January 2007 - security [ARCHIVED] - Fedora Mailing-Lists

[Bug 225469] New: wordpress < 2.1 multiple vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225469 Summary: wordpress < 2.1 multiple vulnerabilities Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com Multiple (low CVSS score) vulnerabilities reported against Wordpress < 2.1: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0540 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0541 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 2 months

1
2
0 / 0

[Bug 223101] New: CVE-2007-0{106, 107, 109, 262}: Wordpress < 2.0.7 multiple vulnerabilities

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=223101 Summary: CVE-2007-0{106,107,109,262}: Wordpress < 2.0.7 multiple vulnerabilities Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0106 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0109 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0262 FE5+ apparently affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 2 months

1
2
0 / 0

[Bug 221023] New: CVE-2006-6808: wordpress 2.0.5 XSS vulnerability

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221023 Summary: CVE-2006-6808: wordpress 2.0.5 XSS vulnerability Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: high Priority: normal Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6808 "Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter." All FE4+ releases affected. This is supposedly fixed in 2.0.6, but it looks like it hasn't been released yet. Patch at http://trac.wordpress.org/changeset/4665 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 2 months

1
2
0 / 0

clamav BZ tickets

by Christian Iseli

Hi folks, Could anyone from the security team have a look at BZ tickets 192266 and 192407 ? Not sure if these are real serious issues, but I'd feel better if someone versed in virus things could have a look... Thanks, C

17 years, 2 months

1
0
0 / 0

Security fix to Bind-9.2.8/Bind-9.3.4

by Stephen John Smoogen

The 9.3.4 affects FCL-5,6 BIND 9.3.4 is now available. BIND 9.3.4 is a security release for BIND 9.3. BIND 9.3.4 contains security fixes: 2126. [security] Serialise validation of type ANY responses. [RT #16555] 2124. [security] It was possible to dereference a freed fetch context. [RT #16584] 2089. [security] Raise the minimum safe OpenSSL versions to OpenSSL 0.9.7l and OpenSSL 0.9.8d. Versions prior to these have known security flaws which are (potentially) exploitable in named. [RT #16391] 2088. [security] Change the default RSA exponent from 3 to 65537. [RT #16391] 2066. [security] Handle SIG queries gracefully. [RT #16300] 1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642] If you are running a BIND 9.3.x or BIND 9.4.x version without these changes you are advised to upgrade as soon as possible to one of BIND 9.3.4 or BIND 9.4.0rc2. BIND 9.3.4 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.3.4/bind-9.3.4.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at . A binary kit for Windows 2000, Windows XP and Windows 2003 is at ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip The PGP signature of the binary kit for Windows 2000, Windows XP and Windows 2003 is at ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.asc ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.3.4/BIND9.3.4.debug.zip.sha512.asc Note: There is no Windows NT 4.0 binary kit for BIND 9.3.4. Windows NT 4.0 is still supported in source form. A list of changes made since 9.3.0 follows. For earlier changes, see the file CHANGES in the distribution. -------- --- 9.3.4 released --- 2126. [security] Serialise validation of type ANY responses. [RT #16555] 2124. [security] It was possible to dereference a freed fetch context. [RT #16584] -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

17 years, 3 months

2
2
0 / 0

[Bug 194511] CVE-2006-2894 arbitrary file read vulnerability

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-2894 arbitrary file read vulnerability https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194511 ajschult(a)verizon.net changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug| |http://bugzilla.mozilla.org/ Reference| |show_bug.cgi?id=258875 ------- Additional Comments From ajschult(a)verizon.net 2007-01-21 21:05 EST ------- A fix for this is in Mozilla trunk (SeaMonkey 1.5) in bug 258875, but never made it to the 1.8 branch -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 3 months

1
0
0 / 0

[Bug 221958] New: Security vulnerability in MediaWiki

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221958 Summary: Security vulnerability in MediaWiki Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: urgent Priority: urgent Component: mediawiki AssignedTo: Axel.Thimm(a)ATrpms.net ReportedBy: roozbeh(a)farsiweb.info QAContact: extras-qa(a)fedoraproject.org CC: fedora-security- list@redhat.com,fedora@theholbrooks.org,roozbeh(a)farsiweb .info MediaWiki has just made a release with a security vulnerabiliy fixed: http://lists.wikimedia.org/pipermail/mediawiki-announce/2007-January/0000... This means that FC6 and devel branches should be upgraded to 1.8.3. The situation for FC5 is more complex, as it is shipping 1.5.8 which is considered obsolete by upstream it seems. It may need to be upgraded to the 1.6.x or later series. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 3 months

1
3
0 / 0

[Bug 222410] CVE-2006-6799: Remote execution vulnerability in cacti.

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: CVE-2006-6799: Remote execution vulnerability in cacti. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222410 ville.skytta(a)iki.fi changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Remote execution |CVE-2006-6799: Remote |vulnerability in cacti. |execution vulnerability in | |cacti. ------- Additional Comments From ville.skytta(a)iki.fi 2007-01-20 06:43 EST ------- For reference, this is CVE-2006-6799 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 3 months

1
0
0 / 0

[Bug 212699] New: CVE-2006-5602: xsupplicant < 1.2.6 memory leaks

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212699 Summary: CVE-2006-5602: xsupplicant < 1.2.6 memory leaks Product: Fedora Extras Version: fc3 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5602 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: xsupplicant AssignedTo: tcallawa(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5602 (FC3 only) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 3 months

1
2
0 / 0

[Bug 219937] New: CVE-2006-6574: mantis < 1.1.0a2 information disclosure

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219937 Summary: CVE-2006-6574: mantis < 1.1.0a2 information disclosure Product: Fedora Extras Version: fc6 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: mantis AssignedTo: giallu(a)gmail.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-security- list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6574 "Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field." All FE releases are possibly affected. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

17 years, 3 months

1
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] January 2007