Security Notice from the Fedora Repository Committers: October 19, 2010

This is a notification that a "Denial of Service" (DoS) vulnerability affecting all Fedora 2 and Fedora 3 versions has been found during code review and has been verified in testing. However, there have been no known attacks on any public or private Fedora repository. Our review indicates this vulnerability can corrupt the Fedora database in a way that will cause failure of your operating repository. However, it cannot be used to damage your archival storage. Fortunately, the repository may be recovered through the use of the rebuilder utility, but until your system is patched it could be subject to additional DoS attacks.

A set of patches for Fedora 3.3 and Fedora 3.4, as well as a full release of Fedora 3.4.1 in which the issue is fixed, has been posted on SourceForge. We ask that you contact your repository operator immediately about the issue. If you are using Fedora 3.0 through 3.2, we urge you to update to patched copies of Fedora 3.3 or 3.4, or to the 3.4.1 release, at your earliest opportunity. The security releases may be found at:
The instructions for installation may be found in the README files at the above locations along with the downloads. Additional information may be found on the DuraSpace Wiki in the Fedora Repository 3.4 Documentation (http://wiki.duraspace.org/x/AgAU).

Unfortunately, Fedora 2 repositories remain vulnerable; a patch to Fedora 2, whose code base was declared "end-of-life" two years ago, has proven beyond our resources at this time. Because of this, we will not be providing details about potential exploits in the near term. Fedora 2 installations are still of great concern to the Fedora committers, since we know there are many installations in our community that may not be in a position to update to the latest Fedora release. We are seeking resources or volunteers to fix Fedora 2 but, at this time, we are not able to commit to a timeline for this work. If you cannot update soon, please read the following section containing suggestions that may help mitigate the vulnerability of your repository. Your installation may have minimal risk if Fedora is not directly exposed to untrusted users. You should:
This notification is to warn operators of production Fedora repositories. Please notify us if you have a sudden, unexplained failure of your system. As with all software, security issues may arise. We are collecting contact information for a responsible person for each production Fedora system to help the notification process. Could you or your repository administrator please provide us with a suitable contact? If you know of any other production Fedora repositories, could you provide a suitable contact for them? If you have any questions or are operating a Fedora system in production, please contact dda...@duraspace.org or cwil...@duraspace.org.

--
Daniel W. Davis
Cornell University, Computing and Information Science
DuraSpace Affiliate
http://duraspace.org
dda...@duraspace.org
dwda...@cs.cornell.edu
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users