Re: Moving Mozilla to Seamonkey

2006-07-27 Thread Marc Deslauriers
On Thu, 2006-07-27 at 15:11 -0600, Stephen John Smoogen wrote:
 I think it might be a good idea to evaluate a change of
 Firefox/Thunderbird/Mozilla to the latest tree set. This would mean
 changing Mozilla to Seamonkey, and moving Firefox/Thunderbird to 1.5.x
 series.
 
 I know this is a big change, but is the time to backport fixes worth
 the headache in time of bug open in this case?

We should stick to what RHEL is doing. Seamonkey is coming out for RHEL,
so that's a change we should make. I suggest waiting to see what happens
with Firefox...

Marc.


signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Re: Moving Mozilla to Seamonkey

2006-07-27 Thread Marc Deslauriers
On Fri, 2006-07-28 at 03:42 +0530, Rahul wrote:
 In general, IMO, Fedora Legacy errata policy should be to bump up to 
 the newer upstream version on ancillary packages and backport fixes to 
 only libraries or software that have other visible major dependencies 
 and externally defined interfaces which are known to be used by third 
 parties. If there isn't any opposition to this, I will add this piece of 
 info to the wiki pages and FAQ on legacy.

Who is going to test the bump up to the newer upstream version? We have
tried this in the past and got hit by more bugs and more work than
simply backporting the security fixes.

How do we determine what's considered an ancillary package? Is Firefox
an ancillary package? What about PHP or sendmail?

Marc.


[FLSA-2006:175040] Updated php packages fix security issues

2006-07-27 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated php packages fix security issues
Advisory ID:   FLSA:175040
Issue date:2006-07-27
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2933 CVE-2005-3883 CVE-2006-0208
   CVE-2006-0996 CVE-2006-1490 CVE-2006-1990
-


-
1. Topic:

Updated PHP packages that fix multiple security issues are now
available.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static
c-client libraries from imap and therefore needed to be recompiled
against the fixed version. (CVE-2005-2933)

An input validation error was found in the mb_send_mail() function. An
attacker could use this flaw to inject arbitrary headers in a mail sent
via a script calling the mb_send_mail() function where the To
parameter can be controlled by the attacker. (CVE-2005-3883)

The error handling output was found to not properly escape HTML output
in certain cases. An attacker could use this flaw to perform cross-site
scripting attacks against sites where both display_errors and
html_errors are enabled. (CVE-2006-0208)

The phpinfo() PHP function did not properly sanitize long strings. An
attacker could use this to perform cross-site scripting attacks against
sites that have publicly-available PHP scripts that call phpinfo().
(CVE-2006-0996)

The html_entity_decode() PHP function was found to not be binary safe.
An attacker could use this flaw to disclose a certain part of the
memory. In order for this issue to be exploitable the target site would
need to have a PHP script which called the html_entity_decode()
function with untrusted input from the user and displayed the result.
(CVE-2006-1490)

The wordwrap() PHP function did not properly check for integer overflow
in the handling of the break parameter. An attacker who could control
the string passed to the break parameter could cause a heap overflow.
(CVE-2006-1990)

Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.20.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.20.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.21.legacy.i386.rpm

Re: Squirrelmail 1.4.7 security fixes

2006-07-24 Thread Marc Deslauriers
On Mon, 2006-07-24 at 10:39 +0200, Nils Breunese (Lemonbit Internet)
wrote:
 I see squirrelmail 1.4.7 fixes several security issues (see
 http://www.squirrelmail.org/changelog.php), but I couldn't find any bugs
 related to these in bugzilla. I'm not a bugzilla wizard however, so I  
 didn't open any, I might just be blind. Can anyone tell me if these  
 issues affect current installations and should bug reports be opened?

Yeah, current installations are probably vulnerable. There are no bugs
open against this. Please feel free to open one.

Thanks.

Marc.


[FLSA-2006:189137-1] Updated mozilla packages fix security issues

2006-06-06 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:   Updated mozilla packages fix security issues
Advisory ID:FLSA:189137-1
Issue date: 2006-06-06
Product:Red Hat Linux, Fedora Core
Keywords:   Bugfix, Security
CVE Names:  CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1727
CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731
CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735
CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740
CVE-2006-1741 CVE-2006-1742 CVE-2006-1790
-


-
1. Topic:

Updated mozilla packages that fix several security bugs are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Several bugs were found in the way Mozilla processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)

Several bugs were found in the way Mozilla processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of chrome, allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Mozilla processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Mozilla. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Mozilla displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Mozilla allows javascript mutation events on
input form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)

A bug was found in the way Mozilla executes in-line mail forwarding. If
a user can be tricked into forwarding a maliciously crafted mail message
as in-line content, it is possible for the message to execute javascript
with the permissions of chrome. (CVE-2006-0884)

Users of Mozilla are advised to upgrade to these updated packages
containing Mozilla version 1.7.13 which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.13-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.13-0.73.1.legacy.i386.rpm

[FLSA-2006:189137-2] Updated firefox package fixes security issues

2006-06-06 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:   Updated firefox package fixes security issues
Advisory ID:FLSA:189137-2
Issue date: 2006-06-06
Product:Fedora Core
Keywords:   Bugfix, Security
CVE Names:  CVE-2006-0748 CVE-2006-0749 CVE-2006-1724 CVE-2006-1727
CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731
CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735
CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740
CVE-2006-1741 CVE-2006-1742 CVE-2006-1790
-


-
1. Topic:

An updated firefox package that fixes several security bugs is now
available.

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several bugs were found in the way Firefox processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)

Several bugs were found in the way Firefox processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of chrome, allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Firefox processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Firefox. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Firefox displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Firefox allows javascript mutation events on
input form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)

Users of Firefox are advised to upgrade to these updated packages
containing Firefox version 1.0.8 which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum  Package Name
-

8b719bb18c6dfe14b472c684ac5133d82d1b96d0
fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
946f2ccbc412675ee6959a3dee50c2cb3ba90c3a
fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
0747aa65730e328a9274ec66c0de8dc30645dc1d
fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:


[FLSA-2006:190777] Updated X.org packages fix security issue

2006-06-06 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated X.org packages fix security issue
Advisory ID:   FLSA:190777
Issue date:2006-06-06
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2006-1526
-


-
1. Topic:

Updated X.org packages that fix a security issue are now available.

X.org is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces (GUIs) such as GNOME and KDE are designed upon.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

A buffer overflow flaw in the X.org server RENDER extension was
discovered. A malicious authorized client could exploit this issue to
cause a denial of service (crash) or potentially execute arbitrary code
with root privileges on the X.org server. (CVE-2006-1526)

Users of X.org should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190777

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xorg-x11-6.8.2-1.FC3.45.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-doc-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-font-utils-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGL-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGLU-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-sdk-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-tools-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-twm-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xauth-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xdm-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xdmx-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xfs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xnest-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xvfb-6.8.2-1.FC3.45.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm

[FLSA-2006:190884] Updated squirrelmail package fixes security issues

2006-06-06 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated squirrelmail package fixes security issues
Advisory ID:   FLSA:190884
Issue date:2006-06-06
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2006-0188 CVE-2006-0195 CVE-2006-0377
-


-
1. Topic:

An updated squirrelmail package that fixes three security issues is now
available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way SquirrelMail presents the right frame to the
user. If a user can be tricked into opening a carefully crafted URL, it
is possible to present the user with arbitrary HTML data.
(CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It
is possible to cause a victim's web browser to request remote content by
opening an HTML email while running a web browser that processes certain
types of invalid style sheets. Only Internet Explorer is known to
process such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an
IMAP mailbox. If a user can be tricked into opening a carefully crafted
URL, it is possible to execute arbitrary IMAP commands as the user
viewing their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package,
which contains SquirrelMail version 1.4.6 and is not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

7. Verification:

SHA1 sum Package Name
-

rh9:
62ae72ed168667c97e1b6ccc5bc23dea6c374bcb
redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm
51264756a2f2bb5d8e6f5b6d1d33dcba40f41a68
redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

fc1:
0e2dbf765d4df6592fad31ff331a3101fd33674e
fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm
7c6d183c795bfd1da1e872a74e7ff1f197afb93a
fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

fc2:
36bc9ae701f8844d6369dde0f2d4a537b2dce85c
fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm
60098c585bc6bab9df4e3883e3a0b0762fd4dc6d
fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

fc3:
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
9e96352495249c4aa526b24729128696467ca728
fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm
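
The verification step described in the firefox advisory above (section 7:
compare each downloaded RPM's sha1sum with the advisory's list, then run
rpm --checksig) applies equally to the squirrelmail SHA1 table just
shown. The POSIX shell script below is an added example and is not part
of the Fedora Legacy advisories or of the project's own tooling: it
parses the 40-hex-digit checksum / relative-path pairs out of a saved
copy of an advisory, checks the files under a local mirror directory
laid out like download.fedoralegacy.org, and reports OK, FAIL or SKIP
per package before handing the present files to rpm --checksig. The
function names, the mirror-directory argument and the package file
names used in comments are assumptions; the signature step assumes the
Fedora Legacy GPG key from the advisory's security page has already been
imported into the rpm database.

```shell
#!/bin/sh
# Added example: verify Fedora Legacy update RPMs against an FLSA advisory's
# "7. Verification" SHA1 list, then check GPG signatures with rpm.
# Function names and the local mirror layout are assumptions, not Fedora
# Legacy tooling.

# sha1 of a file, portable across coreutils (sha1sum) and BSD (shasum).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'
    fi
}

# Pull "<40 hex digits>" / "<relative .rpm path>" line pairs out of the saved
# advisory text. Anything else (headings, "fc3:" labels, the dashed rule)
# resets the pairing so a stray checksum is never matched to the wrong file.
flsa_sha1_list() {
    awk '
        NF == 1 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { sum = $1; next }
        NF == 1 && sum != "" && $1 ~ /\.rpm$/ { printf "%s  %s\n", sum, $1; sum = ""; next }
        { sum = "" }
    ' "$1"
}

# Compare every listed package present under the mirror directory with its
# advertised SHA1. Exit status: 0 when all present files match (and at least
# one was checked), 1 on any mismatch, 2 when there was nothing to check.
verify_flsa_sha1() {
    advisory=$1
    mirror=$2
    tmp=$(mktemp) || return 2
    flsa_sha1_list "$advisory" > "$tmp"
    checked=0
    failed=0
    while read -r expected relpath; do
        file="$mirror/$relpath"
        if [ ! -f "$file" ]; then
            echo "SKIP  $relpath (not downloaded)"
            continue
        fi
        actual=$(sha1_of "$file")
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK    $relpath"
        else
            echo "FAIL  $relpath"
            echo "      expected $expected"
            echo "      got      $actual"
            failed=$((failed + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$failed" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2
    return 0
}

# Signature check. A matching SHA1 only proves the file equals the one the
# advisory describes; rpm --checksig proves the package was signed with the
# Fedora Legacy key, which must already be imported into the rpm database.
verify_flsa_signatures() {
    tmp=$(mktemp) || return 2
    flsa_sha1_list "$1" > "$tmp"
    rc=0
    while read -r expected relpath; do
        file="$2/$relpath"
        [ -f "$file" ] || continue
        rpm --checksig "$file" || rc=1
    done < "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: sh verify_flsa.sh saved-advisory.txt /srv/mirror
if [ "$#" -eq 2 ]; then
    verify_flsa_sha1 "$1" "$2" && verify_flsa_signatures "$1" "$2"
fi
```

The two checks are kept separate on purpose: the checksum comparison
detects a corrupted or swapped download with nothing but the advisory
text, while the signature check is the one that ties the package to the
Fedora Legacy key, so a FAIL from either should stop the rpm -Fvh step.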

Re: Fedora products, to upgrade rather than backport?

2006-05-15 Thread Marc Deslauriers
On Mon, 2006-05-15 at 15:20 -0400, Jesse Keating wrote:
 So in the RHL space, the choice was clear.  Backport whenever possible.
 However the Fedora landscape is different.  Upstream Core does not do
 backporting, they more often than not version upgrade to resolve
 security issues.  Why should Legacy be any different?  If we want to be
 transparent to end users we should follow what upstream does.

Every time we've decided to upgrade a package instead of backporting
security fixes, we've broken other stuff and have had to work twice as
hard to get things back into working order.

I don't think we have the resources to upgrade packages. Backporting is
a lot less work...

Marc.


Fedora Legacy Test Update Notification: mozilla

2006-05-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-189137-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
2006-05-15
-

Name: mozilla
Versions: rh7.3: mozilla-1.7.13-0.73.1.legacy
Versions: rh9:   mozilla-1.7.13-0.90.1.legacy
Versions: fc1:   mozilla-1.7.13-1.1.1.legacy
Versions: fc2:   mozilla-1.7.13-1.2.1.legacy
Versions: fc3:   mozilla-1.7.13-1.3.1.legacy
Summary : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

-
Update Information:

Updated mozilla packages that fix several security bugs are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

Several bugs were found in the way Mozilla processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)

Several bugs were found in the way Mozilla processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of chrome, allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Mozilla processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Mozilla. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Mozilla displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Mozilla allows javascript mutation events on
input form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)

A bug was found in the way Mozilla executes in-line mail forwarding. If
a user can be tricked into forwarding a maliciously crafted mail message
as in-line content, it is possible for the message to execute javascript
with the permissions of chrome. (CVE-2006-0884)

Users of Mozilla are advised to upgrade to these updated packages
containing Mozilla version 1.7.13 which corrects these issues.

-
Changelogs

rh7.3:
* Sat Apr 22 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.13-0.73.1.legacy
- Updated to 1.7.13 to fix security issues


rh9:
* Sat Apr 22 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.13-0.90.1.legacy
- Updated to 1.7.13 to fix security issues

fc1:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.13-1.1.1.legacy
- Updated to 1.7.13 to fix security issues


fc2:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.13-1.2.1.legacy
- Updated to 1.7.13 to fix security issues

fc3:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.13-1.3.1.legacy
- Updated to 1.7.13 to fix security issues

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
b7616c52ee2776f3577fcda0a0628c5ec6cffae7
redhat/7.3/updates-testing/i386/mozilla-1.7.13-0.73.1.legacy.i386.rpm
a6234bd3b89616ce5b924a36c95ba1421b6b8ecf
redhat/7.3/updates-testing/i386/mozilla-chat-1.7.13-0.73.1.legacy.i386.rpm
3d7b92d47b825f5a936c54ca63679916f428917e
redhat/7.3/updates-testing/i386/mozilla-devel-1.7.13-0.73.1.legacy.i386.rpm
2b4c765543b3f4fc5ac04127ca70c70a33fddaec
redhat/7.3/updates-testing/i386/mozilla-dom-inspector-1.7.13-0.73.1.legacy.i386.rpm
c15eceb55105a87f8d5dc0db24b9cf95e815a5a2
redhat/7.3/updates-testing/i386/mozilla-js-debugger-1.7.13-0.73.1.legacy.i386.rpm
09dcdb176779a013efc6b1819e5391854d94a751
redhat/7.3/updates-testing/i386/mozilla-mail-1.7.13-0.73.1.legacy.i386.rpm
5126d56d8ff98dfdcd69ed6864821120fc959c55
redhat/7.3/updates-testing/i386/mozilla-nspr-1.7.13-0.73.1.legacy.i386.rpm
d2db357f5fe0d1ffce22db18f7d95c96dcfcffa3
redhat/7.3/updates-testing/i386/mozilla-nspr-devel-1.7.13-0.73.1.legacy.i386.rpm
7b3a403f4981d5ffa676aa38e5699fca9e7c2f18
redhat/7.3/updates-testing/i386/mozilla-nss-1.7.13-0.73.1.legacy.i386.rpm
3eea1812fa6a6ef13ed8826cd7734bd266c9b0fb
redhat/7.3/updates-testing/i386/mozilla-nss-devel-1.7.13-0.73.1.legacy.i386.rpm
46393b4afb72fcd8100de2c61b6531d9ffe1dbf5
redhat/7.3/updates-testing/i386/galeon-1.2.14-0.73.6.legacy.i386.rpm

Fedora Legacy Test Update Notification: firefox

2006-05-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-189137-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
2006-05-15
-

Name: firefox
Versions: fc3: firefox-1.0.8-1.1.fc3.1.legacy
Summary : Mozilla Firefox Web browser.
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

-
Update Information:

An updated firefox package that fixes several security bugs is now
available.

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

Several bugs were found in the way Firefox processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)

Several bugs were found in the way Firefox processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of chrome, allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Firefox processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Firefox. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Firefox displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Firefox allows javascript mutation events on
input form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)

Users of Firefox are advised to upgrade to these updated packages
containing Firefox version 1.0.8 which corrects these issues.

-
Changelogs

fc3:
* Wed Apr 19 2006 Marc Deslauriers [EMAIL PROTECTED]
0:1.0.8-1.1.fc3.1.legacy
- Update to firefox 1.0.8

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc3:
8b719bb18c6dfe14b472c684ac5133d82d1b96d0
fedora/3/updates-testing/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
946f2ccbc412675ee6959a3dee50c2cb3ba90c3a
fedora/3/updates-testing/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
0747aa65730e328a9274ec66c0de8dc30645dc1d
fedora/3/updates-testing/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm

-

Please test and comment in bugzilla.





[FLSA-2006:152898] Updated emacs packages fix a security issue

2006-05-12 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated emacs packages fix a security issue
Advisory ID:   FLSA:152898
Issue date:2006-05-12
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-0100
-


-
1. Topic:

Updated Emacs packages that fix a string format issue are now available.

Emacs is a powerful, customizable, self-documenting, modeless text
editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Max Vozeler discovered several format string vulnerabilities in the
movemail utility of Emacs. If a user connects to a malicious POP server,
an attacker can execute arbitrary code as the user running emacs. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0100 to this issue.

Users of Emacs are advised to upgrade to these updated packages, which
contain backported patches to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152898

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/emacs-21.2-3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-21.2-3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-el-21.2-3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-leim-21.2-3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/emacs-21.2-34.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-21.2-34.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-el-21.2-34.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-leim-21.2-34.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/emacs-21.3-9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-21.3-9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-el-21.3-9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-leim-21.3-9.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

4441c55cfe91aabf2203d68bcbc0cf2bbd5f8798
redhat/7.3/updates/i386/emacs-21.2-3.legacy.i386.rpm
33e802e8f306f13519dd2c3f045eb9efe5e4680a
redhat/7.3/updates/i386/emacs-el-21.2-3.legacy.i386.rpm
f6293ffe1c51c3bb31f1b3941da0938d8a98eff2
redhat/7.3/updates/i386/emacs-leim-21.2-3.legacy.i386.rpm
a5767f1100037b49602abb80831fa22da135c081
redhat/7.3/updates/SRPMS/emacs-21.2-3.legacy.src.rpm
ae56dba68d59f5d49105f7afb6918ac945ad8b01
redhat/9/updates/i386/emacs-21.2-34.legacy.i386.rpm
84047366c8488fa3c95070466b1bd20ce5d8687a
redhat/9/updates/i386/emacs-el-21.2-34.legacy.i386.rpm
8eb8449c456e7d475157992c3e6f8bc4bdf64c7b
redhat/9/updates/i386/emacs-leim-21.2-34.legacy.i386.rpm
4cf0ba484c3ab93210d186beb3c79b68b4e56984
redhat/9/updates/SRPMS/emacs-21.2-34.legacy.src.rpm
d56260f010b4603c89516ccf2ddd09c33c8c53c4
fedora/1/updates/i386/emacs-21.3-9.2.legacy.i386.rpm
6bf7cb9bacc6c0f9374849fa4507ededa13193cf
fedora/1/updates/i386/emacs-el-21.3-9.2.legacy.i386.rpm
fb23df114772b6c758499401751dfc389e2e1d88
fedora/1/updates/i386/emacs-leim-21.3-9.2.legacy.i386.rpm
1a1133d917d4993c92a03c30ba08e8916c6a7bfe
fedora/1/updates/SRPMS/emacs-21.3-9.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm 
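
The verification step this advisory describes in section 7 (compare the SHA1 sums, then run rpm --checksig), as an added example that is not part of the advisory or of the Fedora Legacy tooling. It is a POSIX shell script that turns the advisory's two-line hash/path listing into a sha1sum manifest, checks the downloaded RPMs against it, and only then runs the signature check. The listing file, the download directory layout and the function names are assumptions made for the example; it needs sha1sum (or shasum) and, for the last step, rpm.

```shell
#!/bin/sh
# Added example, not from the advisory: check downloaded Fedora Legacy RPMs
# against the advisory's section 7 listing before installing them.
# Assumptions: the listing is saved to a text file as it appears in the mail
# (one line with the SHA-1, next line with the mirror-relative path), and the
# RPMs sit in one download directory under their original file names.

# SHA-1 tool: GNU coreutils sha1sum, or shasum (BSD/macOS/perl).
sha1_cmd() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$@"
    else
        shasum -a 1 "$@"
    fi
}

# Turn the two-line pairs of the listing into "HASH  FILE" manifest lines.
# $1 = listing file, $2 = download directory. The mirror path is reduced to
# its basename because that is the name the file has on disk. Header lines
# ("SHA1 sum Package Name", "-") have a different shape and are skipped.
advisory_to_manifest() {
    awk -v dir="$2" '
        NF == 1 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { hash = $1; next }
        hash != "" && NF == 1 {
            n = split($1, parts, "/")
            printf "%s  %s/%s\n", hash, dir, parts[n]
            hash = ""
        }' "$1"
}

# Verify every listed file. Returns 0 only when every digest matches and no
# listed file is missing (sha1sum -c and shasum -c both exit non-zero on a
# mismatch or an unreadable file).
verify_advisory_rpms() {
    listing=$1 dldir=$2
    manifest=$(mktemp) || return 1
    advisory_to_manifest "$listing" "$dldir" > "$manifest"
    if [ ! -s "$manifest" ]; then
        echo "no SHA-1/path pairs found in $listing" >&2
        rm -f "$manifest"
        return 1
    fi
    sha1_cmd -c "$manifest"
    rc=$?
    rm -f "$manifest"
    return $rc
}

# The advisory's signature step, run only after the digests matched. A
# digest shows the file is the one the mail listed; the GPG signature shows
# who built it. Skipped (with a warning) where rpm is not installed.
checksig_rpms() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed, skipping --checksig" >&2
        return 0
    fi
    rpm --checksig -v "$1"/*.rpm
}

# Typical use (not run when the file is sourced):
#   verify_advisory_rpms FLSA-2006-152898.txt ./downloads && checksig_rpms ./downloads
```

The digest check and the signature check answer different questions: a matching SHA-1 proves the file is the one the mail listed, while rpm --checksig proves the package was signed with the Fedora Legacy key, which is why the script refuses to run the second step on files that already failed the first.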

[FLSA-2006:152904] Updated ncpfs package fixes security issues

2006-05-12 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated ncpfs package fixes security issues
Advisory ID:   FLSA:152904
Issue date:2006-05-12
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2004-1079 CVE-2005-0013 CVE-2005-0014
-


-
1. Topic:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP
protocol.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Buffer overflows were found in the nwclient program. An attacker, using
a long -T option, could possibly execute arbitrary code and gain
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not
sufficiently check if the file owner matched the user attempting to
access the file, potentially violating the file permissions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious
NetWare server could execute arbitrary code on a victim's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which
contains backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
-

16740d3fa5e17a46429ad3586e4adf9a14a64f8d
redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544
redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm

[FLSA-2006:152923] Updated xloadimage package fixes security issues

2006-05-12 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated xloadimage package fixes security issues
Advisory ID:   FLSA:152923
Issue date:2006-05-12
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-0638 CVE-2005-3178
-


-
1. Topic:

A new xloadimage package that fixes bugs in handling malformed tiff and
pbm/pnm/ppm images, and in handling metacharacters in file names is now
available.

The xloadimage utility displays images in an X Window System window,
loads images into the root window, or writes images into a file.
Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM,
and XBM).

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A flaw was discovered in xloadimage where filenames were not properly
quoted when calling the gunzip command. An attacker could create a file
with a carefully crafted filename so that it would execute arbitrary
commands if opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to
this issue.

A flaw was discovered in xloadimage via which an attacker can construct
a NIFF image with a very long embedded image title. This image can cause
a buffer overflow. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-3178 to this issue.

All users of xloadimage should upgrade to this erratum package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152923

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xloadimage-4.1-21.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xloadimage-4.1-21.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xloadimage-4.1-27.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/xloadimage-4.1-27.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xloadimage-4.1-29.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xloadimage-4.1-29.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xloadimage-4.1-34.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xloadimage-4.1-34.FC2.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

88326ff1a0753287240180322b36f8174686e0cc
redhat/7.3/updates/i386/xloadimage-4.1-21.2.legacy.i386.rpm
663b64ed039000824bacd3475e807c29c835f388
redhat/7.3/updates/SRPMS/xloadimage-4.1-21.2.legacy.src.rpm
7fef8d73737dfacb3d56f203bf31f3c8e2014925
redhat/9/updates/i386/xloadimage-4.1-27.2.legacy.i386.rpm
2b4223a41ab2127ee3b173e0803635f3c441bb4f
redhat/9/updates/SRPMS/xloadimage-4.1-27.2.legacy.src.rpm
c24c7a2ae4d703b00a3f84623cae24775674d5d7
fedora/1/updates/i386/xloadimage-4.1-29.2.legacy.i386.rpm
ec2c5a9b5049aeca3cd4d12e7b84c650fec1c295
fedora/1/updates/SRPMS/xloadimage-4.1-29.2.legacy.src.rpm
2910727dcd74a462a2f137746592e53ba5fcdfac
fedora/2/updates/i386/xloadimage-4.1-34.FC2.2.legacy.i386.rpm
924f5e4ffc9ff7190dc1808def838e57377f5fd6
fedora/2/updates/SRPMS/xloadimage-4.1-34.FC2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify 
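
The bug class behind CVE-2005-0638 (an untrusted file name pasted into a command string that is handed to a shell), shown next to the fixed form as an added example. This is not xloadimage's code, which is C; it models the shape of the flaw in shell so it can be exercised directly. The decompressor command is taken from a DECOMPRESS variable (defaulting to "gzip -dc", an assumption made for the example) so any filter can stand in.

```shell
#!/bin/sh
# Added example, not code from xloadimage or the advisory: the shape of the
# CVE-2005-0638 bug class (an untrusted file name pasted into a command string
# handed to a shell) next to the fixed form. The decompressor comes from
# $DECOMPRESS (default "gzip -dc", assumed here) so the functions can be
# exercised with any filter.

DECOMPRESS=${DECOMPRESS:-"gzip -dc"}

# Vulnerable: the file name becomes shell syntax. A name such as
# "x;rm -rf ~" runs the second command as the user opening the image.
unsafe_open_compressed() {
    sh -c "$DECOMPRESS $1"
}

# Fixed: the name is passed as a single argument, never re-parsed by a shell,
# and "--" stops a name beginning with "-" from being read as an option.
# $DECOMPRESS is intentionally unquoted so that "gzip -dc" splits into
# program and flag; the file name itself is quoted.
safe_open_compressed() {
    $DECOMPRESS -- "$1"
}
```

In the C original the same distinction is between building a string for system() and passing the name as one argv element to execvp(); the shell version makes the difference visible with a file named "x;echo INJECTED".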

[FLSA-2006:185355] Updated gnupg package fixes security issues

2006-05-12 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated gnupg package fixes security issues
Advisory ID:   FLSA:185355
Issue date:2006-05-12
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2006-0049 CVE-2006-0455
-


-
1. Topic:

An updated GnuPG package that fixes signature verification flaws is now
available.

GnuPG is a utility for encrypting data and creating digital signatures.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a GnuPG
message with a malformed detached signature, GnuPG ignores the malformed
signature, processes and outputs the signed data, and exits with status
0, just as it would if the signature had been valid. In this case,
GnuPG's exit status would not indicate that no signature verification
had taken place. This issue would primarily be of concern when
processing GnuPG results via an automated script. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to
this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for
an attacker to inject unsigned data into a signed message in such a way
that when a victim processes the message to recover the data, the
unsigned data is output along with the signed data, gaining the
appearance of having been signed. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date
verify RPM package files, nor is RPM vulnerable to either of these
issues.

All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gnupg-1.0.7-13.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gnupg-1.2.1-9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gnupg-1.2.1-9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gnupg-1.2.3-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gnupg-1.2.3-2.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gnupg-1.2.4-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gnupg-1.2.4-2.3.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnupg-1.2.7-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnupg-1.2.7-1.2.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnupg-1.2.7-1.2.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name
-

8908e71fbca5c2bae5f3aadd774e42a49a5cb957
redhat/7.3/updates/i386/gnupg-1.0.7-13.3.legacy.i386.rpm
dd9dc31630ca66faffb4f214f425b973cb3212cf
redhat/7.3/updates/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm
b551dcbc9739ca6af6ca175c61709d5a4209fee6
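
How an automated script should decide whether gpg really verified a signature, as an added example that is not part of the advisory or of GnuPG. The advisory's point for CVE-2006-0455 is that an exit status of 0 is not evidence that any signature was checked, so the script reads gpg's machine-readable status lines (gpg --status-fd 1 --verify ...) instead and accepts only when exactly one VALIDSIG was reported and no error status appeared. For the CVE-2006-0049 shape, unsigned data spliced into a signed message, it also rejects output that consists of more than one plaintext packet. Assumptions: the status line names follow gpg's doc/DETAILS, one PLAINTEXT line is emitted per plaintext packet, and the sample status files are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not from the advisory or GnuPG: how a script that automates
# gpg should decide whether a signature really verified. The CVE-2006-0455
# lesson is that exit status 0 is not evidence that any signature was checked,
# so the verdict is taken from gpg's machine-readable status lines
# (gpg --status-fd 1 --verify ...). Assumptions: the status line names below
# follow gpg's doc/DETAILS, and one PLAINTEXT line is emitted per plaintext
# packet, which is what makes CVE-2006-0049-style spliced-in data detectable.

# $1 = file holding the captured status lines.
# Returns 0 only when exactly one VALIDSIG was reported, no error status
# appeared, and the output consisted of at most one plaintext packet.
gpg_status_verdict() {
    f=$1
    validsig=$(grep -c '^\[GNUPG:\] VALIDSIG ' "$f" || true)
    plaintext=$(grep -c '^\[GNUPG:\] PLAINTEXT ' "$f" || true)
    # Any of these means a signature failed, was absent, or gpg saw material
    # it did not expect; a script must treat every one of them as fatal.
    errors=$(grep -c -E '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|UNEXPECTED|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) ' "$f" || true)

    if [ "$errors" -gt 0 ]; then
        echo "REJECT: $errors error status line(s)"
        return 1
    fi
    if [ "$validsig" -ne 1 ]; then
        echo "REJECT: expected exactly one VALIDSIG, saw $validsig"
        return 1
    fi
    if [ "$plaintext" -gt 1 ]; then
        echo "REJECT: $plaintext plaintext packets in one message (unsigned data spliced in?)"
        return 1
    fi
    fpr=$(sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]*\) .*/\1/p' "$f")
    echo "ACCEPT: data covered by signature from key $fpr"
    return 0
}

# Constructed sample status output (not captured from a real gpg run) for the
# three cases a script meets: a clean inline-signed message, the
# CVE-2006-0455 shape where nothing was verified, and the CVE-2006-0049 shape
# where a second plaintext packet rides along with one valid signature.
# $1 = good|nodata|spliced, $2 = file to write.
write_sample_status() {
    case $1 in
    good)
        cat > "$2" <<'EOF'
[GNUPG:] PLAINTEXT 62 1147392000 update.tar
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Sample <nobody@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-05-12 1147392000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
EOF
        ;;
    nodata)
        cat > "$2" <<'EOF'
[GNUPG:] NODATA 1
EOF
        ;;
    spliced)
        cat > "$2" <<'EOF'
[GNUPG:] PLAINTEXT 62 1147392000 update.tar
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Sample <nobody@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-05-12 1147392000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] PLAINTEXT 62 1147392000 injected.txt
EOF
        ;;
    *)
        echo "unknown sample $1" >&2
        return 1
        ;;
    esac
}

# Real use (not run here):
#   gpg --batch --status-fd 1 --verify update.tar.sig update.tar > status.txt 2>/dev/null
#   gpg_status_verdict status.txt || exit 1
```

The rule the script enforces is the one the advisory implies: treat "no signature verified" exactly like "signature bad", and never let the exit status alone stand in for a VALIDSIG line. The RPM and up2date note in the advisory is the flip side of this: rpm checks package signatures with its own code path, not by invoking gpg and reading its exit status.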

Fedora Legacy Test Update Notification: tetex

2006-04-26 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152868
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152868
2006-04-26
-

Name: tetex
Versions: rh73: tetex-1.0.7-47.5.legacy
Versions: rh9: tetex-1.0.7-66.3.legacy
Versions: fc1: tetex-2.0.2-8.2.legacy
Versions: fc2: tetex-2.0.2-14FC2.3.legacy
Summary : The TeX text formatting system.
Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes
a text file and a set of formatting commands as input and creates a
typesetter-independent .dvi (DeVice Independent) file as output.
Usually, TeX is used in conjunction with a higher level formatting
package like LaTeX or PlainTeX, since TeX by itself is not very
user-friendly.

-
Update Information:

Updated tetex packages that fix several security issues are now
available.

TeTeX is an implementation of TeX. TeX takes a text file and a set of
formatting commands as input and creates a typesetter-independent .dvi
(DeVice Independent) file as output.

A number of integer overflow bugs that affect Xpdf were discovered. The
teTeX package contains a copy of the Xpdf code used for parsing PDF
files and is therefore affected by these bugs. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0888 and CVE-2004-1125 to these issues.

Several flaws were discovered in the teTeX PDF parsing library. An
attacker could construct a carefully crafted PDF file that could cause
teTeX to crash or possibly execute arbitrary code when opened. The
Common Vulnerabilities and Exposures project assigned the names
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624,
CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these
issues.

Users of teTeX should upgrade to these updated packages, which contain
backported patches and are not vulnerable to these issues.

-
Changelogs

rh73:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-47.5.legacy
- Added tetex tetex-latex and tetex-dvips to BuildPreReq!

* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-47.4.legacy
- Added patch to remove expiration check

* Wed Apr 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-47.3.legacy
- Added missing netpbm-progs, ghostscript, ed and texinfo to BuildPrereq

* Fri Mar 17 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-47.2.legacy
- Patches for CESA-2004-007, CAN-2004-1125, CAN-2004-0888, CVE-2005-3193

rh9:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-66.3.legacy
- Added missing tetex, tetex-latex and tetex-dvips to BuildPreReq

* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-66.2.legacy
- Added missing ed and texinfo to BuildPrereq

* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-66.1.legacy
- Patches for CESA-2004-007 CAN-2004-0888 CAN-2004-1125 CVE-2005-3193
(#152868)

fc1:
* Wed Apr 26 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.2-8.2.legacy
- Added missing ed, texinfo, tetex, tetex-latex and tetex-dvips to
BuildPreReq

* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 2.0.2-8.1.legacy
- Patches for CAN-2004-0888, CAN-2004-1125, CAN-2005-0064
  and 2005-3193

fc2:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.2-14FC2.3.legacy
- Fixed release tag
- Added missing tetex, tetex-latex and tetex-dvips to BuildPreReq

* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 2.0.2-14.3.legacy
- Patch CVE-2005-3193 (#152868)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
80b05b7896c5db589e960da0d73b1cd4ae120cce
redhat/7.3/updates-testing/i386/tetex-1.0.7-47.5.legacy.i386.rpm
28c6022b4f6a237d4695d1f268276ec6b18dcf4c
redhat/7.3/updates-testing/i386/tetex-afm-1.0.7-47.5.legacy.i386.rpm
017fa321d9834685f04819070d4f5fb799e05d01
redhat/7.3/updates-testing/i386/tetex-doc-1.0.7-47.5.legacy.i386.rpm
3303175840f2fc37c5f3f77e672eeb3fafae718a
redhat/7.3/updates-testing/i386/tetex-dvilj-1.0.7-47.5.legacy.i386.rpm
fa43c7cbdf02cb7d439c9beeb0e358f8c69a5f22
redhat/7.3/updates-testing/i386/tetex-dvips-1.0.7-47.5.legacy.i386.rpm
1e69a574c3d47cec5b58963387956dfc8337d6ec
redhat/7.3/updates-testing/i386/tetex-fonts-1.0.7-47.5.legacy.i386.rpm
bb229acb3b38ae16025d56a77c41cab939a512ac
redhat/7.3/updates-testing/i386/tetex-latex-1.0.7-47.5.legacy.i386.rpm
d21419415faefcb90b688f8d8dc60a57a6374bad
redhat/7.3/updates-testing/i386/tetex-xdvi-1.0.7-47.5.legacy.i386.rpm
f646b3f3c2ebafa6ae264f20a3f056c778bd84db
redhat/7.3/updates-testing/SRPMS/tetex-1.0.7-47.5.legacy.src.rpm

rh9:
26f54ca0403372b21e6fd441d9bb64073f23e7de
redhat/9/updates-testing/i386/tetex-1.0.7-66.3.legacy.i386.rpm
e74de7855d1d07bcef6a713f4a8735e8008f5249
redhat

Fedora Legacy Test Update Notification: emacs

2006-04-26 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152898
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152898
2006-04-26
-

Name: emacs
Versions: rh73: emacs-21.2-3.legacy
Versions: rh9: emacs-21.2-34.legacy
Versions: fc1: emacs-21.3-9.2.legacy
Summary : The libraries needed to run the GNU Emacs text editor.
Description :
Emacs is a powerful, customizable, self-documenting, modeless text
editor. Emacs contains special code editing features, a scripting
language (elisp), and the capability to read mail, news, and more
without leaving the editor.

-
Update Information:

Updated Emacs packages that fix a string format issue are now available.

Emacs is a powerful, customizable, self-documenting, modeless text
editor.

Max Vozeler discovered several format string vulnerabilities in the
movemail utility of Emacs. If a user connects to a malicious POP server,
an attacker can execute arbitrary code as the user running emacs. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0100 to this issue.

Users of Emacs are advised to upgrade to these updated packages, which
contain backported patches to correct this issue.

-
Changelogs

rh73:
* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.2-3.legacy
- Patch for CAN-2005-0100 (#152898)

rh9:
* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.2-34.legacy
- Patch for CAN-2005-0100 (#152898)

fc1:
* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.2.legacy
- Clean up the #101818 (vm/break dumper problem) workaround

* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.1.legacy
- Oops.  Forgot to rework make install for the broken setarch.
  Now done.

* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.legacy
- Re-instate setarch stuff; but make use of setarch dependent upon
  whether or not it is broken in this given invocation of rpmbuild.
  Why?  If setarch doesn't break, it is probably needed and will be
  used for the bugzilla #101818 issue.  If setarch *does* break, then
  it is likely breaking because it is operating within another setarch
  (FC1's setarch breaks under that circumstance), such as when being
  built by plague/mock.  In that instance, it is not needed.

* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.3-8.legacy
- Patch for CAN-2005-0100 (#152898)
- Remove setarch stuff, not needed in new build system
- Added builddep on autoconf213

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
4441c55cfe91aabf2203d68bcbc0cf2bbd5f8798
redhat/7.3/updates-testing/i386/emacs-21.2-3.legacy.i386.rpm
33e802e8f306f13519dd2c3f045eb9efe5e4680a
redhat/7.3/updates-testing/i386/emacs-el-21.2-3.legacy.i386.rpm
f6293ffe1c51c3bb31f1b3941da0938d8a98eff2
redhat/7.3/updates-testing/i386/emacs-leim-21.2-3.legacy.i386.rpm
a5767f1100037b49602abb80831fa22da135c081
redhat/7.3/updates-testing/SRPMS/emacs-21.2-3.legacy.src.rpm

rh9:
ae56dba68d59f5d49105f7afb6918ac945ad8b01
redhat/9/updates-testing/i386/emacs-21.2-34.legacy.i386.rpm
84047366c8488fa3c95070466b1bd20ce5d8687a
redhat/9/updates-testing/i386/emacs-el-21.2-34.legacy.i386.rpm
8eb8449c456e7d475157992c3e6f8bc4bdf64c7b
redhat/9/updates-testing/i386/emacs-leim-21.2-34.legacy.i386.rpm
4cf0ba484c3ab93210d186beb3c79b68b4e56984
redhat/9/updates-testing/SRPMS/emacs-21.2-34.legacy.src.rpm

fc1:
d56260f010b4603c89516ccf2ddd09c33c8c53c4
fedora/1/updates-testing/i386/emacs-21.3-9.2.legacy.i386.rpm
6bf7cb9bacc6c0f9374849fa4507ededa13193cf
fedora/1/updates-testing/i386/emacs-el-21.3-9.2.legacy.i386.rpm
fb23df114772b6c758499401751dfc389e2e1d88
fedora/1/updates-testing/i386/emacs-leim-21.3-9.2.legacy.i386.rpm
1a1133d917d4993c92a03c30ba08e8916c6a7bfe
fedora/1/updates-testing/SRPMS/emacs-21.3-9.2.legacy.src.rpm

-

Please test and comment in bugzilla.




Re: [Updated] [FLSA-2006:186277] Updated sendmail packages fix security issue

2006-04-05 Thread Marc Deslauriers
On Wed, 2006-04-05 at 12:50 -0400, Adam Gibson wrote:
 One thing I noticed after the latest yum update of sendmail from the 
 previous update is that alternatives is broken for /etc/pam.d/smtp for 
 the sendmail package.  Sendmail used to create /etc/pam.d/smtp.sendmail 
 which alternatives would create a symlink at /etc/pam.d/smtp to 
 eventually point to the current configured smtp pam config 
 (/etc/pam.d/smtp.sendmail for sendmail).
 

Sendmail on rh73, rh9 and fc1 didn't use alternatives
for /etc/pam.d/smtp. It was a real file. That was the problem with the
first sendmail update we came out with, it used alternatives for that
file and the proper symlink wouldn't get automatically created. In the
latest update, we reverted to the previous functionality of having the
package create a real /etc/pam.d/smtp file.

Marc.



[FLSA-2006:152873] Updated xine package fixes security issues

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated xine package fixes security issues
Advisory ID:   FLSA:152873
Issue date:2006-04-04
Product:   Red Hat Linux 7.3
Keywords:  Bugfix, Security
CVE Names: CVE-2004-0372, CVE-2004-1379
-


-
1. Topic:

An updated xine package that fixes security bugs is now available.

xine is a free, GPL-licensed video player for Unix-like systems.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A vulnerability has been reported in the way xine handles a bug report
email. A local user could create a specially crafted symlink which could
result in xine overwriting a file which it has write access to. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0372 to this issue.

A heap overflow has been found in the DVD subpicture decoder of
xine-lib. This can be used for a remote heap overflow exploit, which
can, on some systems, lead to or help in executing malicious code with
the permissions of the user running a xine-lib based media application.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2004-1379 to this issue.

All users of xine should upgrade to this updated package, which includes
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152873

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xine-0.9.8-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-0.9.8-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-devel-0.9.8-4.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-
http://download.fedoralegacy.org/

297e2b6fb5bb2dad8629944e03dc8d7635f5c225
redhat/7.3/updates/i386/xine-0.9.8-4.2.legacy.i386.rpm
465a4ea2a12017a0cee76883e9263ece27c31a6d
redhat/7.3/updates/i386/xine-devel-0.9.8-4.2.legacy.i386.rpm
7336c58504919c05a6ccd5caac1c4a41bb7b7c12
redhat/7.3/updates/SRPMS/xine-0.9.8-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1379

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




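The xine advisory above describes a local symlink attack on a file the program writes: a predictable output name is opened for writing, and a planted symlink at that name redirects the write to any file the program can modify. The following is an added example of the standard defence, not xine's code or the backported patch. It creates the output file with O_CREAT|O_EXCL so that the open fails if anything already exists at the path, a symlink included, and then shows in a constructed scenario (temporary directory, victim file and planted link are all made up for the demonstration) that the planted link is refused and the victim is left untouched.

```python
"""Symlink-safe creation of an output file.

Added example for the xine advisory above; it is not xine's code or patch.
The defence is to create the file with O_CREAT|O_EXCL, which fails if
anything at all already exists at that path (a symlink included), instead
of opening for writing and truncating whatever the name points at.  All
names and paths below are constructed for the demonstration.
"""
import errno
import os
import tempfile


def create_exclusive(path, data):
    """Create `path` with mode 0600 and write `data` into it.

    Returns True on success.  Returns False, without touching anything, if
    the path is already occupied by a file, directory or symlink.  Other
    OS errors propagate to the caller.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    # O_EXCL already refuses a symlink at the final path component on POSIX
    # systems; O_NOFOLLOW is added as belt-and-braces where the platform has it.
    flags |= getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo():
    """Constructed scenario: a victim file, a planted symlink pointing at it,
    then a write through the planted name and a write to a fresh name.

    Returns (write_through_symlink_refused, victim_unchanged, fresh_write_ok).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        planted = os.path.join(d, "bugreport.txt")
        os.symlink(victim, planted)  # what the local attacker leaves behind
        refused = not create_exclusive(planted, b"bug report\n")
        with open(victim, "rb") as fh:
            unchanged = fh.read() == b"original contents\n"
        fresh_ok = create_exclusive(os.path.join(d, "bugreport-1.txt"),
                                    b"bug report\n")
        return refused, unchanged, fresh_ok


if __name__ == "__main__":
    print(demo())
```

When the file name itself does not matter, `tempfile.mkstemp()` applies the same O_EXCL discipline with an unpredictable name and is the simpler choice; `create_exclusive` is for the case where the program must write to a specific, caller-visible path.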

[FLSA-2006:152896] Updated mod_python package fixes a security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated mod_python package fixes a security issue
Advisory ID:   FLSA:152896
Issue date:2006-04-04
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix, Security
CVE Name:  CVE-2005-0088
-


-
1. Topic:

An updated mod_python package that fixes a security issue in the
publisher handler is now available.

Mod_python is a module that embeds the Python language interpreter
within the Apache web server, allowing handlers to be written in Python.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access
to objects that should not be visible, leading to an information leak.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0088 to this issue.

Users of mod_python are advised to upgrade to this updated package,
which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152896

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm


7. Verification:

SHA1 sum  Package Name
-

f936f1ddb29779efae651ff90a19fa17d4edb9f8
redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm
d7792718f71006a00d5e932009dff9b8688330a5
redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm

6b1e637878a7af1f58f1127d07b7614334b71136
redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm
5ef5e32ac4d17f77c602d99299baab7f7c00c52d
redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm

d3959d23e0718b15a4a0b4fc4126b3198e7e98f8
fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm
20c04acf2eadcb2d99cf6c076a6d1ea34537ed24
fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0088

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-



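Every advisory on this page ends with a "7. Verification" list: a SHA-1 on one line and, on the next, the package path relative to http://download.fedoralegacy.org/. The script below is an added example, not Fedora Legacy's own tooling, that parses that list straight out of the advisory text and compares each entry with the file at the same relative path under a local mirror directory, reporting ok, MISMATCH or missing per package. The mirror, the advisory snippet and the hashes built in `demo()` are constructed for the demonstration and are not real Fedora Legacy packages or sums.

```python
"""Check downloaded packages against an advisory's '7. Verification' list.

Added example; it is not Fedora Legacy's own tooling.  The advisory lists,
for every package, a SHA-1 on one line and the mirror-relative path on the
next.  This parses that list and compares each entry with the file at the
same relative path under a local mirror directory.  Everything in demo()
is constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

SHA1_LINE = re.compile(r"^[0-9a-f]{40}$")


def parse_verification(text):
    """Return [(sha1, relpath), ...] from the 'SHA1 sum / Package Name' list.

    A line that is exactly 40 hex digits is a hash; the next non-empty line
    is its package path.  Headings, rule lines and prose are ignored, so the
    whole advisory body can be passed in unchanged.
    """
    pairs = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SHA1_LINE.match(line):
            pending = line
        elif pending is not None:
            pairs.append((pending, line))
            pending = None
    return pairs


def sha1_of_file(path, chunk_size=1 << 16):
    """Hex SHA-1 of a file, read in chunks so large RPMs are not slurped."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_mirror(advisory_text, mirror_root):
    """Map each listed relpath to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for expected, relpath in parse_verification(advisory_text):
        local = os.path.join(mirror_root, *relpath.split("/"))
        if not os.path.isfile(local):
            results[relpath] = "missing"
        elif sha1_of_file(local) == expected:
            results[relpath] = "ok"
        else:
            results[relpath] = "MISMATCH"
    return results


def demo():
    """Constructed mirror with one intact, one altered and one absent file."""
    good = "redhat/9/updates/i386/example-1.0-1.legacy.i386.rpm"
    altered = "redhat/9/updates/SRPMS/example-1.0-1.legacy.src.rpm"
    absent = "fedora/1/updates/i386/example-1.0-1.legacy.i386.rpm"
    shipped = b"bytes the project actually published\n"
    on_mirror = ((good, shipped), (altered, b"bytes swapped on the mirror\n"))
    with tempfile.TemporaryDirectory() as root:
        for rel, content in on_mirror:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        expected = hashlib.sha1(shipped).hexdigest()  # sum the advisory prints
        advisory = (
            "7. Verification:\n\nSHA1 sum  Package Name\n-\n\n"
            f"{expected}\n{good}\n{expected}\n{altered}\n{expected}\n{absent}\n\n"
            "These packages are GPG signed by Fedora Legacy for security.\n"
        )
        return verify_mirror(advisory, root)


if __name__ == "__main__":
    for relpath, status in demo().items():
        print(f"{status:9} {relpath}")
```

A matching SHA-1 only shows the file is the one the advisory describes; it says nothing about who produced the advisory. The `rpm --checksig -v` step the advisories recommend checks the GPG signature on the package itself and is the step that ties the file to the project's key, so run both.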

[FLSA-2006:156290] Updated cyrus-imapd packages fix security issues

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated cyrus-imapd packages fix security issues
Advisory ID:   FLSA:156290
Issue date:2006-04-04
Product:   Fedora Core
Keywords:  Bugfix, Security
CVE Names: CVE-2005-0546
-


-
1. Topic:

Updated cyrus-imapd packages that fix several buffer overflow security
issues are now available.

The cyrus-imapd package contains the core of the Cyrus IMAP server.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

Several buffer overflow bugs were found in cyrus-imapd.  It is possible
that an authenticated malicious user could cause the imap server to
crash.  Additionally, a peer news admin could potentially execute
arbitrary code on the imap server when news is received using the
fetchnews command.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0546 to this issue.

Users of cyrus-imapd are advised to upgrade to these updated packages,
which contain cyrus-imapd version 2.2.12 to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156290

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-devel-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-murder-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-nntp-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-utils-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-Cyrus-2.2.12-1.1.fc2.1.legacy.i386.rpm


7. Verification:

SHA1 sum  Package Name
-

869a5d94e05156e2bdcff36242fd25b2c0e1c6d1
fedora/2/updates/i386/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.i386.rpm
b3bfaca68420697544395c17dbf2cefb5eabcf8f
fedora/2/updates/i386/cyrus-imapd-devel-2.2.12-1.1.fc2.1.legacy.i386.rpm
0a8652c25f5d608811b64c634191845b6dcd672a
fedora/2/updates/i386/cyrus-imapd-murder-2.2.12-1.1.fc2.1.legacy.i386.rpm
d7cfe6d91b0aa23b189949bf516e94479eefd8ef
fedora/2/updates/i386/cyrus-imapd-nntp-2.2.12-1.1.fc2.1.legacy.i386.rpm
03b23f099fd26fa8421bf90f4542ff4e56226d36
fedora/2/updates/i386/cyrus-imapd-utils-2.2.12-1.1.fc2.1.legacy.i386.rpm
1d1f935c0d88f209321ebb9ae679af9a0ff23e42
fedora/2/updates/i386/perl-Cyrus-2.2.12-1.1.fc2.1.legacy.i386.rpm
de27bfdc5d7e2a2c5268d769ef0842aba85bfed5
fedora/2/updates/SRPMS/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0546

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




[FLSA-2006:170411] Updated imap packages fix security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated imap packages fix security issue
Advisory ID:   FLSA:170411
Issue date:2006-04-04
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix, Security
CVE Names: CVE-2005-2933
-


-
1. Topic:

An updated imap package that fixes a buffer overflow issue is now
available.

The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A buffer overflow flaw was discovered in the way the c-client library
parses user supplied mailboxes. If an authenticated user requests a
specially crafted mailbox name, it may be possible to execute arbitrary
code on a server that uses the library. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of imap should upgrade to these updated packages, which
contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/imap-2001a-10.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/imap-2001a-10.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/imap-devel-2001a-10.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/imap-2001a-18.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/imap-2001a-18.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/imap-devel-2001a-18.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/imap-2002d-3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/imap-2002d-3.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/imap-devel-2002d-3.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
-

a516bdac39c9b3946a51e2aa1b2c525418405097
redhat/7.3/updates/i386/imap-2001a-10.3.legacy.i386.rpm
7492a4f5a96f61a50bc1d486004a991407fb8a93
redhat/7.3/updates/i386/imap-devel-2001a-10.3.legacy.i386.rpm
eb6df42d990be3bbf408b9c9cfe759d4ac31d82f
redhat/7.3/updates/SRPMS/imap-2001a-10.3.legacy.src.rpm

dd3d1a3bac748d1db5643a76a86c02568abec7d2
redhat/9/updates/i386/imap-2001a-18.2.legacy.i386.rpm
d7986d8efea12260ebb0613bb6cd486d72ef4ac1
redhat/9/updates/i386/imap-devel-2001a-18.2.legacy.i386.rpm
aef5ef7d054ff02b594bcb2ba564bfbb4778f00b
redhat/9/updates/SRPMS/imap-2001a-18.2.legacy.src.rpm

369fb568801a2d2865a55b2ceabab87e496d8705
fedora/1/updates/i386/imap-2002d-3.2.legacy.i386.rpm
967a77fbc8a4d2dcc3fdfac8b715d7a84537c0c0
fedora/1/updates/i386/imap-devel-2002d-3.2.legacy.i386.rpm
43b5221927cbeb9c2f3387f6a4b8f46f66d4d77d
fedora/1/updates/SRPMS/imap-2002d-3.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org


[FLSA-2006:183571-1] Updated tar package fixes security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated tar package fixes security issue
Advisory ID:   FLSA:183571-1
Issue date:2006-04-04
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix, Security
CVE Names: CVE-2005-1918
-


-
1. Topic:

An updated tar package that fixes a path traversal flaw is now
available.

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that could write
to arbitrary files to which the user running GNU tar has write access
(CVE-2002-0399). A security advisory was released containing a
backported patch.

It was discovered that the backported security patch contained an
incorrect optimization and therefore was not sufficient to completely
correct this vulnerability. The Common Vulnerabilities and Exposures
project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.

Users of tar should upgrade to this updated package, which contains a
replacement backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tar-1.13.25-4.7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tar-1.13.25-4.7.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tar-1.13.25-11.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tar-1.13.25-11.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tar-1.13.25-12.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tar-1.13.25-12.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tar-1.13.25-14.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tar-1.13.25-14.1.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

57d5b198335bcb254ff49b26b60b2ded6fdc3c29
redhat/7.3/updates/i386/tar-1.13.25-4.7.2.legacy.i386.rpm
aec36c77c75a882b3c44a61fa61c23ff204ef4e5
redhat/7.3/updates/SRPMS/tar-1.13.25-4.7.2.legacy.src.rpm

df30641462702e447ac80e5e71db048e039cc378
redhat/9/updates/i386/tar-1.13.25-11.1.legacy.i386.rpm
27e7678d52f44d3872047c5b05c6dfd751c2a806
redhat/9/updates/SRPMS/tar-1.13.25-11.1.legacy.src.rpm

0caee4057c9325f93ac327e1a4d067fee8b1a744
fedora/1/updates/i386/tar-1.13.25-12.1.legacy.i386.rpm
458a1d96fdf8f580b5702a7243f7653d8c581ac6
fedora/1/updates/SRPMS/tar-1.13.25-12.1.legacy.src.rpm

5565230fd52a82671b69a9310883a25f7844b8a6
fedora/2/updates/i386/tar-1.13.25-14.1.legacy.i386.rpm
864f986b64392dacaec2bde2c42339a4e6bd7e35
fedora/2/updates/SRPMS/tar-1.13.25-14.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project 
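The tar advisory above concerns archives whose member names make extraction write outside the chosen directory. What follows is an added example of the defensive check an extractor should apply before writing anything; it is not GNU tar's code or the backported patch. Each member's final path is resolved against the destination and members that escape (a `..` component, an absolute name, or a symlink or hard link whose target lands outside the tree) are reported; nothing is extracted unless the archive is clean. The archive is constructed in memory for the demonstration.

```python
"""Refuse tar members that would write outside the extraction directory.

Added example for the tar advisory above; it is not GNU tar's code or the
backported patch.  The check resolves every member's final path against
the destination and reports the ones that escape, so the caller can reject
the archive before extracting anything.  The sample archive is constructed.
"""
import io
import os
import tarfile
import tempfile


def _inside(base, path):
    """True if absolute, normalised `path` is `base` or lies under it."""
    return path == base or path.startswith(base + os.sep)


def unsafe_members(tar, dest):
    """Return [(member_name, reason), ...] for members that must not be extracted."""
    base = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        # join() discards base for an absolute name; realpath() folds '..'
        target = os.path.realpath(os.path.join(base, m.name))
        if os.path.isabs(m.name) or not _inside(base, target):
            bad.append((m.name, "path escapes destination"))
            continue
        if m.issym() or m.islnk():
            # symlink targets are relative to the member's own directory,
            # hard-link targets to the archive root; both must stay inside.
            anchor = os.path.dirname(target) if m.issym() else base
            link = os.path.realpath(os.path.join(anchor, m.linkname))
            if os.path.isabs(m.linkname) or not _inside(base, link):
                bad.append((m.name, "link target escapes destination"))
    return bad


def extract_if_safe(archive_bytes, dest):
    """Extract only when no member is unsafe; return (extracted, rejected)."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        rejected = unsafe_members(tar, dest)
        if rejected:
            return [], rejected
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()], []


def build_sample():
    """Constructed archive: two harmless members and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, linkname):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        add_file("pkg/README", b"harmless\n")
        add_symlink("pkg/ok-link", "README")             # stays inside pkg/
        add_file("../outside.txt", b"escapes via ..\n")
        add_file("/etc/passwd", b"absolute name\n")
        add_symlink("pkg/escape-link", "../../etc/shadow")
    return buf.getvalue()


def demo():
    """Run the check on the sample archive against a fresh temp dir.

    Returns (names_extracted, names_rejected); nothing is extracted because
    the sample contains hostile members.
    """
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = extract_if_safe(build_sample(), dest)
        return extracted, sorted(name for name, _ in rejected)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately all-or-nothing: one hostile member is enough to reject the archive, because an archive that carries one is not one you want partially extracted either. On Python 3.12 and later the standard library offers `tarfile.data_filter` for the same purpose at extraction time; the explicit pre-scan above makes the rejected names visible and works on older interpreters.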

[FLSA-2006:184074] Updated pine package fixes security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated pine package fixes security issue
Advisory ID:   FLSA:184074
Issue date:2006-04-04
Product:   Red Hat Linux
Keywords:  Bugfix, Security
CVE Names: CVE-2003-0297
-


-
1. Topic:

An updated Pine package is now available to fix a denial of service
attack.

Pine is an email user agent.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

The c-client IMAP client library, as used in Pine 4.44, contains an
integer overflow and integer signedness flaw. An attacker could create a
malicious IMAP server in such a way that it would cause Pine to crash.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2003-0297 to this issue.

Users of Pine are advised to upgrade to these erratum packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184074

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pine-4.44-19.73.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/pine-4.44-19.73.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pine-4.44-19.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/pine-4.44-19.90.1.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

2f5de5f092e8d5c2d821e3715fcc6656b19e1b54
redhat/7.3/updates/i386/pine-4.44-19.73.1.legacy.i386.rpm
4fc304469e6dad1025ac0eb1c428bbc84a9ed76f
redhat/7.3/updates/SRPMS/pine-4.44-19.73.1.legacy.src.rpm

043112c55f52e5454ab01e52f7a50968016ac6a1
redhat/9/updates/i386/pine-4.44-19.90.1.legacy.i386.rpm
d84320a9dbe9b1b1917e2acb8c6306c005711075
redhat/9/updates/SRPMS/pine-4.44-19.90.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0297

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




[FLSA-2006:184098] Updated libc-client packages fix security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated libc-client packages fix security issue
Advisory ID:   FLSA:184098
Issue date:2006-04-04
Product:   Fedora Core 2
Keywords:  Bugfix, Security
CVE Names: CVE-2005-2933
-


-
1. Topic:

Updated libc-client packages that fix a buffer overflow issue are now
available.

C-client is a common API for accessing mailboxes.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

A buffer overflow flaw was discovered in the way C-client parses user
supplied mailboxes. If an authenticated user requests a specially
crafted mailbox name, it may be possible to execute arbitrary code on a
server that uses C-client to access mailboxes. The Common
Vulnerabilities and Exposures project has assigned the name
CVE-2005-2933 to this issue.

All users of libc-client should upgrade to these updated packages, which
contain a backported patch that resolves this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184098

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/libc-client-2002e-5.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/libc-client-2002e-5.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libc-client-devel-2002e-5.1.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

5232f6a722f64fac4c5e09ca3d34a8e5d33192ed
fedora/2/updates/i386/libc-client-2002e-5.1.legacy.i386.rpm
5e03f3725e30f607708e8da1e9c1537d6e929a29
fedora/2/updates/i386/libc-client-devel-2002e-5.1.legacy.i386.rpm
489cbea579ce3fece1527c68df20f24e8c9bfe75
fedora/2/updates/SRPMS/libc-client-2002e-5.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-





[Updated] [FLSA-2006:186277] Updated sendmail packages fix security issue

2006-04-04 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated sendmail packages fix security issue
Advisory ID:   FLSA:186277
Issue date:2006-04-04
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix, Security
CVE Names: CVE-2006-0058
-

-
1. Topic:

Updated sendmail packages that fix a security issue are now
available.

The sendmail package provides a widely used Mail Transport Agent (MTA).

[Updated 4th April 2006]
Red Hat Linux 7.3, Red Hat Linux 9, and Fedora Core 1 packages have been
updated to correct numerous problems with the previously released
updates.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw in the handling of asynchronous signals was discovered in
Sendmail. A remote attacker may be able to exploit a race condition to
execute arbitrary code as root. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0058 to this issue.

In order to correct this issue for RHL 7.3 users, it was necessary to
upgrade the version of Sendmail from 8.11 as originally shipped to
Sendmail 8.12.11 with the addition of the security patch supplied by
Sendmail Inc. This erratum provides updated packages based on Sendmail
8.12 with a compatibility mode enabled as provided by Red Hat for
RHEL 2.1. After updating to these packages, users should pay close
attention to their sendmail logs to ensure that the upgrade completed
successfully.

In order to correct this issue for RHL 9 and FC1 users, it was necessary
to upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively
to 8.12.11 with the addition of the security patch supplied by Sendmail
Inc. After updating to these packages, users should pay close attention
to their sendmail logs to ensure that the upgrade completed successfully.

For Fedora Core 3 users, the patch supplied by Sendmail Inc. applies
cleanly to the latest sendmail package previously released for Fedora
Core 3.

Users of Sendmail should upgrade to this updated package, which contains
a backported patch to correct this issue. Users updating to these
packages are urged to review their sendmail.cf file after updating.


4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-8.12.11-4.25.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.3.legacy.i386.rpm

[UPDATED] Fedora Legacy Test Update Notification: gnupg

2006-04-01 Thread Marc Deslauriers
The rh73 packages were updated to correct a broken info page.

-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-04-01
-

Name: gnupg
Versions: rh73: gnupg-1.0.7-13.3.legacy
Versions: rh9: gnupg-1.2.1-9.2.legacy
Versions: fc1: gnupg-1.2.3-2.2.legacy
Versions: fc2: gnupg-1.2.4-2.3.legacy
Versions: fc3: gnupg-1.2.7-1.2.legacy
Summary : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

-
Update Information:

An updated GnuPG package that fixes signature verification flaws is now
available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a GnuPG
message with a malformed detached signature, GnuPG ignores the malformed
signature, processes and outputs the signed data, and exits with status
0, just as it would if the signature had been valid. In this case,
GnuPG's exit status would not indicate that no signature verification
had taken place. This issue would primarily be of concern when
processing GnuPG results via an automated script. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to
this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for an
attacker to inject unsigned data into a signed message in such a way that
when a victim processes the message to recover the data, the unsigned data
is output along with the signed data, gaining the appearance of having been
signed. This issue is mitigated in the GnuPG shipped with Red Hat
Enterprise Linux as the --ignore-crc-error option must be passed to the gpg
executable for this attack to be successful. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date
verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


-
Changelogs

rh73:
* Sat Apr 01 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-13.3.legacy
- Added missing texinfo to BuildPrereq

* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner

Fedora Legacy Test Update Notification: ncpfs

2006-03-28 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152904
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904
2006-03-28
-

Name: ncpfs
Versions: rh73: ncpfs-2.2.0.18-6.1.legacy
Versions: rh9: ncpfs-2.2.1-1.1.legacy
Versions: fc1: ncpfs-2.2.3-1.1.legacy
Versions: fc2: ncpfs-2.2.4-1.1.legacy
Versions: fc3: ncpfs-2.2.4-5.FC3.1.legacy
Summary : Utilities for the ncpfs filesystem, a NetWare client.
Description :
Ncpfs is a filesystem which understands the Novell NetWare(TM) NCP
protocol.  Functionally, NCP is used for NetWare the way NFS is used
in the TCP/IP world.  For a Linux system to mount a NetWare
filesystem, it needs a special mount program.  The ncpfs package
contains such a mount program plus other tools for configuring and
using the ncpfs filesystem.

-
Update Information:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP
protocol.

Buffer overflows were found in the nwclient program. An attacker, using
a long -T option, could possibly execute arbitrary code and gain
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not
sufficiently check if the file owner matched the user attempting to
access the file, potentially violating the file permissions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious
NetWare server could execute arbitrary code on a victim's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which
contains backported fixes for these issues.

-
Changelogs

rh73:
* Fri Mar 10 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.0.18-6.1.legacy
- fixed getuid security bug CVE-2005-0013

rh9:
* Fri Mar 10 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.1-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc1:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.3-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc2:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.4-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc3:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.4-5.FC3.1.legacy
- Added missing part of CVE-2005-0013 fix

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
16740d3fa5e17a46429ad3586e4adf9a14a64f8d
redhat/7.3/updates-testing/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544
redhat/7.3/updates-testing/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm
6704d55f1f43360b6ad4211e2ca0f92e9f2174c8
redhat/7.3/updates-testing/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm

rh9:
6acd3b7b7d09cb0e47769b43a888adf72a6278ac
redhat/9/updates-testing/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
c49d83f88b229ce57c689d313eccb4df7b89f36b
redhat/9/updates-testing/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm
ac833c51fcf831bca3edef5d0275ccd1ae0a530f
redhat/9/updates-testing/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm

fc1:
8379face8f68fe556d40bf32f72a5ab368e8eb6d
fedora/1/updates-testing/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
eefaa839a26179ca5d41897eacf7bbf3c49661e1
fedora/1/updates-testing/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm
ede00a8544200515b5e09a7a40836d8f558cac9d
fedora/1/updates-testing/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm

fc2:
1d32d2f0c39475f98206d78f87c587d4f96ddb70
fedora/2/updates-testing/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
c095ce2d66184b605516231609cddc30520c3eb5
fedora/2/updates-testing/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm
874f8a48f85fef80615b5892a70d214f0935ed7a
fedora/2/updates-testing/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm

fc3:
dc329c8b3558f67350486358b01b6a62f6f467af
fedora/3/updates-testing/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
1ddd6caafe4a693d4a69d341be69600df446de3b
fedora/3/updates-testing/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm
db8660759a23570a6d06bda37c619e0931425ef8
fedora/3/updates-testing/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
1e8bc7d10995fde90688b424f5001c14f7d3e3bc
fedora/3/updates-testing/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm
7f29dd88dcf31f19970e22c8c3af7267c62a5508
fedora/3/updates-testing/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

-

Please test and comment in bugzilla
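
The test update notices list each package as a SHA1 on one line and the repository-relative path on the next, and the advisories direct that the packages then be installed with rpm -Fvh. As an added example, not tooling from Fedora Legacy, here is a POSIX shell script that checks a downloaded tree against such a listing before anything is installed. The listing layout is taken from the notices on this page; the rpm -K signature step and the apply_updates wrapper are my own assumptions about how a practitioner would glue verification and installation together.

```shell
#!/bin/sh
# Added example, not Fedora Legacy tooling. Checks downloaded packages against
# the "(sha1sums)" listing of a test update notification (or the Verification
# section of an advisory), then freshens only what verified.
#
# Listing format (as printed in the notices): a 40-character SHA1 on one line,
# the repository-relative path on the next; "rh9:"-style headers and blank
# lines may appear between pairs. Paste just that part into a file.

# verify_sha1_listing LISTING BASEDIR
#   0 if every listed file exists under BASEDIR and matches its SHA1,
#   1 otherwise; problems go to stderr.
verify_sha1_listing() {
    listing=$1
    basedir=${2%/}
    rc=0
    expected=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|*:) continue ;;              # blank line or release header
        esac
        if [ -z "$expected" ]; then
            # first line of a pair: the hash
            if [ "${#line}" -ne 40 ]; then
                echo "malformed hash line: $line" >&2
                rc=1
                continue
            fi
            expected=$line
        else
            # second line of a pair: the path
            path=$basedir/$line
            if [ ! -f "$path" ]; then
                echo "MISSING  $line" >&2
                rc=1
            else
                actual=$(sha1sum "$path" | cut -d' ' -f1)
                if [ "$actual" = "$expected" ]; then
                    echo "OK       $line"
                else
                    echo "MISMATCH $line (expected $expected, got $actual)" >&2
                    rc=1
                fi
            fi
            expected=
        fi
    done < "$listing"
    if [ -n "$expected" ]; then
        echo "hash without a path at end of listing" >&2
        rc=1
    fi
    return $rc
}

# apply_updates LISTING BASEDIR
#   Verify the checksums, check the rpm signatures (needs the signing key
#   imported into rpm's keyring), then "rpm -Fvh" the binary packages as the
#   advisories direct. Nothing is installed unless every check passes.
#   Assumed wrapper; not exercised by the checks below.
apply_updates() {
    verify_sha1_listing "$1" "$2" || return 1
    rpms=$(awk '/\.rpm$/ && !/\.src\.rpm$/ { print base "/" $0 }' base="${2%/}" "$1")
    [ -n "$rpms" ] || { echo "no binary packages in listing" >&2; return 1; }
    rpm -K $rpms || return 1
    rpm -Fvh $rpms
}

# Usage: sh verify-listing.sh LISTING BASEDIR
case $# in
    2) verify_sha1_listing "$1" "$2" ;;
esac
```

Download the tree with the same relative layout as the listing (for example under a scratch directory that contains redhat/9/updates-testing/...), point the script at the listing and that directory, and only run the rpm step when every line reports OK.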

Fedora Legacy Test Update Notification: fetchmail

2006-03-28 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-164512
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512
2006-03-28
-

Name: fetchmail
Versions: rh73: fetchmail-5.9.0-21.7.3.2.legacy
Versions: rh9: fetchmail-6.2.0-3.4.legacy
Versions: fc1: fetchmail-6.2.0-8.2.legacy
Versions: fc2: fetchmail-6.2.5-2.2.legacy
Summary : A remote mail retrieval and forwarding utility.
Description :
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

-
Update Information:

Updated fetchmail packages that fix security flaws are now available.

Fetchmail is a remote mail retrieval and forwarding utility.

A bug was found in the way fetchmail allocates memory for long lines. A
remote attacker could cause a denial of service by sending a specially-
crafted email. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2003-0792 to this issue.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could send a carefully crafted message UID and cause fetchmail to
crash or potentially execute arbitrary code as the user running
fetchmail. The Common Vulnerabilities and Exposures project assigned the
name CVE-2005-2355 to this issue.

A bug was found in the way the fetchmailconf utility program writes
configuration files. The default behavior of fetchmailconf is to write a
configuration file which may be world readable for a short period of
time. This configuration file could provide passwords to a local
malicious attacker within the short window before fetchmailconf sets
secure permissions. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3088 to this issue.

A bug was found when fetchmail is running in multidrop mode. A malicious
mail server can cause a denial of service by sending a message without
headers. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-4348 to this issue.

Users of fetchmail should update to this erratum package which contains
backported patches to correct these issues.

-
Changelogs

rh73:
* Sat Mar 11 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-4348 (#164512)
- add patch for CAN-2005-3088 from RHEL 2.1 (#164512)

* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 5.9.0-21.7.3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
6.2.0-3.4.legacy
- Added missing e2fsprogs-devel to BuildPrereq

* Sat Mar 11 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-3088 (#164512)

* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.0-3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc1:
* Sun Mar 12 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-8.2.legacy
- add patch for CAN-2005-3088 (#164512)
- add patch for CAN-2005-2355 (#164512)

* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.0-8.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc2:
* Sun Mar 12 2006 Donald Maner [EMAIL PROTECTED] 6.2.5-2.2.legacy
- add patch for crash on empty message - CVE-2005-4348 (#164512)
- add patch for CAN-2005-3088 (#164512)

* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.5-2.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
8b49bca60dc8bcbba7634b8e0559c82fbeef3db5
redhat/7.3/updates-testing/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
9c9c861757b4b8b2866f1d0e91dbc16d5037d956
redhat/7.3/updates-testing/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm
9cca4f274cb21928d459ed25883e5d3c1f758f10
redhat/7.3/updates-testing/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

rh9:
0fd22e51f83aab97d8c1790ed95423882f01aa9b
redhat/9/updates-testing/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm
7d2eb582d0aba96e07710eb89cd8c4c41c4530d3
redhat/9/updates-testing/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm

fc1:
5df158a0ba6bb0c323a75464e04b11e246dd8f98
fedora/1/updates-testing/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm
927ed2783b8b4a29d0669e7936c1d27fd05564eb
fedora/1/updates-testing/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm

fc2

Fedora Legacy Test Update Notification: gnupg

2006-03-28 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-03-28
-

Name: gnupg
Versions: rh73: gnupg-1.0.7-13.2.legacy
Versions: rh9: gnupg-1.2.1-9.2.legacy
Versions: fc1: gnupg-1.2.3-2.2.legacy
Versions: fc2: gnupg-1.2.4-2.3.legacy
Versions: fc3: gnupg-1.2.7-1.2.legacy
Summary : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).

-
Update Information:

An updated GnuPG package that fixes signature verification flaws is now
available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies
cryptographically signed data with detached signatures. It is possible
for an attacker to construct a cryptographically signed message which
could appear to come from a third party. When a victim processes a GnuPG
message with a malformed detached signature, GnuPG ignores the malformed
signature, processes and outputs the signed data, and exits with status
0, just as it would if the signature had been valid. In this case,
GnuPG's exit status would not indicate that no signature verification
had taken place. This issue would primarily be of concern when
processing GnuPG results via an automated script. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to
this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies
cryptographically signed data with inline signatures. It is possible for an
attacker to inject unsigned data into a signed message in such a way that
when a victim processes the message to recover the data, the unsigned data
is output along with the signed data, gaining the appearance of having been
signed. This issue is mitigated in the GnuPG shipped with Red Hat
Enterprise Linux as the --ignore-crc-error option must be passed to the gpg
executable for this attack to be successful. The Common Vulnerabilities and
Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date
verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which
contains backported patches to correct these issues.


-
Changelogs

rh73:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle argument parsing,
  backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying
  signatures when no signature is provided (CVE-2006-0455, #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED]
1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq

* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in
  message, with some more bits from Klaus Singvogel to handle
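
Both GnuPG notices above make the same point for script authors: after CVE-2006-0455 an exit status of 0 is not proof that gpg verified anything. As an added example, not GnuPG's or Fedora Legacy's code, the following POSIX shell function decides from gpg's --status-fd output instead, requires the signing key to be one you expect, and refuses the ambiguous more-than-one-signature case behind CVE-2006-0049. The sample status lines are constructed to match GnuPG's documented status keywords; the key ids and fingerprints in them are made up.

```shell
#!/bin/sh
# Added example (not GnuPG's or Fedora Legacy's code): judge a signature from
# gpg's machine-readable status lines, never from its exit code. In the
# CVE-2006-0455 case gpg exited 0 without verifying anything, but its status
# output still said NODATA rather than GOODSIG/VALIDSIG.
#
# Assumed invocation (detached signature; fd 3 collects the status lines):
#   gpg --status-fd 3 --verify file.sig file 3>status.txt 2>/dev/null
#   gpg_status_ok status.txt "$TRUSTED_FPR" && echo verified

# gpg_status_ok STATUSFILE FINGERPRINT
#   0 only if no failure keyword appears, exactly one VALIDSIG line is
#   present, its fingerprint equals FINGERPRINT, and a GOODSIG line exists.
#   Anything else is "not verified".
gpg_status_ok() {
    status=$1
    want=$2
    # Any of these means the data must not be treated as signed.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NODATA|EXPSIG|EXPKEYSIG|REVKEYSIG|UNEXPECTED|FAILURE)( |$)' "$status"; then
        return 1
    fi
    # The fingerprint is the first field after VALIDSIG.
    fprs=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }' "$status")
    n=$(printf '%s\n' "$fprs" | grep -c '^[0-9A-Fa-f]\{40\}$' || true)
    [ "$n" -eq 1 ] || return 1            # 0 = nothing verified, >1 = ambiguous
    [ "$fprs" = "$want" ] || return 1     # signed, but not by the key we expect
    grep -q '^\[GNUPG:\] GOODSIG ' "$status" || return 1
    return 0
}

# Constructed sample status output in the shape of GnuPG's status lines
# ("[GNUPG:] KEYWORD fields..."). Key ids, fingerprints and dates are made up.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# A clean verification by our key.
sample_status_good() {
    cat <<EOF
[GNUPG:] SIG_ID 8Jj7x3bQ0zR2vK9uF1sL2mN4pQ6 2006-03-15 1142380800
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2006-03-15 1142380800 0 4 0 17 2 00 $SAMPLE_FPR
[GNUPG:] TRUST_ULTIMATE
EOF
}

# The CVE-2006-0455 shape: no usable signature was found, yet gpg exited 0.
sample_status_nodata() {
    cat <<EOF
[GNUPG:] NODATA 1
EOF
}

# Two signature blocks in one message, one from our key and one from a
# stranger: the ambiguous case the CVE-2006-0049 patch makes gpg reject.
sample_status_ambiguous() {
    cat <<EOF
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2006-03-15 1142380800 0 4 0 17 2 00 $SAMPLE_FPR
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2006-03-15 1142380800 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

# Usage: sh gpg-status-ok.sh STATUSFILE FINGERPRINT
case $# in
    2) gpg_status_ok "$1" "$2" && echo verified ;;
esac
```

For inline-signed or clearsigned input, recover the data with --output and --decrypt while capturing the status on fd 3 the same way, and run the same check on the status file; never add --ignore-crc-error, which is what the CVE-2006-0049 attack needs on the Red Hat builds. Where you control the format, ship detached signatures for anything a script consumes, so the unsigned-data-alongside-signed-data problem cannot arise at all.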

[UPDATED] Fedora Legacy Test Update Notification: sendmail

2006-03-28 Thread Marc Deslauriers
These updated test packages for rh73, rh9 and fc1 fix problems with the
previous sendmail update.

-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-186277
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277
2006-03-28
-

Name: sendmail
Versions: rh73: sendmail-8.12.11-4.22.10.legacy
Versions: rh9: sendmail-8.12.11-4.24.3.legacy
Versions: fc1: sendmail-8.12.11-4.25.3.legacy
Summary : A widely used Mail Transport Agent (MTA).
Description :
The Sendmail program is a very widely used Mail Transport Agent (MTA).
MTAs send mail from one machine to another. Sendmail is not a client
program, which you use to read your email. Sendmail is a
behind-the-scenes program which actually moves your email over
networks or the Internet to where you want it to go.

-
Update Information:

Updated sendmail packages that fix a flaw in the handling of asynchronous
signals are now available.

A flaw in the handling of asynchronous signals was discovered in
Sendmail. A remote attacker may be able to exploit a race condition to
execute arbitrary code as root. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0058 to this issue.

In order to correct this issue for RHL 7.3 users, it was necessary to
upgrade the version of Sendmail from 8.11 as originally shipped to
Sendmail 8.12.11 with the addition of the security patch supplied by
Sendmail Inc. This erratum provides updated packages based on Sendmail
8.12 with a compatibility mode enabled as provided by Red Hat for
RHEL 2.1. After updating to these packages, users should pay close
attention to their sendmail logs to ensure that the upgrade completed
successfully.

In order to correct this issue for RHL 9 and FC1 users, it was necessary
to upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively
to 8.12.11 with the addition of the security patch supplied by Sendmail
Inc. After updating to these packages, users should pay close attention
to their sendmail logs to ensure that the upgrade completed successfully.

Users of Sendmail should upgrade to this updated package, which contains
a backported patch to correct this issue.

-
Changelogs

rh73:
* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED]
8.12.11-4.22.10.legacy
- Added hesiod-devel to BuildRequires
- Reverted to previous alternatives files
- Removed new triggers
- Modified instructions in sendmail.mc

* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED]
8.12.11-4.22.9.legacy
- Sourced in for RHL7.3
- Added groff buildreq
- Enable alternatives

rh9:
* Sun Mar 26 2006 Marc Deslauriers [EMAIL PROTECTED] -
8.12.11-4.24.3.legacy
- Reverted statistics file path in mc file
- Reverted CERT paths in mc file
- Don't enable statistics by default

* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED] -
8.12.11-4.24.2.legacy
- Reverted statistics file to /etc/mail
- Reverted to previous alternatives files

* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED] -
8.12.11-4.24.1.legacy
- fixed VU#834865 (#186277)
- disable -fpie
- enable old_setup
- Add BuildReq gdbm-devel
- Use sasl1

fc1:
* Sun Mar 26 2006 Marc Deslauriers [EMAIL PROTECTED] -
8.12.11-4.25.3.legacy
- Reverted statistics file path in mc file
- Reverted CERT paths in mc file
- Don't enable statistics by default

* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED] -
8.12.11-4.25.2.legacy
- Reverted statistics file to /etc/mail
- Reverted to previous alternatives files
- Added gdbm-devel to BuildRequires

* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED] -
8.12.11-4.25.1.legacy
- fixed VU#834865 (#186277)
- enable old_setup

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
950fc853550d93f521d4203b9f78023721fbdecd
redhat/7.3/updates-testing/i386/sendmail-8.12.11-4.22.10.legacy.i386.rpm
d8c06f3f92d7dd526426b86e52bdd244e75c061a
redhat/7.3/updates-testing/i386/sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm
dde44f59a60481edae75ddf6d854341308e4ce62
redhat/7.3/updates-testing/i386/sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm
faf27d20eb151227225cc4e2ac5014bb205aa350
redhat/7.3/updates-testing/i386/sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm
e0b9ece564e8103a254311da19c6bc41a21c8ffc
redhat/7.3/updates-testing/SRPMS/sendmail-8.12.11-4.22.10.legacy.src.rpm

rh9:
9f1caeadce45e2922f6bc29ea0f4e7bce4e26d02
redhat/9/updates-testing/i386/sendmail-8.12.11-4.24.3.legacy.i386.rpm
6b7b437bb58ac9f805185ae992da9a157a0d755d
redhat/9/updates-testing/i386/sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm
ae48cf1d3a5d8f5bfc789a408de392fe27e84b73
redhat/9/updates-testing/i386/sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm
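
The sendmail notice asks users to watch their logs after the upgrade, and the thread below reports alternatives-managed links missing on RH9 and FC1. As an added example that is not part of the packages or of Red Hat's packaging, this POSIX shell script checks both. The link paths are the ones named in the thread plus the sendmail binary itself; the "starting daemon (version)" log line is the form sendmail writes at startup as I know it, and the ROOT argument is my addition so the check can be tried against a scratch tree before a live system.

```shell
#!/bin/sh
# Added example (not part of the sendmail update): post-upgrade checks for the
# two things this thread shows going wrong. ROOT is "/" on a live box; the
# scratch-tree form exists only so the checks can be exercised safely.

# check_mta_links ROOT
#   The alternatives-managed paths RH9/FC1 users found missing, plus the
#   binary itself. "-e" follows symlinks, so a dangling link counts as missing.
check_mta_links() {
    root=${1%/}
    rc=0
    for p in /usr/sbin/sendmail /usr/lib/sendmail \
             /usr/share/man/man8/sendmail.8.gz /etc/pam.d/smtp; do
        if [ -e "$root$p" ]; then
            echo "ok       $p"
        else
            echo "MISSING  $p (try: alternatives --config mta)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_daemon_version MAILLOG VERSION
#   Sendmail logs "starting daemon (<version>)" when the daemon starts
#   (assumed log format). The most recent such line must name the version the
#   update installed, e.g. 8.12.11; an old version means the old binary is
#   still running or the new one never came up.
check_daemon_version() {
    last=$(grep 'sendmail\[[0-9]*\]: starting daemon (' "$1" | tail -n 1)
    case $last in
        *"starting daemon ($2)"*) return 0 ;;
        *) echo "last daemon start: ${last:-none found}" >&2; return 1 ;;
    esac
}

# Usage: sh check-sendmail-upgrade.sh ROOT MAILLOG VERSION
#   e.g. sh check-sendmail-upgrade.sh / /var/log/maillog 8.12.11
case $# in
    3) check_mta_links "$1" && check_daemon_version "$2" "$3" ;;
esac
```

Run it after restarting sendmail, since the version check reads the daemon's own startup line; if the links are missing, the alternatives --config mta step suggested in the thread is the first thing to try, and the sendmail.cf review the advisory asks for is still a manual step.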

Re: New sendmail and missing /usr/lib/sendmail

2006-03-27 Thread Marc Deslauriers
On Sun, 2006-03-26 at 23:48 -0600, Mike McCarty wrote:
 Ah, now we get down to the nitty gritty of the desire to hasten
 the process of going from a Test state to a Release state. Hopefully,
 those who in past have seen no need to maintain a policy of no package
 can move from Test state to Release state unless it has actually gone
 through test to prove proper operation and want to change to one of
 if enough time has lapsed, then even if no verification of proper
 operation has taken place, we need to move from Test state to Release
 state can see a little bit of the other side of the fence, now.

Curiously, sendmail actually DID get test votes for all platforms before
it got moved to official updates. No part of the QA process was
hastened.

This has happened before. Most packages that got pushed out that had
serious problems had been through QA and had people test them. One of
the php updates is an example I know of.

Marc.


signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Re: New sendmail and missing /usr/lib/sendmail

2006-03-27 Thread Marc Deslauriers
On Mon, 2006-03-27 at 10:47 -0800, Jesse Keating wrote:

 These issues should be resolved in the newer packages in
 updates-testing.

They're not in updates-testing yet. They're still awaiting PUBLISH votes
in bugzilla.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.


signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Re: sendmail upgrade issues

2006-03-26 Thread Marc Deslauriers
On Sun, 2006-03-26 at 01:38 -0600, Eric Rostetter wrote:

  This is fixed in the package awaiting QA.
 
 I never received an email about any such package...
 

I didn't know I had to send you one. :)

Look here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.



signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Re: RH 9.0: AUTH LOGIN issue with latest sendmail patch

2006-03-25 Thread Marc Deslauriers
On Sat, 2006-03-25 at 08:52 -0600, Mike Klinke wrote:

 There seem to be three missing links on RH9 and FC1:
 
 /usr/lib/sendmail ->
 /etc/alternatives/mta-sendmail
 
 /usr/share/man/man8/sendmail.8.gz ->
 /etc/alternatives/mta-sendmailman
 
 /etc/pam.d/smtp ->
 /etc/alternatives/mta-pam
 

If you do a alternatives --config mta and re-select sendmail, do the
links get created?

Marc.


signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

[FLEA-2006:173091-1] Updated glibc packages add daylight savings rule enhancements

2006-03-23 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated glibc packages add daylight savings rule
   enhancements
Advisory ID:   FLEA:173091-1
Issue date:2006-03-23
Product:   Red Hat Linux
Keywords:  Enhancement
-


-
1. Topic:

Updated glibc packages that add daylight savings rule enhancements for
various countries are now available.

The GNU libc packages (known as glibc) contain the standard C libraries
used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

This update adjusts timezone files for countries where daylight savings
rules have recently changed or are going to change in the near future.

Users in those countries should upgrade to these updated packages
and rerun redhat-config-date to update the local timezone in
/etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.8.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.8.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/glibc-2.3.2-27.9.7.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.4.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-common-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-debug-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-devel-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-profile-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-utils-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nptl-devel-2.3.2-27.9.7.4.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nscd-2.3.2-27.9.7.4.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-


[FLEA-2006:173091-2] Updated tzdata package adds daylight savings rule enhancements

2006-03-23 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated tzdata package adds daylight savings rule enhancements
Advisory ID:   FLEA:173091-2
Issue date:    2006-03-23
Product:       Fedora Core
Keywords:      Enhancement
-


-
1. Topic:

An updated tzdata package that adds daylight savings rule enhancements
for various countries is now available.

The tzdata package contains data files with rules for various timezones
around the world.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

This update adjusts timezone files for countries where daylight savings
rules have recently changed or are going to change in the near future.

Users in those countries should upgrade to these updated packages
and rerun redhat-config-date (or system-config-date in FC2) to update
the local timezone in /etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tzdata-2006a-2.fc1.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tzdata-2006a-2.fc1.1.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tzdata-2006a-2.fc2.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tzdata-2006a-2.fc2.1.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/tzdata-2006a-2.fc3.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/tzdata-2006a-2.fc3.1.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/tzdata-2006a-2.fc3.1.noarch.rpm


7. Verification:

SHA1 sum Package Name
-


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename
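
As an added example (not part of the advisory or of Fedora Legacy's tooling), the script below automates sections 4 and 7 of the procedure above: it converts the advisory's SHA1 table (a hash line followed by the package path on the next line) into a manifest, checks every downloaded package against it, and runs the advisory's `rpm --checksig -v` step when rpm is installed. The package names, directory layout and demo data are constructed for illustration, not real Fedora Legacy packages.

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory. The SHA1 check only
# shows a download is neither corrupted nor altered relative to the published
# table; the GPG signature check (rpm --checksig) is what ties the package to
# the Fedora Legacy signing key, so both are run before "rpm -Fvh".

# sha1_of FILE: print the hex SHA1 of FILE with whichever tool is available.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/.*= //'
    fi
}

# advisory_to_manifest SECTION7_FILE
# Reads the advisory's verification table, where each package takes two
# lines (40 hex digits, then the repository-relative path), and prints one
# "<sha1>  <path>" line per package. Blank lines and header lines that
# precede the first hash are dropped.
advisory_to_manifest() {
    pending=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if printf '%s\n' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
            pending="$line"                 # hash seen; its path follows
        elif [ -n "$pending" ]; then
            printf '%s  %s\n' "$pending" "$line"
            pending=""
        fi
    done < "$1"
}

# verify_manifest MANIFEST DOWNLOAD_DIR
# Checks every "<sha1>  <path>" line of MANIFEST against DOWNLOAD_DIR/<path>.
# Returns 0 only if every listed file is present and its SHA1 matches.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while read -r expected path; do
        [ -n "$expected" ] || continue
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"; bad=1; continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (got $actual)"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# checksig_all DOWNLOAD_DIR: the advisory's signature check on every RPM under
# DOWNLOAD_DIR. Returns 2 when rpm is not installed (nothing was verified);
# with GNU find, a non-zero status from rpm propagates as find's exit status.
checksig_all() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, signature check skipped"; return 2
    fi
    find "$1" -name '*.rpm' -exec rpm --checksig -v {} +
}

# demo: constructed data only. Two fake package files are listed in a fake
# section 7; one is modified after the table was written, so the run must fail.
# f572d396... is the SHA1 of the six bytes "hello\n".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/fedora/1/updates/i386"
    printf 'hello\n' > "$work/fedora/1/updates/i386/good-1.0.noarch.rpm"
    printf 'hello\n' > "$work/fedora/1/updates/i386/tampered-1.0.noarch.rpm"
    cat > "$work/section7.txt" <<'EOF'
SHA1 sum Package Name
-

f572d396fae9206628714fb2ce00f72e94f2258f
fedora/1/updates/i386/good-1.0.noarch.rpm
f572d396fae9206628714fb2ce00f72e94f2258f
fedora/1/updates/i386/tampered-1.0.noarch.rpm
EOF
    printf 'extra byte\n' >> "$work/fedora/1/updates/i386/tampered-1.0.noarch.rpm"
    advisory_to_manifest "$work/section7.txt" > "$work/manifest.txt"
    verify_manifest "$work/manifest.txt" "$work"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see one OK and one MISMATCH line; in real use, feed it the advisory's section 7 and the directory the RPMs were downloaded into, and only proceed to `rpm -Fvh` when both verify_manifest and checksig_all return 0.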

8. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-




Re: US-CERT Technical Cyber Security Alert TA06-081A -- Sendmail Race Condition Vulnerability (fwd)

2006-03-23 Thread Marc Deslauriers
On Wed, 2006-03-22 at 10:29 -0800, Kenneth Porter wrote:
 For those of us accepting mail from outside on pre-FC4 Fedora, are any 
 updates in the pipe to address this?

Packages have been created and QA'd. They will be pushed to
updates-testing soon.

You may follow progress here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.



[FLSA-2006:173274] Updated gdk-pixbuf packages fix security issues

2006-03-16 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated gdk-pixbuf packages fix security issues
Advisory ID:   FLSA:173274
Issue date:    2006-03-16
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-2975 CVE-2005-2976 CVE-2005-3186
-


-
1. Topic:

Updated gdk-pixbuf packages that fix several security issues are now
available.

The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way gdk-pixbuf processes XPM images. An attacker
could create a carefully crafted XPM file in such a way that it could
cause an application linked with gdk-pixbuf to execute arbitrary code
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened
by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in
the way gdk-pixbuf processes XPM images. An attacker could create a
carefully crafted XPM file in such a way that it could cause an
application linked with gdk-pixbuf to stop responding when the file was
opened by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2975 to this issue.

Users of gdk-pixbuf are advised to upgrade to these updated packages,
which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173274

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-0.22.0-7.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-devel-0.22.0-7.73.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gdk-pixbuf-gnome-0.22.0-7.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-0.22.0-7.90.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-devel-0.22.0-7.90.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/gdk-pixbuf-gnome-0.22.0-7.90.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-0.22.0-11.3.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-devel-0.22.0-11.3.4.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/gdk-pixbuf-gnome-0.22.0-11.3.4.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gdk-pixbuf-0.22.0-12.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/gdk-pixbuf-devel-0.22.0-12.fc2.1.legacy.i386.rpm

[FLSA-2006:175404] Updated xpdf package fixes security issues

2006-03-16 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated xpdf package fixes security issues
Advisory ID:   FLSA:175404
Issue date:    2006-03-16
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-2097 CVE-2005-3191 CVE-2005-3192
               CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
               CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
               CVE-2006-0301
-


-
1. Topic:

An updated xpdf package that fixes several security issues is now
available.

The xpdf package is an X Window System-based viewer for Portable
Document Format (PDF) files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw was discovered in Xpdf: an attacker could construct a carefully
crafted PDF file that would cause Xpdf to consume all available disk
space in /tmp when opened. The Common Vulnerabilities and Exposures
project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a
carefully crafted PDF file that could cause Xpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap-based buffer overflow bug was discovered in Xpdf. An attacker
could construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0301
to this issue.

Users of Xpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm

i386:

[FLSA-2006:178606] Updated kdelibs packages fix security issues

2006-03-16 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated kdelibs packages fix security issues
Advisory ID:   FLSA:178606
Issue date:    2006-03-16
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-0237 CVE-2005-0396 CVE-2005-1046
               CVE-2005-1920 CVE-2006-0019
-


-
1. Topic:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL certificates
in a way that uses homograph characters from other character sets, which
facilitates phishing attacks. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0237 to this
issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and
Kwrite. Depending on system settings, it may be possible for a local
user to read the backup files created by Kate or Kwrite. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1920 to
this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An attacker
could create a malicious web site containing carefully crafted
JavaScript code that would trigger this flaw and possibly lead to
arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:

Fedora Legacy Server Outage

2006-03-16 Thread Marc Deslauriers
As we sent out today's security advisories, one of our servers
experienced an outage before completely syncing to the mirrors.

As a result, the updates repository contains missing packages.

This situation should be corrected shortly. I apologize for any problems
this may cause.

Marc.



Fedora Legacy Test Update Notification: mod_python

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152896
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152896
2006-03-15
-

Name: mod_python
Versions: rh73: mod_python-2.7.8-1.7.3.3.legacy
Versions: rh9: mod_python-3.0.1-4.1.legacy
Versions: fc1: mod_python-3.0.4-0.1.1.legacy
Summary : An embedded Python interpreter for the Apache Web server.
Description :
Mod_python is a module that embeds the Python language interpreter
within the server, allowing Apache handlers to be written in Python.

-
Update Information:

An updated mod_python package that fixes a security issue in the
publisher handler is now available.

Mod_python is a module that embeds the Python language interpreter
within the Apache web server, allowing handlers to be written in Python.

Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access
to objects that should not be visible, leading to an information leak.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0088 to this issue.

Users of mod_python are advised to upgrade to this updated package,
which contains a backported patch to correct this issue.

-
Changelogs

rh73:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 2.7.8-1.7.3.3.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch config file to remove ieee linking which was causing build to fail

rh9:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 3.0.1-4.1.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch configure script not to link with ieee lib

fc1:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 3.0.4-0.1.1.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch configure script not to link to ieee lib

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: tcpdump

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-156139
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156139
2006-03-15
-

Name: tcpdump
Versions: rh9: tcpdump-3.7.2-7.9.4.legacy
Versions: fc1: tcpdump-3.7.2-8.fc1.3.legacy
Versions: fc2: tcpdump-3.8.2-6.FC2.3.legacy
Summary : A network traffic monitoring tool.
Description :
Tcpdump is a command-line tool for monitoring network traffic.
Tcpdump can capture and display the packet headers on a particular
network interface or on all interfaces. Tcpdump can display all of the
packet headers, or just the ones that match particular criteria.

-
Update Information:

Updated tcpdump packages that fix several security issues are now
available.

Tcpdump is a command-line tool for monitoring network traffic.

Several denial of service bugs were found in the way tcpdump processes
certain network packets. It is possible for an attacker to inject a
carefully crafted packet onto the network, crashing a running tcpdump
session. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-1267, CVE-2005-1278,
CVE-2005-1279, and CVE-2005-1280 to these issues.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these
issues.

-
Changelogs

rh9:
* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED]
14:3.7.2-7.9.4.legacy
- fix for Multiple DoS issues in tcpdump
  (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

fc1:
* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED] -
14:3.7.2-8.fc1.3.legacy
- fix for Multiple DoS issues in tcpdump
  (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

fc2:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] -
14:3.8.2-6.FC2.3.legacy
- Patch CAN-2005-1267 (#156139)

* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED] -
14:3.8.2-6.FC2.2.legacy
- fix for Multiple DoS issues in tcpdump
  (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: cyrus-imapd

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-156290
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156290
2006-03-15
-

Name: cyrus-imapd
Versions: fc2: cyrus-imapd-2.2.12-1.1.fc2.1.legacy
Summary : A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description :
The cyrus-imapd package contains the core of the Cyrus IMAP server.
It is a scalable enterprise mail system designed for use from
small to large enterprise environments using standards-based
internet mail technologies.

-
Update Information:

Updated cyrus-imapd packages that fix several buffer overflow security
issues are now available.

The cyrus-imapd package contains the core of the Cyrus IMAP server.

Several buffer overflow bugs were found in cyrus-imapd. It is possible
that an authenticated malicious user could cause the imap server to
crash. Additionally, a peer news admin could potentially execute
arbitrary code on the imap server when news is received using the
fetchnews command. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0546 to this issue.

Users of cyrus-imapd are advised to upgrade to these updated packages,
which contain cyrus-imapd version 2.2.12 to correct these issues.

-
Changelogs

fc2:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.12-1.1.fc2.1.legacy
- Update to 2.2.12 to fix CVE-2005-0546. The only difference between
  2.2.10 and 2.2.12 was the security fix, so upgrading is the
  equivalent of backporting the security fix.

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: imap

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-170411
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411
2006-03-15
-

Name: imap
Versions: rh7.3: imap-2001a-10.3.legacy
Versions: rh9: imap-2001a-18.2.legacy
Versions: fc1: imap-2002d-3.2.legacy
Summary : Server daemons for IMAP and POP network mail protocols.
Description :
The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols. The POP protocol uses a post office machine to collect
mail for users and allows users to download their mail to their local
machine for reading. The IMAP protocol allows a user to read mail on a
remote machine without downloading it to their local machine.

-
Update Information:

An updated imap package that fixes a buffer overflow issue is now
available.

The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols.

A buffer overflow flaw was discovered in the way the c-client library
parses user supplied mailboxes. If an authenticated user requests a
specially crafted mailbox name, it may be possible to execute arbitrary
code on a server that uses the library. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of imap should upgrade to these updated packages, which
contain a backported patch and are not vulnerable to this issue.

-
Changelogs

rh73:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED]
2001a-10.3.legacy
- Replaced CVE-2005-2933 patch with the one from RHEL21
  for consistency's sake

* Wed Oct 12 2005 Ville Herva [EMAIL PROTECTED] 2001a-10.2.legacy
- Added security patch for CAN-2005-2933

rh9:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED]
2001a-18.2.legacy
- Added security patch for CVE-2005-2933

fc1:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED]
1:2002d-3.2.legacy
- Added patch for CVE-2005-2933

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: tar (rh73, rh9, fc1, fc2)

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-183571-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571
2006-03-15
-

Name: tar
Versions: rh73: tar-1.13.25-4.7.2.legacy
Versions: rh9: tar-1.13.25-11.1.legacy
Versions: fc1: tar-1.13.25-12.1.legacy
Versions: fc2: tar-1.13.25-14.1.legacy
Summary : A GNU file archiving program.
Description :
The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive. Tar
can also be used to add supplemental files to an archive and to update
or list files in the archive. Tar includes multivolume support,
automatic archive compression/decompression, the ability to perform
remote archives, and the ability to perform incremental and full
backups.

-
Update Information:

An updated tar package that fixes a path traversal flaw is now
available.

The GNU tar program saves many files together in one archive and can
restore individual files (or all of the files) from that archive.

In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that could write
to arbitrary files to which the user running GNU tar has write access
(CVE-2002-0399). A security advisory was released containing a
backported patch.

It was discovered that the backported security patch contained an
incorrect optimization and therefore was not sufficient to completely
correct this vulnerability. The Common Vulnerabilities and Exposures
project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.

Users of tar should upgrade to this updated package, which contains a
replacement backported patch to correct this issue.

-
Changelogs

rh73:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED]
1.13.25-4.7.2.legacy
- Updated security fix for CVE-2005-1918

rh9:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED]
1.13.25-11.1.legacy
- Updated security fix for CVE-2005-1918

fc1:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED]
1.13.25-12.1.legacy
- Updated security fix for CVE-2005-1918

fc2:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED]
1.13.25-14.1.legacy
- Updated security fix for CVE-2005-1918

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: pine

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-184074
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184074
2006-03-15
-

Name: pine
Versions: rh73: pine-4.44-19.73.1.legacy
Versions: rh9: pine-4.44-19.90.1.legacy
Summary : A commonly used, MIME compliant mail and news reader.
Description :
Pine is a very popular, easy to use, full-featured email user agent
that includes a simple text editor called pico. Pine supports MIME
extensions and can also be used to read news. Pine also supports IMAP,
mail, and MH style folders.

-
Update Information:

An updated Pine package is now available to fix a denial of service
attack.

Pine is an email user agent.

The c-client IMAP client library, as used in Pine 4.44, contains an
integer overflow and integer signedness flaw. An attacker could create a
malicious IMAP server in such a way that it would cause Pine to crash.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2003-0297 to this issue.

Users of Pine are advised to upgrade to these erratum packages, which
contain a backported patch to correct this issue.

-
Changelogs

rh73:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED]
4.44-19.73.1.legacy
- Added patch for CVE-2003-0297

rh9:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED]
4.44-19.90.1.legacy
- Added patch for CVE-2003-0297

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


Fedora Legacy Test Update Notification: libc-client

2006-03-15 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-184098
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184098
2006-03-15
-

Name: libc-client
Versions: fc2: libc-client-2002e-5.1.legacy
Summary : C-client mail access routines for IMAP and POP protocols
Description :
C-client is a common API for accessing mailboxes. It is used internally
by the popular PINE mail reader, the University of Washington's IMAP
server and PHP.

-
Update Information:

Updated libc-client packages that fix a buffer overflow issue are now
available.

C-client is a common API for accessing mailboxes.

A buffer overflow flaw was discovered in the way C-client parses user
supplied mailboxes. If an authenticated user requests a specially
crafted mailbox name, it may be possible to execute arbitrary code on a
server that uses C-client to access mailboxes. The Common
Vulnerabilities and Exposures project has assigned the name
CVE-2005-2933 to this issue.

All users of libc-client should upgrade to these updated packages, which
contain a backported patch that resolves this issue.

-
Changelogs

fc2:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED]
2002e-5.1.legacy
- apply fix for CVE-2005-2933: buffer overflow

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


[FLSA-2006:168516] Updated pcre packages fix a security issue

2006-03-07 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated pcre packages fix a security issue
Advisory ID:   FLSA:168516
Issue date:2006-03-07
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2491
-


-
1. Topic:

Updated pcre packages are now available to correct a security issue.

PCRE is a Perl-compatible regular expression library.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

An integer overflow flaw was found in PCRE, triggered by a maliciously
crafted regular expression. On systems that accept arbitrary regular
expressions from untrusted users, this could be exploited to execute
arbitrary code with the privileges of the application using the library.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-2491 to this issue.

Users should update to these erratum packages that contain a backported
patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pcre-3.9-2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-3.9-2.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-devel-3.9-2.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pcre-3.9-10.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-3.9-10.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-devel-3.9-10.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/pcre-4.4-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-4.4-1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-devel-4.4-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/pcre-4.5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-4.5-2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-devel-4.5-2.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with 

[FLSA-2006:176751] Updated gpdf package fixes security issues

2006-03-07 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated gpdf package fixes security issues
Advisory ID:   FLSA:176751
Issue date:2006-03-07
Product:   Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192
   CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
   CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
-


-
1. Topic:

An updated gpdf package that fixes several security issues is now
available.

The gpdf package is a GNOME based viewer for Portable Document Format
(PDF) files.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw was discovered in gpdf. An attacker could construct a carefully
crafted PDF file that would cause gpdf to consume all available disk
space in /tmp when opened. The Common Vulnerabilities and Exposures
project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in gpdf. An attacker could construct a
carefully crafted PDF file that could cause gpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

Users of gpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176751

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gpdf-0.110-1.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gpdf-0.110-1.5.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gpdf-2.8.2-4.1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gpdf-2.8.2-4.1.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gpdf-2.8.2-7.2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gpdf-2.8.2-7.2.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
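The Verification section of these advisories leaves the two checks (rpm --checksig and sha1sum) to be typed by hand, one file at a time. As an added example that is not part of the advisory or of Fedora Legacy's tooling, the POSIX shell function below reads a listing in the advisory's own layout (digest and relative package path on alternate lines, with blank lines, "-" rules and release labels between groups, the same layout the test-update notifications use) and checks every downloaded file under a directory, reporting packages that are missing or whose digest does not match. The file names, contents and listing in the demo are constructed; a matching digest only shows the download is uncorrupted, so the GPG signature check the advisory describes is still needed to establish who published it.

```shell
#!/bin/sh
# Added example, not from the advisory: verify downloaded packages against
# the "SHA1 sum / Package Name" listing that Fedora Legacy advisories print.
# Digest and relative package path sit on alternate lines, so read in pairs.

sha1_of() {
    # Portable digest helper: GNU coreutils sha1sum, or shasum on BSD/macOS.
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_advisory_sums LISTING_FILE DOWNLOAD_DIR
# Prints one status line per listed package (OK / MISMATCH / MISSING) and
# returns the number of packages that failed, so 0 means everything matched.
verify_advisory_sums() {
    listing=$1
    basedir=$2
    failures=0
    expected=

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            # Blank lines, the column header, "-" rules, "(sha1sums)" and
            # release labels such as "fc2:" carry neither digest nor path.
            ''|'SHA1 sum'*|-*|'('*')'|*:) continue ;;
        esac
        if [ -z "$expected" ]; then
            # First line of a pair must be exactly 40 hex digits.
            hexcheck=$(printf '%s' "$line" | tr -d '0-9a-fA-F')
            if [ "${#line}" -eq 40 ] && [ -z "$hexcheck" ]; then
                expected=$(printf '%s' "$line" | tr 'A-F' 'a-f')
            else
                echo "MALFORMED $line"
                failures=$((failures + 1))
            fi
        else
            # Second line of a pair: path relative to the download root.
            file=$basedir/$line
            if [ ! -f "$file" ]; then
                echo "MISSING   $line"
                failures=$((failures + 1))
            elif [ "$(sha1_of "$file")" = "$expected" ]; then
                echo "OK        $line"
            else
                echo "MISMATCH  $line"
                failures=$((failures + 1))
            fi
            expected=
        fi
    done < "$listing"

    if [ -n "$expected" ]; then
        echo "MALFORMED digest $expected has no package name"
        failures=$((failures + 1))
    fi
    return $failures
}

# make_demo: build a constructed download directory and a matching listing.
# One file is intact, one is altered after the listing is written, and one
# listed SRPM was never downloaded. Prints the directory it created.
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pkgs/fedora/2/updates/i386"
    good=fedora/2/updates/i386/example-1.0-1.legacy.i386.rpm
    bad=fedora/2/updates/i386/example-devel-1.0-1.legacy.i386.rpm
    printf 'constructed sample: intact package\n' > "$dir/pkgs/$good"
    printf 'constructed sample: package as published\n' > "$dir/pkgs/$bad"
    {
        echo 'SHA1 sum Package Name'
        echo '-'
        echo
        echo 'fc2:'
        sha1_of "$dir/pkgs/$good"
        echo "$good"
        sha1_of "$dir/pkgs/$bad"
        echo "$bad"
        echo
        echo 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
        echo 'fedora/2/updates/SRPMS/example-1.0-1.legacy.src.rpm'
    } > "$dir/listing.txt"
    # Simulate a download corrupted or altered after the listing was published.
    printf 'constructed sample: package altered in transit\n' > "$dir/pkgs/$bad"
    echo "$dir"
}

demo=$(make_demo)
failed=0
verify_advisory_sums "$demo/listing.txt" "$demo/pkgs" || failed=$?
if [ "$failed" -eq 0 ]; then
    echo "all packages verified; now run rpm --checksig -v on each file"
else
    echo "$failed package(s) failed verification; do not install them"
fi
rm -rf "$demo"
```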

[UPDATED] Fedora Legacy Test Update Notification: kernel (fc1)

2006-03-05 Thread Marc Deslauriers
These packages were updated to fix an incorrect patch that caused
instability under heavy load.

-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-03-05
-

Name: kernel
Versions: fc1: kernel-2.4.22-1.2199.8.legacy.nptl
Summary : The Linux kernel (the core of the Linux operating system).
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of
the Red Hat Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process
allocation, device input and output, etc.

-
Update Information:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included. (CVE-2004-0791)

- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems
that allowed a local user to cause a denial of service (crash)
(CAN-2005-0756, CAN-2005-1762, CAN-2005-2553)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CAN-2005-2490)

- a flaw in exec() handling on some 64-bit architectures that allowed
a local user to cause a denial of service (crash) (CVE-2005-2708)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

-
Changelogs

fc1:
* Fri Mar 03 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.22-1.2199.8.legacy.nptl
- Fixed the broken CVE-2005-0749 patch that was causing instability

* Fri Feb 17 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.22-1.2199.7.legacy.nptl
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Thu Feb 02 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.22-1.2199.6.legacy.nptl
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc1:
5ec641496db89906ce3e587bda826b38f0e2b2b4
fedora/1/updates-testing/i386/kernel-2.4.22-1.2199.8

Re: Rebuild existing errata for x86_64?

2006-03-04 Thread Marc Deslauriers
On Sat, 2006-03-04 at 01:58 -0600, Eric Rostetter wrote:
 In any case, I think we should _at least_ release all FC3 packages
 for x86_64.  In other words, we shouldn't release new FC3 x86_64
 without releasing also the older FC3 x86_64, for consistency.

So far, all FC3 updates have had x86_64 packages.

Marc.


signature.asc
Description: This is a digitally signed message part
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Fedora Legacy Test Update Notification: glibc

2006-03-01 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173091-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091
2006-03-01
-

Name: glibc
Versions: rh73: glibc-2.2.5-44.legacy.8
Versions: rh9: glibc-2.3.2-27.9.7.4.legacy
Summary : The GNU libc libraries.
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

-
Update Information:

Updated glibc packages that add daylight savings rule enhancements for
various countries are now available.

The GNU libc packages (known as glibc) contain the standard C libraries
used by applications.

This update adjusts timezone files for countries where daylight savings
rules have recently changed or are going to change in the near future.

Users in those countries should upgrade to these updated packages
and rerun redhat-config-date to update the local timezone in
/etc/localtime.

-
Changelogs

rh73:
* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.4-44.legacy.8
- Bring timezone info up to version 2006a

* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2.2.4-44.legacy.7
- Bring timezone info up to version 2005m

rh9:
* Tue Feb 21 2006 Marc Deslauriers [EMAIL PROTECTED]
2.3.2-27.9.7.4.legacy
- Bring timezone info up to version 2006a

* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
2.3.2-27.9.7.3.legacy
- Bring timezone info up to version 2005m

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.


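The notifications on this list publish package checksums as a bare list in which each hash line is followed by its path line. The script below is an added example, not part of the notification or of Fedora Legacy's tooling: it checks a directory of downloaded packages against such a list saved to a file, reporting missing files, mismatches and malformed (for instance truncated) hash lines. It assumes GNU coreutils `sha1sum`; the list file and the download root are parameters.

```shell
#!/bin/sh
# Added example (not from the notification or from Fedora Legacy).
# verify_sha1_list LISTFILE DOWNLOAD_ROOT
#   LISTFILE holds the "(sha1sums)" block as published: optional release
#   labels such as "rh73:" or "fc2:", then pairs of lines, a 40-hex-digit
#   hash followed by the package path relative to the download root.
#   Returns 0 when every listed file exists under DOWNLOAD_ROOT with a
#   matching sha1sum, 1 on any missing file or mismatch, 2 if the list
#   itself is malformed. Problems are reported on stderr.
verify_sha1_list() {
  list="$1"
  root="$2"
  result=0
  expected=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "") continue ;;      # blank separator line
      *:) continue ;;      # release label, e.g. "rh9:"
    esac
    if [ -z "$expected" ]; then
      # Expect a hash line: exactly 40 lowercase hex characters.
      case "$line" in
        *[!0-9a-f]*) echo "malformed hash line: $line" >&2; return 2 ;;
      esac
      [ "${#line}" -eq 40 ] || { echo "malformed hash line: $line" >&2; return 2; }
      expected="$line"
      continue
    fi
    # Otherwise this is the path line belonging to the previous hash.
    file="$root/$line"
    if [ ! -f "$file" ]; then
      echo "MISSING  $line" >&2
      result=1
    else
      actual=$(sha1sum "$file" | cut -d' ' -f1)
      if [ "$actual" = "$expected" ]; then
        echo "OK       $line"
      else
        echo "MISMATCH $line (expected $expected, got $actual)" >&2
        result=1
      fi
    fi
    expected=""
  done < "$list"
  # A hash with no following path line means the list was cut off.
  [ -z "$expected" ] || { echo "dangling hash line: $expected" >&2; return 2; }
  return "$result"
}
```

A matching checksum only shows the file is the one the notification describes; authenticity still rests on `rpm --checksig` against the Fedora Legacy GPG key.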

Fedora Legacy Test Update Notification: tzdata

2006-03-01 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173091-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091
2006-03-01
-

Name: tzdata
Versions: fc1: tzdata-2005r-3.fc1.1.legacy
Versions: fc2: tzdata-2005r-3.fc2.1.legacy
Summary : Timezone data
Description :
This package contains data files with rules for various timezones around
the world.

-
Update Information:

An updated tzdata package that adds daylight savings rule enhancements
for various countries is now available.

The tzdata package contains data files with rules for various timezones
around the world.

This update adjusts timezone files for countries where daylight savings
rules have recently changed or are going to change in the near future.

Users in those countries should upgrade to these updated packages
and rerun redhat-config-date (or system-config-date in FC2) to update
the local timezone in /etc/localtime.

-
Changelogs

fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2005r-3.fc1.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 1

fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2005r-3.fc2.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 2

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.



[FLSA-2006:175818] Updated udev packages fix a security issue

2006-02-27 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated udev packages fix a security issue
Advisory ID:   FLSA:175818
Issue date:    2006-02-27
Product:       Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-3631
-


-
1. Topic:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.

2. Relevant releases/architectures:

Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such
as passwords. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which
contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm

7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-


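The advisory above describes udev granting overly permissive modes on files in /dev/input. The audit below is an added example, neither from the advisory nor from udev: it reports device nodes under a directory that are readable by users other than the owner, so an administrator can confirm that after the update no input device is left world-readable. It assumes GNU coreutils `stat`; the directory is a parameter (defaulting to /dev/input), and treating world-read as a failure while only flagging group-read is my own choice.

```shell
#!/bin/sh
# Added example (not from the advisory or from udev).
# audit_input_perms [DIR]
#   Prints one line per node under DIR (default /dev/input) with its
#   symbolic mode and owner. Returns 1 if any node is readable by "other"
#   (any local user could read keystrokes from it), 0 otherwise, and 2 if
#   DIR does not exist. Group-readable nodes are listed for review only,
#   since whether the group is acceptable depends on local policy.
audit_input_perms() {
  dir="${1:-/dev/input}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  result=0
  for node in "$dir"/*; do
    [ -e "$node" ] || continue          # empty dir leaves the glob unexpanded
    perms=$(stat -c '%A' "$node") || return 2   # e.g. crw-rw---- (GNU stat)
    owner=$(stat -c '%U:%G' "$node")
    # Symbolic mode: type, then rwx for user, group, other; the 5th
    # character is the group read bit and the 8th the "other" read bit.
    case "$perms" in
      ???????r??)
        echo "WORLD-READABLE $perms $owner $node"
        result=1 ;;
      ????r?????)
        echo "GROUP-READABLE $perms $owner $node" ;;
      *)
        echo "ok             $perms $owner $node" ;;
    esac
  done
  return "$result"
}
```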

[FLSA-2006:177326] Updated mod_auth_pgsql package fixes security issue

2006-02-27 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated mod_auth_pgsql package fixes security issue
Advisory ID:   FLSA:177326
Issue date:    2006-02-27
Product:       Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2005-3656
-


-
1. Topic:

An updated mod_auth_pgsql package that fixes a format string flaw is now
available.

The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute
arbitrary code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have
mod_auth_pgsql installed and configured to perform user authentication
against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages,
which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-



[FLSA-2006:177694] Updated auth_ldap package fixes security issue

2006-02-27 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated auth_ldap package fixes security issue
Advisory ID:   FLSA:177694
Issue date:    2006-02-27
Product:       Red Hat Linux
Keywords:      Bugfix
CVE Names:     CVE-2006-0150
-


-
1. Topic:

An updated auth_ldap package that fixes a format string security issue
is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication
against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs information. It
may be possible for a remote attacker to execute arbitrary code as the
'apache' user if auth_ldap is used for user authentication. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap installed
and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which
contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-

38f70135bc17c313fecdb81f61e776ac032b796e
redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm
78b7ee876d5b900ff5268b1a396a59ca9f2385f0
redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-



[FLSA-2006:181014] Updated gnutls packages fix a security issue

2006-02-27 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated gnutls packages fix a security issue
Advisory ID:   FLSA:181014
Issue date:    2006-02-27
Product:       Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2006-0645
-


-
1. Topic:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and
protocols such as TLS. GNU TLS includes Libtasn1, a library developed
for ASN.1 structures management that includes DER encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate that triggers
these flaws when parsed by an application that uses GNU TLS. This could
lead to a denial of service (application crash). It is not certain
whether this issue could be escalated to allow arbitrary code execution.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a
backported patch from the GNU TLS maintainers to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
-

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-



Fedora Legacy Test Update Notification: pcre

2006-02-26 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168516
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516
2006-02-26
-

Name: pcre
Versions: rh73: pcre-3.9-2.1.legacy
Versions: rh9: pcre-3.9-10.1.legacy
Versions: fc1: pcre-4.4-1.2.legacy
Versions: fc2: pcre-4.5-2.2.legacy
Summary : Perl-compatible regular expression library.
Description :
Perl-compatible regular expression library. PCRE has its own native
API, but a set of wrapper functions that are based on the POSIX API
are also supplied in the library libpcreposix. Note that this just
provides a POSIX calling interface to PCRE; the regular expressions
themselves still follow Perl syntax and semantics. The header file for
the POSIX-style functions is called pcreposix.h.

-
Update Information:

Updated pcre packages are now available to correct a security issue.

PCRE is a Perl-compatible regular expression library.

An integer overflow flaw was found in PCRE, triggered by a maliciously
crafted regular expression. On systems that accept arbitrary regular
expressions from untrusted users, this could be exploited to execute
arbitrary code with the privileges of the application using the library.
The Common Vulnerabilities and Exposures project assigned the name
CVE-2005-2491 to this issue.

Users should update to these erratum packages that contain a backported
patch to correct this issue.

-
Changelogs

rh73:
* Fri Oct 28 2005 Leonard den Ottolander leonard agromisa org
3.9-2.1.legacy
- Fix CAN-2005-2491

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
3.9-10.1.legacy
- Added patch for CVE-2005-2491

fc1:
* Sat Feb 25 2006 Marc Deslauriers [EMAIL PROTECTED]
4.4-1.2.legacy
- Added pcre-devel to BuildPrereq

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
4.4-1.1.legacy
- Added patch for CVE-2005-2491

fc2:
* Sat Feb 25 2006 Marc Deslauriers [EMAIL PROTECTED]
4.5-2.2.legacy
- Added pcre-devel to BuildPrereq

* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED]
4.5-2.1.legacy
- Added patch for CVE-2005-2491

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

-

Please test and comment in bugzilla.



Fedora Legacy Test Update Notification: xpdf

2006-02-26 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175404
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404
2006-02-26
-

Name: xpdf
Versions: rh73: xpdf-1.00-7.6.legacy
Versions: rh9: xpdf-2.01-11.4.legacy
Versions: fc1: xpdf-2.03-1.4.legacy
Versions: fc2: xpdf-3.00-3.8.1.legacy
Versions: fc3: xpdf-3.01-0.FC3.5.legacy
Summary : A PDF file viewer for the X Window System.
Description :
Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files. Xpdf is a small and efficient program which uses
standard X fonts.

-
Update Information:

An updated xpdf package that fixes several security issues is now
available.

The xpdf package is an X Window System-based viewer for Portable
Document Format (PDF) files.

A flaw was discovered in Xpdf: an attacker could construct a carefully
crafted PDF file that would cause Xpdf to consume all available disk
space in /tmp when opened. The Common Vulnerabilities and Exposures
project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a
carefully crafted PDF file that could cause Xpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap based buffer overflow bug was discovered in Xpdf. An attacker
could construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0301
to this issue.

Users of Xpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

-
Changelogs

rh73:
* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED]
1.00-7.6.legacy
- Added better patch for CVE-2004-0888

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1.00-7.5.legacy
- Added patch for CVE-2005-3193

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
2.01-11.4.legacy
- Added better patch for CVE-2004-0888
- Added patch for CVE-2005-3193

fc1:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1:2.03-1.4.legacy
- Added better patch for CVE-2004-0888
- Added patch for CVE-2005-3193

fc2:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1:3.00-3.8.1.legacy
- Apply patches for CVE-2005-2097, CVE-2005-3193, CVE-2006-0301

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1:3.01-0.FC3.5.legacy
- Added patch for CVE-2006-0301

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: udev

2006-02-26 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175818
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818
2006-02-26
-

Name: udev
Versions: fc2: udev-024-6.2.legacy
Versions: fc3: udev-039-10.FC3.9.legacy
Summary : A userspace implementation of devfs
Description :
udev is an implementation of devfs in userspace using sysfs and
/sbin/hotplug. It requires a 2.6 kernel to run properly.

-
Update Information:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.

Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such
as passwords. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which
contain a backported patch and are not vulnerable to this issue.

-
Changelogs

fc2:
* Sun Feb 26 2006 Marc Deslauriers [EMAIL PROTECTED]
024-6.2.legacy
- Added missing glib2-devel to BuildRequires

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
024-6.1.legacy
- Changed permissions for input to fix CVE-2005-3631

fc3:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] -
039-10.FC3.9.legacy
- Change input permissions to fix CVE-2005-3631

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



[FLSA-2006:138098] Updated nfs-utils package fixes security issues

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:    Updated nfs-utils package fixes security issues
Advisory ID: FLSA:138098
Issue date:  2006-02-25
Product:     Red Hat Linux, Fedora Core
Keywords:    Bugfix
CVE Names:   CVE-2004-0946 CVE-2004-1014
-


-
1. Topic:

An updated nfs-utils package that fixes security issues is now
available.

The nfs-utils package provides a daemon for the kernel NFS server and
related tools, providing a much higher level of performance than the
traditional Linux NFS server used by most users.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit
architectures, an improper integer conversion can lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could lead to the execution of arbitrary code. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0946 to this issue.

In addition, the Fedora Core 2 update fixes the following issue:

SGI reported that the statd daemon did not properly handle the SIGPIPE
signal. A misconfigured or malicious peer could cause statd to crash,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2004-1014 to this
issue.

All users of nfs-utils should upgrade to this updated package, which
resolves these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138098

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/nfs-utils-1.0.1-3.9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/nfs-utils-1.0.6-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/nfs-utils-1.0.6-22.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/nfs-utils-1.0.6-22.2.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
-


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not 
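The verification steps in section 7 (compare each download against the listed SHA1, then check the GPG signature with rpm --checksig) as an added example, not part of the advisory or of Fedora Legacy's tooling: a POSIX sh checker for the two-line "(sha1sums)" listing format used by these notifications, run against a constructed fixture tree; the demo package name, path and contents are invented. A digest that is not exactly 40 hex characters (several listings in this archive are truncated) is reported as a malformed listing rather than silently skipped.

```shell
#!/bin/sh
# Added example (not Fedora Legacy's tooling): check downloaded packages
# against the "(sha1sums)" listing format used in these notifications.
# The listing is two lines per package: a 40-hex-digit SHA1, then the
# path relative to http://download.fedoralegacy.org/.  Release labels
# such as "fc2:" and blank lines are skipped.

# sha1_of FILE: print the hex digest (sha1sum on Linux, shasum elsewhere).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1_manifest MANIFEST BASEDIR
# Returns 0 if every listed file exists under BASEDIR and matches its
# digest, 1 if any file is missing or altered (all are reported, not just
# the first), 2 if the listing itself is malformed, e.g. a truncated digest.
verify_sha1_manifest() {
    manifest=$1
    base=$2
    expected=""
    failures=0
    checked=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '')  continue ;;        # blank separator
            *:)  continue ;;        # release label: "rh73:", "fc2:", ...
        esac
        if [ -z "$expected" ]; then
            # digest line: must be exactly 40 hex characters
            case "$line" in
                *[!0-9a-fA-F]*)
                    echo "malformed digest line: $line" >&2
                    return 2 ;;
            esac
            if [ "${#line}" -ne 40 ]; then
                echo "truncated digest (${#line} chars): $line" >&2
                return 2
            fi
            expected=$(printf '%s' "$line" | tr 'A-F' 'a-f')
            continue
        fi
        # path line: compare the real digest with the expected one
        path="$base/$line"
        checked=$((checked + 1))
        if [ ! -f "$path" ]; then
            echo "MISSING  $line" >&2
            failures=$((failures + 1))
        elif [ "$(sha1_of "$path")" = "$expected" ]; then
            echo "OK       $line"
        else
            echo "MISMATCH $line" >&2
            failures=$((failures + 1))
        fi
        expected=""
    done < "$manifest"
    if [ -n "$expected" ]; then
        echo "digest without a following path line" >&2
        return 2
    fi
    if [ "$checked" -eq 0 ]; then
        echo "no package entries found" >&2
        return 2
    fi
    [ "$failures" -eq 0 ]
}

# make_fixture: build a constructed download tree plus a matching listing
# (package name and contents are invented for this demo) and print the
# directory that holds them.
make_fixture() {
    dir=$(mktemp -d)
    rel="fedora/2/updates-testing/i386/demo-1.0-1.legacy.i386.rpm"
    mkdir -p "$dir/$(dirname "$rel")"
    printf 'not a real rpm, just demo bytes\n' > "$dir/$rel"
    {
        echo "fc2:"
        sha1_of "$dir/$rel"
        echo "$rel"
    } > "$dir/sha1sums.txt"
    echo "$dir"
}

fixture=$(make_fixture)
if verify_sha1_manifest "$fixture/sha1sums.txt" "$fixture"; then
    echo "digests match; next check the GPG signature: rpm --checksig -v <file>.rpm"
fi
# Simulate a corrupted or substituted download and confirm it is rejected.
printf 'extra bytes\n' >> "$fixture/fedora/2/updates-testing/i386/demo-1.0-1.legacy.i386.rpm"
verify_sha1_manifest "$fixture/sha1sums.txt" "$fixture" || echo "altered package rejected (rc=$?)"
rm -rf "$fixture"
```

The same checker applies to the "(sha1sums)" sections of the test-update notifications on this page (udev, gdk-pixbuf, libungif), since they use the same two-line format.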

[FLSA-2006:158543] Updated gaim package fixes security issues

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:    Updated gaim package fixes security issues
Advisory ID: FLSA:158543
Issue date:  2006-02-25
Products:    Red Hat Linux, Fedora Core
Keywords:    Bugfix
CVE Names:   CVE-2005-0208 CVE-2005-0473 CVE-2005-0472 CVE-2005-0965
             CVE-2005-0966 CVE-2005-0967 CVE-2005-1261 CVE-2005-1262
             CVE-2005-2103 CVE-2005-2102 CVE-2005-2370 CVE-2005-1269
             CVE-2005-1934
-


-
1. Topic:

An updated gaim package that fixes various security issues as well as a
number of bugs is now available.

The Gaim application is a multi-protocol instant messaging client.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Two HTML parsing bugs were discovered in Gaim. It is possible that a
remote attacker could send a specially crafted message to a Gaim client,
causing it to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2005-0208 and CVE-2005-0473
to these issues.

A bug in the way Gaim processes SNAC packets was discovered. It is
possible that a remote attacker could send a specially crafted SNAC
packet to a Gaim client, causing the client to stop responding. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0472 to this issue.

A buffer overflow bug was found in the way gaim escapes HTML. It is
possible that a remote attacker could send a specially crafted message
to a Gaim client, causing it to crash. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0965
to this issue.

A bug was found in several of gaim's IRC processing functions. These
functions fail to properly remove various markup tags within an IRC
message. It is possible that a remote attacker could send a specially
crafted message to a Gaim client connected to an IRC server, causing it
to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0966 to this issue.

A bug was found in gaim's Jabber message parser. It is possible for a
remote Jabber user to send a specially crafted message to a Gaim client,
causing it to crash. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0967 to this issue.

A stack based buffer overflow bug was found in the way gaim processes a
message containing a URL. A remote attacker could send a carefully
crafted message resulting in the execution of arbitrary code on a
victim's machine. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-1261 to this issue.

A bug was found in the way gaim handles malformed MSN messages. A remote
attacker could send a carefully crafted MSN message causing gaim to
crash. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1262 to this issue.

A heap based buffer overflow issue was discovered in the way Gaim
processes away messages. A remote attacker could send a specially
crafted away message to a Gaim user logged into AIM or ICQ that could
result in arbitrary code execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2103 to
this issue.

Daniel Atallah discovered a denial of service issue in Gaim. A remote
attacker could attempt to upload a file with a specially crafted name to
a user logged into AIM or ICQ, causing Gaim to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-2102 to this issue.

A denial of service bug was found in Gaim's Gadu Gadu protocol handler.
A remote attacker could send a specially crafted message to a Gaim user
logged into Gadu Gadu, causing Gaim to crash. Please note that this
issue only affects PPC and IBM S/390 systems running Gaim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-2370 to this issue.

Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo!
Messenger file transfers. It is possible for a malicious user to send a
specially crafted file transfer request that causes Gaim to crash. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-1269 to this issue.

Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim
parses MSN Messenger messages. It is possible for a malicious user to
send a specially crafted MSN Messenger message that causes Gaim to
crash. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1934 to this issue.

Additionally, various client crashes, 

[FLSA-2006:176731] Updated perl packages fix security issue

2006-02-25 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:    Updated perl packages fix security issue
Advisory ID: FLSA:176731
Issue date:  2006-02-25
Product:     Red Hat Linux, Fedora Core
Keywords:    Bugfix
CVE Names:   CVE-2005-3962
-


-
1. Topic:

Updated perl packages that fix a security flaw are now available.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script which passes arbitrary
untrusted strings to the format string processor.  The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to
this issue.


Note that this vulnerability does not affect the perl packages in Red Hat
Linux 7.3.

Users of perl are advised to upgrade to these packages which contain a
backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176731

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/perl-5.8.0-90.0.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-5.8.0-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CGI-2.81-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CPAN-1.61-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-DB_File-1.804-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/perl-5.8.3-17.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-5.8.3-17.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-suidperl-5.8.3-17.5.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/perl-5.8.3-19.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-5.8.3-19.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-suidperl-5.8.3-19.5.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-


Fedora Legacy Test Update Notification: gdk-pixbuf

2006-02-23 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173274
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173274
2006-02-23
-

Name: gdk-pixbuf
Versions: rh73: gdk-pixbuf-0.22.0-7.73.4.legacy
Versions: rh9: gdk-pixbuf-0.22.0-7.90.4.legacy
Versions: fc1: gdk-pixbuf-0.22.0-11.3.4.2.legacy
Versions: fc2: gdk-pixbuf-0.22.0-12.fc2.1.legacy
Summary : An image loading library used with GNOME.
Description :
The gdk-pixbuf package contains an image loading library used with the
GNOME desktop environment. The GdkPixBuf library provides image
loading facilities, the rendering of a GdkPixBuf into various formats
(drawables or GdkRGB buffers), and a cache interface.

-
Update Information:

Updated gdk-pixbuf packages that fix several security issues are now
available.

The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.

A bug was found in the way gdk-pixbuf processes XPM images. An attacker
could create a carefully crafted XPM file in such a way that it could
cause an application linked with gdk-pixbuf to execute arbitrary code
when the file was opened by a victim. The Common Vulnerabilities and
Exposures project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM
file in such a way that it could cause an application linked with
gdk-pixbuf to execute arbitrary code or crash when the file was opened
by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in
the way gdk-pixbuf processes XPM images. An attacker could create a
carefully crafted XPM file in such a way that it could cause an
application linked with gdk-pixbuf to stop responding when the file was
opened by a victim. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2975 to this issue.

Users of gdk-pixbuf are advised to upgrade to these updated packages,
which contain backported patches and are not vulnerable to these issues.

-
Changelogs

rh73:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] -
1:0.22.0-7.73.4.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] -
1:0.22.0-7.90.4.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

fc1:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] -
1:0.22.0-11.3.4.2.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

fc2:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] -
1:0.22.0-12.fc2.1.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: libungif

2006-02-23 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-174479
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174479
2006-02-23
-

Name: libungif
Versions: rh73: libungif-4.1.0-10.2.legacy
Versions: rh9: libungif-4.1.0-15.2.legacy
Versions: fc1: libungif-4.1.0-16.2.legacy
Versions: fc2: libungif-4.1.0-17.3.legacy
Summary : A library for manipulating GIF format image files.
Description :
The libungif package contains a shared library of functions for
loading and saving GIF format image files. The libungif library can
load any GIF file, but it will save GIFs only in uncompressed format;
it will not use the patented LZW compression used to save
normal compressed GIF files.

-
Update Information:

Updated libungif packages that fix two security issues are now
available.

The libungif package contains a shared library of functions for loading
and saving GIF format image files.

Several bugs in the way libungif decodes GIF images were discovered. An
attacker could create a carefully crafted GIF image file in such a way
that it could cause an application linked with libungif to crash or
execute arbitrary code when the file is opened by a victim. The Common
Vulnerabilities and Exposures project has assigned the names
CVE-2005-2974 and CVE-2005-3350 to these issues.

All users of libungif are advised to upgrade to these updated packages,
which contain backported patches that resolve these issues.

-
Changelogs

rh73:
* Wed Feb 22 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-10.2.legacy
- Added missing XFree86-devel, netpbm-devel and texinfo to BuildRequires
- Added patch from RHEL to get librle in

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-10.1.legacy
- Added patch for CVE-2005-2974 and CVE-2005-3350

rh9:
* Wed Feb 22 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-15.2.legacy
- Added missing XFree86-devel, netpbm-devel and texinfo to BuildRequires
- Added patch from RHEL to get librle in

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-15.1.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

fc1:
* Thu Feb 23 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-16.2.legacy
- Added missing XFree86-devel to BuildRequires

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-16.1.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

fc2:
* Thu Feb 23 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-17.3.legacy
- Added missing xorg-x11-devel to BuildRequires

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED]
4.1.0-17.2.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



[FLSA-2006:180036-1] Updated mozilla packages fix security issues

2006-02-23 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:    Updated mozilla packages fix security issues
Advisory ID: FLSA:180036-1
Issue date:  2006-02-23
Product:     Red Hat Linux, Fedora Core
Keywords:    Bugfix
CVE Names:   CVE-2005-4134 CVE-2006-0292 CVE-2006-0296
-


-
1. Topic:

Updated mozilla packages that fix several security bugs are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Igor Bukanov discovered a bug in the way Mozilla's Javascript
interpreter dereferences objects. If a user visits a malicious web page,
Mozilla could crash or execute arbitrary code as the user running
Mozilla. The Common Vulnerabilities and Exposures project assigned the
name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist()
function. A malicious web page could inject arbitrary RDF data into a
user's localstore.rdf file, which can cause Mozilla to execute arbitrary
javascript when a user runs Mozilla. (CVE-2006-0296)

A denial of service bug was found in the way Mozilla saves history
information. If a user visits a web page with a very long title, it is
possible Mozilla will crash or take a very long time the next time it is
run. (CVE-2005-4134)

Users of Mozilla are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.12-0.73.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.12-0.73.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.12-0.90.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.12-0.90.2.legacy.i386.rpm

[FLSA-2006:180036-2] Updated firefox package fixes security issues

2006-02-23 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:    Updated firefox package fixes security issues
Advisory ID: FLSA:180036-2
Issue date:  2006-02-23
Product:     Fedora Core
Keywords:    Bugfix
CVE Names:   CVE-2005-4134 CVE-2006-0292 CVE-2006-0296
-


-
1. Topic:

An updated firefox package that fixes several security bugs is now
available.

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Igor Bukanov discovered a bug in the way Firefox's Javascript
interpreter dereferences objects. If a user visits a malicious web page,
Firefox could crash or execute arbitrary code as the user running
Firefox. The Common Vulnerabilities and Exposures project assigned the
name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist()
function. A malicious web page could inject arbitrary RDF data into a
user's localstore.rdf file, which can cause Firefox to execute arbitrary
javascript when a user runs Firefox. (CVE-2006-0296)

A denial of service bug was found in the way Firefox saves history
information. If a user visits a web page with a very long title, it is
possible Firefox will crash or take a very long time the next time it is
run. (CVE-2005-4134)

Users of Firefox are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
-

3b05d93992aba7369a418d53344250aa275330ac
fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm
850534b4cfa591372d8245808e46378c5923e086
fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm
a167dc9061c484aa26f89703dc0228883409235e
fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename
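
A worked version of the check in this section, added here as an example and not part of the advisory or of Fedora Legacy's tooling: it parses the SHA1 list above, compares each listed package in a local download directory, and runs the advisory's rpm --checksig -v only when rpm is installed. The download directory layout, the build_demo_dir() fixture and its file contents are constructed for the demonstration.

```python
"""Check downloaded RPMs against the SHA1 list in a Fedora Legacy advisory.

Added example, not Fedora Legacy's own tooling. It assumes the advisory's
"7. Verification" block is pasted verbatim (a 40-hex-digit line followed by
the package's relative path) and that packages were downloaded into a local
directory that preserves those relative paths.
"""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Copied from the advisory above; used only to exercise parse_sha1_list().
ADVISORY_SHA1_LIST = """\
SHA1 sum Package Name
-

3b05d93992aba7369a418d53344250aa275330ac
fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm
850534b4cfa591372d8245808e46378c5923e086
fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm
a167dc9061c484aa26f89703dc0228883409235e
fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm
"""


def parse_sha1_list(text):
    """Return [(sha1, relative_path), ...]; skips header, rule and blank lines."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("SHA1 sum"):
            continue
        if HEX40.match(line):
            if pending is not None:
                raise ValueError("two hashes in a row: " + line)
            pending = line
        elif pending is None:
            raise ValueError("path without a preceding hash: " + line)
        else:
            pairs.append((pending, line))
            pending = None
    if pending is not None:
        raise ValueError("hash without a path: " + pending)
    return pairs


def sha1_of_file(path):
    """Stream the file through SHA1 so large RPMs are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text, download_dir):
    """Map each listed package to "ok", "mismatch" or "missing"."""
    status = {}
    for expected, rel in parse_sha1_list(advisory_text):
        local = os.path.join(download_dir, rel)
        if not os.path.isfile(local):
            status[rel] = "missing"
        elif sha1_of_file(local) != expected:
            status[rel] = "mismatch"
        else:
            status[rel] = "ok"
    return status


def rpm_signature_check(path):
    """Run the advisory's `rpm --checksig -v` on one package.

    A matching SHA1 only shows the file is the one the mail described; the
    GPG signature is what ties it to Fedora Legacy. Returns None when rpm is
    not installed, otherwise (exit code, combined output).
    """
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "--checksig", "-v", path],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def build_demo_dir():
    """Constructed fixture: one good, one tampered and one missing package.

    File contents and the resulting hashes are made up here; they are not
    real RPMs. Returns (advisory-style listing, download directory).
    """
    base = tempfile.mkdtemp()
    good = "fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm"
    bad = "fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm"
    gone = "fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm"
    for rel, data in ((good, b"constructed good package"), (bad, b"tampered bytes")):
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    listing = "SHA1 sum Package Name\n-\n\n"
    listing += hashlib.sha1(b"constructed good package").hexdigest() + "\n" + good + "\n"
    listing += hashlib.sha1(b"original bytes").hexdigest() + "\n" + bad + "\n"
    listing += "0" * 40 + "\n" + gone + "\n"
    return listing, base


if __name__ == "__main__":
    listing, base = build_demo_dir()
    for rel, state in verify_downloads(listing, base).items():
        print(state.ljust(8), rel)
```

Run as a script it prints the three statuses for the constructed fixture; for a real download, paste the advisory block into a file and call verify_downloads() with that text and the download directory, then rpm_signature_check() on each package that came back "ok". The sha1sum step catches corruption or a swapped file, but because the hash list arrives in a mail body it cannot by itself establish who built the package; that is the job of the GPG signature, and it is why a yum configured for Fedora Legacy refuses an unsigned package.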

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-


signature.asc
Description: OpenPGP digital signature
--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Re: x86_64 Packages missing

2006-02-22 Thread Marc Deslauriers
On Wed, 2006-02-22 at 13:07 +0100, Klaus Steinberger wrote:
 Hello,
 
 in the last Advisories (e.g. [FLSA-2006:175406]) also x86_64 Packages were 
 mentioned, but they are missing from the updates Repository, they are just in 
 updates-testing.
 
 Were they missed or is that intentional? The x86_64 support is essential for 
 me.

Sorry about that. I forgot to move the x86_64 packages from
updates-testing to updates.

The mirrors are being synced now, they should appear shortly.

Marc.




Re: Fedora Legacy Test Update Notification: gpdf

2006-02-22 Thread Marc Deslauriers
On Wed, 2006-02-22 at 09:57 -0700, Michal Jaegermann wrote:
 On Mon, Feb 20, 2006 at 07:58:41PM -0500, Marc Deslauriers wrote:
  -
  Fedora Legacy Test Update Notification
  FEDORALEGACY-2006-176751
 
  fedora/3/updates-testing/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
 
 At least this package is unsigned so yum, in a default configuration
 from legacy-yumconf-3-4.fc3 plus enabled 'legacy-testing', will not
 install that.  sha1sum agrees with what was posted, though.

Thanks for noticing. I just pushed out signed ones.

Marc.



Fedora Legacy Test Update Notification: kernel (rh73 and rh9)

2006-02-20 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20
-

Name: kernel
Versions: rh7.3: kernel-2.4.20-45.7.legacy
Versions: rh9: kernel-2.4.20-45.9.legacy
Summary : The Linux kernel (the core of the Linux operating system).
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of
the Red Hat Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process
allocation, device input and output, etc.

-
Update Information:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included. (CVE-2004-0791)

- flaws in the coda module that allowed denial-of-service attacks
(crashes) or local privilege escalations (CVE-2005-0124)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CAN-2005-2490)

- a flaw in exec() handling on some 64-bit architectures that allowed
a local user to cause a denial of service (crash) (CVE-2005-2708)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a flaw in the packet radio ROSE protocol that allowed a user to
trigger out-of-bounds errors. (CVE-2005-3273)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

-
Changelogs

rh73:
* Sat Feb 04 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

rh9:
* Sat Feb 04 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709

Fedora Legacy Test Update Notification: kernel (fc1)

2006-02-20 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20
-

Name: kernel
Versions: fc1: kernel-2.4.22-1.2199.7.legacy.nptl
Summary : The Linux kernel (the core of the Linux operating system).
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of
the Red Hat Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process
allocation, device input and output, etc.

-
Update Information:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a recent Internet Draft by Fernando Gont recommended that ICMP Source
Quench messages be ignored by hosts. A patch to ignore these messages is
included. (CVE-2004-0791)

- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems
that allowed a local user to cause a denial of service (crash)
(CAN-2005-0756, CAN-2005-1762, CAN-2005-2553)

- a flaw between execve() syscall handling and core dumping of
ELF-format executables allowed local unprivileged users to cause a
denial of service (system crash) or possibly gain privileges
(CVE-2005-1263)

- a flaw in gzip/zlib handling internal to the kernel that may allow a
local user to cause a denial of service (crash) (CVE-2005-2458)

- a flaw in sendmsg() syscall handling on 64-bit systems that allowed
a local user to cause a denial of service or potentially gain
privileges (CAN-2005-2490)

- a flaw in exec() handling on some 64-bit architectures that allowed
a local user to cause a denial of service (crash) (CVE-2005-2708)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in IPv6 network UDP port hash table lookups that allowed a
local user to cause a denial of service (hang) (CVE-2005-2973)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

-
Changelogs

fc1:
* Fri Feb 17 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.22-1.2199.7.legacy.nptl
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Thu Feb 02 2006 Marc Deslauriers [EMAIL PROTECTED]
2.4.22-1.2199.6.legacy.nptl
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc1:
3e6b7ebfdf1b6c5f075aef36299ce8746f292d40
fedora/1/updates-testing/i386/kernel-2.4.22-1.2199.7.legacy.nptl.athlon.rpm
839072496f51940e258f5611b9cc58007a4d7364
fedora/1/updates-testing/i386/kernel-2.4.22-1.2199.7.legacy.nptl.i586.rpm
79d928006411ff6bffda331d2f2a4c1023b5f26f
fedora/1/updates-testing/i386/kernel-2.4.22-1.2199.7.legacy.nptl.i686

Fedora Legacy Test Update Notification: kernel (fc2)

2006-02-20 Thread Marc Deslauriers
that is operating under a heavy load (CVE-2005-3110)

- a network buffer info leak using the orinoco driver that allowed
a remote user to possibly view uninitialized data (CVE-2005-3180)

- a memory leak was found in the audit system that allowed an
unprivileged local user to cause a denial of service. (CVE-2005-3181)

- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)

- a flaw in IPv4 network TCP and UDP netfilter handling that allowed
a local user to cause a denial of service (crash) (CVE-2005-3275)

- a minor info leak with the get_thread_area() syscall that allowed
a local user to view uninitialized kernel stack data (CVE-2005-3276)

- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)

- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)

- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)

- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)

- a flaw in network ICMP processing that allowed a local user to cause
a denial of service (memory exhaustion) (CVE-2005-3848)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

- a flaw in network IPv6 xfrm handling that allowed a local user to
cause a denial of service (memory exhaustion) (CVE-2005-3858)

- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)

- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

-
Changelogs

fc2:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.10-2.3.legacy_FC2
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2005-3807 (memory leak with file leases)
  CVE-2006-0095 (dm-crypt key leak)

* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.10-2.2.legacy_FC2
- Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)

* Sat Jan 28 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.10-2.1.legacy_FC2
- Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line
discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc2:
68999cdecf0bb3c6cda09edbe2cedd57fff709ad

Fedora Legacy Test Update Notification: kernel (fc3)

2006-02-20 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-4
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20
-

Name: kernel
Versions: fc3: kernel-2.6.12-2.3.legacy_FC3
Summary : The Linux kernel (the core of the Linux operating system).
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of
the Red Hat Linux operating system. The kernel handles the basic
functions of the operating system: memory allocation, process
allocation, device input and output, etc.

-
Update Information:

Updated kernel packages that fix several security issues are now
available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues
described below:

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast
reports) if the system is running multicast applications (CVE-2002-2185)

- a flaw in procfs handling during unloading of modules that allowed a
local user to cause a denial of service or potentially gain privileges
(CVE-2005-2709)

- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed
a local user to cause a denial of service (crash) (CVE-2005-3044)

- a race condition in ip_vs_conn_flush that allowed a local user to
cause a denial of service (CVE-2005-3274)

- a flaw in mq_open system call that allowed a local user to cause a
denial of service (crash) (CVE-2005-3356)

- a flaw in set_mempolicy that allowed a local user on some 64-bit
architectures to cause a denial of service (crash) (CVE-2005-3358)

- a race condition in do_coredump in signal.c that allowed a local user
to cause a denial of service (crash) (CVE-2005-3527)

- a flaw in the auto-reap of child processes that allowed a local user
to cause a denial of service (crash) (CVE-2005-3784)

- a flaw in the POSIX timer cleanup handling that allowed a local user
to cause a denial of service (crash) (CVE-2005-3805)

- a flaw in the IPv6 flowlabel code that allowed a local user to cause a
denial of service (crash) (CVE-2005-3806)

- a memory leak in the VFS file lease handling that allowed a local user
to cause a denial of service (CVE-2005-3807)

- a flaw in file lease time-out handling that allowed a local user to
cause a denial of service (log file overflow) (CVE-2005-3857)

- a flaw in procfs handling that allowed a local user to read kernel
memory (CVE-2005-4605)

- a memory disclosure flaw in dm-crypt that allowed a local user to
obtain sensitive information about a cryptographic key (CVE-2006-0095)

- a flaw while constructing an ICMP response that allowed remote users
to cause a denial of service (crash) (CVE-2006-0454)

All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.

-
Changelogs

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.12-2.3.legacy_FC3
- Corrected upstream reference in CVE-2006-0454 patch

* Tue Feb 07 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.12-2.2.legacy_FC3
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3527 (do_coredump() vs SIGSTOP race)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2006-0095 (dm-crypt key leak)
  CVE-2006-0454 (ICMP route double-free)
  CVE-2005-3807 (memory leak with file leases)

* Fri Jan 27 2006 Marc Deslauriers [EMAIL PROTECTED]
2.6.12-2.1.legacy_FC3
- Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc3:
b9e37d94319ce74e98aa053d9da798437b979a5e
fedora/3/updates-testing/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
e8698e932795b5a8c9ecc97e95fab42f55d71ac9
fedora/3/updates-testing/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2
fedora/3/updates-testing/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
d09fb6f194558505d8d52fb22a60420cd35a06f1
fedora/3/updates-testing/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
640077c447f1ac5edf5e21000c916bb750006f84
fedora/3/updates-testing/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm

Fedora Legacy Test Update Notification: gpdf

2006-02-20 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-176751
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176751
2006-02-20
-

Name: gpdf
Versions: fc1: gpdf-0.110-1.5.legacy
Versions: fc2: gpdf-2.8.2-4.1.1.legacy
Versions: fc3: gpdf-2.8.2-7.2.1.legacy
Summary : viewer for Portable Document Format (PDF) files for GNOME
Description :
This is GPdf, a viewer for Portable Document Format (PDF) files for
GNOME. GPdf is based on the Xpdf program and uses additional GNOME
libraries for better desktop integration.

-
Update Information:

An updated gpdf package that fixes several security issues is now
available.

The gpdf package is a GNOME based viewer for Portable Document Format
(PDF) files.

A flaw was discovered in gpdf. An attacker could construct a carefully
crafted PDF file that would cause gpdf to consume all available disk
space in /tmp when opened. The Common Vulnerabilities and Exposures
project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in gpdf. An attacker could construct a
carefully crafted PDF file that could cause gpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

Users of gpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

-
Changelogs

fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
0.110-1.5.legacy
- Use better patch for CVE-2004-0888 (from RHEL3 xpdf)
- Add patch for CVE-2005-3193

fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2.8.2-4.1.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 2
- Removed the desktop-file-utils dependencies

* Fri Jan 06 2006 Ray Strode [EMAIL PROTECTED] 2.8.2-7.4
- Apply fix for CVE-2005-3624 (also covers CVE-2005-3193) (bug 176865)

* Wed Dec 14 2005 Ray Strode [EMAIL PROTECTED] 2.8.2-7.3
- apply updated patch for CVE-2005-3193 (bug 175102)

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
2.8.2-7.2.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 3

* Fri Jan 06 2006 Ray Strode [EMAIL PROTECTED] 2.8.2-7.4
- Apply fix for CVE-2005-3624 (also covers CVE-2005-3193) (bug 176865)

* Wed Dec 14 2005 Ray Strode [EMAIL PROTECTED] 2.8.2-7.3
- apply updated patch for CVE-2005-3193 (bug 175102)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

fc1:
646edd9bdaf07a2f74d0b9874a666f94dc4f7982
fedora/1/updates-testing/i386/gpdf-0.110-1.5.legacy.i386.rpm
23f1172453f4e6572bd5a5bebcf093fda9c9ef62
fedora/1/updates-testing/SRPMS/gpdf-0.110-1.5.legacy.src.rpm

fc2:
2798a8e5ba37214b4ad3d537aa38b65c62c9e7c7
fedora/2/updates-testing/i386/gpdf-2.8.2-4.1.1.legacy.i386.rpm
e6d36329145bd25d5646da0064124f4b3a3faf99
fedora/2/updates-testing/SRPMS/gpdf-2.8.2-4.1.1.legacy.src.rpm

fc3:
b732b32164a34ddca2471548cffdb4fa654a61cd
fedora/3/updates-testing/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
3ec3762affc6295144245af9e804692e293614be
fedora/3/updates-testing/SRPMS/gpdf-2.8.2-7.2.1.legacy.src.rpm
e6c957006f2bc7c17c5754df527cd8eec86d0c9a
fedora/3/updates-testing/x86_64/gpdf-2.8.2-7.2.1.legacy.x86_64.rpm

-

Please test and comment in bugzilla.



Fedora Legacy Test Update Notification: perl-DBI

2006-02-20 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-178989
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
2006-02-20
-

Name: perl-DBI
Versions: rh73: perl-DBI-1.21-1.1.legacy
Versions: rh9: perl-DBI-1.32-5.1.legacy
Versions: fc1: perl-DBI-1.37-1.1.legacy
Versions: fc2: perl-DBI-1.40-4.1.legacy
Summary : A database access API for Perl.
Description :
DBI is a database access Application Programming Interface (API) for
the Perl programming language. The DBI API specification defines a set
of functions, variables and conventions that provide a consistent
database interface independent of the actual database being used.

-
Update Information:

An updated perl-DBI package that fixes a temporary file flaw in
DBI::ProxyServer is now available.

DBI is a database access Application Programming Interface (API) for
the Perl programming language.

The Debian Security Audit Project discovered that the DBI library
creates a temporary PID file in an insecure manner. A local user could
overwrite or create files as a different user who happens to run an
application which uses DBI::ProxyServer. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
this issue.

Users should update to this erratum package which disables the temporary
PID file unless configured.
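
The temporary-file pattern behind this flaw, shown as an added example rather than DBI::ProxyServer's own code: the insecure writer opens the PID file path for writing and so follows whatever symlink another local user has already placed there, while the hardened writer creates the file with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) so that an occupied path is refused instead of written through. The erratum itself sidesteps the problem by disabling the PID file unless configured; the directory, file names and contents below are constructed.

```python
"""Insecure versus hardened PID-file creation in a directory other users can write to.

Added example for the class of bug the advisory describes (CVE-2005-0077);
it is not DBI::ProxyServer's code. Directory and file names are constructed.
"""
import errno
import os
import tempfile


def write_pidfile_insecure(path, pid):
    """The pattern the advisory warns about.

    open(path, "w") follows a symlink already planted at path and truncates
    whatever it points to, with the privileges of the process writing the
    PID file.
    """
    with open(path, "w") as f:
        f.write("%d\n" % pid)


def write_pidfile_safe(path, pid):
    """Create the PID file only if nothing is at path yet.

    O_CREAT|O_EXCL fails if any entry exists, a dangling symlink included;
    O_NOFOLLOW (where the platform has it) additionally refuses to traverse
    a symlink at the final component. Returns True on success, False when
    the path is already occupied.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % pid)
    return True


def run_demo():
    """Constructed scenario: a symlink to another user's file sits where the
    PID file is about to be created. Returns the observed outcomes."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.conf")      # stands in for a file owned by someone else
    pidpath = os.path.join(base, "proxyserver.pid")  # where the daemon writes its PID

    def reset_victim():
        with open(victim, "w") as f:
            f.write("important=1\n")

    def read(path):
        with open(path) as f:
            return f.read()

    reset_victim()
    os.symlink(victim, pidpath)  # the pre-planted link

    write_pidfile_insecure(pidpath, 4242)
    insecure_clobbered = read(victim) == "4242\n"

    reset_victim()
    safe_refused = write_pidfile_safe(pidpath, 4242) is False
    victim_intact = read(victim) == "important=1\n"

    os.unlink(pidpath)  # nothing planted: the hardened writer must succeed
    clean_created = write_pidfile_safe(pidpath, 4242) and read(pidpath) == "4242\n"

    return {
        "insecure_clobbered": insecure_clobbered,
        "safe_refused": safe_refused,
        "victim_intact": victim_intact,
        "clean_created": bool(clean_created),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The exclusive-create flag is what removes the race: the check that the path is free and the creation happen in one system call, so there is no window for a link to appear in between. Writing PID files into a directory that only the service's own user can write to, as the erratum's "unless configured" default effectively does, is the complementary mitigation.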

-
Changelogs

rh73:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1.21-1.1.legacy
- Added fix for CVE-2005-0077

rh9:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1.32-5.1.legacy
- Added fix for CVE-2005-0077

fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1.37-1.1.legacy
- Added fix for CVE-2005-0077

fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1.40-4.1.legacy
- Added fix for CVE-2005-0077

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
847cb03e61abf1bbb965b2fa6e7c0f812e7edde1
redhat/7.3/updates-testing/i386/perl-DBI-1.21-1.1.legacy.i386.rpm
7c0c13670d8da3620d6bdc0d24f96201ff3feee8
redhat/7.3/updates-testing/SRPMS/perl-DBI-1.21-1.1.legacy.src.rpm

rh9:
2e473b5822a019a10b7b9577f4de60933e75fecc
redhat/9/updates-testing/i386/perl-DBI-1.32-5.1.legacy.i386.rpm
19934b803bf33b0cc93466ae43e2ac14302ac0df
redhat/9/updates-testing/SRPMS/perl-DBI-1.32-5.1.legacy.src.rpm

fc1:
50a02fd2d68f47d35f76bc690281253bbdf9a486
fedora/1/updates-testing/i386/perl-DBI-1.37-1.1.legacy.i386.rpm
0018ffba083fd98b88a4bcec3383005ed32d5e6a
fedora/1/updates-testing/SRPMS/perl-DBI-1.37-1.1.legacy.src.rpm

fc2:
69a623c7db409341705bfc125b5fd6f0c056af7b
fedora/2/updates-testing/i386/perl-DBI-1.40-4.1.legacy.i386.rpm
4443111b0e9137bd1624183b9d209b2cada204dd
fedora/2/updates-testing/SRPMS/perl-DBI-1.40-4.1.legacy.src.rpm

-

Please test and comment in bugzilla.



[FLSA-2006:152809] Updated squid package fixes security issues

2006-02-18 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated squid package fixes security issues
Advisory ID:   FLSA:152809
Issue date:2006-02-18
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2004-0541 CVE-2004-0832 CVE-2004-0918
   CVE-2005-0094 CVE-2005-0095 CVE-2005-0096
   CVE-2005-0097 CVE-2005-0173 CVE-2005-0174
   CVE-2005-0175 CVE-2005-0194 CVE-2005-0211
   CVE-2005-0241 CVE-2005-0446 CVE-2005-0626
   CVE-2005-0718 CVE-2005-1345 CVE-1999-0710
   CVE-2005-1519 CVE-2004-2479 CVE-2005-2794
   CVE-2005-2796 CVE-2005-2917

-


-
1. Topic:

An updated Squid package that fixes several security issues is now
available.

Squid is a full-featured Web proxy cache.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A buffer overflow was found within the NTLM authentication helper
routine. If Squid is configured to use the NTLM authentication helper,
a remote attacker could potentially execute arbitrary code by sending a
lengthy password. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-0541 to this issue.

An out of bounds memory read bug was found within the NTLM
authentication helper routine. If Squid is configured to use the NTLM
authentication helper, a remote attacker could send a carefully crafted
NTLM authentication packet and cause Squid to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2004-0832 to this issue.

iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow
an attacker who has the ability to send arbitrary packets to the SNMP
port to restart the server, causing it to drop all open connections. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-0918 to this issue.

A buffer overflow flaw was found in the Gopher relay parser. This bug
could allow a remote Gopher server to crash the Squid proxy that reads
data from it. Although Gopher servers are now quite rare, a malicious
web page (for example) could redirect or contain a frame pointing to an
attacker's malicious gopher server. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0094 to
this issue.

An integer overflow flaw was found in the WCCP message parser. It is
possible to crash the Squid server if an attacker is able to send a
malformed WCCP message with a spoofed source address matching Squid's
home router. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0095 to this issue.

A memory leak was found in the NTLM fakeauth_auth helper. It is possible
that an attacker could place the Squid server under high load, causing
the NTLM fakeauth_auth helper to consume a large amount of memory,
resulting in a denial of service. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0096 to
this issue.

A NULL pointer de-reference bug was found in the NTLM fakeauth_auth
helper. It is possible for an attacker to send a malformed NTLM type 3
message, causing the Squid server to crash. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-0097 to this issue.

A username validation bug was found in squid_ldap_auth. It is possible
for a username to be padded with spaces, which could allow a user to
bypass explicit access control rules or confuse accounting. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0173 to this issue.

The way Squid handles HTTP responses was found to need strengthening. It
is possible that a malicious web server could send a series of HTTP
responses in such a way that the Squid cache could be poisoned,
presenting users with incorrect webpages. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the names CVE-2005-0174
and CVE-2005-0175 to these issues.

When processing the configuration file, Squid parses empty Access
Control Lists (ACLs) and proxy_auth ACLs without defined auth schemes in
a way that effectively removes arguments, which could allow remote
attackers to bypass intended ACLs. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0194 to
this issue.

A buffer overflow bug was found in the WCCP message parser. It is
possible that an attacker could send a malformed WCCP message which
could crash the Squid server or execute arbitrary code. The Common
Vulnerabilities and Exposures project 

[FLSA-2006:168935] Updated openssh packages fix security issues

2006-02-18 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated openssh packages fix security issues
Advisory ID:   FLSA:168935
Issue date:2006-02-18
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2004-2069 CVE-2006-0225
-


-
1. Topic:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for passwordless access to
servers.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way the OpenSSH server handled the MaxStartups
and LoginGraceTime configuration variables. A malicious user could
connect to the SSH daemon in such a way that it would prevent additional
logins from occurring until the malicious connections are closed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion.
A malicious user could execute arbitrary commands by using specially
crafted filenames containing shell metacharacters or spaces. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which contain
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssh-3.1p1-14.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-clients-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-server-3.1p1-14.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssh-3.5p1-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-clients-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-server-3.5p1-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssh-3.6.1p2-19.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-server-3.6.1p2-19.4.legacy.i386.rpm

Fedora Core 2:

SRPM:

[FLSA-2006:175406] Updated Apache httpd packages fix security issues

2006-02-18 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated Apache httpd packages fix security issues
Advisory ID:   FLSA:175406
Issue date:2006-02-18
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2970 CVE-2005-3352 CVE-2005-3357
-


-
1. Topic:

Updated Apache httpd packages that correct three security issues are now
available.

The Apache HTTP Server is a popular and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2970 to this issue. This vulnerability only affects
users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit
a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker could
send a carefully crafted request to trigger this issue which would lead
to a crash. This crash would only be a denial of service if using the
non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm

Fedora Legacy Test Update Notification: sudo

2006-02-17 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-162750
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162750
2006-02-17
-

Name: sudo
Versions: rh7.3: sudo-1.6.5p2-2.3.legacy
Versions: rh9: sudo-1.6.6-3.3.legacy
Versions: fc1: sudo-1.6.7p5-2.3.legacy
Versions: fc2: sudo-1.6.7p5-26.2.legacy
Summary : Allows restricted root access for specified users.
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.

-
Update Information:

An updated sudo package is available that fixes a race condition in
sudo's pathname validation.

The sudo (superuser do) utility allows system administrators to give
certain users the ability to run commands as root with logging.

A race condition bug was found in the way sudo handles pathnames. It is
possible that a local user with limited sudo access could create
a race condition that would allow the execution of arbitrary commands as
the root user. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-1993 to this issue.

Users of sudo should update to this updated package, which contains a
backported patch and is not vulnerable to this issue.

-
Changelogs

rh73:
* Mon Feb 13 2006 Marc Deslauriers [EMAIL PROTECTED]
1.6.5p2-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

rh9:
* Mon Feb 13 2006 Marc Deslauriers [EMAIL PROTECTED]
1.6.6-3.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

fc1:
* Wed Feb 15 2006 Marc Deslauriers [EMAIL PROTECTED]
1.6.7p5-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

fc2:
* Thu Feb 16 2006 Marc Deslauriers [EMAIL PROTECTED]
1.6.7p5-26.2.legacy
- Added missing libselinux-devel to BuildRequires

* Wed Feb 15 2006 Marc Deslauriers [EMAIL PROTECTED]
1.6.7p5-26.1.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.
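One way a tester can check packages fetched from the mirror against the "(sha1sums)" listing above before running rpm -Fvh on them. This is an added example, not code from the original post or from the Fedora Legacy project; it assumes the listing has been saved to a file and the packages downloaded under a local directory that mirrors the repository paths, and the mirror directory, listing and package contents it builds for its demonstration are constructed. The same listing format is used by the other test update notifications on this page (XFree86, xorg-x11, postgresql, gnutls), so the function applies to those too.

```shell
#!/bin/sh
# Added example, not code from the fedora-legacy-list posts or the Fedora
# Legacy project: verify packages fetched from a mirror against the
# "(sha1sums)" listing format used in the test update notifications, before
# running "rpm -Fvh". Listing format: a 40-hex-digit SHA-1 on one line, the
# repository-relative path on the next; release labels ("fc2:") and blank
# lines are skipped. Paths, listing and package contents below are constructed.

# sha1_of FILE -> prints the lowercase hex SHA-1 of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_sha1_listing LISTING BASEDIR
# Returns 0 only if every listed file exists under BASEDIR and its SHA-1
# matches; prints one status line per entry (OK / MISMATCH / MISSING / BADHASH).
verify_sha1_listing() {
    listing=$1
    basedir=$2
    status=0
    while IFS= read -r hash || [ -n "$hash" ]; do
        case "$hash" in
            ''|*:) continue ;;   # blank line or release label such as "fc2:"
        esac
        if ! IFS= read -r relpath; then
            echo "listing ends with a hash but no path: $hash" >&2
            return 1
        fi
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
        case "$hash" in
            *[!0-9a-f]*) echo "BADHASH  $relpath"; status=1; continue ;;
        esac
        if [ "${#hash}" -ne 40 ]; then
            echo "BADHASH  $relpath"; status=1; continue
        fi
        file=$basedir/$relpath
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; status=1; continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$hash" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (listed $hash, got $actual)"; status=1
        fi
    done < "$listing"
    return $status
}

# Stand-alone demonstration with a constructed mirror: one good package,
# then the same package altered after download.
demo() {
    mirror=$(mktemp -d)
    pkg=fedora/2/updates-testing/i386/sudo-1.6.7p5-26.2.legacy.i386.rpm
    mkdir -p "$mirror/$(dirname "$pkg")"
    printf 'constructed package payload\n' > "$mirror/$pkg"
    printf 'fc2:\n%s\n%s\n' "$(sha1_of "$mirror/$pkg")" "$pkg" > "$mirror/listing"
    echo "--- clean download"
    verify_sha1_listing "$mirror/listing" "$mirror" && echo "safe to run: rpm -Fvh"
    echo "--- altered download"
    printf 'extra bytes\n' >> "$mirror/$pkg"
    verify_sha1_listing "$mirror/listing" "$mirror" || echo "do NOT install"
    rm -rf "$mirror"
}
demo
```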



Fedora Legacy Test Update Notification: XFree86

2006-02-17 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168264-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168264
2006-02-17
-

Name: XFree86
Versions: rh73: XFree86-4.2.1-16.73.31.legacy
Versions: rh9: XFree86-4.3.0-2.90.61.legacy
Versions: fc1: XFree86-4.3.0-60.legacy
Summary : The basic fonts, programs and docs for an X workstation.
Description :
XFree86 is an open source implementation of the X Window System.  It
provides the basic low level functionality which full fledged
graphical user interfaces (GUIs) such as GNOME and KDE are designed
upon.
-
Update Information:

Updated XFree86 packages that fix security issues are now available.

XFree86 is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces (GUIs) such as GNOME and KDE are designed upon.

An integer overflow flaw was found in libXpm, which is used by some
applications for loading of XPM images. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a
victim using an application linked to the vulnerable library. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0605 to this issue.

Several integer overflow bugs were found in the way XFree86 parses
pixmap images. It is possible for a user to gain elevated privileges by
loading a specially crafted pixmap image. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2495 to
this issue.

Users of XFree86 should upgrade to these updated packages, which contain
backported patches and are not vulnerable to these issues.

-
Changelogs

rh73:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
4.2.1-16.73.31.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer
  overflows.

rh9:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
4.3.0-2.x.61.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer
  overflows.

fc1:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
4.3.0-60.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer
  overflows.

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: xorg-x11

2006-02-17 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168264-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168264
2006-02-17
-

Name: xorg-x11
Versions: fc2: xorg-x11-6.7.0-14.1.legacy
Summary : The basic fonts, programs and docs for an X workstation.
Description :
X.org X11 is an open source implementation of the X Window System.  It
provides the basic low level functionality which full fledged
graphical user interfaces (GUIs) such as GNOME and KDE are designed
upon.
-
Update Information:

Updated X.org packages that fix a security issue are now available.

X.org is an open source implementation of the X Window System. It
provides the basic low-level functionality that full-fledged graphical
user interfaces (GUIs) such as GNOME and KDE are designed upon.

Several integer overflow bugs were found in the way X.org parses
pixmap images. It is possible for a user to gain elevated privileges by
loading a specially crafted pixmap image. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-2495 to
this issue.

Users of X.org should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to this issue.

-
Changelogs

fc2:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
6.7.0-14.1.legacy
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer
  overflows.

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: postgresql

2006-02-12 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157366
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366
2006-02-12
-

Name: postgresql
Versions: rh9: postgresql-7.3.10-0.90.1.legacy
Versions: fc1: postgresql-7.3.10-1.1.legacy
Versions: fc2: postgresql-7.4.8-1.FC2.1.legacy
Summary : PostgreSQL client programs and libraries.
Description :
PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs, including
transactions, subselects, and user-defined types and functions. The
postgresql package includes the client programs and libraries that you
need to access a PostgreSQL DBMS server.

-
Update Information:

Updated postgresql packages that fix several security vulnerabilities
and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).

The PostgreSQL community discovered two distinct errors in initial
system catalog entries that could allow authorized database users to
crash the database and possibly escalate their privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd)
database installations from these errors, administrators MUST TAKE
MANUAL ACTION to repair the errors in pre-existing databases. The
appropriate procedures are explained at
http://www.postgresql.org/docs/8.0/static/release-7-4-8.html
for Fedora Core 2 users, or
http://www.postgresql.org/docs/8.0/static/release-7-3-10.html
for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors, including two
race conditions that could result in apparent data inconsistency or
actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages
and to apply the recommended manual corrections to existing databases.

-
Changelogs

rh9:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED]
7.3.10-0.90.1.legacy
- Update to PostgreSQL 7.3.10 (fixes CVE-2005-1409 and CVE-2005-1410)

fc1:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED]
7.3.10-1.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 1
- Added missing libtermcap-devel, perl-SGMLSpm, openjade, docbook-utils
  and docbook-style-dsssl to BuildRequires

fc2:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED]
7.4.8-1.FC2.1.legacy
- Rebuild as a Fedora Legacy update for Fedora Core 2

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: gnutls

2006-02-12 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-181014
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014
2006-02-12
-

Name: gnutls
Versions: fc3:
Summary : A TLS implementation.
Description :
The GNU TLS Library provides support for cryptographic algorithms and
protocols such as TLS. GNU TLS includes Libtasn1, a library developed
for ASN.1 structures management that includes DER encoding and decoding.
-
Update Information:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and
protocols such as TLS. GNU TLS includes Libtasn1, a library developed
for ASN.1 structures management that includes DER encoding and decoding.

Several flaws were found in the way libtasn1 decodes DER. An attacker
could create a carefully crafted invalid X.509 certificate in such a way
that could trigger this flaw if parsed by an application that uses GNU
TLS. This could lead to a denial of service (application crash). It is
not certain if this issue could be escalated to allow arbitrary code
execution. The Common Vulnerabilities and Exposures project assigned the
name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a
backported patch from the GNU TLS maintainers to correct this issue.

-
Changelogs

fc3:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.20-3.1.3.legacy
- Added missing zlib-devel to BuildPrereq

* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED]
1.0.20-3.1.2.legacy
- Added patch for GnuTLS x509 DER DoS - CVE-2006-0645

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



Re: no mandatory QA testing at all [Re: crazy thought about how to ease QA testing]

2006-02-11 Thread Marc Deslauriers
On Fri, 2006-02-10 at 22:00 -0800, Jesse Keating wrote:
 On Sat, 2006-02-11 at 07:32 +0200, Pekka Savola wrote:
  
  I agree that this would complicate the process further.
  
  I have proposed something simpler, and still do:
  
  1) every package, even without any VERIFY QA votes at all, will be
  released automatically in X weeks (suggest: X=2).
  
  exception: at package PUBLISH time, the packager and/or publisher,
  if they think the changes are major enough (e.g., non-QAed patches
  etc.), they can specify that the package should not be
  automatically released.
  
  2) negative reports block automatic publishing.
  
  3) positive reports can speed up automatic publishing (for example: 2
  VERIFY votes -- released within 1 week, all verify votes:
  released immediately after the last verify)
  
  There is no need (IMHO) to grade packages to more or less critical 
  ones.  Every QA tester and eventual package user uses his or her own 
  value judgment.  If (s)he fears that the (potentially untested) 
  automatic update would break the system, (s)he would test it before 
  two weeks are over.
  
  Publishing positive reports can be made simpler but that probably 
  isn't on the critical path here. 

I agree to this. 

Marc



[UPDATED] Fedora Legacy Test Update Notification: httpd

2006-02-11 Thread Marc Deslauriers
This notification was updated to include x86_64 packages for
Fedora Core 3.

-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175406
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
2006-02-11
-

Name: httpd
Versions: rh73: apache-1.3.27-9.legacy
Versions: rh9: httpd-2.0.40-21.21.legacy
Versions: fc1: httpd-2.0.51-1.10.legacy
Versions: fc2: httpd-2.0.51-2.9.5.legacy
Versions: fc3: httpd-2.0.53-3.4.legacy
Summary : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.

-
Update Information:

Updated Apache httpd packages that correct three security issues are now
available.

The Apache HTTP Server is a popular and freely-available Web server.

A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2970 to this issue. This vulnerability only affects
users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit
a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker could
send a carefully crafted request to trigger this issue which would lead
to a crash. This crash would only be a denial of service if using the
non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues.

-
Changelogs

rh73:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
1.3.27-9.legacy
- mod_imap: add security fix for XSS issue (CVE-2005-3352)

rh9:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.40-21.21.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc1:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.51-1.10.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc2:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.51-2.9.5.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc3:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
2.0.53-3.4.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

Fedora Legacy Test Update Notification: nfs-utils

2006-02-11 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-138098
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138098
2006-02-11
-

Name: nfs-utils
Versions: rh7.3: nfs-utils-0.3.3-6.73.2.legacy
Versions: rh9: nfs-utils-1.0.1-3.9.2.legacy
Versions: fc1: nfs-utils-1.0.6-1.2.legacy
Versions: fc2: nfs-utils-1.0.6-22.2.legacy
Summary : NFS utilities and supporting daemons for the kernel NFS server.
Description :
The nfs-utils package provides a daemon for the kernel NFS server and
related tools, providing a much higher level of performance than the
traditional Linux NFS server used by most users.

This package also contains the showmount program. Showmount queries
the mount daemon on a remote host for information about the NFS
(Network File System) server on the remote host.

-
Update Information:

An updated nfs-utils package that fixes security issues is now
available.

The nfs-utils package provides a daemon for the kernel NFS server and
related tools, providing a much higher level of performance than the
traditional Linux NFS server used by most users.

Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit
architectures, an improper integer conversion can lead to a buffer
overflow. An attacker with access to an NFS share could send a specially
crafted request which could lead to the execution of arbitrary code. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0946 to this issue.

In addition, the Fedora Core 2 update fixes the following issue:

SGI reported that the statd daemon did not properly handle the SIGPIPE
signal. A misconfigured or malicious peer could cause statd to crash,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1014 to this
issue.

All users of nfs-utils should upgrade to this updated package, which
resolves these issues.

-
Changelogs

rh73:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 0.3.3-6.73.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

rh9:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.1-3.9.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

fc1:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-1.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

fc2:
* Wed Nov 16 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-22.2.legacy
- Add patch for CVE-2004-1014, sigpipe DOS (#138098, #152871)

* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-22.1.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



Fedora Legacy Test Update Notification: openssh

2006-02-11 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168935
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935
2006-02-10
-

Name: openssh
Versions: rh73: openssh-3.1p1-14.3.legacy
Versions: rh9: openssh-3.5p1-11.4.legacy
Versions: fc1: openssh-3.6.1p2-19.4.legacy
Versions: fc2: openssh-3.6.1p2-34.4.legacy
Versions: fc3: openssh-3.9p1-8.0.4.legacy
Summary : The OpenSSH implementation of SSH protocol.
Description :
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, to provide secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over the secure
channel. Public key authentication may be used for passwordless
access to servers.

-
Update Information:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH
replaces rlogin and rsh, and provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections
and arbitrary TCP/IP ports can also be forwarded over a secure channel.
Public key authentication can be used for passwordless access to
servers.

A bug was found in the way the OpenSSH server handled the MaxStartups
and LoginGraceTime configuration variables. A malicious user could
connect to the SSH daemon in such a way that it would prevent additional
logins from occurring until the malicious connections are closed. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion.
A malicious user could execute arbitrary commands by using specially
crafted filenames containing shell metacharacters or spaces. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which contain
backported patches to resolve these issues.

-
Changelogs

rh73:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED]
3.1p1-14.3.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

rh9:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED]
3.5p1-11.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
3.5p1-11.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc1:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED]
3.6.1p2-19.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
3.6.1p1-19.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc2:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED]
3.6.1p2-34.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED]
3.6.1p2-34.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc3:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED]
3.9p1-8.0.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

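The openssh changelog above records the fix for CVE-2006-0225 as "use fork+exec instead of system in scp". The C program below is an added example, not OpenSSH code: it pushes one constructed filename through a /bin/sh -c command string (the path system(3) takes) and through execv with the filename as a single argv element, and captures what each produces; run_and_capture, echo_via_shell and echo_via_exec are names chosen here, and a POSIX system with /bin/sh and /bin/echo is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fork, exec argv[0] with exactly these arguments (no shell in between) and
 * capture the child's stdout into out. Returns bytes captured, or -1. */
static ssize_t run_and_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                          /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                          /* only reached if exec failed */
    }
    close(fds[1]);                           /* parent */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outsz && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return (ssize_t)n;
}

/* Pre-fix pattern: the filename is spliced into a command string that
 * /bin/sh -c then re-parses, exactly as system(3) does. Any ';', '|',
 * '$(...)' or whitespace inside the name is interpreted by the shell. */
int echo_via_shell(const char *filename, char *out, size_t outsz)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "echo %s", filename) >= (int)sizeof cmd)
        return -1;
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_and_capture(argv, out, outsz) < 0 ? -1 : 0;
}

/* Post-fix pattern: fork+exec with the filename as its own argv element.
 * No shell sees it, so shell metacharacters are just bytes in a name. */
int echo_via_exec(const char *filename, char *out, size_t outsz)
{
    char *argv[] = { "/bin/echo", (char *)filename, NULL };
    return run_and_capture(argv, out, outsz) < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed filename containing a shell metacharacter. */
    const char *name = "report.txt; echo INJECTED";
    char out[256];

    if (echo_via_shell(name, out, sizeof out) == 0)
        printf("system()-style:\n%s", out);  /* two lines: the ';' was honoured */
    if (echo_via_exec(name, out, sizeof out) == 0)
        printf("fork+exec-style:\n%s", out); /* one line: the name stays intact */
    return 0;
}
```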

Fedora Legacy Test Update Notification: mozilla

2006-02-11 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-180036-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036
2006-02-11
-

Name: mozilla
Versions: rh7.3: mozilla-1.7.12-0.73.3.legacy
Versions: rh9: mozilla-1.7.12-0.90.2.legacy
Versions: fc1: mozilla-1.7.12-1.1.2.legacy
Versions: fc2: mozilla-1.7.12-1.2.3.legacy
Versions: fc3: mozilla-1.7.12-1.3.3.legacy
Summary : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

-
Update Information:

Updated mozilla packages that fix several security bugs are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

Igor Bukanov discovered a bug in the way Mozilla's Javascript
interpreter dereferences objects. If a user visits a malicious web page,
Mozilla could crash or execute arbitrary code as the user running
Mozilla. The Common Vulnerabilities and Exposures project assigned the
name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist()
function. A malicious web page could inject arbitrary RDF data into a
user's localstore.rdf file, which can cause Mozilla to execute arbitrary
javascript when a user runs Mozilla. (CVE-2006-0296)

A denial of service bug was found in the way Mozilla saves history
information. If a user visits a web page with a very long title, it is
possible Mozilla will crash or take a very long time the next time it is
run. (CVE-2005-4134)

Users of Mozilla are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

-
Changelogs

rh7.3:
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-0.73.3.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

rh9:
* Mon Feb 06 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-0.90.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc1:
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-1.1.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc2:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-1.2.3.legacy
- Added mozilla-nspr to BuildPrereq

* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-1.2.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc3:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-1.3.3.legacy
- Added mozilla-nspr, gnome-vfs2-devel, desktop-file-utils,
  and krb5-devel to BuildPrereq

* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED]
37:1.7.12-1.3.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


Fedora Legacy Test Update Notification: perl

2006-02-08 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-176731
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176731
2006-02-08
-

Name: perl
Versions: rh9:   perl-5.8.0-90.0.13.legacy
Versions: fc1:   perl-5.8.3-17.5.legacy
Versions: fc2:   perl-5.8.3-19.5.legacy
Summary : The Perl programming language.
Description :
Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

-
Update Information:

Updated perl packages that fix a security flaw are now available.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

An integer overflow bug was found in Perl's format string processor.  It
is possible for an attacker to cause perl to crash or execute arbitrary
code if the attacker is able to process a malicious format string.  This
issue is only exploitable through a script which passes arbitrary
untrusted strings to the format string processor.  The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to
this issue.


Note that this vulnerability does not affect perl packages in Red Hat
Linux 7.3.

Users of perl are advised to upgrade to these packages which contain a
backported patch and are not vulnerable to this issue.

-
Changelogs

rh9:
* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.13.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.


fc1:
* Thu Jan 26 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-17.5.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.


fc2:
* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-19.5.legacy
- Replace broken perl-5.8.3-findbin-selinux.patch with better patch by
  Jose Pedro Oliveira so perl will not fail lib/FindBin test.  See
  Bugzilla Bug #176731 comment 2.


* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-19.4.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability,
  bugzilla Bug #176731.


-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



Fedora Legacy Test Update Notification: gaim

2006-01-24 Thread Marc Deslauriers

Users of Gaim are advised to upgrade to this updated package which
contains Gaim version 1.5.0 and is not vulnerable to these issues.

-
7.3 changelog:
* Wed Jan 18 2006 Marc Deslauriers [EMAIL PROTECTED]
1.5.0-0.73.1.legacy
- Updated to 1.5.0 to fix security issues
- Added CVS backport patches from FC4

* Mon May 23 2005 Marc Deslauriers [EMAIL PROTECTED]
1.3.0-0.73.1.legacy
- Updated to 1.3.0 to fix security issues

* Sun May 01 2005 Marc Deslauriers [EMAIL PROTECTED]
1.2.1-0.73.2.legacy
- Added fix for perl plugin

* Sat Apr 16 2005 Marc Deslauriers [EMAIL PROTECTED]
1.2.1-0.73.1.legacy
- Updated to 1.2.1 to fix security issues
- Added CVS backport patches from RHEL

* Thu Mar 10 2005 Marc Deslauriers [EMAIL PROTECTED]
1.1.4-0.73.1.legacy
- Updated to 1.1.4 to fix security issues
- Added CVS backport patches from RHEL

9 changelog:
* Thu Jan 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1:1.5.0-0.90.1.legacy
- Rebuilt as Fedora Legacy rh9 security update
- Added desktop-file-utils, mozilla-nspr-devel and mozilla-nss BuildRequires
- Added fix for perl plugin
- Disabled PIE patch

fc1 changelog:
* Sat Jan 21 2006 Marc Deslauriers [EMAIL PROTECTED]
1:1.5.0-1.fc1.1.legacy
- Rebuilt as Fedora Legacy FC1 security update
- Added desktop-file-utils to BuildRequires

fc2 changelog:
* Thu Jan 19 2006 Marc Deslauriers [EMAIL PROTECTED]
1:1.5.0-1.fc2.1.legacy
- Rebuilt as Fedora Legacy update for FC2
- Added desktop-file-utils to BuildRequires

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.



Re: slapper worm

2006-01-23 Thread Marc Deslauriers
On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote:

 I'm using:
 
 perl-5.8.3-17.4.legacy
 httpd-2.0.51-1.9.legacy
 openssl-0.9.7a-33.13.legacy
 
 Are there any updates FL can do to any of the packages to fix/block slapper
 from an FC1 machine?

What version of php are you running?

Marc.



Fedora Legacy Test Update Notification: mod_auth_pgsql

2006-01-19 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-177326
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326
2006-01-19
-

Name: mod_auth_pgsql
Versions: fc1: mod_auth_pgsql-2.0.1-3.1.legacy
Versions: fc2: mod_auth_pgsql-2.0.1-4.2.legacy
Summary : Basic authentication for the Apache Web server using a PostgreSQL database.
Description :
Mod_auth_pgsql can be used to limit access to documents served by a
Web server by checking fields in a table in a PostgresQL database.

-
Update Information:

An updated mod_auth_pgsql package that fixes a format string flaw is now
available.

The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.

Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute
arbitrary code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have
mod_auth_pgsql installed and configured to perform user authentication
against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages,
which contain a backported patch to resolve this issue.

-
Changelogs

fc1:
* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r-user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
- don't re-use database connections (#115496)
- make functions static
- downgrade not configured log message from warning to debug

fc2:
* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-4.2.legacy
- Rebuilt for FC2

* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r-user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
- don't re-use database connections (#115496)
- make functions static
- downgrade not configured log message from warning to debug

-
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


-

Please test and comment in bugzilla.


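The perl (CVE-2005-3962) and mod_auth_pgsql (CVE-2005-3656) notifications above both describe untrusted text reaching a format-string processor. The C program below is an added example, not code from either project: log_line is an assumed stand-in for a printf-style logging call (the kind an httpd module uses), shown with the vulnerable call pattern beside its fix, plus a small counter of the directives a string would introduce if it were ever used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a variadic logging API whose third parameter is a
 * printf-style format. Assumed helper, not a real library function. */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE PATTERN (never call with untrusted input; not exercised here):
 * the message is assembled with the attacker-controlled user name and then
 * handed to the logger as its format string. Every '%' directive the user
 * supplied is interpreted: "%s" reads through whatever is on the stack,
 * "%n" writes to it. This is the bug class fixed in mod_auth_pgsql. */
int log_auth_failure_unsafe(char *out, size_t outsz, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "authentication failed for user %s", user);
    return log_line(out, outsz, msg);            /* BUG: msg is the format */
}

/* FIXED PATTERN: the format is a constant and the message is an argument. */
int log_auth_failure_safe(char *out, size_t outsz, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "authentication failed for user %s", user);
    return log_line(out, outsz, "%s", msg);      /* msg is data, not format */
}

/* Count the conversion directives a string would introduce if it were ever
 * used as a format. "%%" is a literal percent and does not count. Useful as
 * a regression check: data that reaches a log sink must never be a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed user name as it might arrive in an HTTP Basic auth header. */
    const char *user = "alice%s%s%n";
    char out[320];

    log_auth_failure_safe(out, sizeof out, user);
    printf("logged: %s\n", out);                 /* directives stay literal */
    printf("directives the unsafe path would interpret: %d\n",
           count_format_directives(user));
    return 0;
}
```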

[FLSA-2006:167803] Updated mysql packages fix security issues

2006-01-10 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:  Updated mysql packages fix security issues
Advisory ID:   FLSA:167803
Issue date:2006-01-10
Product:   Red Hat Linux, Fedora Core
Keywords:  Bugfix
CVE Names: CVE-2005-2558
-


-
1. Topic:

Updated mysql packages that fix a security issue are now available.

MySQL is a multi-user, multi-threaded SQL database server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Reid Borsuk discovered a buffer overflow in the MySQL init_syms()
function. A user with the ability to create and execute a user
defined function could potentially execute arbitrary code on the MySQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2558 to this issue.

This release fixes two additional problems. A regression was introduced
in a patch included in the previous MySQL packages that resulted in
queries performing a DELETE without a WHERE failing on ISAM tables.
Also, the MySQL init script was improved to allow the MySQL service to
restart properly during upgrades.

All users of the MySQL server are advised to upgrade to these updated
packages, which contain fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167803

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.10.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.7.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mysql-3.23.58-16.FC2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-bench-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-devel-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-server-3.23.58-16.FC2.4.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-


Fedora Legacy Test Update Notification: perl

2006-01-09 Thread Marc Deslauriers
-
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152845
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845
2006-01-09
-

Name: perl
Versions: rh7.3: perl-5.6.1-38.0.7.3.3.legacy
Versions: rh9:   perl-5.8.0-90.0.12.legacy
Versions: fc1:   perl-5.8.3-17.4.legacy
Versions: fc2:   perl-5.8.3-19.3.legacy
Summary : The Perl programming language.
Description :
Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

-
Update Information:

Updated perl packages that fix several security flaws are now available.

Perl is a high-level programming language commonly used for system
administration utilities and Web programming.

An unsafe file permission bug was discovered in the rmtree() function in
the File::Path module.  The rmtree() function removes files and
directories in an insecure manner, which could allow a local user to
read or delete arbitrary files.  The Common Vulnerabilities and
Exposures project has assigned the name CVE-2004-0452 to this issue.

Solar Designer discovered several temporary file bugs in various Perl
modules.  A local attacker could overwrite or create files as the user
running a Perl script that uses a vulnerable module.  The Common
Vulnerabilities and Exposures project has assigned the name CVE-2004-0976
to this issue.

Kevin Finisterre discovered a stack based buffer overflow flaw in sperl,
the Perl setuid wrapper. A local user could create a sperl executable
script with a carefully created path name, overflowing the buffer and
leading to root privilege escalation.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to
this issue.


Kevin Finisterre discovered a flaw in sperl which can cause debugging
information to be logged to arbitrary files.  By setting an environment
variable, a local user could cause sperl to create, as root, files with
arbitrary filenames, or append the debugging information to existing
files.  The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-0155 to this issue.

Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module
removed directory trees.  If a local user has write permissions to a
subdirectory within the tree being removed by File::Path::rmtree, it is
possible for them to create setuid binary files.  The Common
Vulnerabilities and Exposures project has assigned the name CVE-2005-0448
to this issue.  (This issue updates CVE-2004-0452).

Note that CAN-2005-0077 is referred to in the changelogs below.  This
vulnerability does not affect these packages, but is a vulnerability
in perl-DBI packages instead.

Users of perl are advised to upgrade to these packages which contain
backported patches and are not vulnerable to these issues.

-
Changelogs

rh7.3:
* Tue Dec 20 2005 David Eisenstein [EMAIL PROTECTED]
1:5.6.1-38.0.7.3.3.legacy
- Add BuildRequires: byacc per John Dalbec.  Bug #152835.

* Sat Dec 17 2005 David Eisenstein [EMAIL PROTECTED]
1:5.6.1-38.0.7.3.2.legacy
- Add BuildRequires: db2-devel
- Since this is being built in mach, we cannot use the trick that Red Hat
  used (of running rpm -q in the build process) to generate the list of
  files from which *.ph files are pulled.  So instead, I've created two
  static files which list the same thing, Source11 and Source12.  These
  two files may need to be refreshed when rebuilding again.

* Fri Dec 16 2005 David Eisenstein [EMAIL PROTECTED]
1:5.6.1-38.0.7.3.1.legacy
- fix perldb5.pl (debugger) to use $ENV{HOME}/.perldbtty$$ instead of
  /var/run/perldbtty$$, per Bug #152845 comment 33.  Replaces
  perl-5.6.1-solartmp.patch with an updated patch.

* Thu Jul 14 2005 John Dalbec [EMAIL PROTECTED] 1:5.6.1-38.0.7.3.legacy
- integrate fix for CAN-2005-0448

* Thu Dec 9 2004 John Dalbec [EMAIL PROTECTED] 1:5.6.1-37.0.7.3.legacy
- integrate new tmpfile patch from OWL/solar designer
- add BuildRequires: db1-devel db3-devel
  BuildRequires: glibc-devel gdbm-devel gpm-devel libjpeg-devel
  BuildRequires: libpng-devel libtiff-devel ncurses-devel popt
  BuildRequires: zlib-devel binutils libelf e2fsprogs-devel pam pwdb
  BuildRequires: rpm-devel

rh9:
* Thu Dec 29 2005 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.12.legacy
- Add BuildRequires: libacl-devel, libcap-devel.  This provides missing
  .ph header files sys/acl.ph and sys/capability.ph.

* Fri Dec 23 2005 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.11.legacy
- Add BuildRequires: byacc elfutils-devel
- Since this is being built in mach, we cannot use the trick that Red Hat
  used (of running rpm -q in the build process) to generate the list of
  files from which 

[FLSA-2006:136323] Updated gettext package fixes security issues

2006-01-09 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated gettext package fixes security issues
Advisory ID:   FLSA:136323
Issue date:    2006-01-09
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2004-0966
-


-
1. Topic:

An updated gettext package that fixes security bugs is now available.

The GNU gettext package provides a set of tools and documentation for
producing multi-lingual messages in programs.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Temporary file vulnerabilities were discovered in the gettext package. A
malicious user could use the autopoint and gettextize scripts to
create or overwrite another user's files. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2004-0966 to
this issue.

All users of gettext should upgrade to this updated package, which
includes a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gettext-0.11.4-7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gettext-0.11.4-7.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gettext-0.12.1-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gettext-0.12.1-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gettext-0.14.1-2.1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gettext-0.14.1-2.1.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-


These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum filename
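
The two checks above (sha1sum against the advisory's list, then rpm --checksig) combined with the rpm -Fvh step from section 4 into one script, as an added example that is not part of the advisory: it parses a sum list in the layout shown in section 7 (sum on one line and path on the next, or both on one line), verifies the downloaded RPMs with GNU sha1sum -c, and only installs when both the sums and the GPG signatures check out. The function names, the list-file and directory arguments, and the use of GNU coreutils options are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: verify downloaded RPMs against an
# advisory-style "SHA1 sum  Package Name" list, then check GPG signatures,
# and only then apply the update with rpm -Fvh. Assumes GNU coreutils
# (sha1sum -c --status) and the rpm command line tool.

# Turn an advisory sum list into "sha1  basename" lines for sha1sum -c.
# Entries may be "<sha1> <path>" on one line or with the path wrapped onto
# the following line, as in the mail archive; header lines are skipped.
advisory_sums_to_checklist() {
    # $1: file holding the sum list
    tr -s ' \t\n' '\n\n\n' < "$1" | awk '
        length($0) == 40 && /^[0-9a-f]+$/ { sum = $0; next }
        sum != "" && NF {
            n = split($0, p, "/")          # keep only the file name
            print sum "  " p[n]
            sum = ""
        }'
}

# Check every package named in the list against the files in a directory.
# Returns 0 only if all listed files are present and their sums match.
verify_packages() {
    # $1: sum list, $2: directory holding the downloaded RPMs
    _list=$(advisory_sums_to_checklist "$1")
    [ -n "$_list" ] || { echo "no sums parsed from $1" >&2; return 1; }
    ( cd "$2" && printf '%s\n' "$_list" | sha1sum -c --status )
}

# Apply the update only after both integrity and signature checks pass.
apply_update() {
    # $1: sum list, $2: directory holding the downloaded RPMs
    verify_packages "$1" "$2" \
        || { echo "SHA1 mismatch, refusing to install" >&2; return 1; }
    rpm --checksig "$2"/*.rpm \
        || { echo "bad GPG signature, refusing to install" >&2; return 1; }
    rpm -Fvh "$2"/*.rpm
}

# Usage (hypothetical paths): apply_update advisory-sums.txt ./downloads
```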

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More
project details at http://www.fedoralegacy.org

-



[FLSA-2006:152803] Updated lesstif packages fix security issues

2006-01-09 Thread Marc Deslauriers
-
   Fedora Legacy Update Advisory

Synopsis:      Updated lesstif packages fix security issues
Advisory ID:   FLSA:152803
Issue date:    2006-01-09
Product:       Red Hat Linux, Fedora Core
Keywords:      Bugfix
CVE Names:     CVE-2004-0687 CVE-2004-0688 CVE-2004-0914
               CVE-2005-0605
-


-
1. Topic:

Updated lesstif packages that fix flaws in the Xpm image library are
now available.

lesstif is a free replacement for OSF/Motif(R), which provides a full
set of widgets for application development.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

During a source code audit, Chris Evans and others discovered several
stack overflow flaws and an integer overflow flaw in the libXpm library
used to decode XPM (X PixMap) images. A vulnerable version of this
library was found within LessTif. An attacker could create a carefully
crafted XPM file which would cause an application to crash or
potentially execute arbitrary code if opened by a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.

An integer overflow flaw was found in libXpm; a vulnerable version of
this library is found within LessTif. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a
victim using an application linked to LessTif. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0605 to this issue.

Users of lesstif are advised to upgrade to these errata packages,
which contain backported security patches correcting these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
-
