security [ARCHIVED] June 2007

security@lists.fedoraproject.org

16 participants
60 discussions

[Bug 240970] New: CVE-2007-2821: wordpress < 2.2 admin-ajax.php SQL injection
by Red Hat Bugzilla 05 Jul '07

05 Jul '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240970 Summary: CVE-2007-2821: wordpress < 2.2 admin-ajax.php SQL injection Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2821 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2821 "SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 2

[Bug 239904] New: CVE-2007-2627: wordpress sidebar.php XSS
by Red Hat Bugzilla 05 Jul '07

05 Jul '07

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239904 Summary: CVE-2007-2627: wordpress sidebar.php XSS Product: Fedora Extras Version: fc6 Platform: All URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2627 OS/Version: Linux Status: NEW Severity: medium Priority: medium Component: wordpress AssignedTo: jwb(a)redhat.com ReportedBy: ville.skytta(a)iki.fi QAContact: extras-qa(a)fedoraproject.org CC: fedora-security-list(a)redhat.com http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2627 "Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622." -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 3

Security Response product in Bugzilla, add-tracking-bugs?
by Ville Skyttä 02 Jul '07

02 Jul '07

Hi, Is the "Security Response" product in Bugzilla and the add-tracking-bugs functionality for creating dependency trees available for use to people who are not in the Red Hat security response team? Example: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244808 and its dependencies.

2 1

Need some security advice for systemtap
by David Smith 01 Jul '07

01 Jul '07

I need some security development help (and this might be the wrong list - if so, please point me in the right direction). I'm one of the systemtap developers. You can see <http://sourceware.org/systemtap/> for details, but a 2 second overview is that systemtap allows users to write a script that probes points in the kernel. systemtap takes the script, converts it into C, compiles the C into a kernel module, inserts the kernel module, and displays any output from the compiled script. When the script finishes, we remove the kernel module. One of the complaints we get from users is that we require root access (using sudo) to install/remove the kernel module. Large enterprise customers typically don't give out sudo access to all admins. So, they would like a way to designate certain scripts/modules as "blessed", and allow admins/developers/etc. without root access to run those "blessed" scripts/modules. Some basic ideas about how we can allow users without sudo access to run "blessed" scripts/modules can be seen at <http://sources.redhat.com/bugzilla/show_bug.cgi?id=4523>, So, I'm looking for thoughts, criticisms, pointers, etc. to do this in a manner that won't allow a system to be easily compromised. We're in the fairly early stages of this idea, and I'm looking for direction before heading down the wrong road. Thanks for the help. -- David Smith dsmith(a)redhat.com Red Hat http://www.redhat.com 256.217.0141 (direct) 256.837.0057 (fax)

8 17

fedora-security/audit fc7,1.30,1.31
by fedora-extras-commits＠redhat.com 30 Jun '07

30 Jun '07

Author: scop Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29250 Modified Files: fc7 Log Message: +flac123, bz for ekg, sort gd CVS ids Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.30 retrieving revision 1.31 diff -u -r1.30 -r1.31 --- fc7 30 Jun 2007 07:59:40 -0000 1.30 +++ fc7 30 Jun 2007 08:28:36 -0000 1.31 @@ -4,14 +4,15 @@ *CVE are items that need verification for Fedora 7 +CVE-NOID VULNERABLE (flac123, fixed 0.0.10) #246322 CVE-2007-4168 VULNERABLE (libexif) #243890 -CVE-2007-3472 ** (gd) -CVE-2007-3473 ** (gd) -CVE-2007-3474 ** (gd) -CVE-2007-3475 ** (gd) -CVE-2007-3476 ** (gd) -CVE-2007-3477 ** (gd) CVE-2007-3478 ** (gd) +CVE-2007-3477 ** (gd) +CVE-2007-3476 ** (gd) +CVE-2007-3475 ** (gd) +CVE-2007-3474 ** (gd) +CVE-2007-3473 ** (gd) +CVE-2007-3472 ** (gd) CVE-2007-3410 VULNERABLE (HelixPlayer) #245838 CVE-2007-3393 VULNERABLE (wireshark) CVE-2007-3392 VULNERABLE (wireshark) @@ -128,9 +129,9 @@ CVE-2007-1710 version (php, fixed 5.2.2) CVE-2007-1709 ignore (php) no security impact *CVE-2007-1667 (xorg-x11) -CVE-2007-1665 VULNERABLE (ekg) -CVE-2007-1664 VULNERABLE (ekg) -CVE-2007-1663 VULNERABLE (ekg) +CVE-2007-1665 VULNERABLE (ekg) #246034 +CVE-2007-1664 VULNERABLE (ekg) #246034 +CVE-2007-1663 VULNERABLE (ekg) #246034 CVE-2007-1649 version (php, fixed 5.2.2) *CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 *CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

fedora-security/audit fe5,1.209,1.210 fe6,1.123,1.124
by fedora-extras-commits＠redhat.com 30 Jun '07

30 Jun '07

Author: scop Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29218 Modified Files: fe5 fe6 Log Message: flac123, ekg Index: fe5 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe5,v retrieving revision 1.209 retrieving revision 1.210 diff -u -r1.209 -r1.210 --- fe5 28 Jun 2007 17:40:14 -0000 1.209 +++ fe5 30 Jun 2007 08:27:52 -0000 1.210 @@ -2,6 +2,7 @@ ** are items that need attention +CVE-NOID VULNERABLE (flac123, fixed 0.0.10) #246322 CVE-2007-3241 ** (wordpress) #245211 CVE-2007-3240 ** (wordpress) #245211 CVE-2007-3239 ** (wordpress) #245211 @@ -46,6 +47,9 @@ CVE-2007-1745 ignore (clamav, 0.90/0.90.1 only) #236703 CVE-2007-1732 ignore (wordpress) #235015 CVE-2007-1673 ignore (zoo, package removed from repository) +CVE-2007-1665 VULNERABLE (ekg) #246034 +CVE-2007-1664 VULNERABLE (ekg) #246034 +CVE-2007-1663 VULNERABLE (ekg) #246034 CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 CVE-2007-1599 version (wordpress, fixed 2.1.3-0.rc2) #233703 Index: fe6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe6,v retrieving revision 1.123 retrieving revision 1.124 diff -u -r1.123 -r1.124 --- fe6 28 Jun 2007 17:40:14 -0000 1.123 +++ fe6 30 Jun 2007 08:27:52 -0000 1.124 @@ -2,6 +2,7 @@ ** are items that need attention +CVE-NOID VULNERABLE (flac123, fixed 0.0.10) #246322 CVE-2007-3241 ** (wordpress) #245211 CVE-2007-3240 ** (wordpress) #245211 CVE-2007-3239 ** (wordpress) #245211 @@ -51,6 +52,9 @@ CVE-2007-1799 version (ktorrent, fixed 2.1.3) #235014 CVE-2007-1745 ignore (clamav, 0.90/0.90.1 only) #236703 CVE-2007-1732 ignore (wordpress) #235015 +CVE-2007-1665 VULNERABLE (ekg) #246034 +CVE-2007-1664 VULNERABLE (ekg) #246034 +CVE-2007-1663 VULNERABLE (ekg) #246034 CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 CVE-2007-1599 version (wordpress, fixed 2.1.3-0.rc2) #233703 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

fedora-security/audit fc7,1.29,1.30
by fedora-extras-commits＠redhat.com 30 Jun '07

30 Jun '07

Author: scop Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20850 Modified Files: fc7 Log Message: libpng10, jasper checked Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.29 retrieving revision 1.30 diff -u -r1.29 -r1.30 --- fc7 29 Jun 2007 15:37:23 -0000 1.29 +++ fc7 30 Jun 2007 07:59:40 -0000 1.30 @@ -58,7 +58,7 @@ CVE-2007-2768 ignore (openssh) needs pam OPIE which is not shipped. *CVE-2007-2756 ignore (gd) DoS only *CVE-2007-2754 (freetype) -*CVE-2007-2721 patch (jasper, fixed 1.900.1-2) #240397 +CVE-2007-2721 patch (jasper, fixed 1.900.1-2) #240397 *CVE-2007-2683 (mutt) *CVE-2007-2654 VULNERABLE (xfsdump) #240396 CVE-2007-2650 VULNERABLE (clamav, fixed in 0.90.3) #240395 @@ -80,7 +80,7 @@ CVE-2007-2448 VULNERABLE (subversion, fixed 1.4.4) #243856 *CVE-2007-2447 (samba) *CVE-2007-2446 (samba) -*CVE-2007-2445 version (libpng10, fixed 1.0.25) #240398 +CVE-2007-2445 version (libpng10, fixed 1.0.25) #240398 *CVE-2007-2444 (samba) *CVE-2007-2438 VULNERABLE (vim) #238734 *CVE-2007-2437 ignore (xorg-x11) DoS only @@ -436,7 +436,7 @@ *CVE-2006-5823 version (kernel, fixed 2.6.19.2) [since FEDORA-2007-058] was backport since FEDORA-2006-1223 *CVE-2006-5815 version (proftpd, fixed 1.3.0a) #214820 CVE-2006-5794 version (openssh, fixed 4.5) #214641 [since FEDORA-2006-1215] -*CVE-2006-5793 version (libpng10, fixed 1.0.21) #216263 +CVE-2006-5793 version (libpng10, fixed 1.0.21) #216263 *CVE-2006-5793 ignore (libpng, fixed 1.2.13) just a client crash *CVE-2006-5783 ignore (firefox) disputed *CVE-2006-5779 VULNERABLE (openldap, 2.3.29) #214768 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

fedora-security/audit fc7,1.28,1.29
by fedora-extras-commits＠redhat.com 29 Jun '07

29 Jun '07

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29289 Modified Files: fc7 Log Message: gd, wireshark, gimp Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- fc7 28 Jun 2007 23:20:00 -0000 1.28 +++ fc7 29 Jun 2007 15:37:23 -0000 1.29 @@ -4,11 +4,20 @@ *CVE are items that need verification for Fedora 7 -CVE-2007-1663 VULNERABLE (ekg) -CVE-2007-1664 VULNERABLE (ekg) -CVE-2007-1665 VULNERABLE (ekg) CVE-2007-4168 VULNERABLE (libexif) #243890 +CVE-2007-3472 ** (gd) +CVE-2007-3473 ** (gd) +CVE-2007-3474 ** (gd) +CVE-2007-3475 ** (gd) +CVE-2007-3476 ** (gd) +CVE-2007-3477 ** (gd) +CVE-2007-3478 ** (gd) CVE-2007-3410 VULNERABLE (HelixPlayer) #245838 +CVE-2007-3393 VULNERABLE (wireshark) +CVE-2007-3392 VULNERABLE (wireshark) +CVE-2007-3391 VULNERABLE (wireshark) +CVE-2007-3390 VULNERABLE (wireshark) +CVE-2007-3389 VULNERABLE (wireshark) CVE-2007-3241 ** (wordpress) #245211 CVE-2007-3240 ** (wordpress) #245211 CVE-2007-3239 ** (wordpress) #245211 @@ -21,6 +30,7 @@ CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 CVE-2007-3145 VULNERABLE (galeon) ** CVE-2007-3140 ** (wordpress) #245211 +CVE-2007-3126 ignore (gimp) just a crash CVE-2007-3123 VULNERABLE (clamav, fixed 0.90.3) #245219 CVE-2007-3122 VULNERABLE (clamav, fixed 0.90.3) #245219 *CVE-2007-3121 version (zvbi, fixed 0.2.25) @@ -118,6 +128,9 @@ CVE-2007-1710 version (php, fixed 5.2.2) CVE-2007-1709 ignore (php) no security impact *CVE-2007-1667 (xorg-x11) +CVE-2007-1665 VULNERABLE (ekg) +CVE-2007-1664 VULNERABLE (ekg) +CVE-2007-1663 VULNERABLE (ekg) CVE-2007-1649 version (php, fixed 5.2.2) *CVE-2007-1622 version (wordpress, fixed 2.1.3-0.rc2) #233703 *CVE-2007-1614 version (zziplib, fixed 0.13.49) #233700 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

fedora-security/audit fc7,1.27,1.28
by fedora-extras-commits＠redhat.com 28 Jun '07

28 Jun '07

Author: lkundrak Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4818 Modified Files: fc7 Log Message: ekg Index: fc7 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fc7,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- fc7 28 Jun 2007 17:33:47 -0000 1.27 +++ fc7 28 Jun 2007 23:20:00 -0000 1.28 @@ -4,6 +4,9 @@ *CVE are items that need verification for Fedora 7 +CVE-2007-1663 VULNERABLE (ekg) +CVE-2007-1664 VULNERABLE (ekg) +CVE-2007-1665 VULNERABLE (ekg) CVE-2007-4168 VULNERABLE (libexif) #243890 CVE-2007-3410 VULNERABLE (HelixPlayer) #245838 CVE-2007-3241 ** (wordpress) #245211 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

fedora-security/audit fe5,1.208,1.209 fe6,1.122,1.123
by fedora-extras-commits＠redhat.com 28 Jun '07

28 Jun '07

Author: scop Update of /cvs/fedora/fedora-security/audit In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1413 Modified Files: fe5 fe6 Log Message: c-ares updated Index: fe5 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe5,v retrieving revision 1.208 retrieving revision 1.209 diff -u -r1.208 -r1.209 --- fe5 21 Jun 2007 18:40:46 -0000 1.208 +++ fe5 28 Jun 2007 17:40:14 -0000 1.209 @@ -8,8 +8,8 @@ CVE-2007-3238 ** (wordpress) #245211 CVE-2007-3209 ignore (mail-notification, shipped with SSL enabled) CVE-2007-3165 VULNERABLE (tor, fixed 0.1.2.14) #244502 -CVE-2007-3153 VULNERABLE (c-ares, fixed 1.4.0) #243591 -CVE-2007-3152 VULNERABLE (c-ares, fixed 1.4.0) #243591 +CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 +CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 CVE-2007-3140 ** (wordpress) #245211 CVE-2007-3123 ** (clamav, fixed 0.90.3) #245219 CVE-2007-3122 ** (clamav, fixed 0.90.3) #245219 Index: fe6 =================================================================== RCS file: /cvs/fedora/fedora-security/audit/fe6,v retrieving revision 1.122 retrieving revision 1.123 diff -u -r1.122 -r1.123 --- fe6 21 Jun 2007 18:40:46 -0000 1.122 +++ fe6 28 Jun 2007 17:40:14 -0000 1.123 @@ -8,8 +8,8 @@ CVE-2007-3238 ** (wordpress) #245211 CVE-2007-3209 ignore (mail-notification, shipped with SSL enabled) CVE-2007-3165 VULNERABLE (tor, fixed 0.1.2.14) #244502 -CVE-2007-3153 VULNERABLE (c-ares, fixed 1.4.0) #243591 -CVE-2007-3152 VULNERABLE (c-ares, fixed 1.4.0) #243591 +CVE-2007-3153 version (c-ares, fixed 1.4.0) #243591 +CVE-2007-3152 version (c-ares, fixed 1.4.0) #243591 CVE-2007-3140 ** (wordpress) #245211 CVE-2007-3123 ** (clamav, fixed 0.90.3) #245219 CVE-2007-3122 ** (clamav, fixed 0.90.3) #245219 -- fedora-extras-commits mailing list fedora-extras-commits(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-extras-commits

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

security [ARCHIVED] June 2007