[Bug 192830] New: CVE-2006-2453 Additional dia format string flaws
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830
Summary: CVE-2006-2453 Additional dia format string flaws
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: dia
AssignedTo: j.w.r.degoede(a)hhs.nl
ReportedBy: bressers(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-security-list(a)redhat.com
A number of additional format string issues were discovered by Hans de Goede and
have been assigned the CVE id CVE-2006-2453.
The fix is attachment 129852.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
16 years, 7 months
[Bug 240395] New: CVE-2007-2650: clamav OLE2 parser DoS
by Red Hat Bugzilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240395
Summary: CVE-2007-2650: clamav OLE2 parser DoS
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: clamav
AssignedTo: enrico.scholz(a)informatik.tu-chemnitz.de
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2650
"The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to cause a
denial of service (resource consumption) via an OLE2 file with (1) a large
property size or (2) a loop in the FAT file block chain that triggers an
infinite loop, as demonstrated via a crafted DOC file."
Affected versions unknown.
16 years, 9 months
Fedora 7 and the Security Response Team
by Josh Bressers
As everybody is no doubt aware, Fedora 7 is bringing a number of changes,
one of which will be putting the burden of security on the Fedora Security
Response Team. Right now it's basically the Red Hat Security Response Team
working on Core, and not much of anything happening for Extras. This is
going to change.
I'm going to be filing a request for some resources sometime this week. I
have an IRC bot and an xmlrpc server that will initially run from there.
The long term goal is to host the various security related tools that don't
yet exist.
In the meantime, the task at hand should be to start tracking flaws for
Fedora 7. What we usually would do at this point for core, is copy the fc6
file into fc7 in CVS. We then pore over the entries looking for
questionable items. I'm thinking what we should do for Fedora 7, is
merge the fe6 and fc6 files into a f7 (a better name is welcome) file, then
start working through this file. We've never done this in a distributed
manner before, so ideas are welcome.
--
JB
16 years, 10 months
[Bug 231734] New: CVE-2007-1246: xine-lib buffer overflow
by Red Hat Bugzilla
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231734
Summary: CVE-2007-1246: xine-lib buffer overflow
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: xine-lib
AssignedTo: gauret(a)free.fr
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list@redhat.com,ville.skytta(a)iki.fi
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1246
Originally reported against MPlayer, but it turns out xine-lib is vulnerable
too. Upstream fix pushed to FC6+ (1.1.4-3 currently building), but FC5 is still
at 1.1.2, probably already lacking "several bug and security fixes" as put by
upstream in the 1.1.3 release announcement. No FC5 system here to test with, so
leaving up to Aurelien to decide whether to update while at it or just to
possibly apply the patch for this issue from FC6+ (if it applies, unchecked).
------- Additional Comments From ville.skytta(a)iki.fi 2007-03-10 17:29 EST -------
Created an attachment (id=149781)
--> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=149781&action=view)
Fix from upstream CVS
16 years, 10 months