June 2007 - security [ARCHIVED] - Fedora Mailing-Lists

[Bug 240970] New: CVE-2007-2821: wordpress < 2.2 admin-ajax.php SQL injection

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240970 Summary: CVE-2007-2821: wordpress < 2.2 admin-ajax.php SQL injection Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2821 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2821 "SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 9 months

1
2
0 / 0

[Bug 239904] New: CVE-2007-2627: wordpress sidebar.php XSS

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239904 Summary: CVE-2007-2627: wordpress sidebar.php XSS Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2627 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2627 "Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 9 months

1
3
0 / 0

Security Response product in Bugzilla, add-tracking-bugs?

by Ville Skyttä

Hi, Is the "Security Response" product in Bugzilla and the add-tracking-bugs functionality for creating dependency trees available for use to people who are not in the Red Hat security response team? Example: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244808 and its dependencies.

16 years, 9 months

2
1
0 / 0

Need some security advice for systemtap

by David Smith

I need some security development help (and this might be the wrong list - if so, please point me in the right direction). I'm one of the systemtap developers. You can see <http://sourceware.org/systemtap/> for details, but a 2 second overview is that systemtap allows users to write a script that probes points in the kernel. systemtap takes the script, converts it into C, compiles the C into a kernel module, inserts the kernel module, and displays any output from the compiled script. When the script finishes, we remove the kernel module. One of the complaints we get from users is that we require root access (using sudo) to install/remove the kernel module. Large enterprise customers typically don't give out sudo access to all admins. So, they would like a way to designate certain scripts/modules as "blessed", and allow admins/developers/etc. without root access to run those "blessed" scripts/modules. Some basic ideas about how we can allow users without sudo access to run "blessed" scripts/modules can be seen at <http://sources.redhat.com/bugzilla/show_bug.cgi?id=4523>, So, I'm looking for thoughts, criticisms, pointers, etc. to do this in a manner that won't allow a system to be easily compromised. We're in the fairly early stages of this idea, and I'm looking for direction before heading down the wrong road. Thanks for the help. -- David Smith dsmith(a)redhat.com Red Hat http://www.redhat.com 256.217.0141 (direct) 256.837.0057 (fax)

16 years, 9 months

8
17
0 / 0