From Nicholas at apiit.edu.my Thu Jun 1 08:25:50 2006 From: Nicholas at apiit.edu.my (Nicholas Adrian Suppiah) Date: Thu, 1 Jun 2006 16:25:50 +0800 Subject: [fedoraforum] installation problem with display using Riva 128 Message-ID: <35A4A7118F8E9249B44EFD17B127B3BA6FCA1A@pluto.apiit.edu.my> Hi all, I posted on installation problem for FC5 earlier today but after doing a memtest I found that the one of the RAM is faulty. Changed that and now I have a new problem. I get the following displayed in ALT+F2 screen and it hangs: . . . [] blkdev_file_write+0x1a/0x1e [] vfs_write+0xa1/0x146 [] sys_write+0x3c/0x63 [] syscall+0x7/0xb Any idea whats it about? From deisenst at gtw.net Thu Jun 1 22:21:40 2006 From: deisenst at gtw.net (David Eisenstein) Date: Thu, 1 Jun 2006 17:21:40 -0500 (CDT) Subject: Incorrect topic for channel #redhat on freenode?? Message-ID: <200606012221.k51MLeFX003308@twinkfed.homedns.org> Hi folks, Looking around freenode the other day, I noticed this topic for the channel #redhat: --- Topic for #redhat is Red Hat Linux 9 (Shrike) is EOL'd (End Of Life - no more security updates) | FAQ: http://people. redhat.com/tcallawa/faq.html | For support for Red Hat Enterprise products (RHEL 3, RHAS 2.1), go to #rhel | Fedora Core related discussion takes place in #fedora | Check out http://www.fedoralegacy.org if your distribution is EOL'd. There is also this that comes across when you join #redhat: -ChanServ- [#redhat] If you're using Red Hat Linux, you need to strongly consider upgrading to Fedora Core. All versions of Red Hat Linux are end-of-lifed. Doing stupid things with Red Hat Linux entitles you to mocking, taunting, and silencing (free of charge). If you're running Red Hat Enterprise Linux, you might want to look in #rhel. As far as I know, we are at present maintaining Red Hat Linux 7.3 and 9 for security updates, so that channel topic is just plain *wrong*. Wouldn't it be better for the topic to say something like: --- Topic for #redhat is Red Hat Linux 7.3 and 9 are in maintenance mode (security updates only) | FAQ: http://people.redhat.com/tcallawa/faq.html | For support for Red Hat Enterprise products (RHEL 4, 3, RHAS 2.1), go to #rhel | Fedora Core related discussion takes place in #fedora | Check out #fedora-legacy and http://www.fedoralegacy.org if your distribution is in maintenance mode. Do we need to look into changing that topic, or should we just let it be?? RHL 7.3 and RHL 9 are getting rather long in the tooth these days. Having those two distros to support in addition to all the others is slowing down the work we do in fixing security issues in distros that are more up to date. What do you all think?? Regards, David Eisenstein From donjr at maner.org Fri Jun 2 03:48:17 2006 From: donjr at maner.org (Donald Maner) Date: Thu, 1 Jun 2006 22:48:17 -0500 Subject: Incorrect topic for channel #redhat on freenode?? Message-ID: <4A5DA14CF063A54C9DB0C98CCE35B37398A2@selket.home.maner.org> I'm all for letting it be. The age of those two versions is starting to show, and I don't think I would encourage people who don't absolutely require those versions to keep them. > -----Original Message----- > From: fedora-legacy-list-bounces at redhat.com [mailto:fedora-legacy-list- > bounces at redhat.com] On Behalf Of David Eisenstein > Sent: Thursday, June 01, 2006 5:22 PM > To: Discussion of the Fedora Legacy Project > Subject: Incorrect topic for channel #redhat on freenode?? > > Hi folks, > > Looking around freenode the other day, I noticed this topic for the > channel #redhat: From deisenst at gtw.net Fri Jun 2 07:41:07 2006 From: deisenst at gtw.net (David Eisenstein) Date: Fri, 2 Jun 2006 02:41:07 -0500 (CDT) Subject: [Legacy] Mentoring for vulnerability bug tracking -- kernel, and general Message-ID: Hi, (Please forgive me for cross-posting, but I thought I'd post this question to all the relevant groups I could think of. Please let me know if I am committing a cross-posting felony here. :) ) I am in the process of mentoring someone to help them learn how to do vulnerability tracking for Fedora Legacy. This evening, we were looking at doing that for the kernels. We quickly got confused, though, because we weren't sure how to go about making sure we only report issues into Bugzilla that would be relevant kernel issues for Fedora Legacy at this time. One complicating factor here is that we in Legacy don't necessarily release kernels in any kind of lock-step with what either Fedora Core or Red Hat Enterprise Linux does, so the issues we have to fix are a different subset of issues than what is reported in any given RHSA or FEDORA release announcement. And even if we did release kernels in lockstep, no doubt there would still be differing CVE's per distro. (For those of you not familiar with Legacy processes: we normally put multiple CVE issues [maybe as many as dozens of CVE's] into a single bugzilla report for a given .src.rpm component; and we also put multiple distros in a given bugzilla ticket as well, using a "Version" tag of "unspecified" and tracking what distros are being worked on and their statuses via the use of Status Whiteboard entries. For more information about this, you can refer to , and the most recent completed Legacy kernel bug is here in case you're interested: .) I started to suggest to my mentee this method: Have a look at the latest release announcements from Fedora Legacy for the kernels that we maintain, and then look for issues in the usual places (e.g., those resources listed in ) that have come up since we released our latest security-fixed kernels. That would provide a list of CVE's to then put in a new Bugzilla ticket or add to an already-existing ticket that would likely be relevant. But is this enough? Does this method sound workable to you? Are we missing something? Do you have you have some better ideas how to track kernel vulnerabilities to get those vulnerabilities properly listed in a Bugzilla ticket to be worked on? A more general question is this: How do we in Fedora Legacy track vulnerabilities and make sure that we are aware of all the relevant vulnerabilities for the packages that we maintain, and haven't missed something? The fedora-security-list and Josh Bressers are using audit files to track all relevant security vulnerabilities for their sets of packages, which are kept in CVS here, but we here in Fedora Legacy haven't started using this kind of tool yet. Is it time for us to start doing so? If so, are any of you interested in forming some kind of vulnerability tracking team and getting started on such list(s) for the products we maintain? Thanks much in advance! Regards, David Eisenstein From sundaram at fedoraproject.org Fri Jun 2 11:20:58 2006 From: sundaram at fedoraproject.org (Rahul Sundaram) Date: Fri, 02 Jun 2006 16:50:58 +0530 Subject: [Legacy] Mentoring for vulnerability bug tracking -- kernel, and general In-Reply-To: References: Message-ID: <1149247258.4138.3.camel@sundaram.pnq.redhat.com> On Fri, 2006-06-02 at 02:41 -0500, David Eisenstein wrote: > A more general question is this: How do we in Fedora Legacy track > vulnerabilities and make sure that we are aware of all the relevant > vulnerabilities for the packages that we maintain, and haven't missed > something? > > The fedora-security-list and Josh Bressers are using audit files to track > all relevant security vulnerabilities for their sets of packages, which > are kept in CVS here, > > > but we here in Fedora Legacy haven't started using this kind of tool yet. > Is it time for us to start doing so? If so, are any of you interested in > forming some kind of vulnerability tracking team and getting started on > such list(s) for the products we maintain? It seems to me that whatever system used by the Fedora Security Team should be adopted by Fedora Legacy after discussion with the relevant contributors. Rahul From deisenst at gtw.net Sat Jun 3 19:56:21 2006 From: deisenst at gtw.net (David Eisenstein) Date: Sat, 03 Jun 2006 14:56:21 -0500 Subject: Full list of Seamonkey (unpatched Mozilla Suite??) vulnerabilities... Message-ID: <4481E965.3090809@gtw.net> Hi again all, More Seamonkey vulnerabilties... From , there is this list: Fixed in SeaMonkey 1.0.2 ------------------------ Critical - MFSA 2006-43 Privilege escalation using addSelectionListener High - MFSA 2006-42 Web site XSS using BOM on UTF-8 pages High - MFSA 2006-41 File stealing by changing input type (variant) Critical - MFSA 2006-40 Double-free on malformed VCard Low - MFSA 2006-39 "View Image" local resource linking (Windows) Critical - MFSA 2006-38 Buffer overflow in crypto.signText() Critical - MFSA 2006-37 Remote compromise via content-defined setter on object prototypes Critical - MFSA 2006-35 Privilege escalation through XUL persist Moderate - MFSA 2006-34 XSS viewing javascript: frames or images from context menu High - MFSA 2006-33 HTTP response smuggling Critical - MFSA 2006-32 Fixes for crashes with potential memory corruption Moderate - MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey) Similar lists exists for Firefox ("Fixed in Firefox 1.5.0.4") and Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page. Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and Thunderbird-1.0.8 .... What is the Mozilla Foundation trying to do here? Make zero-day exploits available to malware writers to use against legacy users of Mozilla-1.7.13 Firefox-1.0.8, and Thunderbird-1.0.8 users?!? Is there any coordination among outside maintainers of these legacy packages (since the Mozilla foundation's official policy is that Mozilla-1.7.13 was the end of the line for the Mozilla suite)? Should there be?? Regards, David Eisenstein ps: None of the detailed MSFA's linked to from the known-vulnerabilities page that I looked at had any CVE's listed for them. Does anyone know if any CVE's are assigned for these vulnerabilities? Also, all of the bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least for me). Does anyone here have access to those bug reports? From bressers at redhat.com Sun Jun 4 00:34:32 2006 From: bressers at redhat.com (Josh Bressers) Date: Sat, 03 Jun 2006 20:34:32 -0400 Subject: Full list of Seamonkey (unpatched Mozilla Suite??) vulnerabilities... In-Reply-To: Your message of "Sat, 03 Jun 2006 14:56:21 CDT." <4481E965.3090809@gtw.net> Message-ID: <200606040034.k540YWJA019896@devserv.devel.redhat.com> > > Similar lists exists for Firefox ("Fixed in Firefox 1.5.0.4") and > Thunderbird ("Fixed in Thunderbird 1.5.0.4") vulnerabilities on that same page. > > Somehow, I suspect that if these vulnerabilities exist in Seamonkey, then > many will also exist in Mozilla-1.7.13, in Firefox-1.0.8, and > Thunderbird-1.0.8 .... Some of them do, some of them don't. I don't have a complete list yet. I've tracked down the most critical issues. Take a look at these bugs for the CVE ids I've identified. Mozilla: 193906 Firefox: 193895 We're working on a patch for those particular issues. Thunderbird has no critical bugs. > > What is the Mozilla Foundation trying to do here? Make zero-day exploits > available to malware writers to use against legacy users of Mozilla-1.7.13 > Firefox-1.0.8, and Thunderbird-1.0.8 users?!? Is there any coordination > among outside maintainers of these legacy packages (since the Mozilla > foundation's official policy is that Mozilla-1.7.13 was the end of the line > for the Mozilla suite)? Should there be?? The Mozilla Foundation doesn't care about users running the older versions of the suite and Firefox. I could go into detail about their mishandling of this, but I'd rather not. They have no interest in coordinating with vendors in any way. They've done a very poor job communicating the EOL of their products. I personally consider releasing a critical update on a Friday very irresponsible. I've let them know this more than once, which has been ignored. > > Regards, > > David Eisenstein > > ps: None of the detailed MSFA's linked to from the known-vulnerabilities > page that I looked at had any CVE's listed for them. Does anyone know if > any CVE's are assigned for these vulnerabilities? Also, all of the > bugzilla.mozilla.org links from the MFSA's seem to be embargoed (at least > for me). Does anyone here have access to those bug reports? All issues have CVE ids. I'm attaching the CVE mails that detail these. -- JB From coley at mitre.org Fri Jun 2 18:01:38 2006 From: coley at mitre.org (coley at mitre.org) Date: Fri, 2 Jun 2006 14:01:38 -0400 (EDT) Subject: [CVENEW] New CVE CANs: 2006/06/02 14:00 ; count=4 Message-ID: <200606021801.k52I1cba021249@cairo.mitre.org> ====================================================== Name: CVE-2006-2775 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20060602 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-35.html Reference: CERT-VN:VU#243153 Reference: URL:http://www.kb.cert.org/vuls/id/243153 Mozilla Firefox and Thunderbird before 1.5.0.4 associates XZUL attributes with the wrong URL under certain unspecified circumstances, which might allow remote attackers to bypass restrictions by causing a persisted string to be associated with the wrong URL. ====================================================== Name: CVE-2006-2776 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20060602 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-37.html Reference: CERT-VN:VU#575969 Reference: URL:http://www.kb.cert.org/vuls/id/575969 Certain privileged UI code in Mozilla Firefox and Thunderbird before 1.5.0.4 calls content-defined setters on an object prototype, which allows remote attackers to execute code at a higher privilege than intended. ====================================================== Name: CVE-2006-2777 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2777 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20060602 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-43.html Reference: CERT-VN:VU#237257 Reference: URL:http://www.kb.cert.org/vuls/id/237257 Unspecified vulnerability in Mozilla Firefox before 1.5.0.4 and SeaMonkey before 1.0.2 allows remote attackers to execute arbitrary code by using the nsISelectionPrivate interface of the Selection object to add a SelectionListener and create notifications that are executed in a privileged context. ====================================================== Name: CVE-2006-2778 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20060602 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-38.html Reference: CERT-VN:VU#421529 Reference: URL:http://www.kb.cert.org/vuls/id/421529 The crypto.signText function in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to execute arbitrary code via certain optional Certificate Authority name arguments, which causes an invalid array index and triggers a buffer overflow. From coley at mitre.org Fri Jun 2 19:01:37 2006 From: coley at mitre.org (coley at mitre.org) Date: Fri, 2 Jun 2006 15:01:37 -0400 (EDT) Subject: [CVENEW] New CVE CANs: 2006/06/02 15:00 ; count=7 Message-ID: <200606021901.k52J1bOv022240@cairo.mitre.org> ====================================================== Name: CVE-2006-2779 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20060602 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2006/mfsa2006-32.html Reference: CERT-VN:VU#466673 Reference: URL:http://www.kb.cert.org/vuls/id/466673 Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested