May 2007 - security [ARCHIVED] - Fedora Mailing-Lists

by Németh Tamás

Dear Fedora developers or Experts! Can you tell me if these is an Exec Shield kernel patch for most recent 2.6 series vanilla kernels being able to do full ALSR functionality, including the relocation of PIE binaries? When I look at Ingo Molnar's Exec Shield patch web page (http://people.redhat.com/mingo/exec-shield/), I got the impression that a fully featured Exec Shield patch set exists only for the 2.4 series of the Linux kernels. Am I correct? Thank you for the information! Best regards: Nemeth, Tamas IT administrator University of West-Hungary, Sopron, Hungary

16 years, 11 months

3
2
0 / 0

Security features of recent Fedora versions?

by Németh Tamás

Dear Fedora developers or Experts! In these days I am mostly engaged in the task of choosing a free and secure Linux ditribution for our university. I've read some documents from this field but I am in doubt in a few areas: When i look at Ingo Molnar's Exec Shield patch web page (http://people.redhat.com/mingo/exec-shield/), I got the impression that a fully feature Exec Shield patch set exists only for the 2.4 series of the Linux kernels, and on the 2.6 series it only provides NX. Am I correct? Is there an (maybe exprimental) Exec Shield patch for 2.6 kernels which provides full ALSR functionality, including the relocation of PIE binaries? If not, then I wonder why is it so difficult to be done for the 2.6 series. (For example PaX is still considered experimental on 2.6!) Are the Fedora packages linked with BIND_NOW option to make the -z relro linking option even more effective? Thank you for the information! Best regards: Nemeth, Tamas IT administrator University of West-Hungary, Sopron, Hungary

16 years, 11 months

1
0
0 / 0

[Bug 239213] New: CVE-2007-2500: gnash arbitrary code execution

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239213 Summary: CVE-2007-2500: gnash arbitrary code execution Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: gnash AssignedTo: pertusus(a)free.fr ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2500 "server/parser/sprite_definition.cpp in GNU Gnash (aka GNU Flash Player) 0.7.2 allows remote attackers to execute arbitrary code via a large number of SHOWFRAME elements within a DEFINESPRITE element, which triggers memory corruption and enables the attacker to call free with an arbitrary address, probably resultant from a buffer overflow." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 11 months

1
2
0 / 0

[Bug 239338] New: CVE-2007-1253: blender arbitrary python code execution

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239338 Summary: CVE-2007-1253: blender arbitrary python code execution Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: blender AssignedTo: Jochen(a)herr-schmitt.de ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1253 "Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script for Blender 0.1.9h, as used in (b) Blender before 2.43, allows user-assisted remote attackers to execute arbitrary Python code by importing a crafted (1) KML or (2) KMZ file." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 11 months

1
1
0 / 0

[Bug 238722] New: CVE-2007-2423: moin <= 1.5.7 XSS

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238722 Summary: CVE-2007-2423: moin <= 1.5.7 XSS Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2423 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: moin AssignedTo: matthias(a)rpmforge.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2423 "Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the do parameter in an AttachFile action, a different vulnerability than CVE-2007-0857." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 11 months

1
2
0 / 0

[Bug 228764] New: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228764 Summary: CVE-2007-0901, CVE-2007-0902: moin 1.5.7 XSS, information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: normal Component: moin AssignedTo: matthias(a)rpmforge.net ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com CVE's against moin 1.5.7, with little useful information available at the moment: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0902 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 11 months

1
3
0 / 0

[Bug 238615] New: CVE-2007-2413: perl-Imager < 0.57 heap based buffer overflow

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238615 Summary: CVE-2007-2413: perl-Imager < 0.57 heap based buffer overflow Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2413 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: perl-Imager AssignedTo: steve(a)silug.org ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security- list@redhat.com,ghenry(a)suretecsystems.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2413 "Heap-based buffer overflow in Imager before 0.57 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via compressed 8-bit BMP files." All distros currently at < 0.57. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 12 months

1
2
0 / 0

[Bug 235416] New: CVE-2004-1025, CVE-2004-1026: imlib integer/buffer overflows

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235416 Summary: CVE-2004-1025, CVE-2004-1026: imlib integer/buffer overflows Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: imlib AssignedTo: paul(a)city-fan.org ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-1025 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-1026 These two old issues appear to be still present in FE6 (1.9.13-*) and devel (1.9.15-*) imlib packages. Bug 138516 contains a test case XPM as well as a patch which should fix these issues. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 12 months

1
3
0 / 0

[Bug 238616] New: CVE-2007-2381: MochiKit javascript hijacking vulnerability

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238616 Summary: CVE-2007-2381: MochiKit javascript hijacking vulnerability Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: MochiKit AssignedTo: icon(a)fedoraproject.org ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2381 "The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."" -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 12 months

1
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] May 2007