message catalogs, a directory and file naming organization for the message catalogs, a runtime library which supports the retrieval of translated messages, and stand-alone programs for handling the translatable and the already translated strings. Gettext provides an easy to use library and tools for creating, using, and modifying natural language catalogs and is a powerful and simple method for internationalizing programs. --------------------------------------------------------------------- Update Information: An updated gettext package that fixes security bugs is now available. The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs. Temporary file vulnerabilities were discovered in the gettext package. A malicious user could use the "autopoint" and "gettextize" scripts to create or overwrite another user's files. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0966 to this issue. All users of gettext should upgrade to this updated package, which includes a patch to correct these issues. --------------------------------------------------------------------- Changelogs rh9: * Thu Nov 17 2005 Marc Deslauriers 0.11.4-7.2.legacy - Fixed typo in CAN-2004-0966 patch - Added missing gcc-java and zlib-devel to BuildRequires * Fri Oct 21 2005 Jeff Sheltren 0.11.4-7.1.legacy - Patch for CAN-2004-0966 (#136323) fc1: * Sat Nov 19 2005 Marc Deslauriers 0.12.1.2.legacy - Added missing gcc-java and zlib-devel to BuildRequires * Fri Oct 21 2005 Jeff Sheltren 0.12.1.1.legacy - Patch for CAN-2004-0966 (#136323) fc2: * Sat Nov 19 2005 Marc Deslauriers 0.14.1-2.1.2.legacy - Added missing gcc-java and zlib-devel to BuildRequires * Thu Oct 20 2005 Jeff Sheltren - Patch for CAN-2004-0966 (#136323) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) --------------------------------------------------------------------- Please test and comment in bugzilla. -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature URL: From misselt at as.arizona.edu Sat Nov 19 20:11:15 2005 From: misselt at as.arizona.edu (Karl Misselt) Date: Sat, 19 Nov 2005 13:11:15 -0700 Subject: Unrecognized NIC Message-ID: <437F86E3.8040404@as.arizona.edu> Hi - I'm trying to upgrade a NIC on a server running FC-1 (Synced to current Legacy repo). Currently the server is on a 3Com 3c980-TX 10/100baseTX which is running fine, if a bit overloaded. I wanted to upgrade to an Intel Pro/1000 MT Server adapter. The card is recognized as a PCI device: >> /sbin/lspci -vv -d 8086:1026 00:09.0 Ethernet controller: Intel Corp. 82545GM Gigabit Ethernet Controller (rev 04) Subsystem: Intel Corp. PRO/1000 MT Server Adapter Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- Status: Cap+ 66Mhz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- SERR- [disabled] [size=256K] Capabilities: [dc] Power Management version 2 Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+) Status: D0 PME-Enable- DSel=0 DScale=1 PME- Capabilities: [e4] PCI-X non-bridge device. Command: DPERE- ERO+ RBC=0 OST=0 Status: Bus=0 Dev=0 Func=0 64bit- 133MHz- SCD- USC-, DC=simple, DMMRBC=0, DMOST=0, DMCRS=0, RSCEM- This is an Athlon machine running the current legacy kernel: >> uname -a Linux XXXXX 2.4.22-1.2199.5.legacy.nptl #1 Sat Apr 30 20:01:22 EDT 2005 i686 athlon i386 GNU/Linux Intel PRO/1000 Gigabit ethernet support is compiled in as a module. Unfortunately, the card is not picked up in the hardware probe and I can't get it up and running. The card is a PCI-X, but claims it should be fine in a normal PCI slot - the motherboard is an ASUS A7A133... Any pointers on how to get this card running? Thanks in advance. -Karl -- -------------------------------------------------------------------- | Karl A.
Misselt Office: Steward 254 | | Steward Observatory Phone: 520-626-0196 | | University of Arizona FAX: 520-621-9555 | | Tucson, AZ 85721-0065 misselt at as.arizona.edu | -------------------------------------------------------------------- | http://www.fairtax.org | -------------------------------------------------------------------- From ad+lists at uni-x.org Sun Nov 20 03:19:53 2005 From: ad+lists at uni-x.org (Alexander Dalloz) Date: Sun, 20 Nov 2005 04:19:53 +0100 Subject: Unrecognized NIC In-Reply-To: <437F86E3.8040404@as.arizona.edu> References: <437F86E3.8040404@as.arizona.edu> Message-ID: <1132456793.20572.109.camel@serendipity.dogma.lan> On Sat, 19.11.2005 at 21:11, Karl Misselt wrote: > I'm trying to upgrade a NIC on a server running FC-1 (Synced to current > Legacy repo). Currently the server is on a 3Com 3c980-TX 10/100baseTX > which is running fine, if a bit overloaded. I wanted to upgrade to > an Intel Pro/1000 MT Server adapter. The card is recognized as a PCI > device: > > >> /sbin/lspci -vv -d 8086:1026 > 00:09.0 Ethernet controller: Intel Corp. 82545GM Gigabit Ethernet Controller (rev 04) > Subsystem: Intel Corp. PRO/1000 MT Server Adapter [...] > This is an Athlon machine running the current legacy kernel: > >> uname -a > Linux XXXXX 2.4.22-1.2199.5.legacy.nptl #1 Sat Apr 30 20:01:22 EDT 2005 i686 athlon i386 GNU/Linux > Any pointers on how to get this card running? Thanks in advance. > -Karl Get the driver sources from the Intel support page, build the e100 module from these sources and see if `modprobe -v /path/to/module/e100.o' lets the NIC appear in `dmesg' then. I guess it will. Alexander -- Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773 legal statement: http://www.uni-x.org/legal.html Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp Serendipity 04:17:59 up 22 days, 2:18, load average: 1.59, 1.31, 0.92 -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Dies ist ein digital signierter Nachrichtenteil URL: From deisenst at gtw.net Tue Nov 22 07:59:57 2005 From: deisenst at gtw.net (David Eisenstein) Date: Tue, 22 Nov 2005 01:59:57 -0600 (CST) Subject: FYI: Correction, regarding Cyber Security Bulletin SB05-320 (fwd) Message-ID: Just wanted to let you all know I sent this out to US-CERT, for when they publish updates including notice of our security fixes. -David ---------- Forwarded message ---------- From: David Eisenstein To: soc at us-cert.gov Date: Tue, 22 Nov 2005 01:57:15 -0600 (CST) Subject: Correction, regarding Cyber Security Bulletin SB05-320 Hi, According to , Fedora Legacy issued an advisory FLSA:158801 for the zgrep problem, CVE-2005-0758. Actually, Fedora Legacy has issued two advisories for this issue. This CVE issue for zgrep is also an issue with bzgrep (in bzip2 packages), since bzgrep comes from a common heritage as zgrep. Software publishers such as Red Hat and Fedora Legacy are fixing the bzgrep problem using the same CVE number CVE-2005-0758 for both issues. The two advisories that Fedora Legacy has issued for these issues are: 1) FLSA:157696 (available at ) which fixes the zgrep in the gzip package we offer. Advisory FLSA:157696 was issued on 2005-08-10. It was published in BugTraq: . 2) The one you mention in your bulletin SB05-320, FLSA:158801 (at ). I am noticing that the URL you post for FedoraLegacy in your Cyber Security Bulletins is , which isn't that helpful for people looking for our update advisories. May I suggest instead using if you wish to use a generic URL, or the URL of the actual Update Advisory underneath that URL? Thanks for your attention to this matter. 
Regards, David Eisenstein Participant, Fedora Legacy Project From mike.mccarty at sbcglobal.net Tue Nov 22 17:39:42 2005 From: mike.mccarty at sbcglobal.net (Mike McCarty) Date: Tue, 22 Nov 2005 11:39:42 -0600 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <437F4CC9.1010703@videotron.ca> References: <437F4CC9.1010703@videotron.ca> Message-ID: <438357DE.5070107@sbcglobal.net> Marc Deslauriers wrote: > --------------------------------------------------------------------- > Fedora Legacy Test Update Notification > FEDORALEGACY-2005-168326 > Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168326 > 2005-11-19 > --------------------------------------------------------------------- > > Name : util-linux and mount > Versions : rh73: util-linux-2.11n-12.7.3.2.legacy > Versions : rh9: util-linux-2.11y-9.2.legacy > Versions : fc1: util-linux-2.11y-29.2.legacy > Versions : fc2: util-linux-2.12-19.1.legacy > Summary : A collection of basic system utilities. > Description : > The util-linux package contains a large variety of low-level system > utilities that are necessary for a Linux system to function. Among > others, Util-linux contains the fdisk configuration tool and the login > program. > > --------------------------------------------------------------------- And yet, when I did a # yum update I was told there was nothing to do... I certainly have umount, fdisk, and login loaded here. $ uname -a Linux Presario-1 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 EST 2005 i686 i686 i386 GNU/Linux Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! 
From jimpop at yahoo.com Tue Nov 22 18:17:21 2005 From: jimpop at yahoo.com (Jim Popovitch) Date: Tue, 22 Nov 2005 13:17:21 -0500 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <438357DE.5070107@sbcglobal.net> References: <437F4CC9.1010703@videotron.ca> <438357DE.5070107@sbcglobal.net> Message-ID: <438360B1.5040104@yahoo.com> What's the contents of your /etc/yum.conf? -Jim P. Mike McCarty wrote: > Marc Deslauriers wrote: >> --------------------------------------------------------------------- >> Fedora Legacy Test Update Notification >> FEDORALEGACY-2005-168326 >> Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168326 >> 2005-11-19 >> --------------------------------------------------------------------- >> >> Name : util-linux and mount >> Versions : rh73: util-linux-2.11n-12.7.3.2.legacy >> Versions : rh9: util-linux-2.11y-9.2.legacy >> Versions : fc1: util-linux-2.11y-29.2.legacy >> Versions : fc2: util-linux-2.12-19.1.legacy >> Summary : A collection of basic system utilities. >> Description : >> The util-linux package contains a large variety of low-level system >> utilities that are necessary for a Linux system to function. Among >> others, Util-linux contains the fdisk configuration tool and the login >> program. >> >> --------------------------------------------------------------------- > > And yet, when I did a > > # yum update > > I was told there was nothing to do... > I certainly have umount, fdisk, and login loaded here. 
> > $ uname -a > Linux Presario-1 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 EST 2005 i686 > i686 i386 GNU/Linux > > Mike From jkosin at beta.intcomgrp.com Tue Nov 22 18:32:20 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Tue, 22 Nov 2005 13:32:20 -0500 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <438357DE.5070107@sbcglobal.net> References: <437F4CC9.1010703@videotron.ca> <438357DE.5070107@sbcglobal.net> Message-ID: <43836434.9040503@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Mike McCarty wrote: > Marc Deslauriers wrote: > >> --------------------------------------------------------------------- >> Fedora Legacy Test Update Notification FEDORALEGACY-2005-168326 >> Bugzilla >> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168326 >> 2005-11-19 >> --------------------------------------------------------------------- >> >> >> Name : util-linux and mount Versions : rh73: >> util-linux-2.11n-12.7.3.2.legacy Versions : rh9: >> util-linux-2.11y-9.2.legacy Versions : fc1: >> util-linux-2.11y-29.2.legacy Versions : fc2: >> util-linux-2.12-19.1.legacy Summary : A collection of basic >> system utilities. Description : The util-linux package contains a >> large variety of low-level system utilities that are necessary >> for a Linux system to function. Among others, Util-linux contains >> the fdisk configuration tool and the login program. >> >> --------------------------------------------------------------------- >> > > > And yet, when I did a > > # yum update > > I was told there was nothing to do... I certainly have umount, > fdisk, and login loaded here. > > $ uname -a Linux Presario-1 2.6.10-1.771_FC2 #1 Mon Mar 28 00:50:14 > EST 2005 i686 i686 i386 GNU/Linux > > Mike Mike, Read the notice carefully, it states that the packages are in TESTING. So unless you have testing enabled in yum or up2date you won't be getting these until they are released by QA. 
Thanks, James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDg2Q0kNLDmnu1kSkRA2a/AJ9qFt5Thlsak/aBgI+rWLng0qVDmQCeLPmC ZY0IN5gzpOCt7k4q4AzhGSo= =LnK9 -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From mike.mccarty at sbcglobal.net Tue Nov 22 21:54:18 2005 From: mike.mccarty at sbcglobal.net (Mike McCarty) Date: Tue, 22 Nov 2005 15:54:18 -0600 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <438360B1.5040104@yahoo.com> References: <437F4CC9.1010703@videotron.ca> <438357DE.5070107@sbcglobal.net> <438360B1.5040104@yahoo.com> Message-ID: <4383938A.9010109@sbcglobal.net> Jim Popovitch wrote: > What's the contents of your /etc/yum.conf? > > -Jim P. > > Mike McCarty wrote: [that yum didn't pull util-linux and mount] $ cat /etc/yum.conf # See the yum.conf(5) man page for information the syntax of this file, # including failover setup. [main] cachedir=/var/cache/yum debuglevel=2 logfile=/var/log/yum.log pkgpolicy=newest distroverpkg=redhat-release tolerant=1 exactarch=1 exclude=kernel* [base] gpgcheck=1 name=Fedora Core $releasever - Base baseurl=http://download.fedoralegacy.org/fedora/$releasever/os/$basearch [updates] gpgcheck=1 name=Fedora Core $releasever Legacy updates baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates/$basearch [legacy-utils] gpgcheck=1 name=Fedora Core $releasever Legacy utilities baseurl=http://download.fedoralegacy.org/fedora/$releasever/legacy-utils/$basearch $ -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! 
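An added example (not code from the thread or from the Fedora Legacy project): it parses the yum.conf posted above and reports which enabled repositories could serve a package path under `updates-testing`, and which enabled repositories skip GPG signature checks. The `[updates-testing]` stanza, the function names, the `releasever`/`basearch` values (FC2, i386) and the package path built from the advisory's FC2 version are assumptions made for this illustration.

```python
import configparser

# /etc/yum.conf as posted in the thread (leading comment lines omitted).
YUM_CONF = """\
[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
exclude=kernel*

[base]
gpgcheck=1
name=Fedora Core $releasever - Base
baseurl=http://download.fedoralegacy.org/fedora/$releasever/os/$basearch

[updates]
gpgcheck=1
name=Fedora Core $releasever Legacy updates
baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates/$basearch

[legacy-utils]
gpgcheck=1
name=Fedora Core $releasever Legacy utilities
baseurl=http://download.fedoralegacy.org/fedora/$releasever/legacy-utils/$basearch
"""

# Constructed stanza, not from the thread: the "updates-testing" path segment
# mirrors the existing baseurl pattern and the advisory's package location.
TESTING_STANZA = """
[updates-testing]
gpgcheck=1
name=Fedora Core $releasever Legacy updates (testing)
baseurl=http://download.fedoralegacy.org/fedora/$releasever/updates-testing/$basearch
"""

DOWNLOAD_ROOT = "http://download.fedoralegacy.org/"
# Assumed path: the advisory's FC2 util-linux build under updates-testing.
ADVISORY_PATH = "fedora/2/updates-testing/i386/util-linux-2.12-19.1.legacy.i386.rpm"


def parse_repos(conf_text, releasever, basearch):
    """Return {repo_id: settings} with $releasever and $basearch expanded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Assumption: gpgcheck in [main] is the default for all repositories, and
    # a missing value is treated as "off" (the conservative reading).
    default_gpg = cp.get("main", "gpgcheck", fallback="0")
    repos = {}
    for repo_id in cp.sections():
        if repo_id == "main":
            continue
        sec = cp[repo_id]
        urls = []
        for url in sec.get("baseurl", "").split():
            url = url.replace("$releasever", releasever).replace("$basearch", basearch)
            # Trailing slash so "updates/" never prefix-matches "updates-testing/".
            urls.append(url.rstrip("/") + "/")
        repos[repo_id] = {
            "enabled": sec.get("enabled", "1").strip() == "1",
            "gpgcheck": sec.get("gpgcheck", default_gpg).strip() == "1",
            "baseurls": urls,
        }
    return repos


def audit(conf_text, package_path, releasever="2", basearch="i386"):
    """Report enabled repos that can serve package_path and those without gpgcheck."""
    repos = parse_repos(conf_text, releasever, basearch)
    package_url = DOWNLOAD_ROOT + package_path
    serving = sorted(
        repo_id for repo_id, r in repos.items()
        if r["enabled"] and any(package_url.startswith(u) for u in r["baseurls"])
    )
    unchecked = sorted(
        repo_id for repo_id, r in repos.items()
        if r["enabled"] and not r["gpgcheck"]
    )
    return {"serving": serving, "unchecked": unchecked}


if __name__ == "__main__":
    print("as posted:   ", audit(YUM_CONF, ADVISORY_PATH))
    print("with testing:", audit(YUM_CONF + TESTING_STANZA, ADVISORY_PATH))
```

With the configuration as posted, no repository covers the testing path, which matches `yum update` reporting nothing to do. A testing repository added with `gpgcheck=0` would show up in the `unchecked` list.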
From mike.mccarty at sbcglobal.net Tue Nov 22 21:55:30 2005 From: mike.mccarty at sbcglobal.net (Mike McCarty) Date: Tue, 22 Nov 2005 15:55:30 -0600 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <43836434.9040503@beta.intcomgrp.com> References: <437F4CC9.1010703@videotron.ca> <438357DE.5070107@sbcglobal.net> <43836434.9040503@beta.intcomgrp.com> Message-ID: <438393D2.8050701@sbcglobal.net> James Kosin wrote: > > > Mike, > > Read the notice carefully, it states that the packages are in > TESTING. So unless you have testing enabled in yum or up2date you > won't be getting these until they are released by QA. > > Thanks, > James Kosin Ahh,... Missed that. Thanks, that completely resolves it. I don't have TESTING enabled for updates. Sorry to waste your time. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From jkosin at beta.intcomgrp.com Tue Nov 22 22:07:57 2005 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Tue, 22 Nov 2005 17:07:57 -0500 Subject: Fedora Legacy Test Update Notification: util-linux and mount In-Reply-To: <438393D2.8050701@sbcglobal.net> References: <437F4CC9.1010703@videotron.ca> <438357DE.5070107@sbcglobal.net> <43836434.9040503@beta.intcomgrp.com> <438393D2.8050701@sbcglobal.net> Message-ID: <438396BD.8040003@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Mike McCarty wrote: > James Kosin wrote: > >> >> >> Mike, >> >> Read the notice carefully, it states that the packages are in >> TESTING. So unless you have testing enabled in yum or up2date >> you won't be getting these until they are released by QA. >> >> Thanks, James Kosin > > > Ahh,... Missed that. > > Thanks, that completely resolves it. I don't have TESTING enabled > for updates. > > Sorry to waste your time. 
> > Mike Mike, No waste of time.... The only dumb question is one that never gets asked. James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDg5a8kNLDmnu1kSkRA8uRAJ9ajmGW2M9yIh4l0cOHCgsgVwjPwACcDDk8 UTg9u5QD7XS26kfz97wM8mE= =qI0/ -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From marcdeslauriers at videotron.ca Fri Nov 25 01:09:46 2005 From: marcdeslauriers at videotron.ca (Marc Deslauriers) Date: Thu, 24 Nov 2005 20:09:46 -0500 Subject: Fedora Legacy Test Update Notification: openssl Message-ID: <4386645A.3070608@videotron.ca> These were updated to correct an additional vulnerability. --------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-166939 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939 2005-11-24 --------------------------------------------------------------------- Name : openssl Versions : rh73: openssl-0.9.6b-39.10.legacy Versions : rh9: openssl-0.9.7a-20.6.legacy Versions : fc1: openssl-0.9.7a-33.13.legacy Versions : fc2: openssl-0.9.7a-35.2.legacy Summary : The OpenSSL toolkit. Description : The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. --------------------------------------------------------------------- Update Information: Updated OpenSSL packages that fix a security issue are now available. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full- strength general purpose cryptography library. OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. 
Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a "man in the middle" to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2969 to this issue. A bug was fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in a previous advisory which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0109 to this issue. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the server this could lead to a denial of service. (CVE-2004-0079) Users are advised to update to these erratum packages which contain patches to correct these issues. Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system. --------------------------------------------------------------------- Changelogs rh73: * Tue Nov 15 2005 David Eisenstein 0.9.6b-39.10.legacy - Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939) - Change spec define thread_test_threads from 100 to 10 for a reasonable build time (a la RHEL). - remove deprecated der_chop, as upstream cvs has done (CAN-2004-0975, RHEL2.1's 0.9.6b-37. Replaces patch34 (openssl-0.9.7c-tempfile.patch) with a new patch34 (openssl-0.9.7a-no-der_chop.patch). - replaced add-luna patch with new one with right license, per Tomas Mraz in RHEL 2.1's 0.9.6b-39 (#158061). 
* Sat Oct 22 2005 Jeff Sheltren 0.9.6b-39.9.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren 0.9.6b-39.8.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

rh9:
* Sat Oct 22 2005 Jeff Sheltren 0.9.7a-20.6.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren 0.9.7a-20.5.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc1:
* Sat Oct 22 2005 Jeff Sheltren 0.9.7a-33.13.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Mon Aug 29 2005 Jeff Sheltren 0.9.7a-33.12.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc2:
* Sat Oct 22 2005 Jeff Sheltren 0.9.7a-35-2.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)
* Sun Aug 28 2005 Jeff Sheltren 0.9.7a-35.1.legacy
- Patches for CAN-2004-0975 and CAN-2005-0109 (#166939)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.
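One way to check hosts against the fixed openssl versions named in the "Versions" lines of the notification above, added here as an example and not part of the original message. It compares version-release strings segment by segment in the style of RPM's own comparison (a simplified reimplementation), because plain string comparison ranks 39.9 above 39.10; the host names and inventory are constructed sample data.

```python
import re

# Fixed version-release per distribution, copied from the "Versions" lines
# of the openssl notification above.
FIXED_OPENSSL = {
    "rh73": "0.9.6b-39.10.legacy",
    "rh9": "0.9.7a-20.6.legacy",
    "fc1": "0.9.7a-33.13.legacy",
    "fc2": "0.9.7a-35.2.legacy",
}


def _segments(s):
    """Split into runs of digits or ASCII letters; separators are dropped."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two version or release strings; returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            # A numeric segment is considered newer than an alphabetic one.
            return 1 if xnum else -1
        if xnum:
            # Numeric compare without int(): strip zeros, longer is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def needs_update(distro, installed):
    """True when the installed openssl is older than the fixed package."""
    return compare_evr(installed, FIXED_OPENSSL[distro]) < 0


def audit(inventory):
    """Return the hosts whose openssl predates the fixed version."""
    return [host for host, distro, evr in inventory if needs_update(distro, evr)]


# Constructed sample inventory: (host, distribution, installed version-release).
# On a real host the string would come from something like:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
INVENTORY = [
    ("web1", "rh73", "0.9.6b-39.9.legacy"),
    ("web2", "rh73", "0.9.6b-39.10.legacy"),
    ("mail1", "fc1", "0.9.7a-33.12.legacy"),
    ("db1", "fc2", "0.9.7a-35.2.legacy"),
    ("old1", "rh9", "0.9.7a-20.5.legacy"),
]

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(host, "needs the updated openssl package")
```
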

From marcdeslauriers at videotron.ca Fri Nov 25 04:37:48 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Thu, 24 Nov 2005 23:37:48 -0500
Subject: Fedora Legacy Test Update Notification: htdig
Message-ID: <4386951C.4090109@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152907
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152907
2005-11-24
---------------------------------------------------------------------

Name        : htdig
Versions    : rh73: htdig-3.2.0-2.011302.3.legacy
Versions    : rh9: htdig-3.2.0-16.20021103.3.legacy
Versions    : fc1: htdig-3.2.0-19.20030601.2.legacy
Versions    : fc2: htdig-3.2.0b5-7.2.legacy
Summary     : A Web indexing system.
Description :
The ht://Dig system is a Web search and indexing system for a small
domain or intranet. This system is not meant to replace the need for
powerful Internet-wide search systems; instead it is meant to cover the
search needs for a single company, campus, or even a particular
subsection of a website.

---------------------------------------------------------------------
Update Information:

Updated htdig packages that fix a security bug are now available.

The ht://Dig system is a Web search and indexing system for a small
domain or intranet.

A cross-site scripting bug has been found in htdig. This issue could
allow an attacker to send a carefully crafted message, which could
result in causing the victim's machine to execute a malicious script.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-0085 to this issue.

All users of htdig should upgrade to these updated packages, which
include a backported patch to correct this issue.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Nov 21 2005 Marc Deslauriers 3.2.0-2.011302.3.legacy
- Added missing autoconf, automake, sendmail, time, bison and
  openssl-devel to BuildRequires
* Sun Nov 20 2005 Marc Deslauriers 3.2.0-2.011302.2.legacy
- Added missing section back into CAN-2005-0085 patch
* Sun Jun 12 2005 Marc Deslauriers 3.2.0-2.011302.1.legacy
- Added patch for CAN-2005-0085

rh9:
* Mon Nov 21 2005 Marc Deslauriers 3.2.0-16.20021103.3.legacy
- Added missing autoconf, automake, sendmail, time, bison, libtool and
  openssl-devel to BuildRequires
* Sun Nov 20 2005 Marc Deslauriers 3.2.0-16.20021103.2.legacy
- Added missing section back into CAN-2005-0085 patch
* Sun Jun 12 2005 Marc Deslauriers 3.2.0-16.20021103.1.legacy
- Added patch for CAN-2005-0085

fc1:
* Thu Nov 24 2005 Marc Deslauriers 3.2.0-19.20030601.1.legacy
- Added missing autoconf, automake, sendmail, time, bison, libtool
  httpd and openssl-devel to BuildRequires
* Sun Jun 12 2005 Marc Deslauriers 3.2.0-19.20030601.1.legacy
- Added patch for CAN-2005-0085

fc2:
* Thu Nov 24 2005 Marc Deslauriers 3.2.0b5-7.2.legacy
- Added missing autoconf, automake, sendmail, time, bison, libtool
  httpd and openssl-devel to BuildRequires
* Sun Jun 12 2005 Marc Deslauriers 3.2.0b5-7.1.legacy
- Added patch for CAN-2005-0085

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

---------------------------------------------------------------------

Please test and comment in bugzilla.

From lists at benjamindsmith.com Mon Nov 28 19:39:07 2005
From: lists at benjamindsmith.com (Benjamin Smith)
Date: Mon, 28 Nov 2005 11:39:07 -0800
Subject: Testing?
In-Reply-To: <1131551117.11558767c44ff@mail.ph.utexas.edu>
References: <200511090053.48032.lists@benjamindsmith.com> <1131551117.11558767c44ff@mail.ph.utexas.edu>
Message-ID: <200511281139.07512.lists@benjamindsmith.com>

// TRIMMED TO COME IN UNDER 40K //

Ok, so I've been using testing enabled in my yum.conf for some time now.

What's the easiest way to report that "everything is fine"?

yum list installed doesn't seem to report whether an RPM is in "testing" or
"regular". But, FYI, I've attached a copy of the output. Uptime is currently
76 days using the latest kernel. 2.4.22-1.2199.5.legacy.nptl
? ? ? ? ? ? ?db ? ? ? ? ? oaf ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.6.10-8 ? ? ? ? ? ? ? ? db ? ? ? ? ? openjade ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.3.2-8 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? openldap ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.1.22-8 ? ? ? ? ? ? ? ? db ? ? ? ? ? openssh ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 3.6.1p2-19.2.legacy ? ? ?db ? ? ? ? ? openssh-askpass ? ? ? ? ? ? ? ? ? ? i386 ? 3.6.1p2-19.2.legacy ? ? ?db ? ? ? ? ? openssh-askpass-gnome ? ? ? ? ? ? ? i386 ? 3.6.1p2-19.2.legacy ? ? ?db ? ? ? ? ? openssh-clients ? ? ? ? ? ? ? ? ? ? i386 ? 3.6.1p2-19.2.legacy ? ? ?db ? ? ? ? ? openssh-server ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.6.1p2-19.2.legacy ? ? ?db ? ? ? ? ? openssl ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.9.7a-33.13.legacy ? ? ?db ? ? ? ? ? pam ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.77-15 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pam_krb5 ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.0.5-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pam_smb ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.1.7-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pango ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.2.5-4 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? parted ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.6.3-31 ? ? ? ? ? ? ? ? db ? ? ? ? ? passwd ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.68-4 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? patch ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.5.4-18 ? ? ? ? ? ? ? ? db ? ? ? ? ? pax ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 3.0-7 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pciutils ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.1.10-8 ? ? ? ? ? ? ? ? db ? ? ? ? ? pcre ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.4-1 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3:5.8.3-16 ? ? ? ? ? ? ? db ? ? ? ? ? perl-DateManip ? ? ? ? ? ? ? ? ? ? ?noarch 5.40-30 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-Filter ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.29-8 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? perl-HTML-Parser ? ? ? ? ? ? ? ? ? ?i386 ? 3.26-18 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-HTML-Tagset ? ? ? ? ? ? ? ? ? ?noarch 3.03-28 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-Parse-Yapp ? ? ? ? ? ? ? 
? ? ? noarch 1.05-30 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-URI ? ? ? ? ? ? ? ? ? ? ? ? ? ?noarch 1.21-7 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? perl-XML-Dumper ? ? ? ? ? ? ? ? ? ? noarch 0.4-25 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? perl-XML-Encoding ? ? ? ? ? ? ? ? ? noarch 1.01-23 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-XML-Parser ? ? ? ? ? ? ? ? ? ? i386 ? 2.31-16 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-libwww-perl ? ? ? ? ? ? ? ? ? ?noarch 5.65-6 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? perl-libxml-enno ? ? ? ? ? ? ? ? ? ?noarch 1.02-29 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? perl-libxml-perl ? ? ? ? ? ? ? ? ? ?noarch 0.07-28 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? php ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.3.11-1.fc1.3.legacy ? ?db ? ? ? ? ? php-mbstring ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.3.11-1.fc1.3.legacy ? ?db ? ? ? ? ? php-mysql ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.3.11-1.fc1.3.legacy ? ?db ? ? ? ? ? php-pgsql ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.3.11-1.fc1.3.legacy ? ?db ? ? ? ? ? pilot-link ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1:0.11.8-1 ? ? ? ? ? ? ? db ? ? ? ? ? pinfo ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.6.7-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pnm2ppa ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1:1.04-8 ? ? ? ? ? ? ? ? db ? ? ? ? ? popt ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.8.1-0.30 ? ? ? ? ? ? ? db ? ? ? ? ? portmap ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.0-57 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? postgresql ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 7.3.9-1.2.legacy ? ? ? ? db ? ? ? ? ? postgresql-libs ? ? ? ? ? ? ? ? ? ? i386 ? 7.3.9-1.2.legacy ? ? ? ? db ? ? ? ? ? postgresql-server ? ? ? ? ? ? ? ? ? i386 ? 7.3.9-1.2.legacy ? ? ? ? db ? ? ? ? ? ppp ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.4.1-15 ? ? ? ? ? ? ? ? db ? ? ? ? ? prelink ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.3.0-13 ? ? ? ? ? ? ? ? db ? ? ? ? ? printman ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.0.1-1.20021202.15 ? ? ?db ? ? ? ? ? procmail ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.22-11 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? procps ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.0.17-5 ? ? ? ? ? ? ? ? db ? ? ? ? ? 
psmisc ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 21.3-2.RHEL.0 ? ? ? ? ? ?db ? ? ? ? ? psutils ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.17-20 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pyOpenSSL ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.5.1-11 ? ? ? ? ? ? ? ? db ? ? ? ? ? pygtk2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.0.0-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pygtk2-libglade ? ? ? ? ? ? ? ? ? ? i386 ? 2.0.0-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pyorbit ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.0.0-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? python ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.2.3-7 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? python-optik ? ? ? ? ? ? ? ? ? ? ? ?noarch 1.4.1-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? pyxf86config ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.3.12-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? qt ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1:3.1.2-14.2 ? ? ? ? ? ? db ? ? ? ? ? quota ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1:3.06-11 ? ? ? ? ? ? ? ?db ? ? ? ? ? raidtools ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.00.3-6 ? ? ? ? ? ? ? ? db ? ? ? ? ? rdate ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.3-3 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rdist ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1:6.1.5-30.1 ? ? ? ? ? ? db ? ? ? ? ? readline ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.3-7 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-artwork ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.88-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-date ? ? ? ? ? ? ? ? ?noarch 1.5.25-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-keyboard ? ? ? ? ? ? ?noarch 1.1.5-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-config-language ? ? ? ? ? ? ?noarch 1.0.16-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-mouse ? ? ? ? ? ? ? ? noarch 1.1.2-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-config-network ? ? ? ? ? ? ? noarch 1.3.10-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-network-tui ? ? ? ? ? noarch 1.3.10-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-packages ? ? ? ? ? ? ?noarch 1.2.7-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-config-printer ? ? ? ? ? ? ? i386 ? 0.6.79.5-1 ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-printer-gui ? ? ? ? ? i386 ? 0.6.79.5-1 ? 
? ? ? ? ? ? db ? ? ? ? ? redhat-config-rootpassword ? ? ? ? ?noarch 1.0.6-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-config-securitylevel ? ? ? ? i386 ? 1.2.11-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-securitylevel-tui ? ? i386 ? 1.2.11-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-services ? ? ? ? ? ? ?noarch 0.8.5-23 ? ? ? ? ? ? ? ? db ? ? ? ? ? redhat-config-soundcard ? ? ? ? ? ? noarch 1.0.8-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-config-users ? ? ? ? ? ? ? ? noarch 1.2.4-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-logviewer ? ? ? ? ? ? ? ? ? ?noarch 0.9.3-6 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? redhat-menus ? ? ? ? ? ? ? ? ? ? ? ?noarch 0.40-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? reiserfs-utils ? ? ? ? ? ? ? ? ? ? ?i386 ? 2:3.6.8-1.1 ? ? ? ? ? ? ?db ? ? ? ? ? rhgb ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.11.2-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? rhn-applet ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.1.4-3 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rhnlib ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?noarch 1.4-1 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rhpl ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.121-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rmt ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.4b34-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? rootfiles ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 7.2-6 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rp-pppoe ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.5-8.2.legacy ? ? ? ? ? db ? ? ? ? ? rpm ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.2.1-0.30 ? ? ? ? ? ? ? db ? ? ? ? ? rpm-python ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.2.1-0.30 ? ? ? ? ? ? ? db ? ? ? ? ? rsh ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.17-19 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? rsync ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.5.7-5.fc1.1 ? ? ? ? ? ?db ? ? ? ? ? run ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.0-3 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? samba ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 3.0.10-1.fc1.1.legacy ? ?db ? ? ? ? ? samba-common ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.0.10-1.fc1.1.legacy ? ?db ? ? ? ? ? schedutils ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.3.0-4 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? screen ? ? ? ? ? ? ? ? ? ? ? ? 
? ? ?i386 ? 3.9.15-11 ? ? ? ? ? ? ? ?db ? ? ? ? ? scrollkeeper ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.3.12-2 ? ? ? ? ? ? ? ? db ? ? ? ? ? sed ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.0.8-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? sendmail ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 8.12.10-1.1.1 ? ? ? ? ? ?db ? ? ? ? ? setarch ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.0-1 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? setserial ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.17-13 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? setup ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 2.5.27-1.1 ? ? ? ? ? ? ? db ? ? ? ? ? setuptool ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.13-2 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? sgml-common ? ? ? ? ? ? ? ? ? ? ? ? noarch 0.6.3-14 ? ? ? ? ? ? ? ? db ? ? ? ? ? shadow-utils ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2:4.0.3-12 ? ? ? ? ? ? ? db ? ? ? ? ? slang ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.4.5-18.1 ? ? ? ? ? ? ? db ? ? ? ? ? slocate ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.7-4 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? slrn ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.9.7.4-10 ? ? ? ? ? ? ? db ? ? ? ? ? sox ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 12.17.4-4.fc1 ? ? ? ? ? ?db ? ? ? ? ? specspo ? ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 9.0.92-1 ? ? ? ? ? ? ? ? db ? ? ? ? ? star ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.5a18-2 ? ? ? ? ? ? ? ? db ? ? ? ? ? startup-notification ? ? ? ? ? ? ? ?i386 ? 0.5-2 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? statserial ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.1-33 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? stunnel ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.04-6 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? sudo ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.6.7p5-2.2.legacy ? ? ? db ? ? ? ? ? switchdesk ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.9.8-18 ? ? ? ? ? ? ? ? db ? ? ? ? ? switchdesk-gnome ? ? ? ? ? ? ? ? ? ?i386 ? 3.9.8-18 ? ? ? ? ? ? ? ? db ? ? ? ? ? symlinks ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.2-20 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? sysklogd ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.4.1-13 ? ? ? ? ? ? ? ? db ? ? ? ? ? syslinux ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.06-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? 
talk ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.17-21 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? tar ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.13.25-12 ? ? ? ? ? ? ? db ? ? ? ? ? tcp_wrappers ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 7.6-34.as21.1 ? ? ? ? ? ?db ? ? ? ? ? tcpdump ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 14:3.7.2-8.fc1.2 ? ? ? ? db ? ? ? ? ? tcsh ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 6.12-5 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? telnet ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1:0.17-26.2.1.legacy ? ? db ? ? ? ? ? termcap ? ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 11.0.1-17 ? ? ? ? ? ? ? ?db ? ? ? ? ? time ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.7-22 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? tmpwatch ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.9.0-2 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? traceroute ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.4a12-20.1 ? ? ? ? ? ? ?db ? ? ? ? ? ttfprint ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.9-10 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? ttmkfdir ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.0.9-7 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? tzdata ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?noarch 2004b-1.fc1 ? ? ? ? ? ? ?db ? ? ? ? ? unix2dos ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.2-20 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? unzip ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 5.50-35 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? up2date ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.1.21-3 ? ? ? ? ? ? ? ? db ? ? ? ? ? up2date-gnome ? ? ? ? ? ? ? ? ? ? ? i386 ? 4.1.21-3 ? ? ? ? ? ? ? ? db ? ? ? ? ? urw-fonts ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 2.1-5.1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? usbutils ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.11-2.1 ? ? ? ? ? ? ? ? db ? ? ? ? ? usermode ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.69-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? usermode-gtk ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.69-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? utempter ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 0.5.5-3.FC1.0 ? ? ? ? ? ?db ? ? ? ? ? util-linux ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.11y-29.2.legacy ? ? ? ?db ? ? ? ? ? vconfig ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1.8-1 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? vim-common ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 
1:6.2.532-1.3.legacy ? ? db ? ? ? ? ? vim-minimal ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 1:6.2.532-1.3.legacy ? ? db ? ? ? ? ? vixie-cron ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3.0.1-76 ? ? ? ? ? ? ? ? db ? ? ? ? ? vnc-server ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.0-0.beta4.3.2 ? ? ? ? ?db ? ? ? ? ? vte ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 0.11.10-4 ? ? ? ? ? ? ? ?db ? ? ? ? ? wget ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.8.2-15.3 ? ? ? ? ? ? ? db ? ? ? ? ? which ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.16-1 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? wireless-tools ? ? ? ? ? ? ? ? ? ? ?i386 ? 26-1 ? ? ? ? ? ? ? ? ? ? db ? ? ? ? ? words ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 2-21 ? ? ? ? ? ? ? ? ? ? db ? ? ? ? ? wvdial ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.53-12 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? xinetd ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2:2.3.12-4.10.0 ? ? ? ? ?db ? ? ? ? ? xisdnload ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 3.2-5.p1 ? ? ? ? ? ? ? ? db ? ? ? ? ? xloadimage ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 4.1-29 ? ? ? ? ? ? ? ? ? db ? ? ? ? ? xml-common ? ? ? ? ? ? ? ? ? ? ? ? ?noarch 0.6.3-14 ? ? ? ? ? ? ? ? db ? ? ? ? ? xscreensaver ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1:4.14-2 ? ? ? ? ? ? ? ? db ? ? ? ? ? xsri ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1:2.1.0-6 ? ? ? ? ? ? ? ?db ? ? ? ? ? xterm ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 179-5 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? yelp ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.4.0-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? yp-tools ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 2.8-2 ? ? ? ? ? ? ? ? ? ?db ? ? ? ? ? ypbind ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 3:1.12-3 ? ? ? ? ? ? ? ? db ? ? ? ? ? yum ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? noarch 2.0.5-1 ? ? ? ? ? ? ? ? ?db ? ? ? ? ? zip ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? i386 ? 2.3-26.1.1.legacy ? ? ? ?db ? ? ? ? ? zlib ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?i386 ? 1.2.0.7-2.3.legacy ? ? ? db ? ? ? ? ? 
-Ben

On Wednesday 09 November 2005 07:45, Eric Rostetter wrote:
> > It's hard for me to say anything other than "that recent glibc library
> > installed OK" since I've not done anything else with it, other than see it
> > appear in yum a while back.
>
> The hard part is you have to track what was installed, so you know what
> to report as working. It doesn't do much good to say "all the testing
> packages I've installed work okay" if we don't know which packages those
> include and which it doesn't include.
>
> If you track the installed versions, then it is of value to us.
>
> > Does this information provide any actual value? Is there some testing harness
> > available somewhere so I can know "yep" or "nope" package foo works or
> > doesn't?
>
> Yes, it is of value. Your system obviously is running the kernel. So if
> you track that you installed a new kernel, and assume you then reboot to
> that new kernel, and your machine runs fine for several days, then you have
> in effect QA'd that the kernel is stable in your setup.

"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978

From marcdeslauriers at videotron.ca Tue Nov 29 00:40:23 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 28 Nov 2005 19:40:23 -0500
Subject: Fedora Legacy Test Update Notification: squid
Message-ID: <438BA377.5020805@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152809
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809
2005-11-28
---------------------------------------------------------------------

Name        : squid
Versions    : rh7.3: squid-2.4.STABLE7-0.73.3.legacy
Versions    : rh9: squid-2.5.STABLE1-9.10.legacy
Versions    : fc1: squid-2.5.STABLE3-2.fc1.6.legacy
Versions    : fc2: squid-2.5.STABLE9-1.FC2.4.legacy
Summary     : The Squid proxy caching server.
Description :
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process. Squid keeps meta data and especially
hot objects cached in RAM, caches DNS lookups, supports non-blocking
DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System
lookup program (dnsserver), a program for retrieving FTP data
(ftpget), and some management and client tools.

---------------------------------------------------------------------
Update Information:

An updated Squid package that fixes several security issues is now
available.

Squid is a full-featured Web proxy cache.

A buffer overflow was found within the NTLM authentication helper
routine. If Squid is configured to use the NTLM authentication helper,
a remote attacker could potentially execute arbitrary code by sending a
lengthy password. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0541 to this issue.

An out of bounds memory read bug was found within the NTLM
authentication helper routine. If Squid is configured to use the NTLM
authentication helper, a remote attacker could send a carefully crafted
NTLM authentication packet and cause Squid to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2004-0832 to this issue.

iDEFENSE reported a flaw in the squid SNMP module. This flaw could
allow an attacker who has the ability to send arbitrary packets to the
SNMP port to restart the server, causing it to drop all open
connections. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0918 to this issue.

A buffer overflow flaw was found in the Gopher relay parser. This bug
could allow a remote Gopher server to crash the Squid proxy that reads
data from it.
Although Gopher servers are now quite rare, a malicious web page (for
example) could redirect or contain a frame pointing to an attacker's
malicious gopher server. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0094 to this
issue.

An integer overflow flaw was found in the WCCP message parser. It is
possible to crash the Squid server if an attacker is able to send a
malformed WCCP message with a spoofed source address matching Squid's
"home router". The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0095 to this issue.

A memory leak was found in the NTLM fakeauth_auth helper. It is
possible that an attacker could place the Squid server under high load,
causing the NTLM fakeauth_auth helper to consume a large amount of
memory, resulting in a denial of service. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0096 to this issue.

A NULL pointer de-reference bug was found in the NTLM fakeauth_auth
helper. It is possible for an attacker to send a malformed NTLM type 3
message, causing the Squid server to crash. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0097 to this issue.

A username validation bug was found in squid_ldap_auth. It is possible
for a username to be padded with spaces, which could allow a user to
bypass explicit access control rules or confuse accounting. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0173 to this issue.

The way Squid handles HTTP responses was found to need strengthening.
It is possible that a malicious web server could send a series of HTTP
responses in such a way that the Squid cache could be poisoned,
presenting users with incorrect webpages. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the names
CVE-2005-0174 and CVE-2005-0175 to these issues.

When processing the configuration file, Squid parses empty Access
Control Lists (ACLs) and proxy_auth ACLs without defined auth schemes
in a way that effectively removes arguments, which could allow remote
attackers to bypass intended ACLs. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0194
to this issue.

A buffer overflow bug was found in the WCCP message parser. It is
possible that an attacker could send a malformed WCCP message which
could crash the Squid server or execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0211 to this issue.

A bug was found in the way Squid handled oversized HTTP response
headers. It is possible that a malicious web server could send a
specially crafted HTTP header which could cause the Squid cache to be
poisoned, presenting users with incorrect webpages. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0241 to this issue.

A bug was found in the way Squid handles FQDN lookups. It was possible
to crash the Squid server by sending a carefully crafted DNS response
to an FQDN lookup. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0446 to this issue.

A race condition bug was found in the way Squid handles the now
obsolete Set-Cookie header. It is possible that Squid can leak
Set-Cookie header information to other clients connecting to Squid. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0626 to this issue.

A bug was found in the way Squid handles PUT and POST requests. It is
possible for an authorised remote user to cause a failed PUT or POST
request which can cause Squid to crash. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0718
to this issue.

A bug was found in the way Squid processes errors in the access control
list.
It is possible that an error in the access control list could give
users more access than intended. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-1345
to this issue.

A bug was found in the way Squid handles access to the cachemgr.cgi
script. It is possible for an authorised remote user to bypass access
control lists with this flaw. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-1999-0710 to this
issue.

A bug was found in the way Squid handles DNS replies. If the port Squid
uses for DNS requests is not protected by a firewall it is possible for
a remote attacker to spoof DNS replies, possibly redirecting a user to
spoofed or malicious content. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-1519 to this
issue.

A bug was found in the way Squid displays error messages. A remote
attacker could submit a request containing an invalid hostname which
would result in Squid displaying a previously used error message. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-2479 to this issue.

Two denial of service bugs were found in the way Squid handles
malformed requests. A remote attacker could submit a specially crafted
request to Squid that would cause the server to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2005-2794 and CVE-2005-2796 to these issues.

A bug was found in the way Squid handles certain request sequences
while performing NTLM authentication. It is possible for an attacker to
cause Squid to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-2917 to this issue.

Users of Squid should upgrade to this updated package, which contains
backported patches, and is not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Wed Nov 16 2005 Marc Deslauriers 7:2.4.STABLE7-0.73.3.legacy
- Added security patches for CVE-2005-0718, CVE-1999-0710,
  CVE-2005-1519, CVE-2004-2479 and CVE-2005-2794
- Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

* Sat Mar 19 2005 Marc Deslauriers 7:2.4.STABLE7-0.73.2.legacy
- Added security patch for CAN-2005-0446 taken from RHEL3
- Added backported security patch for CAN-2005-0626

* Wed Feb 16 2005 Marc Deslauriers 7:2.4.STABLE7-0.73.1.legacy
- Rebuilt as Fedora Legacy security update for Red Hat Linux 7.3

* Tue Feb 01 2005 Jay Fenlason
- Two more security fixes:
  * CAN-2005-0211 bz#146777 buffer overflow in wccp recvfrom() call
  * bz#146780 correct handling of oversize reply headers

* Mon Jan 31 2005 Jay Fenlason
- Change the squid user's login shell to /sbin/nologin

* Mon Jan 31 2005 Jay Fenlason 7:2.4.STABLE7-1.21as.3
- Don't include the 0-length files created by patch in the errors
  directory.

* Fri Jan 28 2005 Jay Fenlason 7:2.4.STABLE7-1.21as.2
- Backport three more security fixes to close bz#146159
- Also backport the -reply_header_max_size patch
- Reorganize this spec file to apply upstream patches first.

* Thu Jan 20 2005 Jay Fenlason 7:2.4.STABLE7-1.21as.1
- Backport fixes for CAN-2005-0094 (remote DOS in parsing malformed
  Gopher messages). and CAN-2005-0095 (remote DOS in parsing malformed
  wccp messages).
- This version of squid is not vulnerable to CAN-2005-0096 and
  CAN-2005-0097 because it does not contain the ntlm_auth helper.

* Tue Oct 12 2004 Jay Fenlason 7:2.4.STABLE7-1.21as
- Backport SNMP_core_dump patch from 2.5.STABLE6 to fix CAN-2004-0918
  (Remote DoS)

* Mon Jun 21 2004 Jay Fenlason 7:2.4.STABLE7-0.21as
- bump to 2.4.STABLE7 to pick up all the post STABLE6 patches
- Include the three upstream patches to 2.4.STABLE7
- Add the forward_retries one-line patch for bugzilla #120849

rh9:
* Wed Nov 16 2005 Marc Deslauriers 7:2.5.STABLE1-9.10.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345,
  CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794,
  CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

* Fri Mar 18 2005 Marc Deslauriers 7:2.5.STABLE1-9.9.legacy
- Added security patch for CAN-2005-0446 taken from RHEL3
- Added backported security patch for CAN-2005-0626

* Sat Feb 19 2005 Marc Deslauriers 7:2.5.STABLE1-8.9.legacy
- Added openssl-devel and cyrus-sasl-devel BuildPrereq

* Wed Feb 16 2005 Marc Deslauriers 7:2.5.STABLE1-7.9.legacy
- Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096,
  CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175,
  CAN-2005-0194, CAN-2005-0211, CAN-2005-0241

* Sat Oct 16 2004 Marc Deslauriers 7:2.5.STABLE1-6.9.legacy
- CAN-2004-0918 security patch (snmp DoS)

* Fri Sep 10 2004 Marc Deslauriers 7:2.5.STABLE1-5.9.legacy
- CAN-2004-0832 security patch (malformed NTLMSSP packets crash NTLM
  helpers)

* Tue Jun 08 2004 Marc Deslauriers 7:2.5.STABLE1-4.9.legacy
- CAN-2004-0541 security patch (NTLM Authentication Helper Buffer
  Overflow)

fc1:
* Tue Nov 15 2005 Marc Deslauriers 7:2.5.STABLE3-2.fc1.6.legacy
- Added security patches for CVE-2005-0718, CVE-2005-1345,
  CVE-1999-0710, CVE-2005-1519, CVE-2004-2479, CVE-2005-2794,
  CVE-2005-2796 and CVE-2005-2917
- Update the permissions on /etc/squid/squid.conf to prevent
  unauthorized viewing of potential plaintext passwords

* Sat Mar 19 2005 Marc Deslauriers 7:2.5.STABLE3-2.fc1.5.legacy
- Added security patch for CAN-2005-0446 taken from RHEL3
- Added backported security patch for CAN-2005-0626

* Sun Feb 20 2005 Marc Deslauriers 7:2.5.STABLE3-2.fc1.4.legacy
- Added missing openssl-devel and cyrus-sasl-devel BuildPrereq

* Wed Feb 16 2005 Marc Deslauriers 7:2.5.STABLE3-2.fc1.3.legacy
- Security patches for CAN-2005-0094, CAN-2005-0095, CAN-2005-0096,
  CAN-2005-0097, CAN-2005-0173, CAN-2005-0174, CAN-2005-0175,
  CAN-2005-0194, CAN-2005-0211, CAN-2005-0241

* Tue Oct 12 2004 Rob Myers 7:2.5.STABLE3-2.fc1.2.legacy
- apply patch for CAN-2004-0918 bug #2150
- group last patch under fedora legacy security updates

* Tue Oct 05 2004 Rob Myers 7:2.5.STABLE3-2.fc1.1.legacy
- apply patch from 2.5.STABLE3-1.fc1 RHEL3 for CAN-2004-0832

fc2:
* Mon Nov 28 2005 Marc Deslauriers 7:2.5.STABLE9-1.FC3.4.legacy
- Added missing pkgconfig BuildPrereq

* Tue Nov 15 2005 Marc Deslauriers 7:2.5.STABLE9-1.FC3.3.legacy
- Added security patches for CVE-1999-0710, CVE-2005-1519,
  CVE-2005-2794, CVE-2005-2796 and CVE-2005-2917

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
5db383926b0358e7b1a74cd0c84d3c253fae82a6 redhat/7.3/updates-testing/i386/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm
8d2b75252ee52b9fe943d4478960e30508bae4ea redhat/7.3/updates-testing/SRPMS/squid-2.4.STABLE7-0.73.3.legacy.src.rpm

rh9:
d90f37a598d6789876d85fc41297fb6d6957711d redhat/9/updates-testing/i386/squid-2.5.STABLE1-9.10.legacy.i386.rpm
c6f5927ebca3000a5d9cb2d52912e9ea989ee8eb redhat/9/updates-testing/SRPMS/squid-2.5.STABLE1-9.10.legacy.src.rpm

fc1:
4e1d0e1546e50f3f694617ce641b31230b3989ad fedora/1/updates-testing/i386/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm
03e318f01302e6305d368349ea778ac9f104839d fedora/1/updates-testing/SRPMS/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm

fc2:
9eb87b9c886d2c72d6ecefa3f70e016d65de9574 fedora/2/updates-testing/i386/squid-2.5.STABLE9-1.FC2.4.legacy.i386.rpm
6aab32f2cb1e01196722d2ee6e980dc3915d788b fedora/2/updates-testing/SRPMS/squid-2.5.STABLE9-1.FC2.4.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.

From marcdeslauriers at videotron.ca Tue Nov 29 00:41:16 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Mon, 28 Nov 2005 19:41:16 -0500
Subject: [FLSA-2005:166943] Updated php packages fix security issues
Message-ID: <438BA3AC.9040202@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:      Updated php packages fix security issues
Advisory ID:   FLSA:166943
Issue date:    2005-11-28
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-2498 CVE-2005-3390 CVE-2005-3389
               CVE-2005-3388 CVE-2005-3353
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated PHP packages that fix multiple security issues are now
available.

PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in
PHP. If a PHP script is used which implements an XML-RPC Server using
the PEAR XML-RPC package, then it is possible for a remote attacker to
construct an XML-RPC request which can cause PHP to execute arbitrary
PHP commands as the 'apache' user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2498
to this issue.

A flaw was found in the way PHP registers global variables during a
file upload request.
A remote attacker could submit a carefully crafted
multipart/form-data POST request that would overwrite the $GLOBALS
array, altering expected script behavior, and possibly leading to the
execution of arbitrary PHP commands. Please note that this
vulnerability only affects installations which have register_globals
enabled in the PHP configuration file, which is not a default or
recommended option. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3390 to this issue.

A flaw was found in the PHP parse_str() function. If a PHP script
passes only one argument to the parse_str() function, and the script
can be forced to abort execution during operation (for example due to
the memory_limit setting), the register_globals may be enabled even if
it is disabled in the PHP configuration file. This vulnerability only
affects installations that have PHP scripts using the parse_str
function in this way. (CVE-2005-3389)

A Cross-Site Scripting flaw was found in the phpinfo() function. If a
victim can be tricked into following a malicious URL to a site with a
page displaying the phpinfo() output, it may be possible to inject
javascript or HTML content into the displayed page or steal data such
as cookies. This vulnerability only affects installations which allow
users to view the output of the phpinfo() function. As the phpinfo()
function outputs a large amount of information about the current state
of PHP, it should only be used during debugging or if protected by
authentication. (CVE-2005-3388)

A denial of service flaw was found in the way PHP processes EXIF image
data. It is possible for an attacker to cause PHP to crash by supplying
carefully crafted EXIF image data. (CVE-2005-3353)

Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.16.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.16.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.16.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org

---------------------------------------------------------------------

From marcdeslauriers at videotron.ca Wed Nov 30 01:25:29 2005
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Date: Tue, 29 Nov 2005 20:25:29 -0500
Subject: Fedora Legacy Test Update Notification: mysql
Message-ID: <438CFF89.1040104@videotron.ca>

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-167803
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167803
2005-11-29
---------------------------------------------------------------------

Name        : mysql
Versions    : rh7.3: mysql-3.23.58-1.73.8.legacy
Versions    : rh9: mysql-3.23.58-1.90.9.legacy
Versions    : fc1: mysql-3.23.58-4.6.legacy
Versions    : fc2: mysql-3.23.58-16.FC2.3.legacy
Summary     : The MySQL server and related files.
Description :
MySQL is a true multi-user, multi-threaded SQL database server. MySQL
is a client/server implementation that consists of a server daemon
(mysqld) and many different client programs and libraries. This
package contains the MySQL server and some accompanying files and
directories.

---------------------------------------------------------------------
Update Information:

Updated mysql packages that fix a security issue are now available.

MySQL is a multi-user, multi-threaded SQL database server.

Reid Borsuk discovered a buffer overflow in the MySQL init_syms()
function. A user with the ability to create and execute a user defined
function could potentially execute arbitrary code on the MySQL server.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2558 to this issue.

This release fixes two additional problems. A regression was introduced
in a patch included in the previous MySQL packages that resulted in
queries performing a DELETE without a WHERE failing on ISAM tables.
Also, the MySQL init script was improved to allow the MySQL service to
restart properly during upgrades.

All users of the MySQL server are advised to upgrade to these updated
packages, which contain fixes for these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Nov 28 2005 Marc Deslauriers 3.23.58-1.73.8.legacy
- Fixed typo in init script

* Sat Nov 26 2005 Marc Deslauriers 3.23.58-1.73.7.legacy
- Updated init script (#172426) (#152531)
- Updated security2 patch to fix DELETE without WHERE issue (#168542)
- Added patch to fix CVE-2005-2558

rh9:
* Mon Nov 28 2005 Marc Deslauriers 3.23.58-1.90.9.legacy
- Fixed typo in init script

* Sat Nov 26 2005 Marc Deslauriers 3.23.58-1.90.8.legacy
- Updated init script (#172426) (#152531)

* Sun Nov 20 2005 Marc Deslauriers 3.23.58-1.90.7.legacy
- Updated security2 patch to fix DELETE without WHERE issue (#168542)
- Added patch to fix CVE-2005-2558

fc1:
* Tue Nov 29 2005 Marc Deslauriers 3.23.58-4.6.legacy
- Fixed typo in init script

* Sat Nov 26 2005 Marc Deslauriers 3.23.58-4.5.legacy
- Updated init script (#172426) (#152531)
- Updated security2 patch to fix DELETE without WHERE issue (#168542)
- Added patch to fix CVE-2005-2558

fc2:
* Tue Nov 29 2005 Marc Deslauriers 3.23.58-16.FC2.3.legacy
- Fixed typo in init script

* Sat Nov 26 2005 Marc Deslauriers 3.23.58-16.FC2.2.legacy
- Updated init script (#172426) (#152531)
- Updated security2 patch to fix DELETE without WHERE issue (#168542)
- Added patch to fix CVE-2005-2558

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.

From jpdalbec at ysu.edu Wed Nov 30 14:11:42 2005
From: jpdalbec at ysu.edu (John Dalbec)
Date: Wed, 30 Nov 2005 09:11:42 -0500
Subject: glibc update
Message-ID: <438DB31E.8050709@ysu.edu>

I installed glibc-2.2.5-44.legacy.6 on a production NFS server and
clients and I started getting locking timeouts accessing shared files
(mail spool) on the server. Has anyone else experienced this? I looked
at the patches and I didn't see why they would affect NFS locking.
However, I rolled back the update and the errors seem to have gone
away. But it could just be that the server is not as heavily used
today. I was also getting problems accessing shared files from the
clients, especially the UW-IMAP server. Should I try recompiling
UW-IMAP against the new glibc?
Thanks,
John

From jpdalbec at ysu.edu Wed Nov 30 17:09:09 2005
From: jpdalbec at ysu.edu (John Dalbec)
Date: Wed, 30 Nov 2005 12:09:09 -0500
Subject: PHP IMAP segfault
Message-ID: <438DDCB5.3050004@ysu.edu>

I'm getting segfaults in imap_fetch_overview in php_imap.c. I think
this is caused by the latest viruses sending out spam messages with
corrupted headers. My end users are unable to read mail through IMP
when they get one of these in their mailbox. I guess I could have my
MTA reject the messages but that doesn't help people who've already
received one.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 8920)]
0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so
(gdb) backtrace
#0  0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so
#1  0x67696c61 in ?? ()
Cannot access memory at address 0x62656420

The following code looks suspicious to me:

    char address[MAILTMPLEN];
    ...
    rfc822_write_address(address, env->from);
    ...
    rfc822_write_address(address, env->to);

It looks like this function is from libc-client.a.
I've looked at the IMAP source code and fixing it (snprintf-style)
looks nontrivial. Any takers?
Thanks,
John

From pekkas at netcore.fi Wed Nov 30 19:37:51 2005
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 30 Nov 2005 21:37:51 +0200 (EET)
Subject: issues list(s)
Message-ID:

Remember, there's always a need for folks to do some QA testing. See
the wiki for instructions and how to get started:
http://www.fedoraproject.org/wiki/Legacy/QATesting

In particular, look at both of the "missing VERIFY" sections or
"lacking PUBLISH".

http://www.netcore.fi/pekkas/buglist.html (all)
http://www.netcore.fi/pekkas/buglist-rhl73.html
http://www.netcore.fi/pekkas/buglist-rhl9.html
http://www.netcore.fi/pekkas/buglist-core1.html
http://www.netcore.fi/pekkas/buglist-fc2.html

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From michal at harddata.com Wed Nov 30 19:52:46 2005
From: michal at harddata.com (Michal Jaegermann)
Date: Wed, 30 Nov 2005 12:52:46 -0700
Subject: PHP IMAP segfault
In-Reply-To: <438DDCB5.3050004@ysu.edu>
References: <438DDCB5.3050004@ysu.edu>
Message-ID: <20051130195246.GA25423@mail.harddata.com>

On Wed, Nov 30, 2005 at 12:09:09PM -0500, John Dalbec wrote:
> (gdb) backtrace
> #0  0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so
> #1  0x67696c61 in ?? ()
> Cannot access memory at address 0x62656420

0x62656420 actually spells " deb" (little endian) and 0x67696c61 is
"alig". Sounds suspiciously like
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411
which you actually posted, with the exception that, depending on what
distro you are using, it may be either imap or libc-client libraries
(or maybe php has a copy of this code?). So you may want to look as
well at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170521

Clearly this may be a wrong guess.

Michal
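
The reading of the backtrace in the reply above (a frame address and a fault address that are really string bytes) can be checked mechanically. This C sketch is an added example, not code from the thread, PHP or c-client; `addr_as_ascii` and `scan_trace` are hypothetical helper names, and the trace is the gdb output quoted in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The gdb output quoted in the thread (i386, so addresses are 32-bit). */
static const char SAMPLE_TRACE[] =
    "#0  0x409ba612 in zif_imap_fetch_overview () from /usr/lib/php4/imap.so\n"
    "#1  0x67696c61 in ?? ()\n"
    "Cannot access memory at address 0x62656420\n";

/* Read a 32-bit value as the four bytes it occupies in little-endian
 * memory. Returns 1 and fills out[] when all four are printable ASCII,
 * which is what a saved pointer overwritten by string data looks like. */
int addr_as_ascii(uint32_t addr, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        if (!isprint(b))
            return 0;
        out[i] = (char)b;
    }
    out[4] = '\0';
    return 1;
}

/* Scan debugger output for 0xXXXXXXXX tokens and collect the ones that
 * decode to text, joined with '|', in `found`. Returns the hit count. */
int scan_trace(const char *trace, char *found, size_t found_len)
{
    int hits = 0;
    size_t used = 0;

    if (found_len == 0)
        return 0;
    found[0] = '\0';

    for (const char *p = strstr(trace, "0x"); p != NULL; p = strstr(p, "0x")) {
        char *end;
        char text[5];
        unsigned long value = strtoul(p, &end, 16);

        /* Only full 8-digit addresses; shorter tokens are not pointers. */
        if (end - p == 10 && addr_as_ascii((uint32_t)value, text)) {
            int n = snprintf(found + used, found_len - used, "%s%s",
                             hits ? "|" : "", text);
            if (n < 0 || (size_t)n >= found_len - used) {
                found[used] = '\0';   /* drop the truncated fragment */
                break;
            }
            used += (size_t)n;
            hits++;
        }
        p = end;   /* strtoul always consumes at least the leading "0" */
    }
    return hits;
}

int main(void)
{
    char found[64];
    int hits = scan_trace(SAMPLE_TRACE, found, sizeof found);

    printf("%d address(es) decode to printable text: \"%s\"\n", hits, found);
    return 0;
}
```

Frame #0 is a plausible code address and is skipped; the two values that decode to text are the ones a write past the end of a fixed-size stack buffer would leave in the saved frame.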