May 2006 - security [ARCHIVED] - Fedora Mailing-Lists

Bugzilla CCs?

by Jason L Tibbitts III

Would it be reasonable to CC security-related bugzilla tickets here? Currently it's not possible. - J<

17 years, 11 months

2
3
0 / 0

Apache 1.3.7 (RH73) question wrt CVEs

by Jim Popovitch

In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships with Apache 1.3.7-9 so I thought I would query BZ and see what I could find of these. (I am a BZ newbie when it comes to queries). CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple Vulnerabilities CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence Vulnerabilities CVE-2003-0993 Apache mod_access Security Bypass CVE-2004-0700 Apache mod_ssl Format String Vulnerability Unfortunately I couldn't find any of those in the Comments under Apache for Fedora Legacy Redhat 7.3. I can't believe that all of those aren't addressed, so lack of query results suggests to me that I am missing something. Some of those CVE/CANs are several years old, but wouldn't the still be in BZ comments somewhere? -Jim P.

17 years, 11 months

2
2
0 / 0

One Bugzilla report per distro version or one for all?

by Ville Skyttä

Best practice question: Assuming a security issue in package foo which is shipped and vulnerable in many distro versions, do people find it better to file one copy-pasted bug report per distro version or a "combined" one for all which lists the affected distro versions? The one-for-all approach would have the benefit of easier copy-pasting between audit/* files and probably more accurate Bugzilla references in maintainer %changelog entries as the same specfile is used for all distro versions in the vast majority of cases. It could make things slightly harder to track, eg. in Bugzilla queries and such.

17 years, 11 months

5
4
0 / 0

perl-Net-SSLeay vulnerability

by Jason L Tibbitts III

The maintainer of perl-Net-SSLeay, Jose Pedro Oliveira <jpo(a)lsd.di.uminho.pt> just contacted me about the procedure for getting a security review; it seems the version in FC3 and FC4 has a vulnerability but he would like some additional review of the backport. I asked him to contact this list, but I'm not sure it's open to nonmembers. - J<

17 years, 11 months

3
2
0 / 0

Fedora Extras Security Response Team

by Josh Bressers

Hello everybody. In case you didn't see, there was a post by Thorsten Leemhuis to the fedora-extras list regarding the creation of a Fedora Extras security response team. The message can be seen here: https://www.redhat.com/archives/fedora-extras-list/2006-April/msg01650.html Here are the people I know have an interest in helping out with the security response team: Hans de Goede Jason L Tibbitts III Dennis Gilmore Jochen Schmitt Ville Skyttä Michael J Knox If you're interested, feel free to chime in. Right now I have a pretty good idea of what's needed to get this project off the ground. We have a mailing list (which would be step one). I need to fix up some CVS space for things like tools and tracking text files. This repository is here: http://cvs.fedora.redhat.com/viewcvs/fedora-security/?root=fedora We will need a package manifest. Basically a file that tells us which packages and versions we're currently shipping in extras. A tool to generate this will also be needed since we'll want to update this file on a regular basis. Given how fast Extras changes I think this will be the easiest way to check if we currently ship package <foo>. An errata template is needed. I'm thinking we should copy the current Fedora Core template for now. We can mangle it as we see fit at a later date. Process needs to be documented on the fedoraproject wiki. Since we don't currently have a process, this is the only thing done :) The most important part of this will be making it easy to specify what we expect of ourselves. I hope to have some time this weekend to clean up the security wiki pages a bit. I think this is enough for now. Questions, Comments? -- JB

17 years, 11 months

9
17
0 / 0

Approved by the board

by Jesse Keating

We're now approved by the FESCO board. So a few things we need to do, setup wiki space for the security response group/team/whatever, include in there policy about what we're doing. Then link to this policy from the Extras main page where appropriate. Step 3, profit! -- Jesse Keating Release Engineer: Fedora

17 years, 11 months

6
8
0 / 0

Issues with no CVE number

by Ville Skyttä

Are security issues that don't have a CVE number tracked somewhere? Some issues may not have it by the time they're disclosed and I guess there are ones that for whatever reason don't have and aren't going to get one. If they're tracked in the usual audit/* files, what's the preferred format for them? By the way, if more help is needed, feel free to add me (scop) rights to commit to the fe[45] files.

17 years, 11 months

2
4
0 / 0

Hints for working with CVEs?

by Jason L Tibbitts III

Does anyone have any notes for dealing with the CVE lists? I know the main access page is http://www.cve.mitre.org/cve/, but all you can do is download the whole list or do a text search. (And the whole list in plain text is 15MB.) I see that someone at Purdue offers change lists, but the format is not terribly useful (just the numbers of the changed entries). Are there any tools that can extract useful summaries of this data that we could use? Even number and summary would be helpful. For example, I know there's a recent clamav vulnerability that affects Extras. Now, I can search to find out that it's CVE-2006-1989. I know Enrico pushed 0.88.2 on May 2 so we're not vulnerable. But, how would I have seen the CVE without knowing it existed? Click on every link in the daily changelogs and manually read the description? There has to be a more efficient way. BTW, what would be the format of the line to add to the fe4 and fe5 files for this? CVE-2006-1989 version (clamav, fixed 0.88.2) (no bug number, no announcement obviously) - J<

17 years, 11 months

4
9
0 / 0

[Fwd: Re: [vendor-sec] nagios]

by Jesse Keating

This is public. -------- Forwarded Message -------- From: Steven M. Christey <coley(a)linus.mitre.org> To: Josh Bressers <bressers(a)redhat.com> Cc: vendor-sec(a)lst.de, coley(a)mitre.org Subject: Re: [vendor-sec] nagios Date: Wed, 3 May 2006 16:28:36 -0400 (EDT) ====================================================== Name: CVE-2006-2162 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162 Reference: CONFIRM:https://sourceforge.net/mailarchive/forum.php?thread_id=10297806&... Reference: CONFIRM:http://www.nagios.org/development/changelog.php Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header. _______________________________________________ Vendor Security mailing list Vendor Security(a)lst.de https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec -- Jesse Keating Release Engineer: Fedora

17 years, 11 months

1
0
0 / 0

Am I on the right list

by John Stanton

Hello all, This may sound silly, but I am trying to figure out if I am on the correct list. I want to keep up with any security notices and patch releases for Fedora (FC4 in particular). Have I subscribed to the right list? Lately, there seems to be a lot of talk about \extras. This isn't a flame, I'm just seeking confirmation that this is the place to be to track security issues for FC. Thanks! John

17 years, 11 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] May 2006