Re: Moving Mozilla to Seamonkey
On Thu, 2006-07-27 at 15:11 -0600, Stephen John Smoogen wrote:
> I think it might be a good idea to evaluate a change of Firefox/Thunderbird/Mozilla to the latest tree set. This would mean changing Mozilla to Seamonkey, and moving Firefox/Thunderbird to 1.5.x series. I know this is a big change, but is the time to backport fixes worth the headache in time of bug open in this case?

We should stick to what RHEL is doing. Seamonkey is coming out for RHEL, so that's a change we should make. I suggest waiting to see what happens with Firefox...

Marc.

signature.asc
Description: This is a digitally signed message part

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: Moving Mozilla to Seamonkey
On Fri, 2006-07-28 at 03:42 +0530, Rahul wrote:
> In general, IMO, Fedora Legacy errata policy should be to bump up to the newer upstream version on ancillary packages and backport fixes to only libraries or software that have other visible major dependencies and externally defined interfaces which are known to be used by third parties. If there isn't any opposition to this, I will add this piece of info to the wiki pages and FAQ on legacy.

Who is going to test the bump up to the newer upstream version? We have tried this in the past and got hit by more bugs and more work than simply backporting the security fixes.

How do we determine what's considered an ancillary package? Is Firefox an ancillary package? What about PHP or sendmail?

Marc.
[FLSA-2006:175040] Updated php packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated php packages fix security issues
Advisory ID: FLSA:175040
Issue date: 2006-07-27
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 CVE-2006-1990

1. Topic:

Updated PHP packages that fix multiple security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. (CVE-2005-2933)

An input validation error was found in the mb_send_mail() function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the mb_send_mail() function where the To parameter can be controlled by the attacker. (CVE-2005-3883)

The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208)

The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996)

The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the html_entity_decode() function with untrusted input from the user and displayed the result. (CVE-2006-1490)

The wordwrap() PHP function did not properly check for integer overflow in the handling of the break parameter. An attacker who could control the string passed to the break parameter could cause a heap overflow. (CVE-2006-1990)

Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.20.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.20.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.21.legacy.i386.rpm
Re: Squirrelmail 1.4.7 security fixes
On Mon, 2006-07-24 at 10:39 +0200, Nils Breunese (Lemonbit Internet) wrote:
> I see squirrelmail 1.4.7 fixes several security issues (see http://www.squirrelmail.org/changelog.php), but I couldn't find any bugs related to these in bugzilla. I'm not a bugzilla wizard however, so I didn't open any, I might just be blind. Can anyone tell me if these issues affect current installations and should bug reports be opened?

Yeah, current installations are probably vulnerable. There are no bugs open against this. Please feel free to open one.

Thanks.

Marc.
[FLSA-2006:189137-1] Updated mozilla packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: FLSA:189137-1
Issue date: 2006-06-06
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790

1. Topic:

Updated mozilla packages that fix several security bugs are now available.

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Several bugs were found in the way Mozilla processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Mozilla processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of chrome, allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

Several bugs were found in the way Mozilla processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Mozilla. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Mozilla displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Mozilla allows javascript mutation events on input form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729)

A bug was found in the way Mozilla executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of chrome. (CVE-2006-0884)

Users of Mozilla are advised to upgrade to these updated packages containing Mozilla version 1.7.13 which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.13-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.13-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.13-0.73.1.legacy.i386.rpm
[FLSA-2006:189137-2] Updated firefox package fixes security issues
Fedora Legacy Update Advisory

Synopsis: Updated firefox package fixes security issues
Advisory ID: FLSA:189137-2
Issue date: 2006-06-06
Product: Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2006-0748 CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790

1. Topic:

An updated firefox package that fixes several security bugs is now available.

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several bugs were found in the way Firefox processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Firefox processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of chrome, allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

Several bugs were found in the way Firefox processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Firefox. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Firefox displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Firefox allows javascript mutation events on input form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729)

Users of Firefox are advised to upgrade to these updated packages containing Firefox version 1.0.8 which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                  Package Name
8b719bb18c6dfe14b472c684ac5133d82d1b96d0  fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
946f2ccbc412675ee6959a3dee50c2cb3ba90c3a  fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
0747aa65730e328a9274ec66c0de8dc30645dc1d  fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:
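The verification section above gives two manual commands. The following POSIX shell script is an added example, not part of the advisory or of Fedora Legacy's own tooling: it reads a manifest in the advisory's "SHA1 sum / Package Name" layout (one "<sha1> <relative path>" pair per line, with release labels such as "fc3:" on their own lines), checks every listed file under a download directory with sha1sum, and only then runs rpm --checksig -v over the directory. The function names, the manifest file and the download directory are assumptions.

```shell
#!/bin/sh
# Added example: verify Fedora Legacy update packages against the sha1 list
# published in the advisory, then check their GPG signatures with rpm.
# Assumed layout: MANIFEST holds "<sha1> <relative path>" lines (labels like
# "fc3:" alone on a line are skipped); DOWNLOAD_DIR holds the downloaded
# files under those same relative paths (fedora/3/updates/i386/...).

# verify_manifest MANIFEST DOWNLOAD_DIR
# Prints one status line per entry; returns 0 only if every listed file
# exists and its sha1sum equals the expected value.
verify_manifest() {
    manifest=$1
    dir=$2
    bad=0
    while read -r expected relpath; do
        # A line with a single field is a release label ("rh9:", "fc3:")
        # or blank: nothing to check.
        [ -n "$relpath" ] || continue
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# checksig_dir DOWNLOAD_DIR
# Runs the advisory's own command, rpm --checksig -v, on every .rpm found.
# The Fedora Legacy key must have been imported first (rpm --import KEYFILE),
# otherwise rpm reports NOKEY and this returns non-zero, which is the right
# outcome: an unverifiable signature is a failure, not a pass.
checksig_dir() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not installed; cannot check signatures" >&2
        return 2
    fi
    find "$1" -name '*.rpm' -exec rpm --checksig -v '{}' +
}

# verify_update MANIFEST DOWNLOAD_DIR
# Integrity first (sha1), then authenticity (GPG signature); stop at the
# first failing stage so a corrupted download is never passed to rpm.
verify_update() {
    verify_manifest "$1" "$2" && checksig_dir "$2"
}
```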
[FLSA-2006:190777] Updated X.org packages fix security issue
Fedora Legacy Update Advisory

Synopsis: Updated X.org packages fix security issue
Advisory ID: FLSA:190777
Issue date: 2006-06-06
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-1526

1. Topic:

Updated X.org packages that fix a security issue are now available.

X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

A buffer overflow flaw in the X.org server RENDER extension was discovered. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. (CVE-2006-1526)

Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190777

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xorg-x11-6.8.2-1.FC3.45.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-doc-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-font-utils-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGL-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Mesa-libGLU-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-sdk-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-tools-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-twm-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xauth-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xdm-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xdmx-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-xfs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xnest-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/xorg-x11-Xvfb-6.8.2-1.FC3.45.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-deprecated-libs-devel-6.8.2-1.FC3.45.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xorg-x11-devel-6.8.2-1.FC3.45.3.legacy.i386.rpm
[FLSA-2006:190884] Updated squirrelmail package fixes security issues
Fedora Legacy Update Advisory

Synopsis: Updated squirrelmail package fixes security issues
Advisory ID: FLSA:190884
Issue date: 2006-06-06
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2006-0188 CVE-2006-0195 CVE-2006-0377

1. Topic:

An updated squirrelmail package that fixes three security issues is now available.

SquirrelMail is a standards-based webmail package written in PHP4.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way SquirrelMail presents the right frame to the user. If a user can be tricked into opening a carefully crafted URL, it is possible to present the user with arbitrary HTML data. (CVE-2006-0188)

A bug was found in the way SquirrelMail filters incoming HTML email. It is possible to cause a victim's web browser to request remote content by opening an HTML email while running a web browser that processes certain types of invalid style sheets. Only Internet Explorer is known to process such malformed style sheets. (CVE-2006-0195)

A bug was found in the way SquirrelMail processes a request to select an IMAP mailbox. If a user can be tricked into opening a carefully crafted URL, it is possible to execute arbitrary IMAP commands as the user viewing their mail with SquirrelMail. (CVE-2006-0377)

Users of SquirrelMail are advised to upgrade to this updated package, which contains SquirrelMail version 1.4.6 and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190884

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squirrelmail-1.4.6-3.rh9.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squirrelmail-1.4.6-3.rh9.1.legacy.noarch.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squirrelmail-1.4.6-4.fc1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squirrelmail-1.4.6-4.fc1.1.legacy.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squirrelmail-1.4.6-4.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squirrelmail-1.4.6-4.fc2.1.legacy.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/squirrelmail-1.4.6-4.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/squirrelmail-1.4.6-4.fc3.1.legacy.noarch.rpm

7. Verification:

SHA1 sum / Package Name (the advisory lists one sha1sum per package above for rh9, fc1, fc2 and fc3; the list is omitted here).
Re: Fedora products, to upgrade rather than backport?
On Mon, 2006-05-15 at 15:20 -0400, Jesse Keating wrote:
> So in the RHL space, the choice was clear. Backport whenever possible. However the Fedora landscape is different. Upstream Core does not do backporting, they more often than not version upgrade to resolve security issues. Why should Legacy be any different? If we want to be transparent to end users we should follow what upstream does.

Every time we've decided to upgrade a package instead of backporting security fixes, we've broken other stuff and have had to work twice as hard to get things back into working order. I don't think we have the resources to upgrade packages. Backporting is a lot less work...

Marc.
Fedora Legacy Test Update Notification: mozilla
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-189137-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
2006-05-15

Name: mozilla
Versions: rh7.3: mozilla-1.7.13-0.73.1.legacy
Versions: rh9: mozilla-1.7.13-0.90.1.legacy
Versions: fc1: mozilla-1.7.13-1.1.1.legacy
Versions: fc2: mozilla-1.7.13-1.2.1.legacy
Versions: fc3: mozilla-1.7.13-1.3.1.legacy
Summary: A Web browser.
Description: Mozilla is an open-source Web browser, designed for standards compliance, performance, and portability.

Update Information:

Updated mozilla packages that fix several security bugs are now available.

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several bugs were found in the way Mozilla processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Mozilla processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of chrome, allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

Several bugs were found in the way Mozilla processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Mozilla. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Mozilla displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Mozilla allows javascript mutation events on input form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729)

A bug was found in the way Mozilla executes in-line mail forwarding. If a user can be tricked into forwarding a maliciously crafted mail message as in-line content, it is possible for the message to execute javascript with the permissions of chrome. (CVE-2006-0884)

Users of Mozilla are advised to upgrade to these updated packages containing Mozilla version 1.7.13 which corrects these issues.

Changelogs

rh7.3:
* Sat Apr 22 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.13-0.73.1.legacy
- Updated to 1.7.13 to fix security issues

rh9:
* Sat Apr 22 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.13-0.90.1.legacy
- Updated to 1.7.13 to fix security issues

fc1:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.13-1.1.1.legacy
- Updated to 1.7.13 to fix security issues

fc2:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.13-1.2.1.legacy
- Updated to 1.7.13 to fix security issues

fc3:
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.13-1.3.1.legacy
- Updated to 1.7.13 to fix security issues

This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

rh7.3: the notification lists one sha1sum per rh7.3 package in redhat/7.3/updates-testing/i386/ (mozilla, mozilla-chat, mozilla-devel, mozilla-dom-inspector, mozilla-js-debugger, mozilla-mail, mozilla-nspr, mozilla-nspr-devel, mozilla-nss, mozilla-nss-devel and galeon-1.2.14-0.73.6.legacy); the hash list is omitted here.
Fedora Legacy Test Update Notification: firefox
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-189137-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137
2006-05-15

Name: firefox
Versions: fc3: firefox-1.0.8-1.1.fc3.1.legacy
Summary: Mozilla Firefox Web browser.
Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

Update Information:

An updated firefox package that fixes several security bugs is now available.

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

Several bugs were found in the way Firefox processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

Several bugs were found in the way Firefox processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of chrome, allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

Several bugs were found in the way Firefox processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Firefox. (CVE-2006-0748, CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Firefox displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Firefox allows javascript mutation events on input form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729)

Users of Firefox are advised to upgrade to these updated packages containing Firefox version 1.0.8 which corrects these issues.

Changelogs

fc3:
* Wed Apr 19 2006 Marc Deslauriers [EMAIL PROTECTED] 0:1.0.8-1.1.fc3.1.legacy
- Update to firefox 1.0.8

This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

fc3:
8b719bb18c6dfe14b472c684ac5133d82d1b96d0  fedora/3/updates-testing/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
946f2ccbc412675ee6959a3dee50c2cb3ba90c3a  fedora/3/updates-testing/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
0747aa65730e328a9274ec66c0de8dc30645dc1d  fedora/3/updates-testing/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm

Please test and comment in bugzilla.
[FLSA-2006:152898] Updated emacs packages fix a security issue
Fedora Legacy Update Advisory

Synopsis:          Updated emacs packages fix a security issue
Advisory ID:       FLSA:152898
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0100

1. Topic:

Updated Emacs packages that fix a string format issue are now available.

Emacs is a powerful, customizable, self-documenting, modeless text editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0100 to this issue.

Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152898

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/emacs-21.2-3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-21.2-3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-el-21.2-3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/emacs-leim-21.2-3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/emacs-21.2-34.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-21.2-34.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-el-21.2-34.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/emacs-leim-21.2-34.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/emacs-21.3-9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-21.3-9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-el-21.3-9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/emacs-leim-21.3-9.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
4441c55cfe91aabf2203d68bcbc0cf2bbd5f8798 redhat/7.3/updates/i386/emacs-21.2-3.legacy.i386.rpm
33e802e8f306f13519dd2c3f045eb9efe5e4680a redhat/7.3/updates/i386/emacs-el-21.2-3.legacy.i386.rpm
f6293ffe1c51c3bb31f1b3941da0938d8a98eff2 redhat/7.3/updates/i386/emacs-leim-21.2-3.legacy.i386.rpm
a5767f1100037b49602abb80831fa22da135c081 redhat/7.3/updates/SRPMS/emacs-21.2-3.legacy.src.rpm
ae56dba68d59f5d49105f7afb6918ac945ad8b01 redhat/9/updates/i386/emacs-21.2-34.legacy.i386.rpm
84047366c8488fa3c95070466b1bd20ce5d8687a redhat/9/updates/i386/emacs-el-21.2-34.legacy.i386.rpm
8eb8449c456e7d475157992c3e6f8bc4bdf64c7b redhat/9/updates/i386/emacs-leim-21.2-34.legacy.i386.rpm
4cf0ba484c3ab93210d186beb3c79b68b4e56984 redhat/9/updates/SRPMS/emacs-21.2-34.legacy.src.rpm
d56260f010b4603c89516ccf2ddd09c33c8c53c4 fedora/1/updates/i386/emacs-21.3-9.2.legacy.i386.rpm
6bf7cb9bacc6c0f9374849fa4507ededa13193cf fedora/1/updates/i386/emacs-el-21.3-9.2.legacy.i386.rpm
fb23df114772b6c758499401751dfc389e2e1d88 fedora/1/updates/i386/emacs-leim-21.3-9.2.legacy.i386.rpm
1a1133d917d4993c92a03c30ba08e8916c6a7bfe fedora/1/updates/SRPMS/emacs-21.3-9.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm
[FLSA-2006:152904] Updated ncpfs package fixes security issues
Fedora Legacy Update Advisory

Synopsis:          Updated ncpfs package fixes security issues
Advisory ID:       FLSA:152904
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-1079 CVE-2005-0013 CVE-2005-0014

1. Topic:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP protocol.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Buffer overflows were found in the nwclient program. An attacker, using a long -T option, could possibly execute arbitrary code and gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not sufficiently check if the file owner matched the user attempting to access the file, potentially violating the file permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious NetWare server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which contains backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                 Package Name
16740d3fa5e17a46429ad3586e4adf9a14a64f8d redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544 redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm
[FLSA-2006:152923] Updated xloadimage package fixes security issues
Fedora Legacy Update Advisory

Synopsis:          Updated xloadimage package fixes security issues
Advisory ID:       FLSA:152923
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0638 CVE-2005-3178

1. Topic:

A new xloadimage package that fixes bugs in handling malformed tiff and pbm/pnm/ppm images, and in handling metacharacters in file names is now available.

The xloadimage utility displays images in an X Window System window, loads images into the root window, or writes images into a file. Xloadimage supports many image types (including GIF, TIFF, JPEG, XPM, and XBM).

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A flaw was discovered in xloadimage where filenames were not properly quoted when calling the gunzip command. An attacker could create a file with a carefully crafted filename so that it would execute arbitrary commands if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0638 to this issue.

A flaw was discovered in xloadimage via which an attacker can construct a NIFF image with a very long embedded image title. This image can cause a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-3178 to this issue.

All users of xloadimage should upgrade to this erratum package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152923

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xloadimage-4.1-21.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xloadimage-4.1-21.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xloadimage-4.1-27.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/xloadimage-4.1-27.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xloadimage-4.1-29.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xloadimage-4.1-29.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xloadimage-4.1-34.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xloadimage-4.1-34.FC2.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
88326ff1a0753287240180322b36f8174686e0cc redhat/7.3/updates/i386/xloadimage-4.1-21.2.legacy.i386.rpm
663b64ed039000824bacd3475e807c29c835f388 redhat/7.3/updates/SRPMS/xloadimage-4.1-21.2.legacy.src.rpm
7fef8d73737dfacb3d56f203bf31f3c8e2014925 redhat/9/updates/i386/xloadimage-4.1-27.2.legacy.i386.rpm
2b4223a41ab2127ee3b173e0803635f3c441bb4f redhat/9/updates/SRPMS/xloadimage-4.1-27.2.legacy.src.rpm
c24c7a2ae4d703b00a3f84623cae24775674d5d7 fedora/1/updates/i386/xloadimage-4.1-29.2.legacy.i386.rpm
ec2c5a9b5049aeca3cd4d12e7b84c650fec1c295 fedora/1/updates/SRPMS/xloadimage-4.1-29.2.legacy.src.rpm
2910727dcd74a462a2f137746592e53ba5fcdfac fedora/2/updates/i386/xloadimage-4.1-34.FC2.2.legacy.i386.rpm
924f5e4ffc9ff7190dc1808def838e57377f5fd6 fedora/2/updates/SRPMS/xloadimage-4.1-34.FC2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v filename

If you only wish to verify
[FLSA-2006:185355] Updated gnupg package fixes security issues
Fedora Legacy Update Advisory

Synopsis:          Updated gnupg package fixes security issues
Advisory ID:       FLSA:185355
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2006-0049 CVE-2006-0455

1. Topic:

An updated GnuPG package that fixes signature verification flaws is now available.

GnuPG is a utility for encrypting data and creating digital signatures.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/gnupg-1.0.7-13.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gnupg-1.2.1-9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gnupg-1.2.1-9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gnupg-1.2.3-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gnupg-1.2.3-2.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gnupg-1.2.4-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gnupg-1.2.4-2.3.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnupg-1.2.7-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnupg-1.2.7-1.2.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnupg-1.2.7-1.2.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                 Package Name
8908e71fbca5c2bae5f3aadd774e42a49a5cb957 redhat/7.3/updates/i386/gnupg-1.0.7-13.3.legacy.i386.rpm
dd9dc31630ca66faffb4f214f425b973cb3212cf redhat/7.3/updates/SRPMS/gnupg-1.0.7-13.3.legacy.src.rpm
b551dcbc9739ca6af6ca175c61709d5a4209fee6
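The CVE-2006-0455 description in the advisory above is a warning to anyone who drives GnuPG from a script: a zero exit status alone does not prove that a signature was checked. The POSIX shell function below is an added example, not Fedora Legacy's or GnuPG's own code. It reads the machine-readable lines GnuPG writes when run with --status-fd and treats a run as verified only when both a GOODSIG and a VALIDSIG line are present and no failure status (BADSIG, ERRSIG, NODATA and so on) appears, so a run that silently skipped verification is rejected whatever gpg's exit code was. The three status files in the demo are constructed samples; the key ID, fingerprint and user ID in them are placeholders, and the exact argument layout of each status line is taken from GnuPG's doc/DETAILS only as far as the parser needs it (the keyword).

```shell
#!/bin/sh
# signature_verified STATUSFILE
#   STATUSFILE holds the status stream from a command such as
#       gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null > STATUSFILE
#   Returns 0 only when GnuPG reported both GOODSIG and VALIDSIG and no
#   failure status. gpg's own exit status is deliberately not consulted:
#   as CVE-2006-0455 shows, it can be 0 when no signature was checked.
signature_verified() {
    good=0
    valid=0
    failed=0
    while read -r prefix keyword rest; do
        # Status lines look like "[GNUPG:] KEYWORD args..."; skip the rest.
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)  good=1 ;;
            VALIDSIG) valid=1 ;;
            BADSIG|ERRSIG|NODATA|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) failed=1 ;;
        esac
    done < "$1"
    [ "$good" = 1 ] && [ "$valid" = 1 ] && [ "$failed" = 0 ]
}

# Constructed sample (placeholder key ID, fingerprint and user ID) of the
# status stream from a successful verification.
write_good_status() {
    cat > "$1" <<'EOF'
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2006-05-12 1147392000
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-05-12 1147392000 0 3 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
EOF
}

# Constructed sample of a run where GnuPG processed the data but never
# reported any signature result: exactly what an exit-status-only check
# would wrongly accept.
write_unverified_status() {
    cat > "$1" <<'EOF'
[GNUPG:] PLAINTEXT 62 1147392000
[GNUPG:] PLAINTEXT_LENGTH 17
EOF
}

# Constructed sample of a signature that failed to verify.
write_bad_status() {
    cat > "$1" <<'EOF'
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_good_status "$tmp/good"
    write_unverified_status "$tmp/none"
    write_bad_status "$tmp/bad"
    for f in good none bad; do
        if signature_verified "$tmp/$f"; then
            echo "$f: VERIFIED"
        else
            echo "$f: NOT VERIFIED"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The point of the design is that the decision is made on positive evidence (a GOODSIG and VALIDSIG pair) rather than on the absence of an error, so a missing or ignored signature fails closed.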
Fedora Legacy Test Update Notification: tetex
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152868
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152868
2006-04-26

Name        : tetex
Versions    : rh73: tetex-1.0.7-47.5.legacy
Versions    : rh9: tetex-1.0.7-66.3.legacy
Versions    : fc1: tetex-2.0.2-8.2.legacy
Versions    : fc2: tetex-2.0.2-14FC2.3.legacy
Summary     : The TeX text formatting system.
Description :
TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output. Usually, TeX is used in conjunction with a higher level formatting package like LaTeX or PlainTeX, since TeX by itself is not very user-friendly.

Update Information:

Updated tetex packages that fix several security issues are now available.

TeTeX is an implementation of TeX. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output.

A number of integer overflow bugs that affect Xpdf were discovered. The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0888 and CVE-2004-1125 to these issues.

Several flaws were discovered in the teTeX PDF parsing library. An attacker could construct a carefully crafted PDF file that could cause teTeX to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues.

Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

Changelogs

rh73:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-47.5.legacy
- Added tetex tetex-latex and tetex-dvips to BuildPreReq!
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-47.4.legacy
- Added patch to remove expiration check
* Wed Apr 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-47.3.legacy
- Added missing netpbm-progs, ghostscript, ed and texinfo to BuildPrereq
* Fri Mar 17 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-47.2.legacy
- Patches for CESA-2004-007, CAN-2004-1125, CAN-2004-0888, CVE-2005-3193

rh9:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-66.3.legacy
- Added missing tetex, tetex-latex and tetex-dvips to BuildPreReq
* Fri Apr 21 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-66.2.legacy
- Added missing ed and texinfo to BuildPrereq
* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-66.1.legacy
- Patches for CESA-2004-007 CAN-2004-0888 CAN-2004-1125 CVE-2005-3193 (#152868)

fc1:
* Wed Apr 26 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.2-8.2.legacy
- Added missing ed, texinfo, tetex, tetex-latex and tetex-dvips to BuildPreReq
* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 2.0.2-8.1.legacy
- Patches for CAN-2004-0888, CAN-2004-1125, CAN-2005-0064 and 2005-3193

fc2:
* Tue Apr 25 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.2-14FC2.3.legacy
- Fixed release tag
- Added missing tetex, tetex-latex and tetex-dvips to BuildPreReq
* Thu Mar 16 2006 Donald Maner [EMAIL PROTECTED] 2.0.2-14.3.legacy
- Patch CVE-2005-3193 (#152868)

This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

rh73:
80b05b7896c5db589e960da0d73b1cd4ae120cce redhat/7.3/updates-testing/i386/tetex-1.0.7-47.5.legacy.i386.rpm
28c6022b4f6a237d4695d1f268276ec6b18dcf4c redhat/7.3/updates-testing/i386/tetex-afm-1.0.7-47.5.legacy.i386.rpm
017fa321d9834685f04819070d4f5fb799e05d01 redhat/7.3/updates-testing/i386/tetex-doc-1.0.7-47.5.legacy.i386.rpm
3303175840f2fc37c5f3f77e672eeb3fafae718a redhat/7.3/updates-testing/i386/tetex-dvilj-1.0.7-47.5.legacy.i386.rpm
fa43c7cbdf02cb7d439c9beeb0e358f8c69a5f22 redhat/7.3/updates-testing/i386/tetex-dvips-1.0.7-47.5.legacy.i386.rpm
1e69a574c3d47cec5b58963387956dfc8337d6ec redhat/7.3/updates-testing/i386/tetex-fonts-1.0.7-47.5.legacy.i386.rpm
bb229acb3b38ae16025d56a77c41cab939a512ac redhat/7.3/updates-testing/i386/tetex-latex-1.0.7-47.5.legacy.i386.rpm
d21419415faefcb90b688f8d8dc60a57a6374bad redhat/7.3/updates-testing/i386/tetex-xdvi-1.0.7-47.5.legacy.i386.rpm
f646b3f3c2ebafa6ae264f20a3f056c778bd84db redhat/7.3/updates-testing/SRPMS/tetex-1.0.7-47.5.legacy.src.rpm

rh9:
26f54ca0403372b21e6fd441d9bb64073f23e7de redhat/9/updates-testing/i386/tetex-1.0.7-66.3.legacy.i386.rpm
e74de7855d1d07bcef6a713f4a8735e8008f5249 redhat
Fedora Legacy Test Update Notification: emacs
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152898
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152898
2006-04-26

Name        : emacs
Versions    : rh73: emacs-21.2-3.legacy
Versions    : rh9: emacs-21.2-34.legacy
Versions    : fc1: emacs-21.3-9.2.legacy
Summary     : The libraries needed to run the GNU Emacs text editor.
Description :
Emacs is a powerful, customizable, self-documenting, modeless text editor. Emacs contains special code editing features, a scripting language (elisp), and the capability to read mail, news, and more without leaving the editor.

Update Information:

Updated Emacs packages that fix a string format issue are now available.

Emacs is a powerful, customizable, self-documenting, modeless text editor.

Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. If a user connects to a malicious POP server, an attacker can execute arbitrary code as the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0100 to this issue.

Users of Emacs are advised to upgrade to these updated packages, which contain backported patches to correct this issue.

Changelogs

rh73:
* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.2-3.legacy
- Patch for CAN-2005-0100 (#152898)

rh9:
* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.2-34.legacy
- Patch for CAN-2005-0100 (#152898)

fc1:
* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.2.legacy
- Clean up the #101818 (vm/break dumper problem) workaround
* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.1.legacy
- Oops. Forgot to rework make install for the broken setarch. Now done.
* Wed Mar 15 2006 David Eisenstein [EMAIL PROTECTED] 21.3-9.legacy
- Re-instate setarch stuff; but make use of setarch dependent upon whether or not it is broken in this given invocation of rpmbuild. Why? If setarch doesn't break, it is probably needed and will be used for the bugzilla #101818 issue. If setarch *does* break, then it is likely breaking because it is operating within another setarch (FC1's setarch breaks under that circumstance), such as when being built by plague/mock. In that instance, it is not needed.
* Sun Mar 12 2006 Jesse Keating [EMAIL PROTECTED] 21.3-8.legacy
- Patch for CAN-2005-0100 (#152898)
- Remove setarch stuff, not needed in new build system
- Added builddep on autoconf213

This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

rh73:
4441c55cfe91aabf2203d68bcbc0cf2bbd5f8798 redhat/7.3/updates-testing/i386/emacs-21.2-3.legacy.i386.rpm
33e802e8f306f13519dd2c3f045eb9efe5e4680a redhat/7.3/updates-testing/i386/emacs-el-21.2-3.legacy.i386.rpm
f6293ffe1c51c3bb31f1b3941da0938d8a98eff2 redhat/7.3/updates-testing/i386/emacs-leim-21.2-3.legacy.i386.rpm
a5767f1100037b49602abb80831fa22da135c081 redhat/7.3/updates-testing/SRPMS/emacs-21.2-3.legacy.src.rpm

rh9:
ae56dba68d59f5d49105f7afb6918ac945ad8b01 redhat/9/updates-testing/i386/emacs-21.2-34.legacy.i386.rpm
84047366c8488fa3c95070466b1bd20ce5d8687a redhat/9/updates-testing/i386/emacs-el-21.2-34.legacy.i386.rpm
8eb8449c456e7d475157992c3e6f8bc4bdf64c7b redhat/9/updates-testing/i386/emacs-leim-21.2-34.legacy.i386.rpm
4cf0ba484c3ab93210d186beb3c79b68b4e56984 redhat/9/updates-testing/SRPMS/emacs-21.2-34.legacy.src.rpm

fc1:
d56260f010b4603c89516ccf2ddd09c33c8c53c4 fedora/1/updates-testing/i386/emacs-21.3-9.2.legacy.i386.rpm
6bf7cb9bacc6c0f9374849fa4507ededa13193cf fedora/1/updates-testing/i386/emacs-el-21.3-9.2.legacy.i386.rpm
fb23df114772b6c758499401751dfc389e2e1d88 fedora/1/updates-testing/i386/emacs-leim-21.3-9.2.legacy.i386.rpm
1a1133d917d4993c92a03c30ba08e8916c6a7bfe fedora/1/updates-testing/SRPMS/emacs-21.3-9.2.legacy.src.rpm

Please test and comment in bugzilla.
Re: [Updated] [FLSA-2006:186277] Updated sendmail packages fix security issue
On Wed, 2006-04-05 at 12:50 -0400, Adam Gibson wrote:
> One thing I noticed after the latest yum update of sendmail from the
> previous update is that alternatives is broken for /etc/pam.d/smtp for
> the sendmail package. Sendmail used to create /etc/pam.d/smtp.sendmail
> which alternatives would create a symlink at /etc/pam.d/smtp to
> eventually point to the current configured smtp pam config
> (/etc/pam.d/smtp.sendmail for sendmail).

Sendmail on rh73, rh9 and fc1 didn't use alternatives for /etc/pam.d/smtp. It was a real file. That was the problem with the first sendmail update we came out with, it used alternatives for that file and the proper symlink wouldn't get automatically created.

In the latest update, we reverted to the previous functionality of having the package create a real /etc/pam.d/smtp file.

Marc.
[FLSA-2006:152873] Updated xine package fixes security issues
Fedora Legacy Update Advisory

Synopsis:          Updated xine package fixes security issues
Advisory ID:       FLSA:152873
Issue date:        2006-04-04
Product:           Red Hat Linux 7.3
Keywords:          Bugfix, Security
CVE Names:         CVE-2004-0372, CVE-2004-1379

1. Topic:

An updated xine package that fixes security bugs is now available.

xine is a free gpl-licensed video player for unix-like systems.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A vulnerability has been reported in the way xine handles a bug report email. A local user could create a specially crafted symlink which could result in xine overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0372 to this issue.

A heap overflow has been found in the DVD subpicture decoder of xine-lib. This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based media application. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-1379 to this issue.

All users of xine should upgrade to this updated package, which includes backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152873

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xine-0.9.8-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-0.9.8-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-devel-0.9.8-4.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
http://download.fedoralegacy.org/
297e2b6fb5bb2dad8629944e03dc8d7635f5c225 redhat/7.3/updates/i386/xine-0.9.8-4.2.legacy.i386.rpm
465a4ea2a12017a0cee76883e9263ece27c31a6d redhat/7.3/updates/i386/xine-devel-0.9.8-4.2.legacy.i386.rpm
7336c58504919c05a6ccd5caac1c4a41bb7b7c12 redhat/7.3/updates/SRPMS/xine-0.9.8-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

    sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1379

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
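The "7. Verification" section of each advisory above lists one SHA1 per package and tells you to run sha1sum on each file by hand. The POSIX shell script below is an added example, not Fedora Legacy's own tooling: it reads a saved copy of that list, recomputes the SHA1 of every downloaded package and fails if any file is missing or differs, so a batch of downloads can be checked before rpm -Fvh. The manifest layout (the advisory's "SHA1 sum / Package Name" lines saved verbatim to a file) and the download directory argument are assumptions of this example; the package files and checksums in the demo are constructed. As the advisories say, this checks integrity only; authenticity still comes from rpm --checksig against the Fedora Legacy key.

```shell
#!/bin/sh
# verify_manifest MANIFEST DIR
#   MANIFEST: the advisory's verification list saved to a file, one
#             "<sha1> <relative/path>" pair per line. The "SHA1 sum" header,
#             separator lines and blank lines are ignored.
#   DIR:      directory the packages were downloaded into, mirroring the
#             relative paths used in the manifest.
# Prints one line per package and returns 0 only if every listed file is
# present and its SHA1 matches; any MISSING or MISMATCH makes it return 1.
verify_manifest() {
    manifest=$1
    dir=$2
    failed=0
    while read -r expected path; do
        case "$expected" in
            ""|SHA1|-*) continue ;;   # blank, header or separator line
        esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            failed=1
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            failed=1
        fi
    done < "$manifest"
    return $failed
}

# Demo on constructed data: one package whose checksum is recorded
# correctly, one altered after the manifest was written, and one that was
# never downloaded. The file names are placeholders, not real packages.
demo() {
    tmp=$(mktemp -d)
    pkgdir="$tmp/pkgs/redhat/7.3/updates/i386"
    mkdir -p "$pkgdir"
    printf 'constructed sample package contents\n' \
        > "$pkgdir/sample-1.0-1.legacy.i386.rpm"
    printf 'constructed package that was tampered with\n' \
        > "$pkgdir/altered-1.0-1.legacy.i386.rpm"
    good=$(sha1sum "$pkgdir/sample-1.0-1.legacy.i386.rpm" | cut -d' ' -f1)
    {
        echo "SHA1 sum                                 Package Name"
        echo "$good redhat/7.3/updates/i386/sample-1.0-1.legacy.i386.rpm"
        echo "0000000000000000000000000000000000000000 redhat/7.3/updates/i386/altered-1.0-1.legacy.i386.rpm"
        echo "0000000000000000000000000000000000000000 redhat/7.3/updates/i386/missing-1.0-1.legacy.i386.rpm"
    } > "$tmp/manifest.txt"
    verify_manifest "$tmp/manifest.txt" "$tmp/pkgs"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "verification failed: do not install these packages"
```

Usage against a real advisory: save the verification list as manifest.txt, download the packages into a directory that mirrors the relative paths (for example ./downloads/redhat/7.3/updates/i386/...), then run verify_manifest manifest.txt ./downloads and only proceed to rpm --checksig and rpm -Fvh when it exits 0.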
[FLSA-2006:152896] Updated mod_python package fixes a security issue
- Fedora Legacy Update Advisory

Synopsis: Updated mod_python package fixes a security issue
Advisory ID: FLSA:152896
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Name: CVE-2005-0088

1. Topic:

An updated mod_python package that fixes a security issue in the publisher handler is now available.

Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0088 to this issue.

Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152896

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
f936f1ddb29779efae651ff90a19fa17d4edb9f8  redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm
d7792718f71006a00d5e932009dff9b8688330a5  redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm
6b1e637878a7af1f58f1127d07b7614334b71136  redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm
5ef5e32ac4d17f77c602d99299baab7f7c00c52d  redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm
d3959d23e0718b15a4a0b4fc4126b3198e7e98f8  fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm
20c04acf2eadcb2d99cf6c076a6d1ea34537ed24  fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0088

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:156290] Updated cyrus-imapd packages fix security issues
- Fedora Legacy Update Advisory

Synopsis: Updated cyrus-imapd packages fix security issues
Advisory ID: FLSA:156290
Issue date: 2006-04-04
Product: Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2005-0546

1. Topic:

Updated cyrus-imapd packages that fix several buffer overflow security issues are now available.

The cyrus-imapd package contains the core of the Cyrus IMAP server.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue.

Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156290

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-devel-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-murder-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-nntp-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/cyrus-imapd-utils-2.2.12-1.1.fc2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-Cyrus-2.2.12-1.1.fc2.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
869a5d94e05156e2bdcff36242fd25b2c0e1c6d1  fedora/2/updates/i386/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.i386.rpm
b3bfaca68420697544395c17dbf2cefb5eabcf8f  fedora/2/updates/i386/cyrus-imapd-devel-2.2.12-1.1.fc2.1.legacy.i386.rpm
0a8652c25f5d608811b64c634191845b6dcd672a  fedora/2/updates/i386/cyrus-imapd-murder-2.2.12-1.1.fc2.1.legacy.i386.rpm
d7cfe6d91b0aa23b189949bf516e94479eefd8ef  fedora/2/updates/i386/cyrus-imapd-nntp-2.2.12-1.1.fc2.1.legacy.i386.rpm
03b23f099fd26fa8421bf90f4542ff4e56226d36  fedora/2/updates/i386/cyrus-imapd-utils-2.2.12-1.1.fc2.1.legacy.i386.rpm
1d1f935c0d88f209321ebb9ae679af9a0ff23e42  fedora/2/updates/i386/perl-Cyrus-2.2.12-1.1.fc2.1.legacy.i386.rpm
de27bfdc5d7e2a2c5268d769ef0842aba85bfed5  fedora/2/updates/SRPMS/cyrus-imapd-2.2.12-1.1.fc2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0546

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:170411] Updated imap packages fix security issue
- Fedora Legacy Update Advisory

Synopsis: Updated imap packages fix security issue
Advisory ID: FLSA:170411
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2005-2933

1. Topic:

An updated imap package that fixes a buffer overflow issue is now available.

The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

A buffer overflow flaw was discovered in the way the c-client library parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/imap-2001a-10.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/imap-2001a-10.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/imap-devel-2001a-10.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/imap-2001a-18.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/imap-2001a-18.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/imap-devel-2001a-18.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/imap-2002d-3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/imap-2002d-3.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/imap-devel-2002d-3.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
a516bdac39c9b3946a51e2aa1b2c525418405097  redhat/7.3/updates/i386/imap-2001a-10.3.legacy.i386.rpm
7492a4f5a96f61a50bc1d486004a991407fb8a93  redhat/7.3/updates/i386/imap-devel-2001a-10.3.legacy.i386.rpm
eb6df42d990be3bbf408b9c9cfe759d4ac31d82f  redhat/7.3/updates/SRPMS/imap-2001a-10.3.legacy.src.rpm
dd3d1a3bac748d1db5643a76a86c02568abec7d2  redhat/9/updates/i386/imap-2001a-18.2.legacy.i386.rpm
d7986d8efea12260ebb0613bb6cd486d72ef4ac1  redhat/9/updates/i386/imap-devel-2001a-18.2.legacy.i386.rpm
aef5ef7d054ff02b594bcb2ba564bfbb4778f00b  redhat/9/updates/SRPMS/imap-2001a-18.2.legacy.src.rpm
369fb568801a2d2865a55b2ceabab87e496d8705  fedora/1/updates/i386/imap-2002d-3.2.legacy.i386.rpm
967a77fbc8a4d2dcc3fdfac8b715d7a84537c0c0  fedora/1/updates/i386/imap-devel-2002d-3.2.legacy.i386.rpm
43b5221927cbeb9c2f3387f6a4b8f46f66d4d77d  fedora/1/updates/SRPMS/imap-2002d-3.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:183571-1] Updated tar package fixes security issue
- Fedora Legacy Update Advisory

Synopsis: Updated tar package fixes security issue
Advisory ID: FLSA:183571-1
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2005-1918

1. Topic:

An updated tar package that fixes a path traversal flaw is now available.

The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

In 2002, a path traversal flaw was found in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access (CVE-2002-0399). A security advisory was released containing a backported patch.

It was discovered that the backported security patch contained an incorrect optimization and therefore was not sufficient to completely correct this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.

Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tar-1.13.25-4.7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tar-1.13.25-4.7.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tar-1.13.25-11.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tar-1.13.25-11.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tar-1.13.25-12.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tar-1.13.25-12.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tar-1.13.25-14.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tar-1.13.25-14.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
57d5b198335bcb254ff49b26b60b2ded6fdc3c29  redhat/7.3/updates/i386/tar-1.13.25-4.7.2.legacy.i386.rpm
aec36c77c75a882b3c44a61fa61c23ff204ef4e5  redhat/7.3/updates/SRPMS/tar-1.13.25-4.7.2.legacy.src.rpm
df30641462702e447ac80e5e71db048e039cc378  redhat/9/updates/i386/tar-1.13.25-11.1.legacy.i386.rpm
27e7678d52f44d3872047c5b05c6dfd751c2a806  redhat/9/updates/SRPMS/tar-1.13.25-11.1.legacy.src.rpm
0caee4057c9325f93ac327e1a4d067fee8b1a744  fedora/1/updates/i386/tar-1.13.25-12.1.legacy.i386.rpm
458a1d96fdf8f580b5702a7243f7653d8c581ac6  fedora/1/updates/SRPMS/tar-1.13.25-12.1.legacy.src.rpm
5565230fd52a82671b69a9310883a25f7844b8a6  fedora/2/updates/i386/tar-1.13.25-14.1.legacy.i386.rpm
864f986b64392dacaec2bde2c42339a4e6bd7e35  fedora/2/updates/SRPMS/tar-1.13.25-14.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1918

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project
[FLSA-2006:184074] Updated pine package fixes security issue
- Fedora Legacy Update Advisory

Synopsis: Updated pine package fixes security issue
Advisory ID: FLSA:184074
Issue date: 2006-04-04
Product: Red Hat Linux
Keywords: Bugfix, Security
CVE Names: CVE-2003-0297

1. Topic:

An updated Pine package is now available to fix a denial of service attack.

Pine is an email user agent.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

The c-client IMAP client library, as used in Pine 4.44 contains an integer overflow and integer signedness flaw. An attacker could create a malicious IMAP server in such a way that it would cause Pine to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0297 to this issue.

Users of Pine are advised to upgrade to these erratum packages which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184074

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pine-4.44-19.73.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/pine-4.44-19.73.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pine-4.44-19.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/pine-4.44-19.90.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
2f5de5f092e8d5c2d821e3715fcc6656b19e1b54  redhat/7.3/updates/i386/pine-4.44-19.73.1.legacy.i386.rpm
4fc304469e6dad1025ac0eb1c428bbc84a9ed76f  redhat/7.3/updates/SRPMS/pine-4.44-19.73.1.legacy.src.rpm
043112c55f52e5454ab01e52f7a50968016ac6a1  redhat/9/updates/i386/pine-4.44-19.90.1.legacy.i386.rpm
d84320a9dbe9b1b1917e2acb8c6306c005711075  redhat/9/updates/SRPMS/pine-4.44-19.90.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0297

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:184098] Updated libc-client packages fix security issue
- Fedora Legacy Update Advisory

Synopsis: Updated libc-client packages fix security issue
Advisory ID: FLSA:184098
Issue date: 2006-04-04
Product: Fedora Core 2
Keywords: Bugfix, Security
CVE Names: CVE-2005-2933

1. Topic:

Updated libc-client packages that fix a buffer overflow issue are now available.

C-client is a common API for accessing mailboxes.

2. Relevant releases/architectures:

Fedora Core 2 - i386

3. Problem description:

A buffer overflow flaw was discovered in the way C-client parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184098

6. RPMs required:

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/libc-client-2002e-5.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/libc-client-2002e-5.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/libc-client-devel-2002e-5.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
5232f6a722f64fac4c5e09ca3d34a8e5d33192ed  fedora/2/updates/i386/libc-client-2002e-5.1.legacy.i386.rpm
5e03f3725e30f607708e8da1e9c1537d6e929a29  fedora/2/updates/i386/libc-client-devel-2002e-5.1.legacy.i386.rpm
489cbea579ce3fece1527c68df20f24e8c9bfe75  fedora/2/updates/SRPMS/libc-client-2002e-5.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2933

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
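Every advisory above ends with the same section 7 procedure: compare each downloaded RPM against the "SHA1 sum  Package Name" list, then check the Fedora Legacy GPG signature with rpm --checksig. As an added example that is not part of any advisory, the POSIX sh functions below script that procedure; the list file, the download directory and the package name used in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the Fedora Legacy advisories: automate the
# section 7 verification step. The list file is expected in the advisory's
# own layout, one "<sha1> <path under download.fedoralegacy.org>" per line;
# header lines ("SHA1 sum  Package Name", a bare URL) are skipped.

# verify_sha1_list LISTFILE DOWNLOAD_DIR
# Looks each listed package up by basename in DOWNLOAD_DIR and compares its
# SHA1 with the advisory value. Returns 0 only when every package is present
# and matches; a missing or mismatching file is reported on stderr and the
# function returns 1 after checking the remaining entries.
verify_sha1_list() {
    list=$1
    dir=$2
    status=0
    while read -r expected path; do
        # Only lines that start with a 40-hex-digit SHA1 followed by a
        # path are package entries; everything else is header text.
        [ "${#expected}" -eq 40 ] || continue
        case "$expected" in *[!0-9a-f]*) continue ;; esac
        [ -n "$path" ] || continue
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING:  $file" >&2
            status=1
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK:       $(basename "$path")"
        else
            echo "MISMATCH: $(basename "$path") expected $expected got $actual" >&2
            status=1
        fi
    done < "$list"
    return $status
}

# checksig_all DOWNLOAD_DIR
# The SHA1 list only proves the files match the advisory; authenticity
# comes from the package signatures. This runs the advisory's
# "rpm --checksig -v" over every RPM in the directory and fails on the
# first package whose signature rpm rejects. The Fedora Legacy key from
# http://www.fedoralegacy.org/about/security.php must be imported first.
checksig_all() {
    for f in "$1"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig -v "$f" || return 1
    done
}

# Typical use (paths are assumptions):
#   verify_sha1_list FLSA-184098.sha1 ./downloads && checksig_all ./downloads
```

The two checks are deliberately separate so the SHA1 pass can run on a host without rpm, matching the advisory's "examine only the sha1sum" option.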
[Updated] [FLSA-2006:186277] Updated sendmail packages fix security issue
- Fedora Legacy Update Advisory

Synopsis: Updated sendmail packages fix security issue
Advisory ID: FLSA:186277
Issue date: 2006-04-04
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2006-0058

1. Topic:

Updated sendmail packages that fix a security issue are now available.

The sendmail package provides a widely used Mail Transport Agent (MTA).

[Updated 4th April 2006]
Red Hat Linux 7.3, Red Hat Linux 9, and Fedora Core 1 packages have been updated to correct numerous problems with the previously released updates.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw in the handling of asynchronous signals was discovered in Sendmail. A remote attacker may be able to exploit a race condition to execute arbitrary code as root. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0058 to this issue.

In order to correct this issue for RHL 7.3 users, it was necessary to upgrade the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12.11 with the addition of the security patch supplied by Sendmail Inc. This erratum provides updated packages based on Sendmail 8.12 with a compatibility mode enabled as provided by Red Hat for RHEL 2.1. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed successfully.

In order to correct this issue for RHL 9 and FC1 users, it was necessary to upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively to 8.12.11 with the addition of the security patch supplied by Sendmail Inc. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed successfully.

For Fedora Core 3 users, the patch supplied by Sendmail Inc. applies cleanly to the latest sendmail package previously released for Fedora Core 3.

Users of Sendmail should upgrade to this updated package, which contains a backported patch to correct this issue. Users updating to these packages are urged to review their sendmail.cf file after updating.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-8.12.11-4.25.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.3.legacy.i386.rpm
[UPDATED] Fedora Legacy Test Update Notification: gnupg
The rh73 packages were updated to correct a broken info page.

- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-04-01

Name: gnupg
Versions: rh73: gnupg-1.0.7-13.3.legacy
Versions: rh9: gnupg-1.2.1-9.2.legacy
Versions: fc1: gnupg-1.2.3-2.2.legacy
Versions: fc2: gnupg-1.2.4-2.3.legacy
Versions: fc3: gnupg-1.2.7-1.2.legacy
Summary : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide).

- Update Information:

An updated GnuPG package that fixes signature verification flaws is now available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affect the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.

- Changelogs

rh73:
* Sat Apr 01 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.3.legacy
- Added missing texinfo to BuildPrereq
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner
Fedora Legacy Test Update Notification: ncpfs
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152904
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904
2006-03-28

Name: ncpfs
Versions: rh73: ncpfs-2.2.0.18-6.1.legacy
Versions: rh9: ncpfs-2.2.1-1.1.legacy
Versions: fc1: ncpfs-2.2.3-1.1.legacy
Versions: fc2: ncpfs-2.2.4-1.1.legacy
Versions: fc3: ncpfs-2.2.4-5.FC3.1.legacy
Summary : Utilities for the ncpfs filesystem, a NetWare client.
Description :
Ncpfs is a filesystem which understands the Novell NetWare(TM) NCP protocol. Functionally, NCP is used for NetWare the way NFS is used in the TCP/IP world. For a Linux system to mount a NetWare filesystem, it needs a special mount program. The ncpfs package contains such a mount program plus other tools for configuring and using the ncpfs filesystem.

- Update Information:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP protocol.

Buffer overflows were found in the nwclient program. An attacker, using a long -T option, could possibly execute arbitrary code and gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not sufficiently check if the file owner matched the user attempting to access the file, potentially violating the file permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious NetWare server could execute arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which contains backported fixes for these issues.

- Changelogs

rh73:
* Fri Mar 10 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.0.18-6.1.legacy
- fixed getuid security bug CVE-2005-0013

rh9:
* Fri Mar 10 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.1-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc1:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.3-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc2:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.4-1.1.legacy
- Added patches for CVE-2004-1079, CVE-2005-0013 and CVE-2005-0014

fc3:
* Sat Mar 11 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.4-5.FC3.1.legacy
- Added missing part of CVE-2005-0013 fix

- This update can be downloaded from: http://download.fedoralegacy.org/

(sha1sums)

rh73:
16740d3fa5e17a46429ad3586e4adf9a14a64f8d redhat/7.3/updates-testing/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544 redhat/7.3/updates-testing/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm
6704d55f1f43360b6ad4211e2ca0f92e9f2174c8 redhat/7.3/updates-testing/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm

rh9:
6acd3b7b7d09cb0e47769b43a888adf72a6278ac redhat/9/updates-testing/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
c49d83f88b229ce57c689d313eccb4df7b89f36b redhat/9/updates-testing/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm
ac833c51fcf831bca3edef5d0275ccd1ae0a530f redhat/9/updates-testing/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm

fc1:
8379face8f68fe556d40bf32f72a5ab368e8eb6d fedora/1/updates-testing/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
eefaa839a26179ca5d41897eacf7bbf3c49661e1 fedora/1/updates-testing/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm
ede00a8544200515b5e09a7a40836d8f558cac9d fedora/1/updates-testing/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm

fc2:
1d32d2f0c39475f98206d78f87c587d4f96ddb70 fedora/2/updates-testing/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
c095ce2d66184b605516231609cddc30520c3eb5 fedora/2/updates-testing/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm
874f8a48f85fef80615b5892a70d214f0935ed7a fedora/2/updates-testing/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm

fc3:
dc329c8b3558f67350486358b01b6a62f6f467af fedora/3/updates-testing/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
1ddd6caafe4a693d4a69d341be69600df446de3b fedora/3/updates-testing/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm
db8660759a23570a6d06bda37c619e0931425ef8 fedora/3/updates-testing/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
1e8bc7d10995fde90688b424f5001c14f7d3e3bc fedora/3/updates-testing/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm
7f29dd88dcf31f19970e22c8c3af7267c62a5508 fedora/3/updates-testing/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

- Please test and comment in bugzilla
Fedora Legacy Test Update Notification: fetchmail
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-164512
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512
2006-03-28

Name: fetchmail
Versions: rh73: fetchmail-5.9.0-21.7.3.2.legacy
Versions: rh9: fetchmail-6.2.0-3.4.legacy
Versions: fc1: fetchmail-6.2.0-8.2.legacy
Versions: fc2: fetchmail-6.2.5-2.2.legacy
Summary : A remote mail retrieval and forwarding utility.
Description :
Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, like SLIP or PPP connections. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, and IPSEC) for retrieval. Then Fetchmail forwards the mail through SMTP so you can read it through your favorite mail client.

- Update Information:

Updated fetchmail packages that fix security flaws are now available.

Fetchmail is a remote mail retrieval and forwarding utility.

A bug was found in the way fetchmail allocates memory for long lines. A remote attacker could cause a denial of service by sending a specially-crafted email. The Common Vulnerabilities and Exposures project has assigned the name CVE-2003-0792 to this issue.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious server could send a carefully crafted message UID and cause fetchmail to crash or potentially execute arbitrary code as the user running fetchmail. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-2335 to this issue.

A bug was found in the way the fetchmailconf utility program writes configuration files. The default behavior of fetchmailconf is to write a configuration file which may be world readable for a short period of time. This configuration file could provide passwords to a local malicious attacker within the short window before fetchmailconf sets secure permissions. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3088 to this issue.

A bug was found when fetchmail is running in multidrop mode. A malicious mail server can cause a denial of service by sending a message without headers. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-4348 to this issue.

Users of fetchmail should update to this erratum package which contains backported patches to correct these issues.

- Changelogs

rh73:
* Sat Mar 11 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-4348 (#164512)
- add patch for CAN-2005-3088 from RHEL 2.1 (#164512)
* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 5.9.0-21.7.3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 6.2.0-3.4.legacy
- Added missing e2fsprogs-devel to BuildPrereq
* Sat Mar 11 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-3088 (#164512)
* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.0-3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc1:
* Sun Mar 12 2006 Donald Maner [EMAIL PROTECTED] 6.2.0-8.2.legacy
- add patch for CAN-2005-3088 (#164512)
- add patch for CAN-2005-2355 (#164512)
* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.0-8.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc2:
* Sun Mar 12 2006 Donald Maner [EMAIL PROTECTED] 6.2.5-2.2.legacy
- add patch for crash on empty message - CVE-2005-4348 (#164512)
- add patch for CAN-2005-3088 (#164512)
* Thu Jul 28 2005 Jeff Sheltren [EMAIL PROTECTED] 6.2.5-2.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

- This update can be downloaded from: http://download.fedoralegacy.org/

(sha1sums)

rh73:
8b49bca60dc8bcbba7634b8e0559c82fbeef3db5 redhat/7.3/updates-testing/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
9c9c861757b4b8b2866f1d0e91dbc16d5037d956 redhat/7.3/updates-testing/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm
9cca4f274cb21928d459ed25883e5d3c1f758f10 redhat/7.3/updates-testing/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

rh9:
0fd22e51f83aab97d8c1790ed95423882f01aa9b redhat/9/updates-testing/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm
7d2eb582d0aba96e07710eb89cd8c4c41c4530d3 redhat/9/updates-testing/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm

fc1:
5df158a0ba6bb0c323a75464e04b11e246dd8f98 fedora/1/updates-testing/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm
927ed2783b8b4a29d0669e7936c1d27fd05564eb fedora/1/updates-testing/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm

fc2
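The CVE-2005-3088 paragraph in the fetchmail notification above describes a classic ordering bug: the configuration file is created under the process umask, the password is written, and only afterwards are the permissions tightened. The following is an added example, not fetchmailconf's own code and not part of the notification: write_config_racy reproduces that ordering, and write_config_safe shows the fix of creating the file with mode 0600 before any byte is written and renaming it into place. The sample config line, file names and the observer hook (which stands in for a concurrent local reader) are assumptions made for the example.

```python
"""Create a password-bearing config without a world-readable window.

Added example, not fetchmailconf's own code. The CVE-2005-3088 text above
describes a file written first and locked down afterwards; write_config_racy
reproduces that ordering and write_config_safe shows the fix: create the file
with mode 0600 from the start, via a temp file that is renamed into place.
The sample config line, the file names and the observer hook are assumptions.
"""
import os
import stat
import tempfile

# Constructed sample: a fetchmail-style entry containing a password.
SAMPLE_CONFIG = 'poll mail.example.invalid proto pop3 user "alice" pass "s3cret"\n'


def file_mode(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_config_racy(path, text, observer=None):
    """Vulnerable ordering: open() creates the file under the process umask
    (0644 with the usual 022), the secret is written, and only then does
    chmod() tighten it. `observer` stands in for another local user who reads
    the file inside that window."""
    with open(path, "w") as fh:
        fh.write(text)
    if observer is not None:
        observer(path)
    os.chmod(path, 0o600)


def write_config_safe(path, text):
    """Fixed ordering: mkstemp() creates the temp file with mode 0600 before a
    single byte is written, and rename() publishes it atomically, so no reader
    ever sees a readable or half-written config under `path`."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".fetchmailrc.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.rename(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def demonstrate(workdir=None):
    """Write both variants under umask 022 and report the modes observed."""
    workdir = workdir or tempfile.mkdtemp(prefix="fmconf-demo-")
    old_umask = os.umask(0o022)
    try:
        seen_in_window = []
        racy_path = os.path.join(workdir, "racy.fetchmailrc")
        write_config_racy(racy_path, SAMPLE_CONFIG,
                          observer=lambda p: seen_in_window.append(file_mode(p)))
        safe_path = os.path.join(workdir, "safe.fetchmailrc")
        write_config_safe(safe_path, SAMPLE_CONFIG)
        with open(safe_path) as fh:
            safe_content = fh.read()
        return {
            "racy_mode_in_window": seen_in_window[0],   # 0o644: password readable by anyone
            "racy_mode_final": file_mode(racy_path),    # 0o600 only after the window closed
            "safe_mode_final": file_mode(safe_path),    # 0o600 from creation onwards
            "safe_content_ok": safe_content == SAMPLE_CONFIG,
        }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demonstrate())
```

Run it directly to see the 0o644 mode the observer catches in the racy variant against the 0o600 the safe variant has from the start. The same pattern applies to any tool that writes credentials: set the mode at creation time rather than relying on a later chmod, and write through a temp file plus rename so partial contents are never published.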
Fedora Legacy Test Update Notification: gnupg
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-185355
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185355
2006-03-28

Name: gnupg
Versions: rh73: gnupg-1.0.7-13.2.legacy
Versions: rh9: gnupg-1.2.1-9.2.legacy
Versions: fc1: gnupg-1.2.3-2.2.legacy
Versions: fc2: gnupg-1.2.4-2.3.legacy
Versions: fc3: gnupg-1.2.7-1.2.legacy
Summary : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of PGP2 (PGP2.x uses only IDEA for symmetric-key encryption, which is patented worldwide).

- Update Information:

An updated GnuPG package that fixes signature verification flaws is now available.

GnuPG is a utility for encrypting data and creating digital signatures.

Tavis Ormandy discovered a bug in the way GnuPG verifies cryptographically signed data with detached signatures. It is possible for an attacker to construct a cryptographically signed message which could appear to come from a third party. When a victim processes a GnuPG message with a malformed detached signature, GnuPG ignores the malformed signature, processes and outputs the signed data, and exits with status 0, just as it would if the signature had been valid. In this case, GnuPG's exit status would not indicate that no signature verification had taken place. This issue would primarily be of concern when processing GnuPG results via an automated script. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0455 to this issue.

Tavis Ormandy also discovered a bug in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to inject unsigned data into a signed message in such a way that when a victim processes the message to recover the data, the unsigned data is output along with the signed data, gaining the appearance of having been signed. This issue is mitigated in the GnuPG shipped with Red Hat Enterprise Linux as the --ignore-crc-error option must be passed to the gpg executable for this attack to be successful. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.

Please note that neither of these issues affects the way RPM or up2date verify RPM package files, nor is RPM vulnerable to either of these issues.

All users of GnuPG are advised to upgrade to this updated package, which contains backported patches to correct these issues.

- Changelogs

rh73:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.7-13.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.0.7-13.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

rh9:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-9.2.legacy
- Added missing openldap to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.1-9.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

fc1:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.2.legacy
- Added missing openldap-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle argument parsing, backported (CVE-2006-0049, #185355)
- add backport of patch from Werner Koch to fix the exit status when verifying signatures when no signature is provided (CVE-2006-0455, #185355)

fc2:
* Thu Mar 23 2006 Marc Deslauriers [EMAIL PROTECTED] 1.2.3-2.3.legacy
- Added missing openldap-devel, bzip2-devel and zlib-devel to BuildPrereq
* Wed Mar 15 2006 Donald Maner [EMAIL PROTECTED] 1.2.3-2.1.legacy
- add patch from Werner Koch to error out on ambiguous armored signatures in message, with some more bits from Klaus Singvogel to handle
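Both GnuPG notifications above (the 2006-03-28 one and its 2006-04-01 update) single out CVE-2006-0455 as a problem for automated scripts that trust gpg's exit status. The following is an added example, not code from the notification or from GnuPG: it makes the decision from the --status-fd keywords (GOODSIG, VALIDSIG and the failure keywords, as documented in GnuPG's doc/DETAILS) and, optionally, from an allow-list of signing-key fingerprints. The sample status outputs, key IDs and fingerprints in it are constructed for the example.

```python
"""Judge a GnuPG verification by its status lines, not its exit code.

Added example; it is not part of the Fedora Legacy notification or of GnuPG.
The CVE-2006-0455 text above says an unpatched gpg exits 0 after ignoring a
malformed detached signature, so an automated caller must insist on seeing
GOODSIG and VALIDSIG on --status-fd (keywords documented in GnuPG's
doc/DETAILS). The sample status outputs below are constructed, and the key
IDs and fingerprints in them are made up.
"""
import subprocess

# Keywords that mean "a signature was checked and is good".
GOOD_KEYWORDS = {"GOODSIG", "VALIDSIG"}
# Keywords that mean the check failed or did not happen in a trustworthy way.
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPSIG",
                 "EXPKEYSIG", "REVKEYSIG", "UNEXPECTED"}

# Constructed status output for a good detached signature (fingerprint is fictitious).
SAMPLE_GOOD = """\
[GNUPG:] SIG_ID 8Q3tQ5sYhLzqk0aE6lbZ2L2YyVU 2006-03-28 1143504000
[GNUPG:] GOODSIG 0A1B2C3D4E5F6071 Fedora Legacy (constructed sample) <noreply@example.invalid>
[GNUPG:] VALIDSIG 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D 2006-03-28 1143504000 0 3 0 17 2 00 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
[GNUPG:] TRUST_ULTIMATE
"""
# Constructed: what a caller sees when gpg skipped the malformed signature
# entirely (no signature keyword at all, yet exit status 0 on vulnerable versions).
SAMPLE_NO_SIGNATURE = ""
# Constructed: a signature that was checked and failed.
SAMPLE_BAD = """\
[GNUPG:] BADSIG 0A1B2C3D4E5F6071 Fedora Legacy (constructed sample) <noreply@example.invalid>
"""


def signature_verified(status_output, trusted_fingerprints=None):
    """Return (ok, fingerprint).

    ok is True only when a GOODSIG and a VALIDSIG line were both seen, no
    failure keyword appeared, and, if an allow-list is given, the VALIDSIG
    fingerprint is on it. Empty output is a failure, not a pass.
    """
    saw_good = saw_valid = False
    fingerprint = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in FAIL_KEYWORDS:
            return False, None
        if keyword == "GOODSIG":
            saw_good = True
        elif keyword == "VALIDSIG":
            saw_valid = True
            fingerprint = fields[2]  # full fingerprint of the signing key
    if not (saw_good and saw_valid):
        return False, None
    if trusted_fingerprints is not None and fingerprint not in trusted_fingerprints:
        return False, fingerprint
    return True, fingerprint


def verify_detached(signature_path, data_path, trusted_fingerprints=None):
    """Run gpg and decide from the status lines.

    A non-zero exit is always a failure, but a zero exit is only a necessary
    condition; the status lines make the final decision.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False, None
    return signature_verified(proc.stdout, trusted_fingerprints)
```

For inline (armored or clearsigned) messages, the CVE-2006-0049 case, the same status check applies, but a GOODSIG line cannot tell you which bytes of the output were covered; where you control the format, distribute a detached signature over the whole file and verify that instead.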
[UPDATED] Fedora Legacy Test Update Notification: sendmail
These updated test packages for rh73, rh9 and fc1 fix problems with the previous sendmail update.

- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-186277
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277
2006-03-28

Name: sendmail
Versions: rh73: sendmail-8.12.11-4.22.10.legacy
Versions: rh9: sendmail-8.12.11-4.24.3.legacy
Versions: fc1: sendmail-8.12.11-4.25.3.legacy
Summary : A widely used Mail Transport Agent (MTA).
Description :
The Sendmail program is a very widely used Mail Transport Agent (MTA). MTAs send mail from one machine to another. Sendmail is not a client program, which you use to read your email. Sendmail is a behind-the-scenes program which actually moves your email over networks or the Internet to where you want it to go.

- Update Information:

Updated sendmail packages that fix a flaw in the handling of asynchronous signals are now available.

A flaw in the handling of asynchronous signals was discovered in Sendmail. A remote attacker may be able to exploit a race condition to execute arbitrary code as root. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0058 to this issue.

In order to correct this issue for RHL 7.3 users, it was necessary to upgrade the version of Sendmail from 8.11 as originally shipped to Sendmail 8.12.11 with the addition of the security patch supplied by Sendmail Inc. This erratum provides updated packages based on Sendmail 8.12 with a compatibility mode enabled as provided by Red Hat for RHEL 2.1. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed successfully.

In order to correct this issue for RHL 9 and FC1 users, it was necessary to upgrade the version of Sendmail from 8.12.8 and 8.12.10 respectively to 8.12.11 with the addition of the security patch supplied by Sendmail Inc. After updating to these packages, users should pay close attention to their sendmail logs to ensure that the upgrade completed successfully.

Users of Sendmail should upgrade to this updated package, which contains a backported patch to correct this issue.

- Changelogs

rh73:
* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED] 8.12.11-4.22.10.legacy
- Added hesiod-devel to BuildRequires
- Reverted to previous alternatives files
- Removed new triggers
- Modified instructions in sendmail.mc
* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED] 8.12.11-4.22.9.legacy
- Sourced in for RHL7.3
- Added groff buildreq
- Enable alternatives

rh9:
* Sun Mar 26 2006 Marc Deslauriers [EMAIL PROTECTED] - 8.12.11-4.24.3.legacy
- Reverted statistics file path in mc file
- Reverted CERT paths in mc file
- Don't enable statistics by default
* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED] - 8.12.11-4.24.2.legacy
- Reverted statistics file to /etc/mail
- Reverted to previous alternatives files
* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED] - 8.12.11-4.24.1.legacy
- fixed VU#834865 (#186277)
- disable -fpie
- enable old_setup
- Add BuildReq gdbm-devel
- Use sasl1

fc1:
* Sun Mar 26 2006 Marc Deslauriers [EMAIL PROTECTED] - 8.12.11-4.25.3.legacy
- Reverted statistics file path in mc file
- Reverted CERT paths in mc file
- Don't enable statistics by default
* Sat Mar 25 2006 Marc Deslauriers [EMAIL PROTECTED] - 8.12.11-4.25.2.legacy
- Reverted statistics file to /etc/mail
- Reverted to previous alternatives files
- Added gdbm-devel to BuildRequires
* Wed Mar 22 2006 Jesse Keating [EMAIL PROTECTED] - 8.12.11-4.25.1.legacy
- fixed VU#834865 (#186277)
- enable old_setup

- This update can be downloaded from: http://download.fedoralegacy.org/

(sha1sums)

rh73:
950fc853550d93f521d4203b9f78023721fbdecd redhat/7.3/updates-testing/i386/sendmail-8.12.11-4.22.10.legacy.i386.rpm
d8c06f3f92d7dd526426b86e52bdd244e75c061a redhat/7.3/updates-testing/i386/sendmail-cf-8.12.11-4.22.10.legacy.i386.rpm
dde44f59a60481edae75ddf6d854341308e4ce62 redhat/7.3/updates-testing/i386/sendmail-devel-8.12.11-4.22.10.legacy.i386.rpm
faf27d20eb151227225cc4e2ac5014bb205aa350 redhat/7.3/updates-testing/i386/sendmail-doc-8.12.11-4.22.10.legacy.i386.rpm
e0b9ece564e8103a254311da19c6bc41a21c8ffc redhat/7.3/updates-testing/SRPMS/sendmail-8.12.11-4.22.10.legacy.src.rpm

rh9:
9f1caeadce45e2922f6bc29ea0f4e7bce4e26d02 redhat/9/updates-testing/i386/sendmail-8.12.11-4.24.3.legacy.i386.rpm
6b7b437bb58ac9f805185ae992da9a157a0d755d redhat/9/updates-testing/i386/sendmail-cf-8.12.11-4.24.3.legacy.i386.rpm
ae48cf1d3a5d8f5bfc789a408de392fe27e84b73 redhat/9/updates-testing/i386/sendmail-devel-8.12.11-4.24.3.legacy.i386.rpm
Re: New sendmail and missing /usr/lib/sendmail
On Sun, 2006-03-26 at 23:48 -0600, Mike McCarty wrote:
> Ah, now we get down to the nitty gritty of the desire to hasten the process of going from a Test state to a Release state. Hopefully, those who in past have seen no need to maintain a policy of "no package can move from Test state to Release state unless it has actually gone through test to prove proper operation" and want to change to one of "if enough time has lapsed, then even if no verification of proper operation has taken place, we need to move from Test state to Release state" can see a little bit of the other side of the fence, now.

Curiously, sendmail actually DID get test votes for all platforms before it got moved to official updates. No part of the QA process was hastened.

This has happened before. Most packages that got pushed out that had serious problems had been through QA and had people test them. One of the php updates is an example I know of.

Marc.
Re: New sendmail and missing /usr/lib/sendmail
On Mon, 2006-03-27 at 10:47 -0800, Jesse Keating wrote:
> These issues should be resolved in the newer packages in updates-testing.

They're not in updates-testing yet. They're still awaiting PUBLISH votes in bugzilla.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.
Re: sendmail upgrade issues
On Sun, 2006-03-26 at 01:38 -0600, Eric Rostetter wrote:
> > This is fixed in the package awaiting QA.
>
> I never received an email about any such package...

I didn't know I had to send you one. :)

Look here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.
Re: RH 9.0: AUTH LOGIN issue with latest sendmail patch
On Sat, 2006-03-25 at 08:52 -0600, Mike Klinke wrote:
> There seem to be three missing links on RH9 and FC1:
> /usr/lib/sendmail - /etc/alternatives/mta-sendmail
> /usr/share/man/man8/sendmail.8.gz - /etc/alternatives/mta-sendmailman
> /etc/pam.d/smtp - /etc/alternatives/mta-pam

If you do an "alternatives --config mta" and re-select sendmail, do the links get created?

Marc.
[FLEA-2006:173091-1] Updated glibc packages add daylight savings rule enhancements
- Fedora Legacy Update Advisory

Synopsis: Updated glibc packages add daylight savings rule enhancements
Advisory ID: FLEA:173091-1
Issue date: 2006-03-23
Product: Red Hat Linux
Keywords: Enhancement

1. Topic:

Updated glibc packages that add daylight savings rule enhancements for various countries are now available.

The GNU libc packages (known as glibc) contain the standard C libraries used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future. Users in those countries should upgrade to these updated packages and rerun redhat-config-date to update the local timezone in /etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.8.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.8.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.8.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/glibc-2.3.2-27.9.7.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-2.3.2-27.9.7.4.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-common-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-debug-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-devel-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-profile-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/glibc-utils-2.3.2-27.9.7.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nptl-devel-2.3.2-27.9.7.4.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/nscd-2.3.2-27.9.7.4.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
8977060010fc16bbaf2aba545c3b958e4a953ec8 redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i386.rpm
4e4fce10ff1cfbdda21dbd0ca19132ffa3b34a15 redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.8.i686.rpm
ccc856a5f596cffca0d76f1242df7cecd413 redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.8.i386.rpm
f301116e857b0d3d63c39af5003dcbab897b4af2 redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i386.rpm
c7f784964cff0af15108e981fb0eed5f5b49b8b4 redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.8.i686.rpm
2f59c12525a171646595f56126f882a656107fb7
[FLEA-2006:173091-2] Updated tzdata package adds daylight savings rule enhancements
- Fedora Legacy Update Advisory

Synopsis: Updated tzdata package adds daylight savings rule enhancements
Advisory ID: FLEA:173091-2
Issue date: 2006-03-23
Product: Fedora Core
Keywords: Enhancement

1. Topic:

An updated tzdata package that adds daylight savings rule enhancements for various countries is now available.

The tzdata package contains data files with rules for various timezones around the world.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future. Users in those countries should upgrade to these updated packages and rerun redhat-config-date (or system-config-date in FC2) to update the local timezone in /etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/tzdata-2006a-2.fc1.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/tzdata-2006a-2.fc1.1.noarch.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/tzdata-2006a-2.fc2.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/tzdata-2006a-2.fc2.1.noarch.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/tzdata-2006a-2.fc3.1.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/tzdata-2006a-2.fc3.1.noarch.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/tzdata-2006a-2.fc3.1.noarch.rpm

7. Verification:

SHA1 sum                                 Package Name
e2ded77aca0a2b9f5dfb2ace0344ee59634f5776 fedora/1/updates/i386/tzdata-2006a-2.fc1.1.noarch.rpm
303892ebacb9b1f35612d7dade0cbb52c6c5cc3a fedora/1/updates/SRPMS/tzdata-2006a-2.fc1.1.src.rpm
fcb96a5975ffe9e1b1acb183a97b6bb19ec51d51 fedora/2/updates/i386/tzdata-2006a-2.fc2.1.noarch.rpm
61e89be1e7373113c80f5fcda11a75a278f9b3ab fedora/2/updates/SRPMS/tzdata-2006a-2.fc2.1.src.rpm
e8781a60ab8686bd4e1af2a70e233b292d41625a fedora/3/updates/i386/tzdata-2006a-2.fc3.1.noarch.rpm
e8781a60ab8686bd4e1af2a70e233b292d41625a fedora/3/updates/x86_64/tzdata-2006a-2.fc3.1.noarch.rpm
ad359bb43953718456cb876f6f06cf3eab08b69a fedora/3/updates/SRPMS/tzdata-2006a-2.fc3.1.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
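Section 7 of the two advisories above lists a SHA1 digest per package and tells the reader to compare it with sha1sum output by hand. The following is an added example, not Fedora Legacy tooling: it parses "<sha1> <path>" lines in that layout, hashes the matching files in a download directory and reports ok, MISMATCH and missing per package, and it refuses to match a line whose digest is not 40 hex characters (a digest can arrive shortened when an advisory is mangled in transit) rather than treating it as a non-match silently. The listing and files that demonstrate() builds are constructed for the example. A matching digest proves only integrity; authenticity comes from rpm --checksig against the Fedora Legacy key, as the advisory says.

```python
"""Check downloaded packages against an advisory's SHA1 listing.

Added example, not Fedora Legacy tooling. It parses lines of the form
"<sha1> <path>" from section 7 of an advisory, hashes the matching local
files and reports ok, MISMATCH and missing per file; a line whose digest is
not 40 hex characters is reported as malformed instead of being accepted.
The listing and files used by demonstrate() are constructed for this example.
"""
import hashlib
import os
import re
import tempfile

# A listing line looks like "<hex digest> <path ending in .rpm>"; headings do not match.
CANDIDATE_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+\.rpm)$")


def parse_listing(text):
    """Return ({package basename: sha1}, [malformed lines]) from section 7 text."""
    expected, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        match = CANDIDATE_LINE.match(line)
        if match is None:
            continue  # "7. Verification:", "SHA1 sum Package Name", blank lines
        digest, path = match.group(1).lower(), match.group(2)
        if len(digest) != 40:
            malformed.append(line)  # truncated or padded digest: do not guess
            continue
        expected[os.path.basename(path)] = digest
    return expected, malformed


def sha1_of_file(path):
    """Streaming SHA1 so large RPMs are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_downloads(listing_text, download_dir):
    """Map each listed package name to 'ok', 'MISMATCH' or 'missing'."""
    expected, malformed = parse_listing(listing_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha1_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results, malformed


def demonstrate():
    """Build a constructed download directory and listing, then check it."""
    workdir = tempfile.mkdtemp(prefix="flsa-check-")
    published = b"constructed bytes standing in for the RPM as published\n"
    tampered = b"constructed bytes that differ from what was published\n"
    with open(os.path.join(workdir, "good-1.0-1.legacy.i386.rpm"), "wb") as fh:
        fh.write(published)
    with open(os.path.join(workdir, "tampered-1.0-1.legacy.i386.rpm"), "wb") as fh:
        fh.write(tampered)  # local copy differs from the listed digest
    listing = "\n".join([
        "7. Verification:",
        "SHA1 sum Package Name",
        hashlib.sha1(published).hexdigest() + " fedora/3/updates/i386/good-1.0-1.legacy.i386.rpm",
        hashlib.sha1(published).hexdigest() + " fedora/3/updates/i386/tampered-1.0-1.legacy.i386.rpm",
        hashlib.sha1(b"never downloaded").hexdigest() + " fedora/3/updates/SRPMS/absent-1.0-1.legacy.src.rpm",
        "0123456789abcdef0123456789abcdef0123 fedora/3/updates/i386/short-1.0-1.legacy.i386.rpm",  # 36 hex chars
    ])
    return check_downloads(listing, workdir)


if __name__ == "__main__":
    results, malformed = demonstrate()
    for name, status in sorted(results.items()):
        print(f"{status:9} {name}")
    for line in malformed:
        print(f"malformed {line}")
```

In practice you paste section 7 of the advisory into a file, run check_downloads against the directory the RPMs were fetched into, and only then run rpm --checksig on the files that came back "ok".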
[FLEA-2006:173091-1] Updated glibc packages add daylight savings rule enhancements
Fedora Legacy Update Advisory

Synopsis: Updated glibc packages add daylight savings rule enhancements
Advisory ID: FLEA:173091-1
Issue date: 2006-03-23
Product: Red Hat Linux
Keywords: Enhancement

1. Topic:

Updated glibc packages that add daylight savings rule enhancements for various countries are now available.

The GNU libc packages (known as glibc) contain the standard C libraries used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future. Users in those countries should upgrade to these updated packages and rerun redhat-config-date to update the local timezone in /etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

7. Verification:

SHA1 sum Package Name
[FLEA-2006:173091-2] Updated tzdata package adds daylight savings rule enhancements
Fedora Legacy Update Advisory

Synopsis: Updated tzdata package adds daylight savings rule enhancements
Advisory ID: FLEA:173091-2
Issue date: 2006-03-23
Product: Fedora Core
Keywords: Enhancement

1. Topic:

An updated tzdata package that adds daylight savings rule enhancements for various countries is now available.

The tzdata package contains data files with rules for various timezones around the world.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future. Users in those countries should upgrade to these updated packages and rerun redhat-config-date (or system-config-date in FC2) to update the local timezone in /etc/localtime.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091

6. RPMs required:

7. Verification:

SHA1 sum Package Name

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
Re: US-CERT Technical Cyber Security Alert TA06-081A -- Sendmail Race Condition Vulnerability (fwd)
On Wed, 2006-03-22 at 10:29 -0800, Kenneth Porter wrote:
> For those of us accepting mail from outside on pre-FC4 Fedora, are any updates in the pipe to address this?

Packages have been created and QA'd. They will be pushed to updates-testing soon. You may follow progress here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186277

Marc.
[FLSA-2006:173274] Updated gdk-pixbuf packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated gdk-pixbuf packages fix security issues
Advisory ID: FLSA:173274
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2975 CVE-2005-2976 CVE-2005-3186

1. Topic:

Updated gdk-pixbuf packages that fix several security issues are now available.

The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue.

Users of gdk-pixbuf are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173274

6. RPMs required:
[FLSA-2006:175404] Updated xpdf package fixes security issues
Fedora Legacy Update Advisory

Synopsis: Updated xpdf package fixes security issues
Advisory ID: FLSA:175404
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 CVE-2006-0301

1. Topic:

An updated xpdf package that fixes several security issues is now available.

The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap based buffer overflow bug was discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue.

Users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404

6. RPMs required:
[FLSA-2006:178606] Updated kdelibs packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated kdelibs packages fix security issues
Advisory ID: FLSA:178606
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-0237 CVE-2005-0396 CVE-2005-1046 CVE-2005-1920 CVE-2006-0019

1. Topic:

Updated kdelibs packages that fix several security issues are now available.

The kdelibs package provides libraries for the K Desktop Environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

The International Domain Name (IDN) support in the Konqueror browser allowed remote attackers to spoof domain names using punycode encoded domain names. Such domain names are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0237 to this issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop Communication Protocol (DCOP) daemon. A local user could use this flaw to stall the DCOP authentication process, affecting any local desktop users and causing a reduction in their desktop functionality. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An attacker could create a carefully crafted PCX image in such a way that it would cause kimgio to execute arbitrary code when processing the image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and Kwrite. Depending on system settings, it may be possible for a local user to read the backup files created by Kate or Kwrite. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1920 to this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606

6. RPMs required:
Fedora Legacy Server Outage
As we sent out today's security advisories, one of our servers experienced an outage before completely syncing to the mirrors. As a result, the updates repository contains missing packages.

This situation should be corrected shortly. I apologize for any problems this may cause.

Marc.
Fedora Legacy Test Update Notification: mod_python
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-152896
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152896
2006-03-15

Name: mod_python
Versions: rh73: mod_python-2.7.8-1.7.3.3.legacy
Versions: rh9: mod_python-3.0.1-4.1.legacy
Versions: fc1: mod_python-3.0.4-0.1.1.legacy
Summary: An embedded Python interpreter for the Apache Web server.
Description: Mod_python is a module that embeds the Python language interpreter within the server, allowing Apache handlers to be written in Python.

Update Information:

An updated mod_python package that fixes a security issue in the publisher handler is now available.

Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python.

Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0088 to this issue.

Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

Changelogs

rh73:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 2.7.8-1.7.3.3.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch config file to remove ieee linking which was causing build to fail

rh9:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 3.0.1-4.1.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch configure script not to link with ieee lib

fc1:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] 3.0.4-0.1.1.legacy
- Patch for CAN-2005-0088 (#152896)
- Patch configure script not to link to ieee lib

This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: tcpdump
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-156139
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156139
2006-03-15

Name: tcpdump
Versions: rh9: tcpdump-3.7.2-7.9.4.legacy
Versions: fc1: tcpdump-3.7.2-8.fc1.3.legacy
Versions: fc2: tcpdump-3.8.2-6.FC2.3.legacy
Summary: A network traffic monitoring tool.
Description: Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria.

Update Information:

Updated tcpdump packages that fix several security issues are now available.

Tcpdump is a command-line tool for monitoring network traffic.

Several denial of service bugs were found in the way tcpdump processes certain network packets. It is possible for an attacker to inject a carefully crafted packet onto the network, crashing a running tcpdump session. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1267, CVE-2005-1278, CVE-2005-1279, and CVE-2005-1280 to these issues.

Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues.

Changelogs

rh9:
* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED] 14:3.7.2-7.9.4.legacy
- fix for Multiple DoS issues in tcpdump (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

fc1:
* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED] - 14:3.7.2-8.fc1.3.legacy
- fix for Multiple DoS issues in tcpdump (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

fc2:
* Sat Mar 11 2006 Jeff Sheltren [EMAIL PROTECTED] - 14:3.8.2-6.FC2.3.legacy
- Patch CAN-2005-1267 (#156139)
* Sat Jun 11 2005 Marc Deslauriers [EMAIL PROTECTED] - 14:3.8.2-6.FC2.2.legacy
- fix for Multiple DoS issues in tcpdump (CAN-2005-1280, CAN-2005-1279, CAN-2005-1278)

This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: cyrus-imapd
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-156290
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156290
2006-03-15

Name: cyrus-imapd
Versions: fc2: cyrus-imapd-2.2.12-1.1.fc2.1.legacy
Summary: A high-performance mail server with IMAP, POP3, NNTP and SIEVE support.
Description: The cyrus-imapd package contains the core of the Cyrus IMAP server. It is a scaleable enterprise mail system designed for use from small to large enterprise environments using standards-based internet mail technologies.

Update Information:

Updated cyrus-imapd packages that fix several buffer overflow security issues are now available.

The cyrus-imapd package contains the core of the Cyrus IMAP server.

Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue.

Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.

Changelogs

fc2:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.12-1.1.fc2.1.legacy
- Update to 2.2.12 to fix CVE-2005-0546. The only difference between 2.2.10 and 2.2.12 was the security fix, so upgrading is the equivalent of backporting the security fix.

This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: imap
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-170411
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170411
2006-03-15

Name: imap
Versions: rh7.3: imap-2001a-10.3.legacy
Versions: rh9: imap-2001a-18.2.legacy
Versions: fc1: imap-2002d-3.2.legacy
Summary: Server daemons for IMAP and POP network mail protocols.
Description: The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. The POP protocol uses a post office machine to collect mail for users and allows users to download their mail to their local machine for reading. The IMAP protocol allows a user to read mail on a remote machine without downloading it to their local machine.

Update Information:

An updated imap package that fixes a buffer overflow issue is now available.

The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols.

A buffer overflow flaw was discovered in the way the c-client library parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses the library. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.

All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

Changelogs

rh73:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED] 2001a-10.3.legacy
- Replaced CVE-2005-2933 patch with the one from RHEL21 for consistency's sake
* Wed Oct 12 2005 Ville Herva [EMAIL PROTECTED] 2001a-10.2.legacy
- Added security patch for CAN-2005-2933

rh9:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED] 2001a-18.2.legacy
- Added security patch for CVE-2005-2933

fc1:
* Mon Mar 06 2006 Marc Deslauriers [EMAIL PROTECTED] 1:2002d-3.2.legacy
- Added patch for CVE-2005-2933

This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: tar (rh73, rh9, fc1, fc2)
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-183571-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183571
2006-03-15
-
Name: tar
Versions: rh73: tar-1.13.25-4.7.2.legacy
Versions: rh9: tar-1.13.25-11.1.legacy
Versions: fc1: tar-1.13.25-12.1.legacy
Versions: fc2: tar-1.13.25-14.1.legacy
Summary: A GNU file archiving program.
Description: The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. Tar can also be used to add supplemental files to an archive and to update or list files in the archive. Tar includes multivolume support, automatic archive compression/decompression, the ability to perform remote archives, and the ability to perform incremental and full backups.
- Update Information:
An updated tar package that fixes a path traversal flaw is now available.
The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive.
In 2002, a path traversal flaw was found in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar has write access (CVE-2002-0399). A security advisory was released containing a backported patch.
It was discovered that the backported security patch contained an incorrect optimization and therefore was not sufficient to completely correct this vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-1918 to this issue.
Users of tar should upgrade to this updated package, which contains a replacement backported patch to correct this issue.
- Changelogs
rh73:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED] 1.13.25-4.7.2.legacy
- Updated security fix for CVE-2005-1918
rh9:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED] 1.13.25-11.1.legacy
- Updated security fix for CVE-2005-1918
fc1:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED] 1.13.25-12.1.legacy
- Updated security fix for CVE-2005-1918
fc2:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED] 1.13.25-14.1.legacy
- Updated security fix for CVE-2005-1918
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
rh73: tar-1.13.25-4.7.2.legacy packages (i386 and SRPMS, under redhat/7.3/updates-testing/)
rh9: tar-1.13.25-11.1.legacy packages (i386 and SRPMS, under redhat/9/updates-testing/)
fc1: tar-1.13.25-12.1.legacy packages (i386 and SRPMS, under fedora/1/updates-testing/)
fc2: tar-1.13.25-14.1.legacy packages (i386 and SRPMS, under fedora/2/updates-testing/)
- Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: pine
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-184074
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184074
2006-03-15
-
Name: pine
Versions: rh73: pine-4.44-19.73.1.legacy
Versions: rh9: pine-4.44-19.90.1.legacy
Summary: A commonly used, MIME compliant mail and news reader.
Description: Pine is a very popular, easy to use, full-featured email user agent that includes a simple text editor called pico. Pine supports MIME extensions and can also be used to read news. Pine also supports IMAP, mail, and MH style folders.
- Update Information:
An updated Pine package is now available to fix a denial of service attack.
Pine is an email user agent.
The c-client IMAP client library, as used in Pine 4.44, contains an integer overflow and integer signedness flaw. An attacker could create a malicious IMAP server in such a way that it would cause Pine to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0297 to this issue.
Users of Pine are advised to upgrade to these erratum packages which contain a backported patch to correct this issue.
- Changelogs
rh73:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED] 4.44-19.73.1.legacy
- Added patch for CVE-2003-0297
rh9:
* Wed Mar 08 2006 Marc Deslauriers [EMAIL PROTECTED] 4.44-19.90.1.legacy
- Added patch for CVE-2003-0297
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
rh73: pine-4.44-19.73.1.legacy packages (i386 and SRPMS, under redhat/7.3/updates-testing/)
rh9: pine-4.44-19.90.1.legacy packages (i386 and SRPMS, under redhat/9/updates-testing/)
- Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: libc-client
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-184098
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184098
2006-03-15
-
Name: libc-client
Versions: fc2: libc-client-2002e-5.1.legacy
Summary: C-client mail access routines for IMAP and POP protocols
Description: C-client is a common API for accessing mailboxes. It is used internally by the popular PINE mail reader, the University of Washington's IMAP server and PHP.
- Update Information:
Updated libc-client packages that fix a buffer overflow issue are now available.
C-client is a common API for accessing mailboxes.
A buffer overflow flaw was discovered in the way C-client parses user supplied mailboxes. If an authenticated user requests a specially crafted mailbox name, it may be possible to execute arbitrary code on a server that uses C-client to access mailboxes. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2933 to this issue.
All users of libc-client should upgrade to these updated packages, which contain a backported patch that resolves this issue.
- Changelogs
fc2:
* Tue Mar 07 2006 Marc Deslauriers [EMAIL PROTECTED] 2002e-5.1.legacy
- apply fix for CVE-2005-2933: buffer overflow
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
fc2: libc-client and libc-client-devel 2002e-5.1.legacy packages (i386 and SRPMS, under fedora/2/updates-testing/)
- Please test and comment in bugzilla.
[FLSA-2006:168516] Updated pcre packages fix a security issue
- Fedora Legacy Update Advisory
Synopsis: Updated pcre packages fix a security issue
Advisory ID: FLSA:168516
Issue date: 2006-03-07
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2491
-
1. Topic:
Updated pcre packages are now available to correct a security issue.
PCRE is a Perl-compatible regular expression library.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
3. Problem description:
An integer overflow flaw was found in PCRE, triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2491 to this issue.
Users should update to these erratum packages that contain a backported patch to correct this issue.
4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516
6. RPMs required:
Red Hat Linux 7.3:
SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/pcre-3.9-2.1.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-3.9-2.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/pcre-devel-3.9-2.1.legacy.i386.rpm
Red Hat Linux 9:
SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/pcre-3.9-10.1.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-3.9-10.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/pcre-devel-3.9-10.1.legacy.i386.rpm
Fedora Core 1:
SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/pcre-4.4-1.2.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-4.4-1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/pcre-devel-4.4-1.2.legacy.i386.rpm
Fedora Core 2:
SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/pcre-4.5-2.2.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-4.5-2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/pcre-devel-4.5-2.2.legacy.i386.rpm
7. Verification:
SHA1 sum / Package Name (sha1sums for the pcre and pcre-devel packages listed in section 6)
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php
You can verify each package with
[FLSA-2006:176751] Updated gpdf package fixes security issues
- Fedora Legacy Update Advisory
Synopsis: Updated gpdf package fixes security issues
Advisory ID: FLSA:176751
Issue date: 2006-03-07
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
-
1. Topic:
An updated gpdf package that fixes several security issues is now available.
The gpdf package is a GNOME based viewer for Portable Document Format (PDF) files.
2. Relevant releases/architectures:
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64
3. Problem description:
A flaw was discovered in gpdf. An attacker could construct a carefully crafted PDF file that would cause gpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2097 to this issue.
Several flaws were discovered in gpdf. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues.
Users of gpdf should upgrade to this updated package, which contains backported patches to resolve these issues.
4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176751
6. RPMs required:
Fedora Core 1:
SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gpdf-0.110-1.5.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/1/updates/i386/gpdf-0.110-1.5.legacy.i386.rpm
Fedora Core 2:
SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gpdf-2.8.2-4.1.1.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/2/updates/i386/gpdf-2.8.2-4.1.1.legacy.i386.rpm
Fedora Core 3:
SRPM: http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gpdf-2.8.2-7.2.1.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/3/updates/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
x86_64: http://download.fedoralegacy.org/fedora/3/updates/x86_64/gpdf-2.8.2-7.2.1.legacy.x86_64.rpm
7. Verification:
SHA1 sum / Package Name (sha1sums for the gpdf packages listed in section 6, given under the updates-testing paths)
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v filename
If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum filename
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
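The verification step the advisories describe (compare each downloaded package against the "SHA1 sum / Package Name" list, then run rpm --checksig before rpm -Fvh), as an added shell example that is not part of any Fedora Legacy advisory. It reads a manifest in the advisory's layout, checks every listed file under a local mirror directory and refuses to proceed if any file is missing or its hash differs; the manifest file name, the mirror directory and the example package name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Fedora Legacy advisories): verify downloaded
# packages against an advisory's "SHA1 sum  Package Name" manifest before
# running "rpm -Fvh". Manifest paths are relative to the mirror root, exactly
# as they appear under http://download.fedoralegacy.org/, e.g.
#   <sha1>  fedora/3/updates/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
#
# verify_rpms MANIFEST MIRROR_DIR
#   returns 0 only if every listed file exists and its SHA1 matches;
#   returns 1 (after reporting each problem) otherwise.
# A matching sha1sum only shows the file was not corrupted or tampered with
# in transit; the GPG check ("rpm --checksig -v") must still be run before
# the package is installed, as the advisory says.
verify_rpms() {
    manifest=$1
    mirror=$2
    status=0
    while read -r expected relpath; do
        # skip blank lines and comments in the manifest
        case "$expected" in
            ''|'#'*) continue ;;
        esac
        [ -z "$relpath" ] && continue
        file="$mirror/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$relpath"
            status=1
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$relpath"
        else
            printf 'MISMATCH %s (expected %s, got %s)\n' "$relpath" "$expected" "$actual"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# make_demo: build a constructed mirror directory holding one stand-in
# "package" (a text file, not a real RPM) plus a matching manifest named
# sha1sums.txt, and print the directory path.
make_demo() {
    root=$(mktemp -d)
    pkg="fedora/3/updates/i386/example-1.0-1.legacy.i386.rpm"   # constructed name
    mkdir -p "$root/fedora/3/updates/i386"
    printf 'constructed stand-in for an RPM payload\n' > "$root/$pkg"
    sum=$(sha1sum "$root/$pkg" | cut -d' ' -f1)
    printf '%s  %s\n' "$sum" "$pkg" > "$root/sha1sums.txt"
    printf '%s\n' "$root"
}

# Stand-alone demonstration: a clean mirror passes, a modified package fails.
demo=$(make_demo)
verify_rpms "$demo/sha1sums.txt" "$demo"
printf 'tampered\n' >> "$demo/fedora/3/updates/i386/example-1.0-1.legacy.i386.rpm"
if verify_rpms "$demo/sha1sums.txt" "$demo"; then
    echo "unexpected: modified package accepted"
else
    echo "modified package rejected; do not run rpm -Fvh on it"
fi
rm -rf "$demo"
```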
[UPDATED] Fedora Legacy Test Update Notification: kernel (fc1)
These packages were updated to fix an incorrect patch that caused instability under heavy load.
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-03-05
-
Name: kernel
Versions: fc1: kernel-2.4.22-1.2199.8.legacy.nptl
Summary: The Linux kernel (the core of the Linux operating system).
Description: The kernel package contains the Linux kernel (vmlinuz), the core of the Red Hat Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
- Update Information:
Updated kernel packages that fix several security issues are now available.
The Linux kernel handles the basic functions of the operating system.
These new kernel packages contain fixes for the security issues described below:
- a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185)
- a recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. (CVE-2004-0791)
- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1762, CAN-2005-2553)
- a flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges (CVE-2005-1263)
- a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458)
- a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490)
- a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708)
- a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709)
- a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973)
- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044)
- a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180)
- a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275)
- a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806)
- a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857)
All users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
- Changelogs
fc1:
* Fri Mar 03 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.22-1.2199.8.legacy.nptl
- Fixed the broken CVE-2005-0749 patch that was causing instability
* Fri Feb 17 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.22-1.2199.7.legacy.nptl
- Added patch for CVE-2002-2185 (potential IGMP DoS)
* Thu Feb 02 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.22-1.2199.6.legacy.nptl
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
fc1: 5ec641496db89906ce3e587bda826b38f0e2b2b4 fedora/1/updates-testing/i386/kernel-2.4.22-1.2199.8
Re: Rebuild existing errata for x86_64?
On Sat, 2006-03-04 at 01:58 -0600, Eric Rostetter wrote:
> In any case, I think we should _at least_ release all FC3 packages for x86_64. In other words, we shouldn't release new FC3 x86_64 without releasing also the older FC3 x86_64, for consistency.
So far, all FC3 updates have had x86_64 packages.
Marc.
Fedora Legacy Test Update Notification: glibc
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173091-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091
2006-03-01
-
Name: glibc
Versions: rh73: glibc-2.2.5-44.legacy.8
Versions: rh9: glibc-2.3.2-27.9.7.4.legacy
Summary: The GNU libc libraries.
Description: The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function.
- Update Information:
Updated glibc packages that add daylight savings rule enhancements for various countries are now available.
The GNU libc packages (known as glibc) contain the standard C libraries used by applications.
This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future.
Users in those countries should upgrade to these updated packages and rerun redhat-config-date to update the local timezone in /etc/localtime.
- Changelogs
rh73:
* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.4-44.legacy.8
- Bring timezone info up to version 2006a
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2.2.4-44.legacy.7
- Bring timezone info up to version 2005m
rh9:
* Tue Feb 21 2006 Marc Deslauriers [EMAIL PROTECTED] 2.3.2-27.9.7.4.legacy
- Bring timezone info up to version 2006a
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 2.3.2-27.9.7.3.legacy
- Bring timezone info up to version 2005m
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
rh73: glibc (i386 and i686), glibc-common, glibc-debug (i386 and i686), glibc-debug-static, glibc-devel, glibc-profile, glibc-utils and nscd 2.2.5-44.legacy.8 packages plus SRPMS, under redhat/7.3/updates-testing/
rh9: glibc (i386 and i686), glibc-common, glibc-debug, glibc-devel, glibc-profile, glibc-utils, nscd and nptl-devel (i686) 2.3.2-27.9.7.4.legacy packages plus SRPMS, under redhat/9/updates-testing/
- Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: tzdata
- Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173091-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173091
2006-03-01
-
Name: tzdata
Versions: fc1: tzdata-2005r-3.fc1.1.legacy
Versions: fc2: tzdata-2005r-3.fc2.1.legacy
Summary: Timezone data
Description: This package contains data files with rules for various timezones around the world.
- Update Information:
An updated tzdata package that adds daylight savings rule enhancements for various countries is now available.
The tzdata package contains data files with rules for various timezones around the world.
This update adjusts timezone files for countries where daylight savings rules have recently changed or are going to change in the near future.
Users in those countries should upgrade to these updated packages and rerun redhat-config-date (or system-config-date in FC2) to update the local timezone in /etc/localtime.
- Changelogs
fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2005r-3.fc1.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 1
fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2005r-3.fc2.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 2
- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)
fc1: tzdata-2005r-3.fc1.1.legacy packages (noarch and SRPMS, under fedora/1/updates-testing/)
fc2: tzdata-2005r-3.fc2.1.legacy packages (noarch and SRPMS, under fedora/2/updates-testing/)
- Please test and comment in bugzilla.
[FLSA-2006:175818] Updated udev packages fix a security issue
- Fedora Legacy Update Advisory
Synopsis: Updated udev packages fix a security issue
Advisory ID: FLSA:175818
Issue date: 2006-02-27
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3631
-
1. Topic:
Updated udev packages that fix a security issue are now available.
The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug.
2. Relevant releases/architectures:
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64
3. Problem description:
Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue.
All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.
5. Bug IDs fixed:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818
6. RPMs required:
Fedora Core 2:
SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/udev-024-6.2.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/2/updates/i386/udev-024-6.2.legacy.i386.rpm
Fedora Core 3:
SRPM: http://download.fedoralegacy.org/fedora/3/updates/SRPMS/udev-039-10.FC3.9.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/3/updates/i386/udev-039-10.FC3.9.legacy.i386.rpm
x86_64: http://download.fedoralegacy.org/fedora/3/updates/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm
7. Verification:
SHA1 sum / Package Name (sha1sums for the udev packages listed in section 6)
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v filename
If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
sha1sum filename
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3631
9. Contact:
The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:177326] Updated mod_auth_pgsql package fixes security issue
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated mod_auth_pgsql package fixes security issue
Advisory ID:       FLSA:177326
Issue date:        2006-02-27
Product:           Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-3656
---------------------------------------------------------------------

1. Topic:

An updated mod_auth_pgsql package that fixes a format string flaw is now available.

The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f fedora/1/updates/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
119b3b6045eaa3b175ebe3d613daca8e9c81b35c fedora/1/updates/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
8f9c2503b417db84b73483e6daca445c4789e4e4 fedora/2/updates/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm
52aabaff10fb0f862e1b96199facb7da046e94dc fedora/2/updates/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:177694] Updated auth_ldap package fixes security issue
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated auth_ldap package fixes security issue
Advisory ID:       FLSA:177694
Issue date:        2006-02-27
Product:           Red Hat Linux
Keywords:          Bugfix
CVE Names:         CVE-2006-0150
---------------------------------------------------------------------

1. Topic:

An updated auth_ldap package that fixes a format string security issue is now available for Red Hat Linux 7.3.

The auth_ldap package is an httpd module that allows user authentication against information stored in an LDAP database.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A format string flaw was found in the way auth_ldap logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if auth_ldap is used for user authentication. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0150 to this issue.

Note that this issue only affects servers that have auth_ldap installed and configured to perform user authentication against an LDAP database.

All users of auth_ldap should upgrade to this updated package, which contains a backported patch to resolve this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177694

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
38f70135bc17c313fecdb81f61e776ac032b796e redhat/7.3/updates/i386/auth_ldap-1.6.0-4.2.legacy.i386.rpm
78b7ee876d5b900ff5268b1a396a59ca9f2385f0 redhat/7.3/updates/SRPMS/auth_ldap-1.6.0-4.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
[FLSA-2006:181014] Updated gnutls packages fix a security issue
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated gnutls packages fix a security issue
Advisory ID:       FLSA:181014
Issue date:        2006-02-27
Product:           Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2006-0645
---------------------------------------------------------------------

1. Topic:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
87b93af583ea3abaa48337b0a8c71cba97a45410 fedora/3/updates/i386/gnutls-1.0.20-3.1.3.legacy.i386.rpm
dca7e6e11093d7b8528d82cc9c3f5f1b1c78ea23 fedora/3/updates/i386/gnutls-devel-1.0.20-3.1.3.legacy.i386.rpm
87b93af583ea3abaa48337b0a8c71cba97a45410 fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.i386.rpm
742be40634dc2a32b245f78caf610d0a6b45cb75 fedora/3/updates/x86_64/gnutls-1.0.20-3.1.3.legacy.x86_64.rpm
762630c8973f02bcc934adc8f5a946383f8479cc fedora/3/updates/x86_64/gnutls-devel-1.0.20-3.1.3.legacy.x86_64.rpm
cce2a463b57be400362624f09dc49a4fdde09305 fedora/3/updates/SRPMS/gnutls-1.0.20-3.1.3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
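Section 7 of every advisory on this page, and the "(sha1sums)" lists in the test update notifications, print one "<sha1> <path>" line per package and tell the reader to compare each file by hand with sha1sum. The script below is an added example written for this page, not Fedora Legacy's own tooling: it reads a list in exactly that format, skips the header and rule lines, and refuses to pass a file whose digest is missing, mismatched, or not a full 40-hex-character SHA-1. The mirror tree, package names and digests it builds in a temp directory are constructed for the demo and are not the advisory's real packages or sums.

```shell
#!/bin/sh
# Added example, not code from any Fedora Legacy advisory.
# Everything under the demo directory (file names, contents, digests)
# is constructed for this demo, not real package data.

# verify_sha1_list LISTFILE BASEDIR
# LISTFILE holds lines "<sha1> <relative/path>" as the advisory prints them;
# every path is resolved under BASEDIR. Exit 0 only when every listed file
# exists and matches; problems go to stderr so stdout keeps the OK lines.
verify_sha1_list() {
    listfile=$1
    basedir=$2
    status=0
    while read -r expected relpath; do
        # skip blank lines and lines whose first word is not a hex digest
        # (the "SHA1 sum  Package Name" header row and the dashed rule)
        [ -n "$expected" ] && [ -n "$relpath" ] || continue
        case "$expected" in
            *[!0-9a-f]*) echo "SKIP     non-hash line: $expected" >&2; continue ;;
        esac
        if [ "${#expected}" -ne 40 ]; then
            # a truncated or padded digest can never be trusted: fail the run
            echo "BADHASH  $relpath (digest has ${#expected} hex chars, need 40)" >&2
            status=1
            continue
        fi
        file="$basedir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            status=1
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath" >&2
            echo "         expected $expected" >&2
            echo "         got      $actual" >&2
            status=1
        fi
    done < "$listfile"
    return $status
}

# make_demo_tree DIR: a tiny constructed mirror laid out like the
# advisory's download paths, plus one clean list and one list that
# exercises every failure path (wrong digest, missing file, short digest).
make_demo_tree() {
    dir=$1
    mkdir -p "$dir/fedora/2/updates/i386"
    printf 'hello\n' > "$dir/fedora/2/updates/i386/pkg-good-1.0-1.i386.rpm"
    printf 'hello\n' > "$dir/fedora/2/updates/i386/pkg-tampered-1.0-1.i386.rpm"
    # sha1("hello\n") = f572d396fae9206628714fb2ce00f72e94f2258f
    cat > "$dir/good.list" <<'EOF'
SHA1 sum                                  Package Name
---------------------------------------------------------------------
f572d396fae9206628714fb2ce00f72e94f2258f fedora/2/updates/i386/pkg-good-1.0-1.i386.rpm
EOF
    # line 2: sha1("") cannot match the file's real content (MISMATCH)
    # line 3: the file does not exist (MISSING)
    # line 4: the digest is cut short (BADHASH)
    cat > "$dir/bad.list" <<'EOF'
f572d396fae9206628714fb2ce00f72e94f2258f fedora/2/updates/i386/pkg-good-1.0-1.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 fedora/2/updates/i386/pkg-tampered-1.0-1.i386.rpm
f572d396fae9206628714fb2ce00f72e94f2258f fedora/2/updates/i386/pkg-missing-1.0-1.i386.rpm
f572d396fae9206628714fb2ce00f72e94f fedora/2/updates/i386/pkg-good-1.0-1.i386.rpm
EOF
}

demo=$(mktemp -d)
make_demo_tree "$demo"
echo "== checking good.list"
verify_sha1_list "$demo/good.list" "$demo"
echo "== checking bad.list"
verify_sha1_list "$demo/bad.list" "$demo" || echo "=> verification FAILED; do not install these packages"
rm -rf "$demo"
```

To use it on a real download, save section 7 of the advisory to a file and run verify_sha1_list against the directory the RPMs were fetched into, keeping the fedora/... or redhat/... path prefix the advisory uses. The digest check confirms integrity only; the advisory's rpm --checksig step is still what ties the package to the Fedora Legacy signing key.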
Fedora Legacy Test Update Notification: pcre
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168516
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168516
2006-02-26
---------------------------------------------------------------------

Name        : pcre
Versions    : rh73: pcre-3.9-2.1.legacy
Versions    : rh9: pcre-3.9-10.1.legacy
Versions    : fc1: pcre-4.4-1.2.legacy
Versions    : fc2: pcre-4.5-2.2.legacy
Summary     : Perl-compatible regular expression library.
Description :
Perl-compatible regular expression library. PCRE has its own native API, but a set of wrapper functions that are based on the POSIX API are also supplied in the library libpcreposix. Note that this just provides a POSIX calling interface to PCRE; the regular expressions themselves still follow Perl syntax and semantics. The header file for the POSIX-style functions is called pcreposix.h.

---------------------------------------------------------------------
Update Information:

Updated pcre packages are now available to correct a security issue.

PCRE is a Perl-compatible regular expression library.

An integer overflow flaw was found in PCRE, triggered by a maliciously crafted regular expression. On systems that accept arbitrary regular expressions from untrusted users, this could be exploited to execute arbitrary code with the privileges of the application using the library. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2491 to this issue.

Users should update to these erratum packages that contain a backported patch to correct this issue.

---------------------------------------------------------------------
Changelogs

rh73:
* Fri Oct 28 2005 Leonard den Ottolander leonard agromisa org 3.9-2.1.legacy
- Fix CAN-2005-2491

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 3.9-10.1.legacy
- Added patch for CVE-2005-2491

fc1:
* Sat Feb 25 2006 Marc Deslauriers [EMAIL PROTECTED] 4.4-1.2.legacy
- Added pcre-devel to BuildPrereq

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 4.4-1.1.legacy
- Added patch for CVE-2005-2491

fc2:
* Sat Feb 25 2006 Marc Deslauriers [EMAIL PROTECTED] 4.5-2.2.legacy
- Added pcre-devel to BuildPrereq

* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED] 4.5-2.1.legacy
- Added patch for CVE-2005-2491

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

rh73:
9b641aa989639c706065bafc146d34bb6e282a22 redhat/7.3/updates-testing/i386/pcre-3.9-2.1.legacy.i386.rpm
7d8b094083c7a85991d194d6741a0a664204a19d redhat/7.3/updates-testing/i386/pcre-devel-3.9-2.1.legacy.i386.rpm
9a49145385042483532254fb5d05fae6c3f252f3 redhat/7.3/updates-testing/SRPMS/pcre-3.9-2.1.legacy.src.rpm

rh9:
d876a7f4cdb3a936b2f72fb629fae928d3db6e96 redhat/9/updates-testing/i386/pcre-3.9-10.1.legacy.i386.rpm
9e516b5e44944b25a47171b15c0229423b10f99d redhat/9/updates-testing/i386/pcre-devel-3.9-10.1.legacy.i386.rpm
55de51292b97aacbad6c375b4ad8578561ac5fe3 redhat/9/updates-testing/SRPMS/pcre-3.9-10.1.legacy.src.rpm

fc1:
4edc206f1e0fc0c3df459b6f8de289f27417974b fedora/1/updates-testing/i386/pcre-4.4-1.2.legacy.i386.rpm
0fcc5801dc238bb1fac0d59b8403e6cdcc72f126 fedora/1/updates-testing/i386/pcre-devel-4.4-1.2.legacy.i386.rpm
57b3a2c5c2bb3435d3c7971daf29c665fb2c1687 fedora/1/updates-testing/SRPMS/pcre-4.4-1.2.legacy.src.rpm

fc2:
bff4b330e8c9a76262020c7ddb2b48f71bf01788 fedora/2/updates-testing/i386/pcre-4.5-2.2.legacy.i386.rpm
8354926500e18905dd94dddc1e6bf44cd236df68 fedora/2/updates-testing/i386/pcre-devel-4.5-2.2.legacy.i386.rpm
9f43e7d484412d93734dfe4b08f87d2ef133100a fedora/2/updates-testing/SRPMS/pcre-4.5-2.2.legacy.src.rpm

---------------------------------------------------------------------
Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: xpdf
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175404
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404
2006-02-26
---------------------------------------------------------------------

Name        : xpdf
Versions    : rh73: xpdf-1.00-7.6.legacy
Versions    : rh9: xpdf-2.01-11.4.legacy
Versions    : fc1: xpdf-2.03-1.4.legacy
Versions    : fc2: xpdf-3.00-3.8.1.legacy
Versions    : fc3: xpdf-3.01-0.FC3.5.legacy
Summary     : A PDF file viewer for the X Window System.
Description :
Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. Xpdf is a small and efficient program which uses standard X fonts.

---------------------------------------------------------------------
Update Information:

An updated xpdf package that fixes several security issues is now available.

The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files.

A flaw was discovered in Xpdf in that an attacker could construct a carefully crafted PDF file that would cause Xpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap based buffer overflow bug was discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause Xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0301 to this issue.

Users of Xpdf should upgrade to this updated package, which contains backported patches to resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Feb 20 2006 Marc Deslauriers [EMAIL PROTECTED] 1.00-7.6.legacy
- Added better patch for CVE-2004-0888

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1.00-7.5.legacy
- Added patch for CVE-2005-3193

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 2.01-11.4.legacy
- Added better patch for CVE-2004-0888
- Added patch for CVE-2005-3193

fc1:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1:2.03-1.4.legacy
- Added better patch for CVE-2004-0888
- Added patch for CVE-2005-3193

fc2:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1:3.00-3.8.1.legacy
- Apply patches for CVE-2005-2097, CVE-2005-3193, CVE-2006-0301

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1:3.01-0.FC3.5.legacy
- Added patch for CVE-2006-0301

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

rh73:
6096aa2b487e635ae3003cf246ec66d53dc81d41 redhat/7.3/updates-testing/i386/xpdf-1.00-7.6.legacy.i386.rpm
e670899dd04a31d466d0ba2cc213763157a3b101 redhat/7.3/updates-testing/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
c636a2b79eb22afe35993466675e9fdd086a84f2 redhat/7.3/updates-testing/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
9a2bfe9e373cd20422a862f48d3d6ad787b7f0f1 redhat/7.3/updates-testing/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
bc47f11dea342606e74aff1a55cf74bd52783b60 redhat/7.3/updates-testing/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm
ace7a51b625269d9f5bd3355b07a842f0e1426f4 redhat/7.3/updates-testing/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

rh9:
4fe0714cdf2194cf0426e15210cbe509d77b2788 redhat/9/updates-testing/i386/xpdf-2.01-11.4.legacy.i386.rpm
c54fad904f475d693c781632dbadfae9434e4c87 redhat/9/updates-testing/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
1b6f0cf3f309515fd60b88576a1168f9d9bc7fe0 redhat/9/updates-testing/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
accef6df9ed9b1cee0e05fffa7e7dde085ae3f35 redhat/9/updates-testing/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
69a7ae59cb1ddb5b422eccdec53711f459939c3f redhat/9/updates-testing/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm
090ddacf36dc0180c16cef8526aedc9bb9c5225c redhat/9/updates-testing/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

fc1:
0349626a79f659adc0590938b99a6097f6898f10 fedora/1/updates-testing/i386/xpdf-2.03-1.4.legacy.i386.rpm
8612ba60a89cfb0ef195450d1c927487b868deec fedora/1/updates-testing/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

fc2:
f60fc20854386ef91f6769aabd29f3a77e29084d fedora/2/updates-testing/i386/xpdf-3.00-3.8.1.legacy.i386.rpm
64139c039afc0af67eadcc8c87e03aed6c6254d0 fedora/2/updates-testing/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

fc3:
268cba4fb5fd62699595cdeed78375f324c874f6 fedora/3/updates-testing/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm
021ec4bb4d86192a519261b3073a3d348e4fa14a fedora/3
Fedora Legacy Test Update Notification: udev
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175818
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175818
2006-02-26
---------------------------------------------------------------------

Name        : udev
Versions    : fc2: udev-024-6.2.legacy
Versions    : fc3: udev-039-10.FC3.9.legacy
Summary     : A userspace implementation of devfs
Description :
udev is an implementation of devfs in userspace using sysfs and /sbin/hotplug. It requires a 2.6 kernel to run properly.

---------------------------------------------------------------------
Update Information:

Updated udev packages that fix a security issue are now available.

The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug.

Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue.

All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

---------------------------------------------------------------------
Changelogs

fc2:
* Sun Feb 26 2006 Marc Deslauriers [EMAIL PROTECTED] 024-6.2.legacy
- Added missing glib2-devel to BuildRequires

* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 024-6.1.legacy
- Changed permissions for input to fix CVE-2005-3631

fc3:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] - 039-10.FC3.9.legacy
- Change input permissions to fix CVE-2005-3631

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

fc2:
d2b2850b4066a595a4d3c162e151dc27c5b43198 fedora/2/updates-testing/i386/udev-024-6.2.legacy.i386.rpm
9ed5ef68d64987f8f644da065399d6885e7e1176 fedora/2/updates-testing/SRPMS/udev-024-6.2.legacy.src.rpm

fc3:
a2682a89f6fe03c2f2c2401caa511c299c1ae1cc fedora/3/updates-testing/i386/udev-039-10.FC3.9.legacy.i386.rpm
fbcf92e15337b34511d4a305100d6797d644a84e fedora/3/updates-testing/x86_64/udev-039-10.FC3.9.legacy.x86_64.rpm
fe4e15a6ac3d4d80ce3db01f08a75c93985964e8 fedora/3/updates-testing/SRPMS/udev-039-10.FC3.9.legacy.src.rpm

---------------------------------------------------------------------
Please test and comment in bugzilla.
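The udev advisory (FLSA-2006:175818) and this test notification both describe the same exposure: nodes under /dev/input created with permissions that let a local user other than the one at the console read them, and a fixed package whose changelog entry is "Changed permissions for input". The check below is an added example written for this page, not code from the advisory or from udev: it lists every regular file or character device under a directory whose mode grants read to "other", which is the condition an administrator would want to confirm is gone after the update. The demo tree it builds (names event0, event1 and mice, and their modes) is constructed in a temp directory so the script runs offline; on a real host the argument would be /dev/input.

```shell
#!/bin/sh
# Added example, not code from the udev advisory or from udev itself.
# The demo directory, its entries and their modes are constructed for
# this example and are not a claim about what any udev release installs.

# list_other_readable DIR
# Prints one "ls -ld" line for each regular file or character device under
# DIR whose permission bits include read for "other" (octal 004).
# Exit status: 0 when nothing under DIR is other-readable, 1 otherwise.
list_other_readable() {
    found=$(find "$1" \( -type f -o -type c \) -perm -004 -exec ls -ld {} \; 2>/dev/null)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# other_readable_count DIR: how many entries list_other_readable reports.
other_readable_count() {
    list_other_readable "$1" | grep -c .
}

# make_demo_input_dir DIR: constructed stand-in for /dev/input.
make_demo_input_dir() {
    mkdir -p "$1"
    : > "$1/event0"; chmod 600 "$1/event0"   # owner only: not readable by other users
    : > "$1/event1"; chmod 644 "$1/event1"   # readable by every local user: the exposure described above
    : > "$1/mice";   chmod 660 "$1/mice"     # owner and group only: not readable by other users
}

demo=$(mktemp -d)
make_demo_input_dir "$demo/input"
echo "Entries under $demo/input readable by users outside owner/group:"
if list_other_readable "$demo/input"; then
    echo "(none)"
else
    echo "=> $(other_readable_count "$demo/input") entry/entries need tighter permissions"
fi
rm -rf "$demo"
```

The find expression deliberately keys on the 004 bit alone rather than on a full mode, so a node that is 644, 664 or 666 is all reported; what the correct owner, group and mode for a given input device should be is a local policy decision that the fixed udev package makes for you, and this check only tells you whether anything is still readable by everyone.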
[FLSA-2006:138098] Updated nfs-utils package fixes security issues
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated nfs-utils package fixes security issues
Advisory ID:       FLSA:138098
Issue date:        2006-02-25
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0946 CVE-2004-1014
---------------------------------------------------------------------

1. Topic:

An updated nfs-utils package that fixes security issues is now available.

The nfs-utils package provides a daemon for the kernel NFS server and related tools, providing a much higher level of performance than the traditional Linux NFS server used by most users.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit architectures, an improper integer conversion can lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0946 to this issue.

In addition, the Fedora Core 2 update fixes the following issue:

SGI reported that the statd daemon did not properly handle the SIGPIPE signal. A misconfigured or malicious peer could cause statd to crash, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1014 to this issue.

All users of nfs-utils should upgrade to this updated package, which resolves these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138098

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/nfs-utils-1.0.1-3.9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/nfs-utils-1.0.6-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/nfs-utils-1.0.6-22.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/nfs-utils-1.0.6-22.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
fc563f70e9f2b5eeafb51b969689185ef504 redhat/7.3/updates/i386/nfs-utils-0.3.3-6.73.2.legacy.i386.rpm
79dd718df766c23fc8ab4880a0e1557ca990c181 redhat/7.3/updates/SRPMS/nfs-utils-0.3.3-6.73.2.legacy.src.rpm
45c4f3a310d3090271f0d0798cae1e3148ab8299 redhat/9/updates/i386/nfs-utils-1.0.1-3.9.2.legacy.i386.rpm
bf009c4fe075b7105316084c6ca577f15c5bdb52 redhat/9/updates/SRPMS/nfs-utils-1.0.1-3.9.2.legacy.src.rpm
1c96ae93420683ad79b675b205ecb5d6ddb61ef4 fedora/1/updates/i386/nfs-utils-1.0.6-1.2.legacy.i386.rpm
6d4ee9e13e8b3bf1278d59b48ccb0c48f7645f7f fedora/1/updates/SRPMS/nfs-utils-1.0.6-1.2.legacy.src.rpm
2063735e17273d7967c8fa1f3649ab86921c910e fedora/2/updates/i386/nfs-utils-1.0.6-22.2.legacy.i386.rpm
dc3207c089204dd1c47653dc4918fe45b81a8654 fedora/2/updates/SRPMS/nfs-utils-1.0.6-22.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not
[FLSA-2006:158543] Updated gaim package fixes security issues
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated gaim package fixes security issues
Advisory ID:       FLSA:158543
Issue date:        2006-02-25
Products:          Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0208 CVE-2005-0473 CVE-2005-0472 CVE-2005-0965 CVE-2005-0966 CVE-2005-0967 CVE-2005-1261 CVE-2005-1262 CVE-2005-2103 CVE-2005-2102 CVE-2005-2370 CVE-2005-1269 CVE-2005-1934
---------------------------------------------------------------------

1. Topic:

An updated gaim package that fixes various security issues as well as a number of bugs is now available.

The Gaim application is a multi-protocol instant messaging client.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Two HTML parsing bugs were discovered in Gaim. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0208 and CVE-2005-0473 to these issues.

A bug in the way Gaim processes SNAC packets was discovered. It is possible that a remote attacker could send a specially crafted SNAC packet to a Gaim client, causing the client to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0472 to this issue.

A buffer overflow bug was found in the way gaim escapes HTML. It is possible that a remote attacker could send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0965 to this issue.

A bug was found in several of gaim's IRC processing functions. These functions fail to properly remove various markup tags within an IRC message. It is possible that a remote attacker could send a specially crafted message to a Gaim client connected to an IRC server, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0966 to this issue.

A bug was found in gaim's Jabber message parser. It is possible for a remote Jabber user to send a specially crafted message to a Gaim client, causing it to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0967 to this issue.

A stack based buffer overflow bug was found in the way gaim processes a message containing a URL. A remote attacker could send a carefully crafted message resulting in the execution of arbitrary code on a victim's machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1261 to this issue.

A bug was found in the way gaim handles malformed MSN messages. A remote attacker could send a carefully crafted MSN message causing gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1262 to this issue.

A heap based buffer overflow issue was discovered in the way Gaim processes away messages. A remote attacker could send a specially crafted away message to a Gaim user logged into AIM or ICQ that could result in arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2103 to this issue.

Daniel Atallah discovered a denial of service issue in Gaim. A remote attacker could attempt to upload a file with a specially crafted name to a user logged into AIM or ICQ, causing Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2102 to this issue.

A denial of service bug was found in Gaim's Gadu Gadu protocol handler. A remote attacker could send a specially crafted message to a Gaim user logged into Gadu Gadu, causing Gaim to crash. Please note that this issue only affects PPC and IBM S/390 systems running Gaim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2370 to this issue.

Jacopo Ottaviani discovered a bug in the way Gaim handles Yahoo! Messenger file transfers. It is possible for a malicious user to send a specially crafted file transfer request that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1269 to this issue.

Additionally, Hugo de Bokkenrijder discovered a bug in the way Gaim parses MSN Messenger messages. It is possible for a malicious user to send a specially crafted MSN Messenger message that causes Gaim to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1934 to this issue.

Additionally, various client crashes,
[FLSA-2006:176731] Updated perl packages fix security issue
Fedora Legacy Update Advisory

Synopsis: Updated perl packages fix security issue
Advisory ID: FLSA:176731
Issue date: 2006-02-25
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-3962

1. Topic:

Updated perl packages that fix a security flaw are now available.

Perl is a high-level programming language commonly used for system administration utilities and Web programming.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue.

Note that this vulnerability does not affect perl packages in Red Hat Linux 7.3.

Users of perl are advised to upgrade to these packages which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176731

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/perl-5.8.0-90.0.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-5.8.0-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CGI-2.81-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-CPAN-1.61-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-DB_File-1.804-90.0.13.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/perl-5.8.3-17.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-5.8.3-17.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/perl-suidperl-5.8.3-17.5.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/perl-5.8.3-19.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-5.8.3-19.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/perl-suidperl-5.8.3-19.5.legacy.i386.rpm

7. Verification:
Fedora Legacy Test Update Notification: gdk-pixbuf
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-173274
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173274
2006-02-23

Name: gdk-pixbuf
Versions: rh73: gdk-pixbuf-0.22.0-7.73.4.legacy
Versions: rh9: gdk-pixbuf-0.22.0-7.90.4.legacy
Versions: fc1: gdk-pixbuf-0.22.0-11.3.4.2.legacy
Versions: fc2: gdk-pixbuf-0.22.0-12.fc2.1.legacy
Summary: An image loading library used with GNOME.
Description:
The gdk-pixbuf package contains an image loading library used with the GNOME desktop environment. The GdkPixBuf library provides image loading facilities, the rendering of a GdkPixBuf into various formats (drawables or GdkRGB buffers), and a cache interface.

Update Information:

Updated gdk-pixbuf packages that fix several security issues are now available.

The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment.

A bug was found in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to execute arbitrary code or crash when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the way gdk-pixbuf processes XPM images. An attacker could create a carefully crafted XPM file in such a way that it could cause an application linked with gdk-pixbuf to stop responding when the file was opened by a victim. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2975 to this issue.

Users of gdk-pixbuf are advised to upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

Changelogs

rh73:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] - 1:0.22.0-7.73.4.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

rh9:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] - 1:0.22.0-7.90.4.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

fc1:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] - 1:0.22.0-11.3.4.2.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

fc2:
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] - 1:0.22.0-12.fc2.1.legacy
- Prevent another integer overflow in the xpm loader (CVE-2005-2976)
- Prevent an infinite loop in the xpm loader (CVE-2005-2975)
- Prevent an integer overflow in the xpm loader (CVE-2005-3186)

This update can be downloaded from:
http://download.fedoralegacy.org/
Fedora Legacy Test Update Notification: libungif
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-174479
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174479
2006-02-23

Name: libungif
Versions: rh73: libungif-4.1.0-10.2.legacy
Versions: rh9: libungif-4.1.0-15.2.legacy
Versions: fc1: libungif-4.1.0-16.2.legacy
Versions: fc2: libungif-4.1.0-17.3.legacy
Summary: A library for manipulating GIF format image files.
Description:
The libungif package contains a shared library of functions for loading and saving GIF format image files. The libungif library can load any GIF file, but it will save GIFs only in uncompressed format; it will not use the patented LZW compression used to save normal compressed GIF files.

Update Information:

Updated libungif packages that fix two security issues are now available.

The libungif package contains a shared library of functions for loading and saving GIF format image files.

Several bugs in the way libungif decodes GIF images were discovered. An attacker could create a carefully crafted GIF image file in such a way that it could cause an application linked with libungif to crash or execute arbitrary code when the file is opened by a victim. The Common Vulnerabilities and Exposures project has assigned the names CVE-2005-2974 and CVE-2005-3350 to these issues.

All users of libungif are advised to upgrade to these updated packages, which contain backported patches that resolve these issues.

Changelogs

rh73:
* Wed Feb 22 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-10.2.legacy
- Added missing XFree86-devel, netpbm-devel and texinfo to BuildRequires
- Added patch from RHEL to get librle in
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-10.1.legacy
- Added patch for CVE-2005-2974 and CVE-2005-3350

rh9:
* Wed Feb 22 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-15.2.legacy
- Added missing XFree86-devel, netpbm-devel and texinfo to BuildRequires
- Added patch from RHEL to get librle in
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-15.1.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

fc1:
* Thu Feb 23 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-16.2.legacy
- Added missing XFree86-devel to BuildRequires
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-16.1.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

fc2:
* Thu Feb 23 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-17.3.legacy
- Added missing xorg-x11-devel to BuildRequires
* Sun Feb 19 2006 Marc Deslauriers [EMAIL PROTECTED] 4.1.0-17.2.legacy
- Added patch to fix CVE-2005-2974 and CVE-2005-3350

This update can be downloaded from:
http://download.fedoralegacy.org/

Please test and comment in bugzilla.
[FLSA-2006:180036-1] Updated mozilla packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: FLSA:180036-1
Issue date: 2006-02-23
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-4134 CVE-2006-0292 CVE-2006-0296

1. Topic:

Updated mozilla packages that fix several security bugs are now available.

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Igor Bukanov discovered a bug in the way Mozilla's Javascript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary javascript when a user runs Mozilla. (CVE-2006-0296)

A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time the next time it is run. (CVE-2005-4134)

Users of Mozilla are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.12-0.73.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.12-0.73.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.12-0.73.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.12-0.90.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.12-0.90.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.12-0.90.2.legacy.i386.rpm
[FLSA-2006:180036-2] Updated firefox package fixes security issues
Fedora Legacy Update Advisory

Synopsis: Updated firefox package fixes security issues
Advisory ID: FLSA:180036-2
Issue date: 2006-02-23
Product: Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-4134 CVE-2006-0292 CVE-2006-0296

1. Topic:

An updated firefox package that fixes several security bugs is now available.

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Igor Bukanov discovered a bug in the way Firefox's Javascript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Firefox's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Firefox to execute arbitrary javascript when a user runs Firefox. (CVE-2006-0296)

A denial of service bug was found in the way Firefox saves history information. If a user visits a web page with a very long title, it is possible Firefox will crash or take a very long time the next time it is run. (CVE-2005-4134)

Users of Firefox are advised to upgrade to this updated package, which contains backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                  Package Name
3b05d93992aba7369a418d53344250aa275330ac  fedora/3/updates/i386/firefox-1.0.7-1.3.fc3.legacy.i386.rpm
850534b4cfa591372d8245808e46378c5923e086  fedora/3/updates/x86_64/firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm
a167dc9061c484aa26f89703dc0228883409235e  fedora/3/updates/SRPMS/firefox-1.0.7-1.3.fc3.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

    sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
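Sections 4 and 7 of the mozilla and firefox advisories above describe one procedure: check each downloaded package against the published SHA1 sums and its GPG signature, and only then freshen the installed packages with rpm -Fvh. The script below is an added example, not Fedora Legacy's own tooling; it assumes the advisory's "SHA1 sum / Package Name" table has been saved to a manifest file and that the packages sit under a local mirror directory with the same layout as http://download.fedoralegacy.org/ (the function names and the sample package name in the comments are this example's own).

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisories or tooling.
# Verifies every package listed in an advisory's section 7 table (saved
# as MANIFEST) against a local mirror laid out like
# http://download.fedoralegacy.org/ (MIRROR_ROOT), checks the GPG
# signatures with "rpm --checksig -v" as section 7 describes, and only
# then freshens installed packages with "rpm -Fvh" as section 4 describes.

# Print the SHA1 hex digest of a file; return 2 if no SHA1 tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        return 2
    fi
}

# Emit "<sha1> <relative path>" for each package line of the manifest.
# The column header, the dashed separator and blank lines do not start
# with 40 hex digits, so they are skipped.
manifest_entries() {
    grep -E '^[0-9a-f]{40}[[:space:]]+[^[:space:]]+' "$1"
}

# verify_sha1_manifest MANIFEST MIRROR_ROOT
# Returns 0 only if every listed package exists under MIRROR_ROOT and its
# digest matches. A missing file is a failure, and so is a manifest with
# no package lines at all (nothing was verified). Returns 2 when no SHA1
# tool is available.
verify_sha1_manifest() {
    manifest=$1
    root=$2
    checked=0
    failures=0
    # Join hash and path with ':' so the for loop sees one word per entry
    # (package paths in the advisories never contain ':' or spaces).
    for entry in $(manifest_entries "$manifest" | awk '{ print $1 ":" $2 }'); do
        expected=${entry%%:*}
        relpath=${entry#*:}
        checked=$((checked + 1))
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$relpath"
            failures=$((failures + 1))
            continue
        fi
        actual=$(sha1_of "$file") || return 2
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$relpath"
        else
            printf 'MISMATCH %s (expected %s, got %s)\n' \
                "$relpath" "$expected" "$actual"
            failures=$((failures + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
}

# check_signatures MANIFEST MIRROR_ROOT
# Runs "rpm --checksig -v" on every listed package; the Fedora Legacy key
# must already be imported into the rpm database. Any failure (or a
# missing rpm binary) makes the whole check fail.
check_signatures() {
    manifest_entries "$1" | while read -r _hash relpath _rest; do
        rpm --checksig -v "$2/$relpath" || exit 1
    done
}

# apply_update MANIFEST MIRROR_ROOT
# Freshens (-F: upgrade only packages already installed) with the binary
# RPMs, never the .src.rpm, and only after both checks have passed.
apply_update() {
    verify_sha1_manifest "$1" "$2" || {
        echo 'checksum verification failed; nothing installed' >&2
        return 1
    }
    check_signatures "$1" "$2" || {
        echo 'signature verification failed; nothing installed' >&2
        return 1
    }
    manifest_entries "$1" | grep -v '\.src\.rpm' \
        | awk -v root="$2" '{ print root "/" $2 }' | xargs rpm -Fvh
}

# Usage: sh verify_update.sh MANIFEST MIRROR_ROOT
if [ "$#" -eq 2 ]; then
    apply_update "$1" "$2"
fi
```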
Re: x86_64 Packages missing
On Wed, 2006-02-22 at 13:07 +0100, Klaus Steinberger wrote:
> Hello, in the last advisories (e.g. [FLSA-2006:175406]) also x86_64 packages were mentioned, but they are missing from the updates repository, they are just in updates-testing. Were they missed or is that intentional? The x86_64 support is essential for me.

Sorry about that. I forgot to move the x86_64 packages from updates-testing to updates. The mirrors are being synced now, they should appear shortly.

Marc.
Re: Fedora Legacy Test Update Notification: gpdf
On Wed, 2006-02-22 at 09:57 -0700, Michal Jaegermann wrote:
> On Mon, Feb 20, 2006 at 07:58:41PM -0500, Marc Deslauriers wrote:
> > Fedora Legacy Test Update Notification
> > FEDORALEGACY-2006-176751
> > fedora/3/updates-testing/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
> At least this package is unsigned so yum, in a default configuration from legacy-yumconf-3-4.fc3 plus enabled 'legacy-testing', will not install that. sha1sum agrees with what was posted, though.

Thanks for noticing. I just pushed out signed ones.

Marc.
Fedora Legacy Test Update Notification: kernel (rh73 and rh9)
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20

Name: kernel
Versions: rh7.3: kernel-2.4.20-45.7.legacy
Versions: rh9: kernel-2.4.20-45.9.legacy
Summary: The Linux kernel (the core of the Linux operating system).
Description:
The kernel package contains the Linux kernel (vmlinuz), the core of the Red Hat Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Update Information:

Updated kernel packages that fix several security issues are now available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below:

- a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185)
- a recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. (CVE-2004-0791)
- flaws in the coda module that allowed denial-of-service attacks (crashes) or local privilege escalations (CVE-2005-0124)
- a flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges (CVE-2005-1263)
- a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458)
- a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490)
- a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708)
- a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709)
- a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973)
- a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180)
- a flaw in the packet radio ROSE protocol that allowed a user to trigger out-of-bounds errors (CVE-2005-3273)
- a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275)
- a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806)
- a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Changelogs

rh73:
* Sat Feb 04 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)
* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

rh9:
* Sat Feb 04 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)
* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709
Fedora Legacy Test Update Notification: kernel (fc1)
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20

Name: kernel
Versions: fc1: kernel-2.4.22-1.2199.7.legacy.nptl
Summary: The Linux kernel (the core of the Linux operating system).
Description:
The kernel package contains the Linux kernel (vmlinuz), the core of the Red Hat Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Update Information:

Updated kernel packages that fix several security issues are now available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below:

- a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185)
- a recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. (CVE-2004-0791)
- flaws in ptrace() syscall handling on AMD64 and Intel EM64T systems that allowed a local user to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1762, CAN-2005-2553)
- a flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges (CVE-2005-1263)
- a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458)
- a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CAN-2005-2490)
- a flaw in exec() handling on some 64-bit architectures that allowed a local user to cause a denial of service (crash) (CVE-2005-2708)
- a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709)
- a flaw in IPv6 network UDP port hash table lookups that allowed a local user to cause a denial of service (hang) (CVE-2005-2973)
- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044)
- a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180)
- a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275)
- a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806)
- a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857)

All users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Changelogs

fc1:
* Fri Feb 17 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.22-1.2199.7.legacy.nptl
- Added patch for CVE-2002-2185 (potential IGMP DoS)
* Thu Feb 02 2006 Marc Deslauriers [EMAIL PROTECTED] 2.4.22-1.2199.6.legacy.nptl
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

This update can be downloaded from:
http://download.fedoralegacy.org/
Fedora Legacy Test Update Notification: kernel (fc2)
that is operating under a heavy load (CVE-2005-3110)
- a network buffer info leak using the orinoco driver that allowed a remote user to possibly view uninitialized data (CVE-2005-3180)
- a memory leak was found in the audit system that allowed an unprivileged local user to cause a denial of service (CVE-2005-3181)
- a race condition in ip_vs_conn_flush that allowed a local user to cause a denial of service (CVE-2005-3274)
- a flaw in IPv4 network TCP and UDP netfilter handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3275)
- a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276)
- a flaw in the mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356)
- a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358)
- a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784)
- a flaw in the POSIX timer cleanup handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3805)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806)
- a memory leak in the VFS file lease handling that allowed a local user to cause a denial of service (CVE-2005-3807)
- a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848)
- a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857)
- a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858)
- a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605)
- a memory disclosure flaw in dm-crypt that allowed a local user to obtain sensitive information about a cryptographic key (CVE-2006-0095)

All users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Changelogs

fc2:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.10-2.3.legacy_FC2
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2005-3807 (memory leak with file leases)
  CVE-2006-0095 (dm-crypt key leak)
* Fri Feb 03 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.10-2.2.legacy_FC2
- Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)
* Sat Jan 28 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.10-2.1.legacy_FC2
- Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

fc2:
68999cdecf0bb3c6cda09edbe2cedd57fff709ad
Fedora Legacy Test Update Notification: kernel (fc3)
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157459-4
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157459
2006-02-20

Name: kernel
Versions: fc3: kernel-2.6.12-2.3.legacy_FC3
Summary: The Linux kernel (the core of the Linux operating system).
Description: The kernel package contains the Linux kernel (vmlinuz), the core of the Red Hat Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Update Information:

Updated kernel packages that fix several security issues are now available.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below:

- a flaw in network IGMP processing that allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185)
- a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709)
- a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044)
- a race condition in ip_vs_conn_flush that allowed a local user to cause a denial of service (CVE-2005-3274)
- a flaw in the mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356)
- a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358)
- a race condition in do_coredump in signal.c that allowed a local user to cause a denial of service (crash) (CVE-2005-3527)
- a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784)
- a flaw in the POSIX timer cleanup handling that allowed a local user to cause a denial of service (crash) (CVE-2005-3805)
- a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806)
- a memory leak in the VFS file lease handling that allowed a local user to cause a denial of service (CVE-2005-3807)
- a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857)
- a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605)
- a memory disclosure flaw in dm-crypt that allowed a local user to obtain sensitive information about a cryptographic key (CVE-2006-0095)
- a flaw while constructing an ICMP response that allowed remote users to cause a denial of service (crash) (CVE-2006-0454)

All users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Changelogs

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.12-2.3.legacy_FC3
- Corrected upstream reference in CVE-2006-0454 patch
* Tue Feb 07 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.12-2.2.legacy_FC3
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3527 (do_coredump() vs SIGSTOP race)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2006-0095 (dm-crypt key leak)
  CVE-2006-0454 (ICMP route double-free)
  CVE-2005-3807 (memory leak with file leases)
* Fri Jan 27 2006 Marc Deslauriers [EMAIL PROTECTED] 2.6.12-2.1.legacy_FC3
- Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

fc3:
b9e37d94319ce74e98aa053d9da798437b979a5e fedora/3/updates-testing/i386/kernel-2.6.12-2.3.legacy_FC3.i586.rpm
e8698e932795b5a8c9ecc97e95fab42f55d71ac9 fedora/3/updates-testing/i386/kernel-2.6.12-2.3.legacy_FC3.i686.rpm
58e7014a387ef6e17bf9f68d26eb1242a9dab3f2 fedora/3/updates-testing/i386/kernel-doc-2.6.12-2.3.legacy_FC3.noarch.rpm
d09fb6f194558505d8d52fb22a60420cd35a06f1 fedora/3/updates-testing/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i586.rpm
640077c447f1ac5edf5e21000c916bb750006f84 fedora/3/updates-testing/i386/kernel-smp-2.6.12-2.3.legacy_FC3.i686.rpm
Fedora Legacy Test Update Notification: gpdf
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-176751
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176751
2006-02-20

Name: gpdf
Versions: fc1: gpdf-0.110-1.5.legacy
Versions: fc2: gpdf-2.8.2-4.1.1.legacy
Versions: fc3: gpdf-2.8.2-7.2.1.legacy
Summary: viewer for Portable Document Format (PDF) files for GNOME
Description: This is GPdf, a viewer for Portable Document Format (PDF) files for GNOME. GPdf is based on the Xpdf program and uses additional GNOME libraries for better desktop integration.

Update Information:

An updated gpdf package that fixes several security issues is now available.

The gpdf package is a GNOME based viewer for Portable Document Format (PDF) files.

A flaw was discovered in gpdf. An attacker could construct a carefully crafted PDF file that would cause gpdf to consume all available disk space in /tmp when opened. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in gpdf. An attacker could construct a carefully crafted PDF file that could cause gpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 and CVE-2005-3628 to these issues.

Users of gpdf should upgrade to this updated package, which contains backported patches to resolve these issues.

Changelogs

fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 0.110-1.5.legacy
- Use better patch for CVE-2004-0888 (from RHEL3 xpdf)
- Add patch for CVE-2005-3193

fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2.8.2-4.1.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 2
- Removed the desktop-file-utils dependencies
* Fri Jan 06 2006 Ray Strode [EMAIL PROTECTED] 2.8.2-7.4
- Apply fix for CVE-2005-3624 (also covers CVE-2005-3193) (bug 176865)
* Wed Dec 14 2005 Ray Strode [EMAIL PROTECTED] 2.8.2-7.3
- apply updated patch for CVE-2005-3193 (bug 175102)

fc3:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 2.8.2-7.2.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 3
* Fri Jan 06 2006 Ray Strode [EMAIL PROTECTED] 2.8.2-7.4
- Apply fix for CVE-2005-3624 (also covers CVE-2005-3193) (bug 176865)
* Wed Dec 14 2005 Ray Strode [EMAIL PROTECTED] 2.8.2-7.3
- apply updated patch for CVE-2005-3193 (bug 175102)

This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

fc1:
646edd9bdaf07a2f74d0b9874a666f94dc4f7982 fedora/1/updates-testing/i386/gpdf-0.110-1.5.legacy.i386.rpm
23f1172453f4e6572bd5a5bebcf093fda9c9ef62 fedora/1/updates-testing/SRPMS/gpdf-0.110-1.5.legacy.src.rpm

fc2:
2798a8e5ba37214b4ad3d537aa38b65c62c9e7c7 fedora/2/updates-testing/i386/gpdf-2.8.2-4.1.1.legacy.i386.rpm
e6d36329145bd25d5646da0064124f4b3a3faf99 fedora/2/updates-testing/SRPMS/gpdf-2.8.2-4.1.1.legacy.src.rpm

fc3:
b732b32164a34ddca2471548cffdb4fa654a61cd fedora/3/updates-testing/i386/gpdf-2.8.2-7.2.1.legacy.i386.rpm
3ec3762affc6295144245af9e804692e293614be fedora/3/updates-testing/SRPMS/gpdf-2.8.2-7.2.1.legacy.src.rpm
e6c957006f2bc7c17c5754df527cd8eec86d0c9a fedora/3/updates-testing/x86_64/gpdf-2.8.2-7.2.1.legacy.x86_64.rpm

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: perl-DBI
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-178989
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
2006-02-20

Name: perl-DBI
Versions: rh73: perl-DBI-1.21-1.1.legacy
Versions: rh9: perl-DBI-1.32-5.1.legacy
Versions: fc1: perl-DBI-1.37-1.1.legacy
Versions: fc2: perl-DBI-1.40-4.1.legacy
Summary: A database access API for Perl.
Description: DBI is a database access Application Programming Interface (API) for the Perl programming language. The DBI API specification defines a set of functions, variables and conventions that provide a consistent database interface independent of the actual database being used.

Update Information:

An updated perl-DBI package that fixes a temporary file flaw in DBI::ProxyServer is now available.

DBI is a database access Application Programming Interface (API) for the Perl programming language.

The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to this issue.

Users should update to this erratum package which disables the temporary PID file unless configured.

Changelogs

rh73:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1.21-1.1.legacy
- Added fix for CVE-2005-0077

rh9:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1.32-5.1.legacy
- Added fix for CVE-2005-0077

fc1:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1.37-1.1.legacy
- Added fix for CVE-2005-0077

fc2:
* Sat Feb 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1.40-4.1.legacy
- Added fix for CVE-2005-0077

This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

rh73:
847cb03e61abf1bbb965b2fa6e7c0f812e7edde1 redhat/7.3/updates-testing/i386/perl-DBI-1.21-1.1.legacy.i386.rpm
7c0c13670d8da3620d6bdc0d24f96201ff3feee8 redhat/7.3/updates-testing/SRPMS/perl-DBI-1.21-1.1.legacy.src.rpm

rh9:
2e473b5822a019a10b7b9577f4de60933e75fecc redhat/9/updates-testing/i386/perl-DBI-1.32-5.1.legacy.i386.rpm
19934b803bf33b0cc93466ae43e2ac14302ac0df redhat/9/updates-testing/SRPMS/perl-DBI-1.32-5.1.legacy.src.rpm

fc1:
50a02fd2d68f47d35f76bc690281253bbdf9a486 fedora/1/updates-testing/i386/perl-DBI-1.37-1.1.legacy.i386.rpm
0018ffba083fd98b88a4bcec3383005ed32d5e6a fedora/1/updates-testing/SRPMS/perl-DBI-1.37-1.1.legacy.src.rpm

fc2:
69a623c7db409341705bfc125b5fd6f0c056af7b fedora/2/updates-testing/i386/perl-DBI-1.40-4.1.legacy.i386.rpm
4443111b0e9137bd1624183b9d209b2cada204dd fedora/2/updates-testing/SRPMS/perl-DBI-1.40-4.1.legacy.src.rpm

Please test and comment in bugzilla.
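The flaw class behind CVE-2005-0077 is worth seeing in the smallest possible form. The following is an added example, not code from perl-DBI or from the Fedora Legacy update (whose fix takes a different route and simply disables the PID file unless it is configured): an unsafe PID-file write at a fixed, shared path next to a hardened version. The directory argument and the file name dbiproxy.pid are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from perl-DBI): a PID file written at a predictable path in
# a shared directory, next to a hardened version. Directory and file name
# "dbiproxy.pid" are assumptions for the illustration.

# Unsafe: a fixed name in a shared directory, written with a plain redirect.
# If something already sits at that path (a file, or a symlink left there by
# another local user), the redirect truncates and writes through it with the
# privileges of whoever runs the daemon, which is what the advisory describes.
write_pid_unsafe() {
    echo "$$" > "$1/dbiproxy.pid"
}

# Hardened: noclobber (set -C) makes ">" refuse an existing path instead of
# following it (the shell opens with O_EXCL semantics), and umask 077 keeps the
# new file private to the owner. The function returns non-zero and writes
# nothing if the path is already occupied; callers should treat that as an
# error to report, not something to retry blindly with a different name.
write_pid_safe() {
    (
        set -C
        umask 077
        echo "$$" > "$1/dbiproxy.pid"
    ) 2>/dev/null
}

# Contents of the PID file, or empty output if it cannot be read.
read_pid() {
    cat "$1/dbiproxy.pid" 2>/dev/null
}
```

Moving the file out of a world-writable directory altogether (a daemon-owned run directory) is the other half of the fix; noclobber only guarantees that an existing entry is not written through, it does not stop another user from occupying the name first.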
[FLSA-2006:152809] Updated squid package fixes security issues
Fedora Legacy Update Advisory

Synopsis: Updated squid package fixes security issues
Advisory ID: FLSA:152809
Issue date: 2006-02-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0194 CVE-2005-0211 CVE-2005-0241 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-2005-1345 CVE-1999-0710 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CVE-2005-2917

1. Topic:

An updated Squid package that fixes several security issues is now available.

Squid is a full-featured Web proxy cache.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0541 to this issue.

An out of bounds memory read bug was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0832 to this issue.

iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0918 to this issue.

A buffer overflow flaw was found in the Gopher relay parser. This bug could allow a remote Gopher server to crash the Squid proxy that reads data from it. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0094 to this issue.

An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's home router. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0095 to this issue.

A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTLM fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0096 to this issue.

A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0097 to this issue.

A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0173 to this issue.

The way Squid handles HTTP responses was found to need strengthening. It is possible that a malicious web server could send a series of HTTP responses in such a way that the Squid cache could be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0174 and CVE-2005-0175 to these issues.

When processing the configuration file, Squid parses empty Access Control Lists (ACLs) and proxy_auth ACLs without defined auth schemes in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0194 to this issue.

A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project
[FLSA-2006:168935] Updated openssh packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated openssh packages fix security issues
Advisory ID: FLSA:168935
Issue date: 2006-02-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-2069 CVE-2006-0225

1. Topic:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for passwordless access to servers.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occurring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion. A malicious user could execute arbitrary commands by using specially crafted filenames containing shell metacharacters or spaces. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssh-3.1p1-14.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-clients-3.1p1-14.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssh-server-3.1p1-14.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssh-3.5p1-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-clients-3.5p1-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssh-server-3.5p1-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssh-3.6.1p2-19.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-askpass-gnome-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-clients-3.6.1p2-19.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssh-server-3.6.1p2-19.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
[FLSA-2006:175406] Updated Apache httpd packages fix security issues
Fedora Legacy Update Advisory

Synopsis: Updated Apache httpd packages fix security issues
Advisory ID: FLSA:175406
Issue date: 2006-02-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2970 CVE-2005-3352 CVE-2005-3357

1. Topic:

Updated Apache httpd packages that correct three security issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2970 to this issue. This vulnerability only affects users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was discovered. With certain site configurations, a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm
Fedora Legacy Test Update Notification: sudo
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-162750
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162750
2006-02-17

Name: sudo
Versions: rh7.3: sudo-1.6.5p2-2.3.legacy
Versions: rh9: sudo-1.6.6-3.3.legacy
Versions: fc1: sudo-1.6.7p5-2.3.legacy
Versions: fc2: sudo-1.6.7p5-26.2.legacy
Summary: Allows restricted root access for specified users.
Description: Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines.

Update Information:

An updated sudo package is available that fixes a race condition in sudo's pathname validation.

The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging.

A race condition bug was found in the way sudo handles pathnames. It is possible that a local user with limited sudo access could create a race condition that would allow the execution of arbitrary commands as the root user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1993 to this issue.

Users of sudo should update to this updated package, which contains a backported patch and is not vulnerable to this issue.

Changelogs

rh73:
* Mon Feb 13 2006 Marc Deslauriers [EMAIL PROTECTED] 1.6.5p2-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

rh9:
* Mon Feb 13 2006 Marc Deslauriers [EMAIL PROTECTED] 1.6.6-3.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

fc1:
* Wed Feb 15 2006 Marc Deslauriers [EMAIL PROTECTED] 1.6.7p5-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

fc2:
* Thu Feb 16 2006 Marc Deslauriers [EMAIL PROTECTED] 1.6.7p5-26.2.legacy
- Added missing libselinux-devel to BuildRequires
* Wed Feb 15 2006 Marc Deslauriers [EMAIL PROTECTED] 1.6.7p5-26.1.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums)

rh7.3:
5eed8171a2be78f8a03de987b86220b1c8ecb9d4 redhat/7.3/updates-testing/i386/sudo-1.6.5p2-2.3.legacy.i386.rpm
f1fdc4b82456cf66f89764ec7f9c0909a0603805 redhat/7.3/updates-testing/SRPMS/sudo-1.6.5p2-2.3.legacy.src.rpm

rh9:
7a84e2d96bba56142ca8c6dec2603577e31b2072 redhat/9/updates-testing/i386/sudo-1.6.6-3.3.legacy.i386.rpm
4aca97be1c9e5f61efa1165955eb219fce3af70e redhat/9/updates-testing/SRPMS/sudo-1.6.6-3.3.legacy.src.rpm

fc1:
4e7b55e41c355e51b4cdd3a820a6d5c94df43fdc fedora/1/updates-testing/i386/sudo-1.6.7p5-2.3.legacy.i386.rpm
6843f6ee7792e8c63f1034107a4a4e464a613798 fedora/1/updates-testing/SRPMS/sudo-1.6.7p5-2.3.legacy.src.rpm

fc2:
954a6e7098b7e86e7bc1f1532a72f8a3dab32380 fedora/2/updates-testing/i386/sudo-1.6.7p5-26.2.legacy.i386.rpm
82c884d6bcff123dd510ffdb8a0d81ce63606364 fedora/2/updates-testing/SRPMS/sudo-1.6.7p5-26.2.legacy.src.rpm

Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: XFree86
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168264-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168264
2006-02-17
---------------------------------------------------------------------

Name        : XFree86
Versions    : rh73: XFree86-4.2.1-16.73.31.legacy
Versions    : rh9: XFree86-4.3.0-2.90.61.legacy
Versions    : fc1: XFree86-4.3.0-60.legacy
Summary     : The basic fonts, programs and docs for an X workstation.
Description :
XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

---------------------------------------------------------------------
Update Information:

Updated XFree86 packages that fix security issues are now available.

XFree86 is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

An integer overflow flaw was found in libXpm, which is used by some applications for loading of XPM images. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to the vulnerable library. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0605 to this issue.

Several integer overflow bugs were found in the way XFree86 parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2495 to this issue.

Users of XFree86 should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 4.2.1-16.73.31.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer overflows.

rh9:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 4.3.0-2.x.61.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer overflows.

fc1:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 4.3.0-60.legacy
- Add XFree86-4.1.0-xpm-security-fix-CAN-2005-0605.patch.
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer overflows.

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
Fedora Legacy Test Update Notification: xorg-x11
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168264-2
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168264
2006-02-17
---------------------------------------------------------------------

Name        : xorg-x11
Versions    : fc2: xorg-x11-6.7.0-14.1.legacy
Summary     : The basic fonts, programs and docs for an X workstation.
Description :
X.org X11 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

---------------------------------------------------------------------
Update Information:

Updated X.org packages that fix a security issue are now available.

X.org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

Several integer overflow bugs were found in the way X.org parses pixmap images. It is possible for a user to gain elevated privileges by loading a specially crafted pixmap image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2495 to this issue.

Users of X.org should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

---------------------------------------------------------------------
Changelogs

fc2:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 6.7.0-14.1.legacy
- Add XFree86-4.3.0-security-CAN-2005-2495.patch to fix various integer overflows.

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
Fedora Legacy Test Update Notification: postgresql
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-157366
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366
2006-02-12
---------------------------------------------------------------------

Name        : postgresql
Versions    : rh9: postgresql-7.3.10-0.90.1.legacy
Versions    : fc1: postgresql-7.3.10-1.1.legacy
Versions    : fc2: postgresql-7.4.8-1.FC2.1.legacy
Summary     : PostgreSQL client programs and libraries.
Description :
PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs, including transactions, subselects, and user-defined types and functions. The postgresql package includes the client programs and libraries that you need to access a PostgreSQL DBMS server.

---------------------------------------------------------------------
Update Information:

Updated postgresql packages that fix several security vulnerabilities and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions).

The PostgreSQL community discovered two distinct errors in initial system catalog entries that could allow authorized database users to crash the database and possibly escalate their privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd) database installations from these errors, administrators MUST TAKE MANUAL ACTION to repair the errors in pre-existing databases. The appropriate procedures are explained at http://www.postgresql.org/docs/8.0/static/release-7-4-8.html for Fedora Core 2 users, or http://www.postgresql.org/docs/8.0/static/release-7-3-10.html for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors, including two race conditions that could result in apparent data inconsistency or actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages and to apply the recommended manual corrections to existing databases.

---------------------------------------------------------------------
Changelogs

rh9:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED] 7.3.10-0.90.1.legacy
- Update to PostgreSQL 7.3.10 (fixes CVE-2005-1409 and CVE-2005-1410)

fc1:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED] 7.3.10-1.1.legacy
- Rebuilt as Fedora Legacy security update for Fedora Core 1
- Added missing libtermcap-devel, perl-SGMLSpm, openjade, docbook-utils and docbook-style-dsssl to BuildRequires

fc2:
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED] 7.4.8-1.FC2.1.legacy
- Rebuild as a Fedora Legacy update for Fedora Core 2

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
Fedora Legacy Test Update Notification: gnutls
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-181014
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181014
2006-02-12
---------------------------------------------------------------------

Name        : gnutls
Versions    : fc3:
Summary     : A TLS implementation.
Description :
The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.

---------------------------------------------------------------------
Update Information:

Updated gnutls packages that fix a security issue are now available.

The GNU TLS Library provides support for cryptographic algorithms and protocols such as TLS. GNU TLS includes Libtasn1, a library developed for ASN.1 structures management that includes DER encoding and decoding.

Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate in such a way that could trigger this flaw if parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain if this issue could be escalated to allow arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0645 to this issue.

Users are advised to upgrade to these updated packages, which contain a backported patch from the GNU TLS maintainers to correct this issue.

---------------------------------------------------------------------
Changelogs

fc3:
* Sun Feb 12 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.20-3.1.3.legacy
- Added missing zlib-devel to BuildPrereq
* Sat Feb 11 2006 Marc Deslauriers [EMAIL PROTECTED] 1.0.20-3.1.2.legacy
- Added patch for GnuTLS x509 DER DoS - CVE-2006-0645

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------
Please test and comment in bugzilla.
Re: no mandatory QA testing at all [Re: crazy thought about how to ease QA testing]
On Fri, 2006-02-10 at 22:00 -0800, Jesse Keating wrote:
On Sat, 2006-02-11 at 07:32 +0200, Pekka Savola wrote:

I agree that this would complicate the process further. I have proposed something simpler, and still do:

1) every package, even without any VERIFY QA votes at all, will be released automatically in X weeks (suggest: X=2). Exception: at package PUBLISH time, the packager and/or publisher, if they think the changes are major enough (e.g., non-QAed patches etc.), can specify that the package should not be automatically released.

2) negative reports block automatic publishing.

3) positive reports can speed up automatic publishing (for example: 2 VERIFY votes -- released within 1 week; all verify votes: released immediately after the last verify)

There is no need (IMHO) to grade packages to more or less critical ones. Every QA tester and eventual package user uses his or her own value judgment. If (s)he fears that the (potentially untested) automatic update would break the system, (s)he would test it before two weeks are over.

Publishing positive reports can be made simpler but that probably isn't on the critical path here.

I agree to this.

Marc
[UPDATED] Fedora Legacy Test Update Notification: httpd
This notification was updated to include x86_64 packages for Fedora Core 3.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175406
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
2006-02-11
---------------------------------------------------------------------

Name        : httpd
Versions    : rh73: apache-1.3.27-9.legacy
Versions    : rh9: httpd-2.0.40-21.21.legacy
Versions    : fc1: httpd-2.0.51-1.10.legacy
Versions    : fc2: httpd-2.0.51-2.9.5.legacy
Versions    : fc3: httpd-2.0.53-3.4.legacy
Summary     : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and freely-available Web server based on work done by the Apache Software Foundation. It is also the most popular Web server on the Internet.

---------------------------------------------------------------------
Update Information:

Updated Apache httpd packages that correct three security issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.

A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2970 to this issue. This vulnerability only affects users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was discovered. With certain site configurations, a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 1.3.27-9.legacy
- mod_imap: add security fix for XSS issue (CVE-2005-3352)

rh9:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.40-21.21.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970), and bug fixes for handling resource allocation failures (#171759)

fc1:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.51-1.10.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970), and bug fixes for handling resource allocation failures (#171759)

fc2:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.51-2.9.5.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970), and bug fixes for handling resource allocation failures (#171759)

fc3:
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 2.0.53-3.4.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970), and bug fixes for handling resource allocation failures (#171759)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
Fedora Legacy Test Update Notification: nfs-utils
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-138098
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138098
2006-02-11
---------------------------------------------------------------------

Name        : nfs-utils
Versions    : rh7.3: nfs-utils-0.3.3-6.73.2.legacy
Versions    : rh9: nfs-utils-1.0.1-3.9.2.legacy
Versions    : fc1: nfs-utils-1.0.6-1.2.legacy
Versions    : fc2: nfs-utils-1.0.6-22.2.legacy
Summary     : NFS utilities and supporting daemons for the kernel NFS server.
Description :
The nfs-utils package provides a daemon for the kernel NFS server and related tools, providing a much higher level of performance than the traditional Linux NFS server used by most users.

This package also contains the showmount program. Showmount queries the mount daemon on a remote host for information about the NFS (Network File System) server on the remote host.

---------------------------------------------------------------------
Update Information:

An updated nfs-utils package that fixes security issues is now available.

The nfs-utils package provides a daemon for the kernel NFS server and related tools, providing a much higher level of performance than the traditional Linux NFS server used by most users.

Arjan van de Ven discovered a buffer overflow in rquotad. On 64-bit architectures, an improper integer conversion can lead to a buffer overflow. An attacker with access to an NFS share could send a specially crafted request which could lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0946 to this issue.

In addition, the Fedora Core 2 update fixes the following issue:

SGI reported that the statd daemon did not properly handle the SIGPIPE signal. A misconfigured or malicious peer could cause statd to crash, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1014 to this issue.

All users of nfs-utils should upgrade to this updated package, which resolves these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 0.3.3-6.73.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

rh9:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.1-3.9.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

fc1:
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-1.2.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

fc2:
* Wed Nov 16 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-22.2.legacy
- Add patch for CVE-2004-1014, sigpipe DOS (#138098, #152871)
* Mon Nov 14 2005 Jeff Sheltren [EMAIL PROTECTED] 1.0.6-22.1.legacy
- Patch for CVE-2004-0946, rquotad buffer overflow (#138098)

---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------
Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: openssh
----------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-168935
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168935
2006-02-10
----------------------------------------------------------------------

Name        : openssh
Versions    : rh73: openssh-3.1p1-14.3.legacy
Versions    : rh9: openssh-3.5p1-11.4.legacy
Versions    : fc1: openssh-3.6.1p2-19.4.legacy
Versions    : fc2: openssh-3.6.1p2-34.4.legacy
Versions    : fc3: openssh-3.9p1-8.0.4.legacy
Summary     : The OpenSSH implementation of SSH protocol.
Description :
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. Public key authentication may be used for passwordless access to servers.

----------------------------------------------------------------------
Update Information:

Updated openssh packages that fix security issues are now available.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, and provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over a secure channel. Public key authentication can be used for passwordless access to servers.

A bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occurring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion. A malicious user could execute arbitrary commands by using specially crafted filenames containing shell metacharacters or spaces. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which contain backported patches to resolve these issues.

----------------------------------------------------------------------
Changelogs

rh73:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED] 3.1p1-14.3.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

rh9:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED] 3.5p1-11.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 3.5p1-11.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc1:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED] 3.6.1p2-19.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 3.6.1p1-19.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc2:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED] 3.6.1p2-34.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225
* Sun Jan 22 2006 Marc Deslauriers [EMAIL PROTECTED] 3.6.1p2-34.3.legacy
- CAN-2004-2069 - prevent DoS on openssh server

fc3:
* Mon Jan 23 2006 Marc Deslauriers [EMAIL PROTECTED] 3.9p1-8.0.4.legacy
- use fork+exec instead of system in scp - CVE-2006-0225

----------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
5c732eac2396d1dbc767c6706b936177b04e3ba9  redhat/7.3/updates-testing/i386/openssh-3.1p1-14.3.legacy.i386.rpm
ac522209cbabd3638e8ca2b08bdf5453c1d9a8d4  redhat/7.3/updates-testing/i386/openssh-askpass-3.1p1-14.3.legacy.i386.rpm
a79e45b1fd78f517a2dfb846e1814aeff35ab86d  redhat/7.3/updates-testing/i386/openssh-askpass-gnome-3.1p1-14.3.legacy.i386.rpm
daa5d5518e33835ef47f41f3bb379d9659e2bc3f  redhat/7.3/updates-testing/i386/openssh-clients-3.1p1-14.3.legacy.i386.rpm
28d3e3a66e6c786db875c5ea8d629b6abcc7fe5b  redhat/7.3/updates-testing/i386/openssh-server-3.1p1-14.3.legacy.i386.rpm
d838db35baa90040dec9df7459af4682f8976b7a  redhat/7.3/updates-testing/SRPMS/openssh-3.1p1-14.3.legacy.src.rpm

rh9:
2e4da4da715512dccb420fc67f3bb24dae2d9a40  redhat/9/updates-testing/i386/openssh-3.5p1-11.4.legacy.i386.rpm
af36bd2aa23d16986072cf15c6906add540f8b8a  redhat/9/updates-testing/i386/openssh-askpass-3.5p1-11.4.legacy.i386.rpm
0cc2cf34bde4b876944c8f19c1cd58d9f4503757  redhat/9/updates-testing/i386/openssh-askpass-gnome-3.5p1-11.4.legacy.i386.rpm
f0e967606a821ec50f6d0af708935a9f04b52d11  redhat/9/updates-testing/i386/openssh-clients-3.5p1-11.4.legacy.i386.rpm
d49d40f814c95319dff11a49f8bb66dcdd3f808c  redhat/9/updates-testing/i386/openssh-server-3.5p1-11.4.legacy.i386.rpm
38544ce3e39dbebcb15ce213f4aff9bf3edb93a7  redhat/9/updates-testing/SRPMS/openssh-3.5p1-11.4.legacy.src.rpm

fc1
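The changelog line "use fork+exec instead of system in scp" is the fix for CVE-2006-0225 above: a filename that is spliced into a command string and handed to a shell gets parsed a second time, while a name passed as one argv element is never reinterpreted. The script below is an added example, not OpenSSH code and not part of this notification; it shows the same rule applied to shell-driven file handling. The function names copy_into, is_portable_name and demo, and every path and file name in it, are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenSSH code. The scp flaw above comes from building a
# command line as a single string and handing it to a shell, which parses
# the filename a second time; the fix in the changelog, fork+exec instead of
# system(), passes the name as one argv element. The shell equivalent of
# that rule: never let a filename be re-parsed (no eval, no "sh -c" on a
# string that embeds it); expand "$name" as one word, after "--" so it
# cannot be taken as an option. All paths below are constructed.

# copy_into DEST FILE...
#   Copies each FILE into DEST, handing every name to cp as a single,
#   already-split argument. Spaces, ';', '$', backquotes or a leading '-'
#   in a name reach cp unchanged. Returns 1 if any copy fails.
copy_into() {
    dest=$1
    shift
    rc=0
    for f in "$@"; do
        cp -- "$f" "$dest/" || rc=1
    done
    return $rc
}

# is_portable_name NAME
#   Allow-list check for a legacy tool that cannot avoid building a command
#   string: accept only the POSIX portable filename characters (letters,
#   digits, '.', '_', '-') and reject an empty name or a leading '-', so
#   the name can never be read as shell syntax or as an option.
#   Returns 0 when acceptable, 1 otherwise.
is_portable_name() {
    case $1 in
        ''|-*)               return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

# demo: copy a constructed file whose name contains a space and a ';'
# and confirm it arrives with its name intact; then show the allow-list
# rejecting that name and accepting an ordinary package file name.
# Returns 0 when every outcome is as expected.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/dst" || return 1
    name='report 2006; notes.txt'
    printf 'constructed sample content\n' > "$work/src/$name"
    copy_into "$work/dst" "$work/src/$name" || return 1
    [ -f "$work/dst/$name" ] || return 1
    is_portable_name "$name" && return 1      # must be rejected
    is_portable_name openssh-3.9p1-8.0.4.legacy.src.rpm || return 1
    rm -rf "$work"
    return 0
}
```

The allow-list is the fallback for code that genuinely has to assemble a command string; the first function is the preferred shape, because a name that is never re-parsed needs no filtering at all.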
Fedora Legacy Test Update Notification: mozilla
----------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-180036-1
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180036
2006-02-11
----------------------------------------------------------------------

Name        : mozilla
Versions    : rh7.3: mozilla-1.7.12-0.73.3.legacy
Versions    : rh9: mozilla-1.7.12-0.90.2.legacy
Versions    : fc1: mozilla-1.7.12-1.1.2.legacy
Versions    : fc2: mozilla-1.7.12-1.2.3.legacy
Versions    : fc3: mozilla-1.7.12-1.3.3.legacy
Summary     : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards compliance, performance, and portability.

----------------------------------------------------------------------
Update Information:

Updated mozilla packages that fix several security bugs are now available.

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Igor Bukanov discovered a bug in the way Mozilla's Javascript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function. A malicious web page could inject arbitrary RDF data into a user's localstore.rdf file, which can cause Mozilla to execute arbitrary javascript when a user runs Mozilla. (CVE-2006-0296)

A denial of service bug was found in the way Mozilla saves history information. If a user visits a web page with a very long title, it is possible Mozilla will crash or take a very long time the next time it is run. (CVE-2005-4134)

Users of Mozilla are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

----------------------------------------------------------------------
Changelogs

rh7.3:
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-0.73.3.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

rh9:
* Mon Feb 06 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-0.90.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc1:
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-1.1.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc2:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-1.2.3.legacy
- Added mozilla-nspr to BuildPrereq
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-1.2.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

fc3:
* Fri Feb 10 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-1.3.3.legacy
- Added mozilla-nspr, gnome-vfs2-devel, desktop-file-utils, and krb5-devel to BuildPrereq
* Sun Feb 05 2006 Marc Deslauriers [EMAIL PROTECTED] 37:1.7.12-1.3.2.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

----------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
baf937574b92b01271c70169e5e6465eb7736c81  redhat/7.3/updates-testing/i386/mozilla-1.7.12-0.73.3.legacy.i386.rpm
4e401f2064201c290aa00527d148141904532d8a  redhat/7.3/updates-testing/i386/mozilla-chat-1.7.12-0.73.3.legacy.i386.rpm
d97acf0463781ac5600754b02b5a902125df5fd4  redhat/7.3/updates-testing/i386/mozilla-devel-1.7.12-0.73.3.legacy.i386.rpm
251eb4a2d0e0f8cf63b7b7975c9819a7e58fd5b3  redhat/7.3/updates-testing/i386/mozilla-dom-inspector-1.7.12-0.73.3.legacy.i386.rpm
584062b1c063fb8c2375693b49e48b8ae7530a00  redhat/7.3/updates-testing/i386/mozilla-js-debugger-1.7.12-0.73.3.legacy.i386.rpm
aa3594680a3224f6b8b7abb9a6b9585fa6f519c1  redhat/7.3/updates-testing/i386/mozilla-mail-1.7.12-0.73.3.legacy.i386.rpm
1676c32cd8143b9ff939b45269b2423b50d062f1  redhat/7.3/updates-testing/i386/mozilla-nspr-1.7.12-0.73.3.legacy.i386.rpm
9d9d350082b38b94d45e458e02f3345b0a4e3ed0  redhat/7.3/updates-testing/i386/mozilla-nspr-devel-1.7.12-0.73.3.legacy.i386.rpm
33753a720edea798966550963426db05a409a6c4  redhat/7.3/updates-testing/i386/mozilla-nss-1.7.12-0.73.3.legacy.i386.rpm
b17dec4e9eab3acca07dc0345d01fa522c3f43d8  redhat/7.3/updates-testing/i386/mozilla-nss-devel-1.7.12-0.73.3.legacy.i386.rpm
169c96bd3eae5e8f4220ed87291ceb176bf1f6b2  redhat/7.3/updates-testing/SRPMS/mozilla-1.7.12-0.73.3.legacy.src.rpm

rh9:
ffa6d9ff83d69b2aa32fb92a660775cbb92f2b53  redhat/9/updates-testing/i386/mozilla-1.7.12-0.90.2.legacy.i386.rpm
d4bc650d1652ae30bb4df3037bcd1f9f77781774  redhat/9/updates-testing/i386/mozilla-chat-1.7.12-0.90.2.legacy.i386.rpm
0148688359ca6168c0c77160c8891315ac319147  redhat/9/updates-testing/i386/mozilla-devel-1.7.12-0.90.2.legacy.i386.rpm
2be970089280e3b23401402e5ea5019cc57b95ba  redhat/9/updates-testing/i386/mozilla-dom-inspector-1.7.12-0.90.2.legacy.i386.rpm
653ceef20cbbd2d415ab8453b5c6d6e81193b6b3  redhat/9/updates-testing/i386/mozilla-js-debugger-1.7.12-0.90.2.legacy.i386.rpm
Fedora Legacy Test Update Notification: perl
----------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-176731
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176731
2006-02-08
----------------------------------------------------------------------

Name        : perl
Versions    : rh9: perl-5.8.0-90.0.13.legacy
Versions    : fc1: perl-5.8.3-17.5.legacy
Versions    : fc2: perl-5.8.3-19.5.legacy
Summary     : The Perl programming language.
Description :
Perl is a high-level programming language commonly used for system administration utilities and Web programming.

----------------------------------------------------------------------
Update Information:

Updated perl packages that fix a security flaw are now available.

Perl is a high-level programming language commonly used for system administration utilities and Web programming.

An integer overflow bug was found in Perl's format string processor. It is possible for an attacker to cause perl to crash or execute arbitrary code if the attacker is able to process a malicious format string. This issue is only exploitable through a script which passes arbitrary untrusted strings to the format string processor. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3962 to this issue.

Note that this vulnerability does not affect perl packages in Red Hat Linux 7.3.

Users of perl are advised to upgrade to these packages which contain a backported patch and are not vulnerable to this issue.

----------------------------------------------------------------------
Changelogs

rh9:
* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.13.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability, bugzilla Bug #176731.

fc1:
* Thu Jan 26 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-17.5.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability, bugzilla Bug #176731.

fc2:
* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-19.5.legacy
- Replace broken perl-5.8.3-findbin-selinux.patch with better patch by Jose Pedro Oliveira so perl will not fail lib/FindBin test. See Bugzilla Bug #176731 comment 2.
* Sat Jan 28 2006 David Eisenstein [EMAIL PROTECTED] 3:5.8.3-19.4.legacy
- Integrate fix for CVE-2005-3962 - Perl Format String Vulnerability, bugzilla Bug #176731.

----------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh9:
4d2401a09f2cc0b126df88659bd9e259a528146d  redhat/9/updates-testing/i386/perl-5.8.0-90.0.13.legacy.i386.rpm
3b5448a2a8d8241a85c4c54ad5d5deb4b9d466d4  redhat/9/updates-testing/i386/perl-CGI-2.81-90.0.13.legacy.i386.rpm
40a05fcf3a7d128e7fa79b00022d54d0542bd3af  redhat/9/updates-testing/i386/perl-CPAN-1.61-90.0.13.legacy.i386.rpm
5444ce68de7e8f0b1b051a15a1658c7d497be61b  redhat/9/updates-testing/i386/perl-DB_File-1.804-90.0.13.legacy.i386.rpm
76ff3cdbe78a2e7c92c1f95760906fd396f974bf  redhat/9/updates-testing/i386/perl-suidperl-5.8.0-90.0.13.legacy.i386.rpm
62fbcae6dd839fd18aabcf5c9fcc6babfd844d94  redhat/9/updates-testing/SRPMS/perl-5.8.0-90.0.13.legacy.src.rpm

fc1:
3267a9d83ac3cadcfa650b1625cf5c458adb5540  fedora/1/updates-testing/i386/perl-5.8.3-17.5.legacy.i386.rpm
2445d66c7ced8bccc7d875a21404216a0cd5cdb6  fedora/1/updates-testing/i386/perl-suidperl-5.8.3-17.5.legacy.i386.rpm
297a649694e03e67b13cfbac7ae8211554cea44b  fedora/1/updates-testing/SRPMS/perl-5.8.3-17.5.legacy.src.rpm

fc2:
772f9571df3a0eab7749bb0d162311f4cd539879  fedora/2/updates-testing/i386/perl-5.8.3-19.5.legacy.i386.rpm
83cf2b36b48760eb1f99a042214eead7a9650d38  fedora/2/updates-testing/i386/perl-suidperl-5.8.3-19.5.legacy.i386.rpm
260cf2c8b759afe09f205318e1fd78cabdeefcb0  fedora/2/updates-testing/SRPMS/perl-5.8.3-19.5.legacy.src.rpm

----------------------------------------------------------------------
Please test and comment in bugzilla.
Fedora Legacy Test Update Notification: gaim
Users of Gaim are advised to upgrade to this updated package which contains Gaim version 1.5.0 and is not vulnerable to these issues.

----------------------------------------------------------------------
7.3 changelog:
* Wed Jan 18 2006 Marc Deslauriers [EMAIL PROTECTED] 1.5.0-0.73.1.legacy
- Updated to 1.5.0 to fix security issues
- Added CVS backport patches from FC4
* Mon May 23 2005 Marc Deslauriers [EMAIL PROTECTED] 1.3.0-0.73.1.legacy
- Updated to 1.3.0 to fix security issues
* Sun May 01 2005 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-0.73.2.legacy
- Added fix for perl plugin
* Sat Apr 16 2005 Marc Deslauriers [EMAIL PROTECTED] 1.2.1-0.73.1.legacy
- Updated to 1.2.1 to fix security issues
- Added CVS backport patches from RHEL
* Thu Mar 10 2005 Marc Deslauriers [EMAIL PROTECTED] 1.1.4-0.73.1.legacy
- Updated to 1.1.4 to fix security issues
- Added CVS backport patches from RHEL

9 changelog:
* Thu Jan 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1:1.5.0-0.90.1.legacy
- Rebuilt as Fedora Legacy rh9 security update
- Added desktop-file-utils, mozilla-nspr-devel and mozilla-nss BuildRequires
- Added fix for perl plugin
- Disabled PIE patch

fc1 changelog:
* Sat Jan 21 2006 Marc Deslauriers [EMAIL PROTECTED] 1:1.5.0-1.fc1.1.legacy
- Rebuilt as Fedora Legacy FC1 security update
- Added desktop-file-utils to BuildRequires

fc2 changelog:
* Thu Jan 19 2006 Marc Deslauriers [EMAIL PROTECTED] 1:1.5.0-1.fc2.1.legacy
- Rebuilt as Fedora Legacy update for FC2
- Added desktop-file-utils to BuildRequires

----------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

a51c47a7e69e2ae0de301b5aea04a078a34bd494  redhat/7.3/updates-testing/i386/gaim-1.5.0-0.73.1.legacy.i386.rpm
cf664d6dea2391a620286c2a0558f344128dc09b  redhat/7.3/updates-testing/SRPMS/gaim-1.5.0-0.73.1.legacy.src.rpm
99901a3c55dc899071cd0373c71ce18b694e38d0  redhat/9/updates-testing/i386/gaim-1.5.0-0.90.1.legacy.i386.rpm
47f2231f0085bfd8c24e3a01ae707781543bb243  redhat/9/updates-testing/SRPMS/gaim-1.5.0-0.90.1.legacy.src.rpm
fda20f97bf8c2ce8a5075c579bcbf6c3e3a66e81  fedora/1/updates-testing/i386/gaim-1.5.0-1.fc1.1.legacy.i386.rpm
8be725ea3874e315278e4926ed72930c74a3d6df  fedora/1/updates-testing/SRPMS/gaim-1.5.0-1.fc1.1.legacy.src.rpm
d8c6b98a019633a8a2debd6e2a86daccae6cdeda  fedora/2/updates-testing/i386/gaim-1.5.0-1.fc2.1.legacy.i386.rpm
46e6ff8101c40018ab98b7f3c5e01f656eb2cdfe  fedora/2/updates-testing/SRPMS/gaim-1.5.0-1.fc2.1.legacy.src.rpm

----------------------------------------------------------------------
Please test and comment in bugzilla.
Re: slapper worm
On Tue, 2006-01-24 at 06:32 +1000, Michael Mansour wrote:
> I'm using:
>
> perl-5.8.3-17.4.legacy
> httpd-2.0.51-1.9.legacy
> openssl-0.9.7a-33.13.legacy
>
> Are there any updates FL can do to any of the packages to fix/block
> slapper from an FC1 machine?

What version of php are you running?

Marc.
Fedora Legacy Test Update Notification: mod_auth_pgsql
----------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-177326
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326
2006-01-19
----------------------------------------------------------------------

Name        : mod_auth_pgsql
Versions    : fc1: mod_auth_pgsql-2.0.1-3.1.legacy
Versions    : fc2: mod_auth_pgsql-2.0.1-4.2.legacy
Summary     : Basic authentication for the Apache Web server using a PostgreSQL database.
Description :
Mod_auth_pgsql can be used to limit access to documents served by a Web server by checking fields in a table in a PostgreSQL database.

----------------------------------------------------------------------
Update Information:

An updated mod_auth_pgsql package that fixes a format string flaw is now available.

The mod_auth_pgsql package is an httpd module that allows user authentication against information stored in a PostgreSQL database.

Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue.

----------------------------------------------------------------------
Changelogs

fc1:
* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug #177326).
  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r-user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade not configured log message from warning to debug

fc2:
* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-4.2.legacy
- Rebuilt for FC2
* Sun Jan 15 2006 David Eisenstein deisenst at gtw.net 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug #177326).
  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r-user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade not configured log message from warning to debug

----------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f  fedora/1/updates-testing/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
119b3b6045eaa3b175ebe3d613daca8e9c81b35c  fedora/1/updates-testing/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
8f9c2503b417db84b73483e6daca445c4789e4e4  fedora/2/updates-testing/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm
52aabaff10fb0f862e1b96199facb7da046e94dc  fedora/2/updates-testing/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

----------------------------------------------------------------------
Please test and comment in bugzilla.
[FLSA-2006:167803] Updated mysql packages fix security issues
----------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated mysql packages fix security issues
Advisory ID:       FLSA:167803
Issue date:        2006-01-10
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-2558
----------------------------------------------------------------------

1. Topic:

Updated mysql packages that fix a security issue are now available.

MySQL is a multi-user, multi-threaded SQL database server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Reid Borsuk discovered a buffer overflow in the MySQL init_syms() function. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2558 to this issue.

This release fixes two additional problems. A regression was introduced in a patch included in the previous MySQL packages that resulted in queries performing a DELETE without a WHERE failing on ISAM tables. Also, the MySQL init script was improved to allow the MySQL service to restart properly during upgrades.

All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167803

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mysql-3.23.58-1.73.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-3.23.58-1.73.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mysql-3.23.58-1.90.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-3.23.58-1.90.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-devel-3.23.58-1.90.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mysql-server-3.23.58-1.90.10.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mysql-3.23.58-4.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-bench-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-devel-3.23.58-4.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mysql-server-3.23.58-4.7.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mysql-3.23.58-16.FC2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-bench-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-devel-3.23.58-16.FC2.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mysql-server-3.23.58-16.FC2.4.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
----------------------------------------------------------------------
fc12c406faa476c68044f6cc55ef289ee64edd43  redhat/7.3/updates/i386/mysql-3.23.58-1.73.9.legacy.i386.rpm
0ddd640a8eb48f15be6dfa16193294c161af6f06  redhat/7.3/updates/i386/mysql-devel-3.23.58-1.73.9.legacy.i386.rpm
9d91d1c9e1fbc3900ee46200b8e99e02343403bf  redhat/7.3/updates/i386/mysql-server-3.23.58-1.73.9.legacy.i386.rpm
Fedora Legacy Test Update Notification: perl
----------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152845
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845
2006-01-09
----------------------------------------------------------------------

Name        : perl
Versions    : rh7.3: perl-5.6.1-38.0.7.3.3.legacy
Versions    : rh9: perl-5.8.0-90.0.12.legacy
Versions    : fc1: perl-5.8.3-17.4.legacy
Versions    : fc2: perl-5.8.3-19.3.legacy
Summary     : The Perl programming language.
Description :
Perl is a high-level programming language commonly used for system administration utilities and Web programming.

----------------------------------------------------------------------
Update Information:

Updated perl packages that fix several security flaws are now available.

Perl is a high-level programming language commonly used for system administration utilities and Web programming.

An unsafe file permission bug was discovered in the rmtree() function in the File::Path module. The rmtree() function removes files and directories in an insecure manner, which could allow a local user to read or delete arbitrary files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0452 to this issue.

Solar Designer discovered several temporary file bugs in various Perl modules. A local attacker could overwrite or create files as the user running a Perl script that uses a vulnerable module. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0976 to this issue.

Kevin Finisterre discovered a stack based buffer overflow flaw in sperl, the Perl setuid wrapper. A local user could create a sperl executable script with a carefully created path name, overflowing the buffer and leading to root privilege escalation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0156 to this issue.

Kevin Finisterre discovered a flaw in sperl which can cause debugging information to be logged to arbitrary files. By setting an environment variable, a local user could cause sperl to create, as root, files with arbitrary filenames, or append the debugging information to existing files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0155 to this issue.

Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module removed directory trees. If a local user has write permissions to a subdirectory within the tree being removed by File::Path::rmtree, it is possible for them to create setuid binary files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0448 to this issue. (This issue updates CVE-2004-0452).

Note that CAN-2005-0077 is referred to in the changelogs below. This vulnerability does not affect these packages, but is a vulnerability in perl-DBI packages instead.

Users of perl are advised to upgrade to these packages which contain backported patches and are not vulnerable to these issues.

----------------------------------------------------------------------
Changelogs

rh7.3:
* Tue Dec 20 2005 David Eisenstein [EMAIL PROTECTED] 1:5.6.1-38.0.7.3.3.legacy
- Add BuildRequires: byacc per John Dalbec. Bug #152835.
* Sat Dec 17 2005 David Eisenstein [EMAIL PROTECTED] 1:5.6.1-38.0.7.3.2.legacy
- Add BuildRequires: db2-devel
- Since this is being built in mach, we cannot use the trick that Red Hat used (of running rpm -q in the build process) to generate the list of files from which *.ph files are pulled. So instead, I've created two static files which list the same thing, Source11 and Source12. These two files may need to be refreshed when rebuilding again.
* Fri Dec 16 2005 David Eisenstein [EMAIL PROTECTED] 1:5.6.1-38.0.7.3.1.legacy
- fix perldb5.pl (debugger) to use $ENV{HOME}/.perldbtty$$ instead of /var/run/perldbtty$$, per Bug #152845 comment 33. Replaces perl-5.6.1-solartmp.patch with an updated patch.
* Thu Jul 14 2005 John Dalbec [EMAIL PROTECTED] 1:5.6.1-38.0.7.3.legacy
- integrate fix for CAN-2005-0448
* Thu Dec 9 2004 John Dalbec [EMAIL PROTECTED] 1:5.6.1-37.0.7.3.legacy
- integrate new tmpfile patch from OWL/solar designer
- add BuildRequires: db1-devel db3-devel
  BuildRequires: glibc-devel gdbm-devel gpm-devel libjpeg-devel
  BuildRequires: libpng-devel libtiff-devel ncurses-devel popt
  BuildRequires: zlib-devel binutils libelf e2fsprogs-devel pam pwdb
  BuildRequires: rpm-devel

rh9:
* Thu Dec 29 2005 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.12.legacy
- Add BuildRequires: libacl-devel, libcap-devel. This provides missing .ph header files sys/acl.ph and sys/capability.ph.
* Fri Dec 23 2005 David Eisenstein [EMAIL PROTECTED] 2:5.8.0-90.0.11.legacy
- Add BuildRequires: byacc elfutils-devel
- Since this is being built in mach, we cannot use the trick that Red Hat used (of running rpm -q in the build process) to generate the list of files from which
[FLSA-2006:136323] Updated gettext package fixes security issues
----------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated gettext package fixes security issues
Advisory ID:       FLSA:136323
Issue date:        2006-01-09
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0966
----------------------------------------------------------------------

1. Topic:

An updated gettext package that fixes security bugs is now available.

The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs.

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Temporary file vulnerabilities were discovered in the gettext package. A malicious user could use the autopoint and gettextize scripts to create or overwrite another user's files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0966 to this issue.

All users of gettext should upgrade to this updated package, which includes a patch to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/gettext-0.11.4-7.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/gettext-0.11.4-7.2.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/gettext-0.12.1-1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/gettext-0.12.1-1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/gettext-0.14.1-2.1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/gettext-0.14.1-2.1.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
----------------------------------------------------------------------
7b6dee52052cf366ae9d78f42d2266045992e8b2  redhat/9/updates/i386/gettext-0.11.4-7.2.legacy.i386.rpm
ccb4260c2f1d4778bf1190bd6d96950c361b8131  redhat/9/updates/SRPMS/gettext-0.11.4-7.2.legacy.src.rpm
7b29432779dcbbb183b98fb5c60208366346ea93  fedora/1/updates/i386/gettext-0.12.1-1.2.legacy.i386.rpm
22bc34eef7d35bad85cf013381187660a4a68c8d  fedora/1/updates/SRPMS/gettext-0.12.1-1.2.legacy.src.rpm
7851e6bb612ae72e3fae9870ca160d2a96e7123b  fedora/2/updates/i386/gettext-0.14.1-2.1.2.legacy.i386.rpm
6c972dcef9866f7e53ba6855478078f8f24684d0  fedora/2/updates/SRPMS/gettext-0.14.1-2.1.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum filename

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966

9. Contact:

The Fedora Legacy security contact is [EMAIL PROTECTED]. More project details at http://www.fedoralegacy.org
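Sections 4 and 7 of the advisory above give the procedure by hand: download the RPMs, compare each sha1sum against the published table, check the GPG signature with rpm --checksig, then apply with rpm -Fvh. The script below is an added example, not part of the advisory and not Fedora Legacy's own tooling; it automates the digest comparison over a download directory and stops before anything is installed. The function names verify_manifest, check_signatures and demo, the manifest layout and the sample packages that demo() builds are all constructed for the example; it assumes GNU sha1sum is installed and treats rpm as optional.

```shell
#!/bin/sh
# Added example, not Fedora Legacy tooling. Section 7 of the advisory lists
# a SHA1 sum per package; this script replays that check over a download
# directory before rpm -Fvh is run, then hands the files to the advisory's
# signature check (rpm --checksig -v) when rpm is present. The manifest
# format mirrors the advisory's "SHA1 sum  Package Name" table. All files
# and hashes used by demo() are constructed on the fly.

# verify_manifest MANIFEST DIR
#   MANIFEST: lines of "<sha1>  <relative path>", as in section 7; the
#   header line and dashed rule are skipped.
#   DIR: directory the packages were downloaded into, preserving the
#   relative paths (redhat/9/updates/i386/..., fedora/2/updates/...).
#   Returns 0 only if every listed file exists and its digest matches.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    while read -r expected relpath; do
        case $expected in
            ''|SHA1*|-*) continue ;;      # blank, header, or dashed rule
        esac
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            status=1
            continue
        fi
        actual=$(sha1sum -- "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath: expected $expected, got $actual" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# check_signatures FILE...
#   The advisory's own check: rpm --checksig -v reports whether each
#   package's GPG signature verifies. A matching digest proves the download
#   is intact; only the signature ties it to the Fedora Legacy key.
#   Returns 2 when rpm is not installed so the digest step stands alone.
check_signatures() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping" >&2; return 2; }
    rpm --checksig -v "$@"
}

# demo: build a constructed download tree and manifest, confirm it
# verifies, corrupt one package and confirm the corruption is caught.
# Returns 0 when both outcomes are as expected.
demo() {
    work=$(mktemp -d) || return 1
    pkgdir="$work/pkgs"
    rel=fedora/2/updates/i386              # constructed, mirrors advisory layout
    mkdir -p "$pkgdir/$rel" || return 1
    printf 'constructed payload A\n' > "$pkgdir/$rel/example-1.0-1.legacy.i386.rpm"
    printf 'constructed payload B\n' > "$pkgdir/$rel/example-devel-1.0-1.legacy.i386.rpm"
    {
        printf '%s\n' 'SHA1 sum                                  Package Name'
        printf '%s\n' '--------------------------------------------------------'
        (cd "$pkgdir" && sha1sum "$rel/example-1.0-1.legacy.i386.rpm" \
                                 "$rel/example-devel-1.0-1.legacy.i386.rpm")
    } > "$work/manifest.txt"
    verify_manifest "$work/manifest.txt" "$pkgdir" >/dev/null || return 1
    printf 'appended by the tampering test\n' >> "$pkgdir/$rel/example-1.0-1.legacy.i386.rpm"
    if verify_manifest "$work/manifest.txt" "$pkgdir" >/dev/null 2>&1; then
        return 1                           # corruption went undetected
    fi
    rm -rf "$work"
    return 0
}
```

A digest taken from the same mirror as the package only detects corruption in transit; the advisory's point in section 7 is that the published table and the GPG key are the independent references, which is why the script keeps the signature step separate and never installs on a digest match alone.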
[FLSA-2006:152803] Updated lesstif packages fix security issues
----------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated lesstif packages fix security issues
Advisory ID:       FLSA:152803
Issue date:        2006-01-09
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0687 CVE-2004-0688 CVE-2004-0914 CVE-2005-0605
----------------------------------------------------------------------

1. Topic:

Updated lesstif packages that fix flaws in the Xpm image library are now available.

lesstif is a free replacement for OSF/Motif(R), which provides a full set of widgets for application development.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

During a source code audit, Chris Evans and others discovered several stack overflow flaws and an integer overflow flaw in the libXpm library used to decode XPM (X PixMap) images. A vulnerable version of this library was found within LessTif. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0914 to these issues.

An integer overflow flaw was found in libXpm; a vulnerable version of this library is found within LessTif. An attacker could create a malicious XPM file that would execute arbitrary code if opened by a victim using an application linked to LessTif. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0605 to this issue.

Users of lesstif are advised to upgrade to these errata packages, which contain backported security patches correcting these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152803
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/lesstif-0.93.36-3.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/lesstif-devel-0.93.36-3.3.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/lesstif-0.93.36-4.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-0.93.36-4.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/lesstif-devel-0.93.36-4.3.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/lesstif-0.93.36-5.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-0.93.36-5.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/lesstif-devel-0.93.36-5.3.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
----------------------------------------------------------------------
83e9647ade78338b07abdb618f5d88b0ed12b46b  redhat/7.3/updates/i386/lesstif-0.93.18-2.3.legacy.i386.rpm
c9dcedad7c1576504e12340753b391181d613714  redhat/7.3/updates/i386/lesstif-devel-0.93.18-2.3.legacy.i386.rpm
649a15edc64e3847238eb252be93db1583baa1cc  redhat/7.3/updates/SRPMS/lesstif-0.93.18-2.3.legacy.src.rpm
a4a8e6e888234cb0751800c181430db4c7b524e6  redhat/9/updates/i386/lesstif-0.93.36-3.3.legacy.i386.rpm
0804ad3304bf12be7f1ab71a463e980f4ea17975