https://bugzilla.redhat.com/show_bug.cgi?id=1059335
Bug ID: 1059335
Summary: CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [epel-all]
Product: Fedora EPEL
Version: el6
Component: erlang
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: rjones(a)redhat.com
Reporter: mprpic(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, gemi(a)bluewin.ch, rjones(a)redhat.com, skottler(a)redhat.com
Blocks: 1059331 (CVE-2014-1693)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1059331
[Bug 1059331] CVE-2014-1693 erlang-inets: command injection flaw in FTP module
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1074175
Bug ID: 1074175
Summary: erlang-edown-0.4 is available
Product: Fedora
Version: rawhide
Component: erlang-edown
Keywords: FutureFeature, Triaged
Assignee: lemenkov(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com
Latest upstream release: 0.4
Current version/release in Fedora Rawhide: 0.3.1-3.fc20
URL: https://github.com/esl/edown/tags
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
https://bugzilla.redhat.com/show_bug.cgi?id=1059333
Bug ID: 1059333
Summary: CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [fedora-all]
Product: Fedora
Version: 20
Component: erlang
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: mprpic(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com, rhbugs(a)n-dimensional.de, skottler(a)redhat.com
Blocks: 1059331 (CVE-2014-1693)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1059331
[Bug 1059331] CVE-2014-1693 erlang-inets: command injection flaw in FTP module
https://bugzilla.redhat.com/show_bug.cgi?id=1036280
Bug ID: 1036280
Summary: selinux alerts about rabbitmq server ("access on the tcp_socket")
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: pavel.nedr(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
I've seen a flood in journalctl from SEalert about that error.
It begins at startup of the system (rabbitmq is enabled in systemctl).
There are a lot of error messages. They cause the "audispd[643]: queue is full - dropping event" error :)
rabbitmq-server
noarch
3.1.5
1.fc20
$ sudo sealert -l 82db9030-74db-4e60-97ab-6aef447e582d
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam.smp from name_bind access on the tcp_socket .
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam.smp to bind to network port 10097
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 10097
где PORT_TYPE может принимать значения: amqp_port_t, couchdb_port_t,
jabber_client_port_t, jabber_interserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If вы хотите выполнить следующее: разрешить NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Дополнительная документация на 'None' ман странице.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If вы считаете, что beam.smp следует разрешить доступ name_bind к tcp_socket
по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:rabbitmq_beam_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ tcp_socket ]
Source beam.smp
Source Path /usr/lib64/erlang/erts-5.10.3/bin/beam.smp
Port 10097
Host bb.lan
Source RPM Packages erlang-erts-R16B-02.7.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-105.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bb.lan
Platform Linux bb.lan 3.11.9-300.fc20.x86_64 #1 SMP Wed Nov 20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count 85
First Seen 2013-11-29 23:40:14 MSK
Last Seen 2013-11-30 15:01:23 MSK
Local ID 82db9030-74db-4e60-97ab-6aef447e582d
Raw Audit Messages
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10097 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no exit=EACCES a0=12 a1=7fac88cfb900 a2=1c a3=a items=0 ppid=1 pid=1897 auid=4294967295 uid=989 gid=984 euid=989 suid=989 fsuid=989 egid=984 sgid=984 fsgid=984 ses=4294967295 tty=(none) comm=beam.smp exe=/usr/lib64/erlang/erts-5.10.3/bin/beam.smp subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Hash: beam.smp,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
https://bugzilla.redhat.com/show_bug.cgi?id=1033305
Bug ID: 1033305
Summary: rabbitmq-plugins is not in the default $PATH
Product: Fedora
Version: 19
Component: rabbitmq-server
Severity: low
Assignee: hubert.plociniczak(a)gmail.com
Reporter: johnhford(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
This program is used to, for instance, enable the http management console. In
the homebrew distribution, it's available in the default path.
In fedora it's:
$ rpm -ql rabbitmq-server | grep bin/rabbitmq-plugins
/usr/lib/rabbitmq/bin/rabbitmq-plugins
/usr/lib/rabbitmq/lib/rabbitmq_server-3.1.5/sbin/rabbitmq-plugins
In the official distribution, it's in the default path:
$ curl -LO http://www.rabbitmq.com/releases/rabbitmq-server/v3.2.1/rabbitmq-server-3.2…
$ rpm -qpl rabbitmq-server-3.2.1-1.noarch.rpm | grep bin/rabbitmq-plugin
warning: rabbitmq-server-3.2.1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 056e8e56: NOKEY
/usr/lib/rabbitmq/bin/rabbitmq-plugins
/usr/lib/rabbitmq/lib/rabbitmq_server-3.2.1/sbin/rabbitmq-plugins
/usr/sbin/rabbitmq-plugins
How reproducible:
100%
Steps to Reproduce:
1. install rabbitmq-server
2. try to run "sudo rabbitmq-plugins enable rabbitmq_management"
Actual results:
Program not found in $PATH.
Expected results:
Program found in $PATH and can be run
https://bugzilla.redhat.com/show_bug.cgi?id=1059028
Bug ID: 1059028
Summary: rabbitmq restarts fail randomly
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: imcleod(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com, skottler(a)redhat.com
Description of problem:
I originally encountered this issue when installing OpenStack via devstack but
have since been able to reproduce it by simply executing commands inside of a
fresh F20 install.
Version-Release number of selected component (if applicable):
rabbitmq-server-3.1.5-1.fc20.noarch
How reproducible:
Occurs regularly but not 100% of the time
Steps to Reproduce:
/sbin/service rabbitmq-server stop
/sbin/service rabbitmq-server start
rabbitmqctl change_password guest newpassword
Actual results:
About half the time, on a freshly installed F20, this will fail, claiming the
node cannot be contacted. A typical error message:
[root@cob-dell5 ~]# rabbitmqctl change_password guest ozrootpw
Changing password for user "guest" ...
Error: unable to connect to node 'rabbit@cob-dell5': nodedown
DIAGNOSTICS
===========
nodes in question: ['rabbit@cob-dell5']
hosts, their running nodes and ports:
- cob-dell5: [{rabbitmqctl2648,48609}]
current node details:
- node name: 'rabbitmqctl2648@cob-dell5'
- home dir: /var/lib/rabbitmq
- cookie hash: 8DNoVu56TqDYWypW7YXDJw==
Expected results:
Changing password for user "guest" ...
...done.
https://bugzilla.redhat.com/show_bug.cgi?id=1036359
Bug ID: 1036359
Summary: ejabberd logs not reopened after rotation
Product: Fedora
Version: 20
Component: ejabberd
Assignee: lemenkov(a)gmail.com
Reporter: redhat(a)subs.maneos.org
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, jkaluza(a)redhat.com, lemenkov(a)gmail.com, martin(a)laptop.org
Description of problem:
Version-Release number of selected component (if applicable):
ejabberd-2.1.13-7.fc20.x86_64
How reproducible:
Steps to Reproduce:
1. Make sure ejabberd is running and logrotate is enabled.
2. Wait until logrotate runs.
3. Check contents of /var/log/ejabberd/ejabberd.log.
Actual results:
0 size file that never gets updated.
Expected results:
File containing log entries for events as they occur.
Additional info:
/etc/logrotate.d/ejabberd is trying to run /usr/sbin/ejabberdctl, but
ejabberdctl is installed in /usr/bin now.
https://bugzilla.redhat.com/show_bug.cgi?id=1023017
Bug ID: 1023017
Summary: Restore ECC support in Erlang's crypto library
Product: Fedora
Version: rawhide
Component: erlang
Severity: high
Assignee: lemenkov(a)gmail.com
Reporter: lemenkov(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com, rhbugs(a)n-dimensional.de
Right now ECC is disabled explicitly since it looks like Erlang's crypto
library assumes that it's either available fully or not. We've just enabled a few
ECC curves, so this confuses erlang-crypto and leads to a startup issue like
this:
=ERROR REPORT==== 24-Oct-2013::16:30:48 ===
Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library:
'/usr/lib64/erlang/lib/crypto-3.1/priv/lib/crypto.so: undefined symbol:
EC_GROUP_new_curve_GF2m'"
OpenSSL might not be installed on this system.
We should patch the crypto module to provide the available ECC bits instead of
disabling it completely.
https://bugzilla.redhat.com/show_bug.cgi?id=1038314
Bug ID: 1038314
Summary: Cyclic dependencies: erlang and erlang-examples
Product: Fedora
Version: 19
Component: erlang
Assignee: lemenkov(a)gmail.com
Reporter: jakub.jedelsky(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com, rhbugs(a)n-dimensional.de
Description of problem:
It is impossible to remove the erlang package with the /usr/bin/rpm command with
erlang-examples installed, and vice versa. There are cyclic dependencies between
these two packages.
Version-Release number of selected component (if applicable):
erlang-R16B-02.3.fc19.x86_64
How reproducible:
always
Steps to Reproduce:
1. try to remove erlang
$ /usr/bin/rpm -e erlang
returns:
error: Failed dependencies:
erlang(x86-64) = R16B-02.3.fc19 is needed by (installed)
erlang-examples-R16B-02.3.fc19.x86_64
2. try to remove erlang-examples
$ /usr/bin/rpm -e erlang-examples
returns:
error: Failed dependencies:
erlang-examples(x86-64) = R16B-02.3.fc19 is needed by (installed)
erlang-R16B-02.3.fc19.x86_64
3. try to remove erlang
...
Actual results:
can't remove erlang without erlang-examples and vice versa
Expected results:
One of the packages can be removed without any dependencies.
Additional info:
It's because of puppet, which removes packages through rpm command. There is no
problem with removing through yum.
https://bugzilla.redhat.com/show_bug.cgi?id=1082170
Bug ID: 1082170
Summary: CVE-2014-2668 couchdb: remote denial of service flaw [fedora-all]
Product: Fedora
Version: 20
Component: couchdb
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: lemenkov(a)gmail.com
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, lemenkov(a)gmail.com
Blocks: 1082168 (CVE-2014-2668)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1082168
[Bug 1082168] CVE-2014-2668 couchdb: remote denial of service flaw