September 2007 - security [ARCHIVED]

[RFC] Tracking bugs for Fedora; managing security flaws in multiple supported releases

by Lubomir Kundrak

Aim: To have a flexile way to deal with flaws affecting multiple packages in multiple versions of multiple products. http://fedoraproject.org/wiki/LubomirKundrak/TrackingBugsDraft This should grow into documentation on dealing with security flaws for both package maintainer and SRT member. -- Lubomir Kundrak (Security Response Team) Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic Registered in Brno under #CZ27690016

16 years, 7 months

2
1
0 / 0

fedora-security/audit fc6,1.260,1.261 fc7,1.108,1.109

by fedora-extras-commits＠redhat.com

Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23869/audit Modified Files: fc6 fc7 Log Message: Vulnerable rpc code also part of nfs-utils-lib and libtirpc. Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.260 retrieving revision 1.261 diff -u -r1.260 -r1.261 --- fc6 17 Sep 2007 15:42:28 -0000 1.260 +++ fc6 18 Sep 2007 15:43:23 -0000 1.261 @@ -36,6 +36,8 @@ CVE-2007-4168 backport (libexif) #243892 [since FEDORA-2007-614] CVE-2007-4000 backport (krb5) [since FEDORA-2007-690] CVE-2007-3999 backport (krb5) [since FEDORA-2007-690] +CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294911 +CVE-2007-3999 VULNERABLE (libtirpc) #294931 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3852 backport (sysstat) #252296 [since FEDORA-2007-675] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.108 retrieving revision 1.109 diff -u -r1.108 -r1.109 --- fc7 17 Sep 2007 15:42:28 -0000 1.108 +++ fc7 18 Sep 2007 15:43:23 -0000 1.109 @@ -74,6 +74,8 @@ CVE-2007-4029 backport (libvorbis) #245991 [since FEDORA-2007-1765] CVE-2007-4000 backport (krb5) [since FEDORA-2007-2017] CVE-2007-3999 backport (krb5) [since FEDORA-2007-2017] +CVE-2007-3999 VULNERABLE (nfs-utils-lib) #294901 +CVE-2007-3999 VULNERABLE (libtirpc) #294921 CVE-2007-3962 ignore (gftp) multiple buffer overflows in fsplib, not on Linux CVE-2007-3961 ignore (gftp) off-by-one error in fsplib CVE-2007-3852 backport (sysstat) #252295 [since FEDORA-2007-1697] -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

[Bug 243592] New: CVE-2007-3112, CVE-2007-3113: cacti DoS vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=243592 Summary: CVE-2007-3112, CVE-2007-3113: cacti DoS vulnerabilities Product: Fedora Extras Version: f7 Platform: All OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: cacti AssignedTo: mmcgrath(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3112 "Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_start or (2) graph_end parameter." http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3113 "Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_height or (2) graph_width parameter." The patch linked to in the reports applies to 0.8.6j too. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

16 years, 7 months

1
6
0 / 0

fedora-security/audit fc6,1.259,1.260 fc7,1.107,1.108

by fedora-extras-commits＠redhat.com

Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9548/audit Modified Files: fc6 fc7 Log Message: OOo tiff heap overflow is public now Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.259 retrieving revision 1.260 diff -u -r1.259 -r1.260 --- fc6 17 Sep 2007 15:03:16 -0000 1.259 +++ fc6 17 Sep 2007 15:42:28 -0000 1.260 @@ -91,6 +91,7 @@ CVE-2007-2869 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-2868 version (mozilla) #241840 [since FEDORA-2007-549] CVE-2007-2867 version (mozilla) #241840 [since FEDORA-2007-549] +CVE-2007-2834 VULNERABLE (openoffice.org, fixed 2.3) #293371 CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-538] CVE-2007-2797 version (xterm) CVE-2007-2453 version (kernel) [since FEDORA-2007-600] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.107 retrieving revision 1.108 diff -u -r1.107 -r1.108 --- fc7 17 Sep 2007 15:03:16 -0000 1.107 +++ fc7 17 Sep 2007 15:42:28 -0000 1.108 @@ -187,6 +187,7 @@ CVE-2007-2865 version (phpPgAdmin, fixed 4.1.2) #241489 [since FEDORA-2007-0469] CVE-2007-2844 ignore (php) #241641 CVE-2007-2843 ignore (konqueror) safari specific +CVE-2007-2834 VULNERABLE (openoffice.org, fixed 2.3) #293361 CVE-2007-2821 version (wordpress, fixed 2.2) #245211 [since FEDORA-2007-0894] CVE-2007-2799 version (file, fixed 4.21) #241034 [since FEDORA-2007-0836] CVE-2007-2798 version (krb5, 1.6.1) [since FEDORA-2007-0740] -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc6,1.258,1.259 fc7,1.106,1.107

by fedora-extras-commits＠redhat.com

Author: thoger Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7566/audit Modified Files: fc6 fc7 Log Message: Add quagga bgpd DoS Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.258 retrieving revision 1.259 diff -u -r1.258 -r1.259 --- fc6 17 Sep 2007 10:09:34 -0000 1.258 +++ fc6 17 Sep 2007 15:03:16 -0000 1.259 @@ -9,6 +9,7 @@ GENERIC-MAP-NOMATCH VULNERABLE (wpa_supplicant) #293011 CVE-2007-4897 VULNERABLE (ekiga, version 2.0.9 ?) +CVE-2007-4826 VULNERABLE (quagga, fixed 0.99.9) CVE-2007-4752 VULNERABLE (openssh) #280471 CVE-2007-4743 backport (krb5) incomplete CVE-2007-3999 fix [since FEDORA-2007-694] CVE-2007-4730 VULNERABLE (xorg-x11) #286061 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.106 retrieving revision 1.107 diff -u -r1.106 -r1.107 --- fc7 17 Sep 2007 12:02:09 -0000 1.106 +++ fc7 17 Sep 2007 15:03:16 -0000 1.107 @@ -17,6 +17,7 @@ CVE-2007-4841 ignore (mozilla suite) Windows only CVE-2007-4840 ignore (php) CVE-2007-4828 (mediawiki, fixed 1.11.0, 1.10.2, 1.9.4) #287881 +CVE-2007-4826 VULNERABLE (quagga, fixed 0.99.9) in updates-testing CVE-2007-4752 VULNERABLE (openssh) #280461 CVE-2007-4743 backport (krb5) incomplete CVE-2007-3999 fix [since FEDORA-2007-2066] CVE-2007-4730 VULNERABLE (xorg-x11) #286051 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc7,1.105,1.106

by fedora-extras-commits＠redhat.com

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4197 Modified Files: fc7 Log Message: Duplicity Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.105 retrieving revision 1.106 diff -u -r1.105 -r1.106 --- fc7 17 Sep 2007 11:01:38 -0000 1.105 +++ fc7 17 Sep 2007 12:02:09 -0000 1.106 @@ -8,6 +8,7 @@ # Up to date CVE as of CVE email 20070914 # Up to date FC7 as of 20070916 +GENERIC-MAP-NOMATCH VULNERABLE (duplicity) #293081 GENERIC-MAP-NOMATCH VULNERABLE (nx) #293031 GENERIC-MAP-NOMATCH VULNERABLE (wpa_supplicant) #293011 CVE-2007-4897 version (ekiga, version 2.0.9 ?) -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc7,1.104,1.105

by fedora-extras-commits＠redhat.com

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28843 Modified Files: fc7 Log Message: Our libextractor is too new (libextractor-0.5.17a-1.fc7), xpdf code not used since 0.5.12 Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.104 retrieving revision 1.105 diff -u -r1.104 -r1.105 --- fc7 17 Sep 2007 10:41:12 -0000 1.104 +++ fc7 17 Sep 2007 11:01:38 -0000 1.105 @@ -132,7 +132,7 @@ CVE-2007-3387 backport (kdegraphics) #251509 [since FEDORA-2007-1594] CVE-2007-3387 backport (koffice) #251522 [since FEDORA-2007-1614] CVE-2007-3387 backport (cups) #251518 [since FEDORA-2007-1541] -CVE-2007-3387 ** (libextractor) +CVE-2007-3387 ignore (libextractor) http://bugs.gentoo.org/show_bug.cgi?id=188169 CVE-2007-3384 ignore (tomcat) only affects 3.3.x and just affects an example CVE-2007-3381 version (gdm, fixed 2.18.4) #250277 [since FEDORA-2007-1362] CVE-2007-3378 ignore (php) safe mode escape -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc7,1.103,1.104

by fedora-extras-commits＠redhat.com

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20654 Modified Files: fc7 Log Message: nx Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.103 retrieving revision 1.104 diff -u -r1.103 -r1.104 --- fc7 17 Sep 2007 10:09:34 -0000 1.103 +++ fc7 17 Sep 2007 10:41:12 -0000 1.104 @@ -8,6 +8,7 @@ # Up to date CVE as of CVE email 20070914 # Up to date FC7 as of 20070916 +GENERIC-MAP-NOMATCH VULNERABLE (nx) #293031 GENERIC-MAP-NOMATCH VULNERABLE (wpa_supplicant) #293011 CVE-2007-4897 version (ekiga, version 2.0.9 ?) CVE-2007-4894 version (wordpress, fixed 2.2.3) [since FEDORA-2007-2143] -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc6,1.257,1.258 fc7,1.102,1.103

by fedora-extras-commits＠redhat.com

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15525 Modified Files: fc6 fc7 Log Message: wpa_supplicant Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.257 retrieving revision 1.258 diff -u -r1.257 -r1.258 --- fc6 17 Sep 2007 09:52:54 -0000 1.257 +++ fc6 17 Sep 2007 10:09:34 -0000 1.258 @@ -7,6 +7,7 @@ # Up to date CVE as of CVE email 20070914 # Up to date FC6 as of 20070916 +GENERIC-MAP-NOMATCH VULNERABLE (wpa_supplicant) #293011 CVE-2007-4897 VULNERABLE (ekiga, version 2.0.9 ?) CVE-2007-4752 VULNERABLE (openssh) #280471 CVE-2007-4743 backport (krb5) incomplete CVE-2007-3999 fix [since FEDORA-2007-694] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.102 retrieving revision 1.103 diff -u -r1.102 -r1.103 --- fc7 17 Sep 2007 09:52:54 -0000 1.102 +++ fc7 17 Sep 2007 10:09:34 -0000 1.103 @@ -8,6 +8,7 @@ # Up to date CVE as of CVE email 20070914 # Up to date FC7 as of 20070916 +GENERIC-MAP-NOMATCH VULNERABLE (wpa_supplicant) #293011 CVE-2007-4897 version (ekiga, version 2.0.9 ?) CVE-2007-4894 version (wordpress, fixed 2.2.3) [since FEDORA-2007-2143] CVE-2007-4893 version (wordpress, fixed 2.2.3) [since FEDORA-2007-2143] -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

fedora-security/audit fc6,1.256,1.257 fc7,1.101,1.102

by fedora-extras-commits＠redhat.com

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9302 Modified Files: fc6 fc7 Log Message: QT is not embargoed anymore, track for fedora Index: fc6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc6,v retrieving revision 1.256 retrieving revision 1.257 diff -u -r1.256 -r1.257 --- fc6 17 Sep 2007 07:53:32 -0000 1.256 +++ fc6 17 Sep 2007 09:52:54 -0000 1.257 @@ -27,6 +27,7 @@ CVE-2007-4225 ignore (kdebase) caused by fix to CVE-2007-3820 which we never shipped CVE-2007-4224 ignore (kdebase) too obvious -- mouse pointer indicates script activity CVE-2007-4211 version (dovecot, fixed 1.0.3) #251009 [since FEDORA-2007-664] +CVE-2007-4137 VULNERABLE (qt) #292951 CVE-2007-4134 VULNERABLE (star, fixed 1.5a84) #254129 CVE-2007-4131 backport (tar) #253684 [since FEDORA-2007-683] CVE-2007-4029 backport (libvorbis) #250600 [since FEDORA-2007-677] Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.101 retrieving revision 1.102 diff -u -r1.101 -r1.102 --- fc7 17 Sep 2007 07:53:32 -0000 1.101 +++ fc7 17 Sep 2007 09:52:54 -0000 1.102 @@ -62,6 +62,7 @@ CVE-2007-4154 ignore (wordpress) "remote authenticated administrators" CVE-2007-4139 version (wordpress) #250751 [since FEDORA-2007-1885] CVE-2007-4138 version (samba, fixed 3.0.26) #286311 [since FEDORA-2007-2145] +CVE-2007-4137 VULNERABLE (qt) #292941 CVE-2007-4134 version (star, fixed 1.5a84) #254128 [since FEDORA-2007-1852] CVE-2007-4131 backport (tar) #253684 [since FEDORA-2007-1890] CVE-2007-4066 backport (libvorbis) #245991 [since FEDORA-2007-1765] -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

16 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] September 2007